PingDirectory suite of products 9.3.0.0 (June 2023) - PingDirectory - 9.3


What's new in the PingDirectory 9.3 suite of products?

New: DS-46779
PingDirectory
  • When dealing with server security, some customers require the ability to separate control of encryption settings from the typical directory administrator. In this release, several features have been added to restrict or revoke access to the encryption settings configuration, including the ability to lock the encryption settings database with a password and a new monitor provider for the cipher stream provider itself. Several restrictions can be configured, including the ability to prevent turning off data encryption, preventing changes to the cipher stream provider, preventing exportation of the encryption settings database, and preventing access to the encrypt-file tool to decrypt files. Also, administrators can now set up a new PingDirectory instance with a pre-existing encryption settings database using the manage-profile command.

  • PingDirectory has previously allowed user entries to authenticate via pass-through authentication to other systems such as Active Directory or PingOne. There has been a limit, however, of just one pass-through authentication plugin. A new aggregate pass-through authentication handler has been added in version 9.3, allowing multiple subordinate authentication plugins, each with its own criteria to identify the authentication requests it should process. The configuration order determines the priority of the plugins. Different failure types can be configured that allow a failure in one subordinate handler to continue processing in another handler.

  • PingDirectory provides several application programming interfaces (APIs) for creating efficient and powerful client applications for managing the data store. The Directory REST API has been enhanced to support specific LDAP extended operations: the Password Modify, Generate Password, and Get Password Quality Requirements extended operations. Since JSON-formatted controls are now supported in the Directory REST API, all supported controls can be used with these extended operations as well. The Change Password extended operation allows users to modify their own password or another user's (with the proper permissions, of course). The Suggest Password extended operation generates a list of potential passwords and reports whether each would be valid under certain policies. The Password Requirements extended operation returns a comprehensive list of the password quality requirements for a given user or policy if a certain operation is performed.

  • Several improvements to the dsreplication command will increase the performance when enabling replication and for retrieving the current status of the topology.

PingDataSync

The configuration of sync pipes continues to be a sticking point for customers, as the process can be quite difficult. Currently these are created using dsconfig, the admin console, or the configuration API. There are OOTB dsconfig script files provided for creating a PingOne source and/or destination server. New OOTB scripts and documentation have been created specifically for bi-directional syncs between Active Directory and PingDirectory, a reference script for syncing from Active Directory to SCIMv2, and for using Kafka as a sync destination. These scripts include the necessary steps and documentation detailing how to customize them for a customer's environment.

Added the cache-duration property

PingDirectory
Critical: DS-47166
Added property cache-duration to allow optional caching of key managers retrieved by a PKCS11 Key Manager Provider.

Added additional values for the allow-pre-encoded-passwords property

PingDirectory
New: DS-43034
Added support for additional values for the allow-pre-encoded-passwords property in the password policy configuration. Previously, the value for this property could be either "false" or "true," but it can now be any of the following:
  • false: Do not allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. This remains the default setting, and the behavior with this value remains the same.
  • true: Allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. The behavior with this value remains the same.
  • add-only: Allow pre-encoded passwords to be provided in add requests, but not in self password changes or administrative password resets.
  • admin-reset-only: Allow pre-encoded passwords to be provided in administrative password resets, but not in add requests or self password changes.
  • add-and-admin-reset-only: Allow pre-encoded passwords to be provided in add requests or administrative password resets, but not in self password changes.

The new values can be used to allow administrators to set pre-encoded passwords without allowing end users to do so for their own accounts. Allowing pre-encoded passwords for self password changes introduces several potential security risks, including permitting users to bypass password validation, password expiration, and password history constraints; permitting users to use weakly encoded passwords; or allowing users to use passwords that are encoded so strongly that they could cause excessive resource consumption in the server.

Added account status notification types

PingDirectory
New: DS-43714, DS-46355

Added an account-authenticated account status notification type that can be used to notify users or administrators when an account has successfully authenticated with a bind request that matches a specified set of criteria.

Added an account-deleted account status notification type that can be used to notify users or administrators when an account has been removed with a delete request that matches a specified set of criteria.

Added support for a successful bind result criteria that can be used to classify successful bind operations based on the resulting authentication identity.

Added a UTF-8 password validator

PingDirectory
New: DS-44536
Added a UTF-8 password validator that can be used to ensure that only valid UTF-8 strings can be used as passwords. Passwords can optionally be limited to only ASCII characters, and you can specify which Unicode character classes (for example, letters, numbers, punctuation, symbols, spaces, etc.) should be allowed.

Added the --showPartialBacklog option to dsreplication status

PingDirectory
New: DS-44898
Added the --showPartialBacklog option to dsreplication status to display information about the replica-partial-backlog attribute.

Added configuration properties to the Config File Handler backend

New: DS-45254, DS-47110, DS-47401

Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).

If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file can be removed after the next configuration change.

By default, this property will apply to the topology registry subtree.

Added pass-through authentication handlers

PingDirectory
New: DS-45263

Added an aggregate pass-through authentication handler that makes it possible to have multiple types of pass-through authentication enabled in the server at the same time.

Added a PingOne pass-through authentication handler that can be used to authenticate to the PingOne service. This handler provides the same functionality as the standalone PingOne pass-through authentication plugin, but it can be used with the aggregate pass-through authentication handler to support pass-through authentication to PingOne in conjunction with other types of services.

Added a replication-missing-changes-risk alert

PingDirectory
New: DS-46198
A replication-missing-changes-risk alert is now raised during replication server connections if the backlog is within a configurable percent of the purge delay. By default, the new missing-changes-alert-threshold-percent replication server configuration parameter is set to 80%.

Added new properties to the Config File Handler Backend

PingDirectory, PingDirectoryProxy, PingDataSync
New: DS-46334

Added two new properties to the Config File Handler Backend for managing the config archive and limiting its impact on server performance.

The first property is maintain-config-archive, which controls whether or not changes to the config backend are recorded in the config archive. Existing records in the archive are unaffected by changes to this property.

The second property is max-config-archive-size, which limits the number of config files that will be maintained by the archive. When a new file is added to the archive, if the resulting number of files exceeds the value of this property, then the oldest files will be deleted from the archive until the total is equal to the configured value.

Added a property that lets you control servlet information

New: DS-46565
Added the include-servlet-information-in-error-pages configuration property to give you control over whether servlet information gets printed on HTTP error pages or remains hidden (by default).

Added support for encrypted PKCS #8 private key PEM files

PingDirectory, PingDirectoryProxy, PingDataSync
New: DS-46654
When setting up the server with a private key read from a PEM file, or when using manage-certificates to import a certificate chain and private key from PEM files, that private key PEM file can now contain an encrypted private key, and you can specify the password needed to decrypt it. When using manage-certificates to export a private key, you can now specify a password to use to encrypt the key.

Added caching logic

PingDirectory
New: DS-46664

Addressed a performance issue when adding new directory servers to large replicated topologies spanning multiple geographic locations.

Added support for syncing Boolean-valued attributes

PingDataSync
New: DS-46826
Added support for syncing Boolean-valued attributes for PingOne destinations.

Added support for restricting administrators' access to encrypted data

New: DS-46908, DS-46911, DS-46912, DS-46913, DS-46931, DS-46933, DS-46934, DS-46936, DS-46937

Updated the server to support a separation of duties between those responsible for administering the server itself and those responsible for managing the encryption settings definitions used for data encryption. This is implemented through a combination of four new capabilities that were added:

  • The ability to configure data encryption restrictions that can impose limitations around the administration of data encryption and access to decrypted data, including the ability to disable encryption, to change the cipher stream provider used to protect the encryption settings database, the ability to create backups or LDIF exports that are unencrypted or encrypted with a passphrase instead of an encryption settings definition, and the ability to use the encrypt-file tool to decrypt files.
  • The ability to freeze the encryption settings database with a specified password. While it is frozen, the encryption settings database will operate in read-only mode so that it is not possible to create or remove definitions, change the preferred definition, or alter the set of active data encryption restrictions. The database can only be unfrozen with the password that was initially used to freeze it.
  • The ability to set up the server with a pre-existing encryption settings database. This is best done with the manage-profile setup command using a server profile that uses --encryptDataWithPreExistingEncryptionSettingsDatabase in the setup-arguments.txt file, that includes one or more batch files in the pre-setup-dsconfig directory with changes to configure and activate the associated cipher stream provider, and that includes the encryption settings database and any metadata files needed by the cipher stream provider in the appropriate locations below the server-root/pre-setup directory.
  • Support for a new monitor provider that can periodically ensure that the encryption settings database can be read without relying on any caching that the cipher stream provider might be using to improve performance and reliability. After a prolonged outage, it can also optionally shut down the server or force it into lockdown mode as a way of preventing or limiting access to encrypted data. This can be used as a way of revoking access to encrypted data in the event that those responsible for managing encryption settings definitions deem it necessary by removing or disabling an external element (for example, an external KMS encryption key or a secret read from a password vault) that the cipher stream provider depends on for access to the encryption settings database.

Added a disallowed characters password validator

PingDirectory
New: DS-47262
The validator can be used to reject proposed passwords that contain any of a specified set of characters. It can be configured with characters that cannot appear anywhere in a password, as well as with characters that are disallowed only at the beginning or end of a password.

Added a replication-not-purging-obsolete-replicas alert

PingDirectory
New: DS-47366
A replication-not-purging-obsolete-replicas alert will be raised at server startup if a replication server is not configured to purge obsolete replicas. It is recommended that replication servers always be configured to do so.

Added a check-replication-domains tool

PingDirectory
New: DS-47373
Added a check-replication-domains tool to check the current list of known replication domains and indicate whether any obsolete domains are present. Learn more about Discovering obsolete replicas.

Improved error handling for LDAP external servers

PingDirectoryProxy
Improved: DS-43614
Improved error handling for LDAP external servers that are configured with an authorization-method value of rebind. If the bind attempt fails in a way that indicates that the connection is no longer valid, the PingDirectoryProxy server might now attempt the rebind on a different server or on a newly recreated connection.

Updated the collect-support-data administrative task

Improved: DS-44534
Updated the collect-support-data administrative task to allow specifying the start and end times for the range of log messages to include in the support data archive.

Updated the LDAP connection handler

Improved: DS-45221

Updated the LDAP connection handler so that changes to the set of enabled TLS protocols and cipher suites take effect immediately and will be used for any new LDAPS or LDAP+StartTLS connections that are established after the change is made. This applies for changes made directly in the connection handler configuration, and if the connection handler is not configured with an explicit set of TLS protocols or cipher suites, then it also applies to changes made in the crypto manager configuration.

A restart is still required to apply TLS protocol or cipher suite changes to other types of connection handlers, as well as for replication.

Updated the modifiable password policy state plugin

PingDirectory
Improved: DS-45506
Updated the modifiable password policy state plugin to allow the ds-pwp-modifiable-state-json attribute to be included in add requests for the purpose of specifying certain elements of the new account's password policy state.

Updated setup to encrypt the tools.pin file in certain situations

Improved: DS-46379
Updated setup so that if it is configured to write a tools.pin file containing the default bind password to supply when running command-line tools, and if it is also configured to enable data encryption in the server, then it will encrypt the contents of that tools.pin file.

Improved how a backup of the config backend is handled

Improved: DS-46467
If during a backup of the config backend, a file is deleted from the config/archived-configs directory, that deleted file will now be ignored instead of causing the backup to fail.

Improved password modify extended requests

PingDirectory
Improved: DS-46487
Updated the server to allow password modify extended requests to include a proxied authorization request control.

Updated the pass-through authentication handler

PingDirectory
Improved: DS-46511
Updated the pass-through authentication handler configuration to make it possible to configure each handler with an optional set of connection criteria, request criteria, and included local entry base DNs. When using the aggregate pass-through authentication handler, this makes it easier to indicate which handler should be used for a given bind operation.

Updated the replace-certificate tool

PingDirectory
Improved: DS-46653
Updated the replace-certificate tool to support obtaining the source certificate chain and private key from PEM-formatted or DER-formatted files when replacing a listener or inter-server certificate. This is an alternative to requiring the new certificate to be provided in a key store.

Updated the Directory REST API with a new method for changing passwords

PingDirectory
Improved: DS-46816

Updated the Directory REST API to add support for a means of changing passwords that is analogous to the LDAP password modify extended operation.

Updated the Directory REST API to suggest user passwords

PingDirectory
Improved: DS-46818

Updated the Directory REST API to add support for a means of suggesting one or more new passwords for a user. This is analogous to the LDAP generate password extended operation.

Updated the Directory REST API for obtaining password quality requirements

PingDirectory
Improved: DS-46823

Updated the Directory REST API to add support for a means of getting the requirements that a password will be required to satisfy for an add, self password modify, or administrative password reset operation. This is analogous to the LDAP get password quality requirements extended operation.

Improved the response time of the dsreplication enable command

PingDirectory
Improved: DS-46906
Improved the response time of the dsreplication enable command on large topologies with more than 20 servers.

Improved data encryption

Improved: DS-46908, DS-46911, DS-46912, DS-46913, DS-46931, DS-46933, DS-46934, DS-46936, DS-46937

The following data encryption improvements were made:

  • We updated the encryption-settings create command to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key for the definition.
  • We updated most cipher stream providers to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key used to protect the encryption settings database, and to use a higher default value.
  • We updated the file-based cipher stream provider to support being configured with a metadata file that allows it to use stronger encryption for protecting the encryption settings database than when no metadata file is configured. A metadata file will automatically be configured when enabling data encryption during setup when not using a pre-existing encryption settings database.
  • We improved encryption strength for encryption settings exports, backups, LDIF exports, log files and other file encryption, preferring 256-bit AES over 128-bit when available, and using a higher PBKDF2 iteration count to derive the key.
  • We improved file encryption performance in the common case of using an encryption settings definition instead of a passphrase.
  • We updated the encryption settings backend to provide additional information about each encryption settings definition, and updated the base entry for that backend to indicate if the encryption settings database is frozen or configured with any data encryption restrictions.

Improved performance of the dsreplication command

PingDirectory
Improved: DS-47083, DS-47084
Improved performance of dsreplication commands in topologies with a large number of PingDirectory servers and/or high network latency.

Improved dsreplication command response time

PingDirectory
Improved: DS-47104
Improved the response time of the dsreplication command.

Improved various timeouts for replication enable and remove defunct server operations

PingDirectory, PingDirectoryProxy, PingDataSync
Improved: DS-47144
Improved various timeouts for replication enable and remove defunct server operations to scale with the size of the topology. Smaller topologies should not be impacted by these changes.

Updated the server's behavior when authenticating a client connection

PingDirectory, PingDirectoryProxy
Improved: DS-47155
Updated the server's behavior when it is configured to attempt to automatically authenticate a client connection using a certificate chain presented during TLS negotiation. Previously, if the client presented a certificate chain that could not be used to successfully authenticate the client, the server would have allowed the connection to remain established in an unauthenticated state, which could cause problems with applications that expect the connection to be authenticated. It will now terminate the client connection and log a disconnect message with details about the authentication failure.

Improved the server's support for UTF-8 password strings

PingDirectory
Improved: DS-47167
Improved the server's support for passwords provided as UTF-8 strings containing non-ASCII characters with multiple Unicode representations. Previously, bind attempts with such a password would only succeed if the request included the password with exactly the same sequence of bytes used at the time the password was set. Now, the bind might also be able to succeed when the provided password contains the same logical set of characters but using a different Unicode normalization form.
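As an added example (not PingDirectory's code), here is a Python sketch of the two password behaviours described on this page: a UTF-8 validator with the optional ASCII-only and character-class restrictions (plus the edge-only rule of the disallowed characters validator), and a verifier that, because only a hash of the originally supplied bytes exists, retries the supplied password in each Unicode normalization form. The salted SHA-256 storage is an assumption standing in for a real password storage scheme.

```python
import hashlib
import hmac
import os
import unicodedata

# Unicode general-category prefix for each character class a policy may permit
# (e.g. "L" covers Lu, Ll, Lt, ...). Constructed for this example.
CLASS_PREFIXES = {
    "letters": "L", "marks": "M", "numbers": "N",
    "punctuation": "P", "symbols": "S", "spaces": "Z",
}


def validate_utf8_password(raw, allow_non_ascii=True, allowed_classes=None,
                           disallowed=frozenset(), disallowed_at_edges=frozenset()):
    """Return None if the password is acceptable, otherwise a short rejection reason.

    raw: the password exactly as received in the request (bytes).
    allowed_classes: optional iterable of CLASS_PREFIXES keys; every character must
    belong to one of them. disallowed: characters rejected anywhere in the password;
    disallowed_at_edges: characters rejected only as the first or last character.
    """
    try:
        pw = raw.decode("utf-8")  # strict decoding rejects malformed sequences
    except UnicodeDecodeError:
        return "not a valid UTF-8 string"
    if not pw:
        return "empty password"
    if not allow_non_ascii and any(ord(ch) > 0x7F for ch in pw):
        return "non-ASCII characters are not allowed"
    if allowed_classes is not None:
        prefixes = tuple(CLASS_PREFIXES[name] for name in allowed_classes)
        # Classify the composed (NFC) form, so a decomposed "e" + U+0301 counts as
        # the letter it represents rather than as a letter plus a combining mark.
        for ch in unicodedata.normalize("NFC", pw):
            category = unicodedata.category(ch)
            if not category.startswith(prefixes):
                return f"character U+{ord(ch):04X} ({category}) is not allowed"
    if any(ch in disallowed for ch in pw):
        return "contains a disallowed character"
    if pw[0] in disallowed_at_edges or pw[-1] in disallowed_at_edges:
        return "begins or ends with a disallowed character"
    return None


SALT_LEN = 16


def store_password(raw):
    """Salted SHA-256 over the exact bytes supplied (stand-in for a storage scheme).
    Only this digest is kept, so the stored value cannot be normalized afterwards."""
    salt = os.urandom(SALT_LEN)
    return salt + hashlib.sha256(salt + raw).digest()


def _digest_matches(stored, candidate):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hashlib.sha256(salt + candidate).digest(), digest)


def verify_password(stored, provided):
    """Byte-exact comparison first (the pre-9.3 behaviour). If that fails and the
    bytes are valid UTF-8, retry with each Unicode normalization form of the
    provided text, which is how a bind can succeed with the same logical characters
    encoded differently. Non-UTF-8 input gets only the exact check."""
    if _digest_matches(stored, provided):
        return True
    try:
        text = provided.decode("utf-8")
    except UnicodeDecodeError:
        return False
    tried = {provided}
    for form in ("NFC", "NFD", "NFKC", "NFKD"):
        candidate = unicodedata.normalize(form, text).encode("utf-8")
        if candidate not in tried and _digest_matches(stored, candidate):
            return True
        tried.add(candidate)
    return False


if __name__ == "__main__":
    # Constructed sample: "café" stored in composed (NFC) form, presented decomposed.
    stored = store_password("caf\u00e9".encode("utf-8"))
    print(validate_utf8_password(b"caf\xc3\xa9", allow_non_ascii=False))
    print(verify_password(stored, "cafe\u0301".encode("utf-8")))
```

Each normalization retry costs one more hash computation, which is worth keeping in mind for expensive storage schemes such as PBKDF2.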

Updated replace-certificate replace-inter-server-certificate

Improved: DS-47345
Updated replace-certificate replace-inter-server-certificate to prevent using a certificate with an RSA key size greater than 3072 bits. It previously only required a minimum key size of 2048 bits without imposing a maximum size limit, but some of the cryptographic processing performed during inter-server authentication fails when using certificates with key sizes larger than 3072 bits.

Fixed an issue with updating password policy state information

PingDirectory, PingDirectoryProxy, PingDataSync
Fixed: DS-47440
Fixed an issue that could interfere with the server's ability to update password policy state information while processing a bind operation using pass-through authentication.
Warning:

For service accounts that use password storage schemes with high computational processing costs, such as PBKDF2, the server could process bind requests significantly slower.

You should create a separate password policy for your service account, choose a less process-intensive password storage scheme, such as SSHA256, and set a very strong password according to NIST guidelines. Learn more in the Upgrade considerations.

Fixed an issue in the pluggable pass-through authentication plugin

PingDirectory
Fixed: DS-46544
Fixed an issue in the pluggable pass-through authentication plugin that could prevent it from continuing with a local bind attempt if try-local-bind is false but the configured handler reports that the target user does not exist in the external service.

Fixed an issue when processing a modify operation

PingDirectory
Fixed: DS-45335
Fixed an issue that could arise when processing a modify operation that contains a replace modification in which the attribute description has an attribute type and does not have any attribute options. If the target entry contained any attributes with the same attribute type but that also had one or more attribute options, then those attributes would have been incorrectly removed from the entry.
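As an added illustration of the replace semantics this fix concerns (example code, not PingDirectory's): a replace modification on a bare attribute type must touch only values with that exact attribute description, leaving variants of the same type that carry options (for example cn;lang-fr) in place. The entry model, the sample entry and the buggy variant are constructed here.

```python
def parse_attribute_description(desc):
    """Split an LDAP attribute description such as 'cn;lang-en;binary' into
    ('cn', frozenset({'lang-en', 'binary'})). Types and options are matched
    case-insensitively, so both are lowercased; option order is irrelevant."""
    attr_type, *options = desc.lower().split(";")
    return attr_type, frozenset(options)


def apply_replace(entry, desc, new_values):
    """Correct handling of a replace modification (RFC 4511 section 4.6): remove all
    values of exactly the attribute description given (same type AND same option
    set), then add the new values. Other option variants of the type survive.
    An empty value list removes the attribute description entirely."""
    target = parse_attribute_description(desc)
    result = {k: list(v) for k, v in entry.items()
              if parse_attribute_description(k) != target}
    if new_values:
        result[desc] = list(new_values)
    return result


def apply_replace_buggy(entry, desc, new_values):
    """Constructed reproduction of the behaviour the fix describes: when the
    description carries no options, every attribute of that type is removed,
    including the ones that do carry options."""
    target_type, options = parse_attribute_description(desc)
    if options:
        return apply_replace(entry, desc, new_values)
    result = {k: list(v) for k, v in entry.items()
              if parse_attribute_description(k)[0] != target_type}
    if new_values:
        result[desc] = list(new_values)
    return result


# Constructed sample entry with language-tagged variants of cn.
SAMPLE_ENTRY = {
    "cn": ["Jane Doe"],
    "cn;lang-en": ["Jane Doe"],
    "cn;lang-fr": ["Jeanne Doe"],
    "sn": ["Doe"],
}


if __name__ == "__main__":
    print(sorted(apply_replace(SAMPLE_ENTRY, "cn", ["Jane Q. Doe"])))
    # -> ['cn', 'cn;lang-en', 'cn;lang-fr', 'sn']
    print(sorted(apply_replace_buggy(SAMPLE_ENTRY, "cn", ["Jane Q. Doe"])))
    # -> ['cn', 'sn']
```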

Fixed the server's handling for subtree searches

PingDirectory
Fixed: DS-46178
Fixed an issue with the server's handling for subtree searches with an empty base DN. The server correctly returned entries from top-level backends (that is, backends whose base DNs were server naming contexts) but failed to return entries from subordinate backends.

Fixed an issue that prevented search result entry messages from being logged

PingDirectoryProxy
Fixed: DS-46656
Fixed an issue that prevented search result entry messages from being logged for operations passing through the PingDirectoryProxy server.

Fixed an issue with IntraSync User operational attributes

PingDataSync
Fixed: DS-46695
Fixed an issue that caused missing IntraSync User operational attributes after running the manage-profile replace-profile subcommand.

Fixed an issue with permit-export-reversible-passwords

PingDirectory
Fixed: DS-46810
Fixed an issue that prevented including permit-export-reversible-passwords in the set of privileges that can be automatically inherited by root users and topology administrators.

Fixed an issue with passwords within minAge

PingDirectory
Fixed: DS-46882
Attempting to change a password that is still within the minAge now responds with an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.

Fixed an issue with the manage-profile --setup script

PingDirectory
Fixed: DS-46892
Fixed an issue where the manage-profile --setup script did not correctly find the necessary paths.

Fixed an issue with expired passwords and remaining grace logins

PingDirectory
Fixed: DS-46945
Fixed an issue that prevented a user with an expired password but one or more remaining grace logins from being allowed to change their own password on a request that was authorized with the proxied authorization request control.

Fixed an issue with normalized search substrings

PingDirectory
Fixed: DS-46946
Fixed an issue where normalized search substrings that were empty matched everything instead of nothing.

Fixed an issue with unindexed searches

PingDirectory
Fixed: DS-47061
Fixed an issue that could prevent certain unindexed searches from returning all matching entries in the scope of the search. If a backend is configured with compact-common-parent-dn values that are at least two levels below the backend's base DN, then searches based below the backend base DN but above a compact-common-parent-dn value could have excluded entries from subtrees for which compaction had been configured. This issue has been fixed, but because it caused certain records to be stored in an incorrect order in the underlying database, customers affected by the issue will need to export the backend data to LDIF and re-import it to have the database rebuilt with the correct ordering.

Fixed an issue with the password modify extended operation and the no-operation control

PingDirectory
Fixed: DS-47079
Fixed an issue in which the server could return multiple password validation details response controls in the response to a password modify extended request that included a password validation details request control and did not specify a new password, indicating that the server should generate a new password for the target user.

Also fixed an issue in which the server would not return the generated new password in the response to a password modify extended request that included a no-operation request control and did not specify a new password.

Fixed a replication issue causing unstable master selection

PingDirectory
Fixed: DS-47103
Fixed an internal error that could cause a replicated PingDirectory server topology to have unstable master selection.

Fixed an issue causing improper modify request processing

PingDirectory
Fixed: DS-47170
Fixed an issue that could prevent the server from properly processing a modify request that contained an update to the ds-pwp-modifiable-state-json attribute in conjunction with one or more other attributes. If the update to ds-pwp-modifiable-state-json did not actually result in any changes to the user's password policy state, then the server could have short-circuited processing for the operation and returned a success result without processing the other modifications targeting other attributes.

Fixed an issue with index name length

PingDirectory
Fixed: DS-47182
Fixed an issue with indexes where index names could exceed the maximum file name length of 255 characters.

Fixed an issue with the password policy state extended operation

PingDirectory
Fixed: DS-47245

Fixed an issue that could cause the password policy state extended operation to return misleading results for some requesters. Previously, the server would always retrieve the target user's entry on an internal connection authorized as the user that requested the external operation, and would use that entry to construct its internal representation of the password policy state. This ensured that the operation would only be allowed if the requester had the necessary permission to retrieve the target user's entry, but if the requester didn't have permission to retrieve all of the operational attributes used to represent components of the target user's password policy state, then the perceived state used for subsequent processing in that operation might not be accurate, which could cause the server to return incorrect information about the user's account state.

To address this problem, the server first ensures that the requester has the necessary permission to issue the extended request and to access the target user's entry, but it will then retrieve the entry again on an internal connection that is not subject to access control restrictions. This ensures that it will always get a complete and accurate representation of the user's password policy state so that it can return the correct information to the requester.

Note:

If the operation is used in an attempt to update the target user's password policy state, then the requester must still have the necessary access control permission to write to the appropriate operational attributes for that request.

Fixed an issue with the purging of obsolete replicas

PingDirectory
Fixed: DS-47369
Fixed an issue where obsolete replicas were sometimes not being purged from replication servers.

Fixed an issue with case insensitivity

PingDirectory
Fixed: DS-47374
Fixed an issue where case insensitivity was not correctly handled when working with static topologies.