These are new features for this release of PingDirectory Server:

  • To improve our support for containerization, PingDirectory Server can now determine that it is running in a container and stores this state in the isDocker property within the System Information monitor (cn=System Information, cn=monitor).
  • The Administrative Console now supports using OpenID Connect for admin SSO, allowing you to set up the PingOne administration console to have one-click SSO access without typing a password.
  • To ensure that PingDirectory Server is protected against online password guessing attacks, PingDirectory Server can now inject a delay before sending failure responses back to the client for basic HTTP authentication failures.
  • The Dictionary password validator includes approximately 10,000 more entries in the dictionary file and can now check for capitalization, reversed passwords, leading or trailing non-alphabetical characters and ignore diacritical marks.
  • A new operational attribute has been defined to contain information about recent successful and failed bind attempts. Also, you can configure the server to maintain recent login history such as the number of records of successful and/or failed authentication attempts.
  • The setup command can now create a populated config/tools.properties file from the properties set either on the command or input using interactive mode. There are several modes for adding the bind password to the file. By default, no properties file is created unless the --populateToolPropertiesFile argument is used (non-interactive mode) or the option to create the file is specified while running setup.
  • The validate-ldap-schema tool has been added allowing for administrators to verify any LDIF file used to create schema and/or entries and report any potential issues they may contain.
  • Typically, passwords are only validated when they are set, changed or reset for an entry. However, this might lead to a weak password since these evens are infrequent. PingDirectory Server now supports the ability to periodically run password validation on bind requests. By default, this is not enabled but can be added to any password policy by setting both the bind-password-validator and the minimum-bind-password-validation-frequency properties. If, at the time of the bind, the password does not meet the specified password policies, the bind-password-validation-failure-action property specifies what action to take like requiring a password change.
  • Customers want a better way to perform a sorted search on a large dataset using SCIM 2.0. In this version of PingDirectory Server, SCIM searches with the proper search parameters can be the returned in pages. The PingDirectory Server needs to be configured with Virtual List View (VLV) indexes for the desired SCIM Resource Type.
  • You can now configure password policies to keep a record of recent login history, successes, and failures, per account. The possible configuration options include tracking every success and failure or collapsing to a single event per day.
  • To improve logging and monitoring, administrators can now configure the Syslog, Audit Log, HTTP Operation Log, and the Sync Log to produce output in the JSON format so other tools can more easily consume the information. These log publishers are disabled by default.

Upgrade considerations

Upgrade considerations are no longer part of the release notes. That information is now in Upgrade overview and considerations.

Known issues and limitations

The following are known issues in the current version of PingDirectory Server:

When signing on to the Administrative Console, you must specify an LDAPS port in the Server field. For example, to use port 636, you would specify pingdirectory:636. If you do not specify a port, you get a

Resolved Issues

The following issues have been resolved with this release of PingDirectory Server:

Ticket ID Description
DS-644, DS-42031

Added a new validate-ldap-schema tool that can be used to examine schema definitions in a set of LDIF files and report any issues that it detects.


Updated the ldap-diff tool to make it possible to control the column at which long lines should be wrapped. Previously, long lines were always wrapped at 80 characters. Now, no wrapping is performed by default, but the --wrapColumn argument can be used to enable wrapping with a specified maximum line length.


Improved the dsframework tool to support multivalued server properties.

DS-5143, DS-11035

Updated support for logging access and error log messages to a syslog server. While the server previously supported logging these messages to a syslog server (through the "syslog-based access log publisher" and "syslog-based error log publisher" logger implementations), these loggers used an older version of the syslog protocol (described in RFC 3164) and only offered support for communicating over UDP.

These loggers are still available for legacy backward compatibility, but we now also offer new "syslog text access log publisher" and "syslog text error log publisher" implementations that use a newer version of the syslog protocol (syslog version 1, described in RFC 5424) and support communicating over UDP or the more reliable TCP. When using TCP, it is also possible to encrypt communication with TLS, and it is possible to configure multiple servers for better redundancy. These loggers use the same space-delimited text format as the former loggers.

We also offer new "syslog JSON access log publisher" and "syslog JSON error log publisher" implementations that offer the same set of capabilities, but that format the message text as JSON objects, which can be more easily parsed by third-party software.

