Critical Fixes
This release of the PingDataSync Server addresses critical issues from earlier versions. Update all affected servers appropriately.
No critical issues have been identified
What's New
These are new features for this release of the PingDataSync Server:
-
Use Server Profiles to reduce risk and improve consistency following the DevOps principle of infrastructure-as-code. Administrators can export the configuration of the PingDataSync Server server to a directory of text files called a Server Profile, track changes to these files in version control such as Git, and install new instances of PingDataSync Server or update existing instances of PingDataSync Server from a Server Profile. Server Profiles support variable substitution in order to remove the settings unique to each pre-production or production environment from the Server Profile that is stored in version control.
-
Improved consistency for user passwords that are managed in PingOne. Now when PingDataSync Server recognizes a password change in the source PingOneenvironment, the password is removed from the destination PingDirectory. Upon the next on-prem LDAP bind, the validated password is saved in the destination PingDirectory by the pass-through authentication plugin.
Known Issues/Workarounds
The following are known issues in the current version of the PingDataSync Server:
- The following are suggested solutions for problems with slow DNS:
- Maintain a connection pool in the client app rather than opening new connections for each bind.
- Add appropriate records, including PTR records, to DNS.
- Add
options timeout:1
in the /etc/resolv.conf file and/oroptions single-request
- If IPv6 requests specifically are causing issues, add
-Djava.net.preferIPv4Stack=true
to thestart-server.java-args
line in PingDirectory’s config/java.properties file, run bin/dsjavaproperties, and restart the server to stop the issuance of IPv6 PTR requests.
-
Some server tools, such as
dsreplication
,collect-support-data
, andrebuild-index
, will fail with errors if they are run with an encrypted tools.properties file.Workaround: Add the
--noPropertiesFile
argument to the server tools to prevent them from pulling information from the encrypted file. -
Deploying the Admin Console to an external container using JDK 11 requires downloading the following dependencies and making them available at runtime (for example, by copying them to the WEB-INF/lib directory of the exploded WAR file).
- groupId:jakarta.xml.bind, artifactId:jakarta.xml.bind-api, version:2.3.2
- groupId:org.glassfish.jaxb, artifactId:jaxb-runtime, version:2.3.2
Resolved Issues
The following issues have been resolved with this release of the Data Sync Server:
Ticket ID | Description |
---|---|
DS-17278 | Added a cn=Server Status Timeline,cn=monitor monitor entry to track a
history of the local server's last 100 status changes and their
timestamps. Updated the LDAP external server monitor to include
attributes tracking health check state changes for external servers.
The new attributes include the number of times a health check
transition has occurred, timestamps of the most recent transitions,
and messages associated with the most recent transitions. |
DS-37881 | The PingFederate Access Token Validator will now refresh its cached value of the PingFederate server's token introspection endpoint. A new attribute, endpoint-cache-refresh, has been added to the PingFederate Access Token Validator, which will determine how often this refresh occurs. |
DS-37955 | To support multiple trace loggers, each trace logger now has its own resource key,
which is shown in the Resource column in the output
of status . This key allows multiple alarms, due to
sensitive message types for multiple trace loggers. |
DS-38053 | The JWT Access Token Validator no longer requires a restart after a change to one of its signing certificates. |
DS-38493 | Updated the PingOne Sync Source
to remove a user's password from a destination (for example,
PingDirectory) when the corresponding user's password has changed in
PingOne.
