PingDirectory suite of products 9.0.0.0 (December 2021) - PingDirectory - 9.2

PingDirectory 9.2

bundle
pingdirectory-92
ft:publication_title
PingDirectory 9.2
Product_Version_ce
PingDirectory 9.2
category
Product
pd-92
pingdirectory
ContentType_ce
Page created: 15 Jul 2022 |
Page updated: 20 Jan 2023

New entry-balancing options

PingDirectory
Improved
Entry-balancing is a PingDirectoryProxy Server configuration that allows the entries within a portion of the directory information tree (DIT) to reside on multiple external servers. The entry counter, hash distinguished name (DN) and round-robin placement algorithms can now be configured to exclude backend sets for add operations allowing for greater control over the use of multiple servers for entry balancing.

You can interact with entries within the data store including LDAP and several REST APIs

PingDirectory
Improved
PingDirectory provides a number of interfaces for interacting with entries within the data store including LDAP and several REST APIs. In this release, the Directory REST API can now return any tagging options that are defined for an attribute. These tagging options are treated as subtypes of the same attribute while not explicitly declared in the schema.

CyberArk Conjur and Azure Key Vaults support added

PingDirectory
Improved
In an earlier release, PingDirectory added support for a passphrase provider API to secure administrative passphrases, pins or passwords. This release adds both CyberArk Conjur and Azure Key Vaults to the list of available passphrase and cipher stream providers. Cipher stream providers are used to protect the keys stored in the encryption settings database

OAuth tokens ca be used with the File Servlet

PingDirectory
Improved
Because administrators now have the ability to single sign-on (SSO) to the PingDirectory administrative console, the File Servlet used to download files from a server instance can now also use OAuth tokens for authentication along with the basic HTTP authentication method, such as username and password.

Apply your own branding to console elements.

PingDirectory, PingDirectoryProxy, PingDataSync
Fixed
The administrative console is one tool you can use to configure and manage PingDirectory servers. In this release, you can now apply your own branding to console elements such as background colors, images and logos, and certain text elements. Sign on, sign out, and configuration pages are included in possible configuration areas. For more information, see the README.txt file in the console .war file shipped with PingDirectory.

New --performLocalCleanup option added to the remove-defunct-server command

PingDirectory
Improved
To improve the defunct server topology cleanup process when your topology is unhealthy, such as during a network outage or disaster recovery, a new option to the remove-defunct-server command cleans up stale replication metadata before the server is added back into the topology. This new argument, --performLocalCleanup, allows administrators to easily take a server out of a topology for maintenance or troubleshooting and return the server back to the topology later. For more information on remove-defunct-server and its options, run bin/remove-defunct-server --help.

Added support for a pluggable pass-through authentication plugin

PingDirectory
Improved
Earlier PingDirectory Server versions support pass-through authentication to remote LDAP servers or to PingOne, which can be useful when migrating data into the Directory Server from another service, or when the Directory Server needs to coexist with another service that is an authoritative source for user passwords. This release adds support for a pluggable pass-through authentication plugin, which makes it possible to pass through simple bind requests to an arbitrary external service using a pass-through authentication handler to manage interaction with that service, and the Server SDK has been updated to allow creating custom pass-through authentication handlers. As with existing pass-through authentication support, this functionality is only available for LDAP simple binds, and it does not support SASL authentication. For more information on this plugin, see Working with pass-through authentication

Added new options to the dsreplication command to make replication faster

PingDirectory
Improved
In multi-server deployments, replication is used to maintain consistency of data and schema between the servers. With larger deployments, attempting to initialize replication for multiple servers can take longer. New options to the dsreplication command can now speed up this process by initializing replication on multiple servers in parallel. The number of servers can either be the entire set of servers in the deployment, or a subset of servers based on location, or instance name or a specific number. For more information on dsreplication subcommands, see Summary of the dsreplication Subcommands.

Added a new password storage scheme to provide enhanced security

PingDirectory
Improved
Typically, the passwords for administrative users have been stored directly in PingDirectory based on the configured password storage scheme. To provide enhanced security for those administrative accounts that need it, a new password storage scheme has been added that allows for the password to be stored in an external vault. Currently, Amazon AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault are supported.

The config-audit logs now tracks the originating account information when individual changes are made

PingDirectory
Improved
To better manage the configuration of multiple servers in large topologies, PingDirectory uses the config-audit log file to allow administrators to easily determine, replay or undo configuration changes made to servers. Previously, when modifying topology or cluster configuration, the original requesting account information was not logged. Now, to assist administrators and improve server auditing, the config-audit logs will track the originating account information that made individual changes. For circumstances where more protection is required, there is a new property that will redact any sensitive attributes that might be written to the log file (instead of the default obfuscation behavior). This includes instances where administrative users change their passwords and affects any other condition where the sensitive attribute might be displayed for informational purposes such as alerts.