DS-7475, DS-7605, DS-11725, DS-37707, DS-40342, DS-41940
Made several improvements to the parallel-update tool, which can use multiple concurrent threads for improved performance when applying add, delete, modify, and modify DN changes read from an LDIF file. The enhancements include:
  • Added support for several additional controls, including proxied authorization, manageDsaIT, ignore NO-USER-MODIFICATION, password update behavior, operation purpose, name with entryUUID, assured replication, replication repair, suppress operational attribute update, and suppress referential integrity updates. The tool also now supports specifying arbitrary controls for inclusion in add, bind, delete, modify, and modify DN requests.
  • Made its communication more robust. The tool would previously establish connections only when it was first started, but it can now detect when a connection is no longer valid and can re-establish connections as needed to continue processing. Further, if an operation failed because it was attempted on an invalid connection, that operation can be automatically retried immediately on a newly established connection.
  • Added support for failover directory servers. You can now provide the --hostname and --port arguments multiple times to specify information about multiple directory server instances. In the event that the first server listed is not available (or becomes unavailable in the middle of processing), it can automatically try establishing a connection to an alternative server to continue processing there.
  • Improved the ability to determine whether all changes were processed successfully. Previously, the tool would always use an exit code of zero if it was able to attempt all of the changes read from the LDIF file, even if some of the changes were not successfully applied. That is still the default behavior, but a new --useFirstRejectResultCodeAsExitCode argument can be used to indicate that if any operations are rejected, the result code from the first rejected operation should be used as the exit code.
  • Added support for encrypted LDIF files. If the LDIF file was encrypted with a key from the server's encryption settings database, then the tool will automatically attempt to retrieve the appropriate key. Otherwise, the new --encryptionPassphraseFile argument can be used to supply the encryption passphrase, or the passphrase can be interactively requested from the user.
  • The tool is now parallel by default. Previously, if you did not specify a value for the --numThreads argument, it would use a single thread. It now defaults to using eight threads.
  • The tool now provides a --followReferrals argument that allows it to automatically attempt to follow any referrals that are returned.
  • The tool now provides a menu-driven interactive mode that can be used to provide values for all of the command-line arguments.
DS-10320, DS-12550, DS-12551, DS-12552, DS-42116, DS-42162, DS-42179, DS-42222, DS-42223, DS-42224, DS-42225, DS-42416, DS-42437

Added a config/sample-dsconfig-batch-files directory with set of well commented dsconfig batch files that may be useful in enabling or configuring a variety of features in the server.

Updated the dictionary password validator to support additional options:
  • It can now ignore non-alphabetic characters that appear at the beginning or end of the password before checking the dictionary.
  • It can strip characters of diacritical marks, including accents, cedillas, circumflexes, diaereses, tildes, and umlauts, before checking the dictionary. If this option is used, then any character with such a mark will be replaced with a base version of the character without that mark (for example, a lowercase letter n with a tilde over it would be replaced with just a lowercase letter n).
  • You can define maps with information about character substitutions to use for checking alternative versions of the provided password. For example, if you indicate that "0" might map to "o", "1" or "!" might map to "i", "7" might map to "t", and "3" might map to "e", then the validator can reject a proposed password of "pr0h1b!73d" if the dictionary contains the word "prohibited".
  • It can reject a proposed password if a value from the provided dictionary makes up more than a specified percentage of that password.
DS-11524, DS-41860, DS-42112
Added support for new administrative alert types:
  • We have added a new admin alert account status notification handler, which can generate administrative alerts whenever an applicable account status notification is generated within the server. For example, this account status notification handler can be added to the root password policy to generate an alert whenever a root user's password is updated or their account is locked as a result of too many failed authentication attempts. A separate alert type has been defined for each account status notification type.
  • We have added a new "privilege-assigned" administrative alert that can be raised whenever a new entry is added or an existing entry is updated to include one or more privileges.
  • We have added a new "insecure-request-rejected" administrative alert that can be raised whenever the server rejects a request as a result of the reject-insecure-requests global configuration property.

Added support for the OAUTHBEARER SASL mechanism (as described in RFC 7628) to allow LDAP clients to authenticate with OAuth 2.0 bearer tokens.


