UnboundID Directory Server Release Notes


Directory Server 3.2.3.0

Following are notes for the most recent release of the UnboundID Directory Server which is version 3.2.3.0. Notes for the following versions of the Directory Server are also available in this document:

Known Issues and Workarounds

These known issues will be resolved in a future version of the Directory Server:

  • When reinitializing replication for a directory server, it is important not to disable and re-enable replication. If replication is ever disabled for a replica, then the cleanup-local-server command must be run before replication is re-enabled. Issue:DS-3159

  • When using a GSSAPI SASL Mechanism Handler the kerberos-service-principal property is only used to determine the protocol (i.e. "ldap"). The hostname will always be determined using the server-fqdn property. Issue:DS-5053

Resolved Issues

The following issues have been resolved with this release of the Directory Server:

  • Added a monitor entry (cn=Group Cache,cn=monitor) for the group cache that contains statistics for all the group implementations. Issue:DS-4728

  • Fix a bug with DN decoding from strings with special characters to ensure that the changelog will store a valid DN for the targetDN even if the original entry's DN was not properly escaped. Issue:DS-6061 SF#:1679

  • Fix the LastMod Plugin and the Changelog Backend so that the 'modifiersName' attribute will get correctly replicated and show up on changelog entries as the DN of the user who last modified the entry, for all operation types including DELETE. Issue:DS-4171

  • Update the file format used by "dsconfig --batch-file" to support using '\' as a line continuation character. If the last character on a line is a '\', then it will be removed and the following line concatenated on to it. Issue:DS-635
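The continuation rule described above, modelled as an added example (this is not UnboundID's own batch-file parser). The dsconfig subcommand and logger names in the sample batch are assumptions; only the property names reject-insecure-requests and obscure-attribute come from these notes.

```python
"""Model of the dsconfig --batch-file line-continuation rule: a trailing '\\'
is removed and the following physical line is concatenated onto the command."""


def join_continuations(batch_text: str) -> list[str]:
    """Join physical lines into logical commands.

    Assumptions not stated in the release note: blank logical lines are dropped,
    and a '\\' on the very last line is removed with the command simply ending.
    """
    commands: list[str] = []
    current = ""
    pending = False
    for raw in batch_text.splitlines():
        if raw.endswith("\\"):
            # Drop the continuation character; keep accumulating on the next line.
            current += raw[:-1]
            pending = True
            continue
        current += raw
        pending = False
        if current.strip():
            commands.append(current)
        current = ""
    if pending and current.strip():
        commands.append(current)
    return commands


# Constructed sample batch file (subcommand and publisher names are assumptions).
SAMPLE_BATCH = """\
set-global-configuration-prop \\
  --set reject-insecure-requests:true

set-log-publisher-prop --publisher-name "File-Based Audit Logger" \\
  --set obscure-attribute:userPassword \\
  --set obscure-attribute:authPassword
"""


if __name__ == "__main__":
    for command in join_continuations(SAMPLE_BATCH):
        print(" ".join(command.split()))
```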

  • Improve performance of nested groups for the static group cache. Support for nested static groups is now always enabled and the setting for the ds-cfg-support-nested-groups property no longer applies. However, to support nesting of dynamic groups inside static groups, the ds-cfg-cache-user-to-group-mappings property must be disabled.

    Added an option to limit the isMemberOf virtual attribute to only those groups of which the user is a direct member (not through nested groups or dynamically derived membership) via the new ds-cfg-direct-memberships-only property. Issue:DS-6098

  • Update ldap-diff to use the schema of the target server when comparing entries. This enables comparing entries whose DNs include case-sensitive components. Issues:DS-2748,DS-6197

  • Ensure that critical and unsupported controls using a virtual attribute filter will fail since they are not supported in tandem. Issue:DS-6244 SF#:1694

  • Introduce a global property "ds-cfg-use-compact-sync-hist" that, when enabled, will not encode historical single-valued attribute values if they are the same as the current value of the attribute for add and repl change types. This encoding is not backwards compatible: before reverting to a previous version, all historical data must be flushed by exporting the replicated base DN without the ds-sync-hist attribute and re-importing the data. Issue:DS-6055

  • A new property named obscure-attribute on the audit logger allows specified attributes to have their values obscured in the audit log. The default setting for the Proxy Server is to obscure the userPassword and authPassword values. Each value of an obscured attribute is replaced in the audit log with a string of the form "***** OBSCURED VALUE *****". The default setting for Directory Server is not to obscure any attributes, since the values of password attributes appear in hashed form rather than in the clear. Issue:DS-5278

  • Fix a bug that prevented proxied authorization from working as expected during a search that crosses into a secondary backend. Issue:DS-6171 SF#:1686

  • Fix a bug that allowed users with expired passwords to change attributes in their own entry other than the password. Issue:DS-6054

  • Modify the ldap-diff tool to add LDAP connection options for SSL, StartTLS, and SASL authentication. Issue:DS-6034

  • Update the status tool to fix an issue where the tool might fail to connect to the server to retrieve some status information when the --no-prompt option is specified. Issue:DS-5989

  • Add support for a number of operational attributes which can be added to user entries in order to restrict who those users can proxy as when using proxied authorization, in addition to enhancing existing operational attributes that can be used to restrict who a user can be proxied as. The complete list of attributes and their intended use is as follows:

    • ds-auth-is-proxyable -- May be used to indicate whether the user account may or must be used as the target of proxied authorization. Allowed values are "allowed" (which indicates that operations may be proxied as this user), "prohibited" (which indicates that operations may not be proxied as this user), and "required" (which indicates that the account will not be allowed to authenticate directly but may only be accessed via some form of proxied authorization).
    • ds-auth-is-proxyable-by -- May be used to provide a list of the DNs of the users that will be allowed to proxy operations on behalf of the associated user.
    • ds-auth-is-proxyable-by-group -- May be used to provide a list of the group DNs whose members will be allowed to proxy operations on behalf of the associated user.
    • ds-auth-is-proxyable-by-url -- May be used to provide a list of the LDAP URLs that will be allowed to proxy operations on behalf of the associated user.
    • ds-auth-may-proxy-as -- May be used to provide a list of the DNs of the users that the associated user will be allowed to proxy operations as.
    • ds-auth-may-proxy-as-group -- May be used to provide a list of the group DNs whose members the associated user will be allowed to proxy operations as.
    • ds-auth-may-proxy-as-url -- May be used to provide a list of the LDAP URLs the associated user will be allowed
    Issue:DS-6101 SF#:1690

  • Fix a bug that prevented ACIs with a targetFilter from working properly with search operations with an entryUUID filter. Issue:DS-6102 SF#:1668

  • Nesting dynamic groups inside static groups is now always supported. The static group cache is now always enabled and the cache-user-to-group-mappings configuration property is no longer maintained. Issue:DS-6272

Directory Server 3.2.2.1

Resolved Issues

These issues were resolved with version 3.2.2.1 of the Directory Server:

  • Fix a problem where the collect-support-data tool could time out when connecting over SSL, or prompt the user to verify the server certificate even when the --no-prompt argument was specified. Issue:DS-4823

Directory Server 3.2.2.0

Resolved Issues

These issues were resolved with version 3.2.2.0 of the Directory Server:

  • Fix an issue where DirectoryThreads did not set their context classloader to the one provided by our ClassLoaderProvider. This caused all the threads in the server to use the system classloader by default, which only has access to the classes specified on the classpath (i.e. the core server libraries under the /lib directory). This becomes problematic if one of these threads calls into a library that uses Thread.getContextClassLoader() to load a class that is outside of the core server libraries (for example in an extension library). In this case it would use the system classloader and subsequently throw a NoClassDefFoundError. Issue:DS-5876

  • Update the HTTPConnectionHandler to use Jetty version 8.1.0, which fixes several problems in the IO layer with respect to the latest JVMs and browsers. Switch the configuration to use Jetty's more efficient NIO socket connectors instead of the traditional blocking socket connectors. Issues:DS-5622,DS-5900

  • Add a new property override-local-password to the Pass Through Authentication Plugin. With the default value of false, the plugin will attempt the bind remotely only if the local bind fails because there is no local password defined. When set to true, it will attempt the bind remotely if the local bind fails for any reason.

    The new override-local-password property changes the default behaviour of the Pass Through Authentication Plugin. To restore the previous behaviour, change the value to true. Issue:DS-5766

  • Add fix to handle SSL/TLS renegotiation attempts during secure communication. Issue:DS-5695

Directory Server 3.2.1.0

New Features

These features were added for version 3.2.1.0 of the Directory Server:

  • The server now includes an HTTP connection handler that can be used by Server SDK servlet extensions to provide HTTP access to the server.

Known Issues and Workarounds

These were known issues at the time of the release of version 3.2.1.0 of the Directory Server:

Resolved Issues

These issues were resolved with version 3.2.1.0 of the Directory Server:

  • Update the Subject Attribute to User Attribute Certificate Mapper so that duplicate mappings are not allowed for the same certificate attribute. Issue:DS-5547

  • Fix a bug where replication conflict entries were being filtered from search results, but counted towards the size limit. Issue:DS-5405 SF#:1604

  • Update the server to provide the ability to customize the client connection policy that is used for internal operations. Previously, the server would always use an internal policy that only knows about local backends, but in the Directory Proxy Server, this could prevent internal operations from accessing content in backend servers.

    The Server SDK has also been updated to provide ClientContext and OperationContext methods that make it possible to get internal connections using either the server's configured default internal client connection policy or the policy associated with the client connection on which the request was received. Issue:DS-5553

  • Fix a bug that could cause the server to pass the old configuration into the isConfigurationChangeAcceptable method for a number of types of Server SDK extensions. Issue:DS-5597

  • Update the Server SDK to provide extensions a way to dynamically register their own monitor providers with the server, without requiring any server-side configuration objects. Issue:DS-5271

  • Fix a bug where virtual attributes were not being pared down from changelog entries in the same way as non-virtual attributes. Issue:DS-5608 SF#:1629

  • Fix a bug where the access logger was not using the include-add-attribute-names property correctly. Issue:DS-5549 SF#:1612

  • Update the replication server to avoid a potential deadlock when the server is under high load. Issue:DS-5647 SF#:1618

  • Added manage-extension tool to install and update extension bundles to the server. Issue:DS-5612

  • Fix an issue with the FIFO Entry Cache where under high load, improper thread synchronization could lead to an entry in the cache being corrupted. Issue:DS-5659 SF#:00001632

  • Update the LDAP Changelog monitor entry to have a unique object class: ds-changelog-backend-monitor-entry. Issue:DS-5059

  • Provide more monitoring for the LDAP Changelog backend, especially for GetChangelogBatch request processing, and expose monitoring information for this backend in the Periodic Stats Logger. Issue:DS-5700

  • Improve performance of retrieving changes from the LDAP Changelog using the GetChangelogBatch request by reducing changelog entry processing for entries that are excluded by base DN. Issue:DS-5701

  • Provide config options to smooth out database delete operations during LDAP changelog purging to reduce impact on server throughput and response time. Issue:DS-5724

  • Address an issue where a directory server might resend duplicate changes when processing a GetChangelogBatch request in an environment that is under heavy load. Issue:DS-5656

  • Add workaround in SSL processing to detect potential buffer underflow or renegotiation even when processing appears to be OK. Issue:DS-5748 SF#:1636

  • Fix a bug where method level debug tracing could cause extraneous logging from other methods in the same class. Issue:DS-5760 SF#:1636

  • Address an issue where search index processing would examine more entries than necessary when executing AND searches that included fully-indexed, complex components, such as (&(app=X)(|(priv=A)(priv=B))). Issue:DS-5783

  • Add the ability to specify a reason when entering and leaving lockdown mode. This is recorded in the logs and in the alerts that are generated. Issue:DS-5331

Directory Server 3.2.0.0

New Features

These features were added for version 3.2.0.0 of the Directory Server:

  • AIX is now a supported deployment operating system.

  • In the LDAP changelog, add support for indexing changes separately for each modified attribute, which allows clients to more efficiently retrieve changes to a subset of attributes using the get-changelog-batch request.

  • Update the LDAP changelog to provide support for paring down the contents of changelog entries based on the access control and sensitive attribute restrictions that are in place for the entry that was added, deleted, or updated.

  • Introduce an audit-data-security tool that identifies potential risks or other notable security characteristics contained in directory data.

  • Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations.

Known Issues and Workarounds

These were known issues at the time of the release of version 3.2.0.0 of the Directory Server:

Resolved Issues

These issues were resolved with version 3.2.0.0 of the Directory Server:

  • Fix a bug in the web-console new Attribute Type and new Objectclass dialogs which in some cases could cause a schema element to be saved erroneously into a file called 'New File...'. Issue:3410

  • Modify the web-console so that extraneous carriage returns are removed from files containing exported schema elements. Issue:3411

  • Fix a bug that could cause inaccurate timestamps to be displayed in the active operations monitor entry for operations that are still waiting in the work queue and have not yet been picked up for processing by a worker thread. Issue:3419

  • Fix an issue that led to work queue backlogs in DS when the Sync Server was synchronizing from an entry-balanced Proxy Server configuration. Issue:3431 SF#:1486

  • The dsreplication tool's cleanup-local-server subcommand will now remove the public key certificates of all formerly trusted replicas as a result of being removed from a replication topology. Issue:3385

  • Update command-line tools providing support for SASL authentication to add additional properties that may be used in conjunction with the GSSAPI mechanism. This includes the ability to control whether a ticket cache should be allowed and/or required, the ability to specify an alternate location for the ticket cache file, the ability to request that the Kerberos ticket-granting ticket be renewed, and the ability to supply a custom JAAS configuration file rather than using one automatically generated by the tool. Issue:3437

  • Fix a bug that prevents going back from the type selection when creating a new configuration object in dsconfig. Issue:2913 SF#:1435

  • Update a number of LDAP command-line tools to provide a new --help-sasl option that can be used to obtain information about the SASL mechanisms that are available for use and the supported options for those mechanisms. In addition, the command-line tool reference has been updated to provide a new page on supported SASL mechanisms and options. Issue:3452

  • The replication server changelogDb directory can now be relocated because the replication-db-directory property is no longer read-only. Also, the LDAP Changelog Backend database directory can be relocated because it now has a db-directory property. Issue:3359 SF#:00001484

  • The dsreplication command line utility has been updated to prevent multiple dsreplication instances from changing the replication configuration simultaneously.

    The utility has been updated to keep a history of invocations in the logs/tools/dsreplication.history file.

    The utility has been updated to keep the log of up to 10 dsreplication sessions in the logs/tools directory. Issues:2347,2716,623,661

  • Fix an issue where a subtree delete operation that timed-out could bring both replication and the LDAP changelog to a halt. Issue:3465

  • Fix a bug in which dsconfig and other tools may not properly evaluate path-based property values for remotely managed servers. Issue:3439 SF#:00001484

  • Fix an issue where the LDAP Changelog Backend could encounter a deadlock while purging old entries if changelog batch requests were simultaneously trying to read those entries. Issue:3080

  • Improve the consistency of performance for Sync through Proxy with Entry Balancing. When the Proxy Server is processing a Get Changelog Batch request and it has received maxChanges in total from the backend Directory Servers, it now cancels the outstanding requests in order to expedite the return of the result to the Sync Server. When the Directory Server receives a cancel request for a Get Changelog Batch request, it now stops processing the request and returns the result containing a resume token. Issue:3438 SF#:1492

  • Fix an issue in the Directory Server that could affect synchronizing changes through the Directory Proxy Server in an Entry Balanced environment that had global replication configured across all Directory Server instances. Under certain circumstances, the Directory Server would go too far back in the changelog when searching for the next batch of changes, and it might issue an incorrect warning that some changes had been purged. Issue:3543

  • Fix an issue in the Directory Server that could cause the Sync Server to show a large number of un-retrieved changes after restarting a sync pipe. This issue affected Sync through Proxy in an entry-balanced configuration. Issue:3543

  • Modify the update tool to handle potential issues migrating the admin-backend.ldif backend file if the ds-create-time attribute is present in the entry cn=all-servers,cn=Server Groups,cn=admin. Issue:3584 SF#:00001501

  • Update shell scripts used for the server and associated tools so that they will display a warning if it is not possible to set the desired number of file descriptors. Issue:3590

  • Fix a potential bug in index merge processing during import-ldif and rebuild-index processing that could cause the tool to silently complete without any indication of problems even if an error occurred. Issue:3590

  • Add je-property configuration to Changelog Backend to allow for advanced settings as needed. Issue:3600

  • Fix a bug when keeping track of an index that has exceeded the entry limit in the verify-index tool. Issue:3358

  • Fixed an issue in the LDAP Changelog where it could throw a NoSuchElementException either when it is first enabled or during replication replay. Issue:2760

  • Fix a bug where dsreplication cleanup-local-server command would fail in non-interactive mode if the changelogDir argument was not provided. Issue:3453

  • Update the JE backend to add new id2children-index-entry-limit and id2subtree-index-entry-limit configuration options that can be used to set the limits for these independently of the backend-wide default index entry limit. If these values are not set, then the backend-wide limit will continue to be used. Issue:3608

  • Change setup command to check for minimum required BDB JE version before running. Issue:3441

  • Update the CRYPT password storage scheme to make it possible to encode passwords using the 256-bit and 512-bit SHA-2 variants available in many Linux and UNIX distributions. These mechanisms apply multiple rounds of a very strong cryptographic digest to make the process of encoding passwords more expensive and significantly impede brute force, dictionary, and other kinds of attacks that may be launched by someone with access to a password's encoded representation. Issue:3593

  • Add support for a new "operation purpose" request control that clients can use to identify the intention for each request that they send to the server. The control may include the name and version of the application that created the request, the location in the application code from which the request was created (which may be automatically generated by the UnboundID LDAP SDK for Java), and a human-readable message explaining the purpose for the operation.

    This can help improve security and debuggability because it can offer a kind of audit trail. If a request includes this control, then information from the control will be included in access log messages for those operations. Issue:3616

  • Add support for a number of operational attributes which can be added to user entries in order to restrict the way those users can authenticate and the circumstances under which they can be used for proxied authorization. Issue:3621

  • Fix an issue in the Directory Server that caused Sync Server polling to get stuck when changes had been purged from the changelog. Issue:3594

  • Increase the efficiency of LDAP changelog purging by reading less data from the database. Also, retry purge transactions that fail with a lock conflict exception. Issues:3595,3604 SF#:00001486

  • Update client connection policies to support two new configuration attributes. The required-operation-request-criteria property can be used to cause the server to reject any request which does not match the referenced request criteria, and the prohibited-operation-request-criteria property can be used to cause the server to reject any request which does match the referenced request criteria. Issue:3645

  • Add the ability to configure the LDAP Changelog backend to preload database files into the file system cache prior to purging changelog entries. This can eliminate high disk utilization during purging. Issue:3603 SF#:1486

  • Update the export-ldif tool to add a new "--encryptLDIF" option that can be used to cause the data to be encrypted as it is written. Also, update the import-ldif tool to add a new "--isEncrypted" option to make it possible to import LDIF data from an encrypted file. Both of these options are only available when running as a task with the server online, as is also the case when creating or restoring an encrypted backup. Issue:3617

  • Boost the performance of the Get Changelog Batch extended request in the Directory Server by using multiple threads to process the request. Issue:3606

  • Increase minimum heap size used by setup when no value is provided by end user. Issue:DS-3580

  • Fix a bug where a schema file shipped with the server was being listed as a custom schema. Issue:DS-3563

  • Update the LDIF export task to add support for digitally signing the contents of the LDIF export, and update the LDIF import task to add an option that can be used to verify the contents of the signature. If the import task is configured to verify signed content but the LDIF is not signed or has an invalid signature, then the import will complete but the server will place itself in lockdown mode to avoid the possibility of exposing untrusted data to clients. As with encrypted LDIF support, signing support is only available while the server is online and cannot be used in offline mode. Issue:DS-3617

  • Add a new argument to collect-support-data to control the number of jstack samples to collect. Issue:DS-4159

  • Update the FIFO entry cache to add support for new configuration options that make it possible to restrict the entry cache to holding only entries with at least a specified number of attribute values (either across all user attributes, or optionally across only a specified set of attributes). This can be used to avoid wasting cache memory with small entries that are very efficient to decode directly from the database and for which the entry cache does not provide significant benefit. Issue:DS-4210

  • Update the Directory Server to require a minimum Berkeley DB JE version of 4.1.10. Issue:DS-3549

  • Update dsconfig to make the list-properties subcommand more visible and more usable. This includes the following changes:

    - The list-properties output will now be written to standard output rather than standard error. This makes it easier to process the output with text tools like grep.

    - The list-properties subcommand can now be used with the "--offline" argument even if the server is running.

    - A new "--complexity" argument has been added that can be used to customize the complexity level of the objects included in the output.

    - A new "--includeDescription" argument has been added that can be used to include synopsis and description information in the output.

    - The top-level dsconfig help now includes an example demonstrating the use of the list-properties option.

    - A docs/config-properties.txt file containing this information is now provided with the server. This information was previously already available in the HTML config reference guide. Issue:DS-2985 SF#:00001413

  • Update a number of access loggers to provide a new max-string-length configuration property that specifies the maximum length of any string that may be included in a log message. If any string has more than this number of characters, then that string will be truncated and a placeholder will be appended to indicate the number of remaining characters in the original string. Issue:DS-3551

  • Update the server to provide a new additional-supported-control-oid configuration property in the root DSE backend that can be used to add a specified OID to the supportedControl attribute of the server's root DSE. This is primarily intended for compatibility with other servers which may include certain response control OIDs in this list even though LDAP specifications indicate that it should only include request control OIDs.

    The Server SDK has also been updated to provide support for registering and deregistering supported control OIDs. This may be used for extensions which themselves add support for additional controls. Issue:DS-3467

  • Allow directory server to ignore illegal trailing space characters for existing schema files. Issue:DS-3586

  • Make it possible to configure the number of file descriptors that the server should attempt to use on UNIX-based systems. Previously, the server was hard-coded to try to use 65535 file descriptors. It is now possible to override this default by setting the NUM_FILE_DESCRIPTORS environment variable with the desired number of descriptors to use. Alternately, you can do this by creating a config/num-file-descriptors file with a single line, like:

    NUM_FILE_DESCRIPTORS=12345

    If an error occurs while attempting to use the desired number of file descriptors, then a message will be written to the terminal, and if the error occurs while starting the server, then a message will be logged to the server's error log. Issue:DS-3590

  • Fix a bug that prevented use of dsconfig with SASL options. Issue:DS-3535

  • Increase the concurrency of the FIFO Entry Cache when it contains a large number of entries. Issue:DS-4249

  • Add the ability to compress log files as they are written. This can significantly increase the amount of data that can be stored in a given amount of space so that log information can be kept for a longer period of time. Because of the inherent problems with mixing compressed and uncompressed data, compression can be enabled only at the time the logger is created, and cannot be turned on or off later. Further, because of problems in trying to append to an existing compressed file, if the server encounters an existing log file on startup, it will rotate that file and begin a new one rather than attempting to append to the previous file.

    Compression is performed using the standard gzip algorithm, so compressed log files can be accessed using readily available tools. Further, the summarize-access-log tool has been updated so that it can work directly on compressed log files rather than requiring them to be uncompressed first. However, because it can be useful to have a small amount of uncompressed log data available for troubleshooting purposes, administrators using compressed logging may wish to define a second logger that does not use compression and has rotation and retention policies that minimize the space consumed by those logs while still keeping them useful for diagnostic purposes without the need to uncompress files before examining them. Issue:DS-2983 SF#:00001410

  • Enable the isMemberOf virtual attribute by default so that it will be usable in an out-of-the-box deployment without any administrative action. Issue:DS-4267

  • Update the logic used for index evaluation so that it can skip evaluating some or all of the search filter against the entry if the parts which have been omitted are guaranteed to match the candidate entries based on the use of indexes. Issue:DS-4211

  • Add a new monitor entry for the FIFO Entry Cache that reports details on the operation of the cache. Also, update the Periodic Stats Logger to expose many of these statistics in a continuous fashion. Issues:DS-3657,DS-3658

  • Add a new option to the dsreplication tool that can be used to override a lock on the topology held by a separate invocation of the tool. This option should be used with caution. Issue:DS-3487

  • Update dsconfig to remove a redundant prompt when a user chooses to "Change the value" of an existing property. Issue:DS-2140

  • Fix a bug that prevented collect-support-data from properly using SASL connection options. Issue:DS-4239

  • Include a "Static Group Entry Cache" in the out-of-the-box configuration to improve server performance with large static groups whenever this entry cache is enabled. Issue:DS-4248

  • Fix an issue where, in rare circumstances, replication did not forward some update messages. Issue:DS-4329

  • Add a change to prevent server from being considered degraded when creating a new index. Issue:DS-4217

  • Address rare case when the dsreplication utility assigned the same identifier to a replication server and a replication domain causing a failure during online initialization. Issue:DS-3472

  • Fix a bug that could cause a search result to incorrectly indicate that zero entries were returned to the client. This only occurred when using a Server SDK plugin to return additional search entries to the client during processing. Issue:DS-4349

  • Improve search performance when an ACI references a group that does not exist. Issue:DS-4365

  • Modify updater tool to ignore conflicting configuration additions that already exist. Issue:DS-4352

  • Update the simple search entry criteria configuration object to indicate that the included-entry-filter options will be evaluated against the pared-down entry actually returned to the client rather than the complete entry that exists in the server. Issue:DS-4360

  • Improve the write throughput of the LDAP changelog when persistent searches are active in the directory, but none apply to the changelog content. Issue:DS-4494

  • Fix a bug where some configuration variables were not initialized during LDIF import on a changelog backend. Issue:DS-4419

  • Update the replication server monitor entry to include an ssl-encryption-available attribute that indicates whether the server supports replication over SSL.

    Note that even if the server is configured to support replication over SSL, it does not mean that all communication actually uses SSL. The ssl-encryption attribute of the replication server handler monitor entries should be examined to determine where SSL is and is not in use for replication. Issue:DS-3238

  • Prevent improper state propagation in replication that used to result in increased protocol traffic. Issue:DS-4493

  • Add a new reject-insecure-requests global configuration option that can cause the server to reject all operations except StartTLS extended requests received over insecure connections. This makes it easier to allow clients to use StartTLS without allowing other requests over an insecure connection. Issue:DS-4397

  • Provide an alternate password policy in the out-of-the-box configuration that is significantly more secure than the default policy. This policy is not configured for use, but it can be selected as the default policy, used as a policy for a select set of users, or used as a template for creating a new custom policy with a more secure starting point than the default policy.

    In addition, a new sensitive attribute definition is included in the default configuration that declares userPassword and authPassword to be sensitive attributes and forbids them from being returned to clients, used in search filters, or targeted by compare operations, and also requires that adds and modifies including passwords be processed over a secure connection. This sensitive attribute definition is not used by anything by default, but it can be easily referenced in the sensitive-attribute option of a client connection policy to turn it on. Issue:DS-4396

  • A server restart is no longer required after setting up replication to use encrypted communication. Issue:DS-1459

  • Update server access loggers to add a number of new options:

    - An option to include request details in search result entry messages.
    - An option to include request details in search result reference messages.
    - An option to include request details in intermediate response messages.
    - An option to include the names of attributes included in an add request.
    - An option to include the names of attributes targeted in a modify request.
    - An option to include the names of attributes included in a search result entry.
    - An option to include extended search request details, including the size limit, time limit, types only, and alias dereferencing behavior. Issue:DS-4404

  • Update the server to add a "--lockdownMode" argument which can be used to cause the server to be started in lockdown mode. Issue:DS-1488

  • Update the Directory Server to make it possible to define sensitive attributes as a global configuration option that will automatically apply across all client connection policies. It was previously only possible to associate sensitive attributes with individual client connection policies, and this option still exists. In addition, it is possible to indicate that a client connection policy should exclude one or more global sensitive attributes. Issue:DS-4402

  • Update the server to generate an administrative alert if it detects that a configuration change was made with the server offline (whether by manually editing the configuration file or using dsconfig in offline mode). Issue:DS-4407

  • Improve the 'excludeReplication' option on the export-ldif command to also exclude replication conflict entries in addition to replication related attributes. Issue:DS-3332

  • Update the server to provide better reporting around the use of third-party extensions. If any such extensions are loaded in the server, then the DNs of their configuration entries will be listed in the thirdPartyExtensionDN attribute of the cn=monitor entry. Further, some extensions are loaded at startup, and a message will be written to the error log with the DNs of all of their configuration entries. Please note that not all extensions are loaded at startup, in particular Sync extensions. Issue:DS-4398

  • Improve the performance of searches that do not return any results by not fetching the base entry of the search unless it contains referrals. Issue:DS-4525

  • Fix an issue in which terminal focus may be lost during command-line setup just before the Summary step is shown. Issue:DS-4551

  • Fix an issue in which dsconfig cannot set an unlimited value for an object property that supports an unlimited value. Issue:DS-4173

  • Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations. By default, eight worker threads will be created for this purpose, but this may be altered via the num-administrative-session-worker-threads property in the work queue configuration.

    Some administrative tools like dsconfig, status, collect-support-data, enter-lockdown-mode, and leave-lockdown-mode will automatically attempt to create an administrative session in which all operations they request will be processed in this dedicated pool. Other tools like ldapsearch, ldapmodify, ldapcompare, ldapdelete, ldappasswordmodify, backup, restore, import-ldif, export-ldif, and manage-tasks have a new "--useAdministrativeSession" argument that can be used to request that they attempt to use this dedicated thread pool for operations that they process. Further, the Commercial Edition of the UnboundID LDAP SDK for Java has been updated to provide support for the new start administrative session and end administrative session extended operations that are needed to use this feature, so third-party applications can also take advantage of this capability.

    In order to request that operations be processed using the administrative session thread pool, the requester must have the use-admin-session privilege (which is included in the default set of privileges automatically granted to root users). The use of the administrative session thread pool will be recorded in the access log, and a new "using-administrative-session-worker-thread" property has been added to the simple request criteria and can be used to filter operations based on whether they are using this capability. Issue:DS-4401

  • Fix SASL support for the status command. Issue:DS-4313 SF#:1563

  • Update the changelog backend to provide support for paring down the contents of changelog entries based on the access control and sensitive attribute restrictions that are in place for the entry that was added, deleted, or updated. This capability is disabled by default, but it can be enabled using the apply-access-controls-to-changelog-entry-contents configuration property. If enabled, then the contents of attributes like changes, deletedEntryAttrs, ds-changelog-entry-key-attr-values, ds-changelog-before-values, and ds-changelog-after-values may be altered or removed based on what the requester can access in the target entry.

    This change also includes support for a new option in the get changelog batch extended request. If the pareEntriesForUserDN element is present in the request, then the changelog entry contents may be further pared down to match the intersection between what is accessible to the requester and the user specified in that pareEntriesForUserDN element. If this element is included in the get changelog batch request, then this paring will be performed even if apply-access-controls-to-changelog-entry-contents has a value of false.

    If the changelog entry content was altered as a result of this processing, then the changelog entry returned to the client may include additional information about what was removed. If the report-excluded-changelog-attributes configuration property is given a value of attribute-counts, then information about the number of suppressed user and operational attributes will be provided in the changelog entry through the ds-changelog-num-excluded-user-attributes and ds-changelog-num-excluded-operational-attributes attributes. If it is given a value of attribute-names, then the names of the suppressed attributes will be provided in ds-changelog-excluded-user-attribute and ds-changelog-excluded-operational-attribute. Issue:DS-4157 SF#:00001409
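
    The paring rules in this item, as an added illustration and not code from the Directory Server: the requester's readable attribute set (the outcome of ACI and sensitive-attribute evaluation, which the real server computes) is supplied as an input, optionally intersected with the set readable by the pareEntriesForUserDN user, and the excluded attributes are then reported in the two modes the note names. The entry layout (nested dicts), the sample entry and the operational attribute list are constructed for the example.

```python
# Values of report-excluded-changelog-attributes named in the release note.
ATTRIBUTE_COUNTS = "attribute-counts"
ATTRIBUTE_NAMES = "attribute-names"

# Changelog attributes whose contents describe the target entry and may be pared.
CONTENT_ATTRIBUTES = (
    "changes",
    "deletedEntryAttrs",
    "ds-changelog-entry-key-attr-values",
    "ds-changelog-before-values",
    "ds-changelog-after-values",
)

# Constructed sample changelog entry (modelled as nested dicts, not real LDIF).
SAMPLE_ENTRY = {
    "targetDN": "uid=jdoe,ou=People,dc=example,dc=com",
    "changeType": "modify",
    "changes": {
        "telephoneNumber": ["+1 555 0100"],
        "userPassword": ["{SSHA}constructed-sample-hash"],
        "modifiersName": ["cn=Directory Manager"],
    },
    "ds-changelog-before-values": {
        "telephoneNumber": ["+1 555 0199"],
        "userPassword": ["{SSHA}constructed-old-hash"],
    },
}


def pare_changelog_entry(entry, requester_readable, operational_attributes,
                         pare_for_user_readable=None, report=None):
    """Return a copy of `entry` without target-entry attribute content the requester may not read.

    requester_readable:     names of target-entry attributes the requester may read (supplied
                            here as an input; the server derives it from ACIs and sensitive
                            attribute definitions)
    pare_for_user_readable: same for the pareEntriesForUserDN user; when given, only the
                            intersection of the two sets survives
    operational_attributes: names of operational attributes, so exclusions are reported
                            in the right category
    report:                 None, ATTRIBUTE_COUNTS or ATTRIBUTE_NAMES
    """
    allowed = {a.lower() for a in requester_readable}
    if pare_for_user_readable is not None:
        allowed &= {a.lower() for a in pare_for_user_readable}
    operational = {a.lower() for a in operational_attributes}

    pared = dict(entry)
    excluded = {}  # lowercase name -> name as it appeared in the entry
    for content_attr in CONTENT_ATTRIBUTES:
        if content_attr not in entry:
            continue
        kept = {}
        for attr, values in entry[content_attr].items():
            if attr.lower() in allowed:
                kept[attr] = list(values)
            else:
                excluded.setdefault(attr.lower(), attr)
        if kept:
            pared[content_attr] = kept
        else:
            del pared[content_attr]  # nothing the requester may see: drop the attribute entirely

    # Reporting attributes are added only when content was actually altered.
    if excluded:
        excluded_user = sorted(n for k, n in excluded.items() if k not in operational)
        excluded_operational = sorted(n for k, n in excluded.items() if k in operational)
        if report == ATTRIBUTE_COUNTS:
            pared["ds-changelog-num-excluded-user-attributes"] = len(excluded_user)
            pared["ds-changelog-num-excluded-operational-attributes"] = len(excluded_operational)
        elif report == ATTRIBUTE_NAMES:
            pared["ds-changelog-excluded-user-attribute"] = excluded_user
            pared["ds-changelog-excluded-operational-attribute"] = excluded_operational
        elif report is not None:
            raise ValueError(f"unknown report mode: {report!r}")
    return pared


if __name__ == "__main__":
    # A requester whose client connection policy marks userPassword as sensitive.
    readable = {"telephoneNumber", "modifiersName"}
    print(pare_changelog_entry(SAMPLE_ENTRY, readable, {"modifiersName"}, report=ATTRIBUTE_NAMES))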

  • Dramatically reduce the memory consumption of static groups, especially when the ratio of total memberships to unique members is high. The configuration property cache-user-to-group-mappings should only be disabled if nested group support is needed as it helps to reduce memory consumption. The property intern-member-dns is removed since it is no longer useful. Issue:DS-4698

  • Update the replication server to fix two potential race conditions that result in the error message "Replication server caught exception while listening for client connections null". Issue:DS-4557

  • Fix a bug where collect-support-data was not passing all of the SASL arguments needed to the status command. Issue:DS-4816

  • Remove bind user and password prompts when starting dsconfig in interactive mode if valid SASL bind options are provided. Issue:DS-4579 SF#:1562

  • Change collect-support-data to not prompt for bind user/password when SASL arguments are provided. Issue:DS-4596

  • Fix a bug that could cause virtual and real values for the same attribute type to be returned as two separate attributes, which could cause problems with some kinds of LDAP clients. Issue:DS-4707

  • Update the Directory Server support for virtual attributes so that it is possible for multiple virtual attribute definitions to contribute values to the same attribute in an entry. Previously, only one virtual attribute definition would be used, and the process for selecting that one definition was not well defined.

    As part of this solution, two new configuration properties have been added to virtual attribute definitions:

    * multiple-virtual-attribute-evaluation-order-index -- This is a numeric value which can be used to assign relative priorities to virtual attribute definitions. Definitions will be evaluated in ascending order based on this index, and definitions without an explicitly-assigned index will be evaluated last. It is acceptable to have definitions with the same index, in which case their relative order will be determined based on lexicographic comparison of the name of the configuration object. It is also acceptable to have gaps in the ordering, so it is not necessary to define the order using only sequentially-increasing values.

    * multiple-virtual-attribute-merge-behavior -- This specifies the behavior that the server should use when multiple virtual attribute definitions apply to the same multivalued attribute in a given entry (for single-valued attributes, the server will only ever use the first definition as determined by the order specified above). Values for this property may be "use-first-definition" (in which case only the first applicable virtual attribute definition may contribute values to an entry), "use-only-definitions-with-the-lowest-evaluation-order-index" (in which case the first applicable definition will be used, along with all other definitions that have the same evaluation order index as that first definition), or "use-all-definitions" (in which case all applicable virtual attribute definitions may contribute values to the entry).

    In the event that multiple virtual attribute definitions will be applied for a given attribute in an entry, the conflict-behavior and multiple-virtual-attribute-merge-behavior values for the first applicable definition will be used for all virtual attribute definitions applied for that attribute, even if subsequent definitions have behaviors that conflict with that of the first applicable definition. Issue:DS-2483
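
    The ordering and merge rules of the two properties above, as an added example that is not the Directory Server's own code: definitions are sorted by evaluation order index (unindexed last, ties by configuration object name), the first definition's merge behavior governs the whole merge, and single-valued attributes always take only the first definition. The VirtualAttributeDefinition class and the sample definitions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Values of multiple-virtual-attribute-merge-behavior as named in the release note.
USE_FIRST = "use-first-definition"
USE_LOWEST_INDEX = "use-only-definitions-with-the-lowest-evaluation-order-index"
USE_ALL = "use-all-definitions"


@dataclass
class VirtualAttributeDefinition:
    """Simplified model of one virtual attribute definition (not the server's config class)."""
    name: str                                     # configuration object name, used as the tie-breaker
    values: list                                  # values this definition would contribute
    evaluation_order_index: Optional[int] = None  # multiple-virtual-attribute-evaluation-order-index
    merge_behavior: str = USE_FIRST               # multiple-virtual-attribute-merge-behavior


def evaluation_order(definitions):
    """Ascending index; definitions without an index last; equal indexes ordered by name."""
    return sorted(
        definitions,
        key=lambda d: (
            d.evaluation_order_index is None,
            d.evaluation_order_index if d.evaluation_order_index is not None else 0,
            d.name,
        ),
    )


def applicable_definitions(definitions, single_valued=False):
    """Select the contributing definitions using the FIRST definition's merge behavior."""
    ordered = evaluation_order(definitions)
    if not ordered:
        return []
    first = ordered[0]
    if single_valued or first.merge_behavior == USE_FIRST:
        return [first]
    if first.merge_behavior == USE_LOWEST_INDEX:
        return [d for d in ordered
                if d.evaluation_order_index == first.evaluation_order_index]
    if first.merge_behavior == USE_ALL:
        return ordered
    raise ValueError(f"unknown merge behavior: {first.merge_behavior!r}")


def merge_virtual_values(definitions, single_valued=False):
    """Combine the contributing definitions' values, de-duplicated in evaluation order."""
    merged = []
    for definition in applicable_definitions(definitions, single_valued):
        for value in definition.values:
            if value not in merged:
                merged.append(value)
    return merged


if __name__ == "__main__":
    # Constructed sample: two definitions share index 5, one has index 10, one is unindexed.
    sample = [
        VirtualAttributeDefinition("alpha", ["x"], 10, USE_ALL),
        VirtualAttributeDefinition("charlie", ["z"]),
        VirtualAttributeDefinition("delta", ["w", "y"], 5, USE_FIRST),
        VirtualAttributeDefinition("bravo", ["y"], 5, USE_LOWEST_INDEX),
    ]
    print([d.name for d in evaluation_order(sample)])  # bravo, delta, alpha, charlie
    print(merge_virtual_values(sample))                 # bravo's behavior applies: bravo + delta
```

    Note that delta's own use-first-definition setting has no effect in the sample, because bravo sorts first and its merge behavior governs the whole attribute, which is exactly the rule stated in the paragraph above.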

  • Update the logic the server uses for address patterns to support the use of subnet masks. It was previously only possible to use CIDR notation (e.g., "1.2.3.0/24") to specify the number of significant bits, but it is now possible to use subnet masks (e.g., "1.2.3.0/255.255.255.0") to specify address masks. Issue:DS-4710
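
    Both notations described in this item, as an added example that is not the Directory Server's own address pattern code: the parser reduces a CIDR prefix or a dotted subnet mask to the same (network, mask) pair, rejects non-contiguous masks so that a mistyped mask cannot silently widen an address pattern, and matches client addresses against the result. The function names are the example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_address_pattern(pattern):
    """Parse an IPv4 address pattern into (network, mask) as 32-bit integers.

    Accepted forms, mirroring the release note:
      "1.2.3.0/24"             CIDR prefix length (number of significant bits)
      "1.2.3.0/255.255.255.0"  dotted subnet mask
      "1.2.3.4"                a single host (all 32 bits significant)
    """
    addr_str, _, mask_str = pattern.strip().partition("/")
    addr = int(ipaddress.IPv4Address(addr_str))
    if not mask_str:
        mask = ALL_ONES
    elif mask_str.isdigit():
        bits = int(mask_str)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {pattern}")
        mask = (ALL_ONES << (32 - bits)) & ALL_ONES
    else:
        mask = int(ipaddress.IPv4Address(mask_str))
        # A valid subnet mask is a run of 1-bits followed only by 0-bits.  Rejecting
        # anything else (e.g. 255.0.255.0) keeps a typo from matching unintended hosts.
        inverted = ~mask & ALL_ONES
        if inverted & (inverted + 1):
            raise ValueError(f"non-contiguous subnet mask: {pattern}")
    return addr & mask, mask


def prefix_length(mask):
    """Number of significant bits in a contiguous mask."""
    return bin(mask).count("1")


def to_cidr(pattern):
    """Canonical CIDR spelling of a pattern written in either notation."""
    network, mask = parse_address_pattern(pattern)
    return f"{ipaddress.IPv4Address(network)}/{prefix_length(mask)}"


def address_matches(pattern, address):
    """True if `address` falls inside the pattern's network."""
    network, mask = parse_address_pattern(pattern)
    return (int(ipaddress.IPv4Address(address)) & mask) == network


if __name__ == "__main__":
    # Constructed sample patterns and a sample client address.
    for p in ("1.2.3.0/24", "1.2.3.0/255.255.255.0", "10.0.0.0/255.255.0.0", "1.2.3.4"):
        print(f"{p:24} -> {to_cidr(p):14} matches 1.2.3.77: {address_matches(p, '1.2.3.77')}")
```

    Normalising every pattern to its CIDR form is a cheap way to review a connection policy or ACI: two patterns written in different notations that normalise to the same string are the same rule.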

  • Update the server to report group cache statistics and memory usage at startup. Issue:DS-2855

  • Modify the tools to recognize instances of the Sun DSEE 7 Directory Server when deployed as part of the Oracle Identity Management 11g. Issue:DS-4716

  • Update the server to discourage disabling schema checking since this can lead to unexpected behavior in the server and client applications, as well as introduce performance problems. A warning message is printed when dsconfig or the console is used to update the configuration to disable schema checking. The server now generates an alert when schema checking is disabled. The --skipSchemaValidation option has been removed from import-ldif. Issue:DS-4336

  • Improve the config definition for the idle-lockout-interval password policy property to indicate that it relies on the last login time but may fall back on the password changed time or account creation time if no last login time is available. It also recommends having last login time tracking enabled for a period of time before enabling idle account lockout. Issue:DS-4878

  • Update the server to record access log information about certain requests rejected very early in the life of an operation that were not previously recorded, including:

    - Operations requested by a user that must change his/her password before being allowed to perform any other operation.
    - Operations rejected because there is a bind in progress on the connection.
    - Operations rejected because the server is in lockdown mode.
    - Operations rejected as a result of the reject-unauthenticated-requests or reject-insecure-requests configuration option.
    - Operations rejected because a client has exceeded the maximum number of operations per connection or maximum concurrent operations per connection. Issue:DS-4912

  • Make a change to the entry encoding format for attributes with attribute options. This will primarily impact data sets which use a wide variety of attribute options (and especially those other than ";binary" or ";lang-*"). In data sets with a very wide variety of attribute options, LDIF import and LDAP add performance should be dramatically improved.

    Note that this may have an impact on the ability to revert to an older version if the data makes use of attribute options other than ";binary" or ";lang-*". In such cases, or in cases in which the data may use attribute types not defined in the server schema, then you should export data to LDIF before performing the revert, and then re-import data from LDIF after the revert. Issue:DS-4869

  • Fix a bug in the attribute value password validator that can cause it to incorrectly reject add attempts if the password attribute itself is included in the set of attributes to examine. Issue:DS-4888

  • Update the changelog backend to add a new include-virtual-attributes property that can be used to indicate when virtual attributes can be included in changelog entries. Virtual attributes may be included in none, some, or all of the following cases:

    - The set of attributes for an add operation
    - The set of deleted entry attributes for a delete operation
    - The set of changes for a modify operation (but only when use-reversible-form is true; when it is false, the changes are what the client sent the server)
    - The before and after values for updated attributes (regardless of the value of use-reversible-form)
    - The key entry attributes Issue:DS-4714

  • Update the behavior of 'use-reversible-form' on the Changelog Backend to make sure it always includes a changelog entry, even if there was no net change to the directory entry. Changing attributes to the same value they already had will now result in an ADD and a DELETE of those same values showing up in the 'changes' attribute on a changelog entry, to provide an indication of what was in the original modification. Issue:DS-4957

  • Add support for the IBM JDK for the GSSAPI SASL bind mechanism handler and for GSSAPI SASL binds performed by the tools and utilities. Due to restrictions in the IBM JDK, when using the tools and utilities with the "ticketcache" option set, the bind will always fail if the credentials are not found in the specified ticket cache, even if the "requirecache" option is false. Issue:DS-4749

  • Change the default low-space-error-percent-threshold to 1. This will help to avoid costly database recovery and/or replication initialization operations when the directory server runs out of disk space on default installations. Issue:DS-4872

  • Address an issue with the LDAP Changelog where a modify operation that added and deleted the same value for an attribute (effectively a no-op) would show up in the changelog incorrectly. Issue:DS-5005

  • The LDAP change log now supports attribute indexing so that the Sync Server can request changes that target specific attributes much faster. This feature is configured by the index-include-attribute and index-exclude-attribute properties on the Changelog Backend. Issue:DS-4938

  • Update the LDAP Changelog Backend to separate out virtual attributes from real attributes. There are now separate attributes for storing before/after values, key attributes, and added or deleted entry attributes which are virtual. Virtual attributes are not included in changelog entries at all by default, but can be included in any or all of before/after values, key entry attrs, added entry attributes, and deleted entry attributes using the 'include-virtual-attributes' property on the changelog backend. Issue:DS-5043

  • Fix a bug in which the server did not always properly handle changes to an attribute with the same attribute type as used in an entry's RDN and could reject an operation with a "not allowed on RDN" result when the RDN value itself was not actually altered. Issue:DS-4950

  • Improve the dsframework tool to support multi-valued server properties. Issue:DS-5040

  • Fix a bug where Directory Servers could potentially miss some update messages in large topologies after a restart. Issue:DS-3592

  • Update the Local DB Backend so that the way that individual indexes (including system indexes) are preloaded aligns with the index's cache-mode setting. If a cache-mode is set to evict-leaf-immediately, then leaf nodes will never be preloaded. If a cache-mode is set to evict-bin-immediately, then nothing will be preloaded. Issue:DS-4860

  • Hide the include-backend-subtree-views property in client connection policy configuration objects in the Directory Server. The only legitimate use of this configuration property is in the Directory Proxy Server, so it should not be exposed in the Directory Server. Issue:DS-5057

  • Change collect-support-data and a couple of other tools to enable use of a tools.properties file when present. Issue:DS-4932 SF#:1563

  • Fix a bug that prevented configuration changes to attribute syntaxes (e.g., to allow zero-length directory string values) from taking effect without a server restart. Issue:DS-5060

  • Fix a bug that could corrupt the server registry: in some cases, the dsreplication detach subcommand updated the server registry of the detached servers before the replication servers had disconnected from each other. Issue:DS-5058

  • Fix a bug that required server restart when re-enabling virtual attributes. Issue:DS-5106

  • Fix an issue with replication where a server might miss some changes, specifically during stress tests that included a high volume of modify traffic and repeatedly killing the server process. Issue:DS-5227

  • Fix a bug that prevented use of stop-ds command on a remote server. Issue:DS-5279

Directory Server 3.1.0.0

Resolved Issues

These issues were resolved with version 3.1.0.0 of the Directory Server:

  • The dsreplication tool now requires specification of the --ignoreWarnings option when performing a pre-external-initialization operation using the --no-prompt option. Issue:3019

  • The dsreplication status output has been updated to include a table that lists replication servers and their important properties. Issue:3019

  • The dsreplication tool now disallows specification of an empty password for the global admin user account. Issue:3019

  • The dsreplication tool now prohibits enabling replication between two servers for base DNs of empty subtrees. Before enabling replication, at least one server must have been initialized with data. Issue:3019

  • The dsreplication tool's interactive menu system has been overhauled to provide better organization and contextual help for its operations. Issue:3019

  • Add new global configuration attribute that allows specifying a SMTP timeout to use for all configured SMTP servers. Issue:2283

  • Change dsreplication command line interface to detect an invalid hostname provided during an interactive session, instead of failing at the end. Issue:2763

  • Update the server so that access log messages for operations the server tried to interrupt (e.g., as the result of an abandon or cancel request, because the client connection was being closed, because the server was shutting down, etc.) will include an additionalInfo element with more information about the reason for the cancel attempt. Issue:2971

  • Limit collect-support-data to only run against the local server it is run from. All supported versions of the products have collect-support-data available, and that version should be used to do any needed data collection. Issue:2827

  • Extend the timeout for SMTP External Servers so that it applies to both connection establishment and socket I/O. Previously the timeout value applied only to socket I/O. Issue:2939

  • Fix an issue with export-ldif command that resulted in object classes always being included in the output. Issue:2482

  • Heartbeat messages on replication server connections used to be ignored. Issue:3016

  • The update and revert-update tools now respect the -Q/--quiet option, which, when specified, suppresses console output of messages that are not warnings or errors. In addition, the tools will not solicit input if the -n/--no-prompt option is specified. Issue:3056 SF#:00001432

  • Add an option for configuration group change failures to force configuration changes when one or more servers in the group are unable to process the operation. Forcing the change is optional and the user is given a chance to modify the configuration change and retry if they decline. The --applyChangeTo argument now allows a value of "server-group-force" to provide the same functionality non-interactively. Issue:789

  • Fix an issue where the Web Console provides a dsconfig command to modify root dn user aliases that does not work in dsconfig. Dsconfig will now accept those commands. Issue:1692 SF#:1238

  • Improve the port checking code for local ports to be more accurate. Issue:2621 SF#:1399

  • The dsconfig tool has been fixed so that it does not exit with an error when the root DSE entry is not available. Issue:3122

  • Add a new type of access logger which can be used to obtain very detailed information about requests and responses and the contexts in which the associated operations have been processed. This is primarily intended for troubleshooting purposes rather than general use, and the content is meant to be human-readable rather than machine-parsable. Further, because the output can be quite verbose, it is recommended that it only be enabled when attempting to diagnose a problem, and that it be used in conjunction with the filtered logging framework so that only potential messages of interest will be captured. Issue:3064

  • Update tools, such as searchrate, that use --ratePerSecond to not use 100% of one CPU when running at a low rate. The cutoff for this rate depends on the minimum amount of time that a process can sleep, which is operating system dependent.

  • Enable the UseLargePages JVM flag during setup for Linux systems when the aggressive tuning option is used. Issue:2804

  • Update the Server SDK to add support for creating file-based access and error loggers. The new APIs are similar to the existing access and error logger APIs, but they take advantage of the server's existing high-performance and high scale log writer and provide support for advanced features like log file rotation and retention policies. Issue:3115

  • Add the ability to cancel an index rebuild task in the server. Previously, this was not possible and it could prevent an administrator from aborting an index rebuild, or even prevent the server from shutting down if a rebuild was in progress. Note that if an index rebuild is interrupted, then the index will remain untrusted and the rebuild must be re-invoked in order to allow that index to be properly generated before it will be used again. Issue:2955

  • The replication code has been updated to avoid a race condition in which, for a short period of time, updates might not be delivered to a replica that was just added to the topology. Issues:2222,3159

  • Fix an issue where a disabled backend in the directory server could cause sync server endpoints to become out of sync when synchronizing through the proxy server. By default, a disabled backend now causes the directory server to set a degraded alert and to reject operations in the backend with the UNAVAILABLE result code. This allows the proxy server to route around the degraded directory server. Two new configuration properties on the backend control this behavior: set-degraded-alert-when-disabled and return-unavailable-when-disabled. Issue:3143

  • Update the way that the rebuild-index tool works in offline mode so that it can use multiple threads to provide better performance and scalability, and to reduce the amount of disk space consumed during the rebuild process. Also, update the way that the verify-index tool works when examining entries so that it can provide better performance and scalability, particularly when used to validate multiple indexes at the same time.

  • Update the rebuild-index tool so that it will monitor available disk space on volumes containing the database files and the temporary index files. If disk space gets too low while rebuild-index processing is in progress, then it will log warning messages and may abort processing if available disk space becomes critically low. Issue:3251

  • Add the close-connections-on-explicit-gc option to the LDAP Connection Handler to allow connections to be closed gracefully when an explicit garbage collection is triggered by the Periodic GC Plugin or the Force GC Task. This allows hardware load balancers to more easily fail over to other instances. Outstanding operations will be given a chance to complete before connections are closed. Issue:2931

  • Update the Directory Server's support for interactive transactions so that it properly honors the writeLock flag in the interactive transaction specification request control. Issue:3263

  • Add a validate-acis tool that can be used to read access control definitions from an LDIF file or an LDAP directory in order to determine whether they will be accepted in an UnboundID Directory Server. Issue:3062

  • Update the move-entry tool so that it provides the ability to move multiple entries rather than just one. The --entryDN argument can be provided multiple times to specify the target entry DNs, or the new --entryDNFile argument may be used to specify the path to a file containing the DNs of the entries to move. If multiple entries are to be moved, then a separate transaction will be used for each. Issue:3111

  • An issue in the public key management process could cause replication to fail with certificate errors. Issue:3268

  • Fix an issue where a failed rebuild-index task did not release the lock it had acquired on the backend. Issue:3282

  • Make the download instructions for BDB JE more accurate. Issue:2980

  • Update collect-support-data to collect more system-level information (especially on Linux) and validate that any value specified with the --pid option does not match the server's PID, since information about the server process is always collected. Issues:2920,2930,3152,3171,3206

  • The replication code has been updated to fix a rare race condition found when reinitializing a very small database immediately after starting the Directory Server. Issue:3302

  • Hide the subtree-view option in the Client Connection Policy configuration in DS and Sync. There is currently no way to create manual subtree views for these products, but this option may be added back for future features as needed. Issue:3125

  • Fix an issue where a valid ACI was rejected because the ACI name included a parenthesis. Issue:3145

  • Update the LDIF parser to reject entries with illegal trailing spaces with a better error message that more clearly explains what the problem is. Also, update the import-ldif and ldapmodify tools so that they provide a "--stripTrailingSpaces" option that can cause the LDIF parser to strip off illegal trailing spaces rather than rejecting the associated entry or change record. Issue:3216

  • Two new Local DB Backend configuration properties are available to control the behavior of the directory server when the contents of one or more Local DB Indexes are untrusted. An index is untrusted if it needs to be rebuilt, or is in the process of being rebuilt. The first property, 'set-degraded-alert-for-untrusted-index', determines whether the directory server enters a degraded state when the backend has an index whose contents are untrusted. The second property, 'return-unavailable-for-untrusted-index', determines whether the directory server returns UNAVAILABLE for any LDAP search operation that would use an untrusted index of the backend. The default settings are 'true', which allows a proxy server to fail over to an alternate directory server when the contents of one or more Local DB Indexes are untrusted. Issue:3143

  • Add a --missingOnly option to ldap-diff to allow the tool to only report on entries that exist on only one of the servers; entries that exist on both servers but are out-of-sync are ignored. Issue:2918

  • Update tools which can be used to schedule tasks to add a new "--task" argument that makes it explicit that the tool is intended to run as a task rather than in offline mode. At present, this argument is optional, but we intend to make it required in the future, and if a tool is invoked as a task without this new "--task" argument, then a warning message will be displayed recommending that it be used in the future.

    In addition, if the "--task" argument is provided but the tool was not given an appropriate set of other arguments to allow it to connect and/or authenticate to the server, then an error message will be displayed and the tool will exit with an error. This behavior will also be exhibited for other arguments that are only applicable for tools running as tasks, including the "--start", "--dependency", "--failedDependencyAction", "--completionNotify", and "--errorNotify" arguments. Issue:3224

  • Update the manage-tasks tool so that it can detect cases in which the authenticated user doesn't have permission to access information about tasks in the server and will provide a more useful error message. It would previously always report that there were no tasks in the server, which may not be true and is not very helpful. Issue:2957

  • Change the default access logger configuration so that intermediate response messages will be suppressed rather than logged, although logging them can be enabled if desired. However, for operations that did send one or more intermediate response messages to the client, the result access log message will now include an intermediateResponsesReturned element that provides the number of intermediate response messages that were returned. Issue:3096

  • Fix an issue in online rebuild-index processing that can cause incorrect counts for the total number of entries and the number of entries processed so far. Issue:3283

  • Update tools which create scheduled tasks to display a message indicating that killing the tool will not interrupt the task. For tasks that can be interrupted, the tool will also display a manage-tasks command line that can be used to cancel that task. Issue:2954

  • Fix an issue in the subtree delete implementation that could cause subordinate entries to be deleted without removing the parent, and a failure result for the operation in the case that the number of subordinate entries exactly matched the subtree delete size limit. Also, slightly modify the interpretation of the subtree delete size limit to be the maximum number of subordinate entries that can be removed so that the base entry itself is not counted as part of this limit. Issue:3335

  • Update the Directory Server so that the backlog of replication changes is received from only one other server in case the instance was disconnected from the topology for a long period of time. Issues:1105,2886

  • Add support for the special values "*" and "+" to the LDAP changelog configuration so that all user attributes or all operational attributes can be included or excluded from changelog entries. Issue:3269

  • Update the LDAP changelog so that it will not create a changelog entry with an empty 'changes' attribute when all modifications within a replicated modify operation are discarded because they are stale with respect to the local entry. Issue:3349

  • Fix an issue in the migrate-sun-ds-config tool that could cause it to generate a configuration batch file that could not be successfully applied when it included the creation of a new backend. Issue:3129

Directory Server 3.0.3.0

Resolved Issues

These issues were resolved with version 3.0.3.0 of the Directory Server:

  • Upgrade the server to require Berkeley DB Java Edition 4.1.8, which fixes a potential deadlock issue found in version 4.1.7.

  • Add support to the LDAP changelog for capturing all the before/after values of a changed attribute. This can be capped at a maximum number of values to store per attribute. Also add support to the LDAP changelog for capturing the current value of any 'key' attributes on every change to an entry, regardless of whether they were the attributes that changed. Issues:3020,3060

  • Fix a bug in the web console where the version mismatch warning was not being displayed on initial login. Issue:3146 SF#:1459

  • Add an option to collect-support-data for collecting data from expensive processes. These expensive operations will not be executed by default. Issue:3176

  • Clarify the results of the status command when a user attempts to collect status from a remote server. Status results will always be based on the local server even if the user attempts to run the command on a remote server. Issue:3121

  • Fix an issue where debug messages logged by a command line tool (when using --enableDebug) might not be flushed to disk before the command exited. Issue:3218

  • Update the server's support for GSSAPI authentication to allow it to use a more flexible service principal. Previously, the service principal was hard-coded to be "ldap/" followed by the fully-qualified name of the system. This is still the default, but it is possible to override that in order to use a custom service principal. In addition, client tools which support GSSAPI authentication have been updated to support a "protocol" SASL option that can be used to specify the protocol for the service principal, and a "debug" SASL option that can enable GSSAPI debugging in the JVM. Issue:3262

  • Change replication server logic to prevent resending updates to pre-3.0 replication servers whenever they leave the replication topology, as this could temporarily lead to larger than expected backlogs. Issue:2911

Directory Server 3.0.2.0

Resolved Issues

These issues were resolved with version 3.0.2.0 of the Directory Server:

  • Modify the update tool to fix an issue where in some cases the tool would fail to migrate an older configuration, displaying errors related to duplicate LDIF change records. Issues:2942,2962,2967

  • The status-panel tool is no longer supported and has been removed from the server packaging. Issue:2973

  • Fix an issue where a Mirror Virtual Attribute Provider could cause a stack overflow in the directory server. Issue:2999

  • Fix an issue in the Directory Server that could cause a search result entry to be artificially delayed (and possibly returned after its subordinates) if a search spans multiple backends and is indexed in some of those backends but is unindexed in others. Issue:3008

  • Fix a regression with the stop-ds command where the port argument was ignored. Issue:2925

  • Fix a replication incompatibility issue between a version 2.1.2 server instance and a server instance updated to a later version. The updated server could not process replicated modify operations from the older version instance. Issue:2935

  • Fix an issue where, in rare cases, the flow control mechanism in the replication server delayed messages. Issue:3027

  • If replication is enabled, the access logger now reports the replication change ID in the access log by default. Issue:3030

  • The command 'dsreplication cleanup-local-server' now removes all administrative information from the local server including any known servers and configured server groups. Any prior steps made to register the server with a replication topology or a configuration server group will need to be repeated if necessary. Issues:2792,2868

  • Fix an issue where the status command would warn that the port argument was ignored even though the argument was not provided. Issue:3052 SF#:1447

  • The command-line tools now use the full terminal width for output on Windows platforms. Issue:1019

  • Fix a potential issue that could cause an exception if a client tried to establish a secure connection to a server that already had the maximum number of concurrent client connections established for the associated client connection policy. Issue:3072

  • Add a document which describes differences in the default behavior between the UnboundID/Alcatel-Lucent 8861 Directory Server and Sun/Oracle DSEE and the reasons for those differences. With minor editing, this document may also be used as a dsconfig batch file to apply changes to the Directory Server to make it behave more like DSEE. Issue:2978

  • The 'dsreplication disable' command now removes the ds-sync-state attribute from the formerly replicated backend. Issue:2887

  • Fix an issue where a disable and enable of a local DB Backend could result in lost replication changes. Issue:3001

  • Fix a potential problem that could cause replication to break when merging two previously-disconnected topologies with multiple servers, or when concurrently adding multiple new servers to an existing replication topology. Issue:3114

  • Increase the default value for duplicate error messages (allow 2000 in 5 minutes) and alerts (allow 100 in 1 hour) before they are suppressed. Avoid duplicate suppression for certain types of alerts, such as configuration changes. Ensure that the severity of a duplicate alert summary message matches the severity of the duplicate messages being suppressed.
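The suppression behaviour described above (a per-message budget inside a time window, an exempt category, and a summary whose severity tracks the suppressed messages) can be modelled in a few dozen lines. The following is an added example written for these notes, not Directory Server code; the class and method names are assumptions, and the demo uses a budget of 2 per 300 seconds rather than the product defaults so that the effect is visible with a handful of messages.

```python
"""Illustrative duplicate-message suppressor (added example, not Directory Server code).

A message with the same key is logged up to `limit` times within a sliding window of
`window_seconds`; further duplicates are counted and later reported in one summary
record whose severity is the highest severity seen among the suppressed messages.
Keys listed in `never_suppress` (for example configuration-change alerts) always pass.
"""
from collections import deque

SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2, "fatal": 3}


class DuplicateSuppressor:
    def __init__(self, limit, window_seconds, never_suppress=()):
        self.limit = limit
        self.window = window_seconds
        self.never_suppress = set(never_suppress)
        self._timestamps = {}   # key -> deque of emit times still inside the window
        self._suppressed = {}   # key -> [count, highest severity]

    def _prune(self, key, now):
        # Drop emit times that have fallen out of the sliding window.
        q = self._timestamps.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def submit(self, key, severity, now):
        """Return True if the message should be logged now, False if it is suppressed."""
        if key in self.never_suppress:
            return True
        q = self._prune(key, now)
        if len(q) < self.limit:
            q.append(now)
            return True
        entry = self._suppressed.setdefault(key, [0, severity])
        entry[0] += 1
        # The summary carries the most severe level seen among the duplicates.
        if SEVERITY_RANK[severity] > SEVERITY_RANK[entry[1]]:
            entry[1] = severity
        return False

    def flush_summaries(self):
        """Return and clear one summary record per suppressed key."""
        out = [{"key": k, "severity": sev, "suppressed": count}
               for k, (count, sev) in self._suppressed.items()]
        self._suppressed.clear()
        return out


def demo():
    # Constructed scenario: timestamps are seconds; keys are hypothetical message ids.
    s = DuplicateSuppressor(limit=2, window_seconds=300, never_suppress={"config-change"})
    burst = [s.submit("disk-full", "error", t) for t in (0, 10, 20, 30)]
    s.submit("disk-full", "fatal", 40)          # suppressed, but raises summary severity
    later = s.submit("disk-full", "error", 400)  # window has slid past the first two
    cfg = [s.submit("config-change", "info", t) for t in range(5)]
    return {"burst": burst, "later": later, "cfg": cfg, "summaries": s.flush_summaries()}


if __name__ == "__main__":
    print(demo())
```

The window is evaluated lazily on each submission, so an idle key costs nothing; a production implementation would also flush summaries on a timer rather than only on demand.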

  • Fix an issue that could cause search result entries returned by a persistent search to be significantly delayed. Issue:3128

  • Address an issue where Server SDK extensions running within a command line tool could cause the process to run out of memory if they logged a high volume of error log messages. Issue:3173

Directory Server 3.0.1.0

Resolved Issues

These issues were resolved with version 3.0.1.0 of the Directory Server:

  • Change collect-support-data tool to prompt for missing LDAP connection arguments if needed. Issue:2461

  • Fix an issue where an incorrect search base DN would be written in the access log when a search operation spanned multiple backends.

  • Add support for a new exclude branch request control, which may be used to suppress search result entries below one or more base DNs. Issue:2845

  • Update the Directory Server so that when processing a search operation, it will try to consolidate the last search result entry with the search result done message so that we try to send both messages in the same packet. This improves search performance and reduces network congestion. Issue:2853

  • Update sensitive attribute support to utilize the intermediate client request control if present in the client request in order to determine whether all downstream clients communicated with the server over a secure connection, rather than just considering the communication with the immediate client. This can help make more intelligent determinations for operations requested through a Directory Proxy Server instance. Issue:2852

  • Update the server so that some of the specialized access loggers (e.g., failed operations and expensive operations) do not include messages about intermediate responses. Issue:2822

  • Update the attribute value password validator to provide the ability to perform substring matching on passwords. With this capability enabled, it is possible to reject passwords which are substrings of attribute values, or to reject passwords which contain substrings of attribute values. Issue:2579

  • The replication changelog backend (replicationChanges) is now always enabled to facilitate restoring the replication changelog database from another server before replication is enabled. Issue:2645

  • Fix a bug that could prevent the use of object classes which reference attribute types whose name begins with a numeric digit or contains an underscore character. Although such names are technically invalid, the server may allow them based on the value of the allow-attribute-name-exceptions global configuration property. Issue:2882

  • Fix a bug that could cause some command-line tools (including ldapsearch and ldapmodify) to fail when parsing DNs containing attributes whose names require the attribute-name-exceptions feature in the server, even if that feature was enabled. Issue:2883

  • Fix a bug in the import-ldif tool that caused it to ignore the server's check-schema global configuration property and always perform schema checking unless the --skipSchemaValidation argument was provided. Issue:2891

  • Fix a regression that was causing replication initialization to fail if the domain name included a dot character. Issue:2894

  • Address an issue with collect-support-data when run on Windows where certain commands that were executed would timeout without reading the full output of the command.

  • Replication now issues an alert if the replica is unable to publish all update messages to the replication server before shutting down. Issue:2720

  • Upgrade the server to require Berkeley DB Java Edition 4.1.7, which fixes a couple of notable bugs found in version 4.1.6.

  • Add a new external server type for configuring SMTP servers. This can be used to provide secure connections and authentication to outgoing mail servers. Issue:1150

  • Fix a bug in which one or more backend indexes could be incorrectly considered trusted if LDIF import or index rebuild processing was interrupted before completing index-related processing. Issue:1944

  • The SNMP Master Agent Plugin is no longer exposed as configurable because it is not a supported component. It is only used for test purposes.

  • During shutdown, suppress replication error log messages that are triggered by closing connections to remote replication servers. Issue:2349

  • Fix a bug in the web console that prevented the creation of configuration objects with a slash character in the name. Issue:2836

  • Add the ability to log debug statements from server components that are running within the context of a command line tool. This also enables logging from third-party extensions developed with the Server SDK to be captured when run from the context of a command line tool. Issue:2834

  • The dsframework tool has been modified so that whenever a server is registered or updated with port values whose corresponding protocol enablement properties (ldapEnabled, ldapsEnabled) are not present, the tool will automatically set the value of the enablement property to "true". Issue:783

  • The dsreplication enable subcommand in interactive mode used to fail when one of the Directory Server instances had the global administrator user defined. Issue:2843

  • Update replication messages and monitor attributes to use the term "Replication Backlog" instead of "Missing Changes" since "Missed Changes" refers to changes that have been lost due to purging. Issue:2736

  • The dsreplication detach subcommand now requires all servers in the topology to run version 3.0 or later. Issue:2844

Directory Server 3.0.0.0

New Features

These features were added for version 3.0.0.0 of the Directory Server:

  • Database Cache Compaction - With many datasets the database cache now uses 10-20% less memory to cache the same data.

  • Server SDK - Server-side SDK for extending the functionality of the core server.

  • Entry Encryption - Full entry-level encryption for Local DB backends.

  • Sensitive Attributes - An additional layer of protection from exposing data that is considered sensitive by allowing you to define policy that restricts how clients interact with a set of attribute types. For instance, you can define policy that will perform some of the following actions: 1) Reject add, compare, modify, or search requests that target these attributes, 2) Force clients to connect with a secure connection to interact with them, or 3) Automatically strip them out of entries before returning them to clients.

  • Virtualization Support - Achieved "VMware Ready Status" for all of our server products, which we now support deploying in VMware environments.

  • Global Replication - Support for replicating shared data between data sets in an Entry Balanced environment. This includes centrally managing and monitoring replication for all Directory Servers in an Entry Balanced environment.

Known Issues and Workarounds

These were known issues at the time of the release of version 3.0.0.0 of the Directory Server:

Resolved Issues

These issues were resolved with version 3.0.0.0 of the Directory Server:

  • Fix a bug that could cause a recursion loop resulting in a stack overflow when using aggregate connection criteria. Issue:2240

  • Expose version information for many of the libraries used by the server in both "status --fullVersion" and in the "cn=Version,cn=monitor" entry. It will always include the LDAP SDK version number, and if available may also include any or all of the Berkeley DB JE, JZlib, SNMP4J, SNMP4J Agent, and SNMP4J AgentX library version strings.

  • Add a configuration option that may be used to indicate whether the server should shut down in the event that a severe error (e.g., out of memory) is raised within the JVM that indicates it may not be able to continue running properly. Issue:2265

  • The dsjavaproperties tool now supports options for generating, regenerating, and updating the config/java.properties file. Issue:2280

  • Fix a bug in the support for the simple paged results control that could cause it to fail for a search that was unindexed. Issue:2286

  • Fix a bug in the timestamp-naming mechanism used in log file rotation which could cause log files that were manually renamed to still get rotated and eventually deleted if their names were still parsable as the original file name. Issue:1285

  • Fix a bug in the implementation of the userattr access control bind rule that could cause an access control rule to fail to properly match entries. Issue:2310

  • Fix a bug in the server that may cause the server to incorrectly parse some extensible match search filters from their string representations. Issue:2313

  • Update the stop script so that the "restart" option will correctly restart the server after a successful shutdown. Issue:2329 SF#:1362

  • Address an issue where the dsreplication command line utility in interactive mode ignored the selection from a server list and used the currently connected server to execute subcommands. This issue affected the disable, initialize, and initialize-all subcommands. Issue:2335

  • Issue a new admin alert when a replication operation fails to be replayed due to abnormal circumstances. Issue:2353 SF#:1368

  • Update dsconfig to work correctly in environments with a server-group set. This issue only affected dsconfig when run in a partially interactive mode where some of the configuration arguments were provided on the command line. The user is now prompted whether the configuration change should be applied to the current server or all servers in the group. Issue:2373 SF#:1370

  • Address an issue where the Unique Attribute Plugin incorrectly detected conflicts when under heavy load. Issue:1873

  • The web console now displays a communication error alert when editing configuration objects if the server has been disconnected. Issue:2270 SF#:1239

  • Fix a bug in which the server and tool JVM configurations in java.properties would lack -Xms and/or -Xmx options if the amount of memory specified as the maximum heap size was not available when setup was run. Issue:890

  • Fix a bug in which setup failed if the 'locks' directory was missing, because setup erroneously indicated that the server was running.

  • Fix a bug that prevented the display in dsconfig and the web console of configuration objects whose name contained a slash character. Issue:2244 SF#:1373

  • Update the directory server to allow attributes marked with NO-USER-MODIFICATION to be set if the Replication Repair Control (1.3.6.1.4.1.30221.1.5.2) is included in an add operation. This functionality was already available if the Ignore No User Modification Control (1.3.6.1.4.1.30221.2.5.5) was provided in addition to the Replication Repair Control. Issue:2361

  • Modify the update tool so that it cannot be run from a package in which setup has been run. Issue:2464

  • Provide a custom title renderer that escapes configuration object names in the web console. This avoids a theoretical security concern with configuration object names that contain embedded JavaScript. Issue:2454
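To make the concern in the previous item concrete, here is an added example (written for these notes, not the web console's own Java code) contrasting a naive title renderer with one that escapes the configuration object name before placing it in markup. The function names and the constructed object names are assumptions for this example.

```python
"""Added example: rendering a configuration object's name into HTML safely.

Contrasts string concatenation, which lets any markup inside a name become part of
the page, with an escaping renderer that turns the name into inert text.
"""
from html import escape


def render_title_unescaped(object_name):
    # Anti-pattern: the name is inserted verbatim, so markup or script inside it
    # is interpreted by the browser.
    return "<h1>Edit " + object_name + "</h1>"


def render_title_escaped(object_name):
    # html.escape with quote=True converts &, <, >, " and ' into entities, so the
    # browser displays the name literally instead of parsing it as markup. Escaping
    # '&' first (which the library does) avoids double-encoding the other entities.
    return "<h1>Edit " + escape(object_name, quote=True) + "</h1>"


def contains_active_markup(rendered):
    """Crude check used only by this example: does the rendered title still contain
    angle brackets other than the surrounding <h1> element?"""
    inner = rendered[len("<h1>"):-len("</h1>")]
    return "<" in inner or ">" in inner


# Constructed sample names: an ordinary name with characters that need escaping, and
# a name that embeds a script element.
SAMPLE_NAMES = [
    'Users & "Groups" backend',
    "<script>alert('x')</script>",
]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(render_title_unescaped(name))
        print(render_title_escaped(name))
```

The same rule applies to any other place a user-controlled name is interpolated (attribute values, JavaScript string literals, URLs), each of which needs its own context-specific encoding rather than HTML entity escaping alone.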

  • Fix a bug in the ldapmodify command-line tool that caused it to incorrectly treat a 'referral' result as success. Referrals are still not supported by this tool, but it will now treat them as a special kind of error and will provide a more useful message. Issue:1062

  • Update the status command to include information about the replication changelog database. Issue:2449

  • Update the UnboundID work queue configuration so that it is not possible to configure a value of zero for the number of write queues. Previously, if a nonzero number of write worker threads was configured with zero write queues, then the server would encounter an error and would be unable to start. Issue:2119

  • Update the local database backend so that if an index is found to be in a degraded state, it will now include both the backend ID and base DN in the message that is generated in addition to the name of the affected index. Previously, the message would only include the index name. Issue:2445

  • Online import-ldif now supports the --skipFile argument. Issue:841 SF#:00001350

  • Fix an issue, where in some cases, the Directory Server shutdown process was significantly delayed because of an improper shutdown of a replication related thread. Issue:2430

  • Generate a warning message at startup if the server is unable to determine the IP address or hostname of the local system, or if the local system's hostname resolves to a different IP address. These conditions may indicate a problem with the system configuration that could cause certain server components to break or function abnormally. Issue:2318

  • Creating an additional local database backend no longer generates severe warning messages in the server error log about degraded indexes. Issue:1113

  • Change the way that the serverUUID value is generated so that it is based on a combination of the system's primary IP address and the canonical server root path. This can be used to help detect cases in which a new server instance is created by copying the files associated with an existing server instance, which would have previously created two instances with the same serverUUID value. In the event that the stored serverUUID does not match the generated value, a log message will be generated to warn administrators of the change, and the newly-generated UUID will continue to be used. Issue:2470

  • Fix a NullPointerException error that could result from the use of targetscope="onelevel" in an ACI. Issue:2404

  • The import-ldif tool now verifies that the LDIF file argument is specified as an absolute path in case of an online import. Issue:2385

  • Fix a bug in the audit logger where the value of binary attributes could show up incorrectly when the audit logger was configured with use-reversible-form=true. Issue:2472

  • Remove support for the --append option of import-ldif since it was frequently used incorrectly, and in many situations led to situations that were difficult to recover from. Bulk adding entries to a backend that already has data can be done using the ldapmodify or parallel-update commands. Issues:1916,2427,54 SF#:00001299

  • Fix a bug that refused all writes to a backend when the write-ability mode was set to internal-only. Issue:949

  • Update the dbtest tool messages to make it clear that only backends of type local DB are supported. Issue:2436

  • Fix an issue where referential integrity fails when an entry referencing a deleted entry contains two attributes being managed by the referential integrity plugin. Issue:2365

  • Change the backend finalizers to run in parallel during shutdown to speed up the shutdown process. Issue:2110

  • Prevent cleaner and checkpoint threads from being interrupted before backend environment is closed. Issue:2020

  • Update the server to make it possible for change subscription handlers to be notified only of changes on a particular set of change subscriptions. Previously, change subscription handlers would always be notified of changes to any change subscription defined in the server. Issue:2475

  • Fix an issue when performing a modify operation to create an ACI that returned a result of Insufficient Access Rights instead of Invalid Attribute Syntax when the aci attribute was malformed. Issue:2477 SF#:1376

  • Fix a bug that could cause incorrect behavior for unindexed searches with a base DN equal to a base DN of the backend if one or more common-compact-parent-dn values were defined for entries below that base DN. In that case, only entries in the backend but not below any of the defined common compact parent DNs may be returned. Issue:2481 SF#:00001380

  • Improve the output of the ldapsearch tool to mention that a password has expired when the bind occurs. Issue:1981 SF#:1227

  • Fix a bug that prevented updating a user entry that needs a password change. Issue:2492 SF#:9999

  • Fix a bug where a virtual attribute rule based on group membership could cause the server to shut down. Issue:2434

  • Modify the updater so that the --ignoreWarnings option can be used to continue with update when there are warnings related to version compatibility issues. This allows an update to be run in a non-interactive environment, such as a script. Issue:2495

  • Explicitly set the autocomplete attribute on the web console login form to false. Issue:2496 SF#:1383

  • Update the audit logger to use the filtering criteria specified in the configuration. Issue:2443

  • The admin alerts list no longer includes alert types that are clearly not applicable to the product. Issue:1738

  • Update generated command line arguments (such as for dsconfig) to be quoted in a mechanism specific to the operating system where they are generated and to eliminate all escaping with \, which had caused problems when replaying certain commands. This is done with as much portability across systems as possible. Issue:2455

  • Update the server to improve its behavior when dealing with attribute types that were switched from user to operational, or vice versa. In such cases, existing entries would treat them as user or operational based on the state of those attributes at the time the entry was written and as such operations involving those attributes may behave incorrectly. Issue:2546 SF#:00001379

  • Fix a bug that made it possible to re-use a password in the password history using ldappasswordmodify. Issue:2497

  • Enabling replication between the current and prior version of the product may cause schema initialization problems. The code has been updated so that configuration schema elements are not overridden when enabling replication. When adding a Directory Server to a replication topology running a prior version of the product, it is recommended to use a server from the topology as the first server of the dsreplication command. Alternatively, schema replication may be excluded during dsreplication enable by using the --noSchemaReplication argument. Issue:2555

  • Improved status command output to better inform the user of how the local server status was determined, based on the arguments provided. Issue:2487

  • Cap db-evictor-critical-percentage configuration for backends so that the total cache percentage never goes above 90%. Issue:2285

  • Update cli documentation to include new commands for updating and reverting a server installation. Issue:2573 SF#:1390

  • Update the Directory Server to add support for sensitive attributes, which can be used to provide an additional layer of protection to avoid leaking data that might be considered sensitive. It is possible to reject add, compare, modify, or search requests which target sensitive attributes, or to restrict them so that they may only be allowed over secure connections, and it is also possible to always strip those attributes out of entries returned to the client, or to allow them to only be returned to clients using secure connections. Issue:2412

  • Tools using a scope argument are now correctly documented in the CLI documentation. Issue:2594

  • Several enhancements to the Periodic Stats Logger: all columns in the output can now be turned on/off, many more built-in metrics are available to be logged, and additional custom metrics driven off of cn=monitor entries can be added by creating Custom Logged Status objects. Issue:2039

  • The naming of the replication domain configuration has been updated to facilitate scripted installations by removing the replication domain ID from the name. Issue:2245

  • Fix a bug that did not use the password policy during an add operation if it was assigned using a virtual attribute. Issue:2622 SF#:1398

  • Fix an issue in the Directory Server which would cause ldap-diff to miss entries from a subordinate local DB backend when the scope of the comparison includes more than one local DB backend. This could be the case for an entry-balanced Directory Server. Issue:2618

  • Fix a problem where import-ldif would never finish if entries were rejected with invalid attribute syntax. Issue:2514

  • Change the way abandon and cancel requests are run in order to prevent request handler threads from being detained while these operations wait to get back results. Issue:2631 SF#:1395

  • The server now issues an alert when it has begun the startup process. Issue:2642

  • The server now issues an alert when a JVM pause (possibly due to garbage collection) has been detected. Issue:2637

  • The web console now allows the specification of multiple LDAP servers to be used for authentication and discovery of topology servers. Issue:2466

  • The web console now supports specification of a server from its login page. Issue:2190

  • In case a replica is backlogged, the Directory Server is supposed to issue an alert. The Directory Server is also expected to delay completing the startup until the size of the backlog (if any) has been determined. In some cases, the Directory Server did not issue an alert before the startup had completed. Issue:2662

  • The entry checksum virtual attribute provider has been extended to allow excluding attributes from the checksum calculation. The provider has also been updated to ignore the insertion order of attribute values when calculating the checksum. Checksums of two identical entries used to differ if the values of at least one multi-valued attribute had been added in different order. Issue:1156
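The two properties described in the previous item (excluded attributes do not affect the checksum, and the order in which multi-valued attribute values were added does not matter) follow from canonicalising the entry before hashing. The following is an added example modelling that idea in Python; it is not the Directory Server's implementation, and the function names, the canonical encoding and the constructed entries are assumptions.

```python
"""Added example: an order-insensitive entry checksum with attribute exclusions."""
import hashlib


def _frame(b):
    # Length-prefix each field so that names and values cannot run together and
    # produce the same byte string for two different entries.
    return len(b).to_bytes(4, "big") + b


def canonicalize(entry, excluded=()):
    """Produce a deterministic byte string for an entry.

    `entry` maps attribute names to lists of string values. Attribute names are
    ordered and excluded case-insensitively (LDAP attribute types are), and the
    values of each attribute are sorted so that insertion order is irrelevant.
    """
    skip = {a.lower() for a in excluded}
    parts = []
    for name in sorted(entry, key=str.lower):
        if name.lower() in skip:
            continue
        values = sorted(v.encode("utf-8") for v in entry[name])
        parts.append(_frame(name.lower().encode("utf-8")))
        parts.append(len(values).to_bytes(4, "big"))
        parts.extend(_frame(v) for v in values)
    return b"".join(parts)


def entry_checksum(entry, excluded=()):
    """SHA-256 over the canonical form, as a hex string."""
    return hashlib.sha256(canonicalize(entry, excluded)).hexdigest()


# Constructed entries: same content, different insertion order for 'objectClass' and
# 'member', and different modifyTimestamp values.
ENTRY_A = {
    "objectClass": ["top", "groupOfNames"],
    "cn": ["admins"],
    "member": ["uid=alice,ou=People,dc=example,dc=com",
               "uid=bob,ou=People,dc=example,dc=com"],
    "modifyTimestamp": ["20120101000000Z"],
}
ENTRY_B = {
    "objectClass": ["groupOfNames", "top"],
    "cn": ["admins"],
    "member": ["uid=bob,ou=People,dc=example,dc=com",
               "uid=alice,ou=People,dc=example,dc=com"],
    "modifyTimestamp": ["20120202000000Z"],
}


if __name__ == "__main__":
    print(entry_checksum(ENTRY_A))
    print(entry_checksum(ENTRY_A, excluded=["modifyTimestamp"]))
    print(entry_checksum(ENTRY_B, excluded=["modifyTimestamp"]))
```

Without the exclusion the two entries hash differently because their timestamps differ; with modifyTimestamp excluded they hash identically despite the reordered values, which is what makes such a checksum usable for comparing replicas.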

  • The import-ldif tool now supports a new --addMissingRdnAttributes option which, when present, will silently add attribute values from the RDN components of the DN that do not appear in the set of attribute values for the entry. When this option is not present, import-ldif will now reject such entries. Issue:2612

  • Update the ldappasswordmodify tool to supply the bind password as the user's current password when making a self-change. This is convenient when making a root user password change so that the current password does not have to be specified twice in the command line arguments. Issue:2525

  • Provide better descriptions in the MIB for SNMP trap variable bindings. Issue:2508

  • Fix an issue where explicitly requested attributes would not be returned when an access control rule allowing access to them contained a target filter on an attribute that was not one of those requested. Issue:2564

  • The file-based loggers now optionally support millisecond level precision. Issue:2603

  • Fix an issue where the referential integrity plugin would not perform all the appropriate actions for all kinds of ModifyDN operations. Issue:2498

  • Fix an issue where stop-ds on a replicated server could hang after logging an error indicating that the Replication Server db thread had exited while holding one or more read locks. Issue:2668

  • Add an "invoke-gc-day-of-week" property to the Periodic GC Plugin so that it can be configured to run only on certain days of the week. Issue:2660

  • Update the Periodic Stats Logger so that on shutdown it logs stats from the final interval. Issue:2684

  • Add an option, db-compact-key-prefixes, to the Local DB Backend. This exposes a new feature of BDB JE 4.1.6, which leads to a reduction in the memory needed to cache the database. It defaults to true. Issue:2693

  • If there are only two replicated servers in the topology, then dsreplication disable subcommand will disable replication on both servers. The disable subcommand will only target the specified server if there are more than two replicated servers in the topology. Issue:1794

  • Improve output when JVM errors occur in the scripts used to set up the environment for command line tools. Issue:2172

  • Fix a bug in the restore tool that could prevent it from operating in "dry-run" (used to verify a backup without restoring it) mode with the server online. Issue:2692

  • Update the default JVM arguments to improve garbage collection tuning.

  • Update dsjavaproperties to validate that all java-home properties specified in config/java.properties reference valid Java installations. Issue:2719

  • Fix an issue where the alerts backend could write an incomplete LDIF backing file if an error were to occur during the write. Also, if an error in the LDIF file is discovered when the server is started, the alerts backend will now read as much as it can from the file and preserve a copy of the bad file. Issue:2700

  • The dsreplication initialize and initialize-all subcommands have been updated to detect if the source server has active unavailable alerts. In interactive mode, these utilities will display a warning and will not allow the user to select these servers.

    The dsreplication status subcommand has been updated to display a warning about any server that has either unavailable or degraded alerts. These servers may not be displayed and may affect the reported number of missing changes. Issue:2707

  • Add support for logging intermediate response messages that are returned to the client. Intermediate response logging will be enabled by default, but may be disabled if desired. Issue:2428

  • Modify the import-ldif tool to help guard against accidentally overwriting existing backend data. The new -r/--overwriteExistingEntries option must be present when performing an import into a backend with a branch that already contains entries (although the option need not be present if a branch contains just a single base entry). It should be noted that existing scripts that perform an import-ldif may need to be modified to include this option in order to function as before. Issue:2478 SF#:00001378

  • Fix a bug where the web-console's schema editor could write object class definitions to the server that did not include the object class's type. This occurred when no attempt to change the default value STRUCTURAL was made in the object class creation dialog. Issue:2749

  • Fix the dsreplication remove-defunct-server subcommand, which used to remove the defunct server from the server registry when an incorrect replication port was provided, even though the displayed message suggested otherwise. The subcommand also used to refuse defunct server replication port argument values larger than 32767. Issue:2751

  • Address an issue with the web console where it would not allow read-only configuration properties to be set when an object was initially created. Issue:2730

Directory Server 2.2.0.0

Resolved Issues

These issues were resolved with version 2.2.0.0 of the Directory Server:

  • Add support for an LDAP join control, which provides an SQL-like join capability: a client can request that the server also return other entries that are related to the entries matching the initial search criteria. Issue:1012

  • Modify the command-line argument parsers to generate a warning message if an argument value is the same as the short or long form for another argument. This can help prevent users from forgetting to supply a value for an argument which requires one. Issue:944

  • Streamline the process for sending responses to LDAP clients to use a stream-based approach and avoid the creation of a number of intermediate objects.

  • Add support for the permissive modify request control, which may be used to allow a modify operation to succeed even if it tries to add a value which already exists or remove a value which does not exist. Issue:131

  • Change the way that search result entries are prepared for return to the client to make the process more efficient and create less garbage.

  • Update the access log format so that result log messages for operations containing certain controls will include information about that control. For the assertion request control, the assertion filter will be provided. For the matched values request control, the matched values filter will be provided. For the pre-read, post-read, and get authorization entry request controls, the requested attributes will be provided. For the join request control, the join rule (including nested join rules) will be provided. For the server-side sort control, the sort order will be provided. For the virtual list view request control, the offset or assertion error, before count, and after count will be provided. For the simple paged results control, the page size will be provided.

  • Update MakeLDIF to add a "" tag that can be used to include a randomly-selected date from any time within the last ten years. It is also possible to use "" to specify the desired time range, where min and max should be given in the generalized time format. Issue:1083

  • Add a new configuration property for alert handlers that makes it possible to filter the types of alerts that should be processed based on the alert severity. By default, all types of alerts will be processed.

  • Provide a new alert handler that can be used to execute a specified command whenever an alert is generated within the server. The details of the alert notification will be provided as arguments when executing that command. The arguments will be provided in the following order: the name of the alert type, the OID for the alert type, the alert severity, the fully-qualified name of the Java class that generated the alert, the unique identifier assigned to that alert, and the text of the alert message. The alert handler will ensure that only one instance of the command may be invoked at a time to avoid problems from commands that aren't safe to run concurrently. If multiple alerts are generated concurrently, then they will be queued and the command will be executed sequentially for each of them. Issue:1146
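As an added illustration (not code shipped with the product), the following Python script is the kind of command such an alert handler could be configured to execute. It receives the six positional arguments in the order listed above, validates the count, routes on severity, and appends one JSON line per alert to a file that a log shipper can tail. The sample arguments, the severity names in the routing table, the output file name and the placeholder OID and class name are all assumptions.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample invocation, in the argument order described in the note above.
# The alert type, OID and class name are placeholders, not real server values.
SAMPLE_ARGS = [
    "example-alert-type",             # name of the alert type
    "OID-PLACEHOLDER",                # OID for the alert type
    "ERROR",                          # alert severity
    "placeholder.AlertSource",        # Java class that generated the alert
    "12345",                          # unique identifier assigned to the alert
    "Constructed alert message text", # text of the alert message
]

# Routing table keyed on lower-cased severity; the severity names are an assumption.
ROUTE = {"fatal": "page", "error": "page", "warning": "ticket", "info": "log"}


def parse_alert_args(argv):
    """Map the six positional arguments to named fields (argv excludes argv[0]).
    Fails loudly on a wrong count so a mis-wired handler is noticed."""
    if len(argv) != 6:
        raise ValueError(f"expected 6 alert arguments, got {len(argv)}")
    name, oid, severity, java_class, alert_id, message = argv
    return {
        "alert_type": name,
        "alert_oid": oid,
        "severity": severity.lower(),
        "source_class": java_class,
        "alert_id": alert_id,
        "message": message,
    }


def route_for(alert):
    """Pick a downstream action; unknown severities are only logged."""
    return ROUTE.get(alert["severity"], "log")


def format_record(alert, now=None):
    """Render one JSON line with stable key order for a log shipper or SIEM."""
    now = now or datetime.now(timezone.utc)
    record = dict(alert)
    record["received_at"] = now.isoformat()
    record["route"] = route_for(alert)
    return json.dumps(record, sort_keys=True)


def main(argv=None, out_path="alerts.jsonl"):
    argv = sys.argv[1:] if argv is None else argv
    try:
        alert = parse_alert_args(argv)
    except ValueError as exc:
        print(f"alert-handler: {exc}", file=sys.stderr)
        return 2
    # The server runs only one instance of the command at a time and queues the
    # rest, so a plain append is safe here without extra file locking.
    with open(out_path, "a", encoding="utf-8") as fh:
        fh.write(format_record(alert) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the server serialises invocations, the script does not need its own locking; it does, however, exit non-zero on a bad argument count so that a misconfiguration shows up in the server's own error reporting rather than silently producing empty records.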

  • Update the ldapsearch and ldapmodify tools so that in the event that an error response is received from the server, the diagnostic message from that error response will be displayed to the user rather than the generic error message that had previously been used.

  • Add a new error log alert handler, which makes it possible to control which types of alerts should be logged (based on either the alert severity or specific alert type). Further, the severity of the log message will reflect the severity of the alert notification.

  • Update the collect-support-data tool to archive information about the upgrade history of the server installation.

  • Update the LDAP changelog so that changelog entries now contain createTimestamp, modifyTimestamp, creatorsName, and modifiersName attributes. This can be optionally disabled if desired. Issue:1163

  • Update the LDAP changelog to add support for searches using the persistent search request control.

  • Generate administrative alerts for any operation which results in a change to the defined set of access control rules in the server, including global ACIs. Issue:1203

  • Improve the mechanism used to automatically tune the number of database lock tables. It will now be more scalable on systems with more than 100 CPUs, and will operate correctly for work queue implementations which do not have an explicit number of worker threads.

  • Update the cursor-across-indexes method of priming the backend so that it can use multiple threads to prime separate databases concurrently.

  • Modify the enter-lockdown-mode and leave-lockdown-mode tools to allow them to connect to any local address rather than requiring the request to be sent over the loopback address. Issue:1144

  • Fix a bug that could cause replication to be halted if the replication window size was changed in a manner that was not coordinated across all servers. Issue:1235

  • Provide the ability to force an explicit garbage collection on startup if the initialization of any request processor takes longer than a specified period of time. This can help improve garbage collection behavior in the Directory Proxy Server when a global index is enabled and automatically primed on startup.

  • Update the LDAP connection handler to disable TLS renegotiation by default, which can eliminate a vulnerability in which a man-in-the-middle could potentially inject arbitrary cleartext between TLS negotiation and initial data from the client.

  • Allow the Berkeley DB checkpoint interval to be altered within the server configuration. It was previously hard-coded at 60 seconds.

  • Avoid setting the "-XX:ParallelCMSThreads" JVM argument on systems containing a single CPU. This option has been observed to cause the JVM to fail to run properly, particularly in virtualized environments. Issue:1300

  • Update the active operations monitor entry to include attributes which provide the number of operations and persistent searches currently in progress within the server.

  • Fix a potential problem in replication that could result in the servers becoming out of sync in the event of conflicting add operations performed on different servers concurrently. Issue:655

  • Update the UnboundID work queue to change the default capacity from unlimited to 1000 operations, and to add the ability to block for a specified period of time (up to 60 seconds by default) if the work queue is full before giving up and rejecting the operation. This can help prevent clients using asynchronous requests from being able to continually enqueue requests without bound.

  • Update the server to provide the ability to keep track of the length of time that an operation was required to wait on the work queue before being picked up for processing by a worker thread. This can be used to identify cases in which client threads were forced to wait for a long time for a worker thread to become available, which may indicate a configuration problem or problems due to an inefficient client. It is also possible to define the maximum length of time that an operation may be allowed to wait on the work queue before being rejected with a "busy" response. If queue time monitoring is enabled, then it will appear in access log messages and in the processing time histogram monitor entry, and it may be used in simple result criteria objects.
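The two notes above (bounded queue capacity with a blocking offer, and queue-time tracking with a "busy" rejection) describe one admission-control design. The following Python model is an added example of that design, not the server's own work queue: a bounded queue that blocks the submitting thread for a limited time before rejecting, records how long each operation waited before a worker took it, rejects operations that waited past a configured limit, and buckets the wait times the way a histogram monitor would. The class and function names, the histogram edges and the scenario in demo() are assumptions.

```python
import queue
import time
from dataclasses import dataclass, field

BUSY = "busy"                # result returned when the op cannot be accepted or processed
DEFAULT_CAPACITY = 1000      # default queue capacity named in the note above
DEFAULT_OFFER_WAIT = 60.0    # seconds a full queue blocks the submitter before rejecting


@dataclass
class Operation:
    op_id: int
    enqueued_at: float = field(default_factory=time.monotonic)
    queue_time: float = 0.0  # filled in when a worker picks the op up
    result: str = "success"


class WorkQueue:
    """Bounded queue that blocks submitters for a limited time and can reject
    operations that waited too long before a worker became available."""

    def __init__(self, capacity=DEFAULT_CAPACITY, offer_timeout=DEFAULT_OFFER_WAIT,
                 max_queue_time=None):
        self._q = queue.Queue(maxsize=capacity)
        self.offer_timeout = offer_timeout
        self.max_queue_time = max_queue_time  # None disables the queue-time limit
        self.rejected_full = 0
        self.rejected_stale = 0
        self.queue_times = []                 # raw samples for the histogram

    def submit(self, op):
        """Called on the client's connection thread. Returns False with a
        'busy' result if no slot frees up within offer_timeout seconds, which
        is what stops an asynchronous client from enqueueing without bound."""
        try:
            self._q.put(op, timeout=self.offer_timeout)
            return True
        except queue.Full:
            self.rejected_full += 1
            op.result = BUSY
            return False

    def take(self, timeout=None):
        """Called by a worker thread. Records how long the op waited and
        rejects it instead of processing it if that exceeds max_queue_time."""
        op = self._q.get(timeout=timeout)
        op.queue_time = time.monotonic() - op.enqueued_at
        self.queue_times.append(op.queue_time)
        if self.max_queue_time is not None and op.queue_time > self.max_queue_time:
            self.rejected_stale += 1
            op.result = BUSY
        return op


def histogram(samples, edges=(0.001, 0.01, 0.1, 1.0)):
    """Bucket queue-time samples (seconds) into len(edges)+1 ranges."""
    counts = [0] * (len(edges) + 1)
    for s in samples:
        i = 0
        while i < len(edges) and s >= edges[i]:
            i += 1
        counts[i] += 1
    return counts


def demo():
    """Constructed scenario: capacity 2, 5 ms offer timeout, 100 ms queue-time limit."""
    wq = WorkQueue(capacity=2, offer_timeout=0.005, max_queue_time=0.1)
    ops = [Operation(i) for i in range(3)]
    accepted = [wq.submit(op) for op in ops]  # third submit times out: queue full
    first = wq.take()                         # picked up promptly, processed normally
    time.sleep(0.2)                           # simulate every worker thread being busy
    second = wq.take()                        # waited > 100 ms, rejected as busy
    return {
        "accepted": accepted,
        "first_result": first.result,
        "second_result": second.result,
        "rejected_full": wq.rejected_full,
        "rejected_stale": wq.rejected_stale,
        "histogram": histogram(wq.queue_times),
    }
```

The two counters separate the two failure modes the notes describe: rejected_full is the client-side backpressure (the queue never had room), while rejected_stale catches the case the note calls out as a configuration or client-efficiency problem (the operation got in but no worker was free in time).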

  • Add support for creating a special type of equality indexes which include an optional filter such that the index will only be used for search operations whose filter contains the target filter, as well as an equality component including the target attribute.

  • Update the work queue monitor entry to include a num-busy-worker-threads attribute which indicates the number of worker threads that are in the process of actively processing a request rather than waiting for new work to do.

  • Add a new Periodic Stats Logger plugin, which can be used to write various server statistics to a file in CSV format with detailed information about processing that occurred within the Directory Server or Directory Proxy Server, as well as the JVM in which the server is running, within the interval since the last update.

  • Update the server so that it will return a result of "unavailable" rather than "unwilling to perform" for operations from unauthorized clients when operating in lockdown mode.

  • Add a number of new access loggers to the server configuration which may be used to troubleshoot problems in the server. One will log information about any operation which did not complete successfully to the logs/failed-ops log file. Another will log information about any operation which takes more than 1000 milliseconds to complete to the logs/expensive-ops file. Another will log information about search operations which did not return any entries to the logs/searches-returning-no-entries file. Of these new loggers, only the one writing to the logs/failed-ops file is enabled by default.

  • Update the UnboundID work queue to add support for maintaining separate pools of worker threads for read and write operations, which can help minimize the performance impact for read operations in the event that write operations are temporarily blocked by expensive processing (e.g., database contention, I/O backlog, etc.). It is also possible to split worker threads across multiple internal queues for reduced contention. This has been observed to provide significantly improved performance on systems with large numbers of CPUs.

  • Fix a problem which could cause a replication conflict if two modify DN operations were processed in immediate succession in such a manner that the second operation attempted to rename an entry so that it held the same DN as had previously been used by the entry targeted by the first modify DN operation.

  • Update the system information monitor entry to include information about the system account being used to run the server and a list of all system properties defined in the JVM.

  • Update the UnboundID work queue to provide the ability to select the type of queue to be used. Also, update the LDAP connection handler to provide the ability to create a separate request handler thread for each connection, rather than allowing request handlers to potentially read requests from multiple clients.

  • Add the ability to request that changes written to the server audit log be formatted in a reversible form, such that it will be easier to see exactly what change was made, and revert to the previous values used within the entry if desired. In some cases (e.g., modify DN and delete operations), comments may be used to provide information about the previous state of the entry. Issue:970

  • Add support for a number of different types of resource limits within the server, including: the maximum number of connections that may be established at any given time, the maximum number of concurrent connections from any client (based on either IP address or bind DN) or group of related clients, the maximum number of operations that may be processed over the life of a client connection, the maximum number of operations that may be processed concurrently for a single client connection, the maximum rate at which a single client or a group of related clients may request operations, the maximum length of time that a client connection may remain established, the types of request controls which may be used, the types of search filters which may be used, the minimum number of characters required in substring filters, and caps on resource consumption allowed during search operations.

  • Add the ability to compress replication communication between servers. Compression will be enabled by default when communicating with a nonlocal replication server. Issue:1319

  • Update the dbtest tool to add an option to the list-database-containers subcommand that makes it possible to list information about only a single database. This can help improve the ability to use the tool efficiently in an environment with a very large number of entries.

  • Add a new global configuration option which makes it possible to specify the maximum length of time that the server shutdown process may take before it attempts to interrupt threads which have not yet completed their processing. In most cases, server threads will react to a shutdown in a timely manner and no interrupt is needed.

  • Improve the shutdown process so that it is less likely to interrupt database threads in a way that could require a lengthy recovery process at startup. The shutdown time has been improved in the general case, and in the abnormal case the server is more patient and will wait for a longer period of time to allow for a graceful shutdown, periodically providing information about the threads that are still running. Issues:1559,1583

  • Make a change to the UnboundID work queue in order to provide a small performance improvement.

  • Update the Directory Server so that access log messages for extended operations now include human-readable names for the operation type in addition to the numeric OID when possible.

  • Fix a bug in the parallel-update tool that could cause operations to be retried even when the --neverRetry argument was provided. Also, when the tool is configured to retry operations, the reject file will now include the result code and diagnostic message received from the last failure after no more progress can be made, rather than providing a generic message.

  • Fix a bug in the collect-support-data tool that could cause it to make incorrect use of a password file when capturing the output of the status command. Issue:1593

  • Update the alert generated in the event of a replication backlog so that it no longer counts replicas that are in the process of being initialized. Issue:1123

  • Update the SNMP alert handler so that the traps it creates have a more sensible value for the uptime field. Previously, the uptime value was always zero, but it will now reflect the length of time that the Directory Server has been online.

  • Improve the accuracy of the update-sent and update-received attributes in replication server handler monitor entries.

  • Fix a problem in which percentages logged during online replica initialization were incorrect after approximately 21 million entries had been processed. Issue:1612

  • Fix a bug in which LDAP request handlers might not properly close the selectors used to read requests from clients. This could cause a memory leak over time, particularly in servers configured to use the request-handler-per-connection option.

  • Improve the access log message generated whenever a connection is terminated because of a decoding error encountered while reading data from the client. The message will now include the contents of the packet received from the client, indicating the point at which the problem was encountered.

  • Update the replication mechanism to improve the order in which changes are replayed, and to adjust the use of locking in the replay process to improve the mechanism for ensuring that dependencies between changes are properly upheld. Issue:900

  • Fix a bug in the LDAP connection handler in which the server could incorrectly handle a request in which the ASN.1 length of the LDAP message was encoded using multiple bytes that were split across separate packets.

  • Fix a bug in which a search operation which was part of an interactive transaction might not use the corresponding database transaction for part of its processing.

  • Update the Directory Server to provide the ability to retry the process of generating the index candidate list in the event of a timeout on the first attempt. Previously, if such a timeout occurred, then the server would proceed with the search as unindexed, which could be very expensive.

  • Improve the process for stopping threads when the server is shutting down, and provide additional debugging information that may be useful if any threads are slow to stop running. Issue:900

  • Update the ldap-diff tool to take advantage of the stream directory values extended operation when it is available. This can dramatically improve the performance of the tool when attempting to identify the set of all entries in the server. Issue:794

  • Update the Directory Server to make replication conflict entries invisible under normal circumstances. They will now only be visible in base-level searches, if the filter contains an equality component of "(objectClass=ds-sync-conflict-entry)", or if the request includes a control with OID 1.3.6.1.4.1.30221.2.5.13. Issue:1660

  • Update the unique attribute plugin so that it will ignore any replication conflict entries when attempting to determine whether a particular attribute value is already in use within the server. Issue:1661

  • Fix a bug in the implementation of the stream directory values extended operation that could cause it to fail to work properly across subordinate backends.

  • Update the ldap-diff tool to provide support for reading the DNs of all the entries in one or both directories from files instead of obtaining them over LDAP. In directories which do not support the stream directory values extended operation, this may provide a significantly faster way to obtain this information if it is already available in some form.

  • Fix a bug in the ldap-diff tool that could cause it to report incorrect percent complete values when comparing data sets of more than 20 million entries.

  • Change the default access log format to log only a single line per operation containing details of both the request and response rather than separate lines for requests and responses. In the case of the Directory Proxy Server, that single line will also include information about the backend server to which the request was forwarded, although forward failure messages will still be logged as separate lines by default. Issue:1677

  • Fix a problem that could cause problems with replication in the event that the base entry for a backend (which contains important replication metadata) is deleted. Issue:1003

  • Update the Directory Server to add support for interrupting the stream directory values extended operation in the event that the client connection is terminated or the request is abandoned or canceled.

  • Update a number of password storage schemes using salted digests to provide support for salts of arbitrary length rather than requiring them to use a fixed length. This can be useful for encoded passwords imported from external sources.

  • Fix a bug in the dsreplication tool that could prevent it from adding a replica into the all-servers group if replication had previously been enabled but was subsequently disabled on that replica. Issue:1674

  • Fix a bug in the upgrade tool that could cause the same warning message to be displayed multiple times if the version obtained from the server was different from what was expected (e.g., because a server jar file had previously been replaced without using the upgrade tool). Issue:1640

  • Modify the default work queue to make use of multiple queues by default, which can improve performance and scalability on multi-CPU systems.

  • Update the parallel-update tool to add the ability to use the permissive modify request control, which may be used to request that the server ignore attempts to add attribute values which are already present or remove attribute values which are not present.

  • Update the ldap-diff tool to make it more likely that its output can be replayed without any alteration. The order of operations has been updated so that all deletes are listed first, followed by all modifies, and finally all adds. In addition, all delete operations are ordered such that subordinate entries will always be removed before their ancestors.
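The ordering rule above (all deletes, subordinates before ancestors; then modifies; then adds) is easy to get wrong in ad-hoc scripts, so here is an added Python example implementing it over a constructed set of change records. It is not the ldap-diff tool's code. It also sorts adds shallowest-first so that parents exist before their children, which goes beyond what the note states. The record layout, the function names and the sample DNs are assumptions.

```python
def split_rdns(dn: str) -> list:
    """Split a DN into RDN strings on unescaped commas (backslash escapes honoured)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # keep escape pairs such as "\," intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def dn_depth(dn: str) -> int:
    """Number of RDNs; a subordinate entry always has a strictly larger depth than its ancestors."""
    return len(split_rdns(dn))


def order_for_replay(records: list) -> list:
    """Order change records so that replaying them in sequence is safe:
    deletes first (deepest DN first, so subordinates go before ancestors),
    then modifies and any other change type, then adds (shallowest first).
    sorted() is stable, so records at the same depth keep their input order."""
    deletes = sorted((r for r in records if r["changetype"] == "delete"),
                     key=lambda r: -dn_depth(r["dn"]))
    middle = [r for r in records if r["changetype"] not in ("delete", "add")]
    adds = sorted((r for r in records if r["changetype"] == "add"),
                  key=lambda r: dn_depth(r["dn"]))
    return deletes + middle + adds


def to_ldif(records: list) -> str:
    """Render minimal LDIF change records (attribute changes omitted for brevity)."""
    return "\n".join(f"dn: {r['dn']}\nchangetype: {r['changetype']}\n" for r in records)


# Constructed sample of what a diff might produce, deliberately out of order.
SAMPLE_RECORDS = [
    {"changetype": "add", "dn": "uid=n,ou=New,dc=example,dc=com"},
    {"changetype": "delete", "dn": "ou=Old,dc=example,dc=com"},
    {"changetype": "modify", "dn": "uid=a,ou=People,dc=example,dc=com"},
    {"changetype": "delete", "dn": "uid=x,ou=Old,dc=example,dc=com"},
    {"changetype": "add", "dn": "ou=New,dc=example,dc=com"},
]

if __name__ == "__main__":
    print(to_ldif(order_for_replay(SAMPLE_RECORDS)))
```

Depth ordering is sufficient for the delete phase because an entry can only be subordinate to one with fewer RDNs; it does not require the two DNs to be compared against each other at all.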

  • Update the implementation of the CRYPT password storage scheme to provide support for the 256-bit and 512-bit SHA-2 digests in the format used by the Linux and Solaris crypt tool. This may make it easier to import existing passwords from accounts in a Linux or UNIX environment.

  • Update the Directory Server to improve the ability to interrupt the process for priming backends if an attempt is made to abort the startup process.

  • Update the scripts used to stop the server to prevent them from falling through to try to stop the server over LDAP if the attempt to kill the process fails or times out, since the attempt to stop the server over LDAP would fail without at least the appropriate authentication credentials, and could potentially be dangerous in some contexts.

  • Change the process for selecting the salt used to encode passwords during LDIF import processing so that the salt is computed in a deterministic manner but that will be different for every entry. This makes it possible to preserve resistance to dictionary attacks while ensuring that passwords will be encoded in a consistent manner if the same LDIF file containing clear-text passwords is imported into multiple servers. Previously, this could cause problems if attempts were made to establish replication between those servers. Issue:1142
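Two notes above concern salted password digests: the one allowing salts of arbitrary length and this one on deterministic per-entry salts during LDIF import. The following Python example, added here and not the server's own implementation, shows both: an {SSHA} encoder and verifier that recover the salt as "everything after the digest" rather than assuming a fixed length, and an import-time salt derived from the entry DN with HMAC so that the same LDIF file encodes identically on every server while each entry still gets a distinct salt. The HMAC construction, the simplified DN normalisation and the import key are assumptions; the page does not describe how the server derives its salt.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes; the salt is whatever follows it


def encode_ssha(password: bytes, salt: bytes) -> str:
    """Encode as {SSHA}: base64(SHA-1(password || salt) || salt). Any salt length works."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: bytes, encoded: str) -> bool:
    """Verify without assuming a fixed salt length: the salt is everything after
    the 20-byte digest, so values imported from other systems still verify."""
    if not encoded.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    if len(raw) < DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())


def random_salt(length: int = 8) -> bytes:
    """Per-password random salt, the normal choice when a client sets a password online."""
    return os.urandom(length)


def normalise_dn(dn: str) -> str:
    """Simplified DN normalisation (case-fold, trim whitespace around RDNs).
    Illustration only; it ignores escaped commas and is not the server's canonicalisation."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def deterministic_salt(entry_dn: str, import_key: bytes, length: int = 8) -> bytes:
    """Derive the salt from the entry DN with HMAC-SHA256 under an import key
    (assumed construction). Same DN and key give the same salt on every server
    that imports the file; different DNs give different salts, so a single
    precomputed table still cannot cover the whole directory."""
    mac = hmac.new(import_key, normalise_dn(entry_dn).encode("utf-8"), hashlib.sha256)
    return mac.digest()[:length]


def encode_for_import(entry_dn: str, password: bytes, import_key: bytes) -> str:
    """What an LDIF import would store for a clear-text password under this scheme."""
    return encode_ssha(password, deterministic_salt(entry_dn, import_key))
```

The replication point in the note follows directly: if two servers import the same file and produce byte-identical userPassword values, there is no spurious difference for replication to reconcile, which a per-server random salt would create.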

  • Update the system information monitor entry to include information about all environment variables defined in the server process. In addition, it will now attempt to determine and report the process ID of the JVM in which the server is running.

  • Update the logic for sending an e-mail message from the server so that it will always attempt to determine the fully-qualified name of the system to include in the HELO/EHLO request. In the event that the fully-qualified name cannot be determined, then the IP address of the server will be used rather than using an unqualified name. Issue:1337

  • Update the server to make it possible to configure the length of time that name-to-IP address mappings may be cached within the server. This may be useful in environments in which the addresses associated with a particular hostname may change frequently. Issue:941

  • Update the upgrade and revert-upgrade tools to ignore directories that contain backup files. Issue:1143

  • Update the schema backend to make it possible to replace the schema using an LDIF import, and to fix a problem that could occasionally cause multiple values to be reported for the createTimestamp and modifyTimestamp attributes. Issue:1441

  • Update the Directory Server to change the implementation of the show-all-attributes configuration option in the schema and root DSE backends to be more robust, particularly for client requests that explicitly request a specific set of attributes. Issue:1590

  • Update the logic used to identify previous log files that had been rotated so that only files with names that might have been created by the rotation process will be candidates for removal by the retention policy. Issue:1285

  • Update the Directory Server to add a search shutdown plugin which can be used to perform a specified internal search when the server is shutting down and have the results of that search written to a specified file. This may be useful, for example, to automatically dump the contents of the monitor backend on shutdown. Issue:1334

  • Fix a potential bug in the access control handler to correct its behavior for access control rules with a deny action without any target attribute specification. Issue:1269

  • Update the server so that when creating a duplicate of an existing configuration object, some key properties may be excluded from the clone so that they must be explicitly configured by the administrator rather than automatically using the same value as the object being duplicated. This can help prevent problems in which a duplicated value was inadvertently used. Issue:1675

  • Add support for a new CLIENT-CERTIFICATE access log message type which can be used to log information about any certificate presented by a client when negotiating a secure communication channel. Issue:1756

  • Update the Directory Server to provide an option to automatically authenticate clients that have presented their own certificate during SSL or StartTLS negotiation. This option is disabled by default. Issue:1748

  • Update the replication mechanism to generate an administrative alert if too many outstanding changes are detected at startup. In addition, the server will place itself in a degraded operation mode until the backlog has been reduced below a configured threshold. Issue:1606

  • Fix a bug in the upgrade tool that could cause it to behave incorrectly if the server contained custom extensions. Issue:1469

  • Fix a bug that may cause intermittent failures for search operations with large result sets when SSL or StartTLS is in use. Issue:1330

  • Update the replication server to provide the ability to listen for communication with other replication servers only on a specific address rather than all addresses associated with the system. Issue:940

  • Fix a bug in replication monitor entries that could cause the server to incorrectly report that another replica was up to date if a response could not be obtained from that replica in a timely manner. The monitor will now reflect the last known state of that replica rather than always reporting that it is up to date. Issue:1607

  • Add a plugin which may be used to allow the server to act as an SNMP sub-agent rather than requiring it to always operate only as a master agent. Issue:1723

  • Update the Directory Server to fix a bug that could interfere with the ability to use compressed communication with replication servers. Issue:1708

  • Update the Directory Server so that the firstChangeNumber and lastChangeNumber attributes are included in the set of operational attributes which may be treated as user attributes if the show-all-attributes option is enabled. Issue:1825

  • Fix a bug in the server in which the namingContexts attribute of the root DSE could incorrectly contain DNs which are subordinate to other DNs already present in the list of naming contexts (e.g., if the server is configured with subordinate backends or nested subtree views).

  • Update the server to generate an administrative alert when starting or completing an index rebuild, and to mark that server as degraded while the rebuild is in progress. Issue:1603

  • Update the Directory Server to add official support for LDAP transactions as defined in RFC 5805. This implementation is identical to the existing support for batched transactions, but now uses the official OIDs for the controls and extended operations as defined in the RFC. Issue:1811

  • Add a tool which may be used to dump the DNs of all entries below a specified base DN in the server. This tool uses the stream directory values extended operation and may therefore operate in a very efficient manner.

  • Update the setup process so that the server will be configured without an LDAP connection handler if the "--no-prompt" argument is provided without an "--ldapPort" argument. This option is only available for use when using the non-interactive setup mechanism. Issue:1759

  • Update the server to improve logging performance under heavy load, particularly on systems with relatively slow single-threaded performance.

  • Update the replication mechanism to help avoid cases in which a replication server may be flooded with the same set of changes from multiple servers after being offline for an extended period of time. Issue:1815

  • Change the behavior of the dsconfig tool when creating a new configuration object so that the user will first be prompted about whether to create a completely new configuration object or clone an existing object. This simplifies the interface and makes it less likely that an administrator will incorrectly attempt to clone an existing object rather than creating a new one. Issue:1747

  • Fix a bug that could potentially cause an error message to be reported when attempting to access a database in read-only mode when that database did not contain compaction information for all base DNs associated with that backend. This could cause unexpected errors in some rare corner cases (e.g., attempting to perform an LDIF export of a backend that has never been initialized and does not contain any database files). Issue:1114

  • Update a number of access log retention policies to make them more robust and to fix bugs that could prevent old log files from being removed when the appropriate conditions were met. Over long periods of time, this could potentially cause available disk space to run low and necessitate the manual removal of files to avoid running out of space. Issue:1867

  • Update the dsreplication tool so that when operating on an existing server (e.g., to initialize or disable a server), the user is allowed to choose the target server from a list rather than being prompted to enter all of the information for connecting to the server. Issues:1613,1893

  • Update the Directory Server to add the ability to limit the number of unindexed searches which may be in progress at any given time. This can help avoid problems in cases in which unindexed searches may be occasionally required if the client issuing those searches does so too frequently and consumes all available worker threads.

  • Update the Directory Server to make it possible to prioritize the way that information is stored in the database cache. It is now possible to indicate that contents of some system or attribute indexes should be considered high priority, while the contents of others should be considered low priority or perhaps not cached at all. This capability may be useful to achieve optimal performance and memory behavior on systems which do not have enough memory to fully cache all database contents.

  • Modify the upgrade process so that schema definitions are always migrated before the configuration. In some rare cases, attempting to migrate the configuration before the schema could lead to failures in the upgrade process. Issue:1812

  • Update the server to include more useful information in access log messages reporting the closure of a client connection as a result of an I/O error.

  • Update the changelog backend so that changelog records for deleted entries may include the values of a specified set of virtual attributes associated with an entry at the time it was removed. Issue:1897

  • Fix a bug in the Directory Server in which it could potentially return entries that were outside the requested search scope when processing a search across subordinate backends. Issue:1934

  • Fix a potential problem in the replication server that could cause attempts to communicate with other replicas to fail if any of them were in a state in which they accepted TCP connections but did not respond to any communication attempts. Issue:1434

  • Fix a potential bug in replication that could cause delete operations made in quick succession to be replayed out of order, which could result in failures if the deleted entries had a hierarchical relationship (e.g., a parent and its child). Issue:1701

  • Update the repeated characters password validator to provide the ability to reject a password if it contains multiple consecutive characters from the same character set, rather than only rejecting passwords with the same character repeated too many times. Issue:1940

  • Add support for a new regular expression password validator which can be used to require that all passwords match a given pattern, or to reject any password which matches a given pattern. Issue:1941
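
    The following is an added example, not the server's own validator code, that implements the two checks described in the two notes above: a repeated-characters check that can count either identical repeated characters or consecutive characters drawn from the same character set, and a regular expression check that can either require a pattern or reject any password matching one. The character set names, the default threshold of three, and the two sample patterns are assumptions chosen for illustration.

```python
import re
import string

# Character sets used by the "same character set" mode. The set names and the
# default threshold are assumptions for this example, not server configuration.
CHARACTER_SETS = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}

# Sample patterns (assumed): require a digit, an uppercase letter and 8+ chars;
# forbid the word "password" anywhere, case-insensitively.
REQUIRED_PATTERN = r"^(?=.*\d)(?=.*[A-Z]).{8,}$"
FORBIDDEN_PATTERN = r"(?i)password"


def character_set(ch):
    """Name of the character set `ch` belongs to ("other" if none)."""
    for name, members in CHARACTER_SETS.items():
        if ch in members:
            return name
    return "other"


def longest_run(password, key):
    """Length of the longest run of consecutive characters sharing the same key(ch)."""
    best = run = 0
    previous = None
    for ch in password:
        current = key(ch)
        run = run + 1 if current == previous else 1
        best = max(best, run)
        previous = current
    return best


def repeated_characters_ok(password, max_consecutive=3, same_character_set=False):
    """Repeated-characters check. Same-character mode rejects e.g. "aaaa";
    same-character-set mode also rejects e.g. "abcd" (four lowercase in a row)."""
    key = character_set if same_character_set else (lambda ch: ch)
    return longest_run(password, key) <= max_consecutive


def regex_ok(password, pattern, must_match=True):
    """Regular-expression check. must_match=True requires the pattern to match
    (anchor it with ^...$ to constrain the whole password); must_match=False
    rejects any password the pattern matches anywhere."""
    matched = re.search(pattern, password) is not None
    return matched if must_match else not matched


def validate(password, max_consecutive=3, same_character_set=True,
             required_pattern=None, forbidden_pattern=None):
    """Runs both validators and returns the reasons the password was rejected
    (an empty list means it was accepted)."""
    reasons = []
    if not repeated_characters_ok(password, max_consecutive, same_character_set):
        reasons.append("too many consecutive characters from the same character set"
                       if same_character_set else
                       "a character is repeated too many times in a row")
    if required_pattern and not regex_ok(password, required_pattern, True):
        reasons.append("does not match the required pattern")
    if forbidden_pattern and not regex_ok(password, forbidden_pattern, False):
        reasons.append("matches a forbidden pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "Tr0ub4dor&3", "password123"):
        print(candidate, validate(candidate, required_pattern=REQUIRED_PATTERN,
                                  forbidden_pattern=FORBIDDEN_PATTERN))
```

    Note that `Passw0rd!` passes the regex rules but fails the same-character-set mode because `assw` is four consecutive lowercase letters; the older same-character mode would have accepted it.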

  • Update the dsreplication tool to better handle scenarios in which the name provided by a user to reference a server does not match the name stored for that server in the administration data repository. Issue:1613

  • Modify the upgrade tool so that it will not attempt to initialize the replication subsystem during upgrade processing. Issue:1953

  • Update the Directory Server to fix potential problems in its support for SSL or StartTLS communication if the server was not able to access a complete block of encrypted information at once. Issue:1330

  • Fix a bug that could prevent a disabled access logger from being removed from the server configuration.

  • Update the server to prevent multiple loggers from being configured with the same target log file. Issue:1676

  • Update the Directory Server so that it will generate an administrative alert if an attempt to initialize a backend fails. Previously, this would have resulted in a message written to the error log but would not have caused an administrative alert. Issue:1475

  • Update the Directory Server to add the ability to identify that some databases within a backend should be primed in their entirety while others should have only their internal nodes primed.

  • Update the Directory Server to introduce a significantly more compact encoding for the index which correlates entry DNs and entry IDs.

  • Update the Directory Server to add the ability to prime the contents of a backend into the filesystem cache using non-sequential reads, to work around filesystems like ZFS that do not cache extended sequential reads. Also, make it possible to configure multiple prime methods for a single backend.

  • Significantly revise the upgrade tool in an attempt to make it more robust and minimize the amount of work required for performing an upgrade. Issues:1927,1931,2031,2037

  • Add support for a new search-and-mod-rate command line tool which operates in a manner similar to the searchrate tool but that will also modify any entries returned from the search.

  • Modify the way that the Directory Server compresses entries for storage in the JE backend. The previous implementation caused the server to consume a significant amount of memory, which eliminated any potential benefit of compressing the entries.

  • Fix a potential bug in the way that the search time limit is enforced that could cause a time limit exceeded result to be returned too soon in a rare corner case.

  • Update the Directory Server so that access log messages for replicated changes may optionally include the replication change number.

  • Rename the upgrade tool to be "update", and rename the revert-upgrade tool to be "revert-update".

  • Update the Directory Server to add support for removing replication artifacts from the server. A new "-R" option has been provided to the export-ldif tool that can cause the resulting LDIF file to exclude replication state information, and a cleanup-local-server tool has been added that can be used to remove all replication-related information from the configuration, schema, and server registry. Issue:1913

  • Update the dsreplication tool so that when disabling replication in a server, all replication state is removed from the disabled backends and historical values are removed from the server registry. Issue:1913

  • Update the Directory Server to fix a bug in access control evaluation that could cause evaluation to be performed incorrectly for filters containing a NOT component. This could cause the server to incorrectly prevent clients from seeing search result entries that they should have been allowed to access. Issue:1757

  • Update the Directory Server to log information during task processing that may not have been previously captured in the task entry. This primarily impacted LDIF import and export tasks, and index rebuild and verify tasks.

  • Update the Directory Server to correctly handle delete operations which included the subtree delete request control. Issue:2066

  • Update the Directory Server to provide the option to use a dedicated evictor thread for evicting content from the database cache. This may help provide better and more consistent performance in environments which do not have enough memory to fully cache all database contents.

  • Update the Directory Server so that it will prefer to connect to a co-resident replication server under most conditions rather than connecting to an external replication server instance. Issue:1946

  • Update the Directory Server to make the lockdown-mode privilege usable by non-root users. Issue:1109

  • Update the server so that it includes a patch version number in addition to the existing major, minor, and point version numbers. This can help better distinguish versions with the same major, minor, and point version numbers which differ only based on patches applied.

  • Update the Directory Server to abort the startup process with an error message if the admin data backend includes a malformed entry. Previously, malformed entries in the admin data backend would be silently ignored. Issue:2049

  • Update the Directory Server to make the online replica initialization process significantly more efficient. Issue:1915

  • Update the dsreplication tool to warn the user if the supplied hostname is not fully qualified, which may cause problems in environments with multiple subdomains. Issue:2093

  • Update the Directory Server so that the schema backend uses a new 99-schema-backend-state.ldif file to store state information rather than including it in 99-user.ldif. Issue:1056

  • Fix a problem with the way that schema replication could be performed if the schema was modified with the server offline and those modifications included malformed schema elements. Issue:986

  • Update the collect-support-data tool to change the way that the jstack tool is invoked to dramatically reduce the impact that it has on the running process. Issue:2038

  • Update the Directory Server to add the ability to collect high-precision timing for various phases of operation processing. A new operation timing access logger is available that can be used to get access to this information.

  • Update the access logger so that updates to replica state information in the base entry for a replication domain are excluded by default. Issue:1804

  • Update the dsreplication tool so that it is less likely to incorrectly warn an administrator that the initialization process has hung. Issue:1952

  • Update the export-ldif and verify-index tools so that they can be used against a server whose database files are contained on a read-only filesystem, including a ZFS snapshot. Issue:71

  • Update the Directory Server to dramatically improve the performance exhibited when making topology changes to a large replication environment. Issue:2061

  • Update the Directory Server to add the ability to monitor the process of opening a Berkeley DB Java Edition environment for a backend. In the event that the open process takes a significant amount of time (e.g., because a database recovery is in progress), the server notifies the administrator that startup is still in progress and directs them to the JE log file for information on the progress of opening the environment. Issue:967

  • Update the alert backend to be able to handle entries with unrecognized alert types. This is unlikely to occur in normal conditions, but could cause a problem in deployments in which the server was upgraded and subsequently reverted, and an alert was generated in the upgraded server that uses an alert type not defined in the older version. Issue:2126

  • Change the way that the worker thread percent busy values are calculated in the work queue monitor entry to make them more accurate. Also, add new recent-average-queue-size and current-worker-thread-percent-busy monitor attributes. Issue:1982

  • Update the Directory Server to require Berkeley DB Java Edition version 3.3.100.

  • Update the Directory Server to provide the ability to detect the addition of new tools when updating from one version to another. If one or more new tools are provided, the java.properties file will be updated to provide an appropriate JVM configuration for them. Issues:2148,2150

  • Update the dsreplication tool so that the status subcommand includes the ability to determine if an external initialization is in progress. Issue:1309

  • Add a new pre-parse bind plugin that can be used to intercept a simple bind request and convert it to a SASL EXTERNAL bind under the appropriate conditions. This may be necessary to provide compatibility for some broken LDAP clients (in particular, Microsoft Outlook) which expect the server to authenticate the client automatically using the certificate presented during TLS negotiation and then ignore a subsequent anonymous simple bind.

  • Update the Directory Server so that it will generate an administrative alert and place the server in a degraded state if a failure is encountered while initializing the replication server. Issue:2052

  • Modify the update process to require that the system user performing the update is the same as the system user used to run the server. This will help prevent files from being created or altered during the update process with permissions that would prevent the server from being able to access them when the server is started as the appropriate user. Issue:2158

  • The SNMP MIB files have been moved to resource/mib. There are now no differences in the alert MIB provided with Directory Server and Directory Proxy Server. Issue:2170

  • Modify the update tool to ensure that the documentation is updated for the new release if appropriate. Issue:2178

  • Update the dsconfig tool and the Web administration console so that they inform the administrator of any administrative action (e.g., disabling and re-enabling the affected component, or restarting the server) that may be required as a result of a configuration change about to be made. Issues:211,2132

  • Update the subject attribute to user attribute certificate mapper to provide support for VeriSign certificates whose subject contained an emailAddress attribute with an unusual encoding. Issue:2177

  • Update the Directory Server support for the LDAP join control to include a new reverse DN join rule type, which can be used to perform joins in which the target entries include a specified attribute with a value that is the DN of the source entry. Issue:2218
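
    The following is an added example, not the server's implementation of the join control, that models the difference between a DN join and the new reverse DN join over a small set of constructed entries. In a DN join the source entry's attribute (here `manager` or `member`) holds the DNs of the target entries; in a reverse DN join the target entries are those whose attribute holds the DN of the source entry. The entries, the simplified DN normalization, and the optional join base DN are assumptions for illustration.

```python
# Constructed sample entries (not from any real directory); keys are entry DNs.
ENTRIES = {
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["Bob"]},
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["Alice"],
        # same DN as Bob's entry, written with different case and spacing
        "manager": ["UID=Bob, OU=People, DC=example, DC=com"]},
    "uid=carol,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["Carol"],
        "manager": ["uid=bob,ou=People,dc=example,dc=com"]},
    "uid=dave,ou=Contractors,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["Dave"],
        "manager": ["uid=bob,ou=People,dc=example,dc=com"]},
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "uid=bob,ou=People,dc=example,dc=com"]},
}


def normalize_dn(dn):
    """Simplified DN normalization: lower-case and strip whitespace around RDN
    separators. Real DN matching also handles escaping and attribute syntaxes;
    this is assumed adequate for the constructed entries above."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_subordinate(dn, base_dn):
    """True if dn is the base DN or lies below it."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def dn_join(source_dn, source_attr, entries, base_dn=None):
    """DN join: the source entry's `source_attr` holds the DNs of the targets."""
    wanted = {normalize_dn(v) for v in entries[source_dn].get(source_attr, [])}
    return sorted(dn for dn in entries
                  if normalize_dn(dn) in wanted
                  and (base_dn is None or is_subordinate(dn, base_dn)))


def reverse_dn_join(source_dn, target_attr, entries, base_dn=None):
    """Reverse DN join: the targets are the entries whose `target_attr` holds
    the DN of the source entry."""
    wanted = normalize_dn(source_dn)
    return sorted(dn for dn, attrs in entries.items()
                  if any(normalize_dn(v) == wanted for v in attrs.get(target_attr, []))
                  and (base_dn is None or is_subordinate(dn, base_dn)))


if __name__ == "__main__":
    bob = "uid=bob,ou=People,dc=example,dc=com"
    alice = "uid=alice,ou=People,dc=example,dc=com"
    print("Alice's manager (DN join):", dn_join(alice, "manager", ENTRIES))
    print("Bob's reports (reverse DN join):", reverse_dn_join(bob, "manager", ENTRIES))
    print("Bob's reports under ou=People:",
          reverse_dn_join(bob, "manager", ENTRIES, "ou=People,dc=example,dc=com"))
    print("Groups containing Alice (reverse DN join):",
          reverse_dn_join(alice, "member", ENTRIES))
```

    The reverse direction is the one that previously required a second search (for example `(manager=<dn>)` after retrieving the source entry); with the reverse DN join rule the server can attach those entries to the source entry in the same search result.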