Introduced a Directory REST API to create, read, update, and delete (CRUD) any object in the directory by using JSON over HTTP. Compared to the SCIM-based Identity Access API, which was introduced in version 4.0, the Directory REST API offers more capability without the configuration overhead and the SCIM protocol limitations. For more information, visit https://apidocs.pingidentity.com/pingdirectory/directory/v1/api/guide/.
The following issues have been resolved with this release of PingDataSync Server:
|DS-6930||To facilitate testing in multiple garbage collection (GC) environments, GC JVM options have been moved to separate Java properties in the java.properties file. The new .gc-type suffix selects the GC type to use, and the new .gc-<GC type>-args suffix has the JVM options for that GC type.|
Added support for a file-retention task that can identify files in an indicated directory that match a given pattern, and can remove matching files that fall outside the specified retention criteria. You can specify the minimum number, age, and aggregate size of the files to retain. Files that match the pattern are sorted by timestamp. If any files are removed, the most recent files are retained, and the oldest files are deleted.
The file-retention task can be scheduled as a standalone or recurring task. The following instances of the file-retention recurring task are defined in the default configuration:
In each case, the recurring task is configured to retain at least the 100 most recent files. No files that are younger than 30 days old are removed. Although these recurring tasks are defined in the default configuration, they are not part of a recurring task chain. Consequently, they are not invoked unless they are configured as part of a chain.
The default configurations of PingDirectory Server and PingDirectoryProxy Server also include recurring tasks that clean up old, expensive operation dump log files or work-queue backlog thread dump log files if too many of them have collected in the server logs directory. For each file type, if more than 100 files are present in the server logs directory, remaining files that are older than 30 days are candidates for removal. A recurring task chain performs this cleanup every day at 12:05 a.m. in the JVM's default time zone.
|DS-35873||Added support for an exec task that can invoke commands on the server. Multiple safeguards prevent unauthorized users from invoking arbitrary commands on the server system, including a new exec-task privilege and a whitelist file that must be updated to include the absolute paths of the allowed commands. Additionally, a new schedule-exec-task tool helps create an exec task from the command line, and the LDAP SDK has been updated to allow pragmatic interactions with exec tasks.|
|DS-35873||Added support for recurring exec tasks.|
|DS-35909||HTTP Connection Handlers now raise an alarm during initialization if a context path conflict is detected.|
A header that contains a correlation ID has been added to outgoing HTTP servlet responses, allowing the correlation of HTTP responses with log messages across server instances. The name of the correlation ID response header defaults to "Correlation-Id" but can be changed by setting the HTTP Connection Handler's correlation-id-response-header property. By default, the server generates a globally unique correlation ID automatically, but the correlation-id-request-header configuration property can optionally be used to specify one or more request headers that provide an existing correlation ID value from the requesting client. The correlation ID header can be disabled on a per-HTTP Connection Handler basis by using the use-correlation-id-header configuration property.
For Server SDK extensions that have access to the current HttpServletRequest, the correlation ID can be retrieved as a string by using the HttpServletRequest's com.pingidentity.pingdata.correlation_id attribute, as follows:
Added a Mock Access Token Validator that uses a trusted authorization server or signing certificate to accept access tokens without validating their authenticity. When enabled, the Mock Access Token Validator accepts bearer tokens in the form of a plain text JSON object that contains an arbitrary set of claims.
Warning: Mock Access Token Validators are intended for test or demonstration use only. Never enable them in production deployments or use them to access sensitive data.
|DS-36434||Added a preFetch method to the LDAPSyncSourcePlugin Server SDK extensions. This method allows extension developers to modify the search request or source entry fetch behavior for LDAP Sync Sources.|
Added Change Detectors as a new type of Server SDK extension. A Change Detector can be used to customize the manner in which a Sync Source detects changes to entries in a source server.
As an example, a developer could build a Change Detector that reads messages from a Kafka topic and uses them as the source of changes for an OpenLDAP server that is configured as the Sync Source.
Change Detectors are available only for use with the new Generic LDAP Sync Source.
|DS-36510||Added support for a delay task that can be used on its own or as a recurring task. It is primarily intended for use as a spacer between other tasks, and can sleep for a specified period of time, wait for the server to become idle (all worker threads are idle, and no operations are outstanding), or wait for sets of search criteria to match at least one entry (for example, until a monitor entry indicates that the server is in a particular state).|
|DS-37131||Fixed an issue in which the HTTP Servlet Config Monitor could throw an exception in an HTTP Servlet Extension when attempting to determine its context paths. This exception caused the status tool and the Administrative Console to potentially omit the HTTP Servlet Extension from the list of active HTTP extensions.|
|DS-37492||Added a time limit retention policy to support the removal of log files that are older than a specified age.|