This behavior requires the password attribute in
PingOne to
be mapped to the password attribute (for example,
userPassword ) in the destination schema. |
DS-38560 | Updated manage-profile replace-profile to apply configuration changes
directly, when possible. If the new server profile used by
replace-profile has changed only the
dsconfig batch files from the original profile,
then only the dsconfig files are applied. If no
changes are detected between profiles, replace-profile takes no
action. If changes other than dsconfig are detected, the full
replace-profile process is followed. |
DS-38777 | Added support for updating the server version during manage-profile
replace-profile . The server must have been originally
set up with a server profile. |
DS-38832 | Fixed an issue that could cause the server to leak a small amount of memory each time it failed to establish an LDAP connection to another server. |
DS-38863 | Updated the manage-profile setup subcommand to set a server's cluster name to match
its instance name by default. This prevents servers in the same
replication topology from being in the same cluster, reducing the
risk of unintentionally overwriting parts of an existing server's
configuration in a DevOps environment. The
--useDefaultClusterName argument can be used to
leave the cluster name unchanged. |
DS-38867 |
Updated the PBKDF2 password storage scheme to add support for variants that use the 256-bit, 384-bit, and 512-bit SHA-2 digest algorithms. At present, the SHA-1 variant remains the default to preserve backward compatibility with older versions. Also, in accordance with the recommendations in NIST SP 800-63B, we have increased the default iteration count from 4096 to 10,000, and the default salt length from 64 bits to 128 bits. |
DS-38869 | Updated the remove-defunct-server tool's
--ignoreOnline option. When using
--ignoreOnline in a mixed-version environment,
all servers must support the option. |
DS-39176, DS-39308 |
Updated the Groovy scripting language version to 2.5.7. For a list of changes, visit groovy-lang.org and view the Groovy 2.5 release notes. As of this release, only the core Groovy runtime and the groovy-json module are bundled with the server. To deploy a Groovy-scripted Server SDK extension that requires a Groovy module not bundled with the server, such as groovy-xml or groovy-sql, download the appropriate jar file from groovy-lang.org and place it in the server's lib/extensions directory. |
DS-39191 | Updated the auto-mapped-source-attribute property on Sync Class
configuration objects to not have a default value since the previous
default of -all- caused confusion. Existing
dsconfig batch files used for automated deployments might need to be
updated to provide a value for this property. A value of
-all- is recommended when synchronizing between
two systems with the same schema, such as when migrating from a
legacy LDAP server to PingDirectory. |
DS-39253 | Added a replace-certificate tool, which can help an administrator
replace the listener or inter-server certificate for a server
instance. |
DS-39320 | Added support for PingDataSync Server to the
manage-profile tool and its
subcommands. |
DS-39325 |
Removed the legacy product-specific scripts for starting and
stopping the server. These include:
These legacy scripts had been deprecated for several releases in
favor of the more general If you still have dependencies on these legacy product-specific
scripts, you will need to update them to reference the general
|
DS-39373 | Preserve the privileges that are explicitly set on the admin user when migrating from the admin backend to the topology registry. |
DS-39518 | Fixed an issue in which escaped characters in schema extensions may not be handled
properly. If used in attribute type constraints (such as
X-VALUE-REGEX ), this could cause unexpected or
incorrect behavior. |
DS-39540 | Released an updated Password Sync Agent for Active Directory that uses SSHA256 as a default for its password hashing algorithm instead of SSHA, since SSHA is soon to be deprecated in PingDirectory. If SSHA256 is not supported by a directory or if it is not wanted, a registry value was added that can be set to specify the password hashing algorithm. |
DS-39592 | HTTP External Servers have a new attribute, ssl-cert-nickname, which defines the alias of a specific certificate within their keystore to be used as a client certificate. |
DS-39603 | Fixed an issue where Server SDK extensions could not be configured by dsconfig batch files in the manage-profile tool. |
DS-39626, DS-40357 | The trace log publisher will now record an access token's scopes after the token is successfully validated. |
DS-39654 | Added support for the --topologyFilePath argument to the
manage-topology add-server subcommand. |
DS-39671 | Updated the manage-topology add-server subcommand to require being
run from the older server in a mixed-version environment. |
DS-39715 | Updated the Server SDK to add support for sending email messages. |
DS-39853 | Added support for the PingOne
Sync Source and Destination to the
create-sync-pipe-config tool. |
DS-39857 | Added the StatsD monitoring endpoint. When the Stats Collector Plugin is enabled, this endpoint sends metric data from the server in StatsD format to the configured destination. |
DS-39908 | Added a new JVM-default trust manager provider that can be used to automatically trust any certificate signed by an authority included in the JVM's default set of trusted issuers. Also, updated other trust manager providers to offer an option to use the JVM-default trust addition to the trust that they normally provide. |
DS-40020 | Fixed an issue in Active Directory Sync Source where the persistent state was updated before applying changes, so changes could be missed when stopping the Sync Pipe. |
DS-40114 | Added a new cn=Status Health Summary,cn=monitor monitor entry that
provides a summary of the server's current assessment of its health.
This simplifies monitoring with third party tools that support
retrieving monitoring data over JMX. The Periodic Stats Logger has
also been updated to allow some of this monitoring information to be
logged. No new information is logged by default. |
DS-40354 | Fixed a problem with config-diff when writing properties that span
multiple lines using the --prettyPrint argument. |
DS-40366 | Fixed an issue where the server was attempting to connect by an IP address rather than a hostname when DNS lookup was successful. |
DS-40377 | Added support for logging to a JSON file in the Periodic Stats Logger Plugin. |
DS-40517 | Added metrics for status summary, replication database, and LDAP changelog to the Stats Collector Plugin. |
DS-40543 | Updated manage-profile replace-profile to copy the tool log file to
the server being updated. |
DS-40556 | Added support for specifying a working directory for exec tasks. |
DS-40730 | Updated the encrypt-file tool to prevent using the same path for both
the input file and the output file. |
DS-40771 | Added a --duration argument to collect-support-data. When used, only
the log files covering the specified duration before the current
time will be collected. |