Updated the password policy to add support for maintaining a history of recent successful and failed bind attempts for each account. A new "get recent login history" control can be used to obtain this history during a successful bind, and it can also be obtained from the ds-pwp-state-json virtual attribute or the password policy state extended operation.

DS-15848, DS-42360

Added support for invoking a specified set of password validators during bind operations. If the password used to authenticate fails to satisfy one or more of the configured validators, the bind attempt can be rejected, the user can be forced to change their password, or the server can generate an account status notification to take some alternative action (for example, notifying the end user or server administrators).


Replaced the ldappasswordmodify tool with a new version that offers more functionality, including support for additional controls, support for multiple password change methods (the password modify extended operation, a regular LDAP modify operation, or an Active Directory-specific modify operation), and the ability to generate the new password on the client.

DS-17422, DS-37387
Added a new "Modifiable Password Policy State" plugin with support for a new ds-pwp-modifiable-state-json operational attribute whose value is a JSON object with fields that reflect elements of the associated user's current password policy state. Authorized clients may replace the value of that attribute (with a modify request using LDAP or with a PUT or PATCH request using the Directory REST API) to update that user's password policy state. Elements of the password policy state that may be updated include:
  • The time the user's password was last changed
  • The user's account activation time
  • The user's account expiration time
  • The user's password expiration warned time
  • Whether the account is administratively disabled
  • Whether the account is locked as a result of too many failed authentication attempts
  • Whether the user will be required to change their password before they will be allowed to perform any other operations

Fixed an issue that could cause the server to return the password expired control (as defined in draft-vchu-ldap-pwd-policy) in response to a bind request that included invalid credentials. The server will now only return that control if the provided credentials were valid.

The password policy configuration has also been updated to make it possible to better specify when the server should return the password expired or password expiring control. Previously, the server would only return these controls if the bind request did not include the password policy request control (as defined in draft-behera-ldap-password-policy), as the response to that control may also indicate whether the user's password is expired or is about to expire. This is still the default behavior, but it is now possible to configure the server to return the password expired or password expiring control when appropriate, even if the password policy response control will also be returned. Alternatively, the server can be configured to never return the password expired or password expiring controls.


Updated setup to provide a --populateToolPropertiesFile argument that will allow it to populate the config/tools.properties file with default values for command-line tool arguments. If requested, properties will be provided for the server address, port, and communication security, and may also include a default bind DN and optionally a bind password. When running setup interactively, it will now prompt to determine which properties (if any) should be populated in the properties file.


Updated the crypto manager to make it possible to augment the set of enabled TLS cipher suites with specific suites to add to or remove from the default set of enabled suites. To enable one or more suites in addition to those in the default set, prefix the names of those suites with the "+" symbol. To disable one or more suites in the default set of enabled suites, prefix the names of those suites with the "-" symbol. This was already possible when configuring cipher suites for the LDAP and HTTP connection handlers, but it was not an option for the crypto manager.


Updated the System Information monitor with an "isDocker" attribute to identify if the server is running in a Docker container.

DS-38118, DS-42495
Made several updates related to the server's handling of data written to standard output and standard error:
  • The server can now be configured to rotate the logs/server.out file once it reaches a given size, and it will retain a configurable number of those log files. By default, the server will rotate the file once it reaches 100 megabytes and will keep up to ten files.
  • To better facilitate capturing log data in containerized environments, the server now supports writing JSON-formatted access and error log messages to the JVM's original standard output and error streams (which will be separate from the server.out file when the server is started with the --nodetach argument).
  • It is now possible to prevent the server from logging messages during startup in non-JSON format. It is also possible to prevent messages about administrative alerts from being written to standard error, or to write those messages in JSON format. These options are especially useful when using JSON-based logging to the console in no-detach mode, as they can help ensure that everything written to standard output and standard error will be formatted as JSON objects.
DS-38816, DS-41995

Updated support for the uniqueness request control to provide a more reliable mechanism for preventing conflicts that arise from operations processed concurrently in the same or different servers. If indicated in the request control, a temporary conflict prevention details entry can be added to the server before searching for existing conflicts, and that entry can be detected during pre-commit processing for other operations with uniqueness request controls that attempt to make a conflicting change.

