Critical fixes

This release of the Directory Server addresses critical issues from earlier versions. Update all affected servers appropriately.

No critical issues have been identified.

Resolved issues

The following issues have been resolved with this release of PingDirectory Server.

Ticket ID Description


To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options may be used to limit the destinations that are initialized.


Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced.


Added support for new extended operations that can be used to help manage the server's listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.


Updated the server to create the file if it does not exist for a backend containing encrypted data. This file may be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

DS-45480, DS-45636

  • Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain may be trusted if either the peer certificate or any of its issuers is found in the topology registry.

  • Updated the replace-certificate tool to add new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.

  • Updated the replace-certificate tool to add a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it may be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.

  • Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.

  • Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that will allow the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.


Resolved an issue where SCIM POST requests that violated a unique attribute constraint got an internal error instead of the expected SCIM error response.


Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.


Fixed an issue where the Directory Rest API returns an HTTP 500 error response when trying to retrieve a SCIM entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.


Updated PingDirectory products to use Kafka v2.8.1 which resolves CVE-2021-38153.