Resolved Issues

The following issues have been resolved with this release of the PingDirectory Server:

Ticket ID Description
DS-35874

The Self-Service Account Manager (SSAM) application is no longer included in the Directory Server zip file. The source code for the application is available at https://github.com/pingidentity/ssam.

DS-17027

Updated the replication status table displayed by "dsreplication status" so that it includes a "Server ID" column. The "Server ID" column is only displayed if the "-a" option is passed.

DS-16702,DS-17261

Updated the authentication failure reasons generated for bind attempts that fail because of an incorrect password when account lockout is enabled. If the account is not yet locked, the authentication failure reason will include the number of remaining failed attempts before the account will be locked. If the failed attempt caused the account to be locked, the authentication failure reason will indicate whether the account is permanently or temporarily locked.

Also fixed an issue in the get password policy state issues control implementation in which the server would incorrectly indicate that a temporary lockout was permanent for the failed bind attempt that caused the account to be locked.

DS-811

Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file.

DS-1029

The server now monitors important certificates used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. An alarm is raised and alerts are sent when a monitored certificate is 30 days from expiration.

DS-1233

Added the relative time extensible matching rule "relativeTimeExtensibleMatch" (1.3.6.1.4.1.30221.2.4.14) that can be used to match attributes with values using Generalized Time Syntax. The assertion value when using this matching rule should be in this form: an optional comparator, an optional negative '-' sign, and a duration sequence. The '>' comparator may be used to match times that come after the duration sequence. The '<' comparator may be used to match times that come before the provided duration sequence. If no comparator is provided, then matching values are determined by whether they are between the current time and the duration sequence. The optional negative sign indicates that the provided duration sequence is in the past. A duration sequence should be a comma-separated list of duration values (a number followed by a unit of time, such as year, week, day, hour, minute, second, or millisecond). Examples:

  • Users who haven't changed their password in a year (pwdChangedTime:relativeTimeExtensibleMatch:=<-1y)
  • Users who logged in within the last three and a half hours (ds-pwp-last-login-time:relativeTimeExtensibleMatch:=-3 hours, 30 m)
  • Accounts expiring in the next two weeks (ds-pwp-account-expiration-time:relativeTimeExtensibleMatch:=2 weeks)
  • Entries modified in the last 700 milliseconds (modifyTimestamp:relativeTimeExtensibleMatch:= - 700 ms)

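
The assertion grammar above (optional comparator, optional '-', comma-separated duration items) is small enough to implement and test directly. The following Python is an added example written for this page, not PingDirectory's own matching-rule code: it parses an assertion value, evaluates it against a GeneralizedTime attribute value at a fixed clock, and filters a constructed set of entries. The unit abbreviations it accepts, the 365-day year, and the UTC-only GeneralizedTime subset are assumptions, since the release note lists unit names but not the exact abbreviations or the year-to-offset conversion.

```python
"""Evaluate relativeTimeExtensibleMatch-style assertion values (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Milliseconds per unit. A year is treated as 365 days here (assumption; the
# page does not say how the server converts years to an absolute offset).
_UNIT_MS = {"millisecond": 1, "second": 1_000, "minute": 60_000, "hour": 3_600_000,
            "day": 86_400_000, "week": 7 * 86_400_000, "year": 365 * 86_400_000}
# Abbreviations accepted by this example, chosen to cover the forms used in the
# page's own examples ("1y", "30 m", "700 ms"); the full set is an assumption.
_ALIASES = {"ms": "millisecond", "s": "second", "sec": "second", "m": "minute",
            "min": "minute", "h": "hour", "hr": "hour", "d": "day", "w": "week",
            "y": "year", "yr": "year"}


def _unit_to_ms(token):
    unit = _ALIASES.get(token.lower(), token.lower())
    if unit not in _UNIT_MS and unit.endswith("s") and unit[:-1] in _UNIT_MS:
        unit = unit[:-1]  # accept plurals such as "hours" or "weeks"
    if unit not in _UNIT_MS:
        raise ValueError(f"unknown duration unit: {token!r}")
    return _UNIT_MS[unit]


def parse_assertion(assertion):
    """Split an assertion value into (comparator, sign, duration in ms).

    Grammar from the release note: optional '<' or '>', optional '-', then a
    comma-separated list of '<number> <unit>' items.
    """
    m = re.fullmatch(r"\s*([<>])?\s*(-)?\s*(.*?)\s*", assertion)
    if m is None or not m.group(3):
        raise ValueError(f"malformed assertion value: {assertion!r}")
    comparator = m.group(1)
    sign = -1 if m.group(2) else 1
    total_ms = 0
    for item in m.group(3).split(","):
        im = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", item)
        if im is None:
            raise ValueError(f"malformed duration item: {item!r}")
        total_ms += int(im.group(1)) * _unit_to_ms(im.group(2))
    return comparator, sign, total_ms


def parse_generalized_time(value):
    """Parse the GeneralizedTime subset used here: YYYYMMDDhhmmss[.fff]Z.

    Assumption: values are in UTC ('Z'); offsets such as +0100 are not handled.
    """
    m = re.fullmatch(r"(\d{14})(?:[.,](\d{1,3}))?Z", value)
    if m is None:
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m.group(2):
        dt += timedelta(milliseconds=int(m.group(2).ljust(3, "0")))
    return dt


def matches(value, assertion, now=None):
    """True if the attribute value satisfies the assertion relative to 'now'."""
    now = now or datetime.now(timezone.utc)
    comparator, sign, total_ms = parse_assertion(assertion)
    t = parse_generalized_time(value)
    boundary = now + timedelta(milliseconds=sign * total_ms)
    if comparator == ">":
        return t > boundary       # strictly after the boundary instant
    if comparator == "<":
        return t < boundary       # strictly before the boundary instant
    low, high = sorted((now, boundary))
    return low <= t <= high       # no comparator: between now and the boundary


def filter_entries(entries, attribute, assertion, now=None):
    """Return the DNs of entries whose attribute value matches the assertion."""
    return [e["dn"] for e in entries
            if attribute in e and matches(e[attribute], assertion, now)]


# Constructed sample data, not taken from any real directory.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "pwdChangedTime": "20230101000000Z"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "pwdChangedTime": "20240501000000Z"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com"},  # password never changed
]
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for repeatable runs

if __name__ == "__main__":
    for a in ("<-1y", "-3 hours, 30 m", "2 weeks", "- 700 ms"):
        print(f"{a!r:>20} -> {parse_assertion(a)}")
    print("stale passwords:", filter_entries(SAMPLE_ENTRIES, "pwdChangedTime", "<-1y", NOW))
```

Entries that lack the attribute (carol above) never match, which mirrors how an LDAP filter behaves; a "who has not changed their password" report therefore needs a separate check for accounts with no pwdChangedTime at all.
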
DS-2074

Updated the installer to discourage the use of weak root passwords.

When run in interactive mode, setup will display a list of password quality recommendations before prompting for the initial root password, suggesting that it should be at least 12 characters long, should not be contained in a dictionary of English words, and should not be contained in a dictionary of commonly-used passwords. If the proposed password does not meet these constraints, then the user will be given the option of proceeding with the provided weak password or choosing a different password.

When run in non-interactive mode, setup will exit with an error if the proposed initial root password does not satisfy the above constraints, unless the command line also includes the --allowWeakRootUserPassword argument.

In either mode, when a strong initial root password is supplied, setup will also configure the root users' password policy to ensure that subsequent root user passwords will also be required to satisfy these constraints.

DS-3653,DS-17268

The setup tool's GUI mode has been deprecated, and will be removed in a future version of the product. Until then, it can still be accessed using the command 'setup --gui'. The --cli option is no longer necessary for starting setup in command-line mode.

DS-3653

The setup tool's GUI mode is no longer available.

DS-4161

Updated PingDirectory Server, PingDirectoryProxy Server, PingDataSync, and PingDataGovernance with the capability to run as Windows Services.

DS-5944

Enhanced the rebuild-index tool with the ability to rebuild all indexes, or all indexes in a specific state using the "--bulkRebuild" argument.

DS-6511,DS-13576,DS-15809

Added support for equality composite indexes, which combine a mandatory equality filter pattern (for example, "(uid=?)") with an optional base DN pattern (for example, "ou=?,ou=Customers,dc=example,dc=com") to improve the performance of certain types of searches in directories with a very large number of entries, and in particular with a very large number of non-leaf entries. Equality composite indexes offer two distinct advantages over the existing equality attribute indexes in these kinds of deployments:

- In deployments with a highly branched DIT in which clients often search with a base DN at or below one of these branch points, the use of a base DN pattern allows the server to efficiently maintain an index that is scoped to these branches so that the candidate set will only include entries from the targeted branch rather than from the entire backend. This means that individual index keys are much less likely to have ID sets that exceed the index entry limit, or that could require examining a large number of entries that are outside the scope of the search.

- In deployments with any DIT structure, equality composite indexes are much more efficient than equality attribute indexes at maintaining index keys that match a very large number of entries.

As with equality attribute indexes, equality composite indexes can be used to efficiently search for entries matching an equality filter or a substring filter with a subInitial component. These filters may be requested by themselves, or they may be inside an AND or OR filter.
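
To make the two advantages above concrete, the following Python is an added example (not PingDirectory code) that models an equality attribute index keyed by value alone next to an equality composite index keyed by (branch selected by the base DN pattern, value). The constructed DIT has one "admin" account under every customer branch, and the index entry limit is set to a deliberately tiny constructed value of 4 so that the attribute index key for "admin" overflows while each composite key stays small. The DN handling assumes no escaped commas and single-valued RDNs.

```python
"""Equality attribute index vs equality composite index (added example)."""

INDEX_ENTRY_LIMIT = 4  # constructed, deliberately tiny, so the effect is visible


def _rdns(dn):
    # Assumption: no escaped commas in the constructed DNs used here.
    return [rdn.strip() for rdn in dn.split(",")]


def branch_for(dn, base_pattern):
    """Return the concrete base DN that 'dn' falls under for a pattern such as
    'ou=?,ou=Customers,dc=example,dc=com', or None if it is outside the pattern."""
    pattern = _rdns(base_pattern)
    comps = _rdns(dn)
    if len(comps) < len(pattern):
        return None
    tail = comps[-len(pattern):]
    for p, c in zip(pattern, tail):
        if p.endswith("=?"):
            if not c.lower().startswith(p[:-1].lower()):
                return None
        elif p.lower() != c.lower():
            return None
    return ",".join(tail)


class EqualityAttributeIndex:
    """Conventional index: key = attribute value, scoped to the whole backend."""

    def __init__(self, attribute):
        self.attribute = attribute
        self.keys = {}  # normalized value -> set of entry IDs

    def add(self, entry_id, entry):
        for value in entry.get(self.attribute, []):
            self.keys.setdefault(value.lower(), set()).add(entry_id)

    def candidates(self, value):
        """Candidate entry IDs, or None when the key exceeds the entry limit
        (the server then treats that filter component as unindexed)."""
        ids = self.keys.get(value.lower(), set())
        return None if len(ids) > INDEX_ENTRY_LIMIT else ids


class EqualityCompositeIndex:
    """Composite index: key = (branch chosen by the base DN pattern, value)."""

    def __init__(self, attribute, base_pattern):
        self.attribute = attribute
        self.base_pattern = base_pattern
        self.keys = {}  # (branch DN, normalized value) -> set of entry IDs

    def add(self, entry_id, entry):
        branch = branch_for(entry["dn"], self.base_pattern)
        if branch is None:
            return  # entries outside the pattern are simply not in this index
        for value in entry.get(self.attribute, []):
            self.keys.setdefault((branch.lower(), value.lower()), set()).add(entry_id)

    def candidates(self, search_base, value):
        """Candidate IDs for an equality search whose base is at or below a
        branch; None when this index cannot serve the search."""
        branch = branch_for(search_base, self.base_pattern)
        if branch is None:
            return None
        ids = self.keys.get((branch.lower(), value.lower()), set())
        return None if len(ids) > INDEX_ENTRY_LIMIT else ids


def build_indexes(entries):
    attr_index = EqualityAttributeIndex("uid")
    composite_index = EqualityCompositeIndex("uid", "ou=?,ou=Customers,dc=example,dc=com")
    for entry_id, entry in enumerate(entries):
        attr_index.add(entry_id, entry)
        composite_index.add(entry_id, entry)
    return attr_index, composite_index


# Constructed sample DIT: one "admin" account under each customer branch.
CUSTOMERS = ["Acme", "Globex", "Initech", "Umbrella", "Hooli", "Vandelay"]
SAMPLE_ENTRIES = []
for _c in CUSTOMERS:
    SAMPLE_ENTRIES.append({"dn": f"ou={_c},ou=Customers,dc=example,dc=com", "ou": [_c]})
    SAMPLE_ENTRIES.append({"dn": f"uid=admin,ou={_c},ou=Customers,dc=example,dc=com", "uid": ["admin"]})
SAMPLE_ENTRIES.append({"dn": "uid=jsmith,ou=Acme,ou=Customers,dc=example,dc=com", "uid": ["jsmith"]})
SAMPLE_ENTRIES.append({"dn": "uid=admin,ou=Staff,dc=example,dc=com", "uid": ["admin"]})

if __name__ == "__main__":
    attr_index, composite_index = build_indexes(SAMPLE_ENTRIES)
    base = "ou=Acme,ou=Customers,dc=example,dc=com"
    print("attribute index:", attr_index.candidates("admin"))          # None: over the limit
    print("composite index:", composite_index.candidates(base, "admin"))  # one branch-local ID
```

The candidate set is only the first step: a real server still evaluates each candidate against the search scope and full filter, so a search based below a branch (the Globex case in the test) gets the branch's small candidate set and then discards anything outside its scope.
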

DS-8914

Added the only-cache-frequently-accessed option to the FIFO Entry Cache to allow only frequently accessed entries to be cached, and added a new Frequently Accessed Entry Cache to the default server configuration. This can speed up server performance when a few entries are accessed frequently, such as system accounts that are retrieved from the backend for each access that is done by the Directory Proxy Server or for frequently repeated queries over a small subset of data.

DS-9808

By default, replication no longer replicates entries from subordinate backends. Previously, replication enabled for the base DN dc=example,dc=com would also replicate changes from another backend whose base DN was subordinate to dc=example,dc=com (for example, dc=child,dc=example,dc=com). Upgraded installations will not experience a behavior change. See the command help for the new "allow-inherited-replication-of-subordinate-backends" global configuration property.

DS-10694

Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.

Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear.

DS-10748

Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler.

DS-12216

Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured.

DS-12322

In order to avoid assured replication timeouts, replication will be disabled during explicit garbage collection.

DS-12520

Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the Directory Server (for cases in which each server contains a complete copy of the data) or the Directory Proxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing).

DS-13721

Corrected the port number returned in the error message that is displayed when an administrator is trying to set up a server that is already running.

DS-14650

Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses.

DS-15861,DS-15862

Replaced the ldapsearch and ldapmodify tools with new versions. The new versions are backward-compatible, but offer a number of new features, including better connection handling, better output formatting, better support for bulk operations, support for referrals, support for additional request and response controls, and rate limiting. The ldapsearch tool now offers the ability to output results in JSON, CSV, or tab-delimited text as an alternative to LDIF, and provides support for a number of data transformations. The ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files.

DS-15978

Added global configuration property replication-history-limit. When set, replication-history-limit specifies the maximum length of the operational attribute ds-sync-hist in bytes.

DS-16018

Updated the encryption-settings tool to provide the ability to export or import multiple encryption settings definitions with a single command.

DS-16117

Updated the server to use the latest 7.0.6 release of Berkeley DB Java Edition.

DS-16170

Updated support for the GSSAPI SASL mechanism to make it possible to configure whether the server should act as a GSSAPI acceptor or an initiator.

DS-16361

Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.

Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed.
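
The three failure modes named above (accepting badly encoded DNs, storing hex-encoded DNs incorrectly, and not matching a hex-encoded DN against its plain form) all come down to normalizing RDN values before storing or comparing them. The following Python is an added example for this page, not PingDirectory's DN code: it decodes the RFC 4514 '#hexstring' form (hex of the BER-encoded value), rejects malformed encodings instead of accepting them, and compares DNs on their normalized form so either representation finds the same entry. It assumes string-typed attributes with a handful of BER string tags, case-insensitive (caseIgnoreMatch) values, single-valued RDNs and no escaped commas.

```python
"""Normalize DNs whose RDN values use RFC 4514 '#hexstring' encoding (added example)."""
import re

# BER tags this example accepts for the encoded value (assumption: a real
# server handles every attribute syntax; these cover string-typed attributes).
_STRING_TAGS = {0x04: "OCTET STRING", 0x0C: "UTF8String",
                0x13: "PrintableString", 0x16: "IA5String"}


def decode_hex_value(hexstring):
    """Decode '#<hex>' (hex of the BER-encoded value) into the plain value.

    Raises ValueError for odd-length or non-hex digits, an unsupported tag, or a
    length field that does not match the content: the kinds of malformed DN
    that should be rejected rather than accepted and stored.
    """
    if not hexstring.startswith("#"):
        raise ValueError("hex-encoded value must start with '#'")
    digits = hexstring[1:]
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", digits):
        raise ValueError(f"hex string must be a non-empty sequence of hex pairs: {hexstring!r}")
    raw = bytes.fromhex(digits)
    if len(raw) < 2:
        raise ValueError("BER value too short")
    tag, first_len = raw[0], raw[1]
    if tag not in _STRING_TAGS:
        raise ValueError(f"unsupported BER tag 0x{tag:02X}")
    if first_len < 0x80:                      # short-form length
        length, content = first_len, raw[2:]
    else:                                     # long-form: n length bytes follow
        n = first_len & 0x7F
        if n == 0 or len(raw) < 2 + n:
            raise ValueError("malformed BER length")
        length, content = int.from_bytes(raw[2:2 + n], "big"), raw[2 + n:]
    if len(content) != length:
        raise ValueError(f"BER length {length} does not match {len(content)} content bytes")
    return content.decode("utf-8")


def normalize_rdn_value(value):
    """Comparison-ready form of an RDN value given in string or '#hex' form.

    Assumption: the attribute uses a case-insensitive string syntax, so the
    decoded value is case-folded.
    """
    plain = decode_hex_value(value) if value.startswith("#") else value
    return plain.casefold()


def normalize_dn(dn):
    """Normalize each RDN: type lower-cased, value decoded and case-folded.

    Assumption: single-valued RDNs and no escaped commas or '+' separators.
    """
    parts = []
    for rdn in dn.split(","):
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append(f"{attr_type.strip().lower()}={normalize_rdn_value(value.strip())}")
    return ",".join(parts)


def dns_equal(dn1, dn2):
    return normalize_dn(dn1) == normalize_dn(dn2)


def is_well_formed(dn):
    """True if every RDN value in the DN decodes cleanly."""
    try:
        normalize_dn(dn)
        return True
    except ValueError:
        return False


def find_entry(entries, dn):
    """Look up an entry by DN regardless of which representation was stored."""
    target = normalize_dn(dn)
    for entry in entries:
        if normalize_dn(entry["dn"]) == target:
            return entry
    return None


# Constructed sample: the first entry was stored with a hex-encoded RDN ("foo").
SAMPLE_ENTRIES = [
    {"dn": "cn=#0C03666F6F,dc=example,dc=com", "cn": ["foo"]},
    {"dn": "cn=bar,dc=example,dc=com", "cn": ["bar"]},
]

if __name__ == "__main__":
    print(normalize_dn("CN=#0C03666F6F, DC=Example,dc=com"))
    print(find_entry(SAMPLE_ENTRIES, "cn=foo,dc=example,dc=com"))
    print(is_well_formed("cn=#0C0466,dc=example,dc=com"))  # length says 4, one byte present
```

Storing the normalized form (or at least comparing on it) is what makes the export-and-re-import advice above necessary after the fix: entries and DN-syntax index keys written under the old, inconsistent handling may not equal their correctly normalized form.
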

DS-16405

The SNMP context name for the server can now be configured using the new context-name property of the SNMP Subagent Plugin. The server instance name remains the default context name when this property is not set.

DS-16431

Removed the "ssl-encryption" attribute from replication related monitor entries that refer to communication that is internal to the server. Only "Remote Repl Server" entries still have an "ssl-encryption" attribute as that communication is over the network.

DS-16500

Updated "dsreplication initialize" to be more defensive when initializing a remote replica. Errors should be detected and reported much sooner.

DS-16509

Updated the access and audit loggers so that, when logging information about an internal operation that was triggered by an external client request, the log message will include the connection and operation ID for that request. Also updated the error logger so that when logging a message from a thread that is actively processing an operation, the log message will include the connection and operation ID for that operation.

DS-16593

Fixed an issue where incorrect names were displayed in the usage for the start scripts.

DS-16609

Replicating Directory Servers no longer wait on startup for the replication backlog to drop below startup-min-replication-backlog-count, when the replication backlog is due to replicas containing incorrect generation IDs.

DS-16638

Updated the server to automatically store some JSON field values in a more compact manner in order to reduce the on-disk and in-memory footprint required for that data.

DS-16723

Added validation to the dsreplication command so that it no longer allows a server to be added to a domain when the requested restricted status does not match the restricted status of existing servers in the domain.

DS-16755

Added a new plugin to monitor sub-operation phases and gather diagnostic information. The plugin supports adding a request criteria so that the monitoring can be scoped to a specific set of entries.

The information collected is exposed in a monitor entry named cn=Sub-Operation Timing in cn=monitor.

DS-16789

The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product.

DS-16855

Fixed an issue where character set password validators would not retain the values for character sets that differed only by case.

DS-16858

The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made.

DS-16906

Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend.

DS-16933

Fixed a race condition that could cause a VLV index to become corrupted with a high concurrent modification rate involving values close to each other in the sort order. The problem was uncovered during internal testing with a configuration that is unlikely to be used in production environments.

DS-16955

Fixed an issue during upgrade where a backend initialization error could occur for the Changelog Backend indicating "Environment is Read-Only."

DS-16982

Fixed an exception that prevented editing a Replication Synchronization Provider in the PingData Administrative Console.

DS-16990,DS-16994

Fixed an issue that could cause the server to incorrectly report the length of time until an account becomes locked after remaining unused for too long, or until an account becomes locked for failing to choose a new password in a timely manner after an administrative reset. The incorrect information would appear in account usability messages in a password policy state extended response or a get password policy state issues response control, and did not affect the server's ability to correctly enforce password policy.

DS-17002

Updated support for the UNBOUNDID-MS-CHAP-V2 SASL mechanism to make it easier for an intermediate application to support delegating MS-CHAPv2 authentication to the Directory Server. This includes:

- The client SDK has been updated to make it easier to issue separate bind requests for each phase of the two-step authentication process. Previously, the API only exposed a single bind request that would perform both stages of the process.

- A new "proxied MS-CHAPv2 details" request control has been provided, which can be used to allow an intermediate application acting as an MS-CHAPv2 server to generate its own server challenge rather than obtaining one from the Directory Server.

- The client SDK has been updated to improve the javadoc documentation. A number of examples are included to demonstrate the process of using the SDK to authenticate with the UNBOUNDID-MS-CHAP-V2 mechanism. The README file has also been updated with instructions for enabling server-side support for the UNBOUNDID-MS-CHAP-V2 mechanism.

DS-17007

Updated the commonly-used passwords dictionary to include many additional values, including known passwords used in several real-world breaches.

DS-17008

Fixed an issue that could impede the timely replication of subtree-delete requests contained in a transaction.

DS-17011

Updated the password storage schemes using the crypt, PBKDF2, and scrypt algorithms to provide the ability to impose an upper bound on the length of the passwords that they will accept. By default, any attempt to use a password longer than 200 bytes will be rejected, although this limit can be adjusted with the max-password-length property in the password storage scheme configuration.

These algorithms involve expensive computation, and encoding or validating a longer password is more expensive than encoding or validating a shorter password. A malicious client may try to launch a denial of service attack by issuing bind requests with exceptionally long passwords (with no expectation that those passwords are correct). Imposing an upper limit on password length can mitigate such attacks by rejecting those bind requests without performing any of the expensive processing required to validate the password.

Although the bcrypt algorithm also involves expensive processing, it already provides protection against this type of attack by only evaluating up to 72 bytes of a password, so the server does not need to impose an upper limit for passwords used with this scheme.
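
The guard described above, as an added example (not the server's own storage scheme code): a PBKDF2 scheme that enforces a byte-length bound before any key derivation runs. The 200-byte default is the one named in the note; the iteration count, salt size, encoded-string layout and the call counter used to show that no work was spent are assumptions for this illustration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LENGTH_BYTES = 200   # the default max-password-length from the note
PBKDF2_ITERATIONS = 100_000       # assumed; not the server's setting
SALT_BYTES = 16                   # assumed

_kdf_calls = 0                    # counts key-derivation runs, for demonstration only


class PasswordTooLongError(ValueError):
    """Raised before any key derivation work is done."""


def kdf_call_count() -> int:
    return _kdf_calls


def _check_length(password: str) -> bytes:
    # Bound the UTF-8 byte length, not the character count: 101 two-byte
    # characters is 202 bytes and must be rejected even though it looks short.
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_LENGTH_BYTES:
        raise PasswordTooLongError(
            f"password is {len(encoded)} bytes; limit is {MAX_PASSWORD_LENGTH_BYTES}")
    return encoded


def _derive(encoded: bytes, salt: bytes, iterations: int) -> bytes:
    global _kdf_calls
    _kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", encoded, salt, iterations)


def encode_password(password: str) -> str:
    """Return a self-describing string: iterations$salt-hex$digest-hex."""
    encoded = _check_length(password)
    salt = os.urandom(SALT_BYTES)
    digest = _derive(encoded, salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Return False for over-length input without spending any PBKDF2 work."""
    try:
        encoded = _check_length(password)
    except PasswordTooLongError:
        return False
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = _derive(encoded, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

The check is on the encoded byte length because that is also what drives the cost of the KDF; a limit on the number of characters would still let a multi-byte password several times larger through. bcrypt differs, as the note says: its input is truncated at 72 bytes, so the cost is bounded by construction, but that also means bytes beyond the 72nd never contribute to the hash.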

DS-17019

The server now requires Java version 8.

DS-17020

Fixed an issue with the dictionary password validator that would cause it to stop processing the dictionary file once it encountered a blank line or a line containing only spaces. Any dictionary entries contained in the file after that point were incorrectly ignored.
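
An added illustration of the failure mode (not the server's validator code): a dictionary loader that stops at the first blank line beside one that skips blank lines, together with the consistency check a practitioner would want after loading a word list. The dictionary contents are constructed.

```python
# Constructed dictionary text: blank and whitespace-only lines appear mid-file.
SAMPLE_DICTIONARY = "password\n123456\n\n   \nletmein\nqwerty\n"


def load_dictionary_stop_at_blank(text: str) -> set:
    """Reproduces the bug: processing ends at the first blank or whitespace-only line."""
    words = set()
    for line in text.splitlines():
        word = line.strip()
        if not word:
            break                      # everything after this line is silently lost
        words.add(word.lower())
    return words


def load_dictionary(text: str) -> set:
    """Fixed behaviour: blank and whitespace-only lines are skipped, not treated as EOF."""
    words = set()
    for line in text.splitlines():
        word = line.strip()
        if word:
            words.add(word.lower())
    return words


def expected_entry_count(text: str) -> int:
    """Independent count of non-blank lines; equals len(load_dictionary(text))
    when the file has no duplicate entries, so a shortfall reveals a truncated load."""
    return sum(1 for line in text.splitlines() if line.strip())


def is_dictionary_word(password: str, words: set) -> bool:
    return password.lower() in words
```

The point of `expected_entry_count` is that a validator which loads fewer entries than the file contains fails silently: every password after the blank line is accepted, and nothing in normal operation reveals it. Comparing the loaded count with the line count at startup turns that into a visible error.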

DS-17042

Fixed an issue that could cause the server to compute a slightly incorrect password expiration time for an account that is within the password expiration warning interval, based on whether the server had provided an expiration warning to that user.

DS-17046

Fixed an issue where user resource limits defined on the authorization entry were not being enforced after a remote bind using the pass-through authentication plugin.

DS-17048

Fixed an issue where subtree view restrictions could register "replication replay failed" alerts when attempting to replay a subtree delete operation.

DS-17074

Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation.

DS-17078

Fixed a couple of cases in which filtered SCIM searches for groups did not return groups with missing members.

DS-17080

Improved error reporting for the manage-extensions tool.

DS-17146

Updated the logic used to select which TLS cipher suites should be enabled by default, and the logic used to prioritize those cipher suites. The selection process has been updated to use the guidelines provided in the OWASP "Transport Layer Protection Cheat Sheet" document.

Some of the changes include:

- The server already preferred cipher suites that support forward secrecy over those that don't. It now prefers DHE over ECDHE, and avoids suites that use non-RSA keys.

- The server already avoided cipher suites with known cryptographic weaknesses, including null encryption, the RC4 symmetric cipher, and the MD5 digest algorithm. It now also avoids anonymous (unauthenticated) key exchange, the single-DES symmetric cipher, the IDEA symmetric cipher, and any suite using export-grade encryption.

- The server now prefers cipher suites that use the Galois/Counter Mode (GCM) over the Cipher Block Chaining (CBC) mode.

- The server now prefers AES-based cipher suites with 256-bit keys over those that use 128-bit keys. For suites with equivalent key sizes, it prefers suites with a stronger message digest algorithm over suites with a weaker digest algorithm (e.g., SHA384 over SHA256 over SHA).

- The server now provides better support for selecting and prioritizing cipher suites when running on the IBM JVM. The IBM JVM uses somewhat different names for its cipher suites than the Oracle implementation, which previously caused certain desirable suites to be omitted from the selected set.
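
The selection and ordering rules above, as an added example (not the server's implementation, which is Java): a filter and sort over a constructed list of JSSE-style suite names. It applies the bullets in the order the note lists them (key exchange, then GCM over CBC, then AES key size, then digest) and keeps the note's stated preference of DHE over ECDHE in a single tuple so it can be changed in one place; "non-RSA keys" is taken here to mean suites that require ECDSA or DSS certificates. The list of supported suites is constructed and deliberately includes weak suites.

```python
import re

# Constructed input: what a JVM might report as its supported suites, including
# suites the note says must never be selected.
SAMPLE_SUPPORTED_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",   # needs an ECDSA key: excluded
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",                  # RC4
    "TLS_RSA_WITH_NULL_SHA256",                  # null encryption
    "TLS_DH_anon_WITH_AES_256_GCM_SHA384",       # anonymous key exchange
    "SSL_RSA_WITH_DES_CBC_SHA",                  # single DES
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",            # export grade, RC4, MD5
    "SSL_RSA_WITH_IDEA_CBC_SHA",                 # IDEA
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",       # needs a DSS key: excluded
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

# Substrings whose presence disqualifies a suite outright.
REJECTED_MARKERS = ("_NULL_", "_RC4_", "_MD5", "_anon_", "_DES_", "_IDEA_",
                    "_EXPORT_", "_ECDSA_", "_DSS_")

# Preference order for key exchange as stated in the note (forward secrecy first).
KEY_EXCHANGE_PREFERENCE = ("DHE", "ECDHE", "RSA")
DIGEST_PREFERENCE = ("SHA384", "SHA256", "SHA")


def is_acceptable(suite: str) -> bool:
    return not any(marker in suite for marker in REJECTED_MARKERS)


def _key_exchange(suite: str) -> str:
    if "_ECDHE_" in suite:
        return "ECDHE"
    if "_DHE_" in suite:
        return "DHE"
    return "RSA"


def _digest(suite: str) -> str:
    for name in DIGEST_PREFERENCE:
        if suite.endswith("_" + name):
            return name
    return "SHA"                                  # unknown digests rank last


def priority_key(suite: str):
    """Lower tuples sort first: key exchange, then mode, then AES key size, then digest."""
    kex_rank = KEY_EXCHANGE_PREFERENCE.index(_key_exchange(suite))
    mode_rank = 0 if "_GCM_" in suite else 1
    m = re.search(r"AES_(\d+)_", suite)
    key_bits = int(m.group(1)) if m else 0        # non-AES suites rank after AES ones
    digest_rank = DIGEST_PREFERENCE.index(_digest(suite))
    return (kex_rank, mode_rank, -key_bits, digest_rank)


def select_cipher_suites(supported):
    """Return the enabled suites in the order a server should offer them."""
    return sorted((s for s in supported if is_acceptable(s)), key=priority_key)
```

Whatever the configured preference, the JVM decides which suites exist at all, so confirm the result from outside after deploying, for example with `nmap --script ssl-enum-ciphers` against the LDAPS port, rather than trusting the configuration alone.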

DS-17165

Fixed an exception in the Local DB Index management menu that occurred when abandoning or resuming index creation.

DS-17174

Added the ability to customize the LDAP join size limit, which was previously hard-coded to 1000 entries. The ldap-join-size-limit global configuration property, which has a default value of 10000, can be used to set the default server-wide size limit. This default limit can be overridden on a per-user basis by setting the ds-rlim-ldap-join-size-limit operational attribute in the user's entry. It is also possible to use the maximum-ldap-join-size-limit property in the client connection policy configuration to set an absolute maximum join size limit for all requests received on connections associated with that client connection policy.

DS-17211

Fixed an issue where the milliseconds reported in the modifyTimestamp attribute could be up to 100 ms behind the actual modification time.

DS-17235

Updated the SCIM interface to reliably produce JSON rather than XML in response to a GET operation if an Accept header is not present, or when an Accept header provided by the client does not indicate a preference between JSON and XML.

DS-17237

Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain.

DS-17241

The Administrative Console is no longer compatible with older versions of the server.

DS-17243

Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.

Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.

The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the Directory Proxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).

The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that may exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced.

DS-17252

Fixed an issue where repeated modifications to a single entry could result in a replication backlog of all changes. A side effect of this change is that changing the number of replication replay threads now requires a server restart.

DS-17267

Eliminated a spurious warning message written to the server error log for changes that are part of an LDAP transaction or an atomic multi-update operation while a persistent search is active.

DS-17270

Updated the SCIM 1.1 interface to treat query parameters (such as sortBy, sortOrder, startIndex) case-insensitively.

DS-17271

The SCIM 1.1 interface has been changed to reject searches specifying a sortBy parameter that cannot be processed, rather than processing the search as if the parameter had not been present.

DS-17275

SCIM 1.1 clients can obtain diagnostic information about how the Directory Server processes a search query, by specifying attributes=debugsearchindex as a query parameter.

DS-17298

HTTP TRACE requests have been disabled and will now return an HTTP status code of 405 (Method Not Allowed).

DS-17305

Updated the server to dynamically calculate the optimal replication window and queue sizes from the configured num-recent-changes value on the backend. Increasing the num-recent-changes setting can lead to an increased peak server modification rate and reduce the possibility of replication backlogs. Since the combined window and queue sizes must not exceed the num-recent-changes value, the window-size and queue-size configuration settings on the Replication Server are no longer configurable separately.

DS-17306

Fixed an issue that could cause the server to add a second entryUUID value to an entry being imported from LDIF, if that entry used entryUUID as an RDN attribute but didn't include it in the set of attributes for the entry.

DS-17311

Fixed an issue where notification delivery could halt after processing a subtree delete operation within a multi-update request.

DS-17318

Removed the default root password from the out-of-the-box configuration. This password was never actually used because it was replaced by the user-supplied password provided when running setup, and it has been removed for additional security.

DS-17357

Fixed a problem that could cause the backup utility to compute an incorrect hash when performing an online backup.

DS-17362

Updated the SCIM 1.1 SDK to improve the performance of the User groups and Group members attributes. The virtual attribute "isDirectMemberOf" is used by this enhancement, and should be enabled.

DS-17372

Replication will no longer generate or accept replication changes that have timestamps that are too far in the future.

DS-17374

Improved the error reporting for searches involving isMemberOf that fail because the global size limit has been reached.

DS-17427

Updated the Server SDK to provide support for privileges. It is now possible to determine whether a user has a given privilege, and to obtain a list of the privileges that have been assigned to a user.

DS-17428

Updated the Server SDK to provide support for groups. It is now possible to determine whether a user is a member of a specified group, to obtain the set of groups in which a user is a member, and to iterate over the members of a specified group.

DS-17431

The aci and objectClass indexes have enforced minimum index entry limits to ensure proper server performance. The enforced minimum will be used unless a higher value is specified.

DS-17433

When a replicated backend does not contain the expected generation ID, an alarm will be raised.

DS-17440

Updated to Berkeley DB Java Edition 7.3.7.

DS-17443

The search-filter-pattern property of the Pass Through Authentication Plugin now allows modifiers (such as "ldapFilterEscape" and "trim") to be used with attribute substitutions. This addresses an issue where binary attributes were not properly escaped in the LDAP filter. See the documentation for the search-filter-pattern property for more information.
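
An added example of why the modifier matters (not the plugin's own code): an RFC 4515 escaper for string and binary values, applied through a small pattern expander. The `{attribute:modifier}` token syntax, the exact semantics of the two modifiers and the entry contents are assumptions made for this illustration; the values are constructed.

```python
import re

# Constructed user entry: a padded uid, a cn with filter metacharacters, and a
# binary attribute that happens to contain "*" and ")" bytes.
CONSTRUCTED_ENTRY = {
    "uid": "  jdoe  ",
    "cn": "Doe (admin)*",
    "objectGUID": b"\x8a*)\x01",
}

# Bytes that RFC 4515 requires to be escaped; controls and non-ASCII are escaped
# too so the result is printable and a binary value survives intact.
_MUST_ESCAPE = frozenset(b"*()\\\x00")


def ldap_filter_escape(value) -> str:
    """Escape a str or bytes value for use inside an LDAP search filter (\\XX form)."""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    out = []
    for b in data:
        if b in _MUST_ESCAPE or b < 0x20 or b > 0x7e:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


MODIFIERS = {
    "trim": lambda v: v.strip() if isinstance(v, str) else v,
    "ldapFilterEscape": ldap_filter_escape,
}

# Hypothetical token syntax: {attribute} or {attribute:modifier:modifier...}
_TOKEN = re.compile(r"\{([A-Za-z][A-Za-z0-9-]*)((?::[A-Za-z]+)*)\}")


def expand_pattern(pattern: str, entry: dict) -> str:
    """Substitute attribute values into the pattern, applying modifiers left to right."""
    def substitute(match):
        attr = match.group(1)
        modifiers = [m for m in match.group(2).split(":") if m]
        value = entry[attr]
        for name in modifiers:
            value = MODIFIERS[name](value)
        if isinstance(value, bytes):
            # What an unescaped binary substitution amounts to: raw bytes dropped
            # into the filter text, where "*" and ")" change its meaning.
            value = value.decode("latin-1")
        return value
    return _TOKEN.sub(substitute, pattern)


def filter_is_balanced(filter_text: str) -> bool:
    """Cheap structural check: unescaped parentheses must balance."""
    depth = 0
    i = 0
    while i < len(filter_text):
        c = filter_text[i]
        if c == "\\":
            i += 3                     # skip a \XX escape
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0
```

The unescaped substitution of the binary value produces a filter whose parentheses no longer balance, which is the benign outcome; a value chosen by the subject (a `*` or a `)(objectClass=*` fragment in a self-service attribute) changes which entry the plugin binds as instead. Escaping every substituted value is the only safe default.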

DS-17444

Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:

- When hashing or signing a backup.
- When signing an LDIF export.
- When signing log data.
- When generating MACs for an encrypted collect-support-data archive.
- When generating unique identifiers for encryption settings definitions.
- When determining whether the configuration changed with the server offline.

In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.

Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.

Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest.
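
An added example (not the server's format) of the compatibility mechanism the note describes: signed output that carries the MAC algorithm in its own metadata, so a verifier that understands both algorithms can check either. The header layout, the key and the payload are assumptions; binding the algorithm name into the MAC input is this example's own choice, not something the note states.

```python
import hashlib
import hmac

# Algorithms a verifier knows how to check. A stricter deployment can pass a
# smaller accepted set to refuse legacy signatures while still parsing them.
KNOWN_ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
CURRENT_ALGORITHM = "sha256"     # what a new writer emits

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"   # constructed


def _mac(algorithm: str, key: bytes, payload: bytes) -> bytes:
    # Bind the algorithm name into the MAC so the header cannot be rewritten to
    # point a verifier at a different algorithm without the MAC failing.
    return hmac.new(key, algorithm.encode("ascii") + b"\n" + payload,
                    KNOWN_ALGORITHMS[algorithm]).digest()


def sign(payload: bytes, key: bytes, algorithm: str = CURRENT_ALGORITHM) -> bytes:
    """Produce 'alg=<name>;mac=<hex>' on the first line, followed by the payload."""
    tag = _mac(algorithm, key, payload).hex()
    return f"alg={algorithm};mac={tag}\n".encode("ascii") + payload


def verify(signed: bytes, key: bytes, accepted=frozenset(KNOWN_ALGORITHMS)):
    """Return (ok, algorithm, payload); the algorithm comes from the metadata."""
    header, sep, payload = signed.partition(b"\n")
    if not sep:
        return False, None, None
    try:
        fields = dict(item.split("=", 1) for item in header.decode("ascii").split(";"))
        expected = bytes.fromhex(fields.get("mac", ""))
    except (ValueError, UnicodeDecodeError):
        return False, None, None
    algorithm = fields.get("alg")
    if algorithm not in KNOWN_ALGORITHMS or algorithm not in accepted:
        return False, algorithm, None
    ok = hmac.compare_digest(_mac(algorithm, key, payload), expected)
    return ok, algorithm, (payload if ok else None)
```

An older verifier that only knows SHA-1 can still parse a SHA-256 header and fail cleanly with the algorithm name in hand, which is the behaviour to aim for; a format with no algorithm metadata would have to be guessed at from the tag length.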

DS-17466

Fixed a bug where transactions grew read-write locks in the lock table without removing them when no longer needed.

DS-17478

Updated the server so that multiple entryDN virtual attributes can be created with different attribute types.

DS-17480

An LDAP search whose filter combines indexed and virtual attribute components will now return the indexed results if the virtual attribute evaluation returns no results, for example because the virtual results exceed the size limit.

DS-17483

Fixed an issue that could cause the pre-read and post-read response controls to be created with a criticality of true.

DS-17504

If the server is shutting down, replication will not try to connect to other servers in the topology, which can speed up server shutdown when remote servers are unresponsive.

DS-17523

Fixed an issue that prevented users from using the adminPasswordFile argument with dsreplication.

DS-17526

Updated the memory usage calculation of the group cache to occur in a background thread. This eliminates the possibility of blocking application threads in rare situations where the group cache calculation is expensive. Also, any time that the calculation takes longer than 10 seconds, the server will stop maintaining the memory usage for the group cache since in environments with a very high number of groups, this could lead to garbage collection pauses over 5 seconds.

DS-17531

Fixed an issue that could cause a sync pipe to crash due to missing attributes in the changelog.

DS-17544

The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root.

DS-17554

The virtual attribute "isDirectMemberOf" is now enabled by default in PingDirectory Server.

DS-17576

Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information.

DS-17596

Fixed an issue where an OR filter involving multiple isMemberOf clauses would return no matches.

DS-17606

Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK.

DS-17639

Updated to Berkeley DB Java Edition 7.4.5.

DS-17699,DS-17763

Fixed the task-based tools to allow the use of password files and to prevent passing a bind DN to the server when using a SASL EXTERNAL bind request.

DS-17709

Fixed an issue in which the server would incorrectly accept a DN containing an attribute value that started with an unescaped plus sign (for example, "telephoneNumber=+1 800 555 1234,ou=People,dc=example,dc=com"). In a DN, plus signs are used to separate the name-value pairs in a multivalued RDN, and any plus sign contained in an RDN value must be escaped with a backslash (like "telephoneNumber=\+1 800 555 1234,ou=People,dc=example,dc=com"). These kinds of malformed DNs are likely to cause problems with clients that encounter them, and the server now correctly rejects them.
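
An added example of the check (not the server's DN parser): an RFC 4514-style splitter that separates RDNs on unescaped commas and name-value pairs on unescaped plus signs. A value that starts with an unescaped "+" therefore surfaces as a second component with no "=" and is rejected, while the backslash-escaped form from the note parses as one value. The DNs used in the checks are constructed.

```python
import re

_ATTRIBUTE_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
_SPECIAL = ' "#+,;<=>\\'      # characters RFC 4514 lets a backslash escape directly


class MalformedDNError(ValueError):
    pass


def _split_unescaped(text: str, separator: str) -> list:
    """Split on separator characters that are not part of a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise MalformedDNError("trailing backslash")
            buf.append(text[i:i + 2])      # keep the escape intact for _unescape
            i += 2
            continue
        if c == separator:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve \\<special> and \\XX (UTF-8 byte) escapes in an attribute value."""
    raw = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c != "\\":
            raw += c.encode("utf-8")
            i += 1
        elif value[i + 1] in _SPECIAL:
            raw.append(ord(value[i + 1]))
            i += 2
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raise MalformedDNError(f"bad escape sequence at offset {i} in {value!r}")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        raise MalformedDNError("escaped bytes are not valid UTF-8")


def parse_dn(dn: str) -> list:
    """Return the DN as a list of RDNs, each a list of (attribute, value) pairs."""
    if dn == "":
        return []                       # the empty DN is valid
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            attribute, eq, value = ava_text.partition("=")
            attribute = attribute.strip()
            if not eq or not _ATTRIBUTE_TYPE.match(attribute):
                # "telephoneNumber=+1 800 ..." lands here: the unescaped "+" makes
                # "1 800 555 1234" look like a second name-value pair with no "=".
                raise MalformedDNError(f"malformed name-value pair {ava_text!r} in {dn!r}")
            pairs.append((attribute, _unescape(value)))
        rdns.append(pairs)
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except MalformedDNError:
        return False
```

The same splitter is what a client would use to take such a DN apart, which is why the malformed form causes trouble downstream: a client that splits on "+" sees a component it cannot interpret and either fails or silently mis-parses the entry's name.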

DS-17775

Replication initialization has been enhanced to allow multiple initializations to run concurrently in some cases. When the initializations are for the same base DN each server may only participate in a single initialization. When the initializations are for different base DNs, there is no such limit.

DS-17783

Added the ability to configure connection or request criteria that can identify add requests for entries that should be named with the server-generated entryUUID value. Although the server provides a name with entryUUID request control that can be included in add requests to specifically indicate that the entry should use entryUUID as the naming attribute, it may also be desirable to use criteria to identify requests from clients that cannot use the control, but that may benefit from this functionality.

DS-17850

Updated the isMemberOf virtual attribute provider to add an optional included-group-filter configuration property. If provided, the virtual attribute will only include the DNs of groups in which the associated user is a member and that also match the given filter. For example, configuring an included-group-filter of "(objectClass=groupOfURLs)" would ensure that only dynamic groups are listed in the values of the virtual attribute.

DS-17886

Replication no longer hangs when disabled for some, but not all, servers for a restricted domain.

DS-17912

A check was added to ensure that a search with a VLV sort does not exceed the search time limit.

DS-17921

Added a new salt-length-bytes configuration property to the Salted MD5, Salted SHA-1, Salted SHA-256, Salted SHA-384, and Salted SHA-512 password storage schemes. If configured, this property will specify the size of the salt generated for new encoded passwords. If it is not defined, the server will continue to use the default size of eight bytes (64 bits).

This property only controls the size of the salt used when encoding new passwords. The server already had the ability to interpret encoded passwords with different salt lengths, so any existing passwords encoded with a different salt length will continue to work.
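To show why a configurable salt length stays compatible with existing passwords, here is an added Python example (not PingDirectory's own implementation) of a salted-digest scheme. It assumes the common layout base64(digest(password || salt) || salt); the verifier recovers the salt length from the decoded length minus the digest size, so values encoded with 8-byte and 16-byte salts both verify.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed scheme tags and their digest algorithms.
SCHEMES = {"SMD5": "md5", "SSHA": "sha1", "SSHA256": "sha256",
           "SSHA384": "sha384", "SSHA512": "sha512"}


def encode_password(password, scheme="SSHA256", salt_length_bytes=8, salt=None):
    """Encode as {SCHEME}base64(digest(password||salt) || salt).

    salt_length_bytes plays the role of the salt-length-bytes property;
    8 bytes (64 bits) is the default. A fixed salt may be passed for tests.
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    if salt is None:
        if salt_length_bytes < 1:
            raise ValueError("salt must be at least one byte")
        salt = secrets.token_bytes(salt_length_bytes)
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def _split_encoded(encoded):
    """Return (algorithm, stored_digest, salt) for an encoded value."""
    if not encoded.startswith("{") or "}" not in encoded:
        raise ValueError("missing scheme prefix")
    scheme, b64 = encoded[1:].split("}", 1)
    algorithm = SCHEMES.get(scheme.upper())
    if algorithm is None:
        raise ValueError(f"unknown scheme {scheme!r}")
    raw = base64.b64decode(b64, validate=True)
    digest_len = hashlib.new(algorithm).digest_size
    if len(raw) <= digest_len:
        raise ValueError("encoded value carries no salt")
    # Whatever follows the fixed-size digest is the salt, so any salt
    # length that was used at encoding time is recovered here.
    return algorithm, raw[:digest_len], raw[digest_len:]


def salt_length_of(encoded):
    """Salt length in bytes that was used when the value was encoded."""
    return len(_split_encoded(encoded)[2])


def verify_password(password, encoded):
    """Constant-time check of a clear-text password against an encoded value."""
    algorithm, stored, salt = _split_encoded(encoded)
    computed = hashlib.new(algorithm, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, computed)
```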

DS-17927

The Pass Through Authentication Plugin will now record Last Login Time and Last Login IP Address in the event of a successful remote bind, regardless of the value of try-local-bind.

DS-17928

Fixed an issue that could cause different versions of the same schema elements to appear in the server's subschema subentry. If a schema element was defined in an earlier file but then overridden in a later schema file, or if an existing schema element was changed on the fly with the add schema file task (or the load-ldap-schema-file tool, which uses that task behind the scenes), then the schema entry would incorrectly show both the previous and updated versions of the schema element.

DS-17953

Fixed an issue that could cause the entry in a pre-read or post-read response control to include virtual attributes that don't have any values.

DS-17968

Limited the ACI search in the collect-support-data tool to at most 100 entries. This reduces the time the tool takes to run for organizations with a large number of ACIs.

DS-17999

Sync Attribute Mapping modifier names, such as "jsonEscape", are now case insensitive.

DS-18007

Updated the 'changes' attribute in the changelog backend to use the correct previous value when use-reversible-form is set to true.

DS-18016

Added support for the X-Forwarded-Prefix header to override the context path of operations processed by HTTP Servlet Extensions.

DS-18018

Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:

- Whether the password update is a self change or an administrative reset

- Whether to accept or reject pre-encoded passwords

- Whether to perform or skip password quality validation for the new password

- Whether to check to see if the new password matches the current password or any password in the user's history

- Whether to enforce or ignore the minimum password age constraint

- Which password storage scheme to use when encoding the new password

- Whether the user must be required to choose a new password before being permitted to request any other operations

DS-18030

Updated the password policy state extended operation to make it possible to determine whether the target user has a static password. Also, updated the server's support for the get password policy state issues functionality so that it will include an account usability notice if the target user does not have a static password. Either of these can be used to determine whether the user may authenticate with a mechanism that requires a static password (for example, using an LDAP simple bind or a SASL PLAIN bind).

DS-18035

Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup where

1) Server B had not received changes directly from a client for a long time (beyond the purge delay),

2) Since the last successful change, Server B had processed an operation from a client that made it deep enough in the operation processing to generate a change sequence number (CSN) but that operation was later rejected by the server,

3) Server A is shut down, and

4) While Server A is shut down, Server B processes one or more changes directly from the client.

DS-18061

Updated the audit log publisher to include the replication change ID in applicable changes by default.

DS-18070

Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated).

DS-18082

Fixed an incompatibility between password modify extended operations and the changelog encryption plugin.

DS-18087

The dsreplication initialize-all option now correctly uses the host name, port, and connection security of the replica servers that were provided during dsreplication enable, rather than the values provided during server setup.

DS-18100

A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html or contact sales@pingidentity.com.

DS-18112

Modified the server to not examine recent changes within the backend when initially started by the updater to look for post-update errors. This can speed the update process by several minutes in some environments.

DS-18134

Updated license files for third-party libraries.

DS-18144

Updated the default global ACIs so that users can modify their own password when the Changelog Password Encryption Plugin is enabled.

DS-18188

Removed the ability to create custom HTTP trace loggers using the Server SDK.

DS-18191

Updated the NotificationManager class within the Server SDK to provide access to the entry before and after the change rather than only the raw request object.

DS-18229

Fixed an issue where the Self-Service Account Manager (SSAM) sample would not install.

DS-35012

Added a safeguard to limit the size of the buffer used to create a notification of a transaction. The notification will be discarded if some of the changes could not be found and the limit is reached.

DS-35495

Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes.

DS-35496

Fixed an issue where a subtree delete operation could stall operation processing (SalesForce Case 00623381).

DS-35524

Addressed an issue that could cause a server to never clear its replication backlog after being initialized with "dsreplication initialize".
