PingDirectory suite of products 9.1.0.0 (June 2022) - PingDirectory - 9.2

Log files can contain potentially contain sensitive or identifiable information that you might not necessarily want recorded in the clear. The server can now be configured to support sanitizing access logs as they are being written. It is available for any writer-based or JSON-formatted access log, and elements in the log message can either be sanitized, redacted, or omitted altogether. This includes the ability to genericize diagnostic messages written to the access or error log. For more information, see Log sanitization.

PingDirectory provides a robust logging system allowing for detailed analysis of the server's functioning. Included is support for creating log files written using JSON format. The summarize-access-log command, which is used to display a number of metrics about operations processed within the server, now supports processing JSON formatted access logs.

The Directory REST API allows developers to create customized application for managing the entries in a directory instance. The Directory REST API now supports controls previously only available through LDAP calls. This includes the ability to do joins allowing for advanced data modeling of relationships.

In deployments with replicating PingDirectory instances, conflicts can occur if the same entry is added to different servers at the same time. Many conflicts can be handled automatically and, in such cases, the server whose add attempt creates a conflict, now returns a CONFLICT result in the replication response control and LDAP result code.

Updated the JSON-formatted access logger to include the requester IP address in disconnect, security negotiation, and client certificate log messages when appropriate.

PingOne recently added support for multi-valued attributes. Now, using PingOne as a sync destination, multi-valued attributes can be synchronized as either a one-time data migration or as part of a continual real-time synchronization strategy.

When using PingOne as a sync destination, PingDataSync Server provides support for synchronizing data to custom attributes that are defined in the PingOne environment. This includes attributes defined as multi-valued or JSON in PingOne.

An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator in a repeating cycle when resetting the password.

One recommendation to work around this issue is to not set these password policy attributes on administrator accounts that are stored in cn=config. If you do need --set force-change-on-reset:true or --set force-change-on-add:true, you must clear the mustChangePassword flag by running the following command each time you change the password:

$ bin/manage-account set-must-change-password \
    --mustChangePassword false \
    --targetDN cn=<admin cn>

The setup command might fail on Windows operating systems because of the presence of Bouncy Castle JAR files in the lib directory that begin with bc. The JAR files are mentioned in an error message similar to the following: An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server's classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with bc from the lib directory before attempting to run setup again.

If you update an existing installation to the 9.1 release of the server and then subsequently want to revert that update, Bouncy Castle libraries from the 9.1 release might not be properly removed from the lib directory, resulting in both the older and newer versions of the library being in the lib directory. This should not cause any problems with the server, but it might result in warning messages in the server's error log about different versions of the same JAR file in the classpath (for example, The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bc-fips-1.0.2.1.jar, bc-fips-1.0.2.3.jar and The following classpath entries appear to be multiple versions of the same jar, which may cause server issues: bctls-fips-1.0.11.4.jar, bctls-fips-1.0.13.jar). This message can be safely ignored. You can eliminate this warning by stopping the server and manually removing the newer versions of the jar files referenced in the warning message.

JSON-formatted join request controls with their criticality set to false are rejected as if their criticality were true by non-search requests.

Fixed an issue that prevented the server from refreshing the monitor data used to detect and warn about an upcoming certificate expiration. This could cause the server to continue to warn about an expiring certificate even after that certificate had been replaced. For information on log sanitization, see Log sanitization.

The status tool now shows the current collect-support-data version.

Fixed issues that prevented obtaining key and trust store PINs with the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers.

Updated the server to create the esTokenizer.ping file if it does not exist for a backend containing encrypted data. This file might be needed to open the database environment for a backend containing encrypted indexes, but it would not have been automatically created when upgrading from a pre-7.0 server to a later version with support for encrypted indexes.

Fixed an issue where password policies specified using a virtual attribute were sometimes not correctly applied to users.

Updated the active operations monitor provider to improve the string representations of active operations and persistent searches. The timestamps now have a precision of milliseconds rather than seconds, and the strings can now be parsed using the access log API in the UnboundID LDAP SDK for Java.

Fixed an issue that caused the encode-password tool to fail when the AES256 password storage scheme is enabled.

Added support for synchronizing data to custom attributes defined in PingOne destinations. This includes multi-valued attributes and JSON attributes in the PingOne environment.

Updated the manage-topology add-server command to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.

Updated the sanitize-log tool to better align with the server's support for sanitizing log messages as they are logged. Changes include:

• It is preconfigured with default behaviors for an expanded set of log fields.
• It can be configured to suppress the default log field behavior configuration and only explicitly specified configuration.
• It offers support for additional sanitization options, including omitting fields and differentiating between values should be redacted or tokenized in their entirety or by components.
• It now uses syntax-aware redaction and tokenization.
• It offers support for specifying a default behavior to use on a per-syntax basis.
• It can obtain its settings from a log field behavior definition in the server configuration.

Added support for improved assured replication result codes when replication conflicts occur. For processed assured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.

Fixed an issue in which the password policy state extended operation could be used to create duplicate authentication failure time or grace login use time values.

Added a docker-pre-start-config command-line tool for PingData Docker containers. Use the tool before the server is started to make configuration changes to the server that depend on the running container’s environment.

