The release notes for the 8.2.0.7 release of PingDirectory Server.
Critical fixes
This release of PingDirectory Server addresses critical issues from earlier versions. Update all affected servers appropriately.
- Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology. When a server is removed via the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

  The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

  Note: Since this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it will not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

  - Fixed in: 8.2.0.7
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-44591
Resolved issues
The following issues have been resolved with this release of the Directory Server.
Ticket ID | Description |
---|---|
DS-42961 | To help with replication backlog analysis the replication summary monitor will now include a |
DS-43959, DS-44924 | Added new global configuration properties that can be used to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request, which can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that may be provided for an attribute. |
DS-44591 | Fixed an issue where secret keys under The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology. Note: Since this change only applies to the most recent version of remove-defunct-server and |
DS-44892 | Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (i.e., a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology. |
DS-45032 | Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode. |
DS-45115 | Fixed a PingDirectory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security. |
DS-45124 | Removed |
DS-45154 | Fixed an issue where a server with a newly initialized database (through |
DS-45190 | Added support for the use of JDKs obtained through BellSoft. |
DS-45449 | Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file may be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes. |
DS-45654 | Resolved an issue where SCIM POST requests that violated a unique attribute constraint got an internal error instead of the expected SCIM error response. |