Upgrade Considerations

Important considerations for upgrading to this version of PingDirectory Server:

Important:

If you plan to upgrade servers using a mixed-version environment where one version is earlier than 7.0 and some of the servers are still using the admin backend while others have been updated to the topology registry, do not attempt to make size changes to the topology. You cannot remove any existing servers (using dsreplication disable) or add new servers (using dsreplication enable) when in this transitional state of partially-updated servers. When a topology has been completely migrated to a 7.0 or later version with the topology registry, changes to the topology size are allowed, even in mixed-version environments (for example, mixed 7.3 and 8.3).

  • If you have upgraded a server that is in a cluster (that has a cluster name set in the Server Instance configuration object) to version 8.1, you will not be able to make cluster configuration changes until all servers with the same cluster name have been upgraded to version 8.1. If needed, you can create temporary clusters based on server versions and modify each of the servers' cluster name appropriately to minimize the impact while you are upgrading.

  • The bypass-pw-policy privilege was intended to provide a way for administrators to bypass certain password restrictions that would normally be imposed when managing passwords for other users. A user with this privilege could use it to bypass password validation for their own entry. The bypass-pw-policy privilege now only applies when changing another user’s password (that is, an administrative password reset), and only in the following scenarios:
    • A user with this privilege will be permitted to set pre-encoded passwords.
    • A user with this privilege will be permitted to set passwords that would otherwise be rejected by one or more password validators.
    • A user with this privilege will be permitted to set passwords that match the current password or that are in the password history.
    The privilege will only apply when changing the password for another user, and it will have no effect for a self password change. Further, a user with this privilege will no longer be exempted from any other restrictions in their own password policy. Before upgrading, you should search for users that have the bypass-pw-policy privilege and check for compatibility issues. You can use the existing password validators and a custom password policy to enforce passwords for administrative users.
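    The pre-upgrade search described above, worked through as an added example (not PingDirectory's own code): it parses the LDIF that an ldapsearch for the privilege returns and lists each holder together with the password policy assigned to it, so that policy's validators can be reviewed before the upgrade. The ldapsearch command shape in the docstring, the sample LDIF and the hostnames are assumptions.

```python
"""Pre-upgrade audit of bypass-pw-policy holders from ldapsearch LDIF output.

Added example, not PingDirectory's own code. It reads the LDIF produced by a
search such as the following (command shape assumed, not taken from the page):

    ldapsearch --hostname ds.example.com --port 636 --useSSL \
      --bindDN "cn=Directory Manager" --bindPasswordFile /path/to/pw \
      --baseDN dc=example,dc=com "(ds-privilege-name=bypass-pw-policy)" \
      ds-privilege-name ds-pwp-password-policy-dn
"""
import base64
from typing import Dict, List, Optional, Tuple

PRIVILEGE_ATTR = "ds-privilege-name"
POLICY_ATTR = "ds-pwp-password-policy-dn"
TARGET_PRIVILEGE = "bypass-pw-policy"

# Constructed sample output; not real directory data. It exercises a base64
# ("::") value, a folded continuation line, and an entry without the privilege.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-privilege-name: bypass-pw-policy
ds-privilege-name: config-read
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

dn: uid=helpdesk.admin,ou=People,dc=example,dc=com
ds-privilege-name: password-reset
ds-privilege-name:: YnlwYXNzLXB3LXBvbGljeQ==

dn: uid=svc.sync,ou=Services,dc=example,dc=com
ds-privilege-name: bypass-pw-policy
ds-pwp-password-policy-dn: cn=Service Account Policy,cn=Password Policies,
 cn=config

dn: uid=auditor,ou=People,dc=example,dc=com
ds-privilege-name: config-read
"""


def _unfold(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into one {attribute-name (lower-case): [values]} dict per entry.

    The entry's DN is stored under the key "dn". Base64 values ("attr:: ...")
    are decoded; comment lines are skipped.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text.splitlines()) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def find_bypass_holders(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, Optional[str]]]:
    """Return (dn, assigned policy DN or None) for every entry holding bypass-pw-policy.

    None means no explicit policy is assigned, so the server's default password
    policy applies to that account.
    """
    holders: List[Tuple[str, Optional[str]]] = []
    for entry in entries:
        privileges = {p.lower() for p in entry.get(PRIVILEGE_ATTR, [])}
        if TARGET_PRIVILEGE in privileges:
            policy = entry.get(POLICY_ATTR, [None])[0]
            holders.append((entry["dn"][0], policy))
    return holders


def main() -> None:
    for dn, policy in find_bypass_holders(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n    policy: {policy or '(default password policy)'}")


if __name__ == "__main__":
    main()
```

For a real audit, pipe the ldapsearch output into parse_ldif instead of SAMPLE_LDIF and compare each listed policy's validators against the ones those accounts previously bypassed.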
  • Missing changes will now be detected when the backend is reverted and there are insufficient changes in the changelog database. While in this particular missing-changes state, the local replica will not accept changes from the local replication server.
  • Fixed an issue in which the server could incorrectly evaluate a matched values request control containing an extensible match filter that specified both an attribute type and a matching rule. The server incorrectly used the attribute type's equality matching rule instead of the matching rule specified in the filter.
  • Updated the "delay bind response" failure lockout action to provide an option to delay the response to bind requests initiated by non-LDAP clients (for example, when using HTTP basic authentication). This option is disabled by default because delaying the bind response for non-LDAP clients may require temporarily blocking the thread used to process the request, which could increase the risk of a denial-of-service attack. To help mitigate this risk, if you enable delayed bind responses for non-LDAP clients, we recommend that you also increase the number of request handler threads for all enabled HTTP connection handlers.
  • Updated setup to create a second encryption settings definition if data encryption is enabled. It will continue to create a definition for 128-bit AES encryption for use as the preferred definition to preserve backward compatibility with existing servers in the topology, but it will now also generate a definition for 256-bit AES encryption. The 256-bit AES definition may become the preferred definition in a future release, but you can use it now by first ensuring that any existing instances are updated to contain the new definition (with the "encryption-settings export" and "encryption-settings import" commands) and then making it the preferred definition (with "encryption-settings set-preferred") in all instances.
  • Fixed an issue that could prevent the uninstaller from removing information about the instance from the topology registry.

Critical Fixes

This release of PingDirectory Server addresses critical issues from earlier versions. Update all affected servers appropriately.

  • Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.

    • Fixed in: 8.1.0.0
    • Introduced in: 5.2.0.0
    • Support identifiers: DS-41301
  • Addressed an issue where replication could incorrectly detect a backlog that never clears when updating from a pre-7.3 to a 7.3 or later version. This issue requires that servers were previously removed from the topology, and it has been seen rarely.

    • Fixed in: 8.1.0.0
    • Introduced in: 7.3.0.0
    • Support identifiers: DS-40955
  • Fixed a memory leak when performing SCIM queries on PingDirectory Server.

    • Fixed in: 8.1.0.0
    • Introduced in: 7.2.0.0
    • Support identifiers: DS-41206 SF#00681395
  • Addressed an issue that could lead to slow off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.
    • Fixed in: 8.0.0.1
    • Introduced in: 5.2.0.0
    • Support identifiers: DS-41301

  • Fixed an issue that could cause the server to report an "Unable to decode a blacklist key" error while trying to open a local DB backend after an unclean shutdown.
    • Fixed in: 8.0.0.0
    • Introduced in: 7.2.0.0
    • Support identifiers: DS-40788
  • The following enhancements were made to the topology manager to make it easier to diagnose connection errors:

    • Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
    • Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
      • Fixed in: 7.3.0.0
      • Introduced in: 7.0.0.0
      • Support identifiers: DS-38334 SF#00655578
  • The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.
    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38344 SF#00655578
  • The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38335 SF#00655578
  • Fixed the following two issues in which the server could have exposed some clear-text passwords in files on the server file system:
    • When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
    • When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

    In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Furthermore, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

    We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.

    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38897 DS-38908

  • The following enhancements were made to the topology manager to make it easier to diagnose connection errors:

    • Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
    • Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
      • Fixed in: 7.2.1.0
      • Introduced in: 7.0.0.0
      • Support identifiers: DS-38334 SF#00655578
  • The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved.
    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38344 SF#00655578
  • The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38335 SF#00655578
  • Addressed an issue where an InvalidKeyException could occasionally be reported by import-ldif. The error message for this problem resembles, "An unexpected error occurred during merge processing for index 'dc_example_dc_com_sn.equality': InvalidKeyException: The provided passphrase is invalid."
    • Fixed in: 7.2.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-37313
  • Fixed the following two issues in which the server could have exposed some clear-text passwords in files on the server file system:
    • When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
    • When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

    In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

    We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.

    • Fixed in: 7.0.1.3
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38897 DS-38908
  • Addressed an issue in "dsreplication enable/initialize" that prevented servers from some previous versions (5.2.0.5 and earlier and 6.0.0.*) from initializing newer servers. Servers from these prior versions can now be used to enable replication with current versions of the server.
    • Fixed in: 7.0.0.0
    • Introduced in: 5.2.0.5
    • Support identifiers: DS-35528 SF#624368
  • Fixed a very rare race condition with the Frequently Accessed Entry Cache which could lead to an index being marked as degraded and requiring a rebuild.

    The problem is unlikely to happen outside of testing environments since it requires modifying a single entry over 1000 times per second across multiple servers concurrently.

    • Fixed in: 7.0.0.0
    • Introduced in: 5.2.0.6
    • Support identifiers: DS-35616 SF#00625189
  • Addressed an issue where an index key could incorrectly be reported as exceeding the index-entry-limit after one billion entries had been imported or added to the directory server. The directory server does not need to contain one billion entries at the same time to be affected by this issue since the entry ID will always increase for each added entry even if entries are deleted. Environments that have experienced this issue should export and reimport their data after applying this patch.
    • Fixed in: 7.0.0.0
    • Introduced in: 2.0.0.0
    • Support identifiers: DS-35790 SF#00625942

What's New

These are new features for this release of PingDirectory Server:

  • The collect-support-data tool will now collect additional files if Delegated Admin is configured within PingDirectory Server. These files include the config.js configuration file, the version file, and any custom files used to create customized UI fields. This information can be useful when troubleshooting issues with the Delegated Admin application.

  • In an ongoing effort to improve the use of containers for PingDirectory Server, several features have been implemented:

    • The --outputFile option has been added to the collect-support-data tool. You can now specify either a path, a file name, or a path and file name for the resulting CSD file. This means an administrator can run the collect-support-data tool and put the output file into a directory outside of the container, allowing access to the file without having to actually connect to the container.
    • The collect-support-data tool can now be run as a recurring task. Recurring tasks can be created using the Administration console which means that administrators do not have to connect to the container in order to run the tool.
    • The manage-profile command used for creating server profiles can also be run as a recurring task from the Administration Console. Running manage-profile as a task creates an archive file that can be downloaded with the HTTP File Servlet. This allows updated server profiles to be created from PingDirectory Server running in a container.
    • A Collect Support Tool Extended Operation has been added allowing LDAP clients to initiate the collect-support-data tool and to receive the output of the request. The LDAP SDK has been updated to support this and the --remoteServer option added to the collect-support-data tool itself can be used to send the request to another server. In other words, you can now run collect-support-data on the command line and reference another server, possibly in a container, and retrieve the output file remotely.
  • The SCIMv2 REST API was added to PingDirectory Server 8.0. Now developers can "join" separate objects into one query that allows PingDirectory Server to present distinct objects in LDAP as a single SCIM Resource object. There are two general scenarios where this functionality will be used:
    • Primary and Secondary resources, where the secondary resource is represented as a field of the primary resource
    • Composite resources, where the SCIM endpoint server stitches together scattered data into a coherent resource with which the user can interact
  • PingDirectory Server has a Consent REST API that allows users to create and store consents. This new feature now allows users to search for consents that have been granted to them by another party.
  • PingDirectory Server now supports the ability to create composed attributes, which, like virtual attributes, are derived from other attributes. Unlike virtual attributes, however, composed attributes are stored in the backend: they are persistent and can be indexed.
  • To address the need for clients to obtain information about account and password policy states, a new virtual attribute Password Policy State JSON, that is a JSON object, provides read-only access to a number of account state and password policy state properties. Since the value is a JSON object, it should be easily consumable by HTTP clients using SCIM and the Directory REST API.
  • PingDirectory Server currently has an HTTP file servlet extension that can be used to access files on the server filesystem. This can be used for several purposes such as serving static HTML pages. In this version, the HTTP file servlet now supports basic authentication. Users can authenticate with either a distinguished name or username. Additionally, a new file servlet will be configured automatically when creating a PingDirectory Server instance. This servlet will have the instance's install directory as its base directory and can be used to access items such as configuration, log files, and backups. Directory indexing is enabled so you can browse available files. When using this file servlet, authentication is required, and access is restricted to users with the file-servlet-access privilege.
  • To assist with recovering from the split-brain state, the "dsreplication initialize" command will have a new "--force" option that overrides the lockdown check.
  • Missing changes will now be detected when the backend is reverted and there are insufficient changes in the changelog database. While in this particular missing-changes state, the local replica will not accept changes from the local replication server.

Known Issues/Workarounds

The following are known issues in the current version of PingDirectory Server:

  • Several known issues can occur when you use the Administrative Console with Tomcat 9.0.31. You can resolve these issues by upgrading to Tomcat 9.0.33 or later.

  • If you use the create-systemd-script tool to create a forking systemd service and then stop the service with the "systemctl stop ping-directory.service" command, the output of "systemctl status ping-directory.service" might contain an indication of failure: "Active: failed (Result: exit-code)". This is caused by the way the service exits and is harmless.

Resolved Issues

The following issues have been resolved with this release of PingDirectory Server:

Ticket ID Description
DS-1046,DS-1204,DS-36547

Added support for remotely invoking the collect-support-data tool using an administrative task, and for invoking the tool on a regular basis as a recurring task. The tool has also been updated to add an outputPath argument to allow specifying the path or name to use for the output file.

DS-1103,DS-41138,DS-41956,DS-41957

Updated the password policy configuration to add support for alternate failure lockout actions, which can customize the behavior the server exhibits for an account with too many outstanding authentication failures. Available implementations include:

* A "Lock Account" action that will prevent the user from authenticating or from being used as an alternate authorization identity. This matches the behavior that the server exhibited in the past when the password policy was configured to lock accounts after too many failed authentication attempts, and it remains the default behavior unless an alternative is configured.

* A "Delay Bind Response" action that will allow the user to authenticate if they provide the correct credentials and their account is not otherwise unusable, but it will delay the bind response (regardless of its ultimate success or failure) by a specified duration to limit the rate at which an attacker can attempt to guess the password. The account will be permitted as an alternate authorization identity without any delay imposed for those operations.

* A "No Operation" action that will not prevent or otherwise interfere with the ability to use the account to authenticate or as an alternate authorization identity, but it will still be reported as having too many failed authentication attempts for the purposes of account status notifications, the password policy state extended operation, and the password policy state JSON virtual attribute.

DS-10216

Updated the GSSAPI SASL mechanism handler to support integrity and confidentiality protection for client communication.

DS-11505

Changed the behavior the server exhibits for users with the bypass-pw-policy privilege. Although this privilege was primarily intended to allow administrators to be exempted from certain password policy restrictions while managing other user accounts, it also previously exempted the user from restrictions that should be imposed by their own password policy.

As a result of these changes, the bypass-pw-policy privilege now only permits the following:

* An account with this privilege will be permitted to set pre-encoded passwords in other user entries, regardless of the value of the allow-pre-encoded-passwords setting in the target user's password policy. This does not apply when the privileged user is changing their own password.

* An account with this privilege will be permitted to set passwords in other user entries that would otherwise be rejected by one or more password validators configured in the target user's password policy. This does not apply when the privileged user is changing their own password.

* An account with this privilege will be permitted to set passwords in other user entries when the new password is in the target user's password history. This does not apply when the privileged user is changing their own password.

If the previous behavior (in which a privileged user is not subject to password policy restrictions for their own account) is desired, the user should be assigned a password policy that is not configured with the restrictions that are not wanted.

DS-36573

The minimum required heap size for installing PingDirectory Server has been increased to 768 MB. Other product sizes are unchanged.

DS-36726

Improved performance when adding entries that match very large composite index keys.

DS-37829

The "create-systemd-script" CLI now creates a "forking" service file since Ping services are started by a process (the "start-server" script) that is different from the actual service process.

DS-38122

Added support for an extended operation that can be used to invoke the collect-support-data tool from a remote system and stream the output and resulting support data archive back to the client. The collect-support-data command-line tool has been updated to support this capability through the new --useRemoteServer argument.

DS-38535

Fixed an issue that could cause the server to generate an administrative alert about an uncaught exception when trying to send data on a TLS-encrypted connection that is no longer valid.

DS-38585

Added gauge "Replication Purge Delay" in order to protect against missing changes. The new gauge will have a warning and critical threshold with respect to the effective purge delay, which can be configured by selecting "Gauges" in dsconfig.

DS-38790

Added support for a new ds-pwp-state-json virtual attribute, whose value is a JSON object that provides information about the state and configuration for the password policy with which that entry is associated.

DS-38879

Added a populate composed attribute values task that can be used to update existing entries with composed attribute values without the need to export data to LDIF and re-import. A command-line tool to invoke the task is also provided.

DS-38879

Added a "composed attribute" plugin that allows creating attributes whose values are constructed from the values of other attributes in the same entry. Its behavior is similar to that of the constructed virtual attribute, but composed values are actually stored in the entry rather than being dynamically generated at the time the entry is retrieved, and therefore may be indexed. Composed attribute values may be generated when entries are created by LDAP add operations or in an LDIF import, and their values may be updated if the source attributes are changed by modify or modify DN operations.

DS-39238

Updated the attribute value password validator to provide the ability to specify a minimum substring length when determining whether to reject a proposed password because it contains the value of another attribute in the entry.

DS-39442

Added the X-Frame-Options header in the Administrative console to prevent clickjacking attacks.

DS-39539,DS-41417,DS-41478

Fixed an issue where the manage-profile replace-profile subcommand was unable to create new local DB backends through dsconfig. Also fixed an issue where replace-profile could not export and re-import data from a server with multiple backends.

DS-39649,DS-40115

Optimized the searches for replication data performed by the status tool.

DS-39798

Fixed a bug in which SEMI_AGGRESSIVE and AGGRESSIVE JVM Tuning Parameters were previously allowed to both be selected.

DS-39911

Updated the character set password validator to make it possible to require that a proposed password contain characters from at least a specified minimum number of character sets. For example, you may define four optional sets containing lowercase letters, uppercase letters, numeric digits, and symbols, and then require that proposed passwords include characters from at least three of those sets.
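A model of the two validator behaviours described under DS-39238 (attribute value validator with a minimum substring length) and DS-39911 (at least N of K character sets), written as an added example rather than PingDirectory's own validator code. The set definitions, the thresholds, and the reading that attribute values shorter than the minimum substring length are ignored are assumptions.

```python
"""Model of the attribute value and character set password validator rules.

Added example, not PingDirectory's own code. The character sets mirror the
four optional sets named in the DS-39911 example (lowercase, uppercase,
digits, symbols); the thresholds and the "minimum substring length" reading
(attribute values shorter than the minimum are ignored) are assumptions.
"""
from typing import Dict, List, Set, Tuple

# Constructed set definitions; a real deployment defines its own.
CHARACTER_SETS: Dict[str, Set[str]] = {
    "lowercase": set("abcdefghijklmnopqrstuvwxyz"),
    "uppercase": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "digits": set("0123456789"),
    "symbols": set("!@#$%^&*()-_=+[]{}|;:'\",.<>?/"),
}


def character_sets_used(password: str, sets: Dict[str, Set[str]] = CHARACTER_SETS) -> List[str]:
    """Names of the sets from which the password draws at least one character."""
    return [name for name, chars in sets.items() if any(c in chars for c in password)]


def violating_attribute_values(
    password: str, entry_attributes: Dict[str, List[str]], minimum_substring_length: int
) -> List[Tuple[str, str]]:
    """(attribute, value) pairs whose value appears inside the proposed password.

    Comparison is case-insensitive. Values shorter than the minimum substring
    length are not considered, so short values such as two-letter initials do
    not reject otherwise strong passwords.
    """
    haystack = password.lower()
    return [
        (attr, value)
        for attr, values in entry_attributes.items()
        for value in values
        if len(value) >= minimum_substring_length and value.lower() in haystack
    ]


def validate_password(
    password: str,
    entry_attributes: Dict[str, List[str]],
    minimum_sets: int = 3,
    minimum_substring_length: int = 4,
    sets: Dict[str, Set[str]] = CHARACTER_SETS,
) -> List[str]:
    """Return the reasons the password would be rejected; an empty list means it passes."""
    reasons: List[str] = []
    used = character_sets_used(password, sets)
    if len(used) < minimum_sets:
        reasons.append(
            f"uses {len(used)} of {len(sets)} character sets "
            f"({', '.join(used) or 'none'}); at least {minimum_sets} required"
        )
    for attr, value in violating_attribute_values(password, entry_attributes, minimum_substring_length):
        reasons.append(f"contains the value of attribute {attr} ({value!r})")
    return reasons


if __name__ == "__main__":
    # Constructed user entry; not real data.
    entry = {"givenName": ["John"], "sn": ["Smith"], "initials": ["JS"]}
    for candidate in ("correct-horse", "JohnSmith99!", "Xk7$trong-Pass"):
        problems = validate_password(candidate, entry)
        print(candidate, "->", "accepted" if not problems else "; ".join(problems))
```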

DS-40356

Updated the manage-profile tool to prevent displaying warnings about offline config changes when starting the server.

DS-40379

Fixed an issue that could cause the load-balancing-algorithm-name configuration property of a directory server instance to be lost when joining a topology.

DS-40530

Fixed XSS vulnerabilities in the Administrative console.

DS-40532

Added a logging-error-behavior property to the log publisher, periodic stats logger plugin, and monitor history plugin configuration that can be used to specify the behavior the server should exhibit if an error occurs while attempting logging-related processing. By default, the server will preserve its previous behavior of writing a message to standard error, but it can be configured to enter lockdown mode on a logging error, in which the server will report itself as unavailable and will only accept requests from accounts with the lockdown-mode privilege and only from clients communicating over a loopback interface.

DS-40551

Fixed an issue that could prevent some tools from running properly with an encrypted tools.properties file.

DS-40567

A license is now always required when using the manage-profile replace-profile tool.

DS-40681

Added a cache for password policies stored in user data rather than in the configuration. The cache will hold up to 500 policies by default, but the cache size can be configured (or the cache disabled) using the maximum-user-data-password-policies-to-cache property in the global configuration.

DS-40746

Updated the logic that the server uses to select an appropriate default set of TLS cipher suites.

DS-40806

Fixed an issue that could cause the shutdown process to stall if the server is configured to use TCP to communicate with a StatsD endpoint that has become unresponsive.

DS-40817

PATCH operations on SCIM 2 for PingDirectory Server now require the value of the schemas attribute in the request body to be "urn:ietf:params:scim:api:messages:2.0:PatchOp", in accordance with RFC 7644.

DS-40869

Made JSON the default SCIM 1.1 response content type for requests that did not specify an accept content type.

DS-40889

Fixed an issue with recurring exec tasks where the working-directory attribute was ignored.

DS-40902

Fixed an issue that could cause the server to report an error when disabling a PingOne for Customers pass-through authentication plugin.

DS-40951

Improved import-ldif indexing performance.

DS-40953

Added detection for buffer issues that could cause connections to get stuck during TLS handshake.

DS-40955

Addressed an issue where replication could incorrectly detect a backlog that never clears when updating from a pre-7.3 to a 7.3 or later version. This issue requires that servers were previously removed from the topology, and it has been seen rarely.

DS-41033

Before starting, replication calculates the total backlog for each replica by adding up the outstanding changes for each remote replica. With this change, obsolete replicas will no longer be included in the calculation.

DS-41051

Improved the logic used to determine an appropriate replication database cache size. The previous fixed size of 5MB was found to be too small in some cases, and the replication database could grow larger than expected. In deployments in which the JVM has access to at least 500MB of memory, the replication database cache will now be permitted to use up to 10% of that memory. The former 5MB cache size will still be used in deployments with access to less than 500MB of memory.

DS-41054

Fixed an issue that stopped new extensions from being installed.

DS-41056

Updated the dictionary of commonly used passwords to include new values from studies released at the end of 2019.

DS-41074

Fixed an issue with the way the server reports memory usage after completing an explicitly requested garbage collection.

DS-41079

Trimming of the replication changes database no longer gets stuck when the sequence number of the first change is greater than the sequence number of the last change, which can happen when "dsreplication initialize" is used to initialize a target with changes that are older than the changes the target previously had.

DS-41086

Updated the StatsD monitoring endpoint to replace any spaces, commas, or colons with underscores, and to remove any single quotes or double quotes from sent metric lines. This simplifies parsing of the produced metrics.
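The sanitization rule from DS-41086, shown as an added illustration (not PingDirectory's own code): the name component of a StatsD line is rewritten so that the `:` and `|` delimiters of the `<name>:<value>|<type>` format, and the commas used as tag separators by some StatsD dialects, can only appear where the sender put them. The metric name used as input is constructed for this example.

```python
import re


def sanitize_statsd_component(text: str) -> str:
    """Apply the DS-41086 rules to one component of a StatsD metric line.

    Spaces, commas and colons become underscores; single and double quotes
    are dropped. A colon inside a name would otherwise be taken as the
    name/value separator by any StatsD parser.
    """
    text = re.sub(r"[ ,:]", "_", text)
    return text.replace("'", "").replace('"', "")


def format_statsd_line(name: str, value, metric_type: str) -> str:
    """Build a <name>:<value>|<type> line from a possibly unsafe name."""
    return f"{sanitize_statsd_component(name)}:{value}|{metric_type}"


def parse_statsd_line(line: str) -> tuple[str, str, str]:
    """Split a line into (name, value, type) the way a plain StatsD
    receiver does: first colon ends the name, first pipe ends the value."""
    name, rest = line.split(":", 1)
    value, metric_type = rest.split("|", 1)
    return name, value, metric_type


# Constructed metric name containing every character the rule touches.
RAW_NAME = 'ldap connection handler:active connections, "primary"'
SAFE_NAME = "ldap_connection_handler_active_connections__primary"
```

With the raw name, a receiver would stop the name at the first colon and read "active connections..." as the value; after sanitization the line round-trips unchanged.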

DS-41118

A gauge called HTTP Processing (Percent) is now available. This gauge measures the server's capacity to process new incoming HTTP requests.

DS-41126

Updated the server to make the general monitor entry available to JMX clients.

DS-41142

Improved debugging support for Server SDK extensions. If debugging is enabled, the server will now generate a debug message whenever it invokes an extension. For some extension methods that return a value, the server will also generate a debug message with that return value.

DS-41206

Fixed a memory leak when performing SCIM queries on PingDirectory Server.

DS-41215

Updated the manage-profile replace-profile subcommand to check for encryption-related arguments in setup-arguments.txt when determining if an export and re-import of user data is necessary.

DS-41221

A new collaborator field has been added to consents. This field stores the users with whom a consent has been shared, so that consents shared with a given user can be searched for.

DS-41235

Updated the cn=Cluster subtree to prevent clustered configuration changes when servers in the cluster have mixed versions. To make clustered configuration changes, either update all servers in the cluster to the same version, or temporarily create separate clusters by server version by changing the cluster-name property on the server instance configuration objects.

DS-41236

To avoid inconsistencies, changing clustered configuration will now require all servers in the cluster to be on the same product version. Servers will not pull any clustered configuration from the master of the cluster if they are on a different product version.

DS-41239

Missing changes are now detected for new replicas that have not yet had any changes.

DS-41252

Obsolete changes are now removed from the replication database of the target system when the target system is initialized.

DS-41261

Fixed an issue with manage-profile replace-profile where certain configuration changes for recurring task chains were not being applied.

DS-41270

Fixed an intermittent hang in dsreplication initialize due to replication failing to send an internal replication message. When the hang happens, a message containing "the destination server is currently unavailable" is logged on the target of the initialize. The fix is to retry sending the internal replication message.

DS-41289

Fixed an issue that prevented password changes for topology administrators unless their password policy was configured to allow pre-encoded passwords.

DS-41301

Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.

DS-41333

Added an ssl-client-auth-policy configuration property to the HTTP connection handler to provide support for mutual TLS authentication.

DS-41366

Updated the base monitor entry to include locationName and locationDN attributes if the server is configured with a location.

DS-41396

Updated the Server SDK to add ClientContext and OperationContext methods for obtaining the name and DN of the associated client connection policy.

DS-41400

Updated the file servlet HTTP servlet extension to add support for requiring authentication in order to access the content. Access may optionally be limited to members of a specified set of groups.

DS-41441

Changed a validator error to a warning since it was deemed to be relatively harmless. The validator error was: "Validator Error: The server experienced an unexpected error. Please report this problem and include this log file. Received an update requiring replication assurance, but without a location option".

DS-41465

Obsolete replicas will no longer be purged by default. To turn on the purging of obsolete replicas use "dsconfig" to set "replication-purge-obsolete-replicas" to true in the global configuration.

DS-41471

Added a global ACI that grants clients access to the pre-read and post-read request controls by default. The server will only process these controls if the requester has permission to perform the associated write operation, and the entries returned will only include attributes the requester has permission to read.

DS-41516

Added a --addBaseEntry argument to dsreplication enable. This argument can be used to add a base entry when enabling replication for an empty base DN.

DS-41622

The use-administrative-operation-request-control property is now hidden on unsupported products.

DS-41731

Fixed an issue that could prevent setup from generating a self-signed certificate for systems with non-ASCII hostnames.

DS-41762

Fixed an issue where mirrored subtree polling could produce config archive files that were identical or ignored the configured insignificant attributes list.

DS-41763

Updated the server behavior when returning entries in response to a search request in which the client explicitly specified a list of attributes to be returned. If any of the requested attributes exists in the entry but is not defined in the server schema, the server would have previously returned that attribute with a name formatted in all lowercase characters. The attribute will now be returned with a name that uses the same capitalization that the client used for it in the list of requested attributes.

DS-41818

Added the --zip argument to the manage-profile generate-profile subcommand, which can be used to generate a zipped server profile.

DS-41820

Added an administrative task that may be used to generate a server profile and a corresponding recurring task that may be used to invoke the task on a regular basis.

DS-41821

Added an instance root file servlet to the default configuration. HTTPS requests to /instance-root by authenticated users with the file-servlet-access privilege will be granted access to files within the server instance root.

DS-41850

Servers running on Linux will now log a warning about possible performance impacts if the current memory control group has memory.swappiness set to a nonzero value.

DS-41851

Enabled Correlated LDAP Data Views for SCIM 2 resource types on PingDirectory Server and PingDirectoryProxy Server.

DS-41939

Fixed an issue in which the server might not generate an account status notification for the account-updated notification type for modify operations unless the operation also qualified for other types of account status notifications.

DS-41941

Fixed an issue that prevented enabling the LDAP changelog backend with the manage-profile replace-profile tool.

DS-41987

Updated the PUT request in the consent service to reject requests that have duplicate collaborators to make it consistent with POST and PATCH requests.

DS-42006

The server now warns the administrator at startup if there are multiple versions of the same jar listed in the classpath, and the first one in the classpath is not the newest one.

DS-42033

Addressed an issue where some tools would throw a NullPointerException if a server was configured with a custom global result code map.

DS-42387

Updated the manage-profile generate-profile subcommand to exclude files in the ldif/ and bak/ directories by default when generating a server profile. If necessary, you can manually include those directories using the --includePath argument.