PingDirectory suite of products 9.3.0.2 (October 2023) - PingDirectory - 9.3

Fixed an issue that could prevent replace modifications for attribute types with subordinate types (for example, postalAddress) from being properly applied.

Fixed a regression that was introduced in the 9.3.0.0 release while making changes to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. The issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.

As part of the change to allow additional values for the allow-pre-encoded-passwords configuration property, we changed the syntax for the underlying attribute type from Boolean to directory string. When storing values for Boolean attributes in entries that reside in local DB backends, the server may compact the value to reduce the amount of space to store the data on disk and in memory. When the syntax for the attribute type was changed, the server no longer recognized that the value was compacted, which prevented it from properly interpreting that value.

This fix allows the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. Note that when the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address that.

The Configuration API no longer treats patch operations with empty arrays as invalid. Instead, it now resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.

Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme where encryption settings were not initialized before initializing password policy components.

Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.

Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

For Active Directory Sync sources, when setting the startpoint to the end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this change, setting the startpoint to end-of-changelog should be faster, particularly for slow networks.

Resolved an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.

dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=*) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=*)) : true'