What's New

These are new features for this release of the PingDirectory Server:

  • Java 7 is now required when setting up a new server or upgrading an existing server.

  • Added support for extensible match filters that can make assertions about the number of values that a specified attribute has in an entry. For example, the extensible match filter "(cn:valueCountEquals:=1)" will match an entry only if that entry has exactly one value for the cn attribute. The following special matching rules have been added to help provide this capability:

    - valueCountEquals
    - valueCountDoesNotEqual
    - valueCountGreaterThan
    - valueCountGreaterThanOrEqualTo
    - valueCountLessThan
    - valueCountLessThanOrEqualTo

  • Updated the LDAP changelog to support selecting which entries should be included in or excluded from the changelog. Entries can be selected based on the location of the target entry in the DIT, and/or based on whether the changelog entry matches a given filter.

    A new ds-changelog-target-attribute attribute has also been added to changelog entries to indicate which attributes were involved in the change. This may be used to select changelog entries for inclusion or exclusion based on changes to specific attributes.

  • Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients running older versions of Java that may start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not in any way compromise the strength of the integrity and/or confidentiality protection that is ultimately negotiated between the client and the server.

  • Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, it logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files are kept to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect a few of these files to aid in root cause analysis.

  • Updated the server to use the latest 6.2.31 release of the Berkeley DB Java Edition.

  • The default SCIM base context path changed from / to /scim. Any clients using the previous base context path will no longer be able to access SCIM services until they are updated. The following dsconfig command may be used to revert to the previous base context path after update:

    dsconfig set-http-servlet-extension-prop --extension-name SCIM --set base-context-path:/

  • Introduced the Configuration HTTP Servlet Extension, which can be used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.

  • Improved the diagnostic information the server can provide at startup for any components that take a substantial amount of time to initialize. The server will also generate an alert notification if any component attempts to perform an unindexed internal search operation, in order to warn about potential misconfiguration.

  • Added a global configuration setting called database-on-virtualized-or-network-storage. This boolean setting must be set to true when database files will be stored on network file systems. It should be set to false if the database is on a local disk since it incurs a performance penalty.

Resolved Issues

The following issues have been resolved with this release of the PingDirectory Server:

Ticket ID Description

Added a new schema file that contains previously undefined server attributes. The addition of these attributes helps resolve conflicts with user-defined schema.


Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints not handled by any servlet or web application extensions. Previously the handler would return a 200 OK with no response body.


Fixed an issue where replication would not be established for a new replica when it was initialized by importing an LDIF file exported from an existing replica. The issue occurred whether the import was performed before or after enabling replication.


Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized.


Fixed the dsconfig tool to suppress all stray output when run in batch mode with the --quiet option.


Fixed an issue where deleting values of a multi-valued attribute using SCIM PATCH could silently fail. Modifications in SCIM PATCH are now mapped directly to LDAP modifications to take advantage of the matching rules configured in the Identity Datastore, when matching deleted values. Since the SCIM PATCH is now applied by the Datastore, the Permissive Modify Request Control (1.2.840.113556.1.4.1413) is now required by the SCIM component. This will ensure that adding an existing value or deleting a non-existent value in the PATCH request will not result in an error.

To continue using the SCIM component after an upgrade of the Identity Datastore or Identity Proxy, access controls and configuration may need to be updated to allow access to the Permissive Modify Request Control.

Identity Datastore:

dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 ||")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

Identity Proxy:

dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 ||")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol=" || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'

dsconfig set-request-processor-prop --processor-name dc_example_dc_com-req-processor --add supported-control-oid:1.2.840.113556.1.4.1413

Note that "dc_example_dc_com-req-processor" is the default processor name and it may be different depending on your configuration.

Identity Broker: For each Identity Datastore used as a user store, the following configuration changes are required:

dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="||||||1.2.840.113556.1.4.1413||||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'

dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="||||||1.2.840.113556.1.4.1413||||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319||1.2.840.113556.1.4.1413")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'

Note that the user DN "cn=Broker User,cn=Root DNs,cn=config" is the default user name created when the external store is prepared. It may be different depending on your configuration.


Simplified the various cache-mode properties within the Local DB Backend configuration. Current values for these properties are "cache-keys-and-values" (formerly "default"), "cache-keys-only" (formerly "evict-leaf-immediately"), and "no-caching" (formerly "evict-bin-immediately"). The old values will continue to work. If the update tool is used to upgrade to this release, the existing values within the configuration will be updated to use the new values.


Updated gauge alert details to include the last threshold value that was crossed.


Added the ability for a Server SDK extension, such as a Plugin, to register for notifications when an operation completes using the OperationContext#registerOperationCompletedListener() method.


Reduced the severity of the "unrecognized alert type" message in the error log from SEVERE_WARNING to NOTICE. The message now states that this is expected if the server is reverted to a version prior to the implementation of these alert types.


Fixed the gauge configuration manager to only re-initialize the gauge that was changed, and not any of the other gauges that did not change.


Updated the set subtree accessibility extended operation handler to support atomically altering the accessibility of multiple subtrees in a single request.


Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared and the alarm manager's generated-alert-types property has the "alarm" value.


Fixed the alarm manager to not include the details of the old alarm (the alarm being cleared) in the "alarm-cleared" alert message.


Updated the javadoc for the Example Overload Handler plugin to include the argument "invoke-for-internal-operations" with a value of "false" during the plugin creation. Previously, the plugin, when enabled, would drop internal queries to the monitor backend initiated by the gauge state provider.

Fixed an issue in the Example Overload Handler plugin's applyConfiguration method where any change to the plugin's own configuration (such as adding a new pre-parse type) caused it to drop requests, because the LDAP search for the gauge argument in the config backend was performed over a client connection instead of an internal connection.

Fixed an issue where when the Example Overload Handler plugin was disabled and then re-enabled, an IllegalStateException occurred because the monitor provider that publishes drop stats was previously registered.


Updated the Web Console so that upon login, the user's old session is always invalidated.


Fixed a rare issue in backend database entry encoding where the server alerted on an "unexpected exception" when encoding large entries with an unusually large number of ds-sync-hist values. The error was reported in the alert message as being a NegativeArraySizeException thrown from the EntryEncoder class.


Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page.


Updated the alarm manager to not generate an "alarm-normal" alert when a gauge's condition abates.


Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This occurred when a certificate was accepted with the 'Manually validate' option, while using the interactive LDAP connection menu.


Updated the alarm manager to not persist normal alarms.


Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions.


Added a fail safe to the pending changes queue for the Changelog Backend that can detect and ignore recovered changes that do not need to be committed in order to prevent holding up other changes in the queue.


Fixed a bug that resulted in an error message related to performing a modify DN operation against a currently authenticated user entry.


Removed the "alarm-normal" alert.


Updated the server so that alarm-cleared, alarm-warning, alarm-minor, alarm-major, and alarm-critical alerts are not subject to duplicate alert suppression. Separate alert notifications of these types may represent distinct conditions and resources that should not be suppressed.


Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names.


Updated the HTTP Detailed Access logger to use timestamps with millisecond precision.


Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.

SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.

It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination.
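The access log check described above can be scripted. The following is an added example, not code from the product or its documentation: it correlates SECURITY-NEGOTIATION messages whose protocol is "SSLv3" with the client address of the same connection. The line layout (bracketed timestamp, message type, key="value" fields) and the CONNECT message with its conn= and from= fields are assumptions about the log format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines. Only the SECURITY-NEGOTIATION message type and its
# "protocol" element come from the release note; the rest of the layout
# (timestamp, CONNECT with conn=/from=, cipher=) is an assumed format.
SAMPLE_LOG = '''\
[21/Oct/2014:10:15:30.101 -0500] CONNECT conn=11 from="192.0.2.10" to="192.0.2.1" protocol="LDAPS"
[21/Oct/2014:10:15:30.140 -0500] SECURITY-NEGOTIATION conn=11 protocol="TLSv1.2" cipher="TLS_RSA_WITH_AES_128_CBC_SHA"
[21/Oct/2014:10:16:02.004 -0500] CONNECT conn=12 from="192.0.2.77" to="192.0.2.1" protocol="LDAPS"
[21/Oct/2014:10:16:02.050 -0500] SECURITY-NEGOTIATION conn=12 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
[21/Oct/2014:10:17:45.300 -0500] CONNECT conn=13 from="192.0.2.77" to="192.0.2.1" protocol="LDAP"
[21/Oct/2014:10:17:45.390 -0500] SECURITY-NEGOTIATION conn=13 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
[21/Oct/2014:10:18:00.000 -0500] SECURITY-NEGOTIATION conn=9 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
'''

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<type>[A-Z-]+)\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return (timestamp, message_type, fields) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {key: quoted or bare
              for key, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    return m.group("ts"), m.group("type"), fields


def sslv3_clients(log_text, weak_protocols=("SSLv3",)):
    """Count weak-protocol negotiations per client address.

    Connections whose CONNECT line is not in the input (for example because
    it is in a rotated file) are reported under the key "unknown".
    """
    conn_addr = {}      # connection ID -> client address from CONNECT
    hits = Counter()    # client address -> number of weak negotiations
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg_type, fields = parsed
        conn = fields.get("conn")
        if msg_type == "CONNECT":
            conn_addr[conn] = fields.get("from", "unknown")
        elif (msg_type == "SECURITY-NEGOTIATION"
              and fields.get("protocol") in weak_protocols):
            hits[conn_addr.get(conn, "unknown")] += 1
    return dict(hits)


if __name__ == "__main__":
    for addr, count in sorted(sslv3_clients(SAMPLE_LOG).items()):
        print(f"{addr}\t{count} SSLv3 negotiation(s)")
```

Connection 13 in the sample stands for a plaintext connection secured with StartTLS, which produces the same SECURITY-NEGOTIATION message as a connection that is secure from the start.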


Updated the access logger to include usedPrivileges and/or missingPrivileges fields in result log messages for operations in which the requester used one or more privileges, or in cases where the requested operation required one or more privileges that the requester did not have.


Updated numeric gauges so that their severity changes when the current gauge value equals the threshold's exit value. Previously the value had to be strictly less than the exit value for the severity to change.


Added additional debug information for constraint violations that can happen during replication enable.


Fixed an issue where the server would hang during startup due to a previous unexpected service outage resulting in an empty tasks.ldif file.


Fixed the index rebuild job so that it does not generate redundant "index-degraded" alerts when an index is being rebuilt.


Fixed a replication issue where the changelogDb path on the destination server was incorrect when the following conditions were met: the source and destination shared the same installation path, the source server used a symlink for changelogDb to an external path, and the destination server did not have the external path.


Added a workaround for a bug in some versions of Java that could interfere with the ability to restore an encrypted backup.


When using SCIM, the way in which the user name in HTTP Basic authentication is mapped to a user is now configurable using Identity Mappers. After the user name is mapped to a user, a simple BIND request will be used to verify the password.


Computed minimums, averages, and maximums in statistics loggers previously processed infinite or out-of-range numbers, leading to unprintable character output in comma-separated value (CSV) files. These computations now exclude infinite and out-of-range values.


Fixed an issue that could interfere with rebuilding an attribute index with one or more exploded index keys.


Added change type indexes to the LDAP changelog to improve the efficiency of get changelog batch operations that target records with only a subset of change types.


Updated the HTTP/HTTPS connection handler to Jetty 8.1.16.v20140903.


Added a gauge to the server to track JVM memory usage and alert if the amount of free memory gets low enough that it could impact server performance.


Fixed an issue where a password policy was configured to record the last login time and last login IP address, but those attributes were not being updated when a bind went through the pass-through authentication plugin to a remote server.


Fixed an issue where attempting to cancel many outstanding proxy operations could make the proxy server unresponsive.


Fixed a rare condition where parent DNs stored in compact form for evaluation of group membership could consume a large amount of memory.


Fixed an issue where a password policy was adding login failures when a bind went through the pass-through authentication plugin, and failed locally, but subsequently succeeded against an external server.


Fixed an issue that caused replication to disconnect for up to fifteen minutes when sending on half-open connections, typically due to an unforeseen network issue.


Updated the configuration properties of the Local DB Backend to indicate which settings require a component (or server) restart to take effect.


Fulfilled an enhancement request to allow access to the additional information properties in alert notifications.


Fixed an issue where the server could hit an unexpected exception when a new attribute index was added while the server was under heavy load.


Fixed a problem with startup dependencies not being properly honored for Server SDK plugins.


Added a configuration option that can be used to indicate that an attribute index should maintain a matching entry count for keys that exceed the index entry limit. While maintaining a count for these index keys will not improve the efficiency of applicable searches, the count can be used to improve the result the server is able to return for these searches when used in conjunction with the matching entry count request control.


The dsreplication remove-defunct-server subcommand no longer allows the removal of a running server from the replication topology.


Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects.


Updated the character set password validator to allow for adding optional character sets that require zero or more matches.


Updated the server's support for filtered indexes so that they can be used for a broader set of search filters.


Fixed an issue where registering a server extension would cause a null-pointer exception at startup preventing the server from starting.


Updated the rebuild-index tool to add offline support for approximate indexes.


Fixed an issue with the verify-index tool that could arise when examining approximate indexes with one or more keys exceeding the index entry limit.


Fixed an issue where updating a component in the web console could generate a missing enabled property error.


Fixed an issue where a VLV request specifying a large afterCount value would result in an OutOfMemoryError and cause the Datastore to shut down.