Added new access control bind rules and a new access control target
- Added a new "secure" access control bind rule that can be used to make access control decisions based on whether the client is using a secure connection (for example, LDAPS or LDAP with StartTLS) to communicate with the server. Using the bind rule secure="true" indicates that the ACI only applies to requests received over a secure connection, while secure="false" indicates that the ACI only applies to requests received over an insecure connection.
- Added a new "connectioncriteria" access control bind rule that can be used to make access control decisions based on whether the client connection matches a specified set of connection criteria. The value of the bind rule can be either the name or the full DN of the configuration object that defines the desired connection criteria.
- Added a new "requestcriteria" access control target that can be used to make access control decisions based on whether the operation request matches a specified set of request criteria. The value of the target can be either the name or the full DN of the configuration object that defines the desired request criteria.
Added an audit data security recurring task
Added new stats to track operations when using UnboundIDSyncDestination
Added support for Java 17
Added a SCIM 2.0 sync destination
Added new password storage schemes
For more information about password storage schemes, see Supported password storage schemes.
Added an HTTP servlet extension to support Prometheus
Fixed issues with data security auditors
- Fixed an issue in which the locked account data security auditor did not include the number of validator-locked entries in the summary generated when completing processing for a backend.
- Fixed an issue in which the expired password data security auditor could incorrectly report that an entry has an old password even when it has been changed more recently than the configured password evaluation age.
- Fixed an issue with the weakly encoded password data security auditor that could prevent it from detecting passwords encoded with certain schemes.
- Updated the weakly encoded password data security auditor so passwords encoded using unsalted SHA-1 digests, salted SHA-1 digests, salted MD5 digests, and the MD5 variant of the CRYPT password storage scheme are now considered weak by default.
- Updated the Server SDK to add support for creating custom data security auditors.
For more information about data security auditors, see Auditing data content.
Removed support for incremental backups
Exploded indexes are no longer created unexpectedly
Fixed an issue with dsreplication
The hibernate-validator library in the management console has been updated to version 6.2.1
To close a vulnerability found in hibernate-validator 5.4.3 in the management console, we are updating the console to version 6.2.1. This newer version requires jakarta-validator 2.0.2 rather than the older javax-validator 1.1.0, so we are also upgrading the directory server to jakarta-validator 2.0.2 to preserve compatibility.
When moving to version 2, javax-validator was moved to jakarta but still uses the javax namespace, so no code changes are needed beyond the dependency updates. If we move to jakarta-validator v3 in the future, however, we will need to move to the jakarta namespace.
Fixed an issue causing the replication initialize task to fail
Resource limits are now set for the topology admin user
Fixed an issue with replication enablement
Fixed an issue causing slow response time
Fixed an issue causing sync to slow down
Fixed an issue preventing changes to certain password policy state attributes from being applied
Exposed previously hidden properties in the PingDirectoryProxy server
maximum-modifications-per-modify-request properties in the global configuration. These properties were previously only visible in the PingDirectory server configuration, but they also apply to requests that pass through the PingDirectoryProxy server.
The migrate-ldap-schema tool now removes incorrect single quotes
Users are no longer prevented from changing their own passwords
New servers can now be enabled into a large topology
Enhanced the audit-data-security tool to use new data security auditors
- Accounts with password policy state issues that might currently or soon affect their usability.
- Accounts with an activation time in the future, an expiration time in the past, or an expiration time in the near future.
- Accounts with passwords encoded using deprecated password storage schemes.
- Accounts for users that have not authenticated in longer than a specified length of time.
- Accounts that are configured to use a nonexistent password policy and are therefore unable to authenticate.
- Entries that match a specified search filter.
Also, the locked account auditor is now able to identify validation-locked accounts, and the weakly encoded password auditor can now flag passwords encoded with SMD5, SHA, and SSHA, and also the MD5 variant of the CRYPT scheme.
For more information about the audit-data-security tool, see Auditing data content.
Improved logging with the addition of new features
- The IP addresses of the clients with the most failed bind attempts (in case a single client is trying to access multiple accounts, as might happen in a credential stuffing attack).
- The addresses of the users with the most consecutive authentication failures (that is, most failures between successes or most failures without a success).
- The identification of filters with parentheses, ampersands, pipes, single quotes, and double quotes, which might indicate an unsuccessful LDAP filter injection attempt.
- The identification of filters with the words "select" and "from", which might indicate an unsuccessful SQL injection attempt.
- The identification of the most commonly used and missing privileges.
- The tracking of the number of components used in filters, since an increase in the number of filters with more components might suggest a successful injection attempt.
For more information about the summarize-access-log tool, see Logging Tools.
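The filter heuristics listed above (unbalanced parentheses, quote and filter metacharacters inside assertion values, the words "select" and "from", and a per-component-count histogram) are illustrated by this added example; it is not the summarize-access-log tool's code, and the log lines and their layout are constructed for the example rather than taken from a real server.

```python
import re
from collections import Counter

# Constructed sample lines (not from the release notes), loosely modelled on an access log.
SAMPLE_LOG = """\
[01/Jan/2024:10:00:01 +0000] SEARCH conn=1 op=2 from="10.0.0.5:51000" filter="(uid=alice)" resultCode=0
[01/Jan/2024:10:00:02 +0000] SEARCH conn=2 op=1 from="10.0.0.9:51344" filter="(uid=alice)(objectClass=*))" resultCode=0
[01/Jan/2024:10:00:03 +0000] SEARCH conn=3 op=1 from="10.0.0.9:51350" filter="(cn=' select * from users --)" resultCode=0
[01/Jan/2024:10:00:04 +0000] SEARCH conn=4 op=1 from="10.0.0.7:51400" filter="(&(objectClass=person)(uid=bob)(mail=*))" resultCode=0
"""

LINE_RE = re.compile(r'from="(?P<ip>[^":]+):\d+".*filter="(?P<filter>.*)" resultCode=')
COMPONENT_RE = re.compile(r"\([A-Za-z][\w.;-]*\s*[~<>]?=")  # one attribute assertion "(attr="
VALUE_RE = re.compile(r"=([^)]*)")                          # assertion value, up to the next ')'
SQL_WORDS = re.compile(r"\b(select|from)\b", re.IGNORECASE)
META = set("()&|'\"")  # characters that do not belong in a properly escaped assertion value

def unbalanced(filt):
    """True if a ')' closes before its '(' or some '(' is never closed."""
    depth = 0
    for ch in filt:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return True
    return depth != 0

def filter_findings(filt):
    """Reasons a filter looks like a (possibly failed) injection attempt; empty if none."""
    reasons = []
    if unbalanced(filt):
        reasons.append("unbalanced parentheses")
    if any(META & set(value) for value in VALUE_RE.findall(filt)):
        reasons.append("filter metacharacters or quotes inside an assertion value")
    if {w.lower() for w in SQL_WORDS.findall(filt)} == {"select", "from"}:
        reasons.append("contains both 'select' and 'from'")
    return reasons

def summarize(log_text):
    """Map client IP -> [(filter, reasons)], plus a histogram of filter component counts."""
    flagged, components = {}, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        filt = m.group("filter")
        components[len(COMPONENT_RE.findall(filt))] += 1
        reasons = filter_findings(filt)
        if reasons:
            flagged.setdefault(m.group("ip"), []).append((filt, reasons))
    return flagged, components
```

Running `summarize(SAMPLE_LOG)` on the constructed lines flags only the client at 10.0.0.9 (once for unbalanced parentheses, once for a quoted value carrying "select" and "from") and reports filters with 1, 2 and 3 components.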
Access control improvements
PingDirectory provides a number of features to manage access to data within the data store, including Access Control Instructions and connection criteria. In this release, the access control handler adds a bind rule that makes access control decisions based on whether the client connection is secure, a bind rule that makes them based on whether the client connection matches a given set of connection criteria, and a target that determines whether the rule applies to a given request based on request criteria.
Updated global configuration
Added support for generating digital signatures with a key obtained from an encryption settings definition
Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.
Added support for HTTP forward proxy
- The Amazon Key Manager cipher stream provider
- The Amazon Secrets Manager cipher stream provider
- The Amazon Secrets Manager passphrase provider
- The Amazon Secrets Manager password storage scheme
- The Azure Key Vault cipher stream provider
- The Azure Key Vault passphrase provider
- The Azure Key Vault password storage scheme
- The PingOne pass-through authentication plugin
- The PingOne sync source and destination
- The Pwned Passwords password validator
- The SCIMv1 sync destination
- The SCIMv2 sync destination
- The Twilio alert handler
- The Twilio OTP delivery mechanism
- The UNBOUNDID-YUBIKEY-OTP SASL mechanism handler
The replication-purge-obsolete-replicas property is now set to true by default
The replication-purge-obsolete-replicas global configuration property is now set to true by default for new and upgraded PingDirectory servers so that obsolete replicas are purged.
The replace-certificate tool now re-prompts user for path to valid file containing certificates
Updated replication enable synopsis
Updated the dsconfig tool
Enhanced the replication server
Updated Amazon AWS external server configuration
dsreplication enable subcommand description differs based on operating system
There is a known issue in which the description of the dsreplication enable subcommand differs based on the operating system. On macOS, an updated description is shown:
"Update the configuration of the servers to replicate the data under the specified base DN(s). If one of the two servers is already part of an existing replication topology, then that server must be specified as the first server. This is because the schema of the second server will be updated to match the schema of the first. The configuration of all the servers in the existing topology will also be updated, so it is sufficient to perform this operation once for each new server that is added to the topology. The server-to-server replication communication is always secured with SSL."
But on some operating systems, including Windows and CentOS, the older description is shown, which doesn't mention the schema initialization.