Added a --excludeSetupArguments argument for the manage-profile generate-profile command. Added a --skipValidation argument for the manage-profile replace-profile command. This argument allows skipping the final server validation step when running on an offline server and allows generating a server profile that does not include a setup-arguments.txt file. Updated the setup and replace-profile subcommands to fail when a server profile includes an encryption-settings-db file in the profile's <server-root>/pre-setup/ directory.

Directory Server privileges that are assigned through virtual attributes now apply consistently when accessing topology-related features through the administrative console.

Updated the server to protect against attempts to modify the ds-pwp-modifiable-state-json operational attribute without the Modifiable Password Policy State plugin enabled. The plugin is disabled by default, and the server would previously allow writes to that attribute with the plugin disabled, but those writes would just pollute the entry and have no effect on its password policy state. The server now only allows updates to ds-pwp-modifiable-state-json if the Modifiable Password Policy State plugin is enabled. Similarly, the server also rejects attempts to add entries that contain the ds-pwp-modifiable-state-json operational attribute, even with the Modifiable Password Policy State plugin disabled. Writes to this attribute are only supported for modify operations, and the server would properly reject add attempts targeting that attribute if the plugin had been enabled but would not reject those attempts if the plugin were disabled.

The server now also prohibits administrators from using the ds-pwp-modifiable-state-json operational attribute to update their own password policy state, and it prohibits attempts to update ds-pwp-modifiable-state-json operational attribute in an another user's entry in the same modify request that also resets that user's password. The former restriction prevents certain kinds of changes that could allow an administrator to exempt themselves from certain password policy restrictions while the latter protects against potential conflicts that could arise from two modifications in the same request that attempt to alter a user's password policy state.

A former version of the tool allowed the --useSSL argument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both --sourceUseSSL and --targetUseSSL. Similarly, support for the --useStartTLS argument was inadvertently dropped, requiring both --sourceUseStartTLS and --targetUseStartTLS. The legacy arguments have been restored.

Minimum and maximum age password policies are no longer applied for users without a password.

Updated PingDirectory products to use Kafka 2.8.1, which resolves.

Fixed an issue in which the server could incorrectly skip certain indexes when evaluating search criteria. In cases where the server can determine where the results from one index should already be encompassed by results from another index that is already in use for the search, it ignores the redundant index. However, there were cases in which an index would be ignored even if the already-in-use index was not actually suitable for that search (for example, because its index entry limit had been exceeded).

Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.

Made the following updates to the replace-certificate tool:

• Added new list-topology-registry-listener-certificates and list-topology-registry-inter-server-certificates subcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
• Added a new add-topology-registry-listener-certificate subcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
• Updated the replace-certificate replace-listener-certificate subcommand to add --topology-registry-update-type and --trust-store-update-type arguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.
• Updated the replace-certificate replace-listener-certificate subcommand to add an --ignore-current-listener-certificate-validity-window argument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.

Fixed an issue where access logs incorrectly reported negative processing times for certain operations.

Most existing controls have been updated to support an alternative JSON encoding, which might make it easier to use certain controls in clients written with APIs that do not provide direct support for those controls.

Updated the server to use the latest versions of the FIPS 140-2-compliant and non-FIPS-compliant Bouncy Castle cryptographic libraries.

Updated the text-formatted and JSON-formatted access and error loggers to provide an option to use generic versions of strings in log messages. If enabled, error messages, additional log info messages, disconnect reasons, and authentication failure reasons will use a string with placeholders instead of context-specific values that could potentially include identifiable or sensitive information.

This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.

In the unlikely event that this limit is actually needed in a directory environment, it can still be activated by setting the com.unboundid.directory.server.backends.jeb.AttributeIndex.cursorEntryLimit system property to the desired value.

Fixed issues where gauges could raise an alarm and create an alert, but not create an alert when that same alarm was later cleared, making it unclear when the reported condition had abated.

Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server ...may have missed one or more update(s). if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.

Updated the export-reversible-passwords tool to fix a potential issue in which the tool could encounter a timeout while waiting for the response from the server. Updated the export reversible passwords extended operation handler to provide support for canceling an export that is in progress. If the export-reversible-passwords tool is terminated, or if the associated extended operation is abandoned or canceled, then the export process now stops processing. Previously, it ignored the cancel request and continued processing the export until all entries in the backend had been examined.

Fixed an issue in which the server would always reject an operation with a request control that the client did not have permission to use, regardless of the control's criticality. It continues to reject the operation if the disallowed control has a criticality of true, but if the criticality is false, the server continues processing the operation as if that control had not been requested.

Fixed an issue that allowed replication protocol messages to be dropped.

Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.

Fixed a PingDirectory server issue that could cause an internal error to be logged while monitoring database statistics for read-only backends.

Fixed an issue where the Directory REST API returns an HTTP 500 error response when trying to retrieve a System for Cross-domain Identity Management (SCIM) entry whose corresponding LDAP entry contains a valid Generalized Time Syntax attribute value not matching the specific format YYYYMMDDhhmmssZ.

In PingDirectoryProxy Server, manage-profile replace-profile sometimes failed with an error similar to the following:

The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) 
... 

This fix ensures that the configuration is loaded prior to the merge that the error message refers to.

Updated Jackson Databind to 2.13.3.

Updated the commons-codec library to version 1.13.

Updated the Google Guava dependency in common libraries.

The Directory REST API no longer includes RDN values in modify requests to update the DN of an entry, because RDN values are updated by default in modify DN requests.