Configuring Groovy-scripted extensions - PingDirectory - 8.3
Release Notes
PingDirectory Server Release Notes
PingDirectory Server 8.3.0.9 release notes
PingDirectory Server 8.3.0.8 release notes
PingDirectory Server 8.3.0.7 release notes
PingDirectory Server 8.3.0.6 release notes
PingDirectory Server 8.3.0.5 release notes
PingDirectory Server 8.3.0.3 release notes
PingDirectory Server 8.3.0.2 release notes
PingDirectory Server 8.3.0.1 release notes
PingDirectory Server 8.3.0.0 Release Notes
PingDirectory Server previous releases
PingDirectory 8.2.0.8 release notes
PingDirectory Server 8.2.0.7 release notes
PingDirectory Server 8.2.0.6 release notes
PingDirectory Server 8.2.0.5 release notes
PingDirectory Server 8.2.0.3 release notes
PingDirectory Server 8.2.0.2 release notes
PingDirectory Server 8.2.0.1 Release Notes
PingDirectory Server 8.2 release notes
Critical fixes
PingDirectory Server 8.1.0.6 release notes
PingDirectory Server 8.1.0.5 release notes
PingDirectory Server 8.1.0.2 Release Notes
PingDirectory Server 8.1 Release Notes
PingDirectory Server 8.0.0.5 release notes
PingDirectory Server 8.0.0.4 release notes
PingDirectory Server 8.0.0.3 release notes
PingDirectory Server 8.0.0.2 Release Notes
PingDirectory Server 8.0.0.1 Release Notes
PingDirectory Server 8.0.0.0 Release Notes
PingDirectoryProxy Server Release Notes
PingDirectoryProxy Server 8.3.0.9 release notes
PingDirectoryProxy Server 8.3.0.8 release notes
PingDirectoryProxy Server 8.3.0.7 release notes
PingDirectoryProxy Server 8.3.0.6 release notes
PingDirectoryProxy Server 8.3.0.5 release notes
PingDirectoryProxy Server 8.3.0.3 release notes
PingDirectoryProxy Server 8.3.0.2 release notes
PingDirectoryProxy Server 8.3.0.1 release notes
PingDirectoryProxy Server 8.3.0.0 release notes
PingDirectoryProxy Server previous releases
PingDirectoryProxy 8.2.0.8 release notes
PingDirectoryProxy Server 8.2.0.7 release notes
PingDirectoryProxy Server 8.2.0.6 release notes
PingDirectoryProxy Server 8.2.0.5 release notes
PingDirectoryProxy Server 8.2.0.2 release notes
PingDirectoryProxy Server 8.2.0.1 Release Notes
PingDirectoryProxy Server 8.2 release notes
Critical fixes
PingDirectoryProxy Server 8.1.0.6 release notes
PingDirectoryProxy Server 8.1.0.5 release notes
PingDirectoryProxy Server 8.1.0.2 Release Notes
PingDirectoryProxy Server 8.1 Release Notes
PingDirectoryProxy Server 8.0.0.5 release notes
PingDirectoryProxy Server 8.0.0.4 release notes
PingDirectoryProxy Server 8.0.0.3 release notes
PingDirectoryProxy Server 8.0.0.2 Release Notes
PingDirectoryProxy Server 8.0.0.1 Release Notes
PingDirectoryProxy Server 8.0.0.0 Release Notes
PingDataMetrics Server Release Notes
PingDataMetrics Server 8.3.0.9 release notes
PingDataMetrics Server 8.3.0.8 release notes
PingDataMetrics Server 8.3.0.7 release notes
PingDataMetrics Server 8.3.0.6 release notes
PingDataMetrics Server 8.3.0.5 release notes
PingDataMetrics Server 8.3.0.3 release notes
PingDataMetrics Server 8.3.0.2 release notes
PingDataMetrics Server 8.3.0.1 release notes
PingDataMetrics Server 8.3.0.0 release notes
PingDataMetrics Server previous releases
PingDataMetrics 8.2.0.8 release notes
PingDataMetrics Server 8.2.0.7 release notes
PingDataMetrics Server 8.2.0.6 release notes
PingDataMetrics 8.2.0.5 release notes
PingDataMetrics Server 8.2.0.2 release notes
PingDataMetrics Server 8.2.0.1 release notes
Data Metrics Server 8.2.0.0 Release Notes
Critical fixes
PingDataMetrics Server 8.1.0.6 release notes
PingDataMetrics 8.1.0.5 release notes
Data Metrics Server 8.1.0.2 Release Notes
PingDataMetrics Server 8.1 Release Notes
PingDataMetrics 8.0.0.5 release notes
Ping Data Metrics Server 8.0.0.4 release notes
PingDataMetrics Server 8.0.0.3 release notes
Ping Data Metrics Server 8.0.0.2 Release Notes
PingDataMetrics Server 8.0.0.1 Release Notes
PingDataMetrics Server 8.0.0.0 Release Notes
Delegated Admin Release Notes
Delegated Admin 4.6 release notes
Delegated Admin previous releases
Delegated Admin 4.5.0 - April 2021
Known issues and limitations
Delegated Admin 4.4.0 - December 2020
Delegated Admin 4.2.0 Release Notes
Delegated Admin 4.1.0 Release Notes
Delegated Admin 4.0.0 Release Notes
Delegated Admin 3.5.1 Release Notes
Delegated Admin 3.5.0 Release Notes
PingDataSync Server Release Notes
PingDataSync Server 8.3.0.9 release notes
PingDataSync Server 8.3.0.8 release notes
PingDataSync Server 8.3.0.7 release notes
PingDataSync Server 8.3.0.6 release notes
PingDataSync Server 8.3.0.5 release notes
PingDataSync Server 8.3.0.3 release notes
PingDataSync Server 8.3.0.2 release notes
PingDataSync Server 8.3.0.1 release notes
PingDataSync 8.3.0.0 release notes
PingDataSync Server previous releases
PingDataSync 8.2.0.8 release notes
PingDataSync Server 8.2.0.7 release notes
PingDataSync Server 8.2.0.6 release notes
PingDataSync Server 8.2.0.5 release notes
PingDataSync 8.2.0.2 release notes
PingDataSync 8.2 release notes
Critical fixes
PingDataSync Server 8.1.0.6 release notes
PingDataSync Server 8.1.0.5 release notes
PingDataSync 8.1.0.2 Release Notes
PingDataSync 8.1 Release Notes
PingDataSync Server 8.0.0.5 release notes
PingDataSync 8.0.0.4 release notes
PingDataSync 8.0.0.3 release notes
PingDataSync 8.0.0.2 Release Notes
PingDataSync 8.0.0.1 Release Notes
PingDataSync 8.0.0.0 Release Notes
PingDirectory Server Administration Guide
Introduction to PingDirectory Server
Server features
Administration framework
Server tools location
Installing PingDirectory Server
Prepare your environment
Before you begin
System requirements
Installing Java
Preparing the operating system (Linux)
Configuring the file descriptor limits
Tuning the file system
Setting the file system flushes
Setting noatime on ext3 and ext4 Systems
Setting the maximum user processes
About editing OS-level environment variables
Installing sysstat and pstack (Red Hat)
Installing dstat (SUSE Linux)
Disabling file system swapping
Omitting vm.overcommit_memory
Managing system entropy
Setting file system event monitoring (inotify)
Tuning the I/O scheduler
Running as a non-root user (Linux)
Enabling the server to listen on privileged ports (Linux)
Getting the installation packages
Signing on to the Administrative Console
Directory Server folder layout
make-ldif template format
Server installation modes
Before you begin
Ping license keys
Setting up the Directory Server in interactive mode
Installing the Directory Server in non-interactive mode
Installing the Directory Server in non-interactive mode
Installing the Directory Server in non-interactive mode with a truststore
Installing a lightweight server
Uninstalling the Server
Uninstalling the server in interactive mode
Uninstalling the server in non-interactive mode
Uninstalling selected components in non-interactive mode
Upgrading the Server
Upgrade overview and considerations
Upgrading servers in a topology
Restoring a mixed topology to a clean state
Upgrading the Directory Server
Reverting an update
Getting Started with Directory Server
Multiple backends
Importing data
Generating sample data
Importing data on the Directory Server using offline import
Running the server
Starting the Directory Server
Running the server as a foreground process
Starting the server at boot time
Signing on to the Administrative Console
Stopping the Directory Server
Scheduling a server shutdown
Restarting the server
Running the server as a Microsoft Windows service
Registering the server as a Windows service
Running multiple service instances
Deregistering and uninstalling services
Configuring log files for services
Running the status tool
Tuning the Server
About minimizing disk access
Memory allocation and database cache
Directory Server process memory
Determining heap and database cache size
Automatic DB cache percentages
Automatic memory allocation
Automatic memory allocation for the command-line tools
Database preloading
Configuring database preloading
Configuring database preloading
Configuring multiple preloading methods
Configuring system index preloading
Databases on storage area networks, network-attached storage, or running in virtualized environments
Database cleaner
Compacting common parent DNs
Setting the import thread count
JVM properties for server and command-line tools
Applying changes using dsjavaproperties
Updating the Java version in the properties file
Regenerating the Java properties file
Tuning for disk-bound deployments
Uncached attributes and entries
Configuring uncached attributes and entries
JVM garbage collection using CMS
Determining the CMSInitiatingOccupancyFraction
Configuring the Server
About the configuration tools
About the dsconfig configuration tool
Using dsconfig in interactive command-line mode
Configuring the Server using dsconfig interactive mode
Viewing dsconfig advanced properties
Changing the dsconfig object menu
dsconfig interactive administrative alerts
Using dsconfig in non-interactive mode
Configuring the Server using dsconfig non-interactive mode
Viewing a list of dsconfig properties
Getting the equivalent dsconfig non-interactive mode command
Using dsconfig batch mode
Using PingDirectory Server or PingDirectoryProxy Server with PingFederate OAuth tokens
About recurring tasks and task chains
Creating a recurring task and task chain
LDIF export as a recurring task
Lockdown mode as a recurring task
File retention recurring task
Using exec tasks
Topology configuration
Topology master requirements and selection
Topology components
Monitor data for the topology
Servers and certificates
Listener certificates
Replacing listener certificates
Inter-server certificates
Replacing the inter-server certificate
X.509 certificates
Certificate subject DNs
Certificate key pairs
Certificate extensions
Certificate chains
About representing certificates, private keys, and certificate signing requests
Certificate trust
Keystores and truststores
Transport Layer Security (TLS)
TLS handshakes
Key agreement
LDAP StartTLS extended operation
About the manage-certificates tool
Available subcommands
Common arguments
Listing the certificates in a keystore
Generating self-signed certificates
Generating certificate signing requests
Importing signed and trusted certificates
Exporting certificates
Using manage-certificates as a simple certification authority
Enabling TLS support during setup
Enabling TLS support after setup
Configuring key and trust manager providers
Configuring connection handlers
Updating the topology registry
Troubleshooting TLS-related issues
Log messages
manage-certificates check-certificate-usability
ldapsearch
Using low-level TLS debugging
Using the Configuration API
Authentication and authorization with the Configuration API
The Configuration API and the dsconfig tool relationship
GET example
GET list example
PATCH example
Configuration API paths
Sort and filter objects
Update properties
Administrative actions
Updating servers and server groups
Configuration API responses
Working with the Directory REST API
Configuring the Server using the Administrative Console
Signing on to the Administrative Console
Configuring the Server using the Console
Generating a summary of configuration components
Administrator account classes
Using separate administrator accounts
Unpredictable identifiers for server administrators
Secure communication for server administrators
Managing root user accounts
Default root privileges
Configuring administrator accounts
Setting up a single administrator account
Changing the administrator password
Setting up an administrator group
Configuring a global administrator
Creating a global administrator
Removing a global administrator
Configuring server groups
Client connection policy configuration
About the client connection policy
When a client connection policy is assigned
Restricting the type of search filter used by clients
Resource limits
Defining the operation rate
Client connection policy deployment example
Define the connection policies
How the policy is evaluated
Configuring a client connection policy using the console
Configuring a client connection policy using dsconfig
Restricting server access based on client IP address
Restricting server access using the connection handlers
Restricting server access using client connection policies
Automatically authenticating clients that have a secure communication channel
Securing the Server with lockdown mode
Entering lockdown mode manually
Leaving lockdown mode
Starting a server in lockdown mode
Configuring maximum shutdown time
About working with referrals
Specifying LDAP URLs
Creating referrals
Modifying a referral
Deleting a referral
Configuring a read-only server
Configuring HTTP access for the Directory Server
Configuring HTTP Servlet Extensions
Configuring web application servlet extensions
Configuring Java-based servlet extensions
Configuring Groovy-scripted extensions
Configuring HTTP operation loggers
Example HTTP log publishers
Configuring HTTP connection handlers
Configuring an HTTP connection handler
Configuring an HTTP connection handler for web applications
HTTP correlation IDs
Configuring HTTP correlation ID support
HTTP correlation ID example
DNS caching
IP address reverse name lookups
Configuring traffic through a load balancer
Working with the Referential Integrity plugin
Working with the Unique Attribute plugin
Working with the Purge Expired Data plugin
Configuring the Purge Expired Data plugin for expired entries
Configuring the Purge Expired Data plugin for expired attribute values
Configuring uniqueness across attribute sets
Working with the Last Access Time plugin
Working with the Pass-Through Authentication plugin
The Pass-Through Authentication plugin for PingOne
Troubleshooting server performance issues
Slow password storage schemes
Database size versus memory capacity
Large number of access control rules
Large static groups
Large index ID sets
Missing indexes
Configuring the Directory Server for Oracle compatibility
Supporting unindexed search requests
Syncing passwords to PingOne
Single sign-on with the PingDirectoryServer administrative console
Setting up SSO to PingDirectory from PingOne
Setting up SSO to PingDirectory from a generic OpenID Connect provider
Configuring Soft Deletes
About soft deletes
General tips on soft deletes
Configuring soft deletes on the Server
Configuring soft deletes as a global configuration
Configuring a user to use soft or hard delete controls
Searching for soft deletes
Running a base-level search on a soft-deleted entry
Running a filtered search by soft-delete-entry object class
Running a search using the soft delete entry access control
Undeleting a soft-deleted entry using the same RDN
Undeleting a soft-deleted entry using a new RDN
Modifying a soft-deleted entry
Hard deleting a soft-deleted entry
Hard deleting a soft-deleted entry (global configuration)
Hard deleting a soft-deleted entry (connection or request criteria)
Configuring soft deletes by connection criteria
Enabling soft deletes by connection criteria
Disabling soft deletes by connection criteria
Configuring soft deletes by request criteria
Enabling soft deletes by request criteria
Disabling soft deletes by request criteria
Configuring soft-delete automatic purging
Configuring soft-delete automatic purging
Disabling soft-delete automatic purging
Soft and hard delete processes
Soft delete controls and tool options
Monitoring soft deletes
New monitor entries
Monitoring soft deletes
Access logs
Audit logs
Configuring the file-based audit log for soft deletes
Changelog
Configuring soft deletes on the changelog backend
Disabling soft deletes as a global configuration
Importing and exporting data
Importing data
Validating an LDIF file
About the database cache estimate
Tracking skipped and rejected entries
Running an offline import
Performing an offline import
Performing an offline LDIF import using a compressed file
Performing an offline LDIF import using a MakeLDIF template
Running an online LDIF import
Performing an online LDIF import
Scheduling an online import
Canceling a scheduled import
Adding entries to an existing Directory Server
Filtering data import
Exporting data
Performing an export
Performing an export from specific branches
Encrypting LDIF exports and signing LDIF files
Encrypting an LDIF export
Importing an encrypted LDIF file
Signing an export
Importing a signed LDIF file
Filtering data exports
Scrambling data files
Backing Up and Restoring Data
About backing up and restoring data
Retaining backups
Listing the available backups on the system
Backing up all backends
Backing up a single backend
Performing an offline restore
Assigning an ID to a backup
Running an incremental backup on all backends
Running an incremental backup on a single backend
Running an incremental backup based on a specific prior backup
Restoring an incremental backup
Scheduling an online backup
Scheduling an online restore
Encrypting a backup
Signing a hash of the backup
Restoring a backup
Moving or restoring a user database
Comparing the data in two Directory Servers
Comparing two Directory Servers using ldap-diff
Comparing configuration entries using config-diff
Comparing entries using source and target DN files
Comparing Directory Servers for missing entries only using ldap-diff
Reverting or replaying changes
Working with Groups
Overview of groups
About the isMemberOf and isDirectMemberOf virtual attribute
Using static groups
Creating static groups
Creating a static group
Adding a new member to a static group
Removing a member from a static group
Searching static groups
Determining if a user is a static group member
Determining the static groups to which a user belongs
Determining the members of a static group
Using dynamic groups
Creating dynamic groups
Searching dynamic groups
Determining if a user is a dynamic group member
Determining the dynamic groups to which a user belongs
Determining the members of a dynamic group
Using dynamic groups for internal operations
Using virtual static groups
Creating virtual static groups
Searching virtual static groups
Creating nested groups
Maintaining referential integrity with static groups
Monitoring the group membership cache
Using the entry cache to improve the performance of large static groups
Enabling the entry cache
Creating your own entry cache for large groups
Monitoring the entry cache
Tuning the index entry limit for large groups
Summary of commands to search for group membership
Migrating Oracle groups
Migrating static groups
Migrating static groups to virtual static groups
Migrating dynamic groups
Working with Indexes
Overview of indexes
General tips on indexes
Index types
System indexes
Viewing the system indexes
Managing local DB indexes
Viewing the list of local DB indexes
Viewing a property for all local DB indexes
Viewing the configuration parameters for local DB index
Modifying the configuration of a local DB index
Creating a new local DB index
Deleting a local DB index
Composite indexes
JSON indexes
Working with local DB VLV indexes
Viewing the list of local DB VLV indexes
Creating a new local DB VLV index
Modifying a VLV index's configuration
Rebuilding a VLV index
Deleting a VLV index
Working with filtered indexes
Creating a filtered index
Tuning indexes
About the exploded index format
About monitoring index entry limits
About the dbtest Index Status table
Configuring the index properties
About the Index Summary Statistics table
Managing Entries
Searching entries
Searching the root DSE
Searching all entries in the Directory Server
Searching for an access control instruction
Searching for the schema
Searching for a single entry using base scope and base DN
Searching for a single entry using the search filter
Searching for all immediate children for restricted return values
Searching for all children of an entry in sorted order
Limiting the number of returned search entries and search time
Getting information about how indexes are used in a search operation
Working with the matching entry count control
Adding entries
Adding an entry using an LDIF file
Adding an entry using the changetype LDIF directive
Adding multiple entries in a single file
Deleting entries using ldapdelete
Deleting an entry using ldapdelete
Deleting multiple entries using an LDIF file
Deleting entries using ldapmodify
Modifying entries using ldapmodify
Modifying an attribute from the command line
Modifying multiple attributes in an entry from the command line
Adding an attribute from the command line
Adding an attribute using the language subtype
Adding an attribute using the binary subtype
Deleting an attribute
Deleting one value from an attribute with multiple values
Renaming an entry
Moving an entry within a Directory Server
Moving an entry from one machine to another
Moving multiple entries from one machine to another
Working with the parallel-update tool
Running the parallel-update tool
Working with the watch-entry Tool
Working with LDAP transactions
Requesting a batched transaction using ldapmodify
Working with Virtual Attributes
Viewing the list of default virtual attributes
Viewing the list of default virtual attributes using dsconfig non-interactive mode
Viewing virtual attribute properties
Enabling a virtual attribute
Enabling a virtual attribute using dsconfig interactive mode
Enabling a virtual attribute using dsconfig non-interactive mode
Creating user-defined virtual attributes
Creating a user-defined virtual attribute in interactive mode
Creating a user-defined virtual attribute using dsconfig in non-interactive mode
Creating mirror virtual attributes
Creating a mirror virtual attribute using dsconfig in non-interactive mode
Editing a virtual attribute
Editing a virtual attribute using dsconfig in non-interactive mode
Deleting a virtual attribute
Working with Composed Attributes
Virtual attribute limitations
Performance limitations
Indexing limitations
Unexpected behavior for write operations
Overview of composed attributes
Composed attribute plugin configuration properties
Populate composed attribute values task
Composed attribute dependency considerations
Schema validation considerations
Replication considerations
Synchronization Server considerations
Directory Proxy Server considerations
Troubleshooting considerations
Security considerations
Limitations of composed attributes relative to virtual attributes
Encrypting Sensitive Data
About encrypting and protecting sensitive data
About the Encryption-Settings Database
Supported Encryption Ciphers and Transformations
Using the encryptions-settings Tool
Creating encryption-settings definitions
Changing the preferred encryption-settings definition
Deleting an encryption-settings definition
Configuring the encryption-settings database
Encrypting passphrase files
About backing up and restoring the encryption-settings definitions
Exporting encryption-settings definitions
Importing encryption-settings definitions
Enabling data encryption in the server
Using data encryption in a replicated environment
Dealing with a compromised encryption key
Configuring sensitive attributes
Creating a sensitive attribute
Configuring global sensitive attributes
Excluding a global sensitive attribute on a client connection policy
Working with the LDAP Changelog
Overview of the LDAP changelog
Key changelog features
Enabling access control filtering in the LDAP changelog
Useful changelog features
Example of the changelog features
Viewing the LDAP changelog properties
Viewing the LDAP changelog properties using dsconfig non-interactive mode
Enabling the LDAP changelog
Enabling the LDAP changelog using dsconfig non-interactive mode
Enabling the LDAP changelog using interactive mode
Changing the LDAP changelog database location
Changing the LDAP changelog location using dsconfig non-interactive mode
Resetting the LDAP changelog location using dsconfig non-interactive mode
Viewing the LDAP changelog parameters in the Root DSE
Viewing the LDAP changelog using ldapsearch
Viewing the LDAP changelog using ldapsearch
Viewing the LDAP change sequence numbers
Viewing LDAP changelog monitoring information
Indexing the LDAP changelog
Indexing a changelog attribute
Excluding attributes from indexing
Tracking virtual attribute changes in the LDAP changelog
Managing Access Control
Overview of access control
Key access control features
Improved validation and security
Global ACIs
Access controls for public or private backends
General format of the access control rules
Summary of access control keywords
Targets
Permissions
Bind rules
Access token validators
About access token validator processing
Access token validator types
Configuring a sample PingFederate access token validator
JWT access token validator
Handling signed tokens
Example: Use a locally configured trusted certificate
Example: Use the issuer's JWKS endpoint
Handling encrypted tokens
Mock access token validator
Third-party access token validator
Working with targets
target
targetattr
targetfilter
targattrfilters
targetscope
targetcontrol
extOp
Examples of common access control rules
Administrator access
Anonymous and authenticated access
Delegated access to a manager
Proxy authorization
Validating ACIs before migrating data
Validating ACIs from a file
Validating ACIs in another Directory Server
Migrating ACIs from Oracle to PingDirectory Server
Support for macro ACIs
Support for the roleDN bind rule
Targeting operational attributes
Specification of global ACIs
Defining ACIs for non-user content
Limiting access to controls and extended operations
Tolerance for malformed ACI values
About the privilege subsystem
Identifying unsupported ACIs
Working with privileges
Available privileges
Privileges automatically granted to root users
Assigning additional privileges for administrators
Assigning privileges to normal users and individual root users
Disabling privileges
Working with proxied authorization
Configuring proxied authorization
Restricting proxy users
About the ds-auth-may-proxy-as-* operational attributes
About the ds-auth-is-proxyable-* operational attributes
Restricting proxied authorization for specific users
Working with parameterized ACIs
$attr.attrName macro
Managing the Schema
About the schema
About the Schema Editor
Default Directory Server schema files
Extending the Directory Server schema
General tips on extending the schema
About managing attribute types
Attribute type definitions
Basic properties of attributes
Viewing attributes
Viewing attribute types using the Schema Editor
Viewing attribute types over LDAP
Viewing a specific attribute type over LDAP
Creating a new attribute over LDAP
Adding a new attribute to the schema over LDAP
Adding constraints to attribute types
Managing object classes
Object classes types
Object class definition
Basic object class properties
Viewing object classes
Managing an object class over LDAP
Creating a new object class using the Schema Editor
Extending the schema using a custom schema file
About managing matching rules
Matching rule definition
Default matching rules
Basic matching rule properties
Viewing matching rules
About managing attribute syntaxes
Attribute syntax definition
Default attribute syntaxes
Basic attribute syntax properties
Viewing attribute syntaxes
Using the Schema Editor utilities
Modifying a schema definition
Deleting a schema definition
Managing schema checking
Viewing the schema checking properties
Disabling schema checking
Managing matching rule uses
Matching rule use definitions
Viewing matching rule uses
Managing DIT content rules
DIT content rule definitions
Viewing DIT content rules
Managing name forms
Name form definitions
Viewing name forms
Managing DIT structure rules
DIT structure rule definition
Viewing DIT structure rules
About managing JSON attribute values
Configuring JSON attribute constraints
Adding constraints to JSON attributes
Managing password policies
Viewing password policies
Viewing password policies
Viewing a specific password policy
About the password policy properties
Access log
Replication considerations
Get Recent Login History control
Modifying an existing password policy
Creating new password policies
Creating a new password policy
Assigning a password policy to an individual account
Assigning a password policy using a virtual attribute
Deleting a password policy
Modifying a user's password
Validating a password
Retiring a password
Changing a user's password using the Modify operation
Changing a user's password using the Password Modify extended operation
Using an automatically-generated password
Enabling YubiKey authentication
Enabling social sign-on
Managing user accounts
Returning the password policy state information
Determining whether an account is disabled
Disabling an account
Enabling a disabled account
Assigning the manage-account access privileges to non-root users
Disabling password policy evaluation
Globally disabling password policy evaluation
Exempting a user from password policy evaluation
About managing password validators
Password validators
Configuring password validators
Viewing the list of defined password validators
Configuring the Attribute Value Password Validator
Configuring the Character Set Password Validator
Configuring the Length-Based Password Validator
Configuring the Regular Expression Password Validator
Configuring the Repeated Character Password Validator
Configuring the Similarity-Based Password Validator
Configuring the Unique Characters Password Validator
Managing Replication
Overview of replication
Replication versus synchronization
Replication terminology
Replication architecture
Eventual consistency
Replicas and replication servers
Authentication and authorization
Logging
Replication deployment planning
Location
User-defined LDAP
Disk space
Memory
Time synchronization
Communication ports
Hardware load balancers
PingDirectoryProxy
Displaying the server information for a replication deployment
Displaying all status information for a replication deployment
Enabling replication
Overview
Command-line interface
What happens when you enable replication
Initialization
Replica generation ID
Deploying a basic replication topology
Example deployment with non-interactive dsreplication
Deploying with non-interactive dsreplication
Using dsreplication with SASL GSSAPI (Kerberos)
Configuring assured replication
About the Replication Assurance Policy
About assured replication
Configuring assured replication
About the assured replication controls
Managing the topology
Adding a server to the topology
Disabling replication and removing a server from the topology
Replacing the data for a replicating domain
Advanced configuration
Changing the replicationChanges DB Location
Modifying the replication purge delay
Configuring a single listener-address for the replication server
Monitoring replication
Monitoring replication using cn=monitor
Replication best practices
About the dsreplication command-line utility
Replication conflicts
Types of replication conflicts
Naming conflict scenarios
Modification conflict scenarios
Troubleshooting replication
Recovering a replica with missed changes
Performing a manual initialization
Fixing replication conflicts
Fixing a modify conflict
Fixing a naming conflict
Fixing mismatched generation IDs
Replication reference
Summary of the dsreplication Subcommands
Summary of the Direct LDAP Monitor information
Summary of the Indirect LDAP Server Monitor information
Summary of the Remote Replication Server Monitor information
Summary of the Replica Monitor information
Summary of the Replication Server Monitor information
Summary of the Replication Server Database Monitor information
Summary of the Replication Server Database Environment Monitor information
Summary of the Replication Summary Monitor information
Summary of the replicationChanges Backend Monitor information
Summary of the Replication Protocol Buffer Monitor information
Advanced topics reference
About the replication protocol
Change number
Conflict resolution
WAN-friendly replication
WAN Gateway Server
WAN message routing
WAN Gateway Server selection
WAN replication in mixed-version environments
Recovering a replication changelog
Performing disaster recovery
Managing Logging
Default Directory Server logs
Types of log publishers
Viewing the list of log publishers
Enabling or disabling a default log publisher
Managing access and error log publishers
Managing file-based access log publishers
Access log format
Access log example
Modifying the access log using dsconfig interactive mode
Modifying the access log using dsconfig non-interactive mode
Modifying the maximum length of log message strings
Disabling logging of inter-server periodic search requests
Generating access logs summaries
About log compression
About log signing
About encrypting log files
Configuring log signing
Validating a signed file
Configuring log file encryption
Creating new log publishers
Creating a new log publisher
Creating a log publisher using dsconfig interactive command-line mode
Configuring log rotation
Configuring log rotation listeners
Configuring log retention
Configuring filtered logging
Managing Admin Alert Access Logs
About access log criteria
Configuring an Admin Alert Access Log publisher
Managing the Syslog-Based Access Log Publishers
Before you begin
Logging with syslog
Default access log severity level
syslog-facility properties
queue-size property
Configuring a Syslog-Based Access Log Publisher
Managing the File-Based Audit Log Publishers
Audit log format
Audit log example
Enabling the File-Based Audit Log Publisher
Obscuring values in the audit log
Managing the JDBC Access Log Publishers
Before you begin
Configuring the JDBC drivers
Configuring the log field mapping tables
Configuring the JDBC Access Log Publisher using dsconfig interactive mode
Configuring the JDBC Access Log Publisher using dsconfig non-interactive mode
Managing the File-Based Error Log Publisher
Error log example
Modifying the File-Based Error Logs
Managing the Syslog-Based Error Log Publisher
Syslog error mapping
Configuring a Syslog-Based Error Log Publisher
Creating File-Based Debug Log Publishers
Creating a File-Based Debug Log Publisher
Deleting a File-Based Debug Log Publisher
Managing Monitoring
The monitor backend
Monitoring disk space usage
Monitoring with the PingDataMetrics Server
About the collection of system monitoring data
Monitoring key performance indicators by application
Configuring the external Servers
Preparing the servers monitored by the PingDataMetrics Server
Configuring the Processing Time Histogram plugin
Setting the connection criteria to collect SLA statistics by application
Proxy considerations for tracked applications
Monitoring using SNMP
SNMP implementation
Configuring SNMP
MIBS
Monitoring with the Administrative Console
Accessing the Processing Time Histogram
Monitoring with JMX
Running JConsole
Monitoring the Directory Server using JConsole
Monitoring using the LDAP SDK
Monitoring over LDAP
Profiling server performance using the Stats Logger
Enabling the Stats Logger
Configuring multiple Periodic Stats Loggers
Enabling and configuring the StatsD monitoring endpoint
Enabling and configuring the Stats Collector Plugin
Adding custom logged statistics to a Periodic Stats Logger
Configuring a custom logged statistic using dsconfig interactive
Configuring a custom stats logger using dsconfig non-interactive
Updating the Global Configuration
Monitoring PingDirectory metrics with Splunk
Sending PingDirectory metrics with StatsD
Configuring a StatsD monitoring endpoint
Configuring Splunk to receive StatsD metrics
Sending Metrics with the Periodic Stats Logger and the Splunk Universal Forwarder
Configuring the Periodic Stats Logger
Configuring the Splunk Universal Forwarder
Using the Directory Server app for Splunk
Managing Notifications and Alerts
Account status notifications
Account status notification types
Working with the Error Log Account Status Notification Handler
Disabling the Error Log Account Status Notification Handler
Removing a notification type from the Error Log Handler
Working with the SMTP Account Status Notification Handler
Configuring the SMTP server
Configuring a StartTLS connection to the SMTP server
Configuring an SSL connection to the SMTP server
Enabling the SMTP account status notification handler
Viewing the account status notification handlers
Associating account status notification handlers with password policies
Administrative alert handlers
Administrative alert types
Configuring the JMX connection handler and alert handler
Configuring the JMX connection handler
Configuring the JMX alert handler
Configuring the SMTP alert handler
Configuring the SNMP subagent alert handler
Email account status notification handler
Account status notification types
Message template file format
Customizing the message content
Working with the Alerts Backend
Viewing information in the Alerts Backend
Modifying the alert retention time
Configuring duplicate alert suppression
Working with alarms, alerts, and gauges
Viewing information in the Alarms Backend
Testing alerts and alarms
Testing alarms and alerts
Indeterminate alarms
Managing SCIM Servlet Extensions
SCIM 1.1 and 2.0 servlet extensions management
Overview of SCIM 1.1 fundamentals
Summary of SCIM 1.1 protocol support
About the Identity Access API
Configuring SCIM 1.1
Creating your own SCIM 1.1 application
Configuring the SCIM 1.1 servlet extension
Configuring SCIM manually
Enabling resource versioning
Configuring the SCIM servlet extension using the batch script
SCIM 1.1 servlet extension authentication
Configuring basic authentication using an identity mapper
Enabling OAuth authentication
Verifying the SCIM 1.1 servlet extension configuration
Configuring the Identity Access API
Configuring the Identity Access API
Disabling core SCIM resources
Verifying the Identity Access API configuration
Monitoring the SCIM servlet extension
Testing SCIM query performance
Monitoring resources using the SCIM extension
About the HTTP log publishers
Configuring advanced SCIM 1.1 extension features
Managing the SCIM 1.1 schema
About the SCIM schema
Mapping the LDAP schema to the SCIM resource schema
About the resource element
About the attribute element
About the simple element
About the complex element
About the simpleMultivalued element
About the complexMultiValued element
About the subAttribute element
About the canonicalValue element
About the mapping element
About the subMapping element
About the LDAPSearch element
About the resourceIDMapping element
About the LDAPAdd element
About the fixedAttribute element
Validating the updated SCIM schema
Mapping SCIM resource IDs
Using pre-defined transformations
Mapping LDAP entries to SCIM using the SCIM-LDAP API
SCIM authentication
SCIM logging
SCIM monitoring
Managing the SCIM 2.0 servlet extension
Supported SCIM 2.0 endpoints
Configuring SCIM 2.0 on your server
Creating Your Own SCIM 2 application
Authentication requirements for SCIM 2.0 requests
Defining permissions for SCIM 2.0 requests
SCIM 2.0 components
Correlated LDAP data views
Configuring an LDAP Mapping SCIM 2.0 resource type
Configuring a correlated LDAP data view
Configuring permissions for SCIM 2.0 operations
SCIM 2.0 searches
Using paged SCIM searches
SCIM 2.0 PATCH operations
Troubleshoot the SCIM 2.0 servlet extension
Disabling the SCIM 2.0 servlet extension
Troubleshooting a multiple correlation entry error
Managing Server SDK Extensions
About the Server SDK
Available types of extensions
DevOps and infrastructure-as-code
Limitations when automating PingDirectory Server deployments
Server profiles
Variable substitution
Profile structure
setup-arguments.txt
dsconfig/
server-root/
ldif/
server-sdk-extensions/
variables-ignore.txt
server-root/permissions.properties
misc-files/
About the manage-profile tool
manage-profile generate-profile
manage-profile setup
manage-profile replace-profile
Server Profiles in a Pets Service Model
Topology-management tools
Deployment automation
Setting up the initial topology
Prefer topology administrator accounts over root users
Initializing data on all servers
Replacing crashed instances and scaling up
Scaling down
Rolling updates
Troubleshooting PingDirectory Server
Directory Server gauges
Working with the collect-support-data tool
Server commands used in the collect-support-data tool
JDK commands used in the collect-support-data tool
Linux commands used in the collect-support-data tool
MacOS commands used in the collect-support-data tool
Invoking the collect-support-data tool as an administrative task
Available tool options
Running the collect-support-data tool
Directory Server Troubleshooting information
Error log
server.out log
Debug log
Replication repair log
Config audit log and the configuration archive
Access and audit log
Setup log
Tool log
je.info and je.config files
LDAP SDK debug log
About the monitor entries
Directory Server troubleshooting tools
Server version information
LDIF connection handler
dbtest tool
Index key entry limit
Embedded profiler
Invoking the profile viewer in text-based mode
Invoking the profile viewer in GUI mode
Oracle Berkeley DB Java Edition utilities
Troubleshooting resources for Java applications
Java troubleshooting tools
jps
jstack
jmap
jhat
jstat
Java diagnostic information
JVM crash diagnostic information
Troubleshooting resources in the operating system
Identifying problems with the underlying system
Examining CPU utilization
System-Wide CPU utilization
Per-CPU utilization
Per-process utilization
Examining disk utilization
Examining process details
ps
pstack
dbx / gdb
pfiles / lsof
Tracing process execution
Problems with SSL communication
Examining network communication
Common problems and potential solutions
General troubleshooting methodology
The Server will not run setup
A suitable Java environment is not available
Oracle Berkeley DB Java Edition is not available
Unexpected arguments provided to the JVM
The Server has already been configured or used
The Server will not start
The Server or other administrative tool is already running
There is not enough memory available
An invalid Java Environment or JVM option was used
An invalid command-line option was provided
The Server has an invalid configuration
You do not have sufficient permissions
The Server has crashed or shut itself down
Conditions for automatic server shutdown
The Server will not accept client connections
The Server is unresponsive
The Server is slow to respond to client requests
The Server returns error responses to client requests
The Server must disconnect a client connection
The Server is experiencing problems with replication
How to regenerate the Server ads-certificate
The Server behaves differently from Sun/Oracle
Troubleshooting ACI evaluation
Problems with the Administrative Console
Problems with the Administrative Console: JVM memory issues
Problems with the HTTP Connection Handler
Virtual process size on RHEL6 Linux is much larger than the heap
Providing information for support cases
Command-Line Tools
Available command-line tools
Saving options in a file
Creating a tools properties file
Evaluation of command-line options and file options
Sample dsconfig batch files
Running task-based tools
PingDirectoryProxy Server Administration Guide
Introduction to PingDirectoryProxy Server
Overview of the PingDirectory Server features
Overview of the Directory Server components and terminology
About locations
About LDAP external servers
About LDAP health checks
About load-balancing algorithms
About proxy transformations
About request processors
About server affinity providers
About subtree views
About the connection pools
About client connection policies
About entry balancing
Server component architecture
Architecture of a simple Directory Server deployment
Architecture of an entry-balancing Directory Server deployment
Directory Server configuration overview
Installing PingDirectoryProxy Server
Before you begin
System requirements
Platforms
Docker
Java Runtime Environment
Browsers
Defining a naming strategy for server locations
Installing Java
Preparing the operating system
Configuring the file descriptor limits
Enabling the server to listen on privileged ports (Linux)
Setting the file system flushes
Disabling file system swapping
About editing OS-level environment variables
Installing sysstat and pstack (Red Hat)
Installing dstat (SUSE Linux)
Omitting vm.overcommit_memory
Managing system entropy
Setting file system event monitoring (inotify)
Tuning the I/O scheduler
Getting the installation packages
Signing on to the Administrative Console
Ping license keys
Installing the Directory Proxy Server
About the setup tool
Installing Directory Proxy Server in interactive mode
Installing the first Directory Proxy Server in interactive mode
Installing additional Directory Proxy Server instances in interactive mode
Installing the first Directory Proxy Server in non-interactive mode
Installing additional Directory Proxy Server in non-interactive mode
Installing the Directory Proxy Server with a truststore in non-interactive mode
Directory Server folder layout
Uninstalling the Server
Uninstalling the server in interactive mode
Uninstalling the server in non-interactive mode
Uninstalling selected components in non-interactive mode
Upgrading the PingDirectoryProxy Server
Upgrade overview and considerations
Upgrading servers in a topology
Upgrading the Directory Proxy Server
Reverting an update
Getting Started with Directory Server
Running the server
Starting the Directory Server
Running the server as a foreground process
Starting the server at boot time
Signing on to the Administrative Console
Stopping the Directory Server
Scheduling a server shutdown
Restarting the server
Running the server as a Microsoft Windows service
Registering the server as a Windows service
Running multiple service instances
Deregistering and uninstalling services
Configuring log files for services
Configuring the Directory Proxy Server
About the configuration tools
Using the create-initial-proxy-config tool
Configuring a standard Directory Proxy Server deployment
About the dsconfig configuration tool
Using dsconfig in interactive command-line mode
Changing the dsconfig object menu
Using dsconfig in non-interactive mode
Getting the equivalent dsconfig non-interactive mode command
Using dsconfig batch mode
Using PingDirectory Server or PingDirectoryProxy Server with PingFederate OAuth tokens
Topology configuration
Topology master requirements and selection
Topology components
Monitor data for the topology
Using the Configuration API
Authentication and authorization with the Configuration API
The Configuration API and the dsconfig tool relationship
GET example
GET list example
PATCH example
Configuration API paths
Sort and filter objects
Update properties
Administrative actions
Updating servers and server groups
Configuration API responses
Working with the Directory REST API
Generating a summary of configuration components
Configuring server groups
DNS caching
IP address reverse name lookups
Configuring traffic through a load balancer
Managing root user accounts
Default root privileges
Configuring locations
Configuring locations using dsconfig
Modifying locations using dsconfig
Configuring batched transactions
Configuring server health checks
About the default health checks
About creating a custom health check
Configuring a health check using dsconfig
Configuring LDAP external servers
About the prepare-external-server tool
Configuring server communication using the prepare-external-server tool
Configuring an external server using dsconfig
Configuring authentication with a SASL external certificate
Servers and certificates
Listener certificates
Replacing listener certificates
Inter-server certificates
Replacing the inter-server certificate
X.509 certificates
Certificate subject DNs
Certificate key pairs
Certificate extensions
Certificate chains
About representing certificates, private keys, and certificate signing requests
Certificate trust
Keystores and truststores
Transport Layer Security (TLS)
TLS handshakes
Key agreement
LDAP StartTLS extended operation
About the manage-certificates tool
Available subcommands
Common arguments
Listing the certificates in a keystore
Generating self-signed certificates
Generating certificate signing requests
Importing signed and trusted certificates
Exporting certificates
Using manage-certificates as a simple certification authority
Enabling TLS support during setup
Enabling TLS support after setup
Configuring key and trust manager providers
Configuring connection handlers
Updating the topology registry
Troubleshooting TLS-related issues
Log messages
manage-certificates check-certificate-usability
ldapsearch
Using low-level TLS debugging
Enabling low-level debugging
Using the debug log publisher
Configuring load balancing
Configure failover load-balancing for load spreading
Configuring load balancing using dsconfig
Configuring criteria-based load-balancing algorithms
Preferring failover LBA for write operations
Routing operations to a single server
Routing operations from a single client to a specific set of servers
Understanding failover and recovery
Configuring HTTP connection handlers
Configuring an HTTP connection handler
HTTP correlation IDs
Configuring HTTP correlation ID support
HTTP correlation ID example
Configuring proxy transformations
Configuring proxy transformations using dsconfig
Configuring request processors
Configuring request processors using dsconfig
Passing LDAP controls with the proxying request processor
Configuring server affinity
Configuring subtree views
Client connection policy configuration
About the client connection policy
When a client connection policy is assigned
Restricting the type of search filter used by clients
Defining Request Criteria
Setting Resource Limits
Defining the operation rate
Client connection policy deployment example
Define the connection policies
How the policy is evaluated
Configuring a client connection policy using dsconfig
Configuring globally unique attributes
About the Globally Unique Attribute plugin
Configuring the Globally Unique Attribute plugin
Configuring the Global Referential Integrity plugin
Sample Global Referential Integrity plugin
Configuring an Active Directory Server back-end
Setting up SSO to PingDirectory from PingOne
Managing Access Control
Overview of access control
Key access control features
Improved validation and security
Global ACIs
Access controls for public or private backends
General format of the access control rules
Summary of access control keywords
Targets
Permissions
Bind rules
Access token validators
About access token validator processing
Access token validator types
Configuring a sample PingFederate access token validator
JWT access token validator
Handling signed tokens
Example: Use a locally configured trusted certificate
Example: Use the issuer's JWKS endpoint
Handling encrypted tokens
Mock access token validator
Third-party access token validator
Working with targets
target
targetattr
targetfilter
targattrfilters
targetscope
targetcontrol
extOp
Examples of common access control rules
Administrator access
Anonymous and authenticated access
Delegated access to a manager
Proxy authorization
Validating ACIs before migrating data
Validating ACIs from a file
Validating ACIs in another Directory Server
Migrating ACIs from Oracle to PingDirectory Server
Support for macro ACIs
Support for the roleDN bind rule
Targeting operational attributes
Returning all user and operational attributes in a schema search
Exclude attributes
Specification of global ACIs
Defining ACIs for non-user content
Limiting access to controls and extended operations
Tolerance for malformed ACI values
About the privilege subsystem
Identifying unsupported ACIs
Working with privileges
Available privileges
Privileges automatically granted to root users
Assigning additional privileges for administrators
Assigning privileges to normal users and individual root users
Disabling privileges
Deploying a Standard Directory Proxy Server
Introduction
Automatic server discovery
Joining a PingDirectoryProxy Server to an existing PingDirectory Server topology
Joining a topology with interactive setup
Joining a topology with non-interactive setup
Joining a topology with manage-profile setup
Joining a topology with manage-topology add-server
Creating an LDAP external server template
Defining the load-balancing algorithm configuration
Associating PingDirectory Server instances with the appropriate load-balancing algorithms
Automatic backend server discovery with entry balancing
Creating a standard multi-location deployment
Overview of the deployment steps
Installing the first Directory Proxy Server
Configuring the first Directory Proxy Server
Defining locations
Configuring the external servers in the east and west locations
Configuring the external servers in the east location
Configuring the external servers in the west location
Apply the configuration to the Directory Proxy Server
Configuring additional Directory Proxy Server instances
Testing external server communications after initial setup
Testing a simulated external server failure
Expanding the deployment
Overview of deployment steps
Preparing two new external servers using the prepare-external-server tool
Adding the new PingDirectory Servers to the Directory Proxy Server
Adding new locations
Editing the existing locations
Adding new health checks for the central servers
Adding new external servers
Modifying the load-balancing algorithm
Testing external server communication
Testing a simulated external server failure
Merging two data sets using proxy transformations
Overview of the attribute and DN mapping
About mapping multiple source DNs to the same target DN
Example of a migrated sample customer entry
Overview of deployment steps
About the schema
Creating proxy transformations
Creating the Attribute Mapping Proxy Transformations
Creating the DN mapping proxy transformations
Creating a request processor to manage the proxy transformations
Creating subtree views
Editing the client connection policy
Testing proxy transformations
Deploying an Entry-Balancing Directory Proxy Server
Deploying an entry-balancing proxy configuration
Determining how to balance your data
Entry balancing and ACIs
Overview of deployment steps
Installing the Directory Proxy Server
Configuring the entry-balancing Directory Proxy Server
Configuring the placement algorithm using a batch file
Rebalancing your entries
About dynamic rebalancing
Configuring dynamic rebalancing
About the move-subtree tool
About the subtree-accessibility tool
Managing the global indexes in entry-balancing configurations
Creating a global attribute index
Reloading the global indexes
Reloading all of the indexes
Reloading the RDN and UID index
Priming the backend server using the --fromDS option
Monitoring the size of the global indexes
Sizing the global indexes
Priming the global indexes on startup
Configuring all indexes at startup
Configuring the global indexes manually
Persisting the global index from a file
Priming or reloading the global indexes from Sun Directory servers
Working with alternate authorization identities
About alternate authorization identities
Configuring alternate authorization identities
Managing Entry-Balancing Replication
Overview of replication in an entry-balancing environment
Replication prerequisites in an entry-balancing deployment
About the --restricted argument of the dsreplication command-line Tool
Using the --restricted argument of the dsreplication command-line tool
Checking the status of replication in an entry-balancing deployment
Example of configuring entry-balancing replication
Assumptions
Configuration summary
Installing the Directory Server
Creating the database backends and defining the replication set name
Creating and setting the locations
Importing the entries
Enabling replication in an entry-balancing deployment
Checking the status of replication
Managing the Directory Proxy Server
Managing logs
About the default logs
Error log
server.out log
Debug log
Audit log
Config audit log and the configuration archive
Access and audit log
Setup log
Tool log
LDAP SDK debug log
Types of log publishers
Creating new log publishers
Creating a new log publisher
Creating a log publisher using dsconfig interactive command-line mode
About log compression
About log signing
About encrypting log files
Configuring log signing
Validating a signed file
Configuring log file encryption
Configuring log rotation
Configuring log rotation listeners
Configuring log retention
Setting resource limits
Setting global resource limits
Setting client connection policy resource limits
Monitoring the Directory Proxy Server
Monitoring system data using the PingDataMetrics Server
Monitoring the server using the status tool
About the monitor entries
Working with alarms, alerts, and gauges
Testing alarms and alerts
Indeterminate alarms
Administrative alert handlers
Configuring the JMX connection handler and alert handler
Configuring the JMX connection handler
Configuring the JMX alert handler
Configuring the SMTP alert handler
Configuring the SNMP subagent alert handler
Working with virtual attributes
Managing Monitoring
The monitor backend
Monitoring disk space usage
Monitoring with the PingDataMetrics Server
Monitoring key performance indicators by application
Configuring the external Servers
Preparing the servers monitored by the PingDataMetrics Server
Configuring the Processing Time Histogram plugin
Setting the connection criteria to collect SLA statistics by application
Updating the Global Configuration
Proxy considerations for tracked applications
Monitoring using SNMP
SNMP implementation
Configuring SNMP
MIBS
Monitoring with the Administrative Console
Accessing the Processing Time Histogram
Monitoring with JMX
Running JConsole
Monitoring the Directory Server using JConsole
Monitoring using the LDAP SDK
Monitoring over LDAP
Profiling server performance using the Stats Logger
Enabling the Stats Logger
Configuring multiple Periodic Stats Loggers
Adding custom logged statistics to a Periodic Stats Logger
Configuring a custom logged statistic using dsconfig interactive
Configuring a custom stats logger using dsconfig non-interactive
Enabling and configuring the StatsD monitoring endpoint
Sending Metrics to Splunk with StatsD
DevOps and Infrastructure as Code
Server profiles
Variable substitution
Profile Structure
setup-arguments.txt
dsconfig/
server-root/
server-sdk-extensions/
variables-ignore.txt
server-root/permissions.properties
misc-files/
About the manage-profile tool
manage-profile generate-profile
manage-profile setup
manage-profile replace-profile
Server Profiles in a Pets Service Model
Troubleshooting PingDirectoryProxy Server
Garbage Collection Diagnostic Information
Working with the Troubleshooting Tools
Working with the collect-support-data tool
Available tool options
Running the collect-support-data tool
Directory Server troubleshooting tools
Server version information
PingDirectory Server gauges
LDIF connection handler
Embedded profiler
Invoking the profile viewer in text-based mode
Invoking the profile viewer in GUI mode
Troubleshooting resources for Java applications
Java troubleshooting tools
jps
jstack
jmap
jhat
jstat
Java diagnostic information
Garbage Collection Diagnostic Information
JVM crash diagnostic information
Troubleshooting resources in the operating system
Identifying problems with the underlying system
Monitoring system data using the PingDataMetrics Server
Examining CPU utilization
System-Wide CPU utilization
Per-CPU utilization
Per-process utilization
Examining disk utilization
Examining process details
ps
pstack
dbx / gdb
pfiles / lsof
Tracing process execution
Problems with SSL communication
Examining network communication
Common problems and potential solutions
General troubleshooting methodology
The Server will not run setup
A suitable Java environment is not available
Unexpected arguments provided to the JVM
The Server has already been configured or used
The Server will not start
The Server or other administrative tool is already running
There is not enough memory available
An invalid Java Environment or JVM option was used
An invalid command-line option was provided
The Server has an invalid configuration
You do not have sufficient permissions
The Server has crashed or shut itself down
Conditions for automatic server shutdown
The Server will not accept client connections
The Server is unresponsive
The Server is slow to respond to client requests
The Server returns error responses to client requests
The Server must disconnect a client connection
Problems with the Administrative Console
Problems with the Administrative Console: JVM memory issues
Troubleshooting Global Index Growing Too Large
Recovering forgotten Proxy User password
Providing information for support cases
SCIM 1.1 and 2.0 servlet extensions management
Overview of SCIM 1.1 fundamentals
Summary of SCIM 1.1 protocol support
About the Identity Access API
Creating your own SCIM 1.1 application
Configuring SCIM 1.1
Before You Begin
Configuring the SCIM 1.1 servlet extension
Configuring the SCIM servlet extension
Enabling resource versioning
Configuring LDAP Control Support on All Request Processors (Proxy Only)
SCIM 1.1 servlet extension authentication
Enabling HTTPS communications
Configuring basic authentication using an identity mapper
Enabling OAuth authentication
Using HTTP basic authentication with bare UID on the Directory Proxy Server
Verifying the SCIM 1.1 servlet extension configuration
Configuring advanced SCIM 1.1 extension features
Managing the SCIM 1.1 schema
About the SCIM schema
Mapping the LDAP schema to the SCIM resource schema
About the resource element
About the attribute element
About the simple element
About the complex element
About the simpleMultivalued element
For Groovy-scripted extensions, place the necessary Groovy scripts below the lib/groovy-scripted-extensions directory, in the subdirectory that corresponds to the package declared by those scripts.

Create a new Groovy Scripted HTTP Servlet extension, specifying the fully-qualified Groovy class name for the script-class property, and providing any appropriate arguments in the script-argument property.
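The two steps above carried out as a script: an added example, not part of the PingDirectory documentation, that derives the script's location from its package, checks the declared package against the class name before staging, and builds the dsconfig command. The server root, the class and extension names, and the `groovy-scripted` dsconfig type name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PingDirectory documentation: stage a
# Groovy-scripted extension's script under lib/groovy-scripted-extensions
# and build the dsconfig command that registers it. The server root,
# class names and the 'groovy-scripted' type name are assumptions.

# Map a fully-qualified class name to the path its script must occupy:
# each package component becomes a directory below lib/groovy-scripted-extensions.
groovy_script_path() {
    # $1 = server root directory, $2 = fully-qualified Groovy class name
    printf '%s/lib/groovy-scripted-extensions/%s.groovy\n' \
        "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# Copy a script into place after checking that the package it declares
# agrees with the class name the extension will be configured with; on a
# mismatch the server would not find the class named in script-class.
stage_groovy_script() {
    # $1 = server root, $2 = fully-qualified class name, $3 = source .groovy file
    dest=$(groovy_script_path "$1" "$2")
    pkg=${2%.*}
    if [ "$pkg" = "$2" ]; then
        pkg=""                           # class in the default package
    fi
    declared=$(sed -n 's/^[[:space:]]*package[[:space:]][[:space:]]*\([A-Za-z0-9_.]*\).*/\1/p' "$3" | head -n 1)
    if [ "$declared" != "$pkg" ]; then
        echo "package mismatch: script declares '$declared', script-class implies '$pkg'" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$3" "$dest" || return 1
    chmod 0640 "$dest"                   # assumed policy: readable by the server account only
    printf '%s\n' "$dest"
}

# Build the dsconfig invocation for a Groovy Scripted HTTP Servlet extension.
# Extra arguments become script-argument values (one --set per argument).
dsconfig_command() {
    # $1 = extension name, $2 = fully-qualified class name, $3.. = name=value script arguments
    name=$1; cls=$2; shift 2
    cmd="dsconfig create-http-servlet-extension --extension-name \"$name\""
    cmd="$cmd --type groovy-scripted --set script-class:$cls"
    for arg in "$@"; do
        cmd="$cmd --set \"script-argument:$arg\""
    done
    printf '%s\n' "$cmd"
}
```

Run `dsconfig_command` to print the command, then paste it into a dsconfig session against the server where the script was staged.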