PingDirectory suite of products 9.0.0.0 (December 2021) - PingDirectory - 9.0

Entry-balancing is a PingDirectoryProxy Server configuration that allows the entries within a portion of the directory information tree (DIT) to reside on multiple external servers. The entry counter, hash distinguished name (DN) and round-robin placement algorithms can now be configured to exclude backend sets for add operations allowing for greater control over the use of multiple servers for entry balancing.

PingDirectory provides a number of interfaces for interacting with entries within the data store including LDAP and several REST APIs. In this release, the Directory REST API can now return any tagging options that are defined for an attribute. These tagging options are treated as subtypes of the same attribute while not explicitly declared in the schema.

In an earlier release, PingDirectory added support for a passphrase provider API to secure administrative passphrases, pins or passwords. This release adds both CyberArk Conjur and Azure Key Vaults to the list of available passphrase and cipher stream providers. Cipher stream providers are used to protect the keys stored in the encryption settings database

Because administrators now have the ability to single sign-on (SSO) to the PingDirectory administrative console, the File Servlet used to download files from a server instance can now also use OAuth tokens for authentication along with the basic HTTP authentication method, such as username and password.

The administrative console is one tool you can use to configure and manage PingDirectory servers. In this release, you can now apply your own branding to console elements such as background colors, images and logos, and certain text elements. Sign on, sign out, and configuration pages are included in possible configuration areas. For more information, see the README.txt file in the console .war file shipped with PingDirectory.

To improve the defunct server topology cleanup process when your topology is unhealthy, such as during a network outage or disaster recovery, a new option to the remove-defunct-server command cleans up stale replication metadata before the server is added back into the topology. This new argument, --performLocalCleanup, allows administrators to easily take a server out of a topology for maintenance or troubleshooting and return the server back to the topology later. For more information on remove-defunct-server and its options, run bin/remove-defunct-server --help.

Earlier PingDirectory Server versions support pass-through authentication to remote LDAP servers or to PingOne, which can be useful when migrating data into the Directory Server from another service, or when the Directory Server needs to coexist with another service that is an authoritative source for user passwords. This release adds support for a pluggable pass-through authentication plugin, which makes it possible to pass through simple bind requests to an arbitrary external service using a pass-through authentication handler to manage interaction with that service, and the Server SDK has been updated to allow creating custom pass-through authentication handlers. As with existing pass-through authentication support, this functionality is only available for LDAP simple binds, and it does not support SASL authentication. For more information on this plugin, see Working with pass-through authentication

In multi-server deployments, replication is used to maintain consistency of data and schema between the servers. With larger deployments, attempting to initialize replication for multiple servers can take longer. New options to the dsreplication command can now speed up this process by initializing replication on multiple servers in parallel. The number of servers can either be the entire set of servers in the deployment, or a subset of servers based on location, or instance name or a specific number. For more information on dsreplication subcommands, see Summary of the dsreplication Subcommands.

Typically, the passwords for administrative users have been stored directly in PingDirectory based on the configured password storage scheme. To provide enhanced security for those administrative accounts that need it, a new password storage scheme has been added that allows for the password to be stored in an external vault. Currently, Amazon AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault are supported.

To better manage the configuration of multiple servers in large topologies, PingDirectory uses the config-audit log file to allow administrators to easily determine, replay or undo configuration changes made to servers. Previously, when modifying topology or cluster configuration, the original requesting account information was not logged. Now, to assist administrators and improve server auditing, the config-audit logs will track the originating account information that made individual changes. For circumstances where more protection is required, there is a new property that will redact any sensitive attributes that might be written to the log file (instead of the default obfuscation behavior). This includes instances where administrative users change their passwords and affects any other condition where the sensitive attribute might be displayed for informational purposes such as alerts.

Many customers use PingDataSync Server to either migrate from Active Directory or use Active Directory in conjunction with PingDirectory to manage user accounts. Administrators can now configure PingDataSync to include account state information set in Active Directory specifically lockout time, the last time the password was set and whether or not the account is disabled. This information can now be properly set within PingDirectory based on the information set in the account in Active Directory.

If the DirectoryProxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.

In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the DirectoryProxy Server could have selected a result from a backend server in which the target entry didn't exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.

There are still known cases, however, in which the DirectoryProxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn't allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Fixed an issue where the Directory REST API encountered internal server errors while processing entries whose attributes have LDAP tagging options.

An LDAP pass-through authentication handler has also been provided, which allows the new plugin to be used as an alternative to the existing LDAP-specific pass-through authentication plugin. The new implementation provides additional functionality not available in the previous plugin, including the ability to indicate whether pass-through authentication should be allowed for accounts that are locked or have expired passwords and the ability to set timeouts that will be used when interacting with external LDAP servers. It also has improved default settings and offers better diagnostic information about its processing.

Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.

To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.

Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, which could be included in the server's configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive will be obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values, but could interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.

Added sorting functionality to the Name and Category columns of the monitor table in the administrative console.

To help with replication backlog analysis, the replication summary monitor now includes a replica-partial-backlog attribute that shows how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute also shows the change numbers used for the calculation.

Updated the server to record the original requester distinguished name (DN) and IP address in access log and config audit log messages for mirrored configuration changes.

