Critical Fixes

This release of PingDataSync Server addresses critical issues from earlier versions. Update all affected servers appropriately.

  • Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

    The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

    Note:

    Because this change applies only to the most recent version of dsreplication disable and remove-defunct-server, run the tool from the most recent version when you remove a server from a multi-version topology. In the past, dsreplication disable or remove-defunct-server could only be run from an older version, but when removing a server from the topology they should now be run from the most recent version in the topology. A tool run from an older server does not include this fix, and you may lose access to secret keys from servers that are removed from the topology.

    • Fixed in: 8.3.0.1
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-44591
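The note above amounts to a pre-removal check. The following is an added example, not code from the product or its documentation. The inventory format, host names, scheme placeholder and function names are assumptions, and it assumes that any version at or above 8.3.0.1 contains the fix.

```python
FIXED_IN = (8, 3, 0, 1)  # "Fixed in" value from the release note

def parse_version(text):
    """Turn a dotted version such as '8.3.0.1' into a comparable 4-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def plan_removal(topology, server_to_remove, reversible_schemes):
    """Decide where to run the removal tool and whether keys are at risk.

    topology: {host: version string} for every current member (assumed format).
    reversible_schemes: names of the reversible password storage schemes in use.
    """
    if server_to_remove not in topology:
        raise KeyError(f"{server_to_remove} is not a topology member")
    versions = {host: parse_version(v) for host, v in topology.items()}
    newest = max(versions.values())
    # Per the note, every reversible scheme except AES256 depends on the
    # cipher secret keys stored under cn=Topology,cn=config.
    uses_topology_keys = any(s.strip().upper() != "AES256"
                             for s in reversible_schemes)
    tool_has_fix = newest >= FIXED_IN  # assumption: later versions keep the fix
    return {
        "multi_version": len(set(versions.values())) > 1,
        "run_tool_from": sorted(h for h, v in versions.items() if v == newest),
        "do_not_run_from": sorted(h for h, v in versions.items() if v < FIXED_IN),
        "tool_has_fix": tool_has_fix,
        # Keys can be lost only if no member can run a tool with the fix.
        "keys_at_risk": uses_topology_keys and not tool_has_fix,
    }

if __name__ == "__main__":
    # Constructed inventory: host names and the scheme name are placeholders.
    sample = {"sync1.example.com": "8.3.0.1",
              "sync2.example.com": "7.0.0.0",
              "sync3.example.com": "7.0.0.0"}
    plan = plan_removal(sample, "sync3.example.com",
                        ["AES256", "LEGACY-REVERSIBLE"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```

If `tool_has_fix` is false, upgrade at least one member to 8.3.0.1 or later before removing a server, then run the tool from that member.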

Resolved Issues

The following issues have been resolved with this release of the DataSync Server.

Ticket ID Description
DS-44513

Synchronize the lockoutTime attribute from Active Directory source systems to the PingDirectory attribute pwdAccountLockedTime. Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.

DS-44591

Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Note:

Because this change applies only to the most recent version of dsreplication disable and remove-defunct-server, run the tool from the most recent version when you remove a server from a multi-version topology. In the past, dsreplication disable or remove-defunct-server could only be run from an older version, but when removing a server from the topology they should now be run from the most recent version in the topology. A tool run from an older server does not include this fix, and you may lose access to secret keys from servers that are removed from the topology.