The server has also been updated to make it possible to generate an administrative alert if a uniqueness conflict is detected during post-commit processing for the uniqueness request control. Even though the conflict cannot be prevented at this stage in processing, the alert can let administrators know about it as soon as it happens so they can take any appropriate corrective action.


Updated setup to create a second encryption settings definition if data encryption is enabled. It will continue to create a definition for 128-bit AES encryption for use as the preferred definition to preserve backward compatibility with existing servers in the topology, but it will now also generate a definition for 256-bit AES encryption. The 256-bit AES definition may become the preferred definition in a future release, but you can use it now by first ensuring that any existing instances are updated to contain the new definition (with the "encryption-settings export" and "encryption-settings import" commands) and then making it the preferred definition (with "encryption-settings set-preferred") in all instances.

DS-39257 The dsreplication enable subcommand options --preferredID1 and --preferredID2 allow you to specify a preferred value for new replicationIDs for the first and second server respectively. By default, replication IDs are randomly chosen. The lowest unused value that is greater than or equal to the value specified is used, subject to being even or odd as required. Replication server IDs must be even, and replicaIDs must be odd. Each value specified must be in the range [0, 32766] inclusive. If the maximum value is reached while searching, the search wraps to 0.

Updated the JVM memory usage monitor provider to fix an issue that could prevent the monitor from reporting the total amount of memory held by all memory consumers. Also, fixed an issue that could cause the memory-consumer attribute to use an incomplete message for consumers without a defined maximum size and added an additional memory-consumer-json attribute whose values are JSON objects with data that can be more easily extracted by automated processes.


Updated the collect-support-data tool to make it possible to specify how much data should be captured from the beginning and end of each log file to include in the support data archive. You can also specify the capture size when invoking the tool through an administrative task, recurring task, or extended operation.


Fixed an issue where some state associated with a JMX connection was not freed after the connection was closed. This led to a slow memory leak in servers that were monitored by an application that created a new JMX connection each polling interval.


Eliminated a misleading error message that could be logged at startup if the server was configured with one or more ACIs that only apply when using specific SASL mechanisms.


Missing changes will now be detected when the backend is reverted and there are insufficient changes in the changelog database. When in this particular missing changes state the local replica will not accept changes from the local replication server.


To assist with recovering from the split-brain state the "dsreplication initialize" command will have a new "--force" option that overrides the lockdown check.


Fixed an issue where disabling certain backends (such as 'alarms') caused an internal monitor to log unnecessary error messages every few seconds, about not being able to gather data from that backend.

Note that deliberately disabling the 'alarms' backend is not recommended in normal operation, but may occur during backup/restore operations.


The SCIM 2 service on PingDirectory and PingDirectoryProxy now automatically generates a Swagger 2 specification document based on the server's SCIM 2 configuration. To view this document, go to https://<your-server>/api-docs in a web browser.


To help with multi-tenant and delegated admin ACI parameterization implement the ($attr.attrName) macro. In particular the ($attr.attrName) macro can be used to build bind DNs.


PingDirectory and PingDirectoryProxy can now perform SCIM 2 paged searches on result sets greater than the configured lookthrough limit. To perform such a search, you must first configure a virtual list view (VLV) index.


Fixed an issue with the manage-profile tool where files in a server profile's dsconfig/ directory without a ".dsconfig" extension could cause failures in manage-profile replace-profile when validating updated dsconfig files.


Fixed an issue that could result in duplicate column headers being produced by the Periodic Stats Logger, even when the header-prefix-per-column attribute was set to true.


Updated the Stats Collector Plugin with a new generate-collector-files configuration property. When using the plugin exclusively for providing metrics to one or more StatsD Monitoring Endpoints, set this property to false to prevent unnecessary I/O.

DS-42059, DS-42060
Updated setup to add options for improving communication security:
  • Non-interactive setup now offers a --rejectInsecureRequests argument that will configure the server to reject any request received over a connection that is not encrypted with SSL or StartTLS.
  • Non-interactive setup now offers a --rejectUnauthenticatedRequests argument that will configure the server to reject any request received over a connection that is not authenticated (or that is authenticated as the anonymous user).
  • Interactive setup now allows you to configure the server with the LDAP connection handler disabled (which was already an option when using non-interactive setup), or enabled but only for communication encrypted with StartTLS.

