Added support to sanitize access logs to protect sensitive information
Added support for processing JSON-formatted access logs
summarize-access-logcommand, which is used to display several metrics about operations processed within the server, now supports processing JSON formatted access logs.
Updated Directory REST API
Added conflict error messages for replicated PingDirectory deployments
JSON-formatted access logger updated
PingDataSync Server supports PingOne as a sync destination
Synchronize data to custom attributes defined in the PingOne environment
Repeating cycle when resetting a password
If your password policy for an admin user (such as a topology
administrator or rootDN) is set with
force-change-on-add:true, you cannot update that
administrator’s password without it being considered an administrator
An administrator reset results in the prompt of another required password reset, so using these password policy attributes sends an administrator in a repeating cycle when resetting the password.
One recommendation to work around this issue is to not set these password
policy attributes on administrator accounts that are stored in
cn=config. If you do need
force-change-on-add:true, you must clear the
mustChangePassword flag by running the following
command each time you change the password:
$ bin/manage-account set-must-change-password \ --mustChangePassword false \ --targetDN cn=<admin cn>
setup tool failure because of Bouncy Castle JAR files
bc. The JAR files are mentioned in an error message similar to the following:
An unexpected error occurred while attempting to copy the non-FIPS Bouncy Castle jar file into the server's classpath: FileSystemException: lib\bcprov-jdk15to18-1.71.jar: The process cannot access the file because it is being used by another process. A temporary workaround is to delete the JAR files that begin with
bcfrom the lib directory before attempting to run setup again.
Bouncy Castle libraries are not removed from the lib directory.
JSON-formatted controls rejected
falseare rejected as if their criticality were
trueby non-search requests.
Fixed an issue that prevented the server from refreshing monitor data
Fixed the status tool
Fixed key and trust store PIN issues
Updated the server to create the esTokenizer.ping file if it does not exist
Password policies using virtual attributes are now correctly applied
Improved string representations of active operations and persistent searches
The encode-password tool now works with AES256 password storage
Support added for synchronizing custom attributes defined in PingOne destinations
Set a consistent priority index when adding two PingDataSync servers into a new failover topology
manage-topology add-servercommand to set a consistent priority index when adding two PingDataSync servers into a new failover topology. The server listed as the remote server in the command-line arguments is given the higher priority index, which results in an overall lower priority compared to the other server.
Updated the sanitize-log tool
- It is preconfigured with default behaviors for an expanded set of log fields.
- It can be configured to suppress the default log field behavior configuration and only explicitly specified configuration.
- It offers support for additional sanitization options, including omitting fields and differentiating between values should be redacted or tokenized in their entirety or by components.
- It now uses syntax-aware redaction and tokenization.
- It offers support for specifying a default behavior to use on a per-syntax basis.
- It can obtain its settings from a log field behavior definition in the server configuration.
Improved assured replication result codes for conflicts
processedassured levels, for each replica that has a replication conflict resulting in an alternate distinguished name (DN) being updated, a CONFLICT result will be returned. If any such conflicts are detected, a result code of 68 (ENTRY_ALREADY_EXISTS) will be returned.
Fixed password policy state extended operation
Added a new Docker command-line tool
Added a new argument
--excludeSetupArgumentsargument for the
manage-profile generate-profilecommand. Added a
--skipValidationargument for the
manage-profile replace-profilecommand. This argument allows skipping the final server validation step when running on an offline server and allows generating a server profile that does not include a setup-arguments.txt file. Updated the setup and
replace-profilesubcommands to fail when a server profile includes an encryption-settings-db file in the profile's <server-root>/pre-setup/ directory.
Fixed an issue with server privileges
Improved protections around the
Updated the server to protect against attempts to modify the
ds-pwp-modifiable-state-json operational attribute
without the Modifiable Password Policy State plugin enabled. The plugin is
disabled by default, and the server would previously allow writes to that
attribute with the plugin disabled, but those writes would just pollute the
entry and have no effect on its password policy state. The server now only
allows updates to
ds-pwp-modifiable-state-json if the
Modifiable Password Policy State plugin is enabled. Similarly, the server
also rejects attempts to add entries that contain the
ds-pwp-modifiable-state-json operational attribute,
even with the Modifiable Password Policy State plugin disabled. Writes to
this attribute are only supported for modify operations,
and the server would properly reject add attempts
targeting that attribute if the plugin had been enabled but would not reject
those attempts if the plugin were disabled.
