What's New

These are new features for this release of the Directory Server

  • New capabilities have been added to the Delegated Admin application (packaged separately). Now directory administrators can delegate the responsibility of managing group memberships for users in PingDirectory Server. Administrators can delegate to individuals or groups of users, and assign authority over one or more groups in PingDirectory Server.

  • Added a new mirrored virtual attribute capability that mirrors the value of an attribute from an entry relative to the entry being retrieved. For example, you could include an attribute from the parent entry. This can eliminate a second search request to the server when a client needs a user entry as well as information from some related entry.

  • Improved the way the PingDirectoryProxy Server distributes requests in the failover load-balancing configuration. This is especially helpful for multi-tenant environments to better distribute requests per tenant. Now you can configure a load-spreading base DN such that requests to DIT branches below the load-spreading base DN are balanced among the PingDirectory Servers. The proxy will automatically maintain affinity between servers and DIT branches.

  • Added new monitoring data points and data history to aid in performance tuning and troubleshooting. Now the monitoring backend stores occurrences and time spent for several operations, including a histogram distribution of time spent. Operations tracked include time waiting on file system synchronization and time spent at the proxy per directory server operation.

Known Issues/Workarounds

The following are known issues in the current version of the Directory Server

  • An ACI starting with "GENERATED D-ADMIN ACCESS" is generated automatically by the server from Delegated Admin configuration. Do not create your own custom ACI with the same prefix, for example by copying and pasting from the generated ACI. A custom ACI with this prefix will be deleted when the server is restarted, and whenever a Delegated Admin configuration change causes the Delegated Admin ACI to be regenerated.

  • While upgrading servers in a mixed-version environment, where some of the servers are still using the admin backend while others have been updated to the topology registry, do not attempt to make size changes to the topology. No existing servers may be removed (using dsreplication disable), or new servers added (using dsreplication enable) when in this transitional state of partially-updated servers. When all of the servers have been updated to the topology registry, sizing changes can be made. This restriction is temporary only while crossing the admin backend to topology registry boundary. In post 7.0.1 releases, changes to the topology size will be allowed, even in mixed-version environments.

  • It is not possible to add a new server to an existing replication topology of servers. The problem is addressed in In order to add a new server, all existing servers must be updated to at least

  • Servers to be monitored by the PingDataMetrics Server must have an instance name of less than 256 characters. A server's instance name is specified during setup.

Resolved Issues

The following issues have been resolved with this release of the Directory Server:

Ticket ID Description

Added the Replication State Detail (ds-sync-state-detail) virtual attribute, which provides a more detailed version of "ds-sync-state" attribute. The additional information can be used for debugging replication issues.


Improved the behavior that the server exhibits under certain network conditions when it is not possible to write to a client without blocking. This includes:

* If the server cannot write data to a client after waiting for a length of time specified by the connection handler's max-blocked-write-time-limit configuration property, the access log message indicating that the client has been disconnected because of an I/O timeout will now more clearly indicate that the reason was the inability to write data to the client.

* The server now limits the number of threads that can be blocked while trying to send data to the same client over the same client connection. If too many threads would have been blocked while trying to send data over the same connection, that connection will be terminated, and the disconnect access log message will include the reason for the disconnect.

* If the server is trying to send data to the client that it considers optional (for example, certain types of unsolicited notifications), then the server may skip sending that optional data if the write would have caused the server thread to block.


Added a configuration option to allow a null serverFQDN for the GSSAPI SASL mechanism to allow an unbound SASL server connection.


Fixed an issue where the isMemberOf virtual attribute provider would indirectly evaluate other virtual attributes, which could lead to significant slow down in search processing.


Fixed an issue in which an unprivileged Consent API client could modify the actor value of a consent record.


Updated the mirror virtual attribute provider to allow a DN map to identify the entry containing the attribute to mirror.


Delegated Admin operations now appear in the LDAP access log.


Enabling replication for restricted domains now creates a server group for each replication set when replication servers are added. Server groups enable initializing restricted domains interactively.


Changed Resource IDs produced by the Delegated Admin API so that they no longer contain percent characters from Base64 padding.


Updated the keys and values used in the monitoring JMX MBeans to conform with best practices. The keys "type" and "name" are now used in place of "Rdn1" and "Rdn2".

To maintain backwards compatibility with existing monitoring solutions, installations upgrading to this release will retain the old behavior, but they can revert to the default behavior by changing the Global Configuration property jmx-use-legacy-mbean-names to false.


The Notification Delivery Thread will now log unexpected errors rather than throwing them as exceptions.


Prevent a notification destination from assuming the master notification delivery role if that server is in lockdown mode or replication hasn't finished initialization.