Upgrade Considerations

Important considerations for upgrading to this version of the Directory Server

  • Note: The product names have been updated to reflect the UnboundID acquisition by Ping Identity. This is a naming and branding change only; the code base is the same as in prior releases and will continue to be maintained into the future.
  • If upgrading a server that was running an older version of the JDK, run the dsjavaproperties --initialize command after the software upgrade to compare the settings of the older JDK with the requirements of the new server software. Apply any necessary changes to the upgraded server based on the previous performance settings.
  • The 6.0 release makes these changes to supported platforms:

    • CentOS 7.2 and RedHat 7.2 are now supported operating system versions.
    • SUSE 11 SP4 is now supported; SUSE 11 SP2 support has been retired.
    • Linux KVM and VMWare ESXi 6.x have been added as supported virtual machine environments.
    • JDK 7.x is deprecated. Customers are strongly advised to use JDK 8 with this release. A later release of the platform will remove support for JDK versions 7.x. At that time customers will be required to upgrade to JDK 8.x when upgrading servers. This will apply to all of our JDK flavors (OpenJDK, OracleJDK, IBM JDK) on all platforms.
    • WildFly 9.x (renamed from JBoss) is now a supported application server for all web applications, including the Administrative Console and sample applications. Support for JBoss 7.x has been retired. Tomcat support remains unchanged in this release.
  • PBKDF2 is now the default encoding for root passwords. This only affects new installations.
  • In addition to changing the default password storage scheme for root users to PBKDF2, the default password storage scheme for regular users has been changed to salted 256-bit SHA-2.
  • HTTPS defaults to ON: servers now default to use HTTPS for console and API connections including the SCIM API. This may affect automation scripts and development environments where HTTPS has not been in use before.
  • Generated user passwords, for example those created by the server during a password reset sequence, are now created as pass-phrases instead of random character strings. This makes them easier to type and remember. This change will not affect upgrades.
  • The /config directory file permissions have been changed so that they are only accessible by the server user.
  • Customers who choose to use the optional encryption algorithms provided by the third-party BouncyCastle library are encouraged to upgrade to BouncyCastle 1.54.
  • The Self Service Account Manager (SSAM) application is now included in the distribution image and may be optionally installed as desired.
  • Updated commons-beanutils from version 1.8.3 to 1.9.2 to improve security.
  • Updated Spring Boot artifact to v1.2.8 so transitive Spring library dependencies use v4.1.9.
  • Updated the HTTP/HTTPS connection handler to Jetty 9.2.15.v20160210.
  • The encryption-settings tool in a previous version of the PingDirectory Server will not be able to import settings generated by this version of the PingDirectory Server, if there are multiple settings exported at once.

What's New

These are new features for this release of the Directory Server

  • Added a new control for very large result sets, maximum-sort-size-limit-without-vlv-index, which allows client applications to request that the server gracefully degrade to unsorted results in cases where sorting a very large result set would have caused a time-out.
  • Added LDAP support for applications that authenticate users with Yubikey one-time passwords. The extensions include the UNBOUNDID-YUBIKEY-OTP SASL handler configuration object, extended operations and command line tools for registering a user’s Yubikey device, deregistering, and supporting authentication using either the one-time password (OTP) only, or the OTP together with a static password. The server can be configured to use the public Yubico validation service, or a different validation service. The Yubikey FIDO U2F, OATH HOTP, and PGP modes are not supported.
  • Added new "generate TOTP shared secret" and "revoke TOTP shared secret" extended operations to make it easier for applications to enable TOTP authentication for users. While these operations are primarily intended to be invoked programmatically, a generate-totp-shared-secret tool can be used to invoke these operations from the command line.
  • A new transform-ldif tool is available to read an LDIF file and write an updated file with a number of changes applied. The transformations include:

    • Scramble, replace, redact, or exclude a specified set of attributes.
    • Replace values of a specified attribute with a generated value that includes a sequential counter.
    • Add a given set of attribute values to entries matching a provided set of criteria.
    • Exclude entries matching a provided set of criteria.
    • Rename attributes.
    • Replace the base DN for entries in a specified subtree.
  • A new load-ldap-schema-file tool is available for loading LDAP schemas while a server is active and on-line.
  • A new register-yubikey-otp-device tool is available for creating or changing associations between users and specific OTP devices.
  • The *rate performance testing tools now include some additional sample rate pattern files: hockey stick, step-function, sine, triangle, sawtooth and square wave patterns.
  • The setup command now logs its input arguments, making it easier to confirm or duplicate a setup process. This changes the content of the log and may affect automated scripts that read these log files.
  • The config-diff tool, which makes it easy to compare and reconcile settings between server instances, now also supports the --pretty-print option which adds line breaks to the generated lists of dsconfig commands.
  • The manage-account tool has been enhanced significantly to make it easier to perform operations that affect large sets of user accounts including bulk lock-outs, parallel processing of updates, support for input filter criteria and DN lists. In particular, the manage-account tool now supports explicitly setting user accounts to the "locked-out" state. This is an improvement over earlier versions which required manipulation of operational attributes. See the command help for a complete list of the options and new sub-commands.
  • For easier consumption by third-party analysis tools, the Directory and Proxy Servers can now output JSON log formats. Similar support will be added to the Data Sync and Governance Brokers in a later release.
  • To help avoid issues when indexes near their index-entry-limit, the verify-indexes command now has the following two options: --listKeysNearestIndexEntryLimit and --listKeysExceedingIndexEntryLimit. The Admin Guide includes a new section, "Monitoring Index Entry Limits", which explains how to set, track, and tune the server's Index Entry Limit values.
  • Monitor entries have been added for a number of related metrics, all of which can be set to trigger alarms:

    • ds-index-unique-keys-near-entry-limit-accessed-by-search-since-db-open
    • ds-index-unique-keys-exceeding-entry-limit-accessed-by-search-since-db-open
    • ds-index-unique-keys-near-entry-limit-accessed-by-write-since-db-open
    • ds-index-unique-keys-exceeding-entry-limit-accessed-by-write-since-db-open
  • The Pass-Through Authentication plugin has a new "allowLaxPassThroughAuthenticationPasswords" option that permits password changes that do not comply with the Directory Server's password policy. This facilitates integration in cases where the pass-through system has less-strict rules for new passwords.
  • For Java developers whose tools and workflows make use of Maven, the Server SDK jar has been deployed to Maven Central so that a developer can now add the Server SDK as a project dependency by adding a few lines to a project's pom.xml. Also, developers can now generate a Server SDK project that Maven-aware IDEs such as IntelliJ IDEA can package into an extension bundle with no special configuration needed. This benefit extends similarly to continuous integration systems such as Jenkins.
  • The dsconfig tool provides the ability to search for and quickly navigate to configuration objects and properties in which the name, synopsis, or description matches a provided pattern.
  • A new rotate-log tool and task have been added, which can be used to trigger rotation of one or more log files.
  • The Configuration API is now fully supported for all servers. In this release, the API was changed to match SCIM conventions for attribute naming, resource modeling, and the standard HTTP verbs. The UnboundID SCIM 2 SDK (available through GitHub) can now be used with the Configuration API.
  • All servers have an updated web Administrative Console, which includes:

    • New layouts for operational statistics, processing time, queues, all monitors, and the list of installed extensions.
    • Alert and alarm displays, summarizing the data in cn=alerts and cn=alarms and based on the configured gauges, with filtering and searching for these.
    • A new LDAP Schema Editor for importing schema files, validity checking, creation and editing of object classes and attribute types. The editor also supports viewing of the attribute syntaxes, inheritance, and indexes that exist for each attribute and the dependencies between object classes and attributes.
  • The new Administrative Console can also be deployed to independent application servers instead of being co-hosted by the servers. This simplifies deployment models and increases separation between data and application layers.

  • To assist with situations where a very large number of changes may cause disk, memory, and server start time to increase unexpectedly, alerting and gauge features have been added to the Recent Changes Database.

  • Servers can now trigger events whenever log file rotation occurs. This includes "copy on rotate" and "summarize on rotate" listeners, as well as Server SDK support for creating custom log file rotation listeners.

  • It is now possible to create, change, and remove root user accounts across the topology using the dsconfig tool and Administrative Console.

  • Made a number of improvements to the way the server handles the encryption settings database:

    • When running setup, the server no longer overwrites the encryption settings PIN file if it already exists.
    • When configured to use a file-based cipher stream provider (which is now the default), anything needing access to the encryption settings database would fail immediately if the password file was missing. The server now waits for the password file to become available, for example if kept on removable storage. This behavior can be controlled through the wait-for-password-file configuration property.
    • When backing up the contents of the encryption settings database, when a file-based cipher stream provider is configured, the output now includes a warning that indicates the PIN file is not included in the backup and should be archived separately.
    • When restoring a backup of the encryption settings database, the restore will fail if the encryption settings database contained in the backup was protected with a different cipher stream provider, or if the cipher stream provider is configured with a different encryption key. The restore process will warn if it cannot verify compatibility.
    • The server now provides a better error message when it fails to open the encryption settings database, especially when the encryption settings database was created before running setup, which results in a less secure configuration.
  • Updated the search-logs tool to support JSON formatted logs.

  • The dsreplication initialize command now ignores the adminUID and adminPassword property values in the tools.properties file, as these values may not necessarily be correct for the new server being added to the replication topology. The command now always prompts for the administrative credentials.

Known Issues/Workarounds

The following are known issues in the current version of the Directory Server

  • When deploying the Administrative Console in Tomcat 8, and accessing the Administrative Console application using Tomcat's Web Application Manager, some browsers (including Safari and Firefox) will generate a path URL that encodes the dash in ubid-console. This results in a path such as http://localhost:8888/ubid%2Dconsole/, which causes session management errors. To work around this issue, copy and paste the generated link into a browser, and replace the encoded dash with a dash (-) character.

  • The PermSize and MaxPermSize JVM properties are no longer supported in JDK 8, and will safely be ignored. These properties can be removed by modifying the config/java.properties file and running "bin/dsjavaproperties" while the server is offline.

  • Security criteria for root passwords with the default configuration will be increased in a future release. This might affect automated installation scripts that currently use less secure passwords. This will not affect existing root accounts.

  • The dsconfig tool and the Administrative Console enable creating and managing new Root DN users in this release. However, there is a limitation with changing the password of the currently logged in administrator. The ldappasswordmodify command can be used to change the administrator's password by providing the current and new password.
  • For version to pre- servers configured to use the IBM version of Java, an extraneous ${INSTANCE_ROOT} directory is created under the server root. This is fixed on a fresh install of, but if updating to, this directory still exists and can be deleted before or after the update.

Resolved Issues

The following issues have been resolved with this release of the Directory Server:

Improved visibility of the use of index keys near or in excess of the index entry limit. These changes include:
  • If the server accessed any index keys near the index entry limit while processing an add, delete, modify, modify DN, or search operation, the access log message for that operation will include an indexesWithKeysAccessedNearEntryLimit field that holds the names of the appropriate indexes. If the operation accessed any index keys that exceeded the index entry limit, those indexes will be named in the indexesWithKeysAccessedExceedingEntryLimit field in the access log message.
  • If the server accessed any index keys near or in excess of the index entry limit while processing a search operation that requested the debugsearchindex attribute or that requested matching entry count debug information, the resulting debug messages will include information about those indexes.
The index monitor entry includes new attributes that track the number of such keys accessed by search or write operations:
  • ds-index-unique-keys-near-entry-limit-accessed-by-search-since-db-open
  • ds-index-unique-keys-exceeding-entry-limit-accessed-by-search-since-db-open
  • ds-index-unique-keys-near-entry-limit-accessed-by-write-since-db-open
  • ds-index-unique-keys-exceeding-entry-limit-accessed-by-write-since-db-open
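As an added example (not part of these release notes or of the product's own tooling), the following Python script scans JSON-formatted access log lines for the indexesWithKeysAccessedNearEntryLimit and indexesWithKeysAccessedExceedingEntryLimit fields described above and tallies hits per index, split by search versus write operations, so an administrator can spot indexes that need their entry limit tuned. Only the two field names come from the notes; the record layout, operationType values and index names in the embedded sample are constructed assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of JSON-formatted access log result lines. The
# field names indexesWithKeysAccessedNearEntryLimit and
# indexesWithKeysAccessedExceedingEntryLimit are from the release notes;
# everything else about the record layout is an assumption. The last
# line is deliberately malformed to exercise the error path.
SAMPLE_LOG = """\
{"messageType":"result","operationType":"SEARCH","connectionID":12,"operationID":3,"requesterDN":"cn=app,ou=svc,dc=example,dc=com","filter":"(sn=Smith)","indexesWithKeysAccessedNearEntryLimit":["sn.equality"]}
{"messageType":"result","operationType":"MODIFY","connectionID":12,"operationID":4,"requesterDN":"cn=app,ou=svc,dc=example,dc=com","dn":"uid=jsmith,ou=people,dc=example,dc=com"}
{"messageType":"result","operationType":"SEARCH","connectionID":15,"operationID":1,"requesterDN":"cn=report,ou=svc,dc=example,dc=com","filter":"(objectClass=person)","indexesWithKeysAccessedExceedingEntryLimit":["objectClass.equality","sn.equality"]}
{"messageType":"result","operationType":"ADD","connectionID":15,"operationID":2,"requesterDN":"cn=report,ou=svc,dc=example,dc=com","dn":"uid=new,ou=people,dc=example,dc=com","indexesWithKeysAccessedNearEntryLimit":["sn.equality","mail.equality"]}
not json at all
"""

NEAR = "indexesWithKeysAccessedNearEntryLimit"
EXCEEDING = "indexesWithKeysAccessedExceedingEntryLimit"
# Assumed operationType values for the write operations the notes list
# (add, delete, modify, modify DN); anything else is treated as a search.
WRITE_OPS = {"ADD", "DELETE", "MODIFY", "MODDN"}


def summarize_index_limit_hits(lines):
    """Count, per index, how often keys near or over the entry limit were
    accessed, keyed by 'near-by-search', 'exceeding-by-write', etc.
    Returns (summary, number_of_unparseable_lines)."""
    summary = defaultdict(Counter)
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            # Non-JSON lines (e.g. a legacy-format line) are counted, not fatal.
            skipped += 1
            continue
        kind = "write" if rec.get("operationType") in WRITE_OPS else "search"
        for field, label in ((NEAR, "near"), (EXCEEDING, "exceeding")):
            for index_name in rec.get(field, []):
                summary[index_name][f"{label}-by-{kind}"] += 1
    return dict(summary), skipped


def indexes_to_review(summary, near_threshold=2):
    """Names of indexes whose keys exceeded the entry limit at least once,
    or came near it at least near_threshold times, sorted for reporting."""
    flagged = []
    for index_name, counts in summary.items():
        exceeding = counts["exceeding-by-search"] + counts["exceeding-by-write"]
        near = counts["near-by-search"] + counts["near-by-write"]
        if exceeding > 0 or near >= near_threshold:
            flagged.append(index_name)
    return sorted(flagged)


if __name__ == "__main__":
    summary, skipped = summarize_index_limit_hits(SAMPLE_LOG.splitlines())
    for index_name, counts in sorted(summary.items()):
        print(index_name, dict(counts))
    print("unparseable lines:", skipped)
    print("review:", indexes_to_review(summary))
```

The same counting applies unchanged to a real JSON access log read line by line, as long as the two field names are present in the records.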

Updated the verify-index tool to add a "--listIndexKeysNearestIndexEntryLimit" argument to obtain information about the keys whose ID lists are closest to (but have not yet exceeded) the index entry limit, including the number of matching entries and how close they are to reaching the limit.


Added the ability to search for configuration objects and their properties by name with the dsconfig tool.


Added support for log file rotation listeners, which allow for custom processing whenever a log file is rotated out of service so that the server will no longer write to it. A copy listener (which will copy the rotated log file to an alternate location, optionally compressing it in the process), and a summarize listener (which will invoke the summarize-access-log tool on the rotated log file) are included. The Server SDK also includes an API for creating custom log file rotation listeners.


Added support for authenticating with one-time passwords generated by YubiKey devices. The server may be configured to require static passwords in conjunction with YubiKey one-time passwords as a form of two-factor authentication, or it may be configured so that a one-time password alone is sufficient for authentication.


Updated the default file permissions for new installations on UNIX-based systems. Files and directories included in the zip file will only be accessible to their owner (the user that unzipped the file) by default.

Newly-created files and directories will also be assigned permissions that allow them to be accessed only by the account used to run the server. Existing configuration options for setting file permissions (the log-file-permissions and db-directory-permissions properties) will continue to behave as before. The new config/server.umask file will control the default permissions for all other newly-created files and directories.

Updated the initial server configuration to improve security and usability. These changes apply only to new installations and will not be applied when updating an existing installation. Changes include:
  • Updated the default password policy to use a default password storage scheme that uses a salted 256-bit SHA-2 digest rather than a salted SHA-1 digest.
  • Updated the root password policy to use a default password storage scheme of PBKDF2 rather than salted 512-bit SHA-2.
  • Updated the secure password policy to use a default password storage scheme of PBKDF2 rather than a CRYPT variant that uses multiple rounds of 256-bit SHA-2.
  • Updated the password policy import plugin so that it will attempt to use the default password policy to select the password storage scheme(s) to use for entries that do not explicitly specify a password policy. The plugin will also fall back to using a salted 256-bit SHA-2 scheme instead of a salted SHA-1 scheme.
  • A number of weaker password storage schemes have been disabled by default, including base64, clear, unsalted MD5, salted MD5, 3DES, RC4, and unsalted SHA-1.
  • The default password policy has been updated to use a password generator that generates very strong yet memorable passphrases rather than a shorter and less-memorable string of randomly-selected characters.
  • Many of the server loggers have been updated to include additional log elements by default, including the instance name, requester DN, requester IP address, and request controls.
  • The exact match identity mapper has been updated to look at the mail attribute in addition to the uid attribute. When targeting a user with an authentication ID value (as when using SASL authentication or the proxied authorization v2 request control), it is now possible to specify an email address as an alternative to a user ID.
  • The UNBOUNDID-TOTP SASL mechanism handler has been updated to prevent TOTP password reuse by default.
  • Added new request criteria that make it possible to identify requests that target the root DSE or the subschema subentry. The global configuration has been updated so that requests targeting these entries will be in the default exceptions lists if the server is configured to reject insecure or unauthenticated requests.
  • Updated the template that setup generates for creating sample data to use a more logical and user-friendly numeric range. When the user requests N entries, setup would previously number the entries 0 through N-1 (for example, if the user requested 1000 entries, they would be numbered 0 through 999). It is logical for a user to expect them to be numbered 1 through 1000, but this change could break things that expect to find an entry numbered with zero. To address this, if the user requests the server be populated with sample data, setup will create one more entry than actually requested so the numbering will go from 0 to N.

Added the server's process ID to the output of the status tool.


Added a new rotate-log tool to request the rotation of one or more log files.


Addressed a few issues in config-diff. In some situations, config-diff would not generate commands in an order that respected all dependencies. This has been fixed. Most expected warnings are now excluded by default but can be included in the output with the --includeAllWarnings option. The --sourceBindPasswordFile and --targetBindPassword options are now applied in conjunction with the --targetConfigGroup and --sourceConfigGroup options.


Added a --dry-run option to dsconfig, which can be used in batch mode to validate the configuration changes in a batch file without applying them.


Updated the Local DB Backend to detect the database being only partially initialized via a "dsreplication initialize" command. If the backend is started with a partially initialized environment, then the incomplete database files will be deleted, and an alarm will be raised to signal to the administrator that the backend must be reinitialized.


Added support for setting the request header size in the Jetty http configuration server properties.


Updated the offline mode of the rebuild-index tool to improve performance and reduce disk utilization.


Updated the verify-index tool to improve performance and reduce disk utilization.


Improved the collect-support-data tool to include information provided by systemd on platforms that support it.


Updated replication host name checking to support certificate subject alternative names and checking of dNSName extensions.


Improved the dsconfig tool to validate that there is only one enabled entry cache per entry cache level.

Updated command-line tools based on the LDAP SDK tool APIs to add the following features:
  • Tools can obtain default values for any arguments not provided on the command line from a properties file. If it exists, the server's config/tools.properties file will be used by default. Command-line arguments can be used to specify an alternate properties file or to indicate that no properties file should be used.
  • Tools can be launched in an interactive mode, in which the user is prompted for arguments used to establish and authenticate the connection, and for any other required arguments. The user can then use an interactive menu to specify values for any remaining arguments.

The collect-support-data tool now captures Kerberos config and log information.


The configuration framework now trims leading and trailing spaces from distinguished names.


Added a warning during startup for any invalid group entries that are encountered and cannot be used.


Added the ability to create local constants in LDIF template files using the new 'local' keyword.


Added a passphrase password generator that concatenates randomly-selected words from a dictionary file to construct a password that can be both secure and easy to remember.


Updated the Apache commons collections library to address the security vulnerability described by CVE-2015-4852.


Added a monitor entry for each Server SDK extension.


Improved the log message for memory pools with an undefined maximum size when priming a server.


The replication target of the Directory Server now correctly handles the connection being lost during initialization.


Added a --prettyPrint option to the config-diff tool to make the output more human-readable.


Updated the restore command so that it can no longer be used to restore a backup of the config backend. The command now points the administrator to safer ways to revert configuration changes, including using config-diff.


Updated the server's support for the Twilio Messaging Service so that it uses the newer "Messages" API when sending SMS messages instead of the older "SMS" API. The older API has been deprecated, and Twilio now imposes a 120-character limit for messages sent via that API. The messages API allows the server to take advantage of the full 160 characters per SMS message.


Added a new global configuration property, unrecoverable-database-error-mode, which enables configuration of an action to take when an unrecoverable database error occurs.


Improved the logic the server uses when leveraging indexes to identify the set of candidate entries that are expected to match the search criteria. Also, dramatically improved the information about index usage that the server provides when issuing a search that requests the special debugsearchindex attribute, or that includes the matching entry count request control.


Added a maximum-sort-size-limit-without-vlv-index property to the client connection policy configuration. If this property is given a nonzero value, the server will not attempt to sort a result set if the number of candidate entries is greater than this number, unless it can do so using a VLV index. If the server refuses to sort a result set because of this setting, then it will either reject the search (if the server-side sort control is marked critical), or it will return the results unsorted (if the server-side sort control is not critical).


Fixed an issue with the dsjavaproperties tool where java properties for PermSize and MaxPermSize could be added when using JDK 8, which no longer supports these options.


Updated the FIFO Entry Cache's max-memory-percent property to specify the maximum percentage of JVM memory the cache can use. Previously the property specified the maximum percentage of memory that must be consumed in the JVM by the application overall before the cache begins to shrink.


Improved memory utilization when processing entries with very large attributes, to prevent possible data retention in memory.


Added support for JSON-formatted access and error log messages.


Updated the bcrypt, crypt, PBKDF2 and scrypt password storage schemes so they can be used to create new instances.


Fixed a case where attribute syntax configuration changes would not apply to undefined attributes, which rely on default attribute types.


Fixed a formatting issue in ldap-diff which could result in multiple progress messages being printed on the same line.


Updated the server to use the latest 6.4.25 release of Berkeley DB Java Edition.


Updated the pass-through authentication plugin to allow replacing passwords for migration from legacy directory products.


Fixed an issue with the summarize-access-log tool where it would appear to hang due to slow processing of large complex filters.


Server SDK extensions are now built with a Java source version of 1.7 by default.


Improved the message used to indicate when the replication server startup minimum replication backlog processing completes. The message now states that the calculation was done when the server was started, and any missing local replicas that were unavailable for the calculation are listed.


Updated the default set of global ACIs to permit requests that include the simple paged results control.


The former suite of Administrative Console applications, each of which was tied to a particular product (for example the dsconsole.war for the Directory Server), is no longer available and has been superseded by a new version of the Administrative Console capable of managing any server product. You can choose to access the Administrative Console by hosting it within a server, or by deploying it in an external servlet container. For the former, enable an HTTP Connection Handler and add the Administrative Console Web Application Extension to the handler. For the latter, download and unzip the management-console-[version].zip file, and install the ubid-console.war file according to your container's instructions.


Fixed an issue where opening the backend database might fail with an IllegalStateException that references "exploded-index-background-deletes" when there are several backend exploded indexes.


Updated the pass-through authentication plugin to suppress the "force change on reset" behavior if the user's local password is replaced with a password that was accepted by a backend server.


Replaced the scramble-ldif tool with a more powerful transform-ldif tool with support for a number of additional transformation types. The new transform-ldif tool is backward compatible with the former scramble-ldif tool, and the scramble-ldif shell script and batch file are still included with the server to ensure compatibility with scripts that depend on that tool.


Improved the locking strategy for multi-update requests to better accommodate delete and add requests for the same entry. This also enables graceful failures for bad requests, instead of lock timeouts.


Updated the manage-account tool to display labels for recently added password policy extended operation types.


The Configuration API now returns unquoted, native JavaScript values for integer, real number, and boolean properties. Duration and size property values, for example '1 w' or '100 G', continue to be represented as JavaScript string types.


Improved the error messages and examples for create-rc-script and create-systemd-script by explicitly suggesting the use of sudo so that the scripts can modify protected files.


Changed interactive setup default value for HTTPS enablement.


Changed interactive setup default value for entry cache priming.


Added new options to the matching entry count request control to allow the client to better control the balance between how quickly the server obtains the matching entry count estimate and how accurate that estimate is.


Updated the server to reject baseObject searches that request the debugsearchindex attribute.


Updated mirror virtual attribute provider implementation to read values from additional entries when the source entry dn attribute has more than one value.


Improved the error messages for create-rc-script and create-systemd-script when the directory in which the script will be created does not exist.


Added support for a "generate TOTP shared secret" extended operation that allows a client to request that the server generate a shared secret for a specified user that will be stored in the user's entry and returned to the client. That shared secret can be used to generate time-based one-time passwords for use in the course of authenticating to the server through the UNBOUNDID-TOTP SASL mechanism. A "revoke TOTP shared secret" extended operation was also added to allow a shared secret to be eliminated if it is no longer needed or may have been compromised. The password policy state extended operation and the manage-account command-line tool have also been updated to provide support for manipulating the set of TOTP shared secrets for a user.


Updated interactive setup to display default values, and improved the overall layout and appearance.


Fixed a bug that could cause the same filter index to be evaluated multiple times when processing a search operation.


Addressed an issue where dsconfig incorrectly allowed certain configuration objects to be deleted.


Improved the error messages produced by the manage-extensions tool when attempting to install invalid extensions.


Increased the default cache size set by the installer for JVM heaps smaller than 8GB.


Updated the global ACIs that ship with the server to use a separate ACI for each control or extended request to allow by default, rather than grouping all desired controls together in one ACI and all desired extended requests together in a second ACI. This change will only be reflected in new installations, and not when updating an existing deployment.


Root DN User configuration entries can now be fully managed through the configuration management interfaces such as dsconfig and the Administrative Console.


Provided a graphical tool, watch-entry, that is intended to demonstrate replication or synchronization latency by watching an LDAP entry for changes. If the entry changes, then the background of the modified attributes will temporarily turn red. Attributes can also be modified directly from the tool.


Added more logging information when initializing web application and servlet extensions in case an extension causes conflicts or delays.


The backend is no longer locked with an exclusive lock when renaming an entry due to an add conflict during replication.


Updated the changelog backend to report progress and summary information when exporting to LDIF or importing from LDIF. Also fixed a problem that could prevent valid entries from being imported because of a mistaken schema violation.


Added the ssl-cert-nickname property to the HTTP Connection Handler. If multiple public-private key pairs are in a JKS keystore, the LDAP Connection Handler enables choosing a specific certificate alias with the ssl-cert-nickname property. The HTTP Connection Handler for HTTPS connections now has the same option for parity.


Fixed a defect in which removing an objectClass value could result in an entry that violates the schema. The server now ensures that the entire entry is valid whenever objectClasses are added or removed.


Updated setup to encode the root password with the PBKDF2 password storage scheme instead of SSHA512.


The updater tool now increases the PermSize and MaxPermSize parameters to the recommended value to prevent JVM pauses.


Added support for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism that indicates that an application attempted to verify the identity of a user whose account is stored in the server but that used a form of authentication that is external to the server (for example, via social login). The server will not alter the authentication state of the underlying connection, but may veto a successful external authentication if the user's account is not in a usable state (for example, the account is locked or disabled, or the password is expired), or it may update password policy state for the user to reflect the authentication attempt (for example, updating the last login time and IP address for a successful authentication, or recording the failed attempt and potentially locking the account for an unsuccessful authentication).


Increased the minimum memory requirements for the server process from 256MB to 384MB to accommodate the Administrative Console.


Added a load-ldap-schema-file tool that will allow the server to recognize a new schema file, or an updated version of an existing schema file, and make the definitions immediately available without needing to restart the server.


Changed the dsjavaproperties command so that its --initialize operation now carries over properties that are tool-independent from an existing java.properties file, such as the default java home and the tuning parameters.


Added the default JVM argument "-XX:+UseCMSInitiatingOccupancyOnly" to decrease server pauses by forcing the JVM to respect the CMSInitiatingOccupancyFraction.


Fixed an error that could occur during upgrade when the configuration can not be loaded due to missing custom schema.


Updated the Groovy Scripting Language version to 2.4.6.


Fixed an issue that prevented the deletion of disabled debug loggers.


Added the ability to define an ACI to grant regular users access to the debugsearchindex operational attribute. This attribute can be used to obtain detailed information about the server's use of indexes in the course of processing a search request, and it was previously accessible only to users with either the bypass-acl or bypass-read-acl privilege.

To grant this access, you will need to permit access to both the debugsearchindex operational attribute, and to the cn=debugsearch portion of the DIT. For example, if you have a group with DN "cn=debugsearchindex Users,ou=Groups,dc=example,dc=com" and you want to grant the members of that group the ability to use the debugsearchindex feature, you can use the following command to add an appropriate global ACI to permit that access:

dsconfig set-access-control-handler-prop --add "global-aci:(targetattr=\"debugsearchindex\")(target=\"ldap:///cn=debugsearch\")(version 3.0; acl \"Allow members of the debugsearchindex Users group to request the debugsearchindex operational attribute\"; allow (read,search,compare) groupdn=\"ldap:///cn=debugsearchindex Users,ou=Groups,dc=example,dc=com\";)"

In addition, the server now allows the debugsearchindex attribute to be requested in a case-insensitive manner. Previously, the server would only recognize debugsearchindex in all lowercase. It can now be requested in mixed case, like debugSearchIndex.
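An added example, not from these release notes or the product: a small Python check that parses a global ACI of the kind shown above (with a minimal, assumed ACI parser, not the server's own) and confirms that a debugsearchindex grant stays scoped to that one attribute, the cn=debugsearch subtree, read/search/compare only, and a named group or user, so the index-debugging detail is not exposed to every authenticated user.

```python
import re

# Constructed sample: the global ACI from the note above, as the raw value
# dsconfig stores (without the shell-level \" escaping).
SCOPED_ACI = (
    '(targetattr="debugsearchindex")(target="ldap:///cn=debugsearch")'
    '(version 3.0; acl "Allow members of the debugsearchindex Users group to '
    'request the debugsearchindex operational attribute"; '
    'allow (read,search,compare) '
    'groupdn="ldap:///cn=debugsearchindex Users,ou=Groups,dc=example,dc=com";)'
)
# Constructed counter-example: grants every attribute, everywhere, to anyone.
BROAD_ACI = (
    '(targetattr="*")(version 3.0; acl "too broad"; '
    'allow (all) userdn="ldap:///anyone";)'
)

_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_TARGET = re.compile(r'\(target\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_RULE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.IGNORECASE)


def parse_aci(aci: str) -> dict:
    """Hypothetical minimal v3 ACI parser: returns targetattr, target and the
    list of (allow|deny, permission set, bind rule) tuples found in the ACI."""
    ta = _TARGETATTR.search(aci)
    tg = _TARGET.search(aci)
    rules = [
        (kind.lower(), {p.strip().lower() for p in perms.split(",")}, bind.strip())
        for kind, perms, bind in _RULE.findall(aci)
    ]
    return {
        "targetattr": ta.group(1) if ta else None,
        "target": tg.group(1) if tg else None,
        "rules": rules,
    }


def is_scoped_debugsearchindex_grant(aci: str) -> bool:
    """True only when the ACI allows read/search/compare on debugsearchindex
    (attribute names compare case-insensitively, as LDAP does), restricted to
    ldap:///cn=debugsearch, and bound to a named groupdn/userdn, not anyone/all."""
    parsed = parse_aci(aci)
    if (parsed["targetattr"] or "").lower() != "debugsearchindex":
        return False
    if (parsed["target"] or "").lower() != "ldap:///cn=debugsearch":
        return False
    for kind, perms, bind in parsed["rules"]:
        if kind != "allow" or not perms <= {"read", "search", "compare"}:
            return False
        if not re.match(r'(groupdn|userdn)="ldap:///', bind, re.IGNORECASE):
            return False
        if "ldap:///anyone" in bind.lower() or "ldap:///all" in bind.lower():
            return False
    return bool(parsed["rules"])
```

The same check can be run over every value of the access control handler's global-aci property to find debugsearchindex grants that are wider than the example intends.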


Updated the server SDK generated documentation to use the new logo and new icon.


Replaced the tabs in parallel-update log messages for failure with spaces and made the log message timestamps consistent with other logs.


The Data Services Markup Language (DSML) client and gateway components have been discontinued and are no longer available.


Improved server performance by reducing the cost of determining the transaction settings for interacting with the backend database.


Changed default number of HTTP request handlers from 2 times to 4 times the number of processors available to the Java virtual machine to improve performance. For example, the default has increased from 128 to 256 on a dual-socket, 8-core x64 CPU-based system with hyper-threading enabled.


Updated the server to allow users with expired passwords to authenticate with SASL mechanisms that do not involve passwords.


Updated the unique attribute plugin so that the filter property applies to conflict searches, and matches entries being added or modified.


Added an r) option in dsconfig interactive mode that shows how to perform the pending operation through the configuration REST API. Added a --rest option to config-diff that changes the output from dsconfig command-line arguments to configuration REST API arguments.


Added memory tracking to the FIFO Entry Cache. The memory usage of the FIFO Entry Cache is about 10% less than reported, but is not likely to be higher than reported.

Rewrote the manage-account tool to provide many new features:
  • Added the following new subcommands:
    • get-account-is-usable
    • get-account-usability-notice-messages
    • get-account-usability-warning-messages
    • get-account-usability-errors-messages
    • get-account-is-not-yet-active
    • get-account-is-expired
    • get-password-is-expired
    • get-password-expiration-time
    • get-account-is-failure-locked
    • set-account-is-failure-locked
    • get-failure-lockout-time
    • get-account-is-idle-locked
    • get-idle-lockout-time
    • get-account-is-password-reset-locked
    • get-password-reset-lockout-time
    • get-account-activation-time
    • set-account-activation-time
    • clear-account-activation-time
    • get-seconds-until-account-activation
    • get-last-login-ip-address
    • set-last-login-ip-address
    • clear-last-login-ip-address
    • get-password-history-count
  • Added new ways to target multiple users with a single command. It was already possible to provide a file with the DNs of the users to target. There are now additional options for providing one or more search filters or user IDs to identify which users to target.
  • Added automatic retry support. If an operation fails in a manner that indicates the connection is no longer valid, the tool will retry the operation on a newly-created connection. It is also possible to provide multiple host name and port values to allow operations to be sent to multiple servers.
  • Added the ability to use multiple threads to operate more quickly when targeting multiple users.
  • Added the ability to limit the rate at which the tool operates. The target rate may be specified as a fixed number of operations per second, or it may vary over time.
  • Changed the output format so that the result of each operation is provided in an LDIF representation. The output remains easy for a person to read, but it is now much easier to consume programmatically.
  • Added the ability to send the output to a specified file instead of or in addition to standard output. Also added the ability to write a reject file that contains only information about those operations that were not completed successfully.

Improved the warnings given when the maximum memory that all server components can consume is greater than the available memory in the JVM.


Updated the isMemberOf virtual attribute implementation so that it preserves the case of the RDN attribute and value in the group DNs.


Updated the changelog backend to better deal with the case in which it encounters information about an orphaned operation in its pending changes map.


Updated the password policy state extended operation and the manage-account tool to provide a way to obtain a list of the SASL mechanisms and OTP delivery mechanisms that are available to a user, to determine whether a user has a TOTP shared secret, and to retrieve and manipulate the set of public IDs for the YubiKey OTP devices registered for a user.


Fixed an issue where update verification failed to catch a problematic update that caused the server not to start.


Improved an error message about a possible database recovery operation that may be triggered after a database restore from an online backup or during replication binary initialization. In rare cases, the database recovery may cause a delay while opening the database.


If a replicated operation has failed multiple times as a result of database lock conflicts resulting from interactions with other operations, the server will now acquire an exclusive lock before making a final attempt at processing that operation to ensure that no other operations will be allowed to conflict with it.


Updated the local DB backend to provide an option to use a single-writer lock to avoid database lock conflicts between operations by ensuring that only a single write operation may be in progress at any time.

By default, write operations do not acquire the single-writer lock and are fully concurrent as long as none of those operations result in database lock conflicts. In the event that a lock conflict does arise between two or more operations (which should be a very rare occurrence in most environments), the server will retry each of those operations one or more times. With the changes included in this update, the server will now also acquire the single-writer lock to ensure that it only processes one of those conflicting operations at a time, reducing the likelihood of a further conflict.

In environments with a very large number of database lock conflicts, it may be desirable to configure the server to acquire the single-writer lock even on the first attempt of each write operation. This can be accomplished by setting the single-writer-lock-behavior property to always-acquire in the backend configuration. While this can limit the overall write performance that the server can achieve, the server should still be able to process thousands of write operations per second, which is more than enough for most deployments.

The use of the single-writer lock does not have any effect on the concurrency of read operations. The server may still process any number of read operations simultaneously, even when the single-writer lock is used to ensure that only one write operation may be processed at any time.


Updated the sanitize-log tool to add support for JSON-formatted access and error log files.


Fixed an issue in which a password modify extended request that included the target user's current password could be seen as an administrative reset rather than a self change and might put the user's account in a "must change password" state if the user's password policy has force-change-on-reset set to true.


Fixed an issue that prevented the server from using the allowed-unauthenticated-request-criteria property to indicate which extended operations would be allowed on an unauthenticated connection when reject-unauthenticated-requests was set to true.


Fixed an issue that could prevent password reset tokens from being used on locked accounts when the server was configured to permit such changes.


Updated the password modify extended operation to enable a user to provide an expired password, as long as the user has at least one available grace login.


Fixed an issue with JSON field indexing that could occur if the same field value appeared in multiple attribute values in the same entry, when at least one of those field values was removed or changed and at least one remained the same.


Fixed a null-pointer exception error that occurred when performing a bounded range search on an unindexed attribute.


CollectSupportData now collects into gc-with-context all log messages for all stop-the-world GC events longer than one second, along with the two preceding log messages.


Updated the pass-through authentication plugin to make it possible to search for the appropriate user entry in the external server using a filter constructed from attributes in the local server's copy of the user entry. This makes it possible to use pass-through authentication in cases where the user's entry has a different DN in the external server than in the local server, and where the DN for the external server cannot be constructed from the information contained in the local copy of the user entry.


Fixed an issue in which the server may fail to identify matching entries for an OR JSON object filter that targets an attribute for which at least one JSON field index is defined, but where at least one of the OR filter components is unindexed.