Added support to sanitize access logs to protect sensitive information
Added support for processing JSON-formatted access logs
The summarize-access-log command, which is used to display a number of metrics about operations processed within the server, now supports processing JSON-formatted access logs.
Updated Directory REST API
Added conflict error messages for replicated PingDirectory deployments
JSON-formatted access logger updated
PingDataSync Server supports PingOne as a sync destination
Synchronize data to custom attributes defined in the PingOne environment
Repeating cycle when resetting a password
If your password policy for an admin user (such as a topology administrator or rootDN) is set with --set force-change-on-reset:true or --set force-change-on-add:true, you cannot update that administrator's password without it being considered an administrator reset. An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator into a repeating cycle when resetting the password.
One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:
$ bin/manage-account set-must-change-password \
--mustChangePassword false \
--targetDN cn=<admin cn>
setup tool failure due to Bouncy Castle JAR files
bc. The JAR files are mentioned in an error message similar to the following: An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server's classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.
Bouncy Castle libraries are not removed from the lib directory.
JSON-formatted controls rejected
false are rejected as if their criticality were true by non-search requests.
Fixed an issue that prevented the server from refreshing monitor data
Fixed the status tool
Fixed key and trust store PIN issues
Updated the server to create the esTokenizer.ping file if it does not exist
Password policies using virtual attributes are now correctly applied
Improved string representations of active operations and persistent searches
The encode-password tool now works with AES256 password storage
Support added for synchronizing custom attributes defined in PingOne destinations
Set a consistent priority index when adding two PingDataSync servers into a new failover topology
manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.
Updated the sanitize-log tool
- It is preconfigured with default behaviors for an expanded set of log fields.
- It can be configured to suppress the default log field behavior configuration and use only explicitly specified configuration.
- It offers support for additional sanitization options, including omitting fields and differentiating between values that should be redacted or tokenized in their entirety or by components.
- It now uses syntax-aware redaction and tokenization.
- It offers support for specifying a default behavior to use on a per-syntax basis.
- It can obtain its settings from a log field behavior definition in the server configuration.
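As an added illustration (not the sanitize-log tool's own code), the following Python sketch models the behaviors listed above on a JSON-formatted access log entry: per-field overrides, a default behavior per syntax, omitting fields, and redacting or tokenizing a value either whole or per component, with syntax-aware handling of DNs and search filters. The field names, behavior names, tokenization key and sample entry are all assumptions.

```python
import hashlib, hmac, json, re

# Constructed key; assumed to be a secret kept with the sanitizer.
TOKEN_KEY = b"constructed-demo-key"

# Hypothetical behavior definition (names assumed): field syntax, per-syntax default, overrides.
FIELD_SYNTAX = {"dn": "dn", "authDN": "dn", "requesterIP": "ip",
                "filter": "filter", "requesterUserAgent": "string"}
DEFAULT_BY_SYNTAX = {"dn": "redact", "ip": "tokenize",
                     "filter": "redact-components", "string": "preserve"}
FIELD_OVERRIDE = {"authDN": "tokenize-components", "requesterUserAgent": "omit"}

def tokenize(value):
    # HMAC-derived token: stable for equal inputs, so entries still correlate.
    mac = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "{TOKENIZED:" + mac[:12] + "}"

def transform_components(value, syntax, per_value):
    # Syntax-aware: keep DN attribute names and filter structure; naive DN split (no escapes).
    if syntax == "dn":
        rdns = [rdn.partition("=") for rdn in value.split(",")]
        return ",".join(a.strip() + "=" + per_value(v.strip()) for a, _, v in rdns)
    if syntax == "filter":
        return re.sub(r"=([^)]*)", lambda m: "=" + per_value(m.group(1)), value)
    return per_value(value)

def sanitize_field(name, value):
    syntax = FIELD_SYNTAX.get(name, "string")
    behavior = FIELD_OVERRIDE.get(name, DEFAULT_BY_SYNTAX[syntax])
    if behavior in ("omit", "preserve"):
        return None if behavior == "omit" else value
    action, _, scope = behavior.partition("-")
    per_value = tokenize if action == "tokenize" else (lambda v: "{REDACTED}")
    return transform_components(value, syntax, per_value) if scope == "components" else per_value(value)

def sanitize_record(line):
    # One JSON access log entry in; string fields handled per behavior, other values pass through.
    out = {}
    for key, val in json.loads(line).items():
        val = sanitize_field(key, val) if isinstance(val, str) else val
        if val is not None:
            out[key] = val
    return out

# Constructed sample entry, not a real PingDirectory log line.
SAMPLE_LINE = json.dumps({"messageType": "request", "requesterIP": "192.0.2.10",
    "authDN": "uid=admin,ou=Admins,dc=example,dc=com", "requesterUserAgent": "ldapsearch",
    "dn": "uid=jdoe,ou=People,dc=example,dc=com", "filter": "(&(uid=jdoe)(objectClass=person))", "resultCode": 0})
```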
Improved assured replication result codes for conflicts
processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.
Fixed password policy state extended operation
Added a new Docker command-line tool
Added a new argument for manage-profile generate-profile
--excludeSetupArguments argument for the manage-profile generate-profile command. Added a --skipValidation argument for the manage-profile replace-profile command. This argument allows skipping the final server validation step when running on an offline server and allows generating a server profile that does not include a setup-arguments.txt file. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile's <server-root>/pre-setup/ directory.
Fixed an issue with server privileges
Improved protections around the ds-pwp-modifiable-state-json operational attribute
Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to ds-pwp-modifiable-state-json if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for modify operations, and the server would properly reject add attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.
The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it prohibits attempts to update the ds-pwp-modifiable-state-json operational attribute in another user's entry in the same modify request that also resets that user's password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions, while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user's password policy state.
Fixed a backwards compatibility issue with the migrate-ldap-schema tool
--useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.
Removed two password policies for non-password users
Updated Kafka version
Fixed incorrect index skipping
Updated the topology registry and the replace-certificate tool
Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.
Made the following updates to the replace-certificate tool:
- Added new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
- Added a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
- Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options include suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.
- Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid, so that a non-valid certificate can be replaced.
Fixed an access log reporting issue
Added support for JSON-formatted request and response controls
Updated the server Bouncy Castle cryptographic library versions
Added support for generic strings in access and error log messages
Updated the local DB backend to disable the index cursor entry limit by default
This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.
In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.
Fixed gauge alarm issues
Fixed server lockdown issue in newly initialized databases
dsreplication initialize) could go into lockdown mode and report that the server "...may have missed one or more update(s)." if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.
Updated the export-reversible-passwords tool
Fixed a server operation rejection issue
true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.
Fixed a replication protocol message issue
Updated to LDAP SDK version 6.0.5
Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.
Fixed a server issue causing internal errors during monitoring
Fixed a Directory REST API error with mismatched time syntax attribute values
YYYYMMDDhhmmssZ.
Fixed Proxy server manage-profile replace-profile errors
In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:
The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) ...
This fix ensures that the configuration is loaded prior to the merge that the error message refers to.