Critical Fixes
This release of PingDirectoryProxy Server addresses critical issues from earlier versions. Update all affected servers appropriately.
- Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.
  - Fixed in: 8.1.0.0
  - Introduced in: 5.2.0.0
  - Support identifiers: DS-41301
- Fixed a memory leak when performing SCIM queries on the Directory Server.
  - Fixed in: 8.1.0.0
  - Introduced in: 7.2.0.0
  - Support identifiers: DS-41206 SF#00681395
- Fixed a memory leak when performing SCIM queries on the Directory Server.
  - Fixed in: 8.0.0.1
  - Introduced in: 7.2.0.0
  - Support identifiers: DS-41206 SF#00681395
- Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.
  - Fixed in: 8.0.0.1
  - Introduced in: 5.2.0.0
  - Support identifiers: DS-41301
- The following enhancements were made to the topology manager to make it easier to diagnose connection errors:
  - Added monitoring information for every failed outbound connection from a server to one of its configured peers (including how long it has been failing and the last error message seen when the failure occurred), as well as the number of failed outbound connections.
  - Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
  - Fixed in: 7.3.0.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38334 SF#00655578
- The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.
  - Fixed in: 7.3.0.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38344 SF#00655578
- The dsreplication tool has been fixed to work when the node being used to enable replication is currently out of sync with the topology master.
  - Fixed in: 7.3.0.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38335 SF#00655578
- Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
  - When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
  - When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

  In each of these cases, the files would have been written with permissions that make their contents accessible only to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

  We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing it so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.
  - Fixed in: 7.3.0.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38897 DS-38908
- The following enhancements were made to the topology manager to make it easier to diagnose connection errors:
  - Added monitoring information for every failed outbound connection from a server to one of its configured peers (including how long it has been failing and the last error message seen when the failure occurred), as well as the number of failed outbound connections.
  - Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
  - Fixed in: 7.2.1.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38334 SF#00655578
- The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved.
  - Fixed in: 7.2.1.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38344 SF#00655578
- The dsreplication tool has been fixed to work when the node being used to enable replication is currently out of sync with the topology master.
  - Fixed in: 7.2.1.0
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38335 SF#00655578
- Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
  - When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
  - When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

  In each of these cases, the files would have been written with permissions that make their contents accessible only to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

  We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing it so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.
  - Fixed in: 7.0.1.3
  - Introduced in: 7.0.0.0
  - Support identifiers: DS-38897 DS-38908
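The tool invocation log defect described above (DS-38897/DS-38908, listed for both the 7.3.0.0 and 7.0.1.3 fixes) is a general pattern: a tool dereferences a "read the password from this file" argument into the secret before it formats its invocation log line, so the secret is logged instead of the path. The following Python illustration is added here and is not PingDirectoryProxy Server code; the `--bindPasswordFile` argument name, the `tool-invocation:` line layout and the function names are assumptions made for the example. It shows the defective ordering beside the hardened one and a small check a defender can run over a log line.

```python
"""
Illustration (not PingDirectoryProxy Server code) of the password-file
logging defect: a tool that resolves --xxxPasswordFile arguments to their
contents BEFORE building its invocation log line writes the secret into the
log. The hardened variant logs the arguments exactly as supplied.
"""
import os
import tempfile

# Argument names assumed, for this example, to take a path to a secret.
PASSWORD_FILE_ARGS = {"--passwordFile", "--bindPasswordFile"}


def parse_args(argv):
    """Tiny '--name value' parser; returns an ordered list of (name, value)."""
    pairs = []
    i = 0
    while i < len(argv):
        name = argv[i]
        if name.startswith("--") and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            pairs.append((name, argv[i + 1]))
            i += 2
        else:
            pairs.append((name, None))
            i += 1
    return pairs


def resolve_password_files(pairs):
    """What the tool must do internally: replace each path with the secret it holds."""
    resolved = []
    for name, value in pairs:
        if name in PASSWORD_FILE_ARGS and value is not None:
            with open(value, encoding="utf-8") as handle:
                value = handle.read().strip()
        resolved.append((name, value))
    return resolved


def format_line(tool, pairs):
    """Constructed invocation-log layout (assumption, not the server's format)."""
    parts = [tool]
    for name, value in pairs:
        parts.append(name if value is None else f"{name} {value}")
    return "tool-invocation: " + " ".join(parts)


def invocation_line_vulnerable(tool, argv):
    """Defective ordering: the log line is built from the already-resolved
    argument list, so the secret itself lands in the log."""
    resolved = resolve_password_files(parse_args(argv))
    return format_line(tool, resolved)


def invocation_line_fixed(tool, argv):
    """Hardened ordering: log the arguments as supplied (the path) and keep
    the resolved secrets in a separate structure that is never logged."""
    supplied = parse_args(argv)
    _secrets = resolve_password_files(supplied)  # consumed by the tool, never logged
    return format_line(tool, supplied)


def log_leaks_secret(line, secret):
    """Defender's check: does a log line contain the secret verbatim?"""
    return secret in line


def demo():
    """Run both variants against a constructed password file and report."""
    secret = "constructed-example-password"
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".pw") as handle:
        handle.write(secret + "\n")
    path = handle.name
    argv = ["--hostname", "ldap.example.test", "--port", "636",
            "--bindDN", "cn=Directory Manager", "--bindPasswordFile", path]
    try:
        bad = invocation_line_vulnerable("export-ldif", argv)
        good = invocation_line_fixed("export-ldif", argv)
        return {
            "vulnerable_leaks": log_leaks_secret(bad, secret),
            "fixed_leaks": log_leaks_secret(good, secret),
            "fixed_logs_path": path in good,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The point of the split between `parse_args` and `resolve_password_files` is that the value that reaches any logger, error message or audit record is the value the operator typed, and the dereferenced secret lives only in the structure the tool actually authenticates with.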
Upgrade Considerations
Important considerations for upgrading to this version of PingDirectoryProxy Server:
- If you have upgraded a server that is in a cluster (i.e., has a cluster name set in the Server Instance configuration object) to version 8.1, you will not be able to make cluster configuration changes until all servers with the same cluster name have been upgraded to version 8.1. If needed, you can create temporary clusters based on server version and change each server's cluster name accordingly to minimize the impact while you are upgrading.
- Updated the "delay bind response" failure lockout action to provide an option to delay the response to bind requests initiated by non-LDAP clients (for example, when using HTTP basic authentication). This option is disabled by default because delaying the bind response for non-LDAP clients may require temporarily blocking the thread used to process the request, which could increase the risk of a denial-of-service attack. To help mitigate this risk, if you enable delayed bind responses for non-LDAP clients, we recommend that you also increase the number of request handler threads for all enabled HTTP connection handlers.
- Updated setup to create a second encryption settings definition if data encryption is enabled. It will continue to create a definition for 128-bit AES encryption for use as the preferred definition, to preserve backward compatibility with existing servers in the topology, but it will now also generate a definition for 256-bit AES encryption. The 256-bit AES definition may become the preferred definition in a future release, but you can use it now by first ensuring that any existing instances are updated to contain the new definition (with the "encryption-settings export" and "encryption-settings import" commands) and then making it the preferred definition (with "encryption-settings set-preferred") in all instances.
- Fixed an issue that could prevent the uninstaller from removing information about the instance from the topology registry.
What's New
These are new features for this release of PingDirectoryProxy Server:
- The SCIM v2 REST API was added to PingDirectory Server in version 8.0. PingDirectoryProxy Server now supports the SCIM v2 REST API to create, read, update and delete (CRUD) users and other resources using JSON over HTTP. PingDirectoryProxy Server supports all the same endpoints and HTTP methods that PingDirectory Server supports.
- In an ongoing effort to improve the use of containers for PingDirectory Server, several features have been implemented:
  - The --outputFile option has been added to the collect-support-data tool. You can now specify a path, a file name, or a path and file name for the resulting CSD file. This means an administrator can run the collect-support-data tool and put the output file into a directory outside of the container, allowing access to the file without having to connect to the container.
  - The collect-support-data tool can now be run as a recurring task. Recurring tasks can be created using the Administrative Console, which means that administrators do not have to connect to the container in order to run the tool.
  - A collect-support-data extended operation has been added that allows LDAP clients to initiate the collect-support-data tool and to receive the output of the request. The LDAP SDK has been updated to support this, and the --remoteServer argument added to the collect-support-data tool can be used to send the request to another server. In other words, you can now run collect-support-data on the command line, reference another server (possibly in a container), and retrieve the output file remotely.
- PingDirectoryProxy Server has a Consent REST API that allows users to create and store consents. A new feature now allows users to search for consents that have been granted to them by another party.
- Updated PingDirectoryProxy Server to improve support for the PLAIN, UNBOUNDID-DELIVERED-OTP, UNBOUNDID-TOTP, and UNBOUNDID-YUBIKEY-OTP SASL mechanisms. Previously, PingDirectoryProxy Server itself performed all of the processing for those SASL mechanisms, and they would only work if PingDirectoryProxy Server could retrieve the appropriate encoded credentials from the backend PingDirectory Server. It will now forward the bind request to the backend server for processing, which allows these mechanisms to work in deployments in which the backend server prevents PingDirectoryProxy Server from accessing the stored credentials.
- Added a new validate-ldap-schema tool that can be used to examine schema definitions in a set of LDIF files and report any issues that it detects.
Known Issues/Workarounds
The following are known issues in the current version of the PingDirectoryProxy Server:
- Several known issues can occur when you use the Administrative Console with Tomcat 9.0.31. You can resolve these issues by upgrading to Tomcat 9.0.33 or later.
- If you use the create-systemd-script tool to create a forking systemd service, the service is stopped by the "systemctl stop ping-directory.service" command. You can then check its status with the "systemctl status ping-directory.service" command. That status might contain an indication of failure: "Active: failed (Result: exit-code)". This message results from the way the service exits and is harmless.
Resolved Issues
The following issues have been resolved with this release of the PingDirectoryProxy Server:
Ticket ID | Description
---|---
DS-1046, DS-1204, DS-36547 | Added support for remotely invoking the collect-support-data tool using an administrative task, and for invoking the tool on a regular basis as a recurring task. The tool has also been updated to add an outputPath argument that allows specifying the path or name to use for the output file.
DS-10216 | Updated the GSSAPI SASL mechanism handler to support integrity and confidentiality protection for client communication.
DS-37829 | The "create-systemd-script" CLI now creates a "forking" service file, since Ping services are started by a process (the "start-server" script) that is different from the actual service process.
DS-38008, DS-41192 | Updated PingDirectoryProxy Server to improve its support for retrying operations that fail in a manner that suggests they may succeed if attempted on a different server or on a newly established connection. Previously, PingDirectoryProxy Server would automatically enable retry support for all types of operations except add. At the time this retry support was initially implemented, retrying an add operation on a different server had the potential to result in a replication conflict if the entry was ultimately created on multiple servers. The Directory Server's replication logic has since been updated to detect and automatically resolve conflicts that result from attempts to add the same entry concurrently on multiple servers. As it is now safe to enable automatic retry support for add operations (along with all other types of operations), that is now the default configuration. PingDirectoryProxy Server has also been updated to improve its retry support for the case in which connections to multiple backend servers have become invalidated in a manner that it cannot immediately detect (for example, as the result of an issue with a network switch or hardware load balancer). As a result of this change, if all of PingDirectoryProxy Server's usual attempts to process an operation fail in a manner that could indicate that connections are no longer valid, it may now establish a new connection to a backend server for one additional retry attempt.
DS-38122 | Added support for an extended operation that can be used to invoke the collect-support-data tool from a remote system and stream the output and resulting support data archive back to the client. The collect-support-data command-line tool has been updated to support this capability through the new --useRemoteServer argument.
DS-38535 | Fixed an issue that could cause the server to generate an administrative alert about an uncaught exception when trying to send data on a TLS-encrypted connection that is no longer valid.
DS-39798 | Fixed a bug in which the SEMI_AGGRESSIVE and AGGRESSIVE JVM tuning parameters could both be selected at the same time.
DS-40356 | Updated the manage-profile tool to prevent displaying warnings about offline config changes when starting the server.
DS-40532 | Added a logging-error-behavior property to the log publisher, periodic stats logger plugin, and monitor history plugin configuration that can be used to specify the behavior the server should exhibit if an error occurs while attempting logging-related processing. By default, the server preserves its previous behavior of writing a message to standard error, but it can be configured to enter lockdown mode on a logging error, in which case the server reports itself as unavailable and accepts requests only from accounts with the lockdown-mode privilege and only from clients communicating over a loopback interface.
DS-40551 | Fixed an issue that could prevent some tools from running properly with an encrypted tools.properties file.
DS-40567 | A license is now always required when using the manage-profile replace-profile tool.
DS-40681 | Added a cache for password policies stored in user data rather than in the configuration. The cache holds up to 500 policies by default, but the cache size can be configured (or the cache disabled) using the maximum-user-data-password-policies-to-cache property in the global configuration.
DS-40746 | Updated the logic that the server uses to select an appropriate default set of TLS cipher suites.
DS-40806 | Fixed an issue that could cause the shutdown process to stall if the server is configured to use TCP to communicate with a StatsD endpoint that has become unresponsive.
DS-40817 | PATCH operations on SCIM 2 for PingDirectory Server now require the value of the schemas attribute in the request body to be "urn:ietf:params:scim:api:messages:2.0:PatchOp", in accordance with RFC 7644.
DS-40889 | Fixed an issue with recurring exec tasks where the working-directory attribute was ignored.
DS-40953 | Added detection for buffer issues that could cause connections to get stuck during the TLS handshake.
DS-41054 | Fixed an issue that stopped new extensions from being installed.
DS-41074 | Fixed an issue with the way the server reports memory usage after completing an explicitly requested garbage collection.
DS-41086 | Updated the StatsD monitoring endpoint to replace any spaces, commas, or colons with underscores, and to remove any single or double quotes, in sent metric lines. This simplifies parsing of the produced metrics.
DS-41118 | A gauge called HTTP Processing (Percent) is now available. This gauge measures the server's capacity to process new incoming HTTP requests.
DS-41126 | Updated the server to make the general monitor entry available to JMX clients.
DS-41136 | Enabled the SCIM 2 API for PingDirectoryProxy Server.
DS-41142 | Improved debugging support for Server SDK extensions. If debugging is enabled, the server now generates a debug message whenever it invokes an extension. For some extension methods that return a value, the server also generates a debug message with that return value.
DS-41206 | Fixed a memory leak when performing SCIM queries on PingDirectory Server.
DS-41235 | Updated the cn=Cluster subtree to prevent clustered configuration changes when servers in the cluster have mixed versions. To make clustered configuration changes, either update all servers in the cluster to the same version, or temporarily create separate clusters by server version by changing the cluster-name property on the server instance configuration objects.
DS-41236 | To avoid inconsistencies, changing clustered configuration now requires all servers in the cluster to be on the same product version. Servers will not pull any clustered configuration from the master of the cluster if they are on a different product version.
DS-41261 | Fixed an issue with manage-profile replace-profile where certain configuration changes for recurring task chains were not being applied.
DS-41289 | Fixed an issue that prevented password changes for topology administrators unless their password policy was configured to allow pre-encoded passwords.
DS-41299 | Fixed an issue where the Ping Directory Proxy could incorrectly return duplicate entries after timing out on an unindexed search.
DS-41301 | Addressed an issue that could lead to slow, off-heap memory growth. This only occurred on servers whose cn=Version,cn=monitor entry was retrieved frequently.
DS-41333 | Added an ssl-client-auth-policy configuration property to the HTTP connection handler to provide support for mutual TLS authentication.
DS-41366 | Updated the base monitor entry to include locationName and locationDN attributes if the server is configured with a location.
DS-41396 | Updated the Server SDK to add ClientContext and OperationContext methods for obtaining the name and DN of the associated client connection policy.
DS-41400 | Updated the file servlet HTTP servlet extension to add support for requiring authentication in order to access the content. Access may optionally be limited to members of a specified set of groups.
DS-41622 | The use-administrative-operation-request-control property is now hidden on unsupported products.
DS-41731 | Fixed an issue that could prevent setup from generating a self-signed certificate for systems with non-ASCII hostnames.
DS-41762 | Fixed an issue where mirrored subtree polling could produce config archive files that were identical or that ignored the configured insignificant attributes list.
DS-41818 | Added the --zip argument to the manage-profile generate-profile subcommand, which can be used to generate a zipped server profile.
DS-41820 | Added an administrative task that may be used to generate a server profile, and a corresponding recurring task that may be used to invoke the task on a regular basis.
DS-41821 | Added an instance root file servlet to the default configuration. HTTPS requests to /instance-root by authenticated users with the file-servlet-access privilege will be granted access to files within the server instance root.
DS-41850 | Servers running on Linux now log a warning about possible performance impacts if the current memory control group has memory.swappiness set to a nonzero value.
DS-41851 | Enabled Correlated LDAP Data Views for SCIM 2 resource types on PingDirectory Server and PingDirectoryProxy Server.
DS-41987 | Updated the PUT request in the consent service to reject requests that have duplicate collaborators, making it consistent with POST and PATCH requests.
DS-42006 | The server now warns the administrator at startup if there are multiple versions of the same jar listed in the classpath and the first one in the classpath is not the newest one.
DS-42033 | Addressed an issue where some tools would throw a NullPointerException if a server was configured with a custom global result code map.
DS-42387 | Updated the manage-profile generate-profile subcommand to exclude files in the ldif/ and bak/ directories by default when generating a server profile. If necessary, you can manually include those directories using the --includePath argument.
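The DS-40817 row states that a SCIM 2 PATCH body is now rejected unless its "schemas" attribute names the PatchOp message schema, as RFC 7644 section 3.5.2 requires. The following Python validator is an added example, not PingDirectory Server code, of what such a server-side check looks like when it also covers the rest of the PatchOp structure (non-empty Operations, allowed op names, path on remove, value on add/replace). The function names, the HTTP status/scimType mapping and the sample request bodies are constructed for this example.

```python
"""
Added example (not PingDirectory Server code): validating a SCIM 2 PATCH
request body the way DS-40817 describes, extended to the rest of the PatchOp
structure from RFC 7644 section 3.5.2. scimType values are taken from
RFC 7644 section 3.12; the choice of which one applies is an assumption.
"""
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ALLOWED_OPS = {"add", "remove", "replace"}


def validate_patch_request(body):
    """Validate a raw PATCH body.

    Returns (http_status, scim_type, detail). 200 means the request is
    acceptable; 400 carries the scimType a server would put in its error
    response, so a caller can build the RFC 7644 error document directly.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        return 400, "invalidSyntax", f"body is not valid JSON: {exc}"
    if not isinstance(data, dict):
        return 400, "invalidSyntax", "body must be a JSON object"

    # The DS-40817 check: the message schema, not a resource schema, must be named.
    schemas = data.get("schemas")
    if not isinstance(schemas, list) or PATCH_OP_SCHEMA not in schemas:
        return 400, "invalidValue", f'"schemas" must include {PATCH_OP_SCHEMA}'

    operations = data.get("Operations")
    if not isinstance(operations, list) or not operations:
        return 400, "invalidValue", '"Operations" must be a non-empty list'

    for index, op in enumerate(operations):
        if not isinstance(op, dict):
            return 400, "invalidSyntax", f"Operations[{index}] must be an object"
        name = str(op.get("op", "")).lower()
        if name not in ALLOWED_OPS:
            return 400, "invalidValue", f"Operations[{index}].op {op.get('op')!r} not allowed"
        if name == "remove" and not op.get("path"):
            return 400, "invalidPath", f"Operations[{index}]: remove requires a path"
        if name in ("add", "replace") and "value" not in op:
            return 400, "invalidValue", f"Operations[{index}]: {name} requires a value"
    return 200, None, "ok"


# Constructed sample requests.
VALID_BODY = json.dumps({
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "replace", "path": "active", "value": False},
        {"op": "remove", "path": 'emails[type eq "work"]'},
    ],
})

# Same operations, but the client named the User resource schema instead of
# the PatchOp message schema; this is the body DS-40817 now rejects.
WRONG_SCHEMA_BODY = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
})

MISSING_SCHEMAS_BODY = json.dumps({
    "Operations": [{"op": "add", "path": "nickName", "value": "sample"}],
})


if __name__ == "__main__":
    for label, body in [("valid", VALID_BODY), ("wrong schema", WRONG_SCHEMA_BODY),
                        ("no schemas", MISSING_SCHEMAS_BODY)]:
        print(label, validate_patch_request(body))
```

Checking the schemas URN first matters because it is what distinguishes a PatchOp message from a resource representation sent to the wrong method; a client that sends a full User document with PATCH should get an error rather than a silently ignored or misapplied update.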
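The DS-41086 row describes two sanitisation rules for StatsD metric lines: spaces, commas and colons become underscores, and single or double quotes are dropped. The reason this "simplifies parsing" is that a StatsD line is `<name>:<value>|<type>`, so any of those characters inside a metric name derived from an LDAP monitor attribute collides with the line's own delimiters. The following Python example is added here and is not PingDirectoryProxy Server code; it applies the two rules, pairs them with a minimal StatsD parser, and shows on constructed monitor attribute names which raw lines a receiver would misparse. The function names and sample names are assumptions.

```python
"""
Added example (not PingDirectoryProxy Server code): the DS-41086 metric-name
sanitisation rules next to a minimal StatsD line parser, to show why
unsanitised names break the '<name>:<value>|<type>' format.
"""
import re

_REPLACE_WITH_UNDERSCORE = re.compile(r"[ ,:]")
_DROP = re.compile(r"""['"]""")


def sanitize_component(text):
    """Apply the two rules from the release note to one metric name or tag."""
    text = _REPLACE_WITH_UNDERSCORE.sub("_", text)
    return _DROP.sub("", text)


def format_metric_line(name, value, metric_type="g"):
    """Build a StatsD line, sanitising the name first."""
    return f"{sanitize_component(name)}:{value}|{metric_type}"


def parse_metric_line(line):
    """Minimal StatsD parser returning (name, value, type).

    Raises ValueError on a malformed line, including a value that is not a
    number because an unsanitised name swallowed the first colon.
    """
    name, _, rest = line.partition(":")
    value, sep, metric_type = rest.partition("|")
    if not name or not sep or not metric_type:
        raise ValueError(f"malformed StatsD line: {line!r}")
    return name, float(value), metric_type


def roundtrip_ok(name, value):
    """True when the sanitised line parses back to the value that was sent."""
    try:
        parsed_name, parsed_value, _ = parse_metric_line(format_metric_line(name, value))
    except ValueError:
        return False
    return parsed_value == value and parsed_name == sanitize_component(name)


# Constructed monitor attribute names of the kind a directory server exposes.
RAW_NAMES = [
    "cn=Version,cn=monitor:currentTime",    # comma and colon in the name
    "LDAP Connection Handler 0.0.0.0:636",  # spaces and a colon
    'Backend "userRoot" entryCount',        # spaces and double quotes
]


def demo():
    """For each raw name: (naive line parses?, sanitised line round-trips?, sanitised line)."""
    results = {}
    for raw in RAW_NAMES:
        unsanitised = f"{raw}:42|g"
        try:
            naive_ok = parse_metric_line(unsanitised)[1] == 42
        except ValueError:
            naive_ok = False
        results[raw] = (naive_ok, roundtrip_ok(raw, 42), format_metric_line(raw, 42))
    return results


if __name__ == "__main__":
    for raw, (naive_ok, safe_ok, line) in demo().items():
        print(f"{raw!r}: naive parse ok={naive_ok}, sanitised ok={safe_ok}, line={line}")
```

The first two sample names fail the naive parse because the parser treats the first colon as the name/value separator and then cannot turn the remainder into a number; the quoted name happens to parse with this simple splitter but would still confuse receivers that treat quotes specially, which is why the note drops them as well.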