The following issues have been resolved with this release of PingDirectoryProxy Server:
|Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file.
|The server now monitors important certificates used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. An alarm is raised and alerts are sent when a monitored certificate is 30 days from expiration.
Updated the installer to discourage the use of weak root passwords.
When run in interactive mode, setup will display a list of password quality recommendations before prompting for the initial root password, suggesting that it should be at least 12 characters long, should not be contained in a dictionary of English words, and should not be contained in a dictionary of commonly-used passwords. If the proposed password does not meet these constraints, then the user will be given the option of proceeding with the provided weak password or choosing a different password.
When run in non-interactive mode, setup will exit with an error if the proposed initial root password does not satisfy the above constraints, unless the command line also includes the --allowWeakRootUserPassword argument.
In either mode, when a strong initial root password is supplied, setup will also configure the root users' password policy to ensure that subsequent root user passwords will also be required to satisfy these constraints.
|Updated PingDirectory Server, PingDirectoryProxy Server, PingDataSync, and PingDataGovernance with the capability to run as Windows Services.
Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.
Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear.
|Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler.
|The Globally-Unique Attribute Plugin has a new multiple-attribute behavior option named "unique-in-combination." When selected, this option ensures the uniqueness of combinations of values for the configured attributes. For example, if no two users may have the same value for both givenName and sn, but users may have the same givenName or the same sn, use unique-in-combination.
|Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the Directory Server (for cases in which each server contains a complete copy of the data) or the Directory Proxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing).
|Corrected the port number returned in the error message that is displayed when an administrator is trying to set up a server that is already running.
|Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses.
|Replaced the ldapsearch and ldapmodify tools with new versions. The new versions are backward-compatible, but offer a number of new features, including better connection handling, better output formatting, better support for bulk operations, support for referrals, support for additional request and response controls, and rate limiting. The ldapsearch tool now offers the ability to output results in JSON, CSV, or tab-delimited text as an alternative to LDIF, and provides support for a number of data transformations. The ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files.
|Improved support for password modify extended requests processed through the Directory Proxy Server. Those operations will now be processed more reliably and the results will be more consistent with the results obtained from sending the requests directly to a Directory Server instance.
Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.
Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed.
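The DN handling fixed above hinges on treating differently escaped spellings of the same DN as equal while still rejecting malformed escapes. The following is an added example written for this page, not code from PingDirectory, that normalizes RFC 4514 DN strings in Python: `\XX` hex pairs are decoded to bytes, `\,`-style escapes are unescaped, attribute types are lower-cased, and multi-valued RDNs are sorted, so that `cn=Smith\2c John` and `cn=Smith\, John` compare equal while `cn=\zz` is rejected. It assumes caseIgnoreMatch for every value (a simplification) and does not model the `#`-prefixed BER hex form.

```python
import re
from typing import List, Tuple

# RFC 4514 escaping: "\" followed by two hex digits encodes one byte of the UTF-8
# value; "\" followed by one of these characters escapes that character literally.
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_SPECIALS = set(' "#+,;<=>\\')
_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*")


class DNSyntaxError(ValueError):
    """Raised for DNs that are not well formed (for example, a bad hex escape)."""


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on separator characters that are not preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep escape pairs intact for later decoding
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def _decode_value(raw: str) -> str:
    """Turn an escaped attribute value into its plain form, rejecting bad escapes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != "\\":
            out += raw[i].encode("utf-8")
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and _HEX_PAIR.fullmatch(pair):
            out.append(int(pair, 16))               # hex-encoded byte
            i += 3
        elif i + 1 < len(raw) and raw[i + 1] in _SPECIALS:
            out += raw[i + 1].encode("utf-8")       # escaped special character
            i += 2
        else:
            raise DNSyntaxError(f"invalid escape at offset {i} in {raw!r}")
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DNSyntaxError(f"hex-escaped bytes in {raw!r} are not valid UTF-8") from exc


def normalize_dn(dn: str) -> Tuple[Tuple[Tuple[str, str], ...], ...]:
    """Canonical form: per RDN, sorted (type, value) pairs with the type lower-cased and
    the value decoded and case-folded (assumes caseIgnoreMatch for every attribute)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            typ, eq, val = ava.partition("=")
            typ = typ.strip().lower()
            if not eq or not _TYPE.fullmatch(typ):
                raise DNSyntaxError(f"malformed RDN component {ava!r}")
            val = val.lstrip()
            while val.endswith(" ") and not val.endswith("\\ "):
                val = val[:-1]          # unescaped trailing spaces are not part of the value
            avas.append((typ, _decode_value(val).casefold()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def dns_equal(a: str, b: str) -> bool:
    """True when two DN strings name the same entry regardless of how they were escaped."""
    return normalize_dn(a) == normalize_dn(b)


def is_well_formed(dn: str) -> bool:
    """False for DNs a server should reject instead of accepting and storing them."""
    try:
        normalize_dn(dn)
        return True
    except DNSyntaxError:
        return False
```

Indexes keyed on the normalized tuple, rather than on the raw string, are what make a lookup by either spelling find the same stored entry, which is the failure mode the fix above addresses.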
|The SNMP context name for the server can now be configured using the new context-name property of the SNMP Subagent Plugin. The server instance name remains the default context name when this property is not set.
|Updated the access and audit loggers so that, when logging information about an internal operation that was triggered by an external client request, the log message will include the connection and operation ID for that request. Also updated the error logger so that when logging a message from a thread that is actively processing an operation, the log message will include the connection and operation ID for that operation.
|Fixed an issue where incorrect names were displayed in the usage for the start scripts.
|The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product.
|The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made.
|Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend.
Updated support for the UNBOUNDID-MS-CHAP-V2 SASL mechanism to make it easier for an intermediate application to support delegating MS-CHAPv2 authentication to the Directory Server. This includes:
|Fixed an issue that could impede the timely replication of subtree-delete requests contained in a transaction.
|The server now requires Java version 8.
|Fixed a couple of cases in which groups with missing members were not returned by filtered SCIM searches.
|Improved error reporting for the manage-extensions tool.
Updated the logic used to select which TLS cipher suites should be enabled by default, and the logic used to prioritize those cipher suites. The selection process has been updated to use the guidelines provided in the OWASP "Transport Layer Protection Cheat Sheet" document.
Some of the changes include:
|The Administrative Console is no longer compatible with older versions of the server.
Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.
Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.
The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the PingDirectoryProxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).
The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that might exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced.
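The three multiple-attribute behaviours described for the uniqueness request control above (and the `unique-in-combination` option of the Globally-Unique Attribute Plugin earlier on this page) differ only in how candidate values are compared against other entries. The following is an added example written for this page, not the server's own implementation, that models all three in Python over a constructed set of entries, with the base-DN scoping and soft-deleted-entry handling the control supports. Only the name `unique-in-combination` comes from the page; `unique-per-attribute`, `unique-across-attributes` and the `_soft_deleted` flag are hypothetical names chosen for the example.

```python
from itertools import product
from typing import Dict, List, Optional

# The three multiple-attribute behaviours the release notes describe. "unique-in-combination"
# is the name used in the notes; the other two labels are hypothetical names for this
# example, not the product's own property values.
UNIQUE_PER_ATTRIBUTE = "unique-per-attribute"
UNIQUE_ACROSS_ATTRIBUTES = "unique-across-attributes"
UNIQUE_IN_COMBINATION = "unique-in-combination"

Entry = Dict[str, object]

# Constructed sample entries standing in for search results from the topology.
# "_soft_deleted" is a synthetic flag for this example, not a real attribute.
DIRECTORY: List[Entry] = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "givenName": ["Alice"], "sn": ["Smith"], "mail": ["alice@example.com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "givenName": ["Bob"], "sn": ["Smith"], "mail": ["bob@example.com"]},
    {"dn": "uid=carol,ou=contractors,dc=example,dc=com", "givenName": ["Carol"], "sn": ["Jones"], "mail": ["carol@example.com"]},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "givenName": ["Dave"], "sn": ["Brown"], "mail": ["dave@example.com"], "_soft_deleted": True},
]


def _values(entry: Entry, attr: str) -> List[str]:
    return [str(v).casefold() for v in entry.get(attr, [])]   # caseIgnore comparison


def _in_scope(entry: Entry, base_dn: Optional[str]) -> bool:
    """Base-DN scoping: only entries at or below base_dn can conflict."""
    if base_dn is None:
        return True
    dn, base = str(entry["dn"]).casefold(), base_dn.casefold()
    return dn == base or dn.endswith("," + base)


def _entries_conflict(candidate: Entry, other: Entry, attrs: List[str], behavior: str) -> bool:
    if behavior == UNIQUE_PER_ATTRIBUTE:
        # each attribute enforced on its own: same givenName OR same sn is a conflict
        return any(set(_values(candidate, a)) & set(_values(other, a)) for a in attrs)
    if behavior == UNIQUE_ACROSS_ATTRIBUTES:
        # a value may not appear under any of the listed attributes in another entry
        mine = {v for a in attrs for v in _values(candidate, a)}
        theirs = {v for a in attrs for v in _values(other, a)}
        return bool(mine & theirs)
    if behavior == UNIQUE_IN_COMBINATION:
        # only the tuple of values across all listed attributes must be unique
        mine = set(product(*(_values(candidate, a) for a in attrs)))
        theirs = set(product(*(_values(other, a) for a in attrs)))
        return bool(mine & theirs)
    raise ValueError(f"unknown multiple-attribute behavior {behavior!r}")


def find_conflicts(candidate: Entry, directory: List[Entry], attrs: List[str], behavior: str,
                   base_dn: Optional[str] = None, ignore_soft_deleted: bool = True) -> List[str]:
    """DNs of entries that would violate the constraint if `candidate` were committed."""
    hits = []
    for entry in directory:
        if str(entry["dn"]).casefold() == str(candidate.get("dn", "")).casefold():
            continue        # an entry never conflicts with itself (modify case)
        if ignore_soft_deleted and entry.get("_soft_deleted"):
            continue
        if not _in_scope(entry, base_dn):
            continue
        if _entries_conflict(candidate, entry, attrs, behavior):
            hits.append(str(entry["dn"]))
    return sorted(hits)


def precommit_validate(candidate: Entry, directory: List[Entry], attrs: List[str],
                       behavior: str, **scope) -> bool:
    """Pre-commit validation: True means apply the change, False means reject it unchanged."""
    return not find_conflicts(candidate, directory, attrs, behavior, **scope)
```

Post-commit validation is the same `find_conflicts` call run again after the change is applied, against whatever set of backend servers the validation level selects; a hit at that stage cannot roll the change back, which is why both stages exist.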
|Removed the default root password from the out-of-the-box configuration. This password was never actually used because it was replaced by the user-supplied password provided when running setup, and it has been removed for additional security.
Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:
In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.
Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.
Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest.
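The compatibility property described above, where output signed with SHA-2 can still be read by a server that defaults to SHA-1, comes from recording the digest or MAC algorithm inside the output so the reader never has to guess it. The following is an added example written for this page, not the server's own LDIF signing format, that shows the pattern in Python: an HMAC over an LDIF payload is emitted as LDIF comment lines naming the algorithm, the verifier selects the algorithm from that header, and SHA-1 stays on the verify allowlist only so that older output remains readable while new output always uses SHA-256. The header field names, the key and the LDIF content are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

SIGNING_DIGEST = "sha256"                 # all newly generated output uses the 256-bit SHA-2 digest
VERIFIABLE_DIGESTS = ("sha256", "sha1")   # sha1 accepted only when reading older output
_ALG_PREFIX = b"# mac-algorithm: hmac-"   # constructed header format for this example
_MAC_PREFIX = b"# mac: "


def sign_export(payload: bytes, key: bytes, digest: str = SIGNING_DIGEST) -> bytes:
    """Prepend a self-describing MAC header (as LDIF comment lines) to the payload."""
    if digest not in VERIFIABLE_DIGESTS:
        raise ValueError(f"digest {digest!r} is not permitted for signing")
    mac = hmac.new(key, payload, digest).hexdigest().encode("ascii")
    return _ALG_PREFIX + digest.encode("ascii") + b"\n" + _MAC_PREFIX + mac + b"\n" + payload


def verify_export(blob: bytes, key: bytes) -> Tuple[bool, Optional[str]]:
    """Read the algorithm from the header and verify the MAC with it.

    Returns (valid, algorithm). A missing or malformed header, or an algorithm that is
    not on the allowlist, is a verification failure rather than a fallback to a default."""
    parts = blob.split(b"\n", 2)
    if len(parts) < 3 or not parts[0].startswith(_ALG_PREFIX) or not parts[1].startswith(_MAC_PREFIX):
        return False, None
    digest = parts[0][len(_ALG_PREFIX):].decode("ascii", "replace")
    if digest not in VERIFIABLE_DIGESTS:
        return False, digest
    payload = parts[2]
    expected = hmac.new(key, payload, digest).hexdigest().encode("ascii")
    claimed = parts[1][len(_MAC_PREFIX):]
    return hmac.compare_digest(expected, claimed), digest   # constant-time comparison


def strip_header(blob: bytes) -> bytes:
    """Return the LDIF payload without the two header lines (call only after verifying)."""
    return blob.split(b"\n", 2)[2]
```

Keeping the allowlist explicit is the important design choice: the header tells the verifier which algorithm to use, but the verifier, not the header, decides which algorithms are acceptable, so a blob claiming `hmac-md5` is rejected rather than honoured.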
|Updated the Admin Alerts Health Check to tolerate an incorrect LDAP result code returned by Active Directory when testing for the existence of cn=alerts. With this change, having use-for-all-servers=true configured on the Admin Alerts Health Check will no longer cause Active Directory servers to be flagged as UNAVAILABLE.
|The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root.
|Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information.
|Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK.
|Addressed an issue where LDAP throughput and response time data were not available for tracked applications configured in the Directory Proxy Server. The problem occurred when the applications were identified by user entries stored in a Directory Server that was referenced by a proxying request processor where a value of 'true' was configured for the assign-client-connection-policy-from-backend-server setting.
|Fixed an issue that could prevent an entry-balanced Directory Proxy Server from returning a get password policy state issues response control in response to a failed bind attempt. Also updated the access logger to include additional details in FORWARD-FAILED messages, including the matched DN, referral URLs, and response controls.
|Limited the ACI search performed by the collect-support-data tool to at most 100 entries. This reduces the time the tool takes to run in deployments with a large number of ACIs.
|Added support for the X-Forwarded-Prefix header to override the context path of operations processed by HTTP Servlet Extensions.
Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:
|A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html or contact email@example.com.
|The round-robin load-balancing algorithm has been deprecated. The fewest-operations load-balancing algorithm should be used instead, since it utilizes a pool of servers more efficiently than a simple round-robin algorithm.
|Addressed an issue in the Server SDK where internal searches performed by extensions could fail in entry balanced environments. An internal search listener was not properly synchronized and could become corrupted when accessed by multiple threads when doing a broadcast search.
|Removed the ability to create custom HTTP trace loggers using the Server SDK.
|Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes.