What's new in the PingDirectory 9.3 suite of products?
When dealing with server security, some customers require the ability to separate control of encryption settings from the typical directory administrator. In this release, several features have been added to restrict or revoke access to the encryption settings configuration: the encryption settings database can be locked with a password, and a new monitor provider for the cipher stream provider itself can be used to revoke access. Several restrictions can be configured, including preventing data encryption from being turned off, preventing changes to the cipher stream provider, preventing export of the encryption settings database, and preventing use of the encrypt-file tool to decrypt files. Also, administrators can now set up a new PingDirectory instance with a pre-existing encryption settings database using the manage-profile command.
PingDirectory has previously allowed user entries to authenticate via pass-through authentication to other systems such as Active Directory or PingOne, but only a single pass-through authentication plugin could be used. A new aggregate pass-through authentication handler in version 9.3 allows multiple subordinate authentication plugins, each with its own criteria identifying the authentication requests it should process. The configuration order determines the priority of the plugins. Different failure types can be configured so that a failure in one subordinate handler allows processing to continue in another handler.
PingDirectory provides several application programming interfaces (APIs) for creating efficient and powerful client applications for managing the data store. The Directory REST API has been enhanced to support specific LDAP extended operations: Password Modify, Generate Password, and Get Password Quality Requirements. Since JSON-formatted controls were recently added to the Directory REST API, all supported controls can be used with these extended operations as well. The Change Password extended operation allows users to modify their own password or another user's (with the proper permissions, of course). The Suggest Password extended operation generates a list of potential passwords and reports whether each would be valid under certain policies, and the Password Requirements extended operation returns a comprehensive list of the password quality requirements for a given user or policy when a certain operation is performed.
Several improvements to the dsreplication command will increase the performance when enabling replication and for retrieving the current status of the topology.
The configuration of sync pipes continues to be a sticking point for customers, as the process can be quite difficult. Currently these are created using dsconfig, the admin console, or the configuration API. Out-of-the-box (OOTB) dsconfig script files are provided for creating a PingOne source and/or destination server. New OOTB scripts and documentation have been created specifically for bi-directional syncs between Active Directory and PingDirectory, for a reference script syncing from Active Directory to SCIMv2, and for using Kafka as a sync destination. These scripts include the necessary steps and documentation detailing how to customize them for a customer's environment.
A new cache-duration property allows optional caching of key managers retrieved by a PKCS11 Key Manager Provider.
Added additional values for the allow-pre-encoded-passwords property in the password policy configuration. Previously, the value for this property could be either "false" or "true," but it can now be any of the following:
- false: Do not allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. This remains the default setting, and the behavior with this value remains the same.
- true: Allow pre-encoded passwords to be provided in add requests, self password changes, or administrative password resets. The behavior with this value remains the same.
- add-only: Allow pre-encoded passwords to be provided in add requests, but not in self password changes or administrative password resets.
- admin-reset-only: Allow pre-encoded passwords to be provided in administrative password resets, but not in add requests or self password changes.
- add-and-admin-reset-only: Allow pre-encoded passwords to be provided in add requests or administrative password resets, but not in self password changes.
The new values can be used to allow administrators to set pre-encoded passwords without allowing end users to do so for their own accounts. Allowing pre-encoded passwords for self password changes introduces several security risks, including permitting users to bypass password validation, password expiration, and password history constraints; permitting users to use weakly encoded passwords; or allowing users to use passwords that are encoded so strongly that they could cause excessive resource consumption in the server.
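The following is an added example (not PingDirectory code) that models the five allow-pre-encoded-passwords values above as a decision function, recognises a pre-encoded value by its RFC 2307 style "{SCHEME}" prefix, and flags the weak-scheme risk the paragraph describes. The request-kind names, the weak-scheme list and the sample values are assumptions made for illustration, not product identifiers.

```python
import re
from typing import Optional, Tuple

# The three contexts in which a password value can be supplied (names assumed).
REQUEST_KINDS = ("add", "self-change", "admin-reset")

# Which request kinds each allow-pre-encoded-passwords value permits to carry an
# already-encoded password, taken from the list of values described above.
PRE_ENCODED_POLICY = {
    "false": frozenset(),
    "true": frozenset(REQUEST_KINDS),
    "add-only": frozenset({"add"}),
    "admin-reset-only": frozenset({"admin-reset"}),
    "add-and-admin-reset-only": frozenset({"add", "admin-reset"}),
}

# Assumed set of storage schemes a reviewer would consider weak if a user could
# supply them pre-encoded; this is an illustration, not a list from the product.
WEAK_SCHEMES = frozenset({"CLEAR", "BASE64", "MD5", "SHA", "CRYPT"})

# RFC 2307 style "{SCHEME}value" prefix that marks a value as already encoded.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")


def encoded_scheme(password: str) -> Optional[str]:
    """Return the storage scheme name if the value is pre-encoded, else None."""
    m = _SCHEME_RE.match(password)
    return m.group(1).upper() if m else None


def pre_encoded_allowed(setting: str, request_kind: str) -> bool:
    """True if the property value permits a pre-encoded password in this request kind."""
    if setting not in PRE_ENCODED_POLICY:
        raise ValueError(f"unknown allow-pre-encoded-passwords value: {setting}")
    if request_kind not in REQUEST_KINDS:
        raise ValueError(f"unknown request kind: {request_kind}")
    return request_kind in PRE_ENCODED_POLICY[setting]


def check_password_value(setting: str, request_kind: str, password: str) -> Tuple[bool, str]:
    """Decide whether a supplied password value is acceptable and explain why.

    A clear-text value is always accepted here because the server's validators,
    history and expiration rules still apply to it. A pre-encoded value bypasses
    those checks, so it is accepted only where the setting permits it."""
    scheme = encoded_scheme(password)
    if scheme is None:
        return True, "clear-text value: validators, history and expiration rules apply"
    if not pre_encoded_allowed(setting, request_kind):
        return False, f"pre-encoded {scheme} value rejected for {request_kind} under {setting}"
    note = " (weak scheme; validators are bypassed)" if scheme in WEAK_SCHEMES else ""
    return True, f"pre-encoded {scheme} value accepted for {request_kind}{note}"


def exposure(setting: str) -> list:
    """Request kinds in which validators can be bypassed under a given setting."""
    return sorted(PRE_ENCODED_POLICY[setting])


if __name__ == "__main__":
    for setting in PRE_ENCODED_POLICY:
        print(f"{setting:28s} bypass possible via: {exposure(setting) or 'nothing'}")
    print(check_password_value("admin-reset-only", "self-change", "{CLEAR}hunter2"))
```

Running the block prints, for each value, which request kinds can carry a pre-encoded password; the admin-reset-only and add-and-admin-reset-only values are the ones that keep self password changes closed while still letting an administrator migrate existing hashes.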
Added account status notification types
- account-authenticated: an account status notification type that can be used to notify users or administrators when an account has successfully authenticated with a bind request that matches a specified set
- account-deleted: an account status notification type that can be used to notify users or administrators when an account has been removed with a delete request that matches a specified set of criteria.
Added support for a successful bind result criteria that can be used to classify successful bind operations based on the resulting authentication identity.
Added a UTF-8 password validator
Added the --showPartialBacklog
Added configuration properties to the Config File Handler backend
Added the configuration property insignificant-config-archive-base-dn to the Config File Handler backend. This property can be used to control the rate at which the configuration archive grows by removing files that record only changes under the specified base DN(s).
If an existing configuration entry is updated, but all of the changes are restricted to one or more of these base DNs, then the updated configuration will be added to the configuration archive, but that archived configuration file can be removed after the next configuration change.
By default, this property will apply to the topology registry subtree.
Added pass-through authentication handlers
Added an aggregate pass-through authentication handler that makes it possible to have multiple types of pass-through authentication enabled in the server at the same time.
Added a PingOne pass-through authentication handler that can be used to authenticate to the PingOne service. This handler provides the same functionality as the standalone PingOne pass-through authentication plugin, but it can be used with the aggregate pass-through authentication handler to support pass-through authentication to PingOne in conjunction with other types of services.
The new replication-missing-changes-risk alert is now raised during replication server connections if the backlog is within a configurable percent of the purge delay. By default, the new missing-changes-alert-threshold-percent replication server configuration parameter is set to 80%.
Added new properties to the Config File Handler Backend
Added two new properties to the Config File Handler Backend for managing the config archive and limiting its impact on server performance.
The first property controls whether or not changes to the config backend are recorded in the config archive. Existing records in the archive are unaffected by changes to
The second property is max-config-archive-size, which limits the number of config files that will be maintained by the archive. When a new file is added to the archive, if the resulting number of files exceeds the value of this property, then the oldest files will be deleted from the archive until the total is equal to the configured value.
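To make the interaction between insignificant-config-archive-base-dn (described earlier under the Config File Handler backend) and max-config-archive-size concrete, here is an added simulation; it is not PingDirectory code and does not reproduce the server's file layout. The DN matching is simplified, the record names and the DNs in the sample are constructed, and "cn=Topology,cn=config" is used only as a placeholder for the topology registry subtree.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs so DNs compare reliably.
    Simplified on purpose: real DN normalization also handles escaping."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_at_or_below(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies somewhere beneath it."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


@dataclass(frozen=True)
class ArchiveRecord:
    name: str               # constructed archive file name, e.g. "config-0001"
    changed_dns: frozenset  # DNs of the configuration entries this change touched


def is_insignificant(record: ArchiveRecord, base_dns: Sequence[str]) -> bool:
    """A record is insignificant when every change it holds falls under one of
    the configured insignificant-config-archive-base-dn values."""
    return bool(record.changed_dns) and all(
        any(is_at_or_below(dn, base) for base in base_dns) for dn in record.changed_dns
    )


def apply_change(archive: List[ArchiveRecord], record: ArchiveRecord,
                 base_dns: Sequence[str], max_size: Optional[int]) -> List[ArchiveRecord]:
    """Return the archive after one more configuration change is recorded.

    1. The new record is always added, so the archive reflects the change.
    2. Earlier records that held only insignificant changes are dropped: the
       'next configuration change' that makes them removable has now happened.
    3. If max-config-archive-size is set, the oldest records are trimmed."""
    kept = [r for r in archive if not is_insignificant(r, base_dns)]
    kept.append(record)
    if max_size is not None:
        while len(kept) > max_size:
            kept.pop(0)  # oldest first
    return kept


def replay(records: Sequence[ArchiveRecord], base_dns: Sequence[str],
           max_size: Optional[int] = None) -> List[str]:
    """Replay a sequence of changes and return the names left in the archive."""
    archive: List[ArchiveRecord] = []
    for rec in records:
        archive = apply_change(archive, rec, base_dns, max_size)
    return [r.name for r in archive]


# Constructed sample: three changes, the middle one touching only the placeholder
# topology registry subtree, which the property treats as insignificant by default.
SAMPLE_BASE_DNS = ["cn=Topology,cn=config"]
SAMPLE_RECORDS = [
    ArchiveRecord("config-0001", frozenset({"ds-cfg-backend-id=userRoot,cn=Backends,cn=config"})),
    ArchiveRecord("config-0002", frozenset({"cn=server-1,cn=Server Instances,cn=Topology,cn=config"})),
    ArchiveRecord("config-0003", frozenset({"cn=LDAP Connection Handler,cn=Connection Handlers,cn=config"})),
]

if __name__ == "__main__":
    print(replay(SAMPLE_RECORDS, SAMPLE_BASE_DNS))               # ['config-0001', 'config-0003']
    print(replay(SAMPLE_RECORDS, SAMPLE_BASE_DNS, max_size=1))   # ['config-0003']
```

The second print shows the trade-off a practitioner should keep in mind: a small max-config-archive-size bounds disk usage, but it also discards the older significant records you might want when diagnosing a configuration regression.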
Added a property that lets you control servlet information
The new include-servlet-information-in-error-pages configuration property gives you control over whether servlet information is printed on HTTP error pages or remains hidden (the default).
Added support for encrypted PKCS #8 private key PEM files
Added caching logic
Addressed a performance issue when adding new directory servers to large replicated topologies spanning multiple geographic locations.
Added support for syncing boolean-valued attributes
Added support for restricting administrators' access to encrypted data
Updated the server to support a separation of duties between those responsible for administering the server itself and those responsible for managing the encryption settings definitions used for data encryption. This is implemented through a combination of four new capabilities that were added:
- The ability to configure data encryption restrictions that can impose limitations around the administration of data encryption and access to decrypted data, including the ability to disable encryption, to change the cipher stream provider used to protect the encryption settings database, the ability to create backups or LDIF exports that are unencrypted or encrypted with a passphrase instead of an encryption settings definition, and the ability to use the encrypt-file tool to decrypt files.
- The ability to freeze the encryption settings database with a specified password. While it is frozen, the encryption settings database will operate in read-only mode so that it is not possible to create or remove definitions, change the preferred definition, or alter the set of active data encryption restrictions. The database can only be unfrozen with the password that was initially used to freeze it.
- The ability to set up the server with a pre-existing encryption settings database. This is best done with the manage-profile setup command using a server profile that uses --encryptDataWithPreExistingEncryptionSettingsDatabase in the setup-arguments.txt file, that includes one or more batch files in the pre-setup-dsconfig directory with changes to configure and activate the associated cipher stream provider, and that includes the encryption settings database and any metadata files needed by the cipher stream provider in the appropriate locations below the server-root/pre-setup directory.
- Support for a new monitor provider that can periodically ensure that the encryption settings database can be read without relying on any caching that the cipher stream provider might be using to improve performance and reliability. After a prolonged outage, it can also optionally shut down the server or force it into lockdown mode as a way of preventing or limiting access to encrypted data. This can be used as a way of revoking access to encrypted data in the event that those responsible for managing encryption settings definitions deem it necessary by removing or disabling an external element (for example, an external KMS encryption key or a secret read from a password vault) that the cipher stream provider depends on for access to the encryption settings database.
Added a disallowed characters password validator
The new replication-not-purging-obsolete-replicas alert will be raised at server startup if a replication server is not configured to purge obsolete replicas. It is recommended that replication servers always be configured to do so.
Added a check-replication-domains tool
Improved error handling for LDAP external servers
collect-support-data administrative task
The collect-support-data administrative task now allows specifying the start and end times for the range of log messages to include in the support data archive.
Updated the LDAP connection handler
Updated the LDAP connection handler so that changes to the set of enabled TLS protocols and cipher suites take effect immediately and will be used for any new LDAPS or LDAP+StartTLS connections that are established after the change is made. This applies for changes made directly in the connection handler configuration, and if the connection handler is not configured with an explicit set of TLS protocols or cipher suites, then it also applies to changes made in the crypto manager configuration.
A restart is still required to apply TLS protocol or cipher suite changes to other types of connection handlers, as well as for replication.
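Because the new TLS protocol and cipher suite settings apply only to connections established after the change, the practical check is to open a fresh LDAPS connection and inspect what was actually negotiated. The following is an added example, not PingDirectory code: a small probe that reports the negotiated protocol and cipher, plus a pure decision helper for the acceptance policy. The host name, the list of acceptable protocol versions and the banned cipher substrings are assumptions for illustration.

```python
import socket
import ssl
from typing import List, Sequence, Tuple

# Assumed policy for this check: only these versions are acceptable on new connections.
ACCEPTABLE_VERSIONS = ("TLSv1.2", "TLSv1.3")
# Assumed substrings that mark a cipher suite as unwanted.
BANNED_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT")


def evaluate(negotiated_version: str, cipher_name: str,
             allowed: Sequence[str] = ACCEPTABLE_VERSIONS,
             banned: Sequence[str] = BANNED_CIPHER_MARKERS) -> List[str]:
    """Return a list of policy problems for a negotiated session; empty means OK.
    Kept free of network access so the policy can be unit tested."""
    problems = []
    if negotiated_version not in allowed:
        problems.append(f"protocol {negotiated_version} not in {list(allowed)}")
    upper = cipher_name.upper()
    for marker in banned:
        if marker in upper:
            problems.append(f"cipher {cipher_name} uses {marker}")
    return problems


def probe_ldaps(host: str, port: int = 636, cafile: str = None) -> Tuple[str, str]:
    """Open a brand-new TLS session to the LDAPS connection handler and return
    (protocol version, cipher suite name). A new connection is required because,
    as noted above, existing connections keep the parameters they started with."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            cipher_name, _protocol, _bits = tls.cipher()
            return version, cipher_name


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your own LDAPS host as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    version, cipher_name = probe_ldaps(host)
    problems = evaluate(version, cipher_name)
    print(f"{host}: {version} {cipher_name} -> {'OK' if not problems else '; '.join(problems)}")
```

Run it once before and once after the configuration change; if the second run still reports the old protocol, the change landed in a connection handler that needs a restart rather than the LDAP connection handler.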
Updated the modifiable password policy state plugin
The plugin now allows the ds-pwp-modifiable-state-json attribute to be included in add requests for the purpose of specifying certain elements of the new account's password policy state.
Updated setup to encrypt the tools.pin file in certain situations
Improved how a backup of the config backend is handled
Improved password modify extended requests
Updated the pass-through authentication handler
Updated the replace-certificate tool
Updated the Directory REST API with a new method for changing passwords
Updated the Directory REST API to add support for a means of changing passwords that is analogous to the LDAP password modify extended operation.
Updated the Directory REST API to suggest user passwords
Updated the Directory REST API to add support for a means of suggesting one or more new passwords for a user. This is analogous to the LDAP generate password extended operation.
Updated the Directory REST API for obtaining password quality requirements
Updated the Directory REST API to add support for a means of getting the requirements that a password will be required to satisfy for an add, self password modify, or administrative password reset operation. This is analogous to the LDAP get password quality requirements extended operation.
Improved the response time of the dsreplication enable command
Improved data encryption
The following data encryption improvements were made:
- We updated the encryption-settings create command to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key for the definition.
- We updated most cipher stream providers to make it possible to specify the PBKDF2 iteration count that should be used when deriving the encryption key used to protect the encryption settings database, and to use a higher default value.
- We updated the file-based cipher stream provider to support being configured with a metadata file that allows it to use stronger encryption for protecting the encryption settings database than when no metadata file is configured. A metadata file will automatically be configured when enabling data encryption during setup when not using a pre-existing encryption settings database.
- We improved encryption strength for encryption settings exports, backups, LDIF exports, log files and other file encryption, preferring 256-bit AES over 128-bit when available, and using a higher PBKDF2 iteration count to derive the key.
- We improved file encryption performance in the common case of using an encryption settings definition instead of a passphrase.
- We updated the encryption settings backend to provide additional information about each encryption settings definition, and updated the base entry for that backend to indicate if the encryption settings database is frozen or configured with any data encryption restrictions.
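The first three improvements in that list come down to two knobs on the key derivation that protects the encryption settings database: the PBKDF2 iteration count and the AES key length. The following is an added example, not PingDirectory code, showing those knobs with the standard library's PBKDF2-HMAC-SHA256, together with a verifier so a passphrase can be checked without storing the key, and a routine that re-derives under a higher iteration count (the "higher default value" pattern). The record layout, the check label and the iteration counts are constructed for illustration and are not the server's values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

KEY_CHECK_LABEL = b"encryption-settings-key-check"  # constructed label for the verifier


def derive_key(passphrase: str, salt: bytes, iterations: int, key_bits: int = 256) -> bytes:
    """PBKDF2-HMAC-SHA256; key_bits selects a 128-bit or 256-bit AES key.
    The iteration count is the attacker's per-guess cost multiplier."""
    if key_bits not in (128, 256):
        raise ValueError("key_bits must be 128 or 256")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=key_bits // 8)


def make_record(passphrase: str, iterations: int, key_bits: int = 256) -> Dict:
    """Create the metadata needed to re-derive and verify the key later.
    Only salt, parameters and an HMAC verifier are stored, never the key."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt, iterations, key_bits)
    verifier = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "key_bits": key_bits, "verifier": verifier}


def unlock(record: Dict, passphrase: str) -> Optional[bytes]:
    """Re-derive the key and return it only if the verifier matches."""
    key = derive_key(passphrase, record["salt"], record["iterations"], record["key_bits"])
    check = hmac.new(key, KEY_CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, record["verifier"]) else None


def upgrade_iterations(record: Dict, passphrase: str, new_iterations: int) -> Dict:
    """Re-derive under a stronger iteration count, which is only possible while
    the passphrase is known; anything protected by the old key must be re-wrapped."""
    if new_iterations <= record["iterations"]:
        raise ValueError("new iteration count must be higher than the current one")
    if unlock(record, passphrase) is None:
        raise ValueError("passphrase does not unlock the record")
    return make_record(passphrase, new_iterations, record["key_bits"])


# Constructed sample passphrase and record used by the demo below.
SAMPLE_PASSPHRASE = "correct horse battery staple"
SAMPLE_RECORD = make_record(SAMPLE_PASSPHRASE, 20_000)


def demo_upgrade() -> int:
    """Upgrade the sample record and return the iteration count it ends up with."""
    upgraded = upgrade_iterations(SAMPLE_RECORD, SAMPLE_PASSPHRASE, 50_000)
    assert unlock(upgraded, SAMPLE_PASSPHRASE) is not None
    return upgraded["iterations"]


if __name__ == "__main__":
    print("unlock with right passphrase:", unlock(SAMPLE_RECORD, SAMPLE_PASSPHRASE) is not None)
    print("unlock with wrong passphrase:", unlock(SAMPLE_RECORD, "wrong") is not None)
    print("iterations after upgrade:", demo_upgrade())
```

The design point worth noting is the one behind the release's "use a higher default value" change: raising the iteration count on an existing database requires the passphrase, so the upgrade has to happen as a deliberate re-derivation rather than silently on the next read.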
Improved performance of dsreplication command
Improved dsreplication command response time
Improved various timeouts for replication enable and remove defunct server operations
Updated the server's behavior when authenticating a client connection
Improved the server's support for UTF-8 password strings
Updated replace-certificate replace-inter-server-certificate
Fixed an issue in the pluggable pass-through authentication plugin
Fixed an issue when processing a modify operation
Fixed the server's handling for subtree searches
Fixed an issue that prevented search result entry messages from being logged
Fixed an issue with IntraSync User operational attributes
Fixed an issue with permit-export-reverable-passwords
Fixed an issue with passwords within minAge
A password change attempted within minAge now responds with an UNABLE_TO_PERFORM result code rather than INVALID_CREDENTIALS.
Fixed an issue in which the manage-profile --setup script did not correctly find the necessary paths.
Fixed an issue with expired passwords and remaining grace logins
Fixed an issue with normalized search substrings
Fixed an issue with unindexed searches
When a backend is configured with compact-common-parent-dn values that are at least two levels below the backend's base DN, searches based below the backend base DN but above a compact-common-parent-dn value could have excluded entries from subtrees for which compaction had been configured. This issue has been fixed, but because it caused certain records to be stored in an incorrect order in the underlying database, customers affected by the issue will need to export the backend data to LDIF and re-import it to have the database rebuilt with the correct ordering.
Fixed an issue with the password modify extended operation and the no-operation control
Also fixed an issue in which the server would not return the generated new password in the response to a password modify extended request that included a no-operation request control and did not specify a new password.
Fixed a replication issue causing unstable master selection
Fixed an issue causing improper modify request processing
Fixed an issue in the processing of a modify request that updated the ds-pwp-modifiable-state-json attribute in conjunction with one or more other attributes. If the update to ds-pwp-modifiable-state-json did not actually result in any changes to the user's password policy state, then the server could have short-circuited processing for the operation and returned a success result without processing the other modifications targeting other attributes.
Fixed an issue with index name length
Fixed an issue with the password policy state extended operation
Fixed an issue that could cause the password policy state extended operation to return misleading results for some requesters. Previously, the server would always retrieve the target user's entry on an internal connection authorized as the user that requested the external operation, and would use that entry to construct its internal representation of the password policy state. This ensured that the operation would only be allowed if the requester had the necessary permission to retrieve the target user's entry, but if the requester didn't have permission to retrieve all of the operational attributes used to represent components of the target user's password policy state, then the perceived state used for subsequent processing in that operation might not be accurate, which could cause the server to return incorrect information about the user's account state.
To address this problem, the server first ensures that the requester has the necessary permission to issue the extended request and to access the target user's entry, but it will then retrieve the entry again on an internal connection that is not subject to access control restrictions. This ensures that it will always get a complete and accurate representation of the user's password policy state so that it can return the correct information to the requester.
If the operation is used in an attempt to update the target user's password policy state, then the requester must still have the necessary access control permission to write to the appropriate operational attributes for that request.