PingDataSync can now include Active Directory account state information

PingDataSync
Improved
Many customers use PingDataSync Server to either migrate from Active Directory or use Active Directory in conjunction with PingDirectory to manage user accounts. Administrators can now configure PingDataSync to include account state information set in Active Directory specifically lockout time, the last time the password was set and whether or not the account is disabled. This information can now be properly set within PingDirectory based on the information set in the account in Active Directory.

Entry balancing and global index

PingDirectoryProxy
Issue

If the DirectoryProxy Server is configured to use entry balancing and cannot use the global index to determine which backend sets should be used to process an operation, it broadcasts the request to all backend sets, and it will examine the results obtained from each of the backend sets to determine which is the best one to return to the client.

In previous releases, the server always preferred a success result over a non-success result, but if the operation failed in all backend sets, then the DirectoryProxy Server could have selected a result from a backend server in which the target entry didn't exist (for example, with a noSuchObject result code) rather than from one in which the entry did exist but the operation failed for some other reason. The 9.0.0.0-EA release addresses this by examining the result codes for all broadcast operations and prioritizing failure results indicating that the target entry exists in the associated backend set over those that do not.

There are still known cases, however, in which the DirectoryProxy Server might select a less appropriate result to return to the client. For example, if a bind operation fails, the backend server is likely to return an invalidCredentials result regardless of whether the target user entry exists in that backend set. If the bind attempt fails in one backend set because the target user exists but their account is in a state that doesn't allow it to authenticate (for example, if their password is expired or their account is locked), then the bind response from that server might include response controls that would be useful to return to the client, but the 9.0.0.0-EA release might not choose that response as the one to return to the client. This will be addressed in the 9.0.0.0 GA release later this year.

Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology

PingDirectory, PingDataSync
Fixed
When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys will now be distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

Fixed lost access to keys used for reversible password encryption when removing servers from the topology

PingDirectory
FixedDS-44591
The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.
Note:

Because this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it will not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

Fixed Directory REST API

PingDirectory
FixedDS-37117
Fixed an issue where the Directory REST API encountered internal server errors while processing entries whose attributes have LDAP tagging options.

Added LDAP pass-through authentication handler

PingDirectory
FixedDS-38498, DS-38621
An LDAP pass-through authentication handler has also been provided, which allows the new plugin to be used as an alternative to the existing LDAP-specific pass-through authentication plugin. The new implementation provides additional functionality not available in the previous plugin, including the ability to indicate whether pass-through authentication should be allowed for accounts that are locked or have expired passwords and the ability to set timeouts that will be used when interacting with external LDAP servers. It also has improved default settings and offers better diagnostic information about its processing.

Added authentication support for passwords stored in several services

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-40671
Added support for password storage schemes that allow users to authenticate with passwords stored in the Amazon AWS Secrets Manager service, the Microsoft Azure Key Vault service, a CyberArk Conjur instance, or a HashiCorp Vault instance.

The dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used

PingDirectory
FixedDS-40796
To enhance initialization performance, the dsreplication initialize-all command now initializes multiple target servers in parallel when the --parallel option is used (subject to the --parallelLimit option). The --sameLocationOnly and --destinationInstanceName options can be used to limit the destinations that are initialized.

Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-40926
Added a global configuration property to indicate that the values of sensitive configuration properties should be redacted when constructing the dsconfig representation for a configuration change, which could be included in the server's configuration audit log or administrative alerts whenever a configuration change is applied. By default, the values of configuration properties that are defined as sensitive will be obscured rather than redacted, which allows the change to be replayed without revealing the actual value of the property. However, it is now possible to redact such values rather than obscuring them, which provides stronger protection against exposing those values, but could interfere with the ability to replay the configuration audit log if it contains changes involving sensitive properties.

Added sorting to the Name and Category columns of the monitor table

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-42752
Added sorting functionality to the Name and Category columns of the monitor table in the administrative console.

Added replica-partial-backlog attribute to replication summary monitor

PingDirectory
FixedDS-42961
To help with replication backlog analysis, the replication summary monitor now includes a replica-partial-backlog attribute that shows how each origin replica contributes partial backlog with the per-origin-replication-backlog property. The replica-partial-backlog attribute also shows the change numbers used for the calculation.

