This release of the PingDirectory Server addresses critical issues from earlier versions. Update all affected servers appropriately.
No critical issues have been identified in this release.
The following issues have been resolved with this release of the PingDirectory Server:
Fixed a bug where restoring an incremental backup could result in the server not being able to start.
Fixed an issue that caused the server to return an objectClassViolation result code instead of the more appropriate attributeOrValueExists result code when trying to modify an entry to add an object class that already exists in that entry.
Updated setup and the replace-certificate tool to improve the way we generate self-signed certificates and certificate signing requests to make them more palatable to clients.
To reduce the frequency with which administrators had to replace self-signed certificates, we previously used a very long lifetime for self-signed certificates generated by setup or the replace-certificate tool. However, some clients (especially web browsers and other HTTP clients) have started objecting more strenuously to certificates with long lifetimes, so we now generate self-signed certificates with a one-year validity period. The inter-server certificate (which is used only internally within the server and is not exposed to normal clients) is still created with a twenty-year lifetime.
Also, the replace-certificate tool's interactive mode has been updated to improve the process that it uses to obtain information to include in the subject DN and subject alternative name extension for self-signed certificates and certificate signing requests. The following changes have been made in accordance with CA/Browser Forum guidelines:
* When selecting the subject DN for the certificate, we list a number of common attributes that may be used, including CN, OU, O, L, ST, and C. We previously indicated that only the CN attribute was recommended. We now indicate that the O and C attributes are recommended as well.
* When obtaining the list of DNS names to include in the subject alternative name extension, we previously suggested every name that we could find associated with interfaces on the local system. In many cases, we now omit unqualified names and names that are associated with loopback interfaces. The tool also warns about any attempt to add an unqualified or invalid name to the list.
* When obtaining the list of IP addresses to include in the subject alternative name extension, we previously suggested all addresses associated with all network interfaces on the system. We no longer suggest addresses associated with loopback interfaces, and we no longer suggest addresses in IANA-reserved ranges (for example, addresses reserved for private-use networks). The tool now warns about any attempt to add one of these addresses to the subject alternative name extension.
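The following is an added example, not code from PingDirectory or from the replace-certificate tool: a Python screening of candidate subject alternative name values that applies the rules described above (omit unqualified, invalid, and loopback DNS names; omit loopback and IANA-reserved IP addresses; warn about what was dropped), plus a check of a certificate's validity period against the 398-day maximum that major browsers enforce for TLS server certificates (the release notes themselves only commit to a one-year lifetime). The sample hostnames and addresses are constructed for the example; the function names are my own.

```python
"""Screen candidate subjectAltName values for a self-signed server certificate.

Added example (not PingDirectory code). Rules implemented:
  dNSName:   drop unqualified names, invalid names, and loopback names
  iPAddress: drop loopback and IANA-reserved addresses (private-use,
             link-local, documentation, multicast, etc.)
Each rejected candidate produces a warning, mirroring the tool's behaviour.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# One RFC 1123 hostname label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Assumed limit: browsers reject TLS server certificates valid for more than 398 days.
MAX_LEAF_LIFETIME_DAYS = 398


def check_dns_name(name):
    """Return None if `name` may go into a SAN dNSName, else the reason it is rejected."""
    n = name.strip().rstrip(".").lower()
    if not n or len(n) > 253:
        return "invalid"
    if n in _LOOPBACK_NAMES or n.endswith(".localhost"):
        return "loopback"
    labels = n.split(".")
    if any(not _LABEL.match(label) for label in labels):
        return "invalid"
    if len(labels) < 2:
        return "unqualified"
    if labels[-1].isdigit():
        # An all-numeric last label means an IP address was pasted as a DNS name.
        return "invalid"
    return None


def check_ip_address(addr):
    """Return None if `addr` may go into a SAN iPAddress, else the reason it is rejected."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:          # 127.0.0.0/8 and ::1; tested before is_private, which also covers it
        return "loopback"
    if (ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global):
        return "reserved"       # private-use, link-local, documentation, shared address space, ...
    return None


def filter_san(dns_candidates, ip_candidates):
    """Split candidates into accepted SAN values and a list of warnings for the rejects."""
    accepted = {"dns": [], "ip": []}
    warnings = []
    for name in dns_candidates:
        reason = check_dns_name(name)
        normalized = name.strip().rstrip(".").lower()
        if reason is not None:
            warnings.append(f"dNSName {name!r} omitted: {reason}")
        elif normalized not in accepted["dns"]:
            accepted["dns"].append(normalized)
    for addr in ip_candidates:
        reason = check_ip_address(addr)
        if reason is not None:
            warnings.append(f"iPAddress {addr!r} omitted: {reason}")
        else:
            accepted["ip"].append(str(ipaddress.ip_address(addr.strip())))
    return accepted, warnings


def lifetime_acceptable(not_before, not_after, max_days=MAX_LEAF_LIFETIME_DAYS):
    """True if the validity window is positive and no longer than `max_days`."""
    return timedelta(0) < (not_after - not_before) <= timedelta(days=max_days)


# Constructed sample input: what a tool might harvest from local interfaces and /etc/hosts.
SAMPLE_DNS = ["ds1.example.com", "DS1", "localhost", "ldap.example.com.",
              "bad_host.example.com", "10.0.0.5"]
SAMPLE_IPS = ["127.0.0.1", "10.0.0.5", "169.254.10.2", "::1", "fe80::1",
              "203.0.113.10", "8.8.8.8", "not-an-ip"]

if __name__ == "__main__":
    ok, warns = filter_san(SAMPLE_DNS, SAMPLE_IPS)
    print("accepted:", ok)
    for w in warns:
        print("warning:", w)
    one_year = lifetime_acceptable(datetime(2024, 1, 1), datetime(2025, 1, 1))
    twenty_years = lifetime_acceptable(datetime(2024, 1, 1), datetime(2044, 1, 1))
    print("one-year cert acceptable:", one_year, "| twenty-year cert acceptable:", twenty_years)
```

Note that the documentation range 203.0.113.0/24 is rejected along with RFC 1918 space, which is the intended behaviour: a name or address that no external client will ever resolve to the server has no business in the SAN, and leaving it out is also what keeps the certificate acceptable to the CA/Browser Forum rules the tool now follows.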
Increased the maximum number of RDN components that a DN may have from 50 to 100.
Updated the system information monitor provider to restrict the set of environment variables that may be included. Previously, the monitor entry included information about all defined environment variables, as that information can be useful for diagnostic purposes. However, some deployments may include credentials, secret keys, or other sensitive information in environment variables, and that should not be exposed in the monitor. The server will now only include values from a predefined set of environment variables that are expected to be the most useful for troubleshooting problems, and that are not expected to contain sensitive information.
Added the ability to retry operations that fail during replication replay when the failure is likely caused by dependent writes being replayed out of order. This issue only affected environments that sent writes to different servers and were also unable to use the appropriate level of replication assurance. To enable this behavior, set the on-replay-failure-wait-for-dependent-ops-timeout configuration property on the replication domain.
Fixed an issue where the "format" field is omitted from the list of operational attribute schemas in the Directory REST API.
The Security Guide is now available online at pingidentity.com and has been removed from the server packaging.
Fixed an issue where Directory Server sometimes reports erroneous warnings about duplicate jar files.
Updated the server to allow the operation purpose control to be used for operations that are part of an LDAP transaction.
Fixed an issue in which a missing timestamp recording the enable time could cause the server to enter lockdown mode because of apparently missing changes. The problem manifested as change numbers and error messages carrying dates around the year 1970 (the Unix epoch).