- New entry-balancing options for add operations, allowing for greater control over the use of multiple servers for entry balancing.
- You can interact with entries within the data store, including through LDAP and several REST APIs.
- CyberArk Conjur and Azure Key Vault support added.
- OAuth tokens can be used with the File Servlet.
- Apply your own branding to console elements.
- New --performLocalCleanup option added to the remove-defunct-server command (see bin/remove-defunct-server --help).
- Added support for a pluggable pass-through authentication plugin.
- Added new options to the dsreplication command to make replication faster.
- Added a new password storage scheme to provide enhanced security.
- The config-audit log now tracks the originating account information when individual changes are made.
- PingDataSync can now include Active Directory account state information.
Entry balancing and global index
If the Directory Proxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.
In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the Directory Proxy Server could have selected a result from a backend server in which the target entry didn't exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.
There are still known cases, however, in which the Directory Proxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn't allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.
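As an added illustration (not code from the release notes or from the product), this Python model compares the broadcast-result selection rule described above with the previous rule, including the bind case the notes call out as still unresolved. The result codes are the LDAP values, both scenarios are constructed, and breaking ties by arrival order is an assumption.

```python
from dataclasses import dataclass

# LDAP result codes used below (numeric values from RFC 4511).
SUCCESS, NO_SUCH_OBJECT, INVALID_CREDENTIALS, INSUFFICIENT_ACCESS_RIGHTS = 0, 32, 49, 50

@dataclass(frozen=True)
class BackendResult:
    """One backend set's response to a broadcast operation (constructed type)."""
    backend_set: str
    result_code: int
    controls: tuple = ()  # response controls, e.g. an account-state control on a bind

def entry_exists_rank(r: BackendResult) -> int:
    """Lower is better: success, then failures implying the entry exists in that
    backend set, then failures that say nothing about existence, then noSuchObject."""
    if r.result_code == SUCCESS:
        return 0
    if r.result_code == NO_SUCH_OBJECT:
        return 3
    if r.result_code == INVALID_CREDENTIALS:
        return 2  # a failed bind looks the same whether or not the entry exists
    return 1

def select_previous(results):
    """Pre-9.0.0.0-EA behaviour as the notes describe it: any success wins,
    otherwise the first failure seen (tie-break assumed), even a noSuchObject."""
    return next((r for r in results if r.result_code == SUCCESS), results[0])

def select_ea(results):
    """9.0.0.0-EA behaviour as the notes describe it: best entry_exists_rank wins,
    ties broken by arrival order (assumed; the notes do not specify a tie-break)."""
    return min(enumerate(results), key=lambda ir: (entry_exists_rank(ir[1]), ir[0]))[1]

# Constructed scenario 1: a modify fails in every backend set; only set "b" holds the entry.
MODIFY_RESULTS = [BackendResult("a", NO_SUCH_OBJECT),
                  BackendResult("b", INSUFFICIENT_ACCESS_RIGHTS)]

# Constructed scenario 2: a bind fails everywhere; set "b" holds the user, whose account
# is locked, and attaches a response control (placeholder name) the client would want.
BIND_RESULTS = [BackendResult("a", INVALID_CREDENTIALS),
                BackendResult("b", INVALID_CREDENTIALS, controls=("account-locked",))]
```

For the modify scenario the EA rule picks set "b" where the old rule could return the noSuchObject result; for the bind scenario both sets rank equally, so the response carrying the control is still not the one chosen.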
Fixed Directory REST API
Added LDAP pass-through authentication handler
Added authentication support for passwords stored in several services
The dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used
The dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.
Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change
Added sorting to the Name and Category columns of the monitor table
Added replica-partial-backlog attribute to replication summary monitor
Added a replica-partial-backlog attribute that shows, with the per-origin-replication-backlog property, how each origin replica contributes to the partial backlog. The replica-partial-backlog attribute also shows the change numbers used for the calculation.
Updated the server to record the original requester distinguished name (DN) and IP address
Fixed issues related to server handling of controls in search requests
Added support for obtaining secrets from CyberArk Conjur
Added support for obtaining secrets from Azure Key Vault
New global configuration properties to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request
Fixed proxied authorization issue
Fixed manage-profile replace-profile keystore files issue
manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS 140-2-compliant mode.
Fixed View API Commands issue
Fixed silent replication failure
A moddn change would silently fail to replicate.
Added new --performLocalCleanup argument to remove-defunct-server
Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.
Added a PKCS #11 cipher stream provider
Server instances can now be safely mirrored to older servers in mixed-version topologies
Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology
When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Because this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past, dsreplication and remove-defunct-server could only be run from an older version, but now, in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it does not include this fix, and you might lose access to secret keys from servers that are removed from the topology.
Added PingData Administrative Console configuration capability
Added the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (for example, PKCS12 or BCFKS) are now properly supported.
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.
Updated the file servlet
Improved includePath argument validation performed by the manage-profile generate-profile tool
The includePath argument is used to provide an absolute path or a path outside the server root. The tool will accept, but warn about, paths that reference files that do not exist.
Fixed an issue that caused an internal root account to be subject to the server's default password policy
Fixed symmetric keys issue
config-audit.log.
Updated the export-ldif tool
Made several improvements to the ldap-diff tool
- Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
- Added the ability to use a properties file to obtain default values for command-line arguments.
- Improved the ability to use different TLS-related settings for the source and target servers.
- Improved support for SASL authentication.
Updated the migrate-ldap-schema tool
Fixed a remove-defunct-server issue
Improved performance for modify operations
Addressed a connection error in remove-defunct-server
Fixed an error when backing up an encrypted backend
Addressed an issue where simple binds on entries
ds-pwp-auth-failure.
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites
Fixed an issue in which the server might not use appropriate resource limit values
Fixed server hang issues
- Addressed an issue that caused remove-defunct-server to hang.
- Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.
For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times
For the initialize-all dsreplication subcommand, avoid closing connections to remote servers multiple times in order to apply the new generation ID.
Added support for Eclipse Foundation JDKs
Fixed an issue where explicit createTimestamp values are replicated to peer servers
Explicit createTimestamp values are replicated to peer servers using a default timestamp format rather than the non-default format value stored on the first server.
Updated the mirror virtual attribute provider to include an option to bypass access control evaluation for the internal searches that it performs
Fixed a Ping Directory Server performance issue involving high CPU usage
Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments
Fixed a composed attribute plugin issue
Fixed an issue where a server with a newly initialized database could go into lockdown mode
A server with a newly initialized database (for example, after dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.
Changed default tab in the administrative console
Added support for new extended operations
Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.
Added support for BellSoft JDKs
Improved performance of server encryption
Added a scroll bar to the administrative console's Server list
Updated the entry counter, hash DN, and round robin placement algorithms
Improved server logic
Fixed dashboard icon issue
Addressed an issue where icons on the dashboards were not properly displayed.
Synchronize the Active Directory attribute lockoutTime from source systems to the PingDirectory attribute pwdAccountLockedTime
Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.
Added direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled
Synchronize the userAccountControl bit indicating that the account is disabled (bit #2) (or msDS-UserAccountDisabled on AD-LDS) to the PingDirectory attribute ds-pwp-account-disabled. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.
Added direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime
Synchronize the Active Directory attribute pwdLastSet, which holds the password changed time, to the PingDirectory attribute pwdChangedTime. Because pwdChangedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime.
Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes
replace-all-attr-values-limit for the Sync class.
Fixed an issue where PingDataSync was not syncing entries to PingOne environments
Fixed a max-rate-per-second configuration setting
The max-rate-per-second configuration setting was not being applied to the resync tool.