Updated the server to record the original requester distinguished name (DN) and IP address

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-43056
Updated the server to record the original requester distinguished name (DN) and IP address in access log and config audit log messages for mirrored configuration changes.

Fixed issues related to server handing of controls in search requests

PingDirectory, PingDirectoryProxy
FixedDS-43582
Fixed a couple of issues in which the server might not properly handle other controls included in a search request containing a join request control. For search operations passing through the Directory Proxy Server, other response controls could have been inadvertently stripped from search result entries when adding the join result control. Further, if a search request included a join request control in conjunction with one or more other controls, the request control immediately following the join request control might not have been properly handled.

Added support for obtaining secrets from CyberArk Conjur

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-43917
The Conjur cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Conjur passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service. The server can authenticate to Conjur using a username and a password or an API key.

Added support for obtaining secrets from Azure Key Vault

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSYnc
FixedDS-43918
The Azure Key Vault cipher stream provider can use a retrieved secret to generate the encryption key used to protect the contents of the encryption settings database. The Azure Key Vault passphrase provider can be used in other cases in which the server might need a clear-text secret, including as a PIN needed to access a certificate key store or as credentials for authenticating to an external service.

New global configuration properties to impose limits on the maximum number of attributes that can be present in an add request and the maximum number of modifications in a modify request

PingDirectory
FixedDS-43959, DS-44924
These can be used to avoid potential denial of service attacks. Both limits are set to 1000 by default, which is likely to be adequate for all legitimate use cases, and neither property affects the number of values that can be provided for an attribute.

Fixed proxied authorization issue

PingDirectory
FixedDS-44081
Addressed an issue where proxied authorization would fail in rare cases for usernames with 57 or 58 characters and DNs with 108 or 109 characters.

Fixed manage-profile replace-profile keystore files issue

PingDirectory, PingDirectoryProxy, PingDataSync
FixedDS-44280, DS-45027, DS-45037
Fixed an issue where manage-profile replace-profile did not correctly handle keystore files with a .bcfks extension while in FIPS-140-2-compliant mode.

Fixed View API Commands issue

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44329
Resolved an issue where the View API Commands link appeared to be disabled in the administrative console.

Fixed silent replication failure

PingDirectory
FixedDS-44454
Fixed an issue where non-DN modifications associated with a moddn change would silently fail to replicate.

Added new --performLocalCleanup argument to remove-defunct-server

PingDirectory
FixedDS-44495
Added a new argument, --performLocalCleanup, to remove-defunct-server that simplifies the replication artifact cleanup process. To clean up replication artifacts on earlier releases of the Directory Server, run remove-defunct-server with no bind arguments while the server is offline.

Added a PKCS #11 cipher stream provider

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44519
Added a PKCS #11 cipher stream provider that can require access to a certificate in a PKCS #11 token to unlock the server's encryption settings database. Only certificates with RSA key pairs can be used because Java virtual machines (JVMs) do not currently provide adequate key wrapping support for elliptic curve key pairs.

Server instances can now be safely mirrored to older servers in mixed-version topologies

PingDirectory
FixedDS-44577
Server instances, which are within a mirrored subtree, can now be safely mirrored to older servers in mixed version topologies. This is done by adding the following to server instances: objectclass: extensibleObject.

Fixed an issue where secret keys under cn=Topology,cn=config could be lost when removing a server from the topology

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44591

When a server is removed with the dsreplication disable or remove-defunct-server tools, its secret keys are now distributed among the remaining members of the topology. The keys from the rest of the topology will also be copied to the server being removed.

The cipher secret keys in the topology that are affected by this change are used by reversible password storage schemes (except for AES256, which uses the encryption settings database). If you are using a reversible password storage scheme other than AES256, prior to this fix, you could lose access to keys that had been used for reversible password encryption when removing servers from the topology.

Note:

Because this change only applies to the most recent version of remove-defunct-server and dsreplication disable, if you are removing a server from a multi-version topology, you should run that tool from the most recent version. In the past dsreplication and remove-defunct-server could only be run from an older version, but now in the case of removing a server from the topology, they should be run from the most recent version in the topology. If you run the tool from an older server, it does not include this fix, and you might lose access to secret keys from servers that are removed from the topology.

Added PingData Administrative Console configuration capability

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44595
The PingData Administrative Console can now be configured to supply PINs to its trust stores through the oidc-trust-store-pin-passphrase-provider and trust-store-pin-passphrase-provider settings. This means trust store types that require passphrases (ex: PKCS12 or BCFKS) are now properly supported.

The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44601
The PingData Administrative Console can now retrieve files created from collect-support-data or server-profile tasks when using single sign-on (SSO) to authenticate with the managed server.