The --rejectInsecureRequests and --rejectUnauthenticatedRequests arguments can also be used with manage-profile by including them in the setup-arguments.txt file of the server profile.


Updated the interactive command-line tool framework to prefer establishing secure LDAP connections over insecure connections. Previously, when prompting for the information needed to establish a connection, the default option was to create an unencrypted LDAP connection. Now, tools will default to creating an SSL-encrypted connection if the server supports it, or to creating a StartTLS-encrypted connection if that is available but SSL is not. Tools will also default to using streamlined settings when establishing secure connections. Previously, they would always prompt about how to determine whether the server's certificate chain should be trusted. When using the streamlined settings, the tools will only prompt about certificates that cannot automatically be considered trusted using information in the JVM's default trust store, the server's default trust store (config/truststore), or the server's topology registry.


Updated the root password policy so that LDAP bind responses for root users and topology administrators will be delayed by one second after five consecutive failed authentication attempts.


Updated the "delay bind response" failure lockout action to provide an option to delay the response to bind requests initiated by non-LDAP clients (for example, when using HTTP basic authentication). This option is disabled by default because delaying the bind response for non-LDAP clients may require temporarily blocking the thread used to process the request, which could increase the risk of a denial-of-service attack. To help mitigate this risk, if you enable delayed bind responses for non-LDAP clients, we recommend that you also increase the number of request handler threads for all enabled HTTP connection handlers.


Updated the server's command-line tool framework to make it easier and more convenient to communicate with the server over a secure connection when no trust-related arguments are provided. Most non-interactive tools will now check the server's default trust store, the topology registry, and the JVM's default trust store to see if the presented certificate chain can be automatically trusted without the need to prompt the user. If the presented chain cannot be automatically trusted, the user may be interactively prompted to determine whether it should be trusted.

DS-42157, DS-43033

Updated the CRAM-MD5 and DIGEST-MD5 mechanism handlers so that they are no longer considered secure. Although the credentials are encoded in transit, their protection relies on the weak MD5 digest. Further, they require that user passwords be encoded in a reversible form so the server can retrieve them in the clear for use in authentication processing, which increases the risk that they will be exposed in a data breach. This primarily affects the ability to use these SASL mechanisms over an unencrypted connection for users that are required to authenticate in a secure manner (for example, if their password policy has require-secure-authentication set to true, or if their entry has a ds-auth-require-secure-authentication operational attribute with a value of true).

These SASL mechanisms are still enabled by default for legacy backward compatibility purposes, but we discourage their use. To assist with that, we have also provided a sample dsconfig batch file that can be used to disable these SASL mechanism handlers.

DS-42164, DS-43015

Added a new AES256 password storage scheme that can encode passwords with 256-bit AES encryption. Although non-reversible schemes are recommended in most deployments, reversible schemes may be necessary under certain circumstances, and the new scheme provides support for stronger encryption and better integrity protection than the existing 128-bit AES scheme.

The key used to encrypt passwords will be derived from an encryption settings definition. Clients with access to an AES256-encoded password and the passphrase used to encrypt it may obtain the original plaintext representation of the password. The UnboundID LDAP SDK for Java provides support for decoding and decrypting these passwords through the AES256EncodedPassword class, and the Javadoc for that class provides documentation that may be used to implement support those passwords in other programming languages.


Optimized some searches commonly used by the status tool. This should improve the performance of the tool in more complex or large-scale environments.


Upgrade to jetty 9.4


Fixed an issue where using the encryption-settings tool to import definitions with the set-preferred flag could result in none of the imported definitions being set as the preferred definition.


Updated the server to require a minimum key size of 2048 bits when negotiating a TLS cipher suite that uses ephemeral Diffie-Hellman key exchange.


Replaced the ldifsearch, ldifmodify, and ldif-diff command-line tools with more full-featured and robust implementations.


Replaced the ldapcompare tool with a new version that offers more functionality, including support for multiple compare assertions, following referrals, additional controls, and multiple output formats (including tab-delimited text, CSV, and JSON).


Updated the server to use /dev/urandom (on non-Windows systems where that path exists and is readable) instead of /dev/random as the primary source for secure random data. Attempts to read from /dev/random can block if the underlying system does not have sufficient entropy, which can have a severe adverse effect on performance. Reads from /dev/urandom will not block, and the data that it provides is no less secure than data from /dev/random in any way that matters for the server.