The server now also prohibits administrators from using the
ds-pwp-modifiable-state-json operational attribute to
update their own password policy state, and it prohibits attempts to update
ds-pwp-modifiable-state-json operational attribute in
an another user's entry in the same modify request that
also resets that user's password. The former restriction prevents certain
kinds of changes that could allow an administrator to exempt themselves from
certain password policy restrictions while the latter protects against
potential conflicts that could arise from two modifications in the same
request that attempt to alter a user's password policy state.
Fixed a backwards compatibility issue with the migrate-ldap-schema tool
--useSSLargument to indicate that SSL should be used to secure communication with both servers, whereas a newer version did not allow that argument but instead required both
--targetUseSSL. Similarly, support for the
--useStartTLSargument was inadvertently dropped, requiring both
--targetUseStartTLS. The legacy arguments have been restored.
Removed two password policies for non-password users
Updated Kafka version
Fixed incorrect index skipping
Updated the topology registry and the replace-certificate tool
Updated the topology registry to allow using issuer certificates when determining whether to trust the certificate chain presented by another server in the topology. Previously, a server's certificate chain would only be trusted if the server certificate itself was found in the topology registry. Now, a certificate chain can be trusted if either the peer certificate or any of its issuers is found in the topology registry.
Made the following updates to the replace-certificate tool:
- Added new
list-topology-registry-inter-server-certificatessubcommands that can be used to display a list of the listener or inter-server certificates for a specified server instance in the topology registry.
- Added a new
add-topology-registry-listener-certificatesubcommand that can be used to add one or more certificates to the set of listener certificates for an instance in the topology registry. This subcommand does not alter the contents of any key store, and it can be used to add an issuer certificate to the topology registry or to add a new peer listener certificate in advance of actually activating that certificate on the server.
- Updated the
replace-certificate replace-listener-certificatesubcommand to add
--trust-store-update-typearguments that allow indicating which types of certificates to include in the topology registry and trust store, respectively. Available options suppressing the update, only adding the listener certificate itself, only adding the listener certificate's issuers, or adding both the listener certificate and its issuers.
- Updated the
replace-certificate replace-listener-certificatesubcommand to add an
--ignore-current-listener-certificate-validity-windowargument that allows the tool to establish a connection to the server even if its certificate has expired or is not yet valid so that a non-valid certificate can be replaced.
Fixed an access log reporting issue
Added support for JSON-formatted request and response controls
Updated the server Bouncy Castle cryptographic library versions
Added support for generic strings in access and error log messages
Updated the local DB backend to disable the index cursor entry limit by default
This limit (which is not exposed in the configuration) reflects the maximum number of index keys that the server cursors through when evaluating a single substring or range filter component. If the limit is reached, then that component is considered unindexed, and the server will rely on other filter components or the search scope for the filter to be indexed. This limit was originally intended to help prevent the server from spending too much time evaluating an expensive filter component when other components might be better, but we have since dramatically improved the logic the server uses to determine the order in which the server should evaluate filter components and when to skip potentially expensive components, so it is unlikely that this option will ever be needed. Further, the former limit of 100,000 could have unnecessarily caused the server to consider a search unindexed when it could actually be efficiently processed using indexes.
In the unlikely event that this limit is actually needed in a directory
environment, it can still be activated by setting the
system property to the desired value.
Fixed gauge alarm issues
Fixed server lockdown issue in newly initialized databases
dsreplication initialize) could go into lockdown mode and report that the server ...may have missed one or more update(s). if the source server is in the pre-external-initialize state. This generally occurred only if the initialized server was restarted right after initialization completed.
Updated the export-reversible-passwords tool
Fixed a server operation rejection issue
true, but if the criticality is
false, the server continues processing the operation as if that control had not been requested.
Fixed a replication protocol message issue
Updated to LDAP SDK version 6.0.5
Updated to LDAP SDK for Java version 6.0.5 for bug fixes and new functionality.
Fixed a server issue causing internal errors during monitoring
Fixed a Directory REST API error with mismatched time syntax attribute values
Fixed Proxy server
In PingDirectoryProxy Server,
manage-profile replace-profile sometimes failed with an
error similar to the following:
The tool was unable to merge configuration from the existing server into the new server: LDAPException(resultCode=80 (other) ...
This fix ensures that the configuration is loaded before the merge that the error message refers to.