Updated the file servlet

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44602
Updated the file servlet to add support for token-based authentication using an OAuth 2.0 access token or an OpenID Connect ID token. The servlet previously only supported basic authentication.

Improved includePath argument validation performed by the manage-profile generate-profile tool

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44604
The tool will only use relative paths that exist below the server root, and it previously silently ignored absolute paths or relative paths that referenced files outside of the server root. It will now exit with an error if the includePath argument is used to provide an absolute path or a path outside the server root. It will accept but warn about paths that reference files that do not exist.

Fixed an issue that caused an internal root account to be subject to the server's default password policy

PingDirectory, PingDirectoryProxy
FixedDS-44623
Fixed an issue that caused an internal root account (used for processing certain types of internal operations) to be subject to the server's default password policy. With some password policy configurations, if a DirectoryProxy Server attempted to perform an internal operation that targeted data in a backend Directory Server, that operation could have been incorrectly rejected.

Fixed symmetric keys issue

PingDirectory
FixedDS-44648
Addressed an issue where symmetric keys were not being sanitized in the config-audit.log.

Updated the export-ldif tool

PingDirectory
FixedDS-44669
Updated the export-ldif tool to always base64 encode values with any ASCII control characters. The LDIF specification in RFC 2849 only requires base64 encoding for the NUL, LF, and CR control characters, and those are the only control characters that were previously base64 encoded. However, the specification also permits base64 encoding for any type of character, and always base64 encoding all control characters is safer and reduces the chance for errors when working with values containing such characters.

Made several improvements to the ldap-diff tool

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44757
  • Added the ability to perform a byte-for-byte comparison of attribute values rather than using schema-based logical equivalence.
  • Added the ability to use a properties file to obtain default values for command-line arguments.
  • Improved the ability to use different TLS-related settings for the source and target servers.
  • Improved support for SASL authentication.

Updated the migrate-ldap-schema tool

PingDirectory
FixedDS-44758
Updated the migrate-ldap-schema tool to provide more flexibility for TLS negotiation, support for SASL authentication, support for using a properties file, and better validation for migrated attribute type and object class definitions.

Fixed q remove-defunct-server issue

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44793
Fixed an issue in which remove-defunct-server would remove attributes from config.ldif if they were identical apart from case.

Improved performance for modify operations

PingDirectory
FixedDS-44884
Improved performance for modify operations that need to insert an entry ID into the middle of a very large composite index ID set.

Addressed a connection error in remove-defunct-server

PingDirectory
FixedDS-44892
Addressed a connection error in remove-defunct-server when the tool tried to migrate secret keys on a single-instance topology (i.e., a server that is not part of a replication topology). The tool now only moves secret keys if the server is part of a topology.

Fixed an error when backing up an encrypted backend

PingDirectory
FixedDS-44904
Fixed a race condition that could sporadically cause an error when backing up an encrypted backend.

Addressed an issue where simple binds on entries

PingDirectory
FixedDS-44931
Addressed an issue where simple binds on entries without passwords would not update the relevant password policy attributes, such as ds-pwp-auth-failure.

Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-44940
Updated the crypto manager configuration to add properties for controlling the set of TLS protocols and cipher suites that will be used for outbound connections, as well as properties for controlling whether to enable TLS cipher suites that rely on the SHA-1 digest algorithm or the RSA key exchange algorithm.

Fixed an issue in which the server might not use appropriate resource limit values

PingDirectory, PingDirectoryProxy
FixedDS-44942
Fixed an issue in which the server might not use appropriate resource limit values for accounts that bind with pass-through authentication. In such cases, the server might apply size limit, time limit, idle time limit, and other constraints from the global configuration instead of alternative values for those limits set in the user entry.

Fixed server hang issues

PingDirectory
FixedDS-45032
  • Addressed an issue that caused remove-defunct-server to hang.
  • Addressed an issue that caused remove-defunct-server to hang when performing replication artifact cleanup in non-interactive mode.

For the initilaze-all dsreplication subcommand avoid closing connections to remote servers multiple times

PingDirectory
FixedDS-45038
For the initilaze-all dsreplication subcommand avoid closing connections to remote servers multiple times in order to apply the new generation ID.

Added support for Eclipse Foundation JDKs

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-45039
Added support for the use of Java Development Kits (JDKs) obtained through Eclipse Foundation.

Fixed an issue where explicit createTimestamp values are replicated to peer servers

PingDirectory
FixedDS-45056
Fixed an issue where explicit createTimestamp values are replicated to peer servers using a default timestamp format rather than the non-default format value stored on the first server.