DS-42349, DS-43209, DS-43210, DS-43323, DS-43324

Added support for JSON-formatted audit loggers, which complement the existing file-based LDIF-formatted error logger. The JSON-formatted audit log messages provide a record of changes to data in the server and can be written to files on the local filesystem, written to the JVM's standard output or standard error stream, or sent to a syslog server.

Added support for JSON-formatted HTTP operation loggers, which complement the existing file-based loggers using the W3C common log format and a proprietary space-delimited text format. The JSON-formatted HTTP operation log messages provide a record of interaction with HTTP clients and can be written to files on the local filesystem, written to the JVM's standard output or standard error stream, or sent to a syslog server.

Fixed an issue that caused JSON-formatted loggers to use a timestamp format that was not strictly compliant with the ISO 8601 format described in RFC 3339. Timestamps incorrectly omitted the colon between the hour and minute components of the time zone offset.


Fixed an issue in which the server could incorrectly evaluate a matched values request control containing an extensible match filter that specified both an attribute type and a matching rule. The server incorrectly used the attribute type's equality matching rule instead of the matching rule specified in the filter.


Fixed an issue where unindexed LDAP searches filtered on virtual attributes sometimes omitted objectClass from the returned result.


Fixed an issue that could prevent the uninstaller from removing information about the instance from the topology registry.


Fixed an issue that could raise an internal error when trying to undelete a non-soft-deleted entry.


Fixed an issue that could cause the remove-defunct-server tool to not remove certain replication attributes when run with a topology json file.


Updated manage-profile replace-profile to set encryption settings definitions defined in the newer server profile as preferred in the encryption settings db.


Previously, even if LDAP SDK debug logging was enabled, messages would be suppressed while running dsreplication. Now if LDAP SDK debug logging is enabled, messages will get printed to the console while running dsreplication.


Fixed an issue that could cause an exception when creating a resource in SCIM 1.1 using certain types of DNTemplate.


Fixed an issue where manage-profile generate-profile would print "null" as the generated profile directory when writing to an existing directory.


Fixed an issue in which the Directory REST API could fail to decode certain credentials when using basic authentication.


Fixed an issue in which the Consent API could fail to decode certain credentials when using basic authentication.


Added support for creating or importing a key pair configuration object using an elliptic curve (EC) key algorithm. You can use this to designate the encryption key pair for a JWT access token validator that handles EC-encrypted access tokens.


The JWT Access Token Validator can now validate JWT access tokens signed using the elliptic curve digital signature algorithms ES256, ES384, and ES512.


The JWT Access Token Validator can now validate JWT access tokens encrypted using elliptic curve cryptographic algorithms. The following key encryption algorithms are now supported in addition to RSA-OAEP: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, and ECDH-ES+A256KW.

To support best practices for JWT security, you must now also configure the JWT Access Token Validator with explicit allow lists for key encryption and content encryption algorithms. For backward compatibility, the key encryption allow list defaults to RSA-OAEP, while the content encryption allow list defaults to A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512. We recommend setting both allow lists to the strict minimum set of algorithms needed by the Access Token Validator.


Updated the manage-profile replace-profile subcommand to better support updating the server's keystore and truststore files. When using the --generateSelfSignedCertificate argument in a server profile's setup-arguments.txt file, the server will maintain the original keystore and truststore files during replace-profile. Otherwise, replace-profile will use the keystore and truststore specified in the profile's setup-arguments.txt file.


Updated the server to set a unique cluster name when started for the first time.

DS-42669, DS-42748

Updated the online dsconfig step of the manage-profile replace-profile subcommand to support getting LDAP connection arguments from a tools.properties file on the server being updated.

Fixed an issue where boolean LDAP connection arguments like --useSSL and --trustAll would cause manage-profile replace-profile to fail when applying dsconfig online.


Updated the manage-profile setup subcommand to fail if the start-server command has a non-zero exit code.

DS-42681, DS-42684

Performance statistics generated by the Sideband API can now be published by the Periodic Stats Logger. To enable this, use the "included-http-servlet-stat" property of the Periodic Stats Logger.


