PingDirectory suite of products (October 2023) - PingDirectory - 9.3

PingDirectory 9.3

PingDirectory 9.3
PingDirectory 9.3

Fixed an issue with replace modifications


Fixed an issue that could prevent replace modifications for attribute types with subordinate types (for example, postalAddress) from being properly applied.

Fixed an issue that affects password policies stored outside the server configuration

FixedDS-43034, DS-47832

Fixed a regression that was introduced in the release while making changes to allow additional values for the allow-pre-encoded-passwords property in the password policy configuration. The issue only affects password policies stored outside of the server configuration in local DB backends, and only those policies that include the ds-cfg-allow-pre-encoded-passwords attribute.

As part of the change to allow additional values for the allow-pre-encoded-passwords configuration property, we changed the syntax for the underlying attribute type from Boolean to directory string. When storing values for Boolean attributes in entries that reside in local DB backends, the server may compact the value to reduce the amount of space to store the data on disk and in memory. When the syntax for the attribute type was changed, the server no longer recognized that the value was compacted, which prevented it from properly interpreting that value.

This fix allows the server to recognize and properly interpret compacted values for the ds-cfg-allow-pre-encoded-passwords attribute when parsing a password policy definition contained in a local DB backend. Note that when the password policy entry is retrieved, the attribute may still appear to have a corrupt value, as the value that is actually stored in the entry would still represent the compacted token rather than the logically equivalent Boolean value. Replacing the value of the ds-cfg-allow-pre-encoded-passwords attribute in affected entries with the appropriate value is the best way to address that.

Made improvements to the Configuration API


The Configuration API no longer treats patch operations with empty arrays as invalid. Instead, it now resets configuration attributes for replace operations with an empty array and ignores add operations with an empty array.

Fixed an issue with the remove-defunct-server command


Fixed an issue with running remove-defunct-server against servers configured with an AES256 password storage scheme where encryption settings were not initialized before initializing password policy components.

Fixed an issue with processing search operations


Fixed an issue that could allow the server to continue processing a search operation for longer than the allowed time limit. Previously, the server would not check the time limit in the course of index processing to identify potential matching entries, and in certain cases where the server had to iterate across a very large number of index keys (for example, when evaluating a range or substring filter component that could match a very large number of entries), the allowed time limit could be exceeded in that portion of the processing.

Fixed an issue that caused a null pointer exception to be thrown


Fixed an issue where a null pointer exception would be thrown when adding a sync server to a topology of two or more existing sync servers using manage-topology add-server.

Improved Active Directory Sync sources


For Active Directory Sync sources, when setting the startpoint to the end-of-changelog, extraneous data is no longer sent from the Active Directory server to the Sync server. With this change, setting the startpoint to end-of-changelog should be faster, particularly for slow networks.

Fixed an issue when enabling or disabling a user in PingOne


Resolved an issue with synchronizing the enabled attribute of a user in a PingOne destination. This issue only occurred when attempting to enable or disable a user in PingOne from the source server.

To create an attribute mapping that will modify the enabled status of a user in PingOne, use the dsconfig tool to create a constructed attribute mapping of the following form. This will ensure that enabled will always have a well-defined value, even if the source attribute is not present on an entry in the source server.
dsconfig create-attribute-mapping --type constructed --map-name mapName --mapping-name enabled --set conditional-value-pattern:'(sourceAttribute=*) : {sourceAttribute}' --set conditional-value-pattern:'(!(sourceAttribute=*)) : true'