Fixed a couple of issues in which the server might not properly handle other controls included in a search request containing a join request control. For search operations passing through the Directory Proxy Server, other response controls could have been inadvertently stripped from search result entries when adding the join result control. Further, if a search request included a join request control in conjunction with one or more other controls, the request control immediately following the join request control might not have been properly handled.

The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service. The server can authenticate to Conjur using a username and a password or an API key.

The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service.

These can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that can be provided for an attribute.

Addressed an issue where proxied authorization would fail in rare cases for usernames with 57 or 58 characters and DNs with 108 or 109 characters.

Fixed an issue where manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS-140-2-compliant mode.

Resolved an issue where the View API Commands link appeared to be disabled in the administrative console.

Fixed an issue where non-DN modifications associated with a moddn change would silently fail to replicate.

Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.

Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server's encryption settings database. Only certificates with RSA key pairs can be used because Java virtual machines (JVMs) do not currently provide adequate key wrapping support for elliptic curve key pairs.

Server instances, which are within a mirrored subtree, can now be safely mirrored to older servers in mixed version topologies. This is done by adding the following to server instances: objectclass: extensibleObject.

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

The PingData Administrative Console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (ex: PKCS12 or BCFKS) are now properly supported.

The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.

Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.

The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept but warn about paths that reference files that do not exist.

Fixed an issue that caused an internal root account (used for processing certain types of internal operations) to be subject to the server's default password policy. With some password policy configurations, if a DirectoryProxy Server attempted to perform an internal operation that targeted data in a backend Directory Server, that operation could have been incorrectly rejected.

Addressed an issue where symmetric keys were not being sanitized in the config-audit.log.

Updated the export-ldif tool to always base64 encode values with any ASCII control characters. The LDIF specification in RFC 2849 only requires base64 encoding for the NUL, LF, and CR control characters, and those are the only control characters that were previously base64 encoded. However, the specification also permits base64 encoding for any type of character, and always base64 encoding all control characters is safer and reduces the chance for errors when working with values containing such characters.

• Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
• Added the ability to use a properties file to obtain default values for command-line arguments.
• Improved the ability to use different TLS-related settings for the source and target servers.
• Improved support for SASL authentication.

Updated the migrate-ldap-schema tool to provide more flexibility for TLS negotiation, support for SASL authentication, support for using a properties file, and better validation for migrated attribute type and object class definitions.

Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.

Improved performance for modify operations that need to insert an entry ID into the middle of a very large composite index ID set.

Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (i.e., a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.

Fixed a race condition that could sporadically cause an error when backing up an encrypted backend.

Addressed an issue where simple binds on entries without passwords would not update the relevant password policy attributes, such as ds-pwp-auth-failure.

Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.

Fixed an issue in which the server might not use appropriate resource limit values for accounts that bind with pass-through authentication. In such cases, the server might apply size limit, time limit, idle time limit, and other constraints from the global configuration instead of alternative values for those limits set in the user entry.

• Addressed an issue that caused remove-defunct-server to hang.
• Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.

For the initilaze-all dsreplication subcommand avoid closing connections to remote servers multiple times in order to apply the new generation ID.

Added support for the use of Java Development Kits (JDKs) obtained through Eclipse Foundation.

Fixed an issue where explicit createTimestamp values are replicated to peer servers using a default timestamp format rather than the non-default format value stored on the first server.

This might allow the virtual attribute to provide values from another entry even if the requester would not otherwise have permission to access those values.

Fixed a Ping Directory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.

In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.

Fixed an issue that prevented the composed attribute plugin from working for operations that are part of a multi-update request.

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.

Changed the default tab in the administrative console to Modify when updating an existing server resource with new changes

Added support for new extended operations to help manage the server's listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.

Added support for the use of JDKs obtained through BellSoft.

Resolved a performance issue that could cause servers installed using a server encryption option to spend several minutes waiting in the Initializing Crypto Manager phase during server startup.

Added a scroll bar to the administrative console's Server list to ensure all servers are accessible regardless of screen size.

Updated the entry counter, hash DN, and round robin placement algorithms to make it possible to exclude specified backend sets from consideration when adding new entries to an entry-balanced topology.

Improved the logic the server uses to select the best result to return to the client when an operation fails in an entry-balanced topology after the request was broadcast to all backend sets. In some cases, the server could have incorrectly returned a result from a backend set in which the target entry did not exist instead of a more appropriate result from the backend set that did contain the entry.

Addressed an issue where icons on the dashboards were not properly displayed.

Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.

Synchronize from Active Directory userAccountControl bit indicating that the account is disabled (bit #2) (or msDS-UserAccountDisabled on AD-LDS) to PingDirectory attribute ds-pwp-account-disable. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.

Synchronize from Active Directory attribute pwdLastSet with the password changed time to PingDirectory attribute pwdChangedTime. Because pwdChangedTime can not be written to directly an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime.

Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes with the same base name but with different option tags, and any of these attributes having more values in the source entry than the replace-all-attr-values-limit for the Sync class.

Addressed an issue where PingDataSync was not syncing entries to PingOne environments due to rate-limiting responses from PingOne.

Addressed an issue where the max-rate-per-second configuration setting was not being applied to the resync tool.