Upgrade to Jetty 9.4.30


Updated the ds-pwp-state-json virtual attribute provider to include information about the requirements that passwords must satisfy for adds, self password changes, administrative password resets, and binds.


Fixed an issue where the dsconfig ilst subcommand would not display requested properties.


To support best practices for JWT security, you must now configure the JWT Access Token Validator with an explicit list of the JWT signing algorithms that it accepts. For backward compatibility, this list defaults to the RSA signing algorithms RS256, RS384, and RS512, but we recommend setting this list to the strict minimum set of signing algorithms needed by the Access Token Validator.


Added new override-status-code and additional-response-contents attributes to the Availability State HTTP Servlet Extension. These new attributes can be used to customize the response code and JSON response body of the servlet.


Fixed a bug where backup retention attempted to purge old backups out of order, which lead to errors.


Fixed an issue where new replicas incorrectly went into lockdown mode after initialization.

This issue would happen when trying to initialize a newly-added replica to a topology that had been created some time ago. This amount of time had to exceed the replication purge delay, which is 24 hours by default. Before this fix was introduced, you could get past this by running "leave-lockdown-mode" on the new replica, then re-running "dsreplication initialize" on it.


Added a remove-attribute-type-from-schema tool that can be used to safely remove an attribute type definition from the server schema. It will ensure that the attribute type is not in use, and it will clean up metadata references to that attribute type that could have previously required re-importing the data before the attribute type could actually be removed from the schema.

The remove attribute type processing can also be requested programmatically through an administrative task.


Fixed an issue that could inappropriately allow HTTP-based clients (for example, those using SCIM, the Directory REST API, or the Consent API) to issue requests when the server is in lockdown mode.


Fixed a typo in the password-expiring template that caused "password_expiration_time_of_day" to be printed instead of the password expiration time.


Updated the manage-profile tool logs to include the duration of each step the tool takes. The new --verbose argument can also be used to display timing information in the tool's console output.


Added an aggregate identity mapper that uses Boolean AND or OR combinations of other identity mappers.


Updated the exact match and regular expression identity mappers to make it possible to only include entries matching a given filter.


Added a JSON-formatted stats logger to the server's default configuration. The stats logger is disabled by default.


Updated non-interactive setup (including manage-profile setup) to allow the password for the initial root user to be provided in pre-encoded form using the PBKDF2, SSHA256, SSHA384, or SSHA512 password storage scheme. This eliminates the need to have access to the clear-text password when setting up the server.


Fixed a bug where restoring an incremental backup could result in the server not being able to start.


Fixed an issue where Ping Directory products configured to run as Microsoft Windows services were sometimes unable to automatically restart following an unplanned reboot, due to errors reading a corrupted server status file.


The Administrative Console configuration settings have been updated to account for the new SSO functionality.


For Windows only, there can be a hang on start when global configuration property startup-error-logger-output-location is set to values that contain standard-error. For Windows only, standard-error values are silently mapped to equivalent standard-output values.


Updated the manage-profile generate-profile subcommand to ignore files larger than 100 megabytes when generating a server profile. Fixed an issue where many large files in the server root could cause the tool to run out of memory.


Added a new --adminPasswordFile argument to the manage-topology add-server command, to allow specifying the administrator password with a file rather than with the command line.


Fixed an issue where paged subtree searches posted to the Directory Rest API failed with error message: "Unable to decode the cookie in the simple paged results control value", whenever the search returned entries with DN length approaching or exceeding 127 characters.


Fixed an issue that could result in isMemberOf and isDirectMemberOf attributes not being updated appropriately when updating groups with multiple threads.


Fixed an issue that caused the server to return an objectClassViolation result code instead of the more appropriate attributeOrValueExists result code when trying to modify an entry to add an object class that already exists in that entry.


Added a new export-reversible-passwords tool that can be used to create an LDIF export containing the clear-text representations of reversibly encoded passwords. The export may optionally include non-password attributes from the entries, entries containing non-reversible passwords, and entries without passwords. This tool can be used to help rotate the keys used to encrypt passwords if the need arises.