Updated the mirror virtual attribute provider to include an option to bypass access control evaluation for the internal searches that it performs

PingDirectory
FixedDS-45060
This might allow the virtual attribute to provide values from another entry even if the requester would not otherwise have permission to access those values.

Fixed a Ping Directory Server performance issue involving high CPU usage

PingDirectory
FixedDS-45115
Fixed a Ping Directory Server performance issue involving high CPU usage when writing LDAP data to certain clients using TLSv1.3 connection security.

Removed -XX:RefDiscoveryPolicy=1 from the default start-server Java arguments

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-45124
In rare cases, this argument was related to segmentation faults in the JVM, especially when used with the G1 garbage collector.

Fixed a composed attribute plugin issue

PingDirectory
FixedDS-45153
Fixed an issue that prevented the composed attribute plugin from working for operations that are part of a multi-update request.

Fixed an issue where a server with a newly initialized database could go into lockdown mode

PingDirectory
FixedDS-45154
Fixed an issue where a server with a newly initialized database (through dsreplication initialize) could go into lockdown mode and report that the server might have missed one or more updates. This generally occurred only if the initialized server was restarted right after initialization completed.

Changed default tab in the administrative console

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-45160
Changed the default tab in the administrative console to Modify when updating an existing server resource with new changes

Added support for new extended operations

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-45162
Added support for new extended operations to help manage the server's listener and inter-server certificates. Updated the replace-certificate tool to add support for replacing and purging certificates in a remote instance, and to allow skipping validation for the new certificate chain.

Added support for BellSoft JDKS

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-45190
Added support for the use of JDKs obtained through BellSoft.

Improved performance of server encryption

PingDirectory
FixedDS-45203
Resolved a performance issue that could cause servers installed using a server encryption option to spend several minutes waiting in the Initializing Crypto Manager phase during server startup.

Added a scroll bar to the administrative console's Server list

PingDirectory, PingDirectoryProxy, PingDataMetrics, PingDataSync
FixedDS-45284
Added a scroll bar to the administrative console's Server list to ensure all servers are accessible regardless of screen size.

Updated the entry counter, hash DN, and round robin placement algorithms

PingDirectoryProxy
FixedDS-44678
Updated the entry counter, hash DN, and round robin placement algorithms to make it possible to exclude specified backend sets from consideration when adding new entries to an entry-balanced topology.

Improved server logic

PingDirectoryProxy
FixedDS-44798
Improved the logic the server uses to select the best result to return to the client when an operation fails in an entry-balanced topology after the request was broadcast to all backend sets. In some cases, the server could have incorrectly returned a result from a backend set in which the target entry did not exist instead of a more appropriate result from the backend set that did contain the entry.

Fixed dashboard icon issue

PingDataMetrics
FixedDS-44224

Addressed an issue where icons on the dashboards were not properly displayed.

Synchronize from Active Directory attribute lockoutTime source systems to PingDirectory attribute pwdAccountLockedTime

PingDataSync
FixedDS-44513
Because pwdAccountLockedTime cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdAccountLockedTimeFromAD to pwdAccountLockedTime.

Added direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled

PingDataSync
FixedDS-44636
Synchronize from Active Directory userAccountControl bit indicating that the account is disabled (bit #2) (or msDS-UserAccountDisabled on AD-LDS) to PingDirectory attribute ds-pwp-account-disable. Because ds-pwp-account-disabled cannot be written to directly, an extended operation is used. This synchronization depends on a direct attribute mapping that maps from ds-pwp-account-disabled-from-ad to ds-pwp-account-disabled.

Added direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime

PingDataSync
FixedDS-44660
Synchronize from Active Directory attribute pwdLastSet with the password changed time to PingDirectory attribute pwdChangedTime. Because pwdChangedTime can not be written to directly an extended operation is used. This synchronization depends on a direct attribute mapping that maps from pwdChangedTimeFromAD to pwdChangedTime.

Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes

PingDataSync
FixedDS-44922
Fixed an issue where the PingDataSync server failed to synchronize certain modifications involving multiple attributes with the same base name but with different option tags, and any of these attributes having more values in the source entry than the replace-all-attr-values-limit for the Sync class.

Fixed an issue where PingDataSync was not syncing entries to PingOne environments

PingDataSync
FixedDS-45134
Addressed an issue where PingDataSync was not syncing entries to PingOne environments due to rate-limiting responses from PingOne.

Fixed a max-rate-per-second configuration setting

PingDataSync
FixedDS-45138
Addressed an issue where the max-rate-per-second configuration setting was not being applied to the resync tool.