There are a number of safeguards in place to help ensure that this tool cannot be used inappropriately. These include:
  • The tool invokes the export over LDAP and therefore requires that the server be online. It cannot be invoked with the server offline.
  • The tool can only be invoked by a user with the permit-export-reversible-passwords privilege. This privilege is not granted to any users (even root users) by default.
  • The tool can only be used if the server is configured with an instance of the "export reversible passwords" extended operation handler. The requester must also have access control permission to invoke this extended operation.
  • The tool can only be run from the server system itself and the request must be received over the loopback interface. The export cannot be requested by a remote client.
  • The request must be issued over a secure connection.
  • The output file will be written to the server filesystem. It may only be written to a file that is beneath the instance root, and that file must not already exist (although its parent directory must exist).
  • The exported file will be encrypted using the UnboundID LDAP SDK for Java's PassphraseEncryptedOutputStream, using a key generated from either a user-supplied passphrase or an encryption settings definition. This encrypted file may be directly imported by the import-ldif tool. If the contents of the file are needed, the LDAP SDK may be used to access its contents programmatically, or the encrypt-file tool may be used to decrypt it.
  • The server will generate administrative alert notifications whenever it begins and ends the export process.
DS-43073, DS-43198

Added support for ID Token Validators, which validate the integrity and content of ID tokens issued by OpenID Connect providers. Use these validators with the OAuth Bearer SASL Mechanism Handler to enable single sign-on (SSO) for the Administrative Console using an OpenID Connect provider such as PingOne. Currently, only PingOne is supported for SSO.


Added three built-in identity mappers that you can use to look up administrative accounts stored in the server configuration: Root DN Users, Topology Admin Users, and All Admin Users.


Updated setup and the replace-certificate tool to improve the way we generate self-signed certificates and certificate signing requests to make them more palatable to clients.

To reduce the frequency with which administrators had to replace self-signed certificates, we previously used a very long lifetime for self-signed certificates generated by setup or the replace-certificate tool. However, some clients (especially web browsers and other HTTP clients) have started more strenuously objecting to certificates to long lifetimes, so we now generate self-signed certificates with a one-year validity period. The inter-server certificate (which is used internally within the server and does not get exposed to normal clients) is still created with a twenty-year lifetime.

Also, the replace-certificate tool's interactive mode has been updated to improve the process that it uses to obtain information to include in the subject DN and subject alternative name extension for self-signed certificates and certificate signing requests. The following changes have been made in accordance with CA/Browser Forum guidelines:
  • When selecting the subject DN for the certificate, we listed a number of common attributes that may be used, including CN, OU, O, L, ST, and C. We previously indicated that CN attribute was recommended. We now also indicate that the O and C attributes are recommended as well.
  • When obtaining the list of DNS names to include in the subject alternative name extension, we previously suggested all names that we could find associated with interfaces on the local system. In many cases, we now omit non-qualified names and names that are associated with loopback interfaces. We will also warn about any attempts to add unqualified or invalid names to the list.
  • When obtaining the list of IP addresses to include in the subject alternative name extension, we previously suggested all addresses associated with all network interfaces on the system. We no longer suggest any IP addresses associated with loopback interfaces, and we no longer suggest any IP addresses associated in IANA-reserved ranges (for example, addresses reserved for private-use networks). The tool will now warn about attempts to add these addresses for inclusion in the subject alternative name extension.

Increased the maximum number of RDN components that a DN may have from 50 to 100.


Updated log publisher logic to reduce the amount of CPU that the server consumes when it is idle.


Updated the system information monitor provider to restrict the set of environment variables that may be included. Previously, the monitor entry included information about all defined environment variables, as that information can be useful for diagnostic purposes. However, some deployments may include credentials, secret keys, or other sensitive information in environment variables, and that should not be exposed in the monitor. The server will now only include values from a predefined set of environment variables that are expected to be the most useful for troubleshooting problems, and that are not expected to contain sensitive information.


Updated the jose4j library used for JWT signing and encryption to version 0.7.2.


The Security Guide is now available online at pingidentity.com. The guide has been removed from the server packaging.


Fixed an issue in which a server in lockdown mode could incorrectly allow an operation to be processed if a connection authenticated as a user with the lockdown-mode privilege issued a request with an alternate authorization identity that did not have the lockdown-mode privilege. The server now requires that both the authentication and authorization identities have the lockdown-mode privilege.