Ping Identity Directory Server Release Notes
Notes for the following versions of the Ping Identity Directory Server are available in this document:
Updating to the latest version of the Directory Server addresses the following critical issues from previous versions. Affected servers should be updated.
Addressed an issue where replication could incorrectly detect a backlog that never clears when updating from a pre-7.3 to a 7.3 or later version. This issue requires that servers were previously removed from the topology, and it has been seen rarely.
Fixed an issue that could cause the server to report an "Unable to decode a blacklist key" error while trying to open a local DB backend after an unclean shutdown.
The following enhancements were made to the topology manager to make it easier to diagnose the connection errors described in PDSTAGING-570:
- Added monitoring information for each failed outbound connection from a server to one of its configured peers (including how long the connection has been failing and the last error message seen when the failure occurred), along with the total number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.
The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the affected files were written with permissions that make their contents accessible only to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users nor any other data from their entries should have been affected. We have introduced new automated tests to help ensure that such incidents do not recur.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.
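The remediation above is easier to scope if you can tell whether a given password actually reached a log. The following script is an added example, not code from these release notes or from the Directory Server: given the password files that were passed to the affected tools, it reports every log line that contains one of those values verbatim and produces a redacted copy. It assumes only that a password file holds the password on its first line; nothing is assumed about the tool invocation log format, and the log lines, paths and arguments in the embedded sample are constructed for illustration.

```python
"""Find and redact clear-text passwords that leaked into log files.

Added example, not part of the release notes or of the Directory Server.
Assumption: a password file holds the password on its first line (trailing
newline ignored). Nothing is assumed about the log format; each log is
treated as plain text and searched for the exact password value.
"""
from pathlib import Path
from typing import Dict, List, Tuple

REDACTED = "***REDACTED***"
MIN_SECRET_LENGTH = 6  # refuse to search for values so short they would match everywhere


def load_secrets(password_files: List[str]) -> Dict[str, str]:
    """Map each password file path to the password it contains (first line)."""
    secrets = {}
    for path in password_files:
        first_line = Path(path).read_text(encoding="utf-8").splitlines()[:1]
        value = first_line[0].rstrip("\r\n") if first_line else ""
        if value:
            secrets[path] = value
    return secrets


def scan_log(log_text: str, secrets: Dict[str, str]) -> Tuple[List[Tuple[int, str]], str]:
    """Search log_text for each secret value.

    Returns (hits, redacted_text). hits is a list of (line_number, password_file)
    pairs, one per line per leaked value; redacted_text is the log with every
    occurrence of a leaked value replaced by REDACTED. A line that contains
    only the *path* of a password file is left alone: only the value is a leak.
    """
    for label, value in secrets.items():
        if len(value) < MIN_SECRET_LENGTH:
            raise ValueError(f"{label}: value too short to search for safely")
    hits = []
    out = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for label, value in secrets.items():
            if value in line:
                hits.append((line_no, label))
                line = line.replace(value, REDACTED)
        out.append(line)
    trailer = "\n" if log_text.endswith("\n") else ""
    return hits, "\n".join(out) + trailer


def scan_files(log_paths: List[str], secrets: Dict[str, str], rewrite: bool = False) -> Dict[str, List[Tuple[int, str]]]:
    """Scan each log file; optionally overwrite it in place with the redacted copy."""
    report = {}
    for path in log_paths:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        hits, redacted = scan_log(text, secrets)
        if hits:
            report[path] = hits
            if rewrite:
                Path(path).write_text(redacted, encoding="utf-8")
    return report


# Constructed sample: illustrative tool invocation lines (not the real log
# format) in which one passphrase was logged instead of its file path.
SAMPLE_SECRETS = {
    "/opt/ds/config/backup.pw": "hunter2-backup-passphrase",
    "/opt/ds/config/admin.pw": "adm1n-Secret!",
}
SAMPLE_LOG = """\
[02/Mar/2019:09:14:05 -0600] backup --backendID userRoot --encrypt --encryptionPassphraseFile /opt/ds/config/backup.pw
[02/Mar/2019:09:20:11 -0600] export-ldif --backendID userRoot --encryptLDIF --encryptionPassphraseFile hunter2-backup-passphrase
[02/Mar/2019:09:31:40 -0600] stop-server --bindPasswordFile /opt/ds/config/admin.pw
"""

if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG, SAMPLE_SECRETS)
    for line_no, label in found:
        print(f"line {line_no}: value of {label} appears in clear text")
    print(cleaned)
```

Run it against logs/tools/*.log with the password files you actually passed on the command line; a hit means that password should be rotated as described above, and the redacted copy (or deletion of the log) closes the exposure on disk.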
Addressed an issue where an InvalidKeyException could occasionally be reported by import-ldif. The error message for this problem resembles, "An unexpected error occurred during merge processing for index 'dc_example_dc_com_sn.equality': InvalidKeyException: The provided passphrase is invalid."
Addressed an issue in "dsreplication enable/initialize" that prevented servers from some previous versions (5.2.0.5 and earlier and 6.0.0.*) from initializing newer servers. Servers from these prior versions can now be used to enable replication with current versions of the server.
Fixed a very rare race condition with the Frequently Accessed Entry Cache which could lead to an index being marked as degraded and requiring a rebuild.
The problem is unlikely to happen outside of testing environments since it requires modifying a single entry over 1000 times per second across multiple servers concurrently.
Addressed an issue where an index key could incorrectly be reported as exceeding the index-entry-limit after one billion entries had been imported or added to the directory server. The directory server does not need to contain one billion entries at the same time to be affected by this issue since the entry ID will always increase for each added entry even if entries are deleted. Environments that have experienced this issue should export and reimport their data after applying this patch.
Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation.
Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain.
Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured.
Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup when:
1) Server B had not received changes directly from a client for a long time (beyond the purge delay),
2) since the last successful change, Server B had processed a client operation that got far enough into operation processing to generate a change sequence number (CSN) but was later rejected by the server,
3) Server A was shut down, and
4) while Server A was shut down, Server B processed one or more changes directly from a client.
Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated).
Fixed an issue where opening the backend database might fail with an IllegalStateException that references "exploded-index-background-deletes" when there are several backend exploded indexes.
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.
Added a fail safe to the pending changes queue for the Changelog Backend that can detect and ignore recovered changes that do not need to be committed in order to prevent holding up other changes in the queue.
Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.
SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.
It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination.
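As an added example (not part of the release notes and not shipped with the server), the following script turns that advice into a check that can be run over an access log. It assumes the default text access log layout described above: a bracketed timestamp, a message type such as CONNECT, SECURITY-NEGOTIATION or DISCONNECT, and then key=value fields, with CONNECT messages carrying the client address in a from= field. The log lines embedded in it are constructed, and because the exact wording of the disconnect reason for a refused SSLv3 handshake is not given here, the disconnect check is a case-insensitive substring match rather than an exact one.

```python
"""Report LDAP clients that negotiated (or were refused) an insecure TLS
protocol, from Ping Directory access log lines.

Added example; not part of the release notes or of the server. Assumes the
text access log layout: "[timestamp] MESSAGE-TYPE key=value key="value" ...",
with CONNECT carrying from="client:port" and SECURITY-NEGOTIATION carrying
protocol="..." and cipher="...". The exact DISCONNECT reason text for a
refused SSLv3 handshake is not known here, so it is matched by substring.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<type>[A-Z][A-Z -]*[A-Z])\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into its message type and key/value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "type": m.group("type")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def find_insecure_tls_clients(log_text: str, insecure=("SSLv3",)) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map client host -> [(conn id, event, detail)] for insecure negotiations.

    CONNECT messages resolve a connection ID to the client address (the
    ephemeral port is dropped so repeat offenders group together). Connection
    IDs restart when the server restarts, so scan one log file at a time.
    """
    client_of = {}
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or "conn" not in rec:
            continue
        conn, mtype = rec["conn"], rec["type"]
        if mtype == "CONNECT":
            client_of[conn] = rec.get("from", "unknown")
            continue
        host = client_of.get(conn, "unknown").rsplit(":", 1)[0]
        if mtype == "SECURITY-NEGOTIATION" and rec.get("protocol") in insecure:
            findings[host].append((conn, "negotiated " + rec["protocol"], rec.get("cipher", "")))
        elif mtype == "DISCONNECT":
            reason = rec.get("reason", "")
            if any(p.lower() in reason.lower() for p in insecure):
                findings[host].append((conn, "rejected", reason))
    return dict(findings)


# Constructed sample log (not captured from a real server): one client on
# StartTLS with TLSv1.2, two legacy clients on SSLv3, one refused after SSLv3
# was disabled. The DISCONNECT reason wording is an assumption.
SAMPLE_LOG = """\
[15/Oct/2014:10:01:02.100 -0500] CONNECT conn=12 from="10.0.0.5:49152" to="10.0.0.1:636" protocol="LDAPS"
[15/Oct/2014:10:01:02.150 -0500] SECURITY-NEGOTIATION conn=12 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
[15/Oct/2014:10:01:03.000 -0500] CONNECT conn=13 from="10.0.0.7:50001" to="10.0.0.1:389" protocol="LDAP"
[15/Oct/2014:10:01:03.200 -0500] EXTENDED REQUEST conn=13 op=0 msgID=1 requestOID="1.3.6.1.4.1.1466.20037"
[15/Oct/2014:10:01:03.300 -0500] SECURITY-NEGOTIATION conn=13 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
[15/Oct/2014:10:01:04.000 -0500] CONNECT conn=14 from="10.0.0.9:50002" to="10.0.0.1:636" protocol="LDAPS"
[15/Oct/2014:10:01:04.100 -0500] SECURITY-NEGOTIATION conn=14 protocol="SSLv3" cipher="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
[15/Oct/2014:10:01:05.000 -0500] CONNECT conn=15 from="10.0.0.11:50003" to="10.0.0.1:636" protocol="LDAPS"
[15/Oct/2014:10:01:05.050 -0500] DISCONNECT conn=15 reason="Client attempted to use the disallowed SSLv3 protocol"
"""

if __name__ == "__main__":
    for host, events in sorted(find_insecure_tls_clients(SAMPLE_LOG).items()):
        for conn, event, detail in events:
            print(f"{host}\tconn={conn}\t{event}\t{detail}")
```

Feed it the contents of logs/access (one file at a time, since connection IDs are only unique within a server run). The `insecure` tuple can be widened, for example to also flag TLSv1 once you decide to retire it, and the same CONNECT-to-host join gives you the list of clients to contact before you do.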
Fixed a problem that could interfere with access to an exploded attribute index after performing an online index rebuild for that attribute.
Fixed a bug in the low-level protocol buffer code that could result in "uncaught exception" errors.
Improved server stability by disabling the explicit garbage collections that were being triggered by JMX connections.
Fixed a bug in the LDAP Changelog where the changelog index manager could capture new changes for an attribute in one index after already reaching the end of another index. This created the possibility of changes being missed when get-changelog-batch requests were processed while live traffic was arriving.
Fixed a bug that allowed users with expired passwords to change attributes in their own entry other than the password.
Addressed an issue where a directory server might resend duplicate changes when processing a GetChangelogBatch request in an environment under heavy load.
Updated the PingDirectory Server to apply access controls when processing the GetAuthorizationEntryRequestControl.
Fixed a bug where PingDirectory Servers could miss some update messages in large topologies after a restart.
Following are notes for version 7.3.0.7 of the Directory Server.
The following issues have been resolved with this release of the Directory Server:
Fixed an issue that could prevent the simple request criteria from properly evaluating a target entry filter or group membership for a modify DN operation after the change had already been applied to the backend. Issue:DS-39882
Fixed an issue that could cause access log messages for bind and StartTLS results to report the client connection policy that had previously been assigned to the connection rather than the new policy that is in place as a result of the operation. Issue:DS-39589
Fixed an issue where the restore tool was not restoring all dependencies of an incremental backup. Issue:DS-40154 SF#:00667875
Improved import-ldif indexing performance. Issue:DS-40951 SF#:00673457
Fixed an issue that prevented assured replication from working for requests received via SCIM or the REST API. Issue:DS-40561 SF#:00673606
Fixed an issue where the server was attempting to connect by an IP address rather than a hostname when DNS lookup was successful. Issue:DS-40366 SF#:00668508
To support multiple trace loggers, each trace logger now has its own resource key, which is shown in the "Resource" column of the "status" tool's output. This key allows a separate alarm to be raised for each trace logger that is logging sensitive message types. Issue:DS-37955
Fixed an issue that could cause references to old servers to remain in config.ldif files after remove-defunct-server was run. Issue:DS-40263 SF#:00667501
Fixed verify-index to correctly validate substring indexes containing multi-byte UTF-8 characters. Issue:DS-40321 SF#:00667874
Fixed an issue that stopped new extensions from being installed. Issue:DS-41054 SF#:00677974
Added a --duration argument to collect-support-data. When used, only the log files covering the specified duration before the current time will be collected. Issue:DS-40771
Users who were migrated from the admin backend to the topology can now manage the topology: migrated users are granted the "manage-topology" privilege if they do not already have it. Issue:DS-39799
Added a cache for password policies stored in user data rather than in the configuration. The cache will hold up to 500 policies by default, but the cache size can be configured (or the cache disabled) using the maximum-user-data-password-policies-to-cache property in the global configuration. Issue:DS-40681
Fixed a memory leak when performing SCIM queries on the Directory Server. Issue:DS-41206 SF#:00681395
These issues were resolved with version 7.3.0.5 of the Directory Server:
Critical: Addressed an issue where replication could incorrectly detect a backlog that never clears when updating from a pre-7.3 to a 7.3 or later version. This issue requires that servers were previously removed from the topology, and it has been seen rarely. Issue:DS-40955
Critical: Fixed an issue that could cause the server to report an "Unable to decode a blacklist key" error while trying to open a local DB backend after an unclean shutdown. Issue:DS-40788
These issues were resolved with version 7.3.0.4 of the Directory Server:
Fixed an issue where some state associated with a JMX connection was not freed after the connection was closed. This led to a slow memory leak in servers that were monitored by an application that created a new JMX connection each polling interval. Issue:DS-40828
Fixed an issue in which an account that had been temporarily locked after too many failed authentication attempts could become re-locked with fewer than the expected number of subsequent failed attempts after the previous lockout period had elapsed. Issue:DS-40799
Fixed an issue with the interaction between deprecated password storage schemes and forced password reset. If a user's password is reset by an administrator using a password storage scheme that is subsequently configured as deprecated, the act of re-encoding the password with the new default scheme would have incorrectly cleared the password reset flag. Issue:DS-40744
These issues were resolved with version 7.3.0.3 of the Directory Server:
Fixed an issue that could cause the server to leak a small amount of memory each time it failed to establish an LDAP connection to another server. Issue:PDSTAGING-840
Fixed an issue where an LDAP search across entry-balanced server sets sometimes returned 0 (success) even though all servers in one of the sets failed with a timeout. The search should return 52 (unavailable) in this situation. Issue:DS-40327 SF#:00672852
Important upgrade considerations for version 7.3.0.1 of the Directory Server:
The remove-sample-directory-data-aci.ldif file provided with the Delegated Admin installation package was updated in version 3.5.0 to reinstate permissions for users to change their own password (self-service password reset). If you have used an earlier version of this LDIF file, then consider manually adding the following ACI from the updated version:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Allow users to update their own password"; allow (write) userdn="ldap:///self";)
These issues were resolved with version 7.3.0.1 of the Directory Server:
Fixed an issue where Delegated Admin would not work properly if the name of the REST Resource Type was not the same as the resource endpoint. Issue:DS-39347
Fixed an issue in which the management console was improperly sanitizing a server's hostname, which prevented switching servers in the console's Server drop-down list. Issue:DS-39510
Updated the Groovy scripting language version to 2.5.7. For a list of changes, visit groovy-lang.org and view the Groovy 2.5 release notes. As of this release, only the core Groovy runtime and the groovy-json module are bundled with the server. To deploy a Groovy-scripted Server SDK extension that requires a Groovy module not bundled with the server, such as groovy-xml or groovy-sql, download the appropriate jar file from groovy-lang.org and place it in the server's "lib/extensions" directory. Issues:DS-39176,DS-39308
Delegated Admin enhancements for constructed attributes.
- Allow a required attribute to be read-only if it is constructed.
- Add a configured list of "Update Constructed Attributes" on the REST resource type, similar to the "Post Create Constructed Attributes", so that constructed attributes can be updated when dependent attributes change.
- Handle constructed attributes which reference other constructed attributes. Issues:DS-39525,DS-39526
Fixed an issue where Delegated Admin search results were truncated and invalid upon encountering a Directory entry containing a Boolean or Integer syntax attribute whose values were invalid because they did not conform to the appropriate syntax. With this fix, the offending values are omitted from the results and a warning message is logged to the server errors log. Issue:DS-39693
Added a "cn=Server Status Timeline,cn=monitor" monitor entry to track a history of the local server's last 100 status changes and their timestamps. Updated the LDAP external server monitor to include attributes tracking health check state changes for external servers. The new attributes include the number of times a health check transition has occurred, timestamps of the most recent transitions, and messages associated with the most recent transitions. Issue:DS-17278
Fixed an issue that allowed replicated subtree deletes to cause OutOfMemory errors on replicas. Also fixed a related issue that would cause the replication log to fill up with mild errors. Issue:DS-39873 SF#:00670156
Important upgrade considerations for version 7.3.0.0 of the Directory Server:
To ensure correct search results with Delegated Admin, disable client caching by updating the Delegated Admin HTTP Servlet Extension to return response headers, and then stop and restart the server, as follows:
dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --set "response-header:Cache-Control: no-cache, no-store, must-revalidate" --set "response-header:Expires: 0" --set "response-header:Pragma: no-cache"
These features were added for version 7.3.0.0 of the Directory Server:
Introduced a new capability called Server Profiles to manage PingDirectory instances following the DevOps principle of infrastructure-as-code. Administrators can export the configuration of a PingDirectory instance to a directory of text files called a Server Profile, track changes to these files in version control like Git, and install new instances of PingDirectory or update existing instances of PingDirectory from a Server Profile. Server Profiles support variable substitution in order to remove the settings unique to each pre-production or production environment from the Server Profile that is stored in version control.
Several improvements to support highly automated or orchestrated environments. Replication management tools have been improved to support typical workflows such as: simultaneous automated initialization of multiple instances such as during a scale out operation; automated initialization of instances despite other instances being unavailable such as during a replacement of a failed instance; automated planned removal of an instance such as during a scale down. Additionally, an HTTP status endpoint has been added to report overall instance health and availability to a cluster orchestrator like Kubernetes or to a network load balancer like AWS Network Load Balancer.
New features for delegated administration: using REST Resource Types, administrators can delegate management of new resource types, like groups and organizations, in addition to the user management features available previously. Using Delegated Access Rights, administrators now have independent controls over delegation of search, view, update, and create per resource type.
New plugin for pass-through authentication to PingOne for Customers. Pass-through authentication allows passwords to be managed by users and administrators in PingOne for Customers while still supporting legacy LDAP application connections on-prem.
New features for data encryption in transit and at rest: added support for TLS 1.3, ability to encrypt and automatically decrypt sensitive files such as tools.properties and keystore pin files using the server data encryption keys, and the ability to more easily and securely separate master keys from data encryption keys by protecting the server encryption settings database using either Amazon Key Management Service (AWS KMS) or HashiCorp Vault.
Improved replication resiliency to extended network partitions or downtime. The retention period for the replication changelog now supports a disk usage threshold in addition to an age limit for change retention. In combination, this means changes under typical load can be retained for longer than the age limit as long as the disk usage threshold is not exceeded.
Added support for Amazon Corretto JDK 8, Windows Server 2019, Red Hat Enterprise Linux 7.6, CentOS 7.6, Amazon Linux 2, and Docker 18.09.0 on Ubuntu 18.04 LTS.
These were known issues at the time of the release of version 7.3.0.0 of the Directory Server:
When dsreplication is run to add a server to the topology using another node that is not the topology master, it may fail with the following error:
"Error updating replication configuration on base DN dc=example,dc=com of server 'ds3' (ldaps://localhost:3636). See /Users//installs/7.2/s3/logs/tools/dsreplication.log for a detailed log of this operation. Details: A communication problem occurred while contacting the server: The connection to server localhost:3389 was closed while waiting for a response to an add request AddRequest(dn='cn=dc_example_dc_com,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config', attrs={Attribute(name=objectclass, values={'top', 'ds-cfg-replication-domain'}), Attribute(name=cn, values={'dc_example_dc_com'}), Attribute(name=ds-cfg-server-id, values={'11443'}), Attribute(name=ds-cfg-base-dn, values={'dc=example,dc=com'})}): A request sent on this client connection caused an internal error in the server. This connection will be terminated."
The workaround for this issue is to use the topology master for the --host1 parameter of dsreplication to add the new server into the topology. Issue:DS-38385
These issues were resolved with version 7.3.0.0 of the Directory Server:
HTTP Connection Handlers now accept client-provided correlation IDs by default. To adjust the set of HTTP request headers that may include a correlation ID value, change the HTTP Connection Handler's correlation-id-request-header property. Issue:DS-37617
Fixed an issue that could cause an error during an LDIF export of a data set with a large number of non-leaf entries. In such cases, the data is written to multiple files that are merged at the end of the export process. If the LDIF export was encrypted with a passphrase or an encryption settings definition, the merge process could fail, leaving the export spread across multiple files instead of aggregated into a single file.
This issue did not affect the usability or integrity of the export data. It could still be imported, although the administrator would need to list each of the export files in the correct order when performing the import. Issue:DS-38202
Updated the server to enable TLSv1.3 by default on JVMs that support it (Java 11 and higher). Issue:DS-38072
Updated the server to support encrypting the contents of the PIN files needed to unlock certificate key and trust stores. If data encryption is enabled during setup, then the default PIN files will automatically be encrypted.
Also, updated the command-line tool framework so that the tools.properties file (which can provide default values for arguments not provided on the command line), and passphrase files (for example, used to hold the bind password) can be encrypted. Issue:DS-38050
Added support for insignificant configuration archive attributes.
The configuration archive is a collection of the configurations that have been used by the server at some time. It is updated whenever a change is made to data in the server configuration, and it is very useful for auditing and troubleshooting. However, because the entries that define root users and topology administrators reside in the configuration, changes to those entries will also cause a new addition to the configuration archive. This is true even for changes that affect metadata for those entries, like updates to the password policy state information for one of those users. For example, if last login time tracking is enabled for one of those users (especially with high-precision time stamps), a new configuration may be generated and added to the configuration archive every time that user authenticates to the server. While it is important for this information to be persisted, it is not as important for it to be part of the server's configuration history.
This update prevents the configuration archive from storing updates that affect only this kind of account metadata. If a configuration change only modifies an existing entry, and the only attributes changed in that entry are insignificant configuration archive attributes, then the change may not be persisted in the server's configuration archive.
By default, the following attributes are now considered insignificant for the purpose of the configuration archive:
* ds-auth-delivered-otp
* ds-auth-password-reset-token
* ds-auth-single-use-token
* ds-auth-totp-last-password-used
* ds-last-access-time
* ds-pwp-auth-failure
* ds-pwp-last-login-ip-address
* ds-pwp-last-login-time
* ds-pwp-password-changed-by-required-time
* ds-pwp-reset-time
* ds-pwp-retired-password
* ds-pwp-warned-time
* modifiersName
* modifyTimestamp
* pwdAccountLockedTime
* pwdChangedTime
* pwdFailureTime
* pwdGraceUseTime
* pwdHistory
* pwdReset Issue:DS-37959
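The rule above (archive everything except a modify whose only changed attributes are all on the insignificant list) is easy to get subtly wrong, for example by comparing attribute names case-sensitively. The following shell script is an added example, not Ping Identity's code, that models that decision using the default list from this note; the operation names, the sample changes and the `ds-privilege-name` case are constructed for illustration.

```shell
# Added example, not Ping Identity's code: models the configuration-archive
# rule described in the release note. Only a modify of an existing entry whose
# changed attributes are all on the insignificant list is eligible to be
# skipped; adds, deletes and modify DN operations are always archived.
# Attribute names are compared case-insensitively, as LDAP attribute names are.

# Default insignificant attributes, as listed in the release note (DS-37959).
INSIGNIFICANT_ATTRS="ds-auth-delivered-otp ds-auth-password-reset-token
ds-auth-single-use-token ds-auth-totp-last-password-used ds-last-access-time
ds-pwp-auth-failure ds-pwp-last-login-ip-address ds-pwp-last-login-time
ds-pwp-password-changed-by-required-time ds-pwp-reset-time
ds-pwp-retired-password ds-pwp-warned-time modifiersName modifyTimestamp
pwdAccountLockedTime pwdChangedTime pwdFailureTime pwdGraceUseTime
pwdHistory pwdReset"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# is_insignificant NAME -> exit 0 if NAME is on the list, 1 otherwise.
is_insignificant() {
    name=$(lower "$1")
    for attr in $INSIGNIFICANT_ATTRS; do
        if [ "$(lower "$attr")" = "$name" ]; then
            return 0
        fi
    done
    return 1
}

# archive_decision OP ATTR... -> prints "skip" if the change need not go into
# the configuration archive, "archive" otherwise. OP is the LDAP operation
# type (add, delete, modify, moddn); ATTR... are the attributes the change
# touches. A modify that lists no attributes is archived conservatively.
archive_decision() {
    op=$1
    shift
    if [ "$op" != "modify" ] || [ $# -eq 0 ]; then
        echo archive
        return 0
    fi
    for changed in "$@"; do
        if ! is_insignificant "$changed"; then
            echo archive
            return 0
        fi
    done
    echo skip
}

# Constructed sample: a root user authenticates with last-login-time tracking
# enabled; only metadata changes, so the archive can be left alone.
archive_decision modify ds-pwp-last-login-time modifiersName modifyTimestamp   # prints: skip
# Constructed sample: the same entry is granted a privilege; that must be kept.
archive_decision modify ds-privilege-name modifiersName modifyTimestamp        # prints: archive
```

The point of the second sample is that `modifiersName` and `modifyTimestamp` change on every write, so they must not mask a substantive change such as a privilege grant; the archive is skipped only when nothing but metadata moved.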
Fixed an issue with the client-side validation properties that the haystack password validator would return in a get password quality requirements extended response. Issue:DS-38291
Fixed an issue in the installer where the Administrative Console’s trust store type would be incorrectly set if it differed from the key store type. Issue:DS-38085 SF#:648467
Added logging for DNS lookups that take longer than a warning threshold. The default warning threshold is 10 seconds. Added the DNS Resolution monitor to track DNS lookup speed. Issue:DS-37430
Fixed an issue where changes to a dynamic group's member URL sometimes did not take effect until the next server restart. Issue:DS-38273 SF#:00654671
Critical: The following enhancements were made to the topology manager to make it easier to diagnose the connection errors described in PDSTAGING-570:
- Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period. Issues:DS-38334,PDSTAGING-570 SF#:00655578
Replication now removes references to obsolete replicas, in both LDAP and in the BDB database. A replica is obsolete when it has been disabled and all changes are older than the replication purge delay. Issue:DS-37164 SF#:609257
Fixed ordering of consent-service-cfg.dsconfig commands so that bearer token authentication is enabled after its dependency, unprivileged consent. Issue:DS-38083
Added a target-database-size parameter to the Changelog Backend and the Replication Server configuration objects to allow the corresponding changelogs to grow on disk beyond the purge delay up to the specified total disk size.
It is possible for the changelog database size on disk to exceed this configured value, since changes are never purged before the configured purge delay has elapsed.
A new "Changelog Database Target Size (Percent)" gauge is also included, which will raise an alarm if a changelog grows on disk above the specified limit.
So that the server can more easily achieve the target database disk size, the default log file size for both database environments has been reduced from 100MB to 10MB. Issue:DS-6401
Critical: The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry. Issues:DS-38344,PDSTAGING-570 SF#:00655578
Updated ACI processing for modify DN requests. The "export" and "import" rights are no longer required if the superior DN is provided, but has not changed. Issue:DS-38283
Fixed an issue that allowed a modify operation to alter an entry in a way that left it without one or more superior object classes. Issue:DS-37842
Fixed an issue that could cause entryUUID mismatches on replicas configured to automatically use entryUUID as the naming attribute for add requests matching a given set of connection or request criteria. Issue:DS-37757 SF#:00650408
Critical: The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master. Issues:DS-38335,PDSTAGING-570 SF#:00655578
Fixed an issue that could prevent certain types of initialization failures from appearing in the server error log by default. Issue:DS-38403
Fixed a Windows stop-server.bat issue where locales using commas for decimal separators could not shut down. Issue:DS-38272 SF#:00653079
Addressed several issues with the pass-through authentication plugin.
USE SEPARATE CONNECTIONS FOR SEARCH AND BIND REQUESTS
If the plugin is configured with a search filter pattern, then it may perform a search to find the entry in the external server that corresponds to the entry for the local user that is trying to bind. In such cases, search requests may have been issued over the same connections that were also used to process bind operations. The change in authorization identity resulting from those bind attempts may interfere with the ability to perform the searches. The plugin has been updated to ensure that search and bind requests are now issued over separate connections.
ALLOW RETRY ATTEMPTS WITH A SINGLE EXTERNAL SERVER
If the plugin is configured with multiple external servers, then it can use some or all of those servers in a pass-through authentication attempt. If a search or bind attempt fails against the first server, and if that failure indicates that there may have been a problem with the server or the connection to it, then the plugin would have retried the operation against other servers until the attempt succeeded, the attempt failed in a way that did not indicate a problem with the server or the connection, or all servers had been tried. However, if only a single external server had been configured, then no retry attempt would have been made. The plugin has been updated so that if it is configured with only a single external server, and if it encounters a failure while communicating with that server of a kind that may be resolved by retrying, then the plugin will attempt to establish a new connection to that server and retry the operation.
UTILIZE ALL CONFIGURED EXTERNAL SERVERS
If the PingDirectory Server is configured with a location, then the pass-through authentication plugin will use that information to determine the order in which the external servers should be accessed. It will first attempt external servers in the same location as the PingDirectory Server, followed by servers in the most preferred failover location, the second-most preferred failover location, and so on. However, the plugin might not have used external servers that did not have a location assigned, or that were assigned to a location that is not one of the PingDirectory Server's preferred failover locations. The plugin has been updated to ensure that these servers may be used, albeit with a lower priority than the other servers.
IMPROVE VISIBILITY OF PLUGIN PROCESSING RESULTS
The plugin offered very little information that could help an administrator troubleshoot problems with pass-through authentication processing. Some types of operations could be investigated by enabling debug logging with an appropriate scope, but no information about the pass-through authentication processing would appear in the PingDirectory Server access log. The plugin has been updated to add information about its processing to the bind operation's access log message, including the ultimate success or failure of the pass-through authentication attempt, the result of user mapping, and whether the local user's password was updated. Further, the plugin now makes more information about its internal processing available through the server's debug logging facility. Issues:DS-38415,DS-38418,DS-38419,DS-38420 SF#:00659490
Updated the file retention recurring task to no longer log an informational message if there are no matching log files to delete. Issue:DS-38421
To efficiently export entries from a backend with a large number of non-leaf entries, the export-ldif command produces multiple intermediate LDIF files that are merged after all entries have been processed. The tool now skips merging these files if there is not enough disk space to hold both the intermediate files and the final merged file. The import-ldif command can accept multiple files as input, so merging the files is not essential. Issue:DS-38430
The Delegated Admin configuration has changed significantly. Delegated Admin Resource Types were removed and replaced by REST Resource Types. Delegated Administrators and Delegated Group Administrators were removed and replaced by Delegated Admin Rights and Delegated Admin Resource Rights. Previous configurations are converted to the new configuration definitions by the update tool when the server is updated. Issue:DS-37960
Addressed potential parsing errors in the periodic stats logger when the server is deployed in a non-English locale. Issue:DS-38205
Added a plugin that can allow users to authenticate to the Directory Server with credentials from corresponding accounts in the PingOne for Customers service. Issue:DS-37063
Updated the server to make the replication missing changes state persist across restarts. If a server is offline for longer than the configured purge delay, then replication cannot automatically bring the server back in-sync with the rest of the topology. To avoid serving stale data, the server enters lockdown mode when it has missed changes. Prior to this change, restarting the server would incorrectly clear this missing changes state, and it would not enter lockdown mode, which could lead to it serving stale data. Now the server must be reinitialized either from a recent backup or by using "dsreplication initialize" to clear the missing changes state. Issue:DS-37363 SF#:646294
Updated the result code map to allow overriding the default result code that the server returns when a client tries to perform a password-based bind as a user who doesn't have a password. Issue:DS-38336
Fixed a problem that could cause a negative etime to appear in the access log when using assured replication. Issue:DS-38190
Updated the pass-through authentication plugin to add a bind-dn-pattern configuration property that allows constructing the DN of the remote user from information in the local user entry. Alternately, if the remote server supports simple authentication with a bind DN value that is not actually a valid LDAP distinguished name, this property can be used to supply that identifier. For example, when passing through authentication to Microsoft Active Directory, this property can be used to construct a bind DN that is actually the user principal name (UPN) for the remote account.
Also, updated the pass-through authentication plugin to add an included-local-entry-base-dn configuration property that can be used to indicate which local entries are eligible for pass-through authentication. By default, pass-through authentication is automatically enabled for all users contained in any public backend, but this property can be used to restrict that set of users without the need to define a request criteria. This change also ensures that the server no longer attempts to pass through authentication attempts for root users or topology administrators by default (although if that ability is desired, it can be re-enabled by adding "cn=config" as an included-local-entry-base-dn value). Issues:DS-37063,DS-38012,DS-38497 SF#:00652865
Added a cipher stream provider that can be used to protect the contents of the encryption settings database with a key from the Amazon Key Management Service. Issue:DS-15734 SF#:3718
The response header used for correlation IDs may now be set at the HTTP Servlet Extension level using the correlation-id-response-header configuration property. If set, this property overrides the HTTP Connection Handler's correlation-id-response-header property. Issues:DS-38090,DS-38564,DS-38567
Added a cipher stream provider that can be used to protect the contents of the encryption settings database with a secret passphrase obtained from a HashiCorp Vault instance. Issue:DS-38512
Enabled assured replication by default for all add, delete, and modify DN operations. Enabled assured replication by default for all modify operations that alter passwords or key password policy state attributes.
The server will now wait (up to a maximum of one second) for these types of changes to be replicated to all available local servers before returning the response to the client. This can help avoid issues that may arise if a client sends a write request, and then immediately sends another request that depends on that previous request. If the two requests are routed to different servers, then the second operation may fail or yield an unexpected result if the change from the first request has not yet been replicated.
This change will only take effect for new installations. It will not apply to existing installations that are updated to the new release. Issue:DS-38021
Updated the behavior the server exhibits if an attribute type definition is removed from the schema while it is still referenced by a local DB backend's compaction dictionary.
In an attempt to minimize the amount of disk space and memory needed to store information in the database, the server compacts the data in several ways. One of its compaction techniques is to reference attribute types by tokens rather than their full name. It maintains a dictionary of these tokens so that it can quickly translate between an attribute type and its corresponding token. If an attribute has been used in at least one entry in the backend since the last LDIF import, then this dictionary should include a token for that attribute type.
On startup, the server will read this compaction dictionary into memory. Previously, if it encountered a reference to an attribute type that had been used in the backend but is no longer defined in the schema, it would abort the startup process. This behavior has been changed so that it will instead generate an administrative alert to warn administrators of the problem and provide information about how to address the issue, but it will no longer abort the startup process. The server will also generate an administrative alert if it encounters an entry whose encoded representation includes a token that is associated with an undefined attribute type.
In addition, the server has also been updated so that it will no longer permit attribute types or object classes to be removed from the schema if they are referenced in a compaction dictionary. Issue:DS-38193 SF#:00653079
Updated performBackendDeregistrationProcessing and performBackendRegistrationProcessing to ignore disabled notification managers instead of throwing a null error. Issue:DS-38663 SF#:00660432
Fixed an issue where a constructed virtual attribute could not be configured for an attribute that was marked as SINGLE-VALUE in the LDAP schema. Issue:DS-38722
Updated the encrypt-file tool to display a notice recommending the use of the --decompress-input argument when decrypting a file that also appears to be GZIP-compressed. Issue:DS-38739
Updated the server to better sanitize information included in diagnostic messages included in responses to clients. In some cases (for example, in the event of a unique attribute conflict), a response diagnostic message could disclose the existence of another entry in the server. Issue:DS-37805
Added an HTTP servlet extension that can be used to retrieve the server's current availability state. It accepts any GET, POST, or HEAD request sent to a specified endpoint and returns a minimal response whose HTTP status code may be used to determine whether the server considers itself to be AVAILABLE, DEGRADED, or UNAVAILABLE. The status code for each of these states is configurable, and the response may optionally include a JSON object with an "availability-state" field with the name of the current state.
Two instances of this servlet extension are now available in the default configuration. A request sent to /available-state will return an HTTP status code of 200 (OK) if the server has a state of AVAILABLE, and 503 (Service Unavailable) if the server has a state of DEGRADED or UNAVAILABLE. A request sent to /available-or-degraded-state will return an HTTP status code of 200 for a state of AVAILABLE or DEGRADED, and 503 for a state of UNAVAILABLE. The former may be useful for load balancers that should route requests only to servers that are fully available. The latter may be useful for orchestration frameworks that should destroy and replace any instance that is completely unavailable. Issue:DS-18060
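A load balancer or orchestrator consuming these endpoints needs to map each endpoint's status code to an action, and should treat anything outside the expected codes (a timeout, a custom code) as unknown rather than as healthy. The script below is an added example, not Ping Identity's code; it assumes the two default endpoints and the default 200/503 codes from this note, and `DS_BASE_URL` (defaulting to a constructed placeholder host) is an assumed environment variable for the server's HTTPS base URL.

```shell
# Added example, not Ping Identity's code: a probe for the availability-state
# HTTP servlet extension described in the release note. It assumes the two
# default endpoints and the default status codes (200 and 503); both are
# configurable on the server, so adjust the table in decide() if you changed
# them. DS_BASE_URL / ds.example.com is a constructed placeholder.

BASE_URL="${DS_BASE_URL:-https://ds.example.com:443}"

# decide ENDPOINT STATUS -> the action the caller should take for this instance.
# /available-state is aimed at load balancers (route or drain);
# /available-or-degraded-state at orchestrators (keep or replace).
# Anything else (curl reports 000 on a timeout; custom codes) is "unknown",
# so an unreachable server is never mistaken for a healthy one.
decide() {
    case "$1:$2" in
        /available-state:200)             echo route ;;
        /available-state:503)             echo drain ;;
        /available-or-degraded-state:200) echo keep ;;
        /available-or-degraded-state:503) echo replace ;;
        *)                                echo unknown ;;
    esac
}

# state_from_json BODY -> the optional "availability-state" value, or nothing.
# The servlet may include the state name in a small JSON object; a sed
# extractor is enough for that single field.
state_from_json() {
    printf '%s' "$1" | sed -n 's/.*"availability-state"[[:space:]]*:[[:space:]]*"\([A-Za-z_]*\)".*/\1/p'
}

# probe ENDPOINT -> one line summarising status code, state and action.
# A GET is used so that the JSON body (if enabled) is available; the status
# code is appended by -w on its own line and split off afterwards.
probe() {
    out=$(curl -sS --max-time 5 -w '\n%{http_code}' "$BASE_URL$1" 2>/dev/null) || true
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    echo "$1 -> HTTP ${code:-000} state=$(state_from_json "$body") action=$(decide "$1" "${code:-000}")"
}

# Run against a live server with, for example:
#   probe /available-state
#   probe /available-or-degraded-state
```

Use `/available-state` for the readiness-style check that takes an instance out of rotation and `/available-or-degraded-state` for the liveness-style check that replaces it; a DEGRADED server then keeps running but stops receiving traffic, which matches the intent described in the note.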
The Amazon Corretto JRE is now supported. Prior to being supported, the Amazon Corretto JRE resulted in a warning that the JRE was "unrecognized and is likely untested and unsupported." Issue:DS-38839
Fixed an issue that could cause the server to encounter an internal error when processing a set subtree accessibility extended operation against an empty backend. Issue:DS-38892
Fixed a bug where the startIndex value for SCIM requests would be incorrect if the LDAPSearch element in use had more than one baseDN defined in the scim-resources XML file. Issue:DS-38670 SF#:00643950
Fixed a problem in which a member could not be added to a group via SCIM unless the group's object class was groupOfUniqueNames. Issue:DS-38524 SF#:00659236
Critical: Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords. Issues:DS-38897,DS-38908
Enabled secure JMX connections. Clients must specify the truststore when running applications, and possibly the type and password for the truststore. Issue:DS-17630 SF#:00644418,00651967
Fixed an issue in which backups of the encryption settings database could be encrypted with a key from the encryption settings database. Issue:DS-38550
Added an indent-ldap-filter tool that can make it easier to visualize the structure and components of a complex search filter. Issue:DS-38849
The Fingerprint Certificate Mapper and the Subject DN to User Attribute Certificate Mapper are now disabled by default on fresh installations. This does not affect upgrades of installations where these mappers are enabled. Issue:DS-37839
The "dsreplication disable" command now correctly removes replica IDs (ds-cfg-replication-domain-server-id values) from the topology data when a subset of the replication domains is disabled. Issue:DS-38643
Fixed an issue that interfered with assigning privileges using a mirror virtual attribute. If the values to mirror in the ds-privilege-name attribute were contained in another entry, then the privileges would have only been granted if the source attribute could be retrieved by unauthenticated clients. Issue:DS-38893 SF#:00661298
Updated the server to prevent creating virtual attributes that use the "aci" or "ds-cfg-global-aci" attribute types. Also, updated the server to prevent creating virtual attributes that use the "member" or "uniqueMember" attribute types unless the virtual attribute is one that will provide the membership list for a virtual static group.
Virtual attributes cannot be used to define access control rules or assign static group membership. Previously, the server silently ignored any access control rules or static group members defined through virtual attributes, which may have caused an administrator to mistakenly believe that they were in effect. Issue:DS-38874
Fixed an issue where inter-server bind requests would fail if the cipher used reported a maximum unencrypted block size of 0. Issue:DS-38737 SF#:00658314
Fixed an issue in which the server would throw an exception when deleting an entry containing uncached attributes if the LDAP changelog was enabled and configured to use reversible form. Issue:DS-38957 SF#:00662848
Added the --skipHostnameCheck command line option to the setup script, which bypasses validation of the provided hostname for the server. Issue:DS-38109
Updated the ldapdelete command-line tool to improve robustness and add features. Some of the new features include support for client-side subtree delete, deleting entries that match search filters, following referrals, writing failures to a rejects file, rate limiting, and support for a variety of additional controls. Issue:DS-36474
Made changes to reduce potential lock conditions in proxy replication LDAP health checks. Issue:DS-38525 SF#:00660190
Changed the default value of the HTTP Configuration property include-stack-traces-in-error-pages from 'true' to 'false'. Disabling this property prevents information about exceptions thrown by servlet or web application extensions from being revealed in HTTP error responses. Issue:DS-38864
Added a set of message types to Trace Log Publishers that records events related to access token validation. Issue:DS-38913
Improved the diagnostic message the server returns when rejecting a proxied authorization attempt because the target account's password policy state does not permit that user to authenticate. Issue:DS-36685
Servers that are removed from replication with the "dsreplication disable" command are now also removed from the topology when the last non-schema domain is disabled. This allows the state of the servers after the disable to be closer to the pre-enabled state. Issue:DS-38077
Removed the version information page from the docs/build-info.txt endpoint. This information is now available in build-info.txt, which is located in the root directory. Issue:DS-39086
Internal connections created by HTTP requests are now associated with one of the configured client connection policies. A client connection policy may be selected using simple client connection criteria matching the client address, the user performing the request, and the protocol "HTTP/1.1". This change affects the following HTTP interfaces: SCIM, Directory REST API, Consent API and Delegated Admin API. Issue:DS-38873
Important upgrade considerations for version 7.2.1.0 of the Directory Server:
To ensure correct search results with Delegated Admin, disable client caching by updating the Delegated Admin HTTP Servlet Extension to return response headers, and then stop and restart the server, as follows:
dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --set "response-header:Cache-Control: no-cache, no-store, must-revalidate" --set "response-header:Expires: 0" --set "response-header:Pragma: no-cache"
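After applying that dsconfig change and restarting, it is worth confirming that Delegated Admin responses actually carry all three headers, since a missing or mistyped one leaves browsers free to cache search results. The script below is an added example, not Ping Identity's code: `check_cache_headers` inspects captured header text so it can be exercised offline against the constructed sample responses, and `live_check` feeds it real headers fetched with curl from a URL you supply (the Delegated Admin endpoint may require credentials, which are not shown).

```shell
# Added example, not Ping Identity's code: verifies that a response carries
# the three cache-disabling headers set by the dsconfig command in the note.
# The sample responses below are constructed for offline use.

# check_cache_headers HEADERS -> prints "ok", or "missing:" followed by what is
# absent. Header names are case-insensitive and lines may end in CR, so the
# text is normalised before matching. Each Cache-Control directive is checked
# separately, because "no-cache" alone still allows a browser to store a copy.
check_cache_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=""
    for token in no-cache no-store must-revalidate; do
        printf '%s\n' "$hdrs" | grep -q "^cache-control:.*$token" \
            || missing="$missing Cache-Control($token)"
    done
    printf '%s\n' "$hdrs" | grep -q '^expires:[[:space:]]*0$' || missing="$missing Expires"
    printf '%s\n' "$hdrs" | grep -q '^pragma:[[:space:]]*no-cache' || missing="$missing Pragma"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# live_check URL -> runs the same check on the headers of a real response.
# Requires network access; add authentication options to curl as needed.
live_check() {
    check_cache_headers "$(curl -sS -I --max-time 5 "$1")"
}

# Constructed sample: headers after the dsconfig change has taken effect.
SAMPLE_HARDENED='HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Pragma: no-cache'

# Constructed sample: headers from a server that has not been reconfigured.
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Content-Type: application/json'

check_cache_headers "$SAMPLE_HARDENED"   # prints: ok
check_cache_headers "$SAMPLE_DEFAULT"    # prints: missing: Cache-Control(no-cache) Cache-Control(no-store) Cache-Control(must-revalidate) Expires Pragma
```

Run `live_check https://your-server/delegated-admin/...` (placeholder URL) after the restart; anything other than `ok` means the servlet extension is still serving cacheable responses.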
These were known issues at the time of the release of version 7.2.1.0 of the Directory Server:
When dsreplication is run to add a server to the topology using another node that is not the topology master, it may fail with the following error:
"Error updating replication configuration on base DN dc=example,dc=com of server 'ds3' (ldaps://localhost:3636). See /Users//installs/7.2/s3/logs/tools/dsreplication.log for a detailed log of this operation. Details: A communication problem occurred while contacting the server: The connection to server localhost:3389 was closed while waiting for a response to an add request AddRequest(dn='cn=dc_example_dc_com,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config', attrs={Attribute(name=objectclass, values={'top', 'ds-cfg-replication-domain'}), Attribute(name=cn, values={'dc_example_dc_com'}), Attribute(name=ds-cfg-server-id, values={'11443'}), Attribute(name=ds-cfg-base-dn, values={'dc=example,dc=com'})}): A request sent on this client connection caused an internal error in the server. This connection will be terminated."
The workaround for this issue is to use the topology master for the --host1 parameter of dsreplication to add the new server into the topology. Issue:DS-38385
These issues were resolved with version 7.2.1.0 of the Directory Server:
Critical: The following enhancements were made to the topology manager to make it easier to diagnose the connection errors:
- Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period. Issue:DS-38334 SF#:00655578
Critical: The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved. Issue:DS-38344 SF#:00655578
Added logging for DNS lookups that take longer than a warning threshold. The default warning threshold is 10 seconds. Added the DNS Resolution monitor to track DNS lookup speed. Issue:DS-37430
Critical: The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master. Issue:DS-38335 SF#:00655578
Fixed an issue that could cause an error during an LDIF export of a data set with a large number of non-leaf entries. In such cases, the data is written to multiple files that are merged at the end of the export process. If the LDIF export was encrypted with a passphrase or an encryption settings definition, the merge process could fail, leaving the export spread across multiple files instead of aggregated into a single file.
This issue did not affect the usability or integrity of the export data. It could still be imported, although the administrator would need to list each of the export files in the correct order when performing the import. Issue:DS-38202
The Delegated Admin configuration has changed significantly. Delegated Admin Resource Types were removed and replaced by REST Resource Types. Delegated Administrators and Delegated Group Administrators were removed and replaced by Delegated Admin Rights and Delegated Admin Resource Rights. Previous configurations are converted to the new configuration definitions by the update tool when the server is updated. Issue:DS-37960
Addressed several issues with the pass-through authentication plugin.
USE SEPARATE CONNECTIONS FOR SEARCH AND BIND REQUESTS
If the plugin is configured with a search filter pattern, then it may perform a search to find the entry in the external server that corresponds to the entry for the local user that is trying to bind. In such cases, search requests may have been issued over the same connections that were also used to process bind operations. The change in authorization identity resulting from those bind attempts may interfere with the ability to perform the searches. The plugin has been updated to ensure that search and bind requests are now issued over separate connections.
ALLOW RETRY ATTEMPTS WITH A SINGLE EXTERNAL SERVER
If the plugin is configured with multiple external servers, then it can use some or all of those servers in a pass-through authentication attempt. If a search or bind attempt fails against the first server, and if that failure indicates that there may have been a problem with the server or the connection to it, then the plugin would have retried the operation against other servers until the attempt succeeded, the attempt failed in a way that did not indicate a problem with the server or the connection, or all servers had been tried. However, if only a single external server had been configured, then no retry attempt would have been made. The plugin has been updated so that if it is configured with only a single external server, and if it encounters a failure while communicating with that server of a kind that may be resolved by retrying, then the plugin will attempt to establish a new connection to that server and retry the operation.
UTILIZE ALL CONFIGURED EXTERNAL SERVERS
If the PingDirectory Server is configured with a location, then the pass-through authentication plugin will use that information to determine the order in which the external servers should be accessed. It will first attempt external servers in the same location as the PingDirectory Server, followed by servers in the most preferred failover location, the second-most preferred failover location, and so on. However, the plugin might not have used external servers that did not have a location assigned, or that were assigned to a location that is not one of the PingDirectory Server's preferred failover locations. The plugin has been updated to ensure that these servers may be used, albeit with a lower priority than the other servers.
IMPROVE VISIBILITY OF PLUGIN PROCESSING RESULTS
The plugin offered very little information that could help an administrator troubleshoot problems with pass-through authentication processing. Some types of operations could be investigated by enabling debug logging with an appropriate scope, but no information about the pass-through authentication processing would appear in the PingDirectory Server access log. The plugin has been updated to add information about its processing to the bind operation's access log message, including the ultimate success or failure of the pass-through authentication attempt, the result of user mapping, and whether the local user's password was updated. Further, the plugin now makes more information about its internal processing available through the server's debug logging facility. Issues:DS-38415,DS-38418,DS-38419,DS-38420 SF#:00659490
Fixed an issue that could cause entryUUID mismatches on replicas configured to automatically use entryUUID as the naming attribute for add requests matching a given set of connection or request criteria. Issue:DS-37757 SF#:00650408
Updated the server to make the replication missing changes state persist across restarts. If a server is offline for longer than the configured purge delay, then replication cannot automatically bring the server back in-sync with the rest of the topology. To avoid serving stale data, the server enters lockdown mode when it has missed changes. Prior to this change, restarting the server would incorrectly clear this missing changes state, and it would not enter lockdown mode, which could lead to it serving stale data. Now the server must be reinitialized either from a recent backup or by using "dsreplication initialize" to clear the missing changes state. Issue:DS-37363 SF#:646294
Updated the pass-through authentication plugin to add a bind-dn-pattern configuration property that allows constructing the DN of the remote user from information in the local user entry. Alternately, if the remote server supports simple authentication with a bind DN value that is not actually a valid LDAP distinguished name, this property can be used to supply that identifier. For example, when passing through authentication to Microsoft Active Directory, this property can be used to construct a bind DN that is actually the user principal name (UPN) for the remote account.
Also, updated the pass-through authentication plugin to add an included-local-entry-base-dn configuration property that can be used to indicate which local entries are eligible for pass-through authentication. By default, pass-through authentication is automatically enabled for all users contained in any public backend, but this property can be used to restrict that set of users without the need to define a request criteria. This change also ensures that the server no longer attempts to pass through authentication attempts for root users or topology administrators by default (although if that ability is desired, it can be re-enabled by adding "cn=config" as an included-local-entry-base-dn value). Issues:DS-37063,DS-38012,DS-38497 SF#:00652865
These issues were resolved with version 7.2.0.1 of the Directory Server:
Updated the Server SDK as follows:
* Made it possible for a pre-parse bind plugin to convert a simple bind request to a SASL bind request, or to convert a SASL bind request to a simple bind request.
* Added the InternalOperationAttachmentSASLMechanismHandler class to the set of examples that we include with the Server SDK. This SASL mechanism handler uses attachments to provide the details of a successful or failed authentication attempt, and it can be used in conjunction with a pre-parse bind plugin that performs the majority of the authentication processing for an operation.
* Fixed an issue in the SASL bind result factory implementation that prevented a provided matched DN from being included in the response sent to the client.
* Added an OperationContext.appendAdditionalLogMessage method, which makes it possible to include additional text in the access log message for an operation without including that text in the response returned to the client. Issue:DS-37921 SF#:651359
Introduced new Delegated Admin configuration which allows users created by delegated administrators to manage their own profiles within PingFederate.
- To configure this feature, ensure the PingFederate local identity schema from local-identity-pingdirectory.ldif has been added to PingDirectory per the PingFederate documentation for customer identities.
- Create a constructed attribute for pf-connected-identity (for example, where entryUUID is the PingFederate user ID attribute):
dsconfig create-constructed-attribute --attribute-name pf-connected-identity --set attribute-type:pf-connected-identity --set value-pattern:auth-source=pf-local-identity:user-id={entryUUID}
- Configure the Delegated Admin resource type:
dsconfig set-delegated-admin-resource-type-prop --type-name users --add auxiliary-ldap-objectclass:pf-connected-identities --set post-create-constructed-attribute:pf-connected-identity Issue:DS-38116
Important upgrade considerations for version 7.2.0.0 of the Directory Server:
The Delegated Admin web app now supports creation of new users. Installations created using older versions of the install script require a command like the following to be run after upgrade. The 'sn' attribute is a required attribute for inetOrgPerson entries.
dsconfig create-delegated-admin-attribute --type-name users --attribute-type sn --set "display-name:Last Name"
To enable user creation, one of the new configuration properties org-entry-dn or org-search-filter must be set on the Delegated Admin resource type.
These features were added for version 7.2.0.0 of the Directory Server:
Introduced a Directory REST API to create, read, update and delete (CRUD) any object in the directory using JSON over HTTP. Compared to the SCIM-based Identity Access API (introduced in 4.0), the Directory REST API offers more capability without the configuration overhead and SCIM protocol limitations. See https://apidocs.pingidentity.com/pingdirectory/directory/v1/api/guide/ for more information.
Overhauled the way in which the directory evaluates and processes search expressions. The new search planner leverages index statistics in order to process search expressions in the most effective order. The search planner now considers the overall size of each index, specific values that have too many matches, and the relative distribution of values.
Improved composite indexes. Composite indexes are used to improve performance for searches where attributes are often searched together, like a customer tenant identifier alongside a person's name. Whereas previously you could only index a combination of the DN of ancestor objects with a single attribute of descendant objects, now you can define a composite index using a pattern that combines equality expressions and at most one substring expression. For example, you can create a composite index covering the entire expression (&(tenantId=?)(cn=*?*)).
Improved integration with some third-party software. Now the changelog backend (which makes available all recent changes to directory entries) supports paging over LDAP using the Simple Paged Results Control (RFC 2696). This enables third-party data integration software to more efficiently obtain a list of recent changes over LDAP. Previously the Simple Paged Results Control only worked for LDAP searches against user data stored in backends like userRoot.
Improved the scheduled tasks feature designed to help automate maintenance tasks on the directory server. Now you can schedule the execution of whitelisted commands on the directory server host, create routine LDIF exports for multiple backends, make the server administratively enter or leave “lockdown” mode, and clean up old files from disk, like historical log files and LDIF exports.
Improved group management in the delegated user administration web app (packaged separately). Whereas before delegated administrators could add users to groups and remove users from groups, now admins can add and remove sub-groups as well.
Added support for Oracle Java JDK 11 and OpenJDK 11. Added support for Red Hat 7.5, CentOS 7.5, and Ubuntu 18.04 LTS.
These issues were resolved with version 7.2.0.0 of the Directory Server:
Fixed a defect where the compression-mechanism and compression-parameter properties were not hidden in ReplicationServerConfiguration.xml. Issue:DS-36483
Fixed an issue in the backup tool where --signHash could be used without --hash. Issue:DS-36132
Fixed an issue with the Dictionary Password Validator where configuring case-sensitive-validation=false would only work if the input file included the lower-case version of all passwords. The server now automatically converts the passwords to lower-case in memory when configured with case-sensitive-validation=false. Issue:DS-36801
Fixed an issue where an entry could be added to the server with invalid privileges. Issue:DS-5964
Fixed an issue where the server would not prevent an invalid entry with more than one structural object class from being added, if any of those classes was a groupOfURLs. Issue:DS-35516
Fixed a bug where a named pipe could not be used as a log file. Issue:DS-35553
Fixed an issue in which the server could return an incorrect result code for add and modify DN requests that included a malformed DN. Issue:DS-36910
Added support for an exec task that can invoke commands on the server. There are several safeguards in place to prevent unauthorized users from invoking arbitrary commands on the server system, including a new exec-task privilege and a whitelist file that must be updated to include the absolute paths of the allowed commands. A new schedule-exec-task tool helps create an exec task from the command line, and the LDAP SDK has also been updated to allow interacting with exec tasks programmatically. Issue:DS-35873
Added support for recurring exec tasks. Issue:DS-35873
Added an attributes-modifiable-with-ignore-no-user-modification-request-control global configuration property that allows a select set of operational attributes declared with the NO-USER-MODIFICATION constraint to be updated in a modify request that includes the ignore NO-USER-MODIFICATION request control. At present, this is only supported for the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes. Issue:DS-36729
Updated the recurring LDIF export task to support exporting the contents of multiple backends. Issue:DS-37037
Updated the server to enable automatic LDIF exports by default for new installations. Every day at 1:05 a.m. (in the JVM's default time zone, which is generally the time zone configured for the underlying system), the server will export the contents of each non-administrative backend to a file in the "ldif" directory immediately below the server root. The LDIF exports will always be compressed, and they will be encrypted if the global configuration is set to encrypt LDIF exports by default (which will be enabled if encryption is configured during setup). The LDIF exports will be rate limited to ten megabytes per second to minimize the impact on server performance, and exports will be retained for seven days.
Daily LDIF exports will only be enabled by default for new installations. The recurring task chain will be created in instances that are updated to this release, but that chain will not be enabled. Issue:DS-36453
Added support for a delay task, which can be used on its own or as a recurring task. It is primarily intended to be used as a spacer between other tasks, and can sleep for a specified period of time, wait for the server to be idle (that is, there are no outstanding operations and all worker threads are idle), or wait for sets of search criteria to match at least one entry (for example, until a monitor entry indicates that the server is in a desired state). Issue:DS-36510
Replication now sends heartbeat and monitoring information less frequently to reduce the high network overhead that had been observed in topologies with more than fifty servers. The interval between monitoring data updates is now configurable through the remote-monitor-update-interval property on the Replication Server configuration object. Issue:DS-36694
Added recurring task support for placing the server in lockdown mode and taking the server out of lockdown mode. While in lockdown mode, the server reports itself as unavailable to the Directory Proxy Server and only accepts requests from a restricted set of clients. Issue:DS-37066
Added support for a new file retention task that can identify files in an indicated directory that match a given pattern and remove any matching files that fall outside of the specified retention criteria. You can specify the minimum number of files that should be retained, the minimum age of files that should be retained, the minimum aggregate size of files that should be retained, or any combination thereof. The files that match the pattern will be sorted by timestamp so that if any files are to be removed, the most recent files will be retained and the oldest files will be deleted.
The file retention task can be scheduled as a standalone task or as a recurring task. Two instances of the file retention recurring task have been defined in the default configuration: one that can clean up old expensive operation dump files, and another that can clean up old work queue backlog thread dump files. In each case, the recurring task is configured to keep at least the 100 most recent files, and no files less than 30 days old will be removed. While these recurring tasks are defined in the out-of-the-box configuration, they are not part of any recurring task chain and therefore will not actually be invoked unless they are configured as part of a chain.
The PingDirectory Server and PingDirectoryProxy Server now include recurring tasks in the out-of-the-box configuration that can clean up old expensive operation dump log files or work queue backlog thread dump log files if too many of them have collected in the server logs directory. For each type of file, if there are more than 100 of them in the server logs directory, then any of the remaining files that are more than 30 days old are candidates for removal. A recurring task chain will perform this cleanup every day at 12:05 a.m. in the JVM's default time zone. Issues:DS-35652,DS-36559
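The retention rules described above (keep at least the N most recent matching files, never remove a file younger than the minimum age, optionally keep a minimum aggregate size, and remove only the oldest), modelled in Python as an added illustration; this is not PingDirectory's own code. The file names, sizes, the sample timestamp, and the reading of "minimum aggregate size" as keeping files until the retained total reaches that size are constructed assumptions.

```python
"""Model of the file retention task's selection rules.

Added illustration, not PingDirectory's implementation. The constructed
sample mirrors the out-of-the-box policy for expensive operation dump files:
keep at least the 100 most recent files, and never remove a file that is
less than 30 days old.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Iterable, List, Optional

# Constructed "current time" used by the sample and its checks.
SAMPLE_NOW = datetime(2019, 1, 1, 0, 5, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileInfo:
    """One candidate file: name, timestamp used for ordering, size in bytes."""
    name: str
    mtime: datetime
    size: int


def select_for_removal(
    files: Iterable[FileInfo],
    pattern: str,
    now: datetime,
    retain_count: Optional[int] = None,
    retain_age: Optional[timedelta] = None,
    retain_size: Optional[int] = None,
) -> List[FileInfo]:
    """Return the files that fall outside every configured retention criterion.

    Matching files are sorted newest first. A file is retained if it satisfies
    ANY configured criterion ("any combination thereof"), so the most recent
    files always survive and only the oldest become removal candidates:
      * it is among the `retain_count` most recent files;
      * it is younger than `retain_age`;
      * the files kept so far do not yet add up to `retain_size` bytes
        (assumed reading of "minimum aggregate size": the file that pushes
        the retained total past the minimum is itself kept).
    """
    if retain_count is None and retain_age is None and retain_size is None:
        # Assumption of this model: with no criterion configured, refuse to
        # select anything rather than remove every matching file.
        raise ValueError("at least one retention criterion must be configured")

    matching = sorted(
        (f for f in files if fnmatch(f.name, pattern)),
        key=lambda f: f.mtime,
        reverse=True,  # newest first
    )

    to_remove: List[FileInfo] = []
    retained_bytes = 0
    for index, f in enumerate(matching):
        keep = False
        if retain_count is not None and index < retain_count:
            keep = True
        if retain_age is not None and (now - f.mtime) < retain_age:
            keep = True
        if retain_size is not None and retained_bytes < retain_size:
            keep = True
        if keep:
            retained_bytes += f.size
        else:
            to_remove.append(f)
    return to_remove


def build_sample(now: datetime, count: int = 103) -> List[FileInfo]:
    """Constructed sample: `count` dump files written 12 hours apart (index 0
    is the newest), plus an unrelated file the pattern must ignore."""
    files = [
        FileInfo(f"expensive-ops-{i:03d}.log", now - timedelta(hours=12 * i), 4096)
        for i in range(count)
    ]
    files.append(FileInfo("access.log", now, 1 << 20))
    return files


def default_policy_removals(now: datetime) -> List[str]:
    """Apply the out-of-the-box policy (100 most recent, 30 days) to the
    constructed sample and return the names selected for removal, newest first."""
    removed = select_for_removal(
        build_sample(now),
        pattern="expensive-ops-*.log",
        now=now,
        retain_count=100,
        retain_age=timedelta(days=30),
    )
    return [f.name for f in removed]


if __name__ == "__main__":
    # Files 100..102 are older than 50 days and beyond the 100 most recent.
    for name in default_policy_removals(SAMPLE_NOW):
        print("remove", name)
```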
Fixed an issue preventing third-party tasks from loading correctly. Issue:DS-17771
Updated the server to allow delaying the response to failed bind operations by a specified length of time. While the response is delayed, no other operations will be allowed on the connection. This can be used instead of, or in addition to, account lockout as a means of limiting the rate at which an attacker may try to guess user passwords. Issue:DS-1132
Fixed an issue causing unexpected crashes in dsconfig when backing out of certain screens.
Updated the out-of-the-box configuration to clean up old lock conflict details log files if too many of them have accumulated. If there are more than 100 of them in the server logs directory, then any of the remaining files that are more than 30 days old are candidates for removal. The cleanup will occur every day at 12:05 a.m. in the JVM's default time zone. Issue:DS-37181
A header containing a correlation ID is now added to outgoing HTTP servlet responses, allowing HTTP responses to be correlated with log messages across server instances. The name of the correlation ID response header defaults to "Correlation-Id" but may be changed by setting the HTTP Connection Handler's correlation-id-response-header property. By default, the server will generate a globally unique correlation ID automatically, but the correlation-id-request-header configuration property may be used to optionally specify one or more request headers that provide an existing correlation ID value from the requesting client. The correlation ID header can be disabled on a per-HTTP Connection Handler basis using the use-correlation-id-header configuration property.
For Server SDK extensions that have access to the current HttpServletRequest, the correlation ID can be retrieved as a String via the HttpServletRequest's "com.pingidentity.pingdata.correlation_id" attribute. For example: (String) request.getAttribute("com.pingidentity.pingdata.correlation_id"); Issue:DS-36209
HTTP Connection Handlers will now raise an alarm during initialization if a context path conflict is detected. Issue:DS-35909
Fixed an issue in which the HTTP Servlet Config Monitor could cause an exception in an HTTP Servlet Extension when attempting to determine its context paths. This caused the status tool and the Administrative Console to potentially omit the HTTP Servlet Extension from the list of active HTTP extensions. Issue:DS-37131
Multiple instances of the SCIM HTTP Servlet Extension may now be created, allowing for multiple SCIM 1.1 service configurations per server instance. For more information, please refer to the "Managing the SCIM Servlet Extension" chapter of the Administration Guide. Issue:DS-35865
Bearer token authentication for the Consent API may now be enabled or disabled using the bearer-token-auth-enabled property of the Consent HTTP Servlet Extension. Issue:DS-36519
Added a plugin that supports encrypting the values of operational attributes intended to hold sensitive information, including TOTP shared secrets, delivered one-time passwords, password reset tokens, and single-use tokens. Issue:DS-36511
The SCIM v1 servlet extension is no longer enabled by default for new installations. Existing installations will be unaffected on an upgrade. Customers are encouraged to use the new "Directory REST API" for REST access from now on. Issue:DS-36988
Added a Mock Access Token Validator, which accepts access tokens without validating the authenticity of the tokens using a trusted authorization server or signing certificate. When enabled, a Mock Access Token Validator accepts bearer tokens in the form of a plain text JSON object containing an arbitrary set of claims. Mock Access Token Validators are intended for test or demonstration use only and should never be enabled in production deployments or used to access sensitive data. Issue:DS-36433
Updated the server to support sending persistent search results asynchronously, which prevents a blocked persistent search client from interfering with write operation processing. Issue:DS-14799 SF#:3030
Updated the client connection policy configuration to add a maximum-concurrent-operations-per-connection-exceeded-behavior property that specifies the behavior that the server should exhibit if a client tries to exceed the limit set by the maximum-concurrent-operations-per-connection property. Previously, any requests in excess of the maximum-concurrent-operations-per-connection limit would have been rejected with a busy result. The server now offers additional choices for the result code to use when rejecting requests (including admin limit exceeded, constraint violation, unavailable, unwilling to perform, or other), and the server can also be configured to close the connection and abandon all outstanding operations on that connection. Issue:DS-36585
Added support for the simple paged results control to the changelog backend. Issue:DS-37389
Updated num-worker-threads and *-worker-thread-percent-busy attributes to exclude admin queue threads from the worker thread count. These attributes will now better reflect the actual number of worker threads available. Issue:DS-37262
The replication server now has a configuration property "replication-purge-minimum-retain-count," which is similar to the existing configuration property "replication-purge-delay" except that a minimum number of changes is enforced instead of a maximum age. The "replication-purge-minimum-retain-count" property may be helpful in those cases where a replication server will experience long delays (exceeding the "replication-purge-delay") of infrequent traffic while not connected to the other replication servers. Issue:DS-37356
Fixed an issue in support for the get effective rights request control that could cause the server to incorrectly report that an anonymous user could have read access to an entry if there are any ACIs that make use of the "ldap:///all" bind rule. The issue affected only get effective rights processing and did not actually expose any server data to unauthorized users. Issue:DS-37416 SF#:00646129
Added a time limit retention policy to support removing log files older than a specified age. Issue:DS-37492
Updated the audit log to provide the option to include a number of additional fields, including:
* The server product name.
* The server instance name.
* The OIDs of any controls included in the request.
* Details of any intermediate client or operation purpose request controls included in the request.
* Whether the operation was replicated.
* Whether the operation was an internal operation.
* Whether the operation was processed by an administrative session worker thread.
In addition, operation-specific log messages can include the following additional fields:
* For add operations, the log can now indicate whether the operation was an undelete.
* For delete operations, the log can now indicate whether the operation was a soft delete, whether the operation was a delete of a soft-deleted entry, and whether the operation was the base or a subordinate entry of a subtree delete. Further, virtual attributes are separated from real attributes in the record of the deleted entry.
* For modify operations, the log can now indicate whether the entry was a modify of a soft-deleted entry. Issue:DS-37352
Updated the server to include a data recovery log in the default configuration. This is an audit log with a configuration optimized for enabling replay or reversion of changes should the need arise. The logger will be defined in the configuration for all new installations and updates of existing installations, but it will only be enabled by default for new installations. The log will always be compressed, and it will be encrypted if data encryption is enabled in the server. Issue:DS-37515
To facilitate testing in multiple GC (garbage collection) environments, GC JVM options have been moved to separate Java properties in the java.properties file. The new ".gc-type" suffix selects the GC type to use, and the new ".gc-<GC type>-args" suffix holds the JVM options for that GC type. Issue:DS-6930
Critical: Addressed an issue where an InvalidKeyException could occasionally be reported by import-ldif. The error message for this problem resembles, "An unexpected error occurred during merge processing for index 'dc_example_dc_com_sn.equality': InvalidKeyException: The provided passphrase is invalid." Issue:DS-37313
These issues were resolved with version 7.0.1.4 of the Directory Server:
Fixed an issue where deleting an attribute index on a Directory Server with encryption enabled, recreating it with the same name but differently cased, and then rebuilding it would cause searches on that index to return incorrect results. Issue:DS-38808 SF#:00662130
These were known issues at the time of the release of version 7.0.1.3 of the Directory Server:
When dsreplication is run to add a server to the topology using another node that is not the topology master, it may fail with the following error:
"Error updating replication configuration on base DN dc=example,dc=com of server 'ds3' (ldaps://localhost:3636). See /Users//installs/7.2/s3/logs/tools/dsreplication.log for a detailed log of this operation. Details: A communication problem occurred while contacting the server: The connection to server localhost:3389 was closed while waiting for a response to an add request AddRequest(dn='cn=dc_example_dc_com,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config', attrs={Attribute(name=objectclass, values={'top', 'ds-cfg-replication-domain'}), Attribute(name=cn, values={'dc_example_dc_com'}), Attribute(name=ds-cfg-server-id, values={'11443'}), Attribute(name=ds-cfg-base-dn, values={'dc=example,dc=com'})}): A request sent on this client connection caused an internal error in the server. This connection will be terminated."
The workaround for this issue is to use the topology master for the --host1 parameter of dsreplication to add the new server into the topology. Issue:DS-38385
These issues were resolved with version 7.0.1.3 of the Directory Server:
Added logging for DNS lookups that take longer than a warning threshold. The default warning threshold is 10 seconds. Added the DNS Resolution monitor to track DNS lookup speed. Issue:DS-37430
Fixed a bug where the startIndex value for SCIM requests would be incorrect if the LDAPSearch element used had more than one baseDN defined in the scim-resources XML file. Issue:DS-38670 SF#:00643950
Fixed an issue that could cause an error during an LDIF export of a data set with a large number of non-leaf entries. In such cases, the data is written to multiple files that are merged at the end of the export process. If the LDIF export was encrypted with a passphrase or an encryption settings definition, the merge process could fail, leaving the export spread across multiple files instead of aggregated into a single file.
This issue did not affect the usability or integrity of the export data. It could still be imported, although the administrator would need to list each of the export files in the correct order when performing the import. Issue:DS-38202
Critical: Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords. Issues:DS-38897,DS-38908
These issues were resolved with version 7.0.1.2 of the Directory Server:
Fixed a bug where the totalResults value for SCIM requests using page parameters would be incorrect if the LDAPSearch element used had more than one baseDN defined in the scim-resources XML file. Issue:DS-37597 SF#:00643950
Updated the Server SDK as follows:
* Made it possible for a pre-parse bind plugin to convert a simple bind request to a SASL bind request, or to convert a SASL bind request to a simple bind request.
* Added the InternalOperationAttachmentSASLMechanismHandler class to the set of examples that we include with the Server SDK. This SASL mechanism handler uses attachments to provide the details of a successful or failed authentication attempt, and it can be used in conjunction with a pre-parse bind plugin that performs the majority of the authentication processing for an operation.
* Fixed an issue in the SASL bind result factory implementation that prevented a provided matched DN from being included in the response sent to the client.
* Added an OperationContext.appendAdditionalLogMessage method, which makes it possible to include additional text in the access log message for an operation without including that text in the response returned to the client. Issue:DS-37921 SF#:651359
These issues were resolved with version 7.0.1.1 of the Directory Server:
Fixed an issue with the Dictionary Password Validator where configuring case-sensitive-validation=false would only work if the input file included the lower-case version of all passwords. The server now automatically converts the passwords to lower-case in memory when configured with case-sensitive-validation=false. Issue:DS-36801
Fixed a bug where a named pipe could not be used as a log file. Issue:DS-35553
Fixed an issue in support for the get effective rights request control that could cause the server to incorrectly report that an anonymous user could have read access to an entry if there are any ACIs that make use of the "ldap:///all" bind rule. The issue affected only get effective rights processing and did not actually expose any server data to unauthorized users. Issue:DS-37416 SF#:00646129
Replication now sends heartbeat and monitoring information less frequently to reduce the high network overhead that had been observed in topologies with more than fifty servers. The interval between monitoring data updates is now configurable through the remote-monitor-update-interval property on the Replication Server configuration object. Issue:DS-36694
These features were added for version 7.0.1.0 of the Directory Server:
New capabilities have been added to the Delegated Admin application (packaged separately). Now directory administrators can delegate the responsibility of managing group memberships for users in the PingDirectory Server. Administrators can delegate to individuals or groups of users, and assign authority over one or more groups in the PingDirectory Server.
Added a new mirrored virtual attribute capability that mirrors the value of an attribute from an entry relative to the entry being retrieved. For example, you could include an attribute from the parent entry. This can eliminate a second search request to the server when a client needs a user entry as well as information from some related entry.
Improved the way the PingDirectoryProxy distributes requests in the failover load-balancing configuration. This is especially helpful for multi-tenant environments to better distribute requests per tenant. Now you can configure a load-spreading base DN such that requests to DIT branches below the load-spreading base DN are balanced among the PingDirectory servers. The proxy will automatically maintain affinity between servers and DIT branches.
Added new monitoring data points and data history to aid in performance tuning and troubleshooting. Now the monitoring backend stores occurrences and time spent for several operations, including a histogram distribution of time spent. Operations tracked include time waiting on file system synchronization and time spent at the proxy per directory server operation.
These were known issues at the time of the release of version 7.0.1.0 of the Directory Server:
An ACI starting with "GENERATED D-ADMIN ACCESS" is generated automatically by the server from Delegated Admin configuration. Do not create your own custom ACI with the same prefix, for example by copying and pasting from the generated ACI. A custom ACI with this prefix will be deleted when the server is restarted, and whenever a Delegated Admin configuration change causes the Delegated Admin ACI to be regenerated. Issue:DS-37044
While upgrading servers in a mixed-version environment, where some of the servers are still using the admin backend while others have been updated to the topology registry, do not attempt to make size changes to the topology. No existing servers may be removed (using dsreplication disable), or new servers added (using dsreplication enable) when in this transitional state of partially-updated servers. When all of the servers have been updated to the topology registry, sizing changes can be made. This restriction is temporary only while crossing the admin backend to topology registry boundary. In post 7.0.1 releases, changes to the topology size will be allowed, even in mixed-version environments. Issue:PDSTAGING-402 SF#:00643987
It is not possible to add a new server to an existing replication topology of 7.0.0.0 servers. The problem is addressed in 7.0.1.0. In order to add a new server, all existing servers must be updated to at least 7.0.1.0. Issue:DS-36946
Servers to be monitored by the PingDataMetrics Server must have an instance name of less than 256 characters. A server's instance name is specified during setup. Issue:DS-36788
These issues were resolved with version 7.0.1.0 of the Directory Server:
Fixed an issue where the isMemberOf virtual attribute provider would indirectly evaluate other virtual attributes, which could lead to significant slow down in search processing. Issue:DS-36703
Added the Replication State Detail (ds-sync-state-detail) virtual attribute, which provides a more detailed version of "ds-sync-state" attribute. The additional information can be used for debugging replication issues. Issue:DS-16766
Fixed an issue in which an unprivileged Consent API client could modify the actor value of a consent record. Issue:DS-36814
Improved the behavior that the server exhibits under certain network conditions when it is not possible to write to a client without blocking. This includes:
* If the server cannot write data to a client after waiting for a length of time specified by the connection handler's max-blocked-write-time-limit configuration property, the access log message indicating that the client has been disconnected because of an I/O timeout will now more clearly indicate that the reason was the inability to write data to the client.
* The server now limits the number of threads that can be blocked while trying to send data to the same client over the same client connection. If too many threads would have been blocked while trying to send data over the same connection, that connection will be terminated, and the disconnect access log message will include the reason for the disconnect.
* If the server is trying to send data to the client that it considers optional (for example, certain types of unsolicited notifications), then the server may skip sending that optional data if the write would have caused the server thread to block. Issue:DS-36325 SF#:00627663
Delegated Admin operations now appear in the LDAP access log. Issue:DS-37021
Added a configuration option that permits a null serverFQDN for the GSSAPI SASL mechanism, which allows an unbound SASL server connection. Issue:DS-36642 SF#:00637397
Enabling replication for restricted domains now creates a server group for each replication set when replication servers are added. Server groups enable initializing restricted domains interactively. Issue:DS-37047
Changed Resource IDs produced by the Delegated Admin API so that they no longer contain percent characters from Base64 padding. Issue:DS-37132
Updated the mirror virtual attribute provider to allow a DN map to identify the entry containing the attribute to mirror. Issue:DS-36987
Updated the keys and values used in the monitoring JMX MBeans to conform with best practices. The keys "type" and "name" are now used in place of "Rdn1" and "Rdn2".
To maintain backwards compatibility with existing monitoring solutions, installations upgrading to this release will retain the old behavior, but they can revert to the default behavior by changing the Global Configuration property jmx-use-legacy-mbean-names to false. Issue:DS-37235
The Notification Delivery Thread will now log unexpected errors rather than throwing them as exceptions. Issue:DS-37292 SF#:00645037
Prevent a notification destination from assuming the master notification delivery role if that server is in lockdown mode or replication hasn't finished initialization. Issue:DS-37362 SF#:00646374
Important upgrade considerations for version 7.0.0.0 of the Directory Server:
This release introduces significant changes to the way servers in a topology are configured with information about each other. Once a server has been upgraded from a pre-7.0 version to 7.0 or later, reverting to the previous version is not supported. Before beginning the upgrade process, make sure you have read and understood the Administration Guide's chapter "Upgrading the Server".
SCIM 2 error responses, including Config API error responses, now represent the "status" field as a JSON string rather than as a number. Clients written to expect the earlier version format will need to be updated. In particular, clients written using the SCIM 2 SDK for Java should upgrade to version 2.2.0 or higher.
Indexes are now automatically encrypted when data encryption is enabled on the server. For deployments in which data encryption is already enabled, it is recommended that you export the data to LDIF and re-import it to ensure that its indexes are also encrypted.
The Administrative Console now uses server information found in the topology registry to populate its server selection control. If the Console is used to manage a legacy server that does not use the topology registry, then the server selection control will not be populated. To manage a different server, the administrator will need to log out of the Console and provide the other server's connection details from the login page.
These features were added for version 7.0.0.0 of the Directory Server:
Added support for encrypting indexes. Enabling encryption does have a small performance impact. The exact impact varies based on the data set and load. In our testing,
Added a new delegated user administration web application (packaged separately). This web UI enables the server administrator to delegate profile management and some privileged operations to others within the enterprise.
Made several security improvements for backups, LDIF exports, and log files. Encryption can be done using a specified passphrase, making it easier to decrypt and use files outside of the server cluster, such as when importing them or reviewing them on a different server. Also, servers can be configured to encrypt backups and exports by default, so that administrators do not inadvertently create an unencrypted artifact.
Added the capability to automatically purge data after the data has expired. This feature can be applied to delete directory entries, like new accounts that have not fully completed the signup process, or PingFederate persistent grants that have expired. This feature can also be applied to delete individual JSON attributes of a directory entry. Purging expired data is enabled through the Purge Expired Data plugin.
Added new schema and REST API that can be used to build a system to collect, enforce, and manage fine-grained data authorizations or privacy preferences for users stored within the directory.
Added a new feature for running recurring maintenance tasks, like backup and LDIF export, without the dependency on Linux cron or Windows schedulers.
Simplified management tasks related to configuring servers in a large cluster topology or in an automated deployment. Most notably, servers can now be added to a cluster while other servers are offline.
Added a new syntax of Access Control Instructions (ACI) that can dramatically reduce the number of nearly identical ACI used in multi-tenant or multi-organization directories. The new format is parameterized by attributes of the binding user's DN. For example, the server can extract the "HR" value from a binding user such as uid=Fred,o=HR,dc=data, and use that value to check membership within the related privileged group cn=Admins,o=HR,dc=data. A single parameterized ACI can be written to support groups HR, Finance, IT, Development, Marketing, and so on.
Added management features for SSL/TLS certificates. The default certificates used in inter-server replication can be replaced; validation of client certificates for HTTPS-based services like the SCIM REST API can be configured; and you can reload from the trust store for HTTPS client certificates without restarting the server or the HTTP-based services.
Added support for these operating system versions: Ubuntu LTS 16.04, CentOS 7.4, RedHat Linux 7.4, SUSE Enterprise 12 SP3
These issues were resolved with version 7.0.0.0 of the Directory Server:
Fixed an issue where a JSON object or attribute could not be deleted if it contained a field with two indexed values differing only in case. Issue:DS-35558 SF#:00624892
Support for the IBM JDK has been retired. Issue:DS-35536
Critical: Addressed an issue in "dsreplication enable/initialize" that prevented servers from some previous versions (5.2.0.5 and earlier and 6.0.0.*) from initializing newer servers. Servers from these prior versions can now be used to enable replication with current versions of the server. Issue:DS-35528 SF#:624368
Changed the default settings for the Directory Changelog to include all entry attributes during a delete so that matching can be more reliable. Issue:DS-14248
Updated the JMX connection handler's monitor provider so that when a JMX connection is closed, it is removed from the list of established connections. After a JMX client disconnects, it may take the server a few minutes to detect the closure and update the monitor. Issue:DS-35576
The admin backend and the tool used to manage it, dsframework, have been replaced by the topology registry and dsconfig, respectively. The topology registry is automatically mirrored across all servers in the topology, so administrative information is kept in-sync on all servers at all times. Issues:DS-14281,DS-14282,DS-14283,DS-14284,DS-17197,DS-17366,DS-4570
Added a new manage-certificates tool that can be used to perform a number of functions related to TLS certificate management. Issue:DS-17891
Added a new Monitor Entry for SSL Cipher Suite and Protocol information. It is available under cn=SSL Context,cn=monitor. Issue:DS-35601
Added a missing double-quote to bat/transform-ldif.bat, which prevented the command from being invoked successfully on Windows systems. Issue:DS-35648
Critical: Fixed a very rare race condition with the Frequently Accessed Entry Cache which could lead to an index being marked as degraded and requiring a rebuild.
The problem is unlikely to happen outside of testing environments since it requires modifying a single entry over 1000 times per second across multiple servers concurrently. Issue:DS-35616 SF#:00625189
Enhanced the ACI handling code to reduce contention when updating the set of active ACIs. In systems that have a very high number of entries that include ACIs, this enhancement significantly improves the throughput of operations that add and delete ACIs. Issue:DS-35659 SF#:00626121
In replicated environments, updating attributes with a very large number of attribute options is now much faster. There is a potential for a 2X increase in storage for these entries, but updating an entry with 1000 attribute options is now 100 times faster. Issue:DS-35571 SF#:00618521
Updated JZlib from version 1.0.7 to 1.1.3 to address an ArrayIndexOutOfBoundsException that could occur when replication servers disconnected during a scheduled garbage collection. Issue:DS-35538 SF#:00624681,00626541
The dsreplication command's remove-defunct-server and cleanup-local-server sub-commands have been replaced by a new command called remove-defunct-server. The new command supports all of the functionality that was provided by the sub-commands. Issue:DS-17197
Eliminated a misleading error message triggered by sorting entries during a search. Issue:DS-35549 SF#:00624848
Updated the Frequently Accessed Entries Cache to eliminate cache lock contention when the server is starting, and increased parallelism in general. Also, updated the cache to penalize frequently modified entries to improve garbage collection and reduce heap fragmentation. Issue:DS-35580
Addressed an error that occurs if a password policy DN is modified during an operation that is dependent on that password policy. Issue:DS-18203 SF#:00621824
Changed enable-sub-operation-timer on the Global Configuration to be true by default. This exposes operation timing information in the Sub-Operation Timing Monitor and any Operation Timing Access Log Publishers that have been configured. Enabling this tracking has about a 3% impact on operation throughput and latency, which will not be noticeable in most deployments and is an acceptable tradeoff for understanding where operation processing time is spent. However, it can be explicitly set to false to turn this tracking off. Issue:DS-35709
Added two database checkpoints to be performed in the backend prior to each online backup. If the backup is restored, this limits the database recovery time when the database environment is opened for the first time, which significantly improves the server startup time. Also, incremental backups will not contain redundant files that are unchanged from the base backup. Issue:DS-35534
Removed the max-passes option from the Periodic GC Plugin. This setting was sometimes necessary in Java 1.6, but setting it higher than 1 now just increases the amount of time it takes the plugin to complete a full garbage collection. Issue:DS-35593
Updated the server to include an instance of the Periodic Stats Logger Plugin that is enabled out-of-the-box to aid in diagnosing support issues. The "Historical Stats Logger" plugin will log performance statistics to logs/monitor-history/historical-dsstats.csv every five minutes. This works in concert with the "Monitor History" plugin, which logs the full contents of cn=monitor to logs/monitor-history every five minutes. The tail of this csv file is automatically included in the output generated by collect-support-data. Issue:DS-35581
Fixed a defect where a web application extension's base context path could be set to "/" with no name. Issue:DS-18204
Fixed an intermittent deadlock in assured replication. Issue:DS-35494
Updated the PingDirectory Server to require a minimum Berkeley DB Java Edition version of 7.5.11.
Builds of the server that ship with the Berkeley DB JE jar file actually include a pre-release jar file for version 7.5.12 that fixes an issue that could result in lock conflicts internally within JE under heavy concurrent load in an I/O-bound database. Organizations that receive a PingDirectory Server build that does not include the Berkeley DB Java Edition jar file are recommended to contact Oracle support to obtain this fix under their own JE support contract. Issue:DS-35551
Added support for multiple client connection policies for sensitive attributes. Support for different sensitive attributes per client requires the use of multiple client connection policies with the same names on the PingDirectory Server and the Proxy Server. When a client request is processed by a Proxy Server, the PingDirectory Server looks for a policy in its own configuration with the same name as the one in the Proxy Server. The PingDirectory Server then uses this policy rather than the one associated with the Proxy Server's connection. Issue:DS-35750
Updated how indexes respond to corrupt records. An index with a corrupt record no longer goes offline and degrades its server. The index instead raises an alarm and continues to process requests. Such an index should be rebuilt, but it will continue to be used and will return the correct results for unaffected keys. Issue:DS-35537 SF#:00621671
Updated the SMTP account status notification handler to add support for extracting email addresses from JSON attributes, including an optional filter that could be used for things like only sending messages to verified and/or preferred addresses. Issue:DS-15146
Critical: Addressed an issue where an index key could incorrectly be reported as exceeding the index-entry-limit after one billion entries had been imported or added to the directory server. The directory server does not need to contain one billion entries at the same time to be affected by this issue since the entry ID will always increase for each added entry even if entries are deleted. Environments that have experienced this issue should export and reimport their data after applying this patch. Issue:DS-35790 SF#:00625942
Fixed a defect where configuring a Directory server on a Windows machine with a space in the home directory pathname would cause server setup to fail. Issue:DS-35583
Fixed a password policy issue that could arise if a user authenticated with a password that was stored with a deprecated password storage scheme. If the password policy for that user is configured with a force-change-on-reset value of true, then the internal update used to re-encode that password would have incorrectly been classified as an administrative reset and the user would have been required to choose a new password after the next successful bind. Issue:DS-35933
Updated the server to add support for new "reject unindexed search" and "permit unindexed search" request controls, which make it possible to have more fine-grained control over when the server should process an unindexed search. Issue:DS-17158
Made several improvements to the verify-index tool:
* Fixed an issue that could cause the tool to report an inaccurate estimate for the number of records to process.
* Fixed an issue that could cause the tool to perform more processing than necessary when verifying JSON or composite indexes without the --clean argument.
* Improved performance when verifying composite indexes.
* Improved validation for equality indexes configured with an additional filter.
* If any validation errors are encountered, it is now much easier to access the details of those validation errors, and the error messages are much clearer. Issues:DS-14242,DS-16519,DS-35778
Updated the LDIF export task so that the server will now execute the export-ldif command in a separate process. This is safer than the former export task mechanism because it ensures that the exported LDIF file will reflect the contents of the backend at a specific point in time (the time the export-ldif process opened the database). Issue:DS-35898
Added an "Expensive Write Operations Access Logger" that adds detailed timing information to logs for add, delete, modify, or modify-dn operations that take longer than the configured threshold (one second by default). Log messages include information about the most expensive phases of operation processing, which can help diagnose the cause of performance outliers. Issue:DS-35582
Updated ACIs to add support for parameterized DNs. Using the new syntax, attribute values will be extracted from matching resource DNs and substituted into parameterized target DNs and bind rule group DNs. Parameterized ACIs can be used in a multi-tenant environment, where each tenant has an administrators group. In the past, an ACI needed to be duplicated for each tenant. Now, one parameterized ACI can be used. For example, the parameterized ACI
(target="ldap:///o=($1),dc=example,dc=com")(version 3.0; acl "Subtree Admin Group members may search for and read entries in their subtree."; allow (search, read) groupdn="ldap:///cn=Subtree Admin Group,ou=groups,o=($1),dc=example,dc=com";)
allows members of a group with DN "cn=Subtree Admin Group,ou=groups,o=Customers, dc=example,dc=com" to search for and read entries in the "o=Customers, dc=example,dc=com" subtree, allows members of a group with DN "cn=Subtree Admin Group,ou=groups,o=Partners,dc=example,dc=com" to search for and read entries in the "o=Partners, dc=example,dc=com" subtree, and so on for any substitution value for the "($1)" parameter variable. Issue:DS-5930 SF#:00001959
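As an added illustration of the substitution these parameterized ACIs perform, the following Python model (written for these notes, not PingDirectory's own ACI engine) binds ($1) from a resource DN that matches the target, substitutes it into the bind rule's groupdn, and checks the result against constructed group-membership data. The DN handling is deliberately simplified (comma escaping and case-insensitive comparison only, no full RFC 4514 normalization), and the group members are sample values that exist only in this example.

```python
"""Hypothetical model of parameterized ACI evaluation (not PingDirectory's code).

The server binds ($n) placeholders from the resource DN that matched the
target, then substitutes them into the bind rule's groupdn. This module
reproduces that substitution on constructed sample data so the behaviour
can be exercised offline. DN handling is simplified: comma escaping only,
case-insensitive comparison, no full RFC 4514 normalization.
"""
import re
from typing import Dict, List, Optional, Tuple

_PARAM_RE = re.compile(r"\(\$(\d+)\)")  # a "($1)"-style placeholder
_LDAP_URL_PREFIX = "ldap:///"

# The parameterized ACI from the release notes: target and bind-rule group DN.
TARGET = "ldap:///o=($1),dc=example,dc=com"
GROUPDN = "ldap:///cn=Subtree Admin Group,ou=groups,o=($1),dc=example,dc=com"

# Constructed group membership data; these DNs exist only for this example.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "cn=Subtree Admin Group,ou=groups,o=Customers,dc=example,dc=com": [
        "uid=carol,ou=people,o=Customers,dc=example,dc=com",
    ],
    "cn=Subtree Admin Group,ou=groups,o=Partners,dc=example,dc=com": [
        "uid=pat,ou=people,o=Partners,dc=example,dc=com",
    ],
}


def _dn_from_url(value: str) -> str:
    """Strip the ldap:/// prefix an ACI places in front of a DN."""
    return value[len(_LDAP_URL_PREFIX):] if value.startswith(_LDAP_URL_PREFIX) else value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, honouring backslash-escaped
    commas. Attribute types are lower-cased; values keep their case."""
    rdns: List[Tuple[str, str]] = []
    for raw in re.split(r"(?<!\\),", dn):
        raw = raw.strip()
        if raw:
            attr_type, _, value = raw.partition("=")
            rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical, case-folded form used for DN equality checks."""
    return ",".join(f"{t}={v.lower()}" for t, v in parse_dn(dn))


def match_suffix(pattern: str, dn: str) -> Optional[Dict[str, str]]:
    """Match a parameterized DN pattern against the trailing RDNs of dn.

    A target like o=($1),dc=example,dc=com covers its whole subtree, so dn
    may carry extra leading RDNs. Returns the captured parameters, or None
    when dn is not under the pattern."""
    pat, got = parse_dn(pattern), parse_dn(dn)
    if len(got) < len(pat):
        return None
    params: Dict[str, str] = {}
    for (p_type, p_val), (d_type, d_val) in zip(pat, got[len(got) - len(pat):]):
        if p_type != d_type:
            return None
        placeholder = _PARAM_RE.fullmatch(p_val)
        if placeholder:
            key = placeholder.group(1)
            # The same ($n) must bind to a single value throughout the pattern.
            if key in params and params[key].lower() != d_val.lower():
                return None
            params[key] = d_val
        elif p_val.lower() != d_val.lower():
            return None
    return params


def substitute(pattern: str, params: Dict[str, str]) -> str:
    """Replace every ($n) in pattern with the value captured for n."""
    def repl(m):
        try:
            return params[m.group(1)]
        except KeyError:
            raise ValueError(f"no value bound for (${m.group(1)}) in {pattern!r}")
    return _PARAM_RE.sub(repl, pattern)


def subtree_admin_may_read(resource_dn: str, bind_dn: str,
                           group_members: Dict[str, List[str]] = GROUP_MEMBERS,
                           target: str = TARGET, groupdn: str = GROUPDN) -> bool:
    """Decide whether the parameterized ACI grants bind_dn search/read on resource_dn."""
    params = match_suffix(_dn_from_url(target), resource_dn)
    if params is None:
        return False  # the ACI does not apply to this entry at all
    required = normalize_dn(substitute(_dn_from_url(groupdn), params))
    members = {normalize_dn(m)
               for group, ms in group_members.items()
               if normalize_dn(group) == required
               for m in ms}
    return normalize_dn(bind_dn) in members


if __name__ == "__main__":
    customer_entry = "uid=alice,ou=people,o=Customers,dc=example,dc=com"
    print(subtree_admin_may_read(customer_entry, "uid=carol,ou=people,o=Customers,dc=example,dc=com"))  # True
    print(subtree_admin_may_read(customer_entry, "uid=pat,ou=people,o=Partners,dc=example,dc=com"))     # False
```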
The dsreplication "enable" and "initialize" commands now support adding or initializing a server using a topology file in non-interactive mode. The topology file must contain the list of servers that are already in the topology, and may be obtained by running the "manage-topology export" command. An LDAP connection to the first available server in the list (preferably in the same location as the new server) is used to add or initialize the new server into the topology. Issue:DS-35797
Added the ability to configure data encryption during setup using a randomly generated key, a key generated from a user-supplied passphrase, or a key obtained from an export of another server's encryption settings database. When setting up multiple instances, providing the same encryption passphrase to each instance will ensure that all instances have the same encryption key.
The encryption-settings tool has also been updated to allow creating encryption settings definitions from a passphrase, to allow providing a description when creating a new encryption settings definition, and to record a create timestamp for new definitions. It is now possible to create ciphers that use the Galois Counter Mode (GCM) cipher mode (for example, using a cipher transformation of "AES/GCM/PKCS5Padding") for authenticated encryption. Definitions created with just a cipher algorithm but no transformation will now use stronger settings.
The default encryption settings export format now provides stronger encryption. Newer server instances should be able to import encryption settings exported from other servers without issue. When exporting encryption settings for import into older servers, use the new --use-legacy-export-format argument. Issues:DS-15223,DS-35895
The task that sets the generation ID now waits for the replica to be connected before proceeding. This should prevent errors such as "The generation ID could not be reset for domain dc=example,dc=com because it is NOT connected to the replication." Issue:DS-35995 SF#:00625582
The create-systemd-script command now suggests placing the script created in "/etc/systemd/system." Issue:DS-35868
Added an ldap-debugger tool that acts as a simple LDAP proxy between a client and a directory server and decodes all requests and responses that pass through it. Issue:DS-17883
Added an encrypt-file tool that can encrypt and decrypt data with a user-supplied passphrase, an encryption settings definition, or a topology key shared among server instances. It includes support for decrypting the content in encrypted backups, LDIF exports, and log files. Issue:DS-36054
Fixed an issue with compressed logging that could leave some data buffered in memory and not actually written out to disk until the logger is closed. Issue:DS-36070 SF#:00628238
Enhanced schema validation. Backends with compacted attribute types will not open if any of the attribute types are missing from the schema. Issue:DS-35997 SF#:00630605
Added support for encrypted logging, using a key generated from an encryption settings definition. Encrypted log files may be decrypted with the encrypt-file tool. Issue:DS-6970
Made a number of improvements to backend backup and restore, and to LDIF export and import:
* Added the ability to encrypt backups and LDIF exports with a key generated from a user-supplied passphrase or with a key generated from an encryption settings definition. Previously, encrypted backups and LDIF exports only used a secret key that was known only to servers within the replication topology. The new options make it easier to restore encrypted backups and import encrypted LDIF files in servers outside of the replication topology. The encrypt-file utility can be used to decrypt encrypted backups and LDIF exports, regardless of how the encryption key was obtained.
* Added the ability to limit the rate at which backups and LDIF exports will be written to disk, which can help avoid performance problems that result from these operations saturating the disk subsystem.
* Added new global configuration properties for automatically encrypting backups and LDIF exports by default, which will be set to true if data encryption is enabled during setup.
* Added new global configuration properties that can specify which encryption settings definitions will be used to obtain the encryption keys for automatically encrypted backups and LDIF exports. If not specified, then the server will use its preferred encryption settings definition, or an internal topology key if no encryption settings definitions are available.
* Added a new configuration property for automatically compressing encrypted LDIF exports.
* Updated the backup tool to add new --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments that can be used to specify which key to use for encrypting the backup. Added a new --doNotEncrypt argument that can be used to force a backup to be unencrypted even if automatic encryption is enabled. Added a new --maxMegabytesPerSecond argument that can be used to impose a limit on the rate at which the backup may be written to disk.
* Updated the restore tool to add new --promptForEncryptionPassphrase and --encryptionPassphraseFile arguments that can be used to provide a user-supplied passphrase for use in accessing the contents of an encrypted backup. For backups encrypted with an encryption settings definition or an internal topology key, the server will automatically be able to determine the correct key.
* Updated the export-ldif tool to add new --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments that can be used to specify which key to use for encrypting the export. Added a new --doNotEncrypt argument that can be used to force an LDIF export to be unencrypted even if automatic encryption is enabled. Added a new --maxMegabytesPerSecond argument that can be used to impose a limit on the rate at which the LDIF file may be written to disk.
* Updated the import-ldif tool to add new --promptForEncryptionPassphrase and --encryptionPassphraseFile arguments that can be used to provide a user-supplied passphrase for use in accessing the contents of an encrypted LDIF export. The --isEncrypted and --isCompressed arguments are no longer necessary, as the tool can automatically detect encryption and compression (although those arguments are still available to preserve backward compatibility), and it can automatically identify the correct key for exports encrypted with a key obtained from an encryption settings definition or an internal topology key. Issues:DS-12157,DS-35896 SF#:3628
Updated setup to include key usage, extended key usage, and subject alternative name extensions in the self-signed certificates that it generates. Issues:DS-35727,DS-35728
Added support for backup retention. When performing a backup, it is now possible to specify a minimum number of backups to retain or a minimum age of backups to retain. If either or both are specified, and if the new backup completes successfully, then any previous backups in the same directory that do not satisfy those criteria will be removed.
The remove-backup tool has also been updated to allow specifying the number of backups to retain or the minimum age for backups to retain as an alternative to providing the specific backup ID for the backup to remove. If retention criteria are specified, then any backups in the target directory that do not satisfy those criteria will be removed. Issue:DS-36111
Added a new Purge Expired Data Plugin that can be used to delete entries or JSON attributes that have expired. The plugin has several configuration properties that include controlling how expired data is identified and how it is purged. Issue:DS-6850
Updated the GSSAPI SASL mechanism handler to support alternate authorization identities, to support the "dn:" and "u:" formats for those authorization identities, and to allow the use of different identity mappers for authentication and authorization identities. Issue:DS-35869
Implemented invocation logging for several server tools, which will write to logs/tools/tool-invocation.log by default upon startup and shutdown. The information recorded in the log entries includes the tool's start and completion times, the command-line arguments used to invoke it, and the name of the system account used to launch the tool. To modify this behavior, edit the config/tool-invocation-logging.properties file. Issue:DS-4406
Updated the rebuild-index tool so that the bulkRebuild argument's usage description and error message make it clear that it cannot be used when running the tool as a task or while the server is online. Issue:DS-36092 SF#:00630477
Updated tools that interact with log or LDIF files to support reading from input files that are compressed and encrypted and writing to compressed and encrypted output files. Issue:DS-36075
Enhanced the implementation of filters having to do with "changeNumber" in the "changelog" backend so that it now correctly interprets filters that include all changes. Issue:DS-12087
Fixed an issue with null addresses associated with internal connections when they are used in conjunction with address-based ACI evaluations, such as IP and DNS bind rules. Issue:DS-36239
Added support for TLS 1.2 with STARTTLS when connecting to an SMTP server. Issue:DS-36093 SF#:00631871
Added the ability to generate administrative alert notifications when a task starts running, when it completes successfully, or when it fails to complete successfully. Also added the ability to send an email message to a specified set of users when a task starts running or completes successfully, which complements the existing ability to send an email message when a task fails to complete successfully or when it completes with any state, regardless of success or failure. Issue:DS-426
Added a close-connections-when-unavailable property to the LDAP Connection Handler configuration. This allows a connection handler to be closed whenever the server sets an unavailable alert type, such as when backend data is unavailable. This should trigger clients to failover to another server. When the unavailable alert type is cleared, the connection handler is started again. When using this configuration setting, we recommend using two connection handlers: one for client traffic, with this option set to true, and one for administration and monitoring, with this option set to false. This allows the server to be visible to administrators but not to clients. Issue:DS-36025
Provided the means to request that the server dynamically reload the certificate key and trust stores used by all HTTP connection handler instances that provide support for HTTPS. The request can be made using a new reload HTTP connection handler certificates task, the reload-http-connection-handler-certificates tool, or programmatically from a Server SDK extension using the ServerContext#reloadHTTPConnectionHandlerCertificates method. Issue:DS-35990 SF#:00629638
Added a new Cleanup Expired PingFederate Persistent Access Grants Plugin. An instance of this plugin can be created to automatically delete expired persistent access grant entries that were created by PingFederate. This is preferable to PingFederate's cleanup process since it can be run on multiple servers and throttles the background delete operations to prevent impacting client traffic. Issues:DS-35694,DS-36189
Fixed an issue that could cause the server to incorrectly classify some search requests as unindexed. Issue:DS-36312 SF#:00631691
Fixed an issue where a configuration change to enable a Delegated Administrator could be incorrectly rejected after a configuration change to the parent Delegated Admin Resource Type. Issue:DS-36377
The error message for a null changelog token when the current server is the Master has been removed. Issue:DS-36339 SF#:00632706
Made the sending of heartbeats between replication servers more efficient. Issue:DS-18222
The update tool now enforces specification of a new product license when updating to a new major version. The license can be specified using the --licenseKeyFile command-line option, or by copying the license file to the top-level directory of the server package used to perform the update. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html, or contact sales@pingidentity.com. Issue:DS-35523
Fixed a rare race condition that would cause "dsreplication enable" or "dsreplication initialize" to fail. This issue has only been seen in automated testing environments with resource-constrained virtual machines. Issue:DS-36439
In addition to specifying an exact set of desired cipher suites for the LDAP and HTTP Connection Handlers, administrators can now specify inclusions to, or exclusions from, the set of cipher suites selected by the server. Issue:DS-36088
Added support for recurring tasks, which can be used to automatically invoke certain kinds of administrative tasks based on a specified schedule.
At present, only certain kinds of tasks can be scheduled as recurring tasks. This includes both backups and LDIF exports, each of which provides retention support to limit the amount of disk space that the backups and LDIF files consume. It also includes support for any kind of task in which each instance of the task should use exactly the same values for all of the task-specific attributes. The Server SDK also provides an API for creating custom third-party recurring task implementations. Issue:DS-426
Changed server behavior so it will now mark a JSON index as corrupt if it can’t find a key, instead of having the operation fail. Issue:DS-36403 SF#:00633652
Updated the server to reduce contention when converting between strings and the bytes that comprise those strings. Issue:DS-36328 SF#:626850
Added a sanitize option to the Monitor History Plugin that, if enabled, will redact the small amount of potentially personally identifiable information that could appear in search filters and LDAP DNs within the monitor. This makes it easier to share the monitor history files with the support team in secure environments. Issue:DS-36545
Fixed an issue that could cause certain special characters in LDAP URLs to be doubly encoded. Issue:DS-36272 SF#:00633656
Increased the default size of the queue used to hold alert notifications so they can be asynchronously processed by a background thread. This makes it less likely that the queue will become full if many alerts are generated in a short period of time, which would cause subsequent attempts to generate alerts to block while the server catches up. Also updated the server to log a message when the queue becomes full so that administrators will be aware of the problem and will have suggestions for addressing it. Issue:DS-36360 SF#:635134
Improved the server's handling of DNs and RDNs that contain characters whose UTF-8 encodings require more than two bytes. Issue:DS-36230
Updated the dsconfig list subcommands to list objects of all complexity levels rather than requiring the --advanced flag to list advanced and expert objects. Issue:DS-16508
These issues were resolved with version 6.2.0.0 of the Directory Server:
The Self-Service Account Manager (SSAM) application is no longer included in the PingDirectory Server zip file. The source code for the application is available at https://github.com/pingidentity/ssam.
Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend. Issue:DS-16906 SF#:3556
Removed the "ssl-encryption" attribute from replication related monitor entries that refer to communication that is internal to the server. Only "Remote Repl Server" entries still have an "ssl-encryption" attribute as that communication is over the network. Issue:DS-16431
Updated the server to automatically store some JSON field values in a more compact manner in order to reduce the on-disk and in-memory footprint required for that data. Issue:DS-16638
The SNMP context name for the server can now be configured using the new context-name property of the SNMP Subagent Plugin. The server instance name remains the default context name when this property is not set. Issue:DS-16405
Added global configuration property replication-history-limit. When set, replication-history-limit specifies the maximum length of the operational attribute ds-sync-hist in bytes. Issue:DS-15978
Added the only-cache-frequently-accessed option to the FIFO Entry Cache to allow only frequently accessed entries to be cached, and added a new Frequently Accessed Entry Cache to the default server configuration. This can speed up server performance when a few entries are accessed frequently, such as system accounts that are retrieved from the backend for each access that is done by the PingDirectoryProxy Server or for frequently repeated queries over a small subset of data. Issue:DS-8914
Updated the commonly-used passwords dictionary to include many additional values, including known passwords used in several real-world breaches. Issue:DS-17007
Updated support for the UNBOUNDID-MS-CHAP-V2 SASL mechanism to make it easier for an intermediate application to support delegating MS-CHAPv2 authentication to the PingDirectory Server. This includes:
- The client SDK has been updated to make it easier to issue separate bind requests for each phase of the two-step authentication process. Previously, the API only exposed a single bind request that would perform both stages of the process.
- A new "proxied MS-CHAPv2 details" request control has been provided, which can be used to allow an intermediate application acting as an MS-CHAPv2 server to generate its own server challenge rather than obtaining one from the PingDirectory Server.
- The client SDK has been updated to improve the javadoc documentation. A number of examples are included to demonstrate the process of using the SDK to authenticate with the UNBOUNDID-MS-CHAP-V2 mechanism. The README file has also been updated with instructions for enabling server-side support for the UNBOUNDID-MS-CHAP-V2 mechanism. Issue:DS-17002
Fixed an issue that could impede the timely replication of subtree-delete requests contained in a transaction. Issue:DS-17008 SF#:3644
Fixed an issue with the dictionary password validator that would cause it to stop processing the dictionary file once it encountered a blank line or a line containing only spaces. Any dictionary entries contained in the file after that point were incorrectly ignored. Issue:DS-17020
The server now requires Java version 8. Issue:DS-17019
Updated the replication status table displayed by "dsreplication status" so that it includes a "Server ID" column. The "Server ID" column is only displayed if the "-a" option is passed.
Fixed an exception that prevented editing a Replication Synchronization Provider in the PingData Administrative Console. Issue:DS-16982
Fixed an issue where user resource limits defined on the authorization entry were not being enforced after a remote bind using the pass-through authentication plugin. Issue:DS-17046 SF#:3617
Fixed an issue during upgrade where a backend initialization error could occur for the Changelog Backend indicating "Environment is Read-Only." Issue:DS-16955 SF#:00003431,00003636
Fixed an issue where subtree view restrictions could register "replication replay failed" alerts when attempting to replay a subtree delete operation. Issue:DS-17048 SF#:3645
Critical: Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation. Issue:DS-17074
Updated a couple of cases where filtered SCIM searches for groups with missing members were not returned. Issue:DS-17078 SF#:00003677,00003683
Added the relative time extensible matching rule "relativeTimeExtensibleMatch" (1.3.6.1.4.1.30221.2.4.14) that can be used to match attributes with values using Generalized Time Syntax. The assertion value when using this matching rule should be in this form: an optional comparator, an optional negative '-' sign, and a duration sequence. The '>' comparator may be used to match times that come after the duration sequence. The '<' comparator may be used to match times that come before the provided duration sequence. If no comparator is provided, then matching values are determined by whether they are between the current time and the duration sequence. The optional negative sign indicates that the provided duration sequence is in the past. A duration sequence should be a comma separated list of duration values (a number followed by a unit of time, such as year, week, day, hour, minute, second, or millisecond). Examples:
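As an added illustration (not code from the release notes or from the server), the following Python evaluates an assertion value of the form just described against a Generalized Time attribute value. The unit table, the 365-day year, acceptance of plural unit names, the restriction to the "YYYYMMDDHHMMSS[.fff]Z" time form and the fixed reference instant SAMPLE_NOW are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Units named in the note above; the length of a "year" is not defined there,
# so 365 days is an assumption made for this example.
UNIT_SECONDS = {
    "year": 365 * 86400, "week": 7 * 86400, "day": 86400,
    "hour": 3600, "minute": 60, "second": 1, "millisecond": 0.001,
}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")
# Generalized Time restricted to the common "YYYYMMDDHHMMSS[.fff]Z" form (assumption).
_GT_RE = re.compile(r"^(\d{14})(?:[.,](\d{1,3}))?Z$")

# Constructed reference instant so that the results below are reproducible.
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse a Generalized Time attribute value into an aware UTC datetime."""
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported Generalized Time value: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m.group(2):
        dt += timedelta(milliseconds=int(m.group(2).ljust(3, "0")))
    return dt


def parse_assertion(assertion: str):
    """Return (comparator, offset) for an assertion value: an optional '>' or '<',
    an optional '-' sign, and a comma-separated duration sequence."""
    s = assertion.strip()
    comparator = None
    if s[:1] in ("<", ">"):
        comparator, s = s[0], s[1:].lstrip()
    negative = False
    if s.startswith("-"):
        negative, s = True, s[1:]
    total = 0.0
    for part in s.split(","):
        m = _DURATION_RE.match(part)
        if not m:
            raise ValueError(f"malformed duration: {part!r}")
        count, unit = int(m.group(1)), m.group(2).lower()
        if unit not in UNIT_SECONDS and unit.endswith("s"):
            unit = unit[:-1]  # accept plural unit names (assumption)
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit: {m.group(2)!r}")
        total += count * UNIT_SECONDS[unit]
    offset = timedelta(seconds=-total if negative else total)
    return comparator, offset


def matches(attribute_value: str, assertion: str, now: datetime = None) -> bool:
    """Apply the matching semantics described above: '>' means after the boundary,
    '<' means before it, and no comparator means between now and the boundary."""
    now = now or datetime.now(timezone.utc)
    value = parse_generalized_time(attribute_value)
    comparator, offset = parse_assertion(assertion)
    boundary = now + offset
    if comparator == ">":
        return value > boundary
    if comparator == "<":
        return value < boundary
    low, high = sorted((now, boundary))
    return low <= value <= high
```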
Updated the server to use the latest 7.0.6 release of Berkeley DB Java Edition. Issue:DS-16117
Fixed an issue where character set password validators would not retain the values for character sets that differed only by case. Issue:DS-16855 SF#:3608
Enhanced the rebuild-index tool with the ability to rebuild all indexes, or all indexes in a specific state using the "--bulkRebuild" argument. Issue:DS-5944
Critical: Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain. Issue:DS-17237 SF#:3746
Updated the authentication failure reasons generated for bind attempts that fail because of an incorrect password when account lockout is enabled. If the account is not yet locked, the authentication failure reason will include the number of remaining failed attempts before the account will be locked. If the failed attempt caused the account to be locked, the authentication failure reason will indicate whether the account is permanently or temporarily locked.
Also fixed an issue in the get password policy state issues control implementation in which the server would incorrectly indicate that a temporary lockout was permanent for the failed bind attempt that caused the account to be locked. SF#:00003561
Fixed an issue that could cause the server to compute a slightly incorrect password expiration time for an account that is within the password expiration warning interval, based on whether the server had provided an expiration warning to that user. Issue:DS-17042
Added the ability to customize the LDAP join size limit, which was previously hard-coded to 1000 entries. The ldap-join-size-limit global configuration property, which has a default value of 10000, can be used to set the default server-wide size limit. This default limit can be overridden on a per-user basis by setting the ds-rlim-ldap-join-size-limit operational attribute in the user's entry. It is also possible to use the maximum-ldap-join-size-limit property in the client connection policy configuration to set an absolute maximum join size limit for all requests received on connections associated with that client connection policy. Issue:DS-17174
Fixed an issue where the milliseconds reported in the modifyTimestamp attribute could be up to 100 ms behind the actual modification time. Issue:DS-17211
Updated the logic used to select which TLS cipher suites should be enabled by default, and the logic used to prioritize those cipher suites. The selection process has been updated to use the guidelines provided in the OWASP "Transport Layer Protection Cheat Sheet" document.
Some of the changes include:
- The server already preferred cipher suites that support forward secrecy over those that don't. It now prefers DHE over ECDHE, and avoids suites that use non-RSA keys.
- The server already avoided cipher suites with known cryptographic weaknesses, including null encryption, the RC4 symmetric cipher, and the MD5 digest algorithm. It now also avoids anonymous encryption, the single-DES symmetric cipher, the IDEA symmetric cipher, and any suite using export-level encryption.
- The server now prefers cipher suites that use the Galois/Counter Mode (GCM) over the Cipher Block Chaining (CBC) mode.
- The server now prefers AES-based cipher suites with 256-bit keys over those that use 128-bit keys. For suites with equivalent key sizes, it prefers suites with a stronger message digest algorithm over suites with a weaker digest algorithm (e.g., SHA384 over SHA256 over SHA).
- The server now provides better support for selecting and prioritizing ciphers when running on the IBM JVM. The IBM JVM uses somewhat different naming for its cipher suites than the Oracle implementation, which previously caused certain desirable suites to be left out of the selected set. Issue:DS-17146
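The following Python is an added example, not the server's implementation: it applies the exclusion and ordering rules listed in this note to a constructed list of JSSE-style suite names, treating a leading SSL_ (the IBM naming) and TLS_ prefix alike. The ranking of suites the note does not mention explicitly (static ECDH/DH key exchange, non-AES bulk ciphers) is an assumption.

```python
# Substrings (compared case-insensitively) that exclude a suite, per the list above.
_EXCLUDED_MARKERS = ("_NULL_", "_RC4_", "_MD5", "_ANON_", "_DES_", "_IDEA_", "EXPORT")

# Constructed sample of JSSE-style suite names; the SSL_ prefix mirrors the IBM naming.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]


def _split_suite(name):
    """Return (key-exchange part, cipher-and-mac part) in upper case, or None for names
    not in the classic *_WITH_* layout (TLS 1.3 names fall outside this note's scope)."""
    body = name[4:] if name[:4] in ("TLS_", "SSL_") else name
    if "_WITH_" not in body:
        return None
    kx, rest = body.split("_WITH_", 1)
    return kx.upper(), rest.upper()


def is_acceptable(name):
    """Apply the exclusions: weak, anonymous and export suites, and non-RSA keys."""
    parts = _split_suite(name)
    if parts is None or any(m in name.upper() for m in _EXCLUDED_MARKERS):
        return False
    return "RSA" in parts[0]


def priority(name):
    """Sort key, lower first: forward secrecy (DHE ahead of ECDHE, as the note states),
    then GCM over CBC, AES-256 over AES-128, then the stronger digest."""
    kx, rest = _split_suite(name)
    if kx.startswith("DHE_"):
        fs = 0
    elif kx.startswith("ECDHE_"):
        fs = 1
    elif kx == "RSA":
        fs = 2
    else:
        fs = 3  # static ECDH/DH: ranked last (assumption)
    mode = 0 if "_GCM" in rest else 1 if "_CBC" in rest else 2
    key = 0 if "AES_256" in rest else 1 if "AES_128" in rest else 2
    if rest.endswith("SHA384"):
        digest = 0
    elif rest.endswith("SHA256"):
        digest = 1
    elif rest.endswith("_SHA"):
        digest = 2
    else:
        digest = 3
    return fs, mode, key, digest


def select_cipher_suites(available):
    """Drop unacceptable suites and order the rest by preference."""
    return sorted((s for s in available if is_acceptable(s)), key=priority)
```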
The setup tool's GUI mode has been deprecated, and will be removed in a future version of the product. Until then, it can still be accessed using the command 'setup --gui'. The --cli option is no longer necessary for starting setup in command-line mode. Issues:DS-17268,DS-3653
Fixed a race condition that could cause a VLV index to become corrupted with a high concurrent modification rate involving values close to each other in the sort order. The problem was uncovered during internal testing with a configuration that is unlikely to be used in production environments. Issue:DS-16933
Fixed an issue where notification delivery could halt after processing a subtree delete operation within a multi-update request. Issue:DS-17311 SF#:3810
Updated the server to dynamically calculate the optimal replication window and queue sizes from the configured num-recent-changes value on the backend. Increasing the num-recent-changes setting can lead to an increased peak server modification rate and reduce the possibility of replication backlogs. Since the combined window and queue sizes must not exceed the num-recent-changes value, the window-size and queue-size configuration settings on the Replication Server are no longer configurable separately. Issue:DS-17305 SF#:3347
The SCIM 1.1 interface has been changed to reject searches specifying a sortBy parameter that cannot be processed, rather than processing the search as if the parameter had not been present. Issue:DS-17271 SF#:3731
Fixed an issue where repeated modifications to a single entry could result in a replication backlog of all changes. A side effect of this change is that changing the number of replication replay threads now requires a server restart. Issue:DS-17252 SF#:3769
SCIM 1.1 clients can obtain diagnostic information about how the PingDirectory Server processes a search query, by specifying attributes=debugsearchindex as a query parameter. Issue:DS-17275
Eliminated a spurious warning message written to the server error log for changes that are part of an LDAP transaction or an atomic multi-update operation while a persistent search is active. Issue:DS-17267
HTTP TRACE requests have been disabled, and will now return an HTTP status code of 405 Method not allowed. Issue:DS-17298
Fixed an issue where incorrect names were displayed in the usage for the start scripts. Issue:DS-16593
Updated the SCIM 1.1 interface to treat query parameters (such as sortBy, sortOrder, startIndex) case-insensitively. Issue:DS-17270 SF#:3731
By default, replication no longer replicates entries from subordinate backends. For example, replication enabled for the base DN dc=example,dc=com would also allow replicating changes from another backend if the base DN of that backend was subordinate to dc=example,dc=com (for example, dc=child,dc=example,dc=com). Upgraded installations will not experience a behavior change. See the command help for the new "allow-inherited-replication-of-subordinate-backends" global configuration property. Issue:DS-9808 SF#:00003408
Fixed a problem that could cause the backup utility to compute an incorrect hash when performing an online backup. Issue:DS-17357
Updated the SCIM interface to reliably produce JSON rather than XML in response to a GET operation if an Accept header is not present, or when an Accept header provided by the client does not indicate a preference between JSON and XML. Issue:DS-17235 SF#:3755
Improved the error reporting for searches involving isMemberOf that fail when the global size limit is reached. Issue:DS-17374 SF#:00598952
Removed the default root password from the out-of-the-box configuration. This password was never actually used because it was replaced by the user-supplied password provided when running setup, and it has been removed for additional security. Issue:DS-17318
Updated the encryption-settings tool to provide the ability to export or import multiple encryption settings definitions with a single command. Issue:DS-16018
Fixed an issue that could cause the server to incorrectly report the length of time until an account becomes locked after remaining unused for too long, or until an account becomes locked for failing to choose a new password in a timely manner after an administrative reset. The incorrect information would appear in account usability messages in a password policy state extended response or a get password policy state issues response control, and did not affect the server's ability to correctly enforce password policy. Issues:DS-16990,DS-16994
Updated support for the GSSAPI SASL mechanism to make it possible to configure whether the server should act as a GSSAPI acceptor or an initiator. Issue:DS-16170 SF#:3484
Fixed an issue that could cause the server to add a second entryUUID value to an entry being imported from LDIF, if that entry used entryUUID as an RDN attribute but didn't include it in the set of attributes for the entry. Issue:DS-17306
Updated the installer to discourage the use of weak root passwords.
When run in interactive mode, setup will display a list of password quality recommendations before prompting for the initial root password, suggesting that it should be at least 12 characters long, should not be contained in a dictionary of English words, and should not be contained in a dictionary of commonly-used passwords. If the proposed password does not meet these constraints, then the user will be given the option of proceeding with the provided weak password or choosing a different password.
When run in non-interactive mode, setup will exit with an error if the proposed initial root password does not satisfy the above constraints, unless the command line also includes the --allowWeakRootUserPassword argument.
In either mode, when a strong initial root password is supplied, setup will also configure the root users' password policy to ensure that subsequent root user passwords will also be required to satisfy these constraints. Issue:DS-2074
Updated the access and audit loggers so that, when logging information about an internal operation that was triggered by an external client request, the log message will include the connection and operation ID for that request. Also updated the error logger so that when logging a message from a thread that is actively processing an operation, the log message will include the connection and operation ID for that operation. Issue:DS-16509 SF#:3536
Updated the password storage schemes using the crypt, PBKDF2, and scrypt algorithms to provide the ability to impose an upper bound on the length of the passwords that they will accept. By default, any attempt to use a password longer than 200 bytes will be rejected, although this limit can be adjusted with the max-password-length property in the password storage scheme configuration.
These algorithms involve expensive computation, and encoding or validating a longer password is more expensive than encoding or validating a shorter password. A malicious client may try to launch a denial of service attack by issuing bind requests with exceptionally long passwords (with no expectation that those passwords are correct). Imposing an upper limit on password length can mitigate such attacks by rejecting those bind requests without performing any of the expensive processing required to validate the password.
Although the bcrypt algorithm also involves expensive processing, it already provides protection against this type of attack by only evaluating up to 72 bytes of a password, so the server does not need to impose an upper limit for passwords used with this scheme. Issue:DS-17011
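An added example (not the server's code) of the inexpensive length check placed ahead of a PBKDF2 derivation, as the three paragraphs above describe. The storage layout, the iteration count and the 16-byte salt are constructed for the example, and the derivation counter exists only to show that an overlong candidate never reaches the expensive step.

```python
import base64
import hashlib
import hmac
import os

MAX_PASSWORD_LENGTH = 200      # bytes; the default limit named in the note
PBKDF2_ITERATIONS = 100_000    # constructed value for this example
_derivations = 0               # counts PBKDF2 runs, to show the cheap check comes first


def within_length_limit(password: bytes) -> bool:
    """The inexpensive check that runs before any key derivation."""
    return len(password) <= MAX_PASSWORD_LENGTH


def _derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    global _derivations
    _derivations += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def derivation_count() -> int:
    return _derivations


def encode_password(password: str) -> str:
    """Encode a new password as "{PBKDF2}iterations:base64(salt):base64(key)"; this
    layout is constructed for the example and is not the server's storage format."""
    pw = password.encode("utf-8")
    if not within_length_limit(pw):
        raise ValueError(f"password exceeds max-password-length ({MAX_PASSWORD_LENGTH} bytes)")
    salt = os.urandom(16)
    key = _derive(pw, salt, PBKDF2_ITERATIONS)
    b64 = base64.b64encode
    return "{PBKDF2}%d:%s:%s" % (PBKDF2_ITERATIONS, b64(salt).decode(), b64(key).decode())


def verify_password(password: str, encoded: str) -> bool:
    """Return True when the candidate matches. An overlong candidate is rejected up
    front, before the derivation, so it costs the server almost nothing."""
    pw = password.encode("utf-8")
    if not within_length_limit(pw) or not encoded.startswith("{PBKDF2}"):
        return False
    iterations, salt_b64, key_b64 = encoded[len("{PBKDF2}"):].split(":")
    salt, key = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    # bcrypt would not need this guard: it only ever evaluates the first 72 bytes.
    return hmac.compare_digest(_derive(pw, salt, int(iterations)), key)
```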
Fixed an exception in the Local DB Index management menu that occurred when abandoning or resuming index creation. Issue:DS-17165
Replaced the ldapsearch and ldapmodify tools with new versions. The new versions are backward-compatible, but offer a number of new features, including better connection handling, better output formatting, better support for bulk operations, support for referrals, support for additional request and response controls, and rate limiting. The ldapsearch tool now offers the ability to output results in JSON, CSV, or tab-delimited text as an alternative to LDIF, and provides support for a number of data transformations. The ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files. Issues:DS-15861,DS-15862
Improved error reporting for the manage-extensions tool. Issue:DS-17080
The setup tool's GUI mode is no longer available. Issue:DS-3653
Updated "dsreplication initialize" to be more defensive when initializing a remote replica. Errors should be detected and reported much sooner. Issue:DS-16500
The aci and objectClass indexes have enforced minimum index entry limits to ensure proper server performance. The enforced minimum will be used unless a higher value is specified. Issue:DS-17431 SF#:00602173
Added validation to the dsreplication command so that it no longer allows a server to be added to a domain when the requested restricted status does not match the restricted status of existing servers in the domain. Issue:DS-16723 SF#:00003582
The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made. Issue:DS-16858
Updated the server so that multiple entryDN virtual attributes can be created with different attribute types. Issue:DS-17478 SF#:00604795
Corrected the port number returned in the error message that is displayed when an administrator is trying to set up a server that is already running. Issue:DS-13721
Replicating PingDirectory Servers no longer wait on startup for the replication backlog to drop below startup-min-replication-backlog-count, when the replication backlog is due to replicas containing incorrect generation IDs. Issue:DS-16609
An LDAP search with indexed and virtual attribute filters will return the indexed results if the virtual attribute fails to return any results, for example, if the virtual results exceed the size limit. Issue:DS-17480
Fixed a bug where transactions kept adding read-write locks to the lock table without removing them once they were no longer needed. Issue:DS-17466 SF#:00601859
Updated to Berkeley DB Java Edition 7.3.7. Issue:DS-17440
The server now monitors important certificates used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. An alarm is raised and alerts are sent when a monitored certificate is 30 days from expiration. Issue:DS-1029
Updated the SCIM 1.1 SDK to improve the performance of the User groups and Group members attributes. The virtual attribute "isDirectMemberOf" is used by this enhancement, and should be enabled. Issue:DS-17362 SF#:00003775
If the server is shutting down, replication will not try to connect to other servers in the topology, which can speed up server shutdown when remote servers are unresponsive. Issue:DS-17504 SF#:00609257
Updated the memory usage calculation of the group cache to occur in a background thread. This eliminates the possibility of blocking application threads in rare situations where the group cache calculation is expensive. Also, any time that the calculation takes longer than 10 seconds, the server will stop maintaining the memory usage for the group cache since in environments with a very high number of groups, this could lead to garbage collection pauses over 5 seconds. Issue:DS-17526 SF#:00609245
Fixed an issue that could cause a sync pipe to crash due to missing attributes in the changelog. Issue:DS-17531 SF#:00609552
Fixed an issue that prevented users from using the adminPasswordFile argument with dsreplication. Issue:DS-17523
Fixed an issue that could cause the pre-read and post-read response controls to be created with a criticality of true. Issue:DS-17483
Critical: Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured. Issue:DS-12216
When a replicated backend does not contain the expected generation ID an alarm will be raised. Issue:DS-17433
The virtual attribute "isDirectMemberOf" is now enabled by default in PingDirectory Server. Issue:DS-17554
In order to avoid assured replication timeouts, replication will be disabled during explicit garbage collection. Issue:DS-12322
Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK. Issue:DS-17606
The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root. Issue:DS-17544
Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file. Issue:DS-811
Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.
Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed. Issue:DS-16361 SF#:00003514
Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.
Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear. Issue:DS-10694
Fixed an issue where an OR filter involving multiple isMemberOf clauses would return no matches. Issue:DS-17596 SF#:610191
Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the PingDirectory Server (for cases in which each server contains a complete copy of the data) or the PingDirectoryProxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing). Issue:DS-12520
Fixed an issue in which the server would incorrectly accept a DN containing an attribute value that started with an unescaped plus sign (for example, "telephoneNumber=+1 800 555 1234,ou=People,dc=example,dc=com"). In a DN, plus signs are used to separate the name-value pairs in a multivalued RDN, and any plus sign contained in an RDN value must be escaped with a backslash (like "telephoneNumber=\+1 800 555 1234,ou=People,dc=example,dc=com"). These kinds of malformed DNs are likely to cause problems with clients that encounter them, and the server now correctly rejects them. Issue:DS-17709 SF#:613375
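The DN parsing that both the hex-encoding fix above and this plus-sign fix concern, written here as an added example rather than the server's parser: it rejects the unescaped form quoted above, accepts the escaped form, and normalizes a #hex value so that it compares equal to its escaped-string spelling. Treating the #hex form as the RFC 4514 BER hex encoding of a string-typed value, and comparing values byte-for-byte, are assumptions of the example.

```python
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIALS = set(',+";<>\\')
_ESCAPABLE = _SPECIALS | set(" #=")


def _split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped separators intact."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\":
            if i + 1 >= len(text):
                raise ValueError("DN ends with a dangling backslash")
            buf += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(buf)
            buf, i = "", i + 1
        else:
            buf += text[i]
            i += 1
    return parts + [buf]


def _decode_ber_hex(hexstr):
    """Decode the '#hex' form. Assumption: the hex is the BER encoding of a string-typed
    value (OCTET STRING, UTF8String, PrintableString or IA5String)."""
    if len(hexstr) < 4 or len(hexstr) % 2:
        raise ValueError("malformed hex-encoded value")
    data = bytes.fromhex(hexstr)  # raises ValueError on non-hex digits
    tag, length, pos = data[0], data[1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if tag not in (0x04, 0x0C, 0x13, 0x16) or pos + length != len(data):
        raise ValueError("unsupported or inconsistent BER value")
    return data[pos:].decode("utf-8")


def _decode_value(raw):
    """Turn the string form of an RDN value into the actual value."""
    if raw.startswith("#"):
        return _decode_ber_hex(raw[1:])
    out, i = bytearray(), 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and _HEX_PAIR.fullmatch(raw[i + 1:i + 3]):  # \XX is one raw byte
            out += bytes.fromhex(raw[i + 1:i + 3])
            i += 3
        elif ch == "\\" and raw[i + 1:i + 2] in _ESCAPABLE:
            out += raw[i + 1].encode("utf-8")
            i += 2
        elif ch == "\\" or ch in _SPECIALS:
            raise ValueError(f"invalid escape or unescaped special character in {raw!r}")
        else:
            out += ch.encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Parse a DN into RDNs, each a list of (type, value) pairs. A value beginning with an
    unescaped '+' leaves a trailing component without '=' and is rejected here."""
    if not dn.strip():
        return []
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"RDN component {ava!r} has no '='")
            attr_type, raw_value = ava.split("=", 1)
            attr_type = attr_type.strip()
            if not _ATTR_TYPE.match(attr_type):
                raise ValueError(f"invalid attribute type {attr_type!r}")
            avas.append((attr_type, _decode_value(raw_value)))
        rdns.append(avas)
    return rdns


def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def _escape(value):
    return "".join("\\" + ch if ch in _SPECIALS else ch for ch in value)


def normalize_dn(dn):
    """Canonical form: lower-cased types, decoded values re-escaped, and the components
    of a multi-valued RDN sorted by type."""
    return ",".join(
        "+".join(f"{t.lower()}={_escape(v)}" for t, v in sorted(avas, key=lambda a: a[0].lower()))
        for avas in parse_dn(dn)
    )


def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)
```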
The Administrative Console is no longer compatible with older versions of the server. Issue:DS-17241
Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:
- When hashing or signing a backup.
- When signing an LDIF export.
- When signing log data.
- When generating MACs for an encrypted collect-support-data archive.
- When generating unique identifiers for encryption settings definitions.
- When determining whether the configuration changed with the server offline.
In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.
Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.
Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest. Issue:DS-17444
Updated the Server SDK to provide support for groups. It is now possible to determine whether a user is a member of a specified group, to obtain the set of groups in which a user is a member, and to iterate over the members of a specified group. Issue:DS-17428
Added the ability to configure connection or request criteria that can identify add requests for entries that should be named with the server-generated entryUUID value. Although the server provides a name with entryUUID request control that can be included in add requests to specifically indicate that the entry should use entryUUID as the naming attribute, it may also be desirable to use criteria to identify requests from clients that cannot use the control, but that may benefit from this functionality. Issue:DS-17783
Fixed the task-based tools to allow the use of password files and to prevent passing a bind DN to the server when using a SASL EXTERNAL bind request. Issues:DS-17699,DS-17763 SF#:611402
Updated the Server SDK to provide support for privileges. It is now possible to determine whether a user has a given privilege, and to obtain a list of the privileges that have been assigned to a user. Issue:DS-17427
The search-filter-pattern property of the Pass Through Authentication Plugin now allows modifiers (such as "ldapFilterEscape" and "trim") to be used with attribute substitutions. This addresses an issue where binary attributes were not properly escaped in the LDAP filter. See the documentation for the search-filter-pattern property for more information. Issue:DS-17443
Replication will no longer generate or accept replication changes that have time stamps that are too far in the future. Issue:DS-17372 SF#:00601669
Updated the isMemberOf virtual attribute provider to add an optional included-group-filter configuration property. If provided, the virtual attribute will only include the DNs of groups in which the associated user is a member and that also match the given filter. For example, configuring an included-group-filter of "(objectClass=groupOfURLs)" would ensure that only dynamic groups are listed in the values of the virtual attribute. Issue:DS-17850
Replication no longer hangs when disabled for some, but not all, servers for a restricted domain. Issue:DS-17886
The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product. Issue:DS-16789
Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information. Issue:DS-17576
A check was added to make sure that a search with a VLV sort does not exceed the search time limit. Issue:DS-17912 SF#:614864
Added a new salt-length-bytes configuration property to the Salted MD5, Salted SHA-1, Salted SHA-256, Salted SHA-384, and Salted SHA-512 password storage schemes. If configured, this property will specify the size of the salt generated for new encoded passwords. If it is not defined, the server will continue to use the default size of eight bytes (64 bits).
This property only controls the size of the salt used when encoding new passwords. The server already had the ability to interpret encoded passwords with different salt lengths, so any existing passwords encoded with a different salt length will continue to work. Issue:DS-17921
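The following Python is an added illustration (not the server's own code) of why salt-length-bytes only matters when a new password is encoded: the salt is stored next to the digest, so verification simply uses whatever salt length it finds. It assumes the conventional {SSHA256} layout of base64(SHA-256(password || salt) || salt); the server's exact encoding is not shown on this page.

```python
import base64
import hashlib
import secrets

DEFAULT_SALT_BYTES = 8  # the eight-byte (64-bit) default described in the note
SCHEME_PREFIX = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes

# Assumed layout: base64(digest || salt). The digest length is fixed, so the
# salt is whatever remains after the first 32 bytes, regardless of its length.


def encode_ssha256(password: str, salt_length_bytes: int = DEFAULT_SALT_BYTES) -> str:
    """Encode a password with a freshly generated salt of the requested size."""
    if salt_length_bytes < 1:
        raise ValueError("salt-length-bytes must be at least 1")
    salt = secrets.token_bytes(salt_length_bytes)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def salt_length_of(encoded: str) -> int:
    """Recover the salt length from a stored value (used only to show that
    the length is self-describing and need not be configured for verification)."""
    raw = base64.b64decode(encoded[len(SCHEME_PREFIX):])
    return len(raw) - DIGEST_LEN


def verify_ssha256(password: str, encoded: str) -> bool:
    """Verify a password against a stored value encoded with any salt length."""
    if not encoded.startswith(SCHEME_PREFIX):
        return False
    raw = base64.b64decode(encoded[len(SCHEME_PREFIX):])
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present: malformed value
    stored_digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so verification time does not leak digest bytes.
    return secrets.compare_digest(candidate, stored_digest)
```

Encoding the same password with an 8-byte and a 16-byte salt produces values that both verify, which is the compatibility property the note describes for existing passwords.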
The Pass Through Authentication Plugin will now record Last Login Time and Last Login IP Address in the event of a successful remote bind, regardless of the value of try-local-bind. Issue:DS-17927 SF#:616677
Added a new plugin to monitor sub-operation phases and gather diagnostic information. The plugin supports adding a request criteria so that the monitoring can be scoped to a specific set of entries.
The information collected is exposed in a monitor entry named cn=Sub-Operation Timing in cn=monitor. Issue:DS-16755
Fixed an issue that could cause the entry in a pre-read or post-read response control to include virtual attributes that don't have any values. Issue:DS-17953
Fixed an issue that could cause different versions of the same schema elements to appear in the server's subschema subentry. If a schema element was defined in an earlier file but then overridden in a later schema file, or if an existing schema element was changed on the fly with the add schema file task (or the load-ldap-schema-file tool, which uses that task behind the scenes), then the schema entry would incorrectly show both the previous and updated versions of the schema element. Issue:DS-17928
Updated the 'changes' attribute in the changelog backend to use the correct previous value when use-reversible-form is set to true. Issue:DS-18007 SF#:00598940
Critical: Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup where
1) Server B had not received changes directly from a client for a long time (beyond the purge delay),
2) Since the last successful change, Server B had processed an operation from a client that made it deep enough in the operation processing to generate a change sequence number (CSN) but that operation was later rejected by the server,
3) Server A is shut down, and
4) While Server A is shut down, Server B processes one or more changes directly from the client. Issue:DS-18035 SF#:00614612
Sync Attribute Mapping modifier names, such as "jsonEscape", are now case insensitive. Issue:DS-17999
Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:
- Whether the password update is a self change or an administrative reset
- Whether to accept or reject pre-encoded passwords
- Whether to perform or skip password quality validation for the new password
- Whether to check to see if the new password matches the current password or any password in the user's history
- Whether to enforce or ignore the minimum password age constraint
- Which password storage scheme to use when encoding the new password
- Whether the user must be required to choose a new password before being permitted to request any other operations Issue:DS-18018
Updated to Berkeley DB Java Edition 7.4.5. Issue:DS-17639
Critical: Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated). Issue:DS-18070
Updated the password policy state extended operation to make it possible to determine whether the target user has a static password. Also, updated the server's support for the get password policy state issues functionality so that it will include an account usability notice if the target user does not have a static password. Either of these can be used to determine whether the user may authenticate with a mechanism that requires a static password (for example, using an LDAP simple bind or a SASL PLAIN bind). Issue:DS-18030
Limited the ACI search in the collect-support-data tool to pull only 100 entries. This reduces the time the tool takes to run for organizations with a large number of ACIs. Issue:DS-17968
Modified the server to not examine recent changes within the backend when initially started by the updater to look for post-update errors. This can speed the update process by several minutes in some environments. Issue:DS-18112
Added support for equality composite indexes, which combine a mandatory equality filter pattern (for example, "(uid=?)") with an optional base DN pattern (for example, "ou=?,ou=Customers,dc=example,dc=com") to improve the performance of certain types of searches in directories with a very large number of entries, and in particular with a very large number of non-leaf entries. Equality composite indexes offer two distinct advantages over the existing equality attribute indexes in these kinds of deployments:
- In deployments with a highly branched DIT in which clients often search with a base DN at or below one of these branch points, the use of a base DN pattern allows the server to efficiently maintain an index that is scoped to these branches so that the candidate set will only include entries from the targeted branch rather than from the entire backend. This means that individual index keys are much less likely to have ID sets that exceed the index entry limit, or that could require examining a large number of entries that are outside the scope of the search.
- In deployments with any DIT structure, equality composite indexes are much more efficient than equality attribute indexes at maintaining index keys that match a very large number of entries.
As with equality attribute indexes, equality composite indexes can be used to efficiently search for entries matching an equality filter or a substring filter with a subInitial component. These filters may be requested by themselves, or they may be inside an AND or OR filter. Issues:DS-13576,DS-15809,DS-6511 SF#:1966
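To make the candidate-set argument above concrete, here is an added Python model (not the server's index implementation) of an equality attribute index beside an equality composite index built from the filter pattern "(uid=?)" and the base DN pattern "ou=?,ou=Customers,dc=example,dc=com". The entries, entry IDs and the deliberately tiny index entry limit are constructed for the example.

```python
from collections import defaultdict

# Constructed sample entries: (entry ID, DN, uid). The uid "jdoe" recurs in
# several branches, as it would in a highly branched multi-tenant DIT.
ENTRIES = [
    (1, "uid=jdoe,ou=people,ou=acme,ou=Customers,dc=example,dc=com", "jdoe"),
    (2, "uid=jdoe,ou=people,ou=globex,ou=Customers,dc=example,dc=com", "jdoe"),
    (3, "uid=asmith,ou=people,ou=acme,ou=Customers,dc=example,dc=com", "asmith"),
    (4, "uid=jdoe,ou=staff,dc=example,dc=com", "jdoe"),
]

BASE_PATTERN = "ou=?,ou=Customers,dc=example,dc=com"
INDEX_ENTRY_LIMIT = 2  # unrealistically small so the effect is visible here


def dn_components(dn):
    return [c.strip().lower() for c in dn.split(",")]


def base_for_pattern(dn, pattern):
    """Return the branch of dn that matches a base DN pattern ("?" stands for
    any single RDN value), or None if dn is not at or below such a branch."""
    pat = dn_components(pattern)
    comps = dn_components(dn)
    if len(comps) < len(pat):
        return None
    tail = comps[-len(pat):]
    for have, want in zip(tail, pat):
        if want.endswith("=?"):
            if not have.startswith(want[:-1]):
                return None
        elif have != want:
            return None
    return ",".join(tail)


def build_attribute_index(entries):
    """Equality attribute index: uid value -> IDs across the whole backend."""
    idx = defaultdict(set)
    for eid, _dn, uid in entries:
        idx[uid.lower()].add(eid)
    return idx


def build_composite_index(entries, base_pattern=BASE_PATTERN):
    """Equality composite index: (matched branch, uid value) -> IDs in that branch."""
    idx = defaultdict(set)
    for eid, dn, uid in entries:
        base = base_for_pattern(dn, base_pattern)
        if base is not None:
            idx[(base, uid.lower())].add(eid)
    return idx


def candidates(index, key):
    """Candidate ID set for a key, or None when the key exceeds the index
    entry limit and therefore cannot be used for the search."""
    ids = index.get(key, set())
    if len(ids) > INDEX_ENTRY_LIMIT:
        return None
    return set(ids)


def composite_candidates(index, search_base, uid, base_pattern=BASE_PATTERN):
    """Candidates for (uid=<uid>) under search_base via the composite index."""
    base = base_for_pattern(search_base, base_pattern)
    if base is None:
        return None  # the search base is not covered by the base DN pattern
    return candidates(index, (base, uid.lower()))
```

With these entries the attribute index key "jdoe" already exceeds the limit, so the server could not use it, while the composite key for the acme branch yields exactly the one entry the scoped search needs.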
Fixed an incompatibility between password modify extended operations and the changelog encryption plugin. Issue:DS-18082 SF#:00615501
Added a safeguard to limit the size of the buffer used to create a notification of a transaction. The notification will be discarded if some of the changes could not be found and the limit is reached. Issue:DS-35012 SF#:00616493
Updated license files for 3rd party libraries. Issue:DS-18134
The dsreplication initialize-all option now correctly uses the hostname, port, and connection security of the replica servers that were provided during dsreplication enable, rather than the values provided during server setup. Issue:DS-18087
Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler. Issue:DS-10748 SF#:00003622,614777
Replication initialization has been enhanced to allow multiple initializations to run concurrently in some cases. When the initializations are for the same base DN each server may only participate in a single initialization. When the initializations are for different base DNs, there is no such limit. Issue:DS-17775 SF#:614343
Updated the audit log publisher to include the replication change ID in applicable changes by default. Issue:DS-18061
Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses. Issue:DS-14650
Updated the NotificationManager class within the Server SDK to provide access to the entry before and after the change rather than only the raw request object. Issue:DS-18191
Updated PingDirectory, PingDirectoryProxy, PingDataSync, and PingDataGovernance with the capability to run as Windows Services. Issue:DS-4161
Fixed an issue where the Self-Service Account Manager (SSAM) sample would not install. Issue:DS-18229
Added support for the X-Forwarded-Prefix header to override the context path of operations processed by Http Servlet Extensions. Issue:DS-18016
Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.
Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.
The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the PingDirectoryProxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).
The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that may exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced. Issue:DS-17243
Updated the default global ACIs so that a user can modify their own password when the Changelog Password Encryption Plugin is enabled. Issue:DS-18144
Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes. Issue:DS-35495
A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html or contact sales@pingidentity.com. Issue:DS-18100
Fixed an issue where a subtree delete operation could stall operation processing (SalesForce Case 00623381). Issue:DS-35496 SF#:00623381
Addressed an issue that could cause a server to never clear its replication backlog after being initialized with "dsreplication initialize". Issue:DS-35524 SF#:00624368
Removed the ability to create custom HTTP trace loggers using the Server SDK. Issue:DS-18188
The Self-Service Account Manager (SSAM) application is no longer included in the PingDirectory Server zip file. The source code for the application is available at https://github.com/pingidentity/ssam.
Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend. Issue:DS-16906 SF#:3556
Removed the "ssl-encryption" attribute from replication related monitor entries that refer to communication that is internal to the server. Only "Remote Repl Server" entries still have an "ssl-encryption" attribute as that communication is over the network. Issue:DS-16431
Updated the server to automatically store some JSON field values in a more compact manner in order to reduce the on-disk and in-memory footprint required for that data. Issue:DS-16638
The SNMP context name for the server can now be configured using the new context-name property of the SNMP Subagent Plugin. The server instance name remains the default context name when this property is not set. Issue:DS-16405
Added global configuration property replication-history-limit. When set, replication-history-limit specifies the maximum length of the operational attribute ds-sync-hist in bytes. Issue:DS-15978
Added the only-cache-frequently-accessed option to the FIFO Entry Cache to allow only frequently accessed entries to be cached, and added a new Frequently Accessed Entry Cache to the default server configuration. This can speed up server performance when a few entries are accessed frequently, such as system accounts that are retrieved from the backend for each access that is done by the PingDirectoryProxy Server or for frequently repeated queries over a small subset of data. Issue:DS-8914
Updated the commonly-used passwords dictionary to include many additional values, including known passwords used in several real-world breaches. Issue:DS-17007
Updated support for the UNBOUNDID-MS-CHAP-V2 SASL mechanism to make it easier for an intermediate application to support delegating MS-CHAPv2 authentication to the PingDirectory Server. This includes:
- The client SDK has been updated to make it easier to issue separate bind requests for each phase of the two-step authentication process. Previously, the API only exposed a single bind request that would perform both stages of the process.
- A new "proxied MS-CHAPv2 details" request control has been provided, which can be used to allow an intermediate application acting as an MS-CHAPv2 server to generate its own server challenge rather than obtaining one from the PingDirectory Server.
- The client SDK has been updated to improve the javadoc documentation. A number of examples are included to demonstrate the process of using the SDK to authenticate with the UNBOUNDID-MS-CHAP-V2 mechanism. The README file has also been updated with instructions for enabling server-side support for the UNBOUNDID-MS-CHAP-V2 mechanism. Issue:DS-17002
Fixed an issue that could impede the timely replication of subtree-delete requests contained in a transaction. Issue:DS-17008 SF#:3644
Fixed an issue with the dictionary password validator that would cause it to stop processing the dictionary file once it encountered a blank line or a line containing only spaces. Any dictionary entries contained in the file after that point were incorrectly ignored. Issue:DS-17020
The server now requires Java version 8. Issue:DS-17019
Updated the replication status table displayed by "dsreplication status" so that it includes a "Server ID" column. The "Server ID" column is only displayed if the "-a" option is passed.
Fixed an exception that prevented editing a Replication Synchronization Provider in the PingData Administrative Console. Issue:DS-16982
Fixed an issue where user resource limits defined on the authorization entry were not being enforced after a remote bind using the pass-through authentication plugin. Issue:DS-17046 SF#:3617
Fixed an issue during upgrade where a backend initialization error could occur for the Changelog Backend indicating "Environment is Read-Only." Issue:DS-16955 SF#:00003431,00003636
Fixed an issue where subtree view restrictions could register "replication replay failed" alerts when attempting to replay a subtree delete operation. Issue:DS-17048 SF#:3645
Critical: Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation. Issue:DS-17074
Fixed a couple of cases in which filtered SCIM searches for groups with missing members did not return those groups. Issue:DS-17078 SF#:00003677,00003683
Added the relative time extensible matching rule "relativeTimeExtensibleMatch" (1.3.6.1.4.1.30221.2.4.14) that can be used to match attributes with values using Generalized Time Syntax. The assertion value when using this matching rule should be in this form: an optional comparator, an optional negative '-' sign, and a duration sequence. The '>' comparator may be used to match times that come after the duration sequence. The '<' comparator may be used to match times that come before the provided duration sequence. If no comparator is provided, then matching values are determined by whether they are between the current time and the duration sequence. The optional negative sign indicates that the provided duration sequence is in the past. A duration sequence should be a comma separated list of duration values (a number followed by a unit of time, such as year, week, day, hour, minute, second, or millisecond). Examples:
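The example below is added here and is not the server's matching rule implementation; it parses assertion values of the form just described (optional comparator, optional '-', comma-separated duration values) and evaluates them against GeneralizedTime attribute values. It assumes a 365-day year, accepts optional plural unit names, treats the no-comparator case as inclusive of both ends, and supports only the YYYYMMDDHHMMSS[.fff]Z GeneralizedTime form; all of those are the example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Duration units named in the note. A year is approximated as 365 days (assumption).
UNIT_SECONDS = {
    "millisecond": 0.001, "second": 1, "minute": 60, "hour": 3600,
    "day": 86400, "week": 604800, "year": 365 * 86400,
}


def parse_assertion(assertion):
    """Return (comparator, offset): comparator is '>', '<' or None, and offset
    is a timedelta that is negative when the '-' sign is present."""
    s = assertion.strip()
    comparator = None
    if s[:1] in (">", "<"):
        comparator, s = s[0], s[1:].strip()
    sign = 1
    if s.startswith("-"):
        sign, s = -1, s[1:].strip()
    if not s:
        raise ValueError("a duration sequence is required")
    total = 0.0
    for part in s.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", part)
        if not m:
            raise ValueError(f"bad duration value: {part!r}")
        unit = m.group(2).lower().rstrip("s")  # allow "days" as well as "day"
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit: {unit}")
        total += int(m.group(1)) * UNIT_SECONDS[unit]
    return comparator, timedelta(seconds=sign * total)


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSS[.fff]Z form of GeneralizedTime (assumption:
    other legal forms are not handled here)."""
    m = re.fullmatch(r"(\d{14})(?:\.(\d{1,3}))?Z", value)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime value: {value}")
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m.group(2):
        dt += timedelta(milliseconds=int(m.group(2).ljust(3, "0")))
    return dt


def relative_time_match(value, assertion, now=None):
    """Apply relativeTimeExtensibleMatch semantics: '>' matches times after
    now+offset, '<' matches times before it, and no comparator matches times
    between now and now+offset."""
    now = now or datetime.now(timezone.utc)
    comparator, offset = parse_assertion(assertion)
    t = parse_generalized_time(value)
    reference = now + offset
    if comparator == ">":
        return t > reference
    if comparator == "<":
        return t < reference
    lo, hi = sorted((now, reference))
    return lo <= t <= hi
```

For instance, with the assertion "-1 week" a value matches only if it falls within the past week, and "<-1 week, 1 day" matches values older than eight days.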
Updated the server to use the latest 7.0.6 release of Berkeley DB Java Edition. Issue:DS-16117
Fixed an issue where character set password validators would not retain the values for character sets that differed only by case. Issue:DS-16855 SF#:3608
Enhanced the rebuild-index tool with the ability to rebuild all indexes, or all indexes in a specific state using the "--bulkRebuild" argument. Issue:DS-5944
Critical: Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain. Issue:DS-17237 SF#:3746
Updated the authentication failure reasons generated for bind attempts that fail because of an incorrect password when account lockout is enabled. If the account is not yet locked, the authentication failure reason will include the number of remaining failed attempts before the account will be locked. If the failed attempt caused the account to be locked, the authentication failure reason will indicate whether the account is permanently or temporarily locked.
Also fixed an issue in the get password policy state issues control implementation in which the server would incorrectly indicate that a temporary lockout was permanent for the failed bind attempt that caused the account to be locked. SF#:00003561
Fixed an issue that could cause the server to compute a slightly incorrect password expiration time for an account that is within the password expiration warning interval, based on whether the server had provided an expiration warning to that user. Issue:DS-17042
Added the ability to customize the LDAP join size limit, which was previously hard-coded to 1000 entries. The ldap-join-size-limit global configuration property, which has a default value of 10000, can be used to set the default server-wide size limit. This default limit can be overridden on a per-user basis by setting the ds-rlim-ldap-join-size-limit operational attribute in the user's entry. It is also possible to use the maximum-ldap-join-size-limit property in the client connection policy configuration to set an absolute maximum join size limit for all requests received on connections associated with that client connection policy. Issue:DS-17174
Fixed an issue where the milliseconds reported in the modifyTimestamp attribute could be up to 100 ms behind the actual modification time. Issue:DS-17211
Updated the logic used to select which TLS cipher suites should be enabled by default, and the logic used to prioritize those cipher suites. The selection process has been updated to use the guidelines provided in the OWASP "Transport Layer Protection Cheat Sheet" document.
Some of the changes include:
- The server already preferred cipher suites that support forward secrecy over those that don't. It now prefers DHE over ECDHE, and avoids suites that use non-RSA keys.
- The server already avoided cipher suites with known cryptographic weaknesses, including null encryption, the RC4 symmetric cipher, and the MD5 digest algorithm. It now also avoids anonymous encryption, the single-DES symmetric cipher, the IDEA symmetric cipher, and any suite using export-level encryption.
- The server now prefers cipher suites that use the Galois/Counter Mode (GCM) over the Cipher Block Chaining (CBC) mode.
- The server now prefers AES-based cipher suites with 256-bit keys over those that use 128-bit keys. For suites with equivalent key sizes, it prefers suites with a stronger message digest algorithm over suites with a weaker digest algorithm (e.g., SHA384 over SHA256 over SHA).
- The server now provides better support for selecting and prioritizing ciphers when running on the IBM JVM. The IBM JVM uses somewhat different naming for its cipher suites than the Oracle implementation, which previously allowed certain desirable suites to not be included in the selected set. Issue:DS-17146
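As an added illustration of the selection rules listed above (this is not the server's selector and does not reproduce its exact ordering), the following Python filters and ranks cipher suites given in JSSE-style names. The sample list is constructed; the key exchange ordering and every exclusion are taken from the bullets as written, and suites whose names carry none of the listed properties are simply ranked lowest rather than removed.

```python
import re

# Constructed sample of JSSE-style cipher suite names (not from any server).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA256",
]

# Name fragments that mark the weaknesses listed in the note. "_DES_" matches
# single DES only; triple DES appears as "_3DES_" and is not excluded here.
WEAK_MARKERS = ("_NULL_", "_RC4_", "_MD5", "_ANON_", "_DES_", "_IDEA_", "_EXPORT")

DIGEST_RANK = {"SHA384": 3, "SHA256": 2, "SHA": 1}


def is_excluded(suite):
    """True for suites the note says are avoided: weak primitives and non-RSA keys."""
    n = suite.upper()
    if any(marker in n for marker in WEAK_MARKERS):
        return True
    return "_RSA_WITH_" not in n  # ECDSA, DSS and anonymous suites use non-RSA keys


def rank_key(suite):
    """Higher tuples sort first: forward secrecy, key exchange (DHE over ECDHE,
    as the note lists it), GCM over CBC, AES key size, then digest strength."""
    n = suite.upper()
    forward_secrecy = 1 if ("_ECDHE_" in n or "_DHE_" in n) else 0
    key_exchange = 2 if "_DHE_" in n else (1 if "_ECDHE_" in n else 0)
    aead = 1 if "_GCM_" in n else 0
    m = re.search(r"_AES_(\d+)_", n)
    key_bits = int(m.group(1)) if m else 0
    digest = DIGEST_RANK.get(n.rsplit("_", 1)[-1], 0)
    return (forward_secrecy, key_exchange, aead, key_bits, digest)


def select_and_prioritize(suites):
    """Drop excluded suites and order the rest from most to least preferred."""
    return sorted((s for s in suites if not is_excluded(s)), key=rank_key, reverse=True)
```

Running it over the sample list keeps six suites, with the DHE AES-256-GCM-SHA384 suite first and the 3DES suite last; everything using RC4, MD5, anonymous key exchange, single DES, IDEA, export strength, null encryption or ECDSA keys is dropped.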
The setup tool's GUI mode has been deprecated, and will be removed in a future version of the product. Until then, it can still be accessed using the command 'setup --gui'. The --cli option is no longer necessary for starting setup in command-line mode. Issues:DS-17268,DS-3653
Fixed a race condition that could cause a VLV index to become corrupted with a high concurrent modification rate involving values close to each other in the sort order. The problem was uncovered during internal testing with a configuration that is unlikely to be used in production environments. Issue:DS-16933
Fixed an issue where notification delivery could halt after processing a subtree delete operation within a multi-update request. Issue:DS-17311 SF#:3810
Updated the server to dynamically calculate the optimal replication window and queue sizes from the configured num-recent-changes value on the backend. Increasing the num-recent-changes setting can lead to an increased peak server modification rate and reduce the possibility of replication backlogs. Since the combined window and queue sizes must not exceed the num-recent-changes value, the window-size and queue-size configuration settings on the Replication Server are no longer configurable separately. Issue:DS-17305 SF#:3347
The SCIM 1.1 interface has been changed to reject searches specifying a sortBy parameter that cannot be processed, rather than processing the search as if the parameter had not been present. Issue:DS-17271 SF#:3731
Fixed an issue where repeated modifications to a single entry could result in a replication backlog of all changes. A side effect of this change is that changing the number of replication replay threads now requires a server restart. Issue:DS-17252 SF#:3769
SCIM 1.1 clients can obtain diagnostic information about how the PingDirectory Server processes a search query, by specifying attributes=debugsearchindex as a query parameter. Issue:DS-17275
Eliminated a spurious warning message written to the server error log for changes that are part of an LDAP transaction or an atomic multi-update operation while a persistent search is active. Issue:DS-17267
HTTP TRACE requests have been disabled, and will now return an HTTP status code of 405 Method not allowed. Issue:DS-17298
Fixed an issue where incorrect names were displayed in the usage for the start scripts. Issue:DS-16593
Updated the SCIM 1.1 interface to treat query parameters (such as sortBy, sortOrder, startIndex) case-insensitively. Issue:DS-17270 SF#:3731
By default, replication no longer replicates entries from subordinate backends. For example, replication enabled for the base DN dc=example,dc=com would also allow replicating changes from another backend if the base DN of that backend was subordinate to dc=example,dc=com (for example, dc=child,dc=example,dc=com). Upgraded installations will not experience a behavior change. See the command help for the new "allow-inherited-replication-of-subordinate-backends" global configuration property. Issue:DS-9808 SF#:00003408
Fixed a problem that could cause the backup utility to compute an incorrect hash when performing an online backup. Issue:DS-17357
Updated the SCIM interface to reliably produce JSON rather than XML in response to a GET operation if an Accept header is not present, or when an Accept header provided by the client does not indicate a preference between JSON and XML. Issue:DS-17235 SF#:3755
Improved the error reporting for searches involving isMemberOf that fail because the global size limit is reached. Issue:DS-17374 SF#:00598952
Removed the default root password from the out-of-the-box configuration. This password was never actually used because it was replaced by the user-supplied password provided when running setup, and it has been removed for additional security. Issue:DS-17318
Updated the encryption-settings tool to provide the ability to export or import multiple encryption settings definitions with a single command. Issue:DS-16018
Fixed an issue that could cause the server to incorrectly report the length of time until an account becomes locked after remaining unused for too long, or until an account becomes locked for failing to choose a new password in a timely manner after an administrative reset. The incorrect information would appear in account usability messages in a password policy state extended response or a get password policy state issues response control, and did not affect the server's ability to correctly enforce password policy. Issues:DS-16990,DS-16994
Updated support for the GSSAPI SASL mechanism to make it possible to configure whether the server should act as a GSSAPI acceptor or an initiator. Issue:DS-16170 SF#:3484
Fixed an issue that could cause the server to add a second entryUUID value to an entry being imported from LDIF, if that entry used entryUUID as an RDN attribute but didn't include it in the set of attributes for the entry. Issue:DS-17306
Updated the installer to discourage the use of weak root passwords.
When run in interactive mode, setup will display a list of password quality recommendations before prompting for the initial root password, suggesting that it should be at least 12 characters long, should not be contained in a dictionary of English words, and should not be contained in a dictionary of commonly-used passwords. If the proposed password does not meet these constraints, then the user will be given the option of proceeding with the provided weak password or choosing a different password.
When run in non-interactive mode, setup will exit with an error if the proposed initial root password does not satisfy the above constraints, unless the command line also includes the --allowWeakRootUserPassword argument.
In either mode, when a strong initial root password is supplied, setup will also configure the root user's password policy to ensure that subsequent root user passwords will also be required to satisfy these constraints. Issue:DS-2074
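The following added Python (not the setup tool's own code) applies the three recommendations above to a proposed root password, and its dictionary loader skips blank and whitespace-only lines rather than stopping at them, which is the dictionary-file failure mode fixed under DS-17020 earlier in these notes. The word lists are constructed stand-ins for the real dictionaries.

```python
import io

MIN_ROOT_PASSWORD_LENGTH = 12  # the length recommended by setup


def load_dictionary(lines):
    """Build a lowercase word set from one-word-per-line input, ignoring blank
    or whitespace-only lines so that entries after them are still loaded."""
    words = set()
    for line in lines:
        word = line.strip()
        if word:
            words.add(word.lower())
    return words


# Constructed dictionaries; real ones contain far more entries. Blank and
# space-only lines are included on purpose to exercise the loader.
ENGLISH_WORDS = load_dictionary(io.StringIO("password\n\ncorrect\n   \nhorse\nstaple\n"))
COMMON_PASSWORDS = load_dictionary(io.StringIO("123456\npassword1\n \nqwerty\n"))


def root_password_problems(password, english=ENGLISH_WORDS, common=COMMON_PASSWORDS):
    """Return the list of recommendations the proposed password violates;
    an empty list means it is acceptable as a strong root password."""
    problems = []
    if len(password) < MIN_ROOT_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_ROOT_PASSWORD_LENGTH} characters")
    if password.lower() in english:
        problems.append("is an English dictionary word")
    if password.lower() in common:
        problems.append("is a commonly-used password")
    return problems


def accept_root_password(password, interactive, allow_weak=False):
    """Mirror the two setup modes: interactive mode may proceed after an
    explicit override, non-interactive mode fails unless --allowWeakRootUserPassword
    (modelled here by allow_weak) was given."""
    problems = root_password_problems(password)
    if not problems:
        return True
    return allow_weak if (interactive or not interactive) else False
```

In interactive mode the override corresponds to the user choosing to proceed with the weak password; in non-interactive mode it corresponds to the --allowWeakRootUserPassword argument.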
Updated the access and audit loggers so that, when logging information about an internal operation that was triggered by an external client request, the log message will include the connection and operation ID for that request. Also updated the error logger so that when logging a message from a thread that is actively processing an operation, the log message will include the connection and operation ID for that operation. Issue:DS-16509 SF#:3536
Updated the password storage schemes using the crypt, PBKDF2, and scrypt algorithms to provide the ability to impose an upper bound on the length of the passwords that they will accept. By default, any attempt to use a password longer than 200 bytes will be rejected, although this limit can be adjusted with the max-password-length property in the password storage scheme configuration.
These algorithms involve expensive computation, and encoding or validating a longer password is more expensive than encoding or validating a shorter password. A malicious client may try to launch a denial of service attack by issuing bind requests with exceptionally long passwords (with no expectation that those passwords are correct). Imposing an upper limit on password length can mitigate such attacks by rejecting those bind requests without performing any of the expensive processing required to validate the password.
Although the bcrypt algorithm also involves expensive processing, it already provides protection against this type of attack by only evaluating up to 72 bytes of a password, so the server does not need to impose an upper limit for passwords used with this scheme. Issue:DS-17011
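To show the mitigation described above in code, here is an added Python sketch (not the server's storage scheme) of a PBKDF2 scheme that rejects over-long passwords before doing any key derivation, next to a helper that shows why bcrypt needs no such cap. The iteration count, salt size and encoded format are this example's own assumptions; the 200-byte default and the 72-byte bcrypt limit are the values given in the note.

```python
import hashlib
import secrets

MAX_PASSWORD_LENGTH = 200      # the max-password-length default from the note
BCRYPT_EVALUATED_BYTES = 72    # bcrypt ignores everything past this point
PBKDF2_ITERATIONS = 100_000    # illustrative work factor (assumption)


def encode_pbkdf2(password, max_password_length=MAX_PASSWORD_LENGTH):
    """Encode a password as iterations$salt$derived-key (format is an assumption)."""
    pw = password.encode("utf-8")
    if len(pw) > max_password_length:
        raise ValueError("password exceeds max-password-length")
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, encoded, max_password_length=MAX_PASSWORD_LENGTH):
    """Verify a bind password. The length check runs first, so an over-long
    password costs nothing beyond measuring its byte length."""
    pw = password.encode("utf-8")
    if len(pw) > max_password_length:
        return False
    iterations, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def would_run_kdf(password, max_password_length=MAX_PASSWORD_LENGTH):
    """True if a bind with this password would reach the expensive derivation."""
    return len(password.encode("utf-8")) <= max_password_length


def bcrypt_effective_input(password):
    """The bytes bcrypt would actually evaluate: the first 72. Two passwords
    that agree on those bytes are indistinguishable to bcrypt, and extra
    length adds no work, which is why no separate cap is needed for it."""
    return password.encode("utf-8")[:BCRYPT_EVALUATED_BYTES]
```

The effect is that a flood of multi-kilobyte bind passwords is turned away by a length comparison instead of a hundred thousand HMAC rounds each, while legitimate passwords are unaffected.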
Fixed an exception in the Local DB Index management menu that occurred when abandoning or resuming index creation. Issue:DS-17165
Replaced the ldapsearch and ldapmodify tools with new versions. The new versions are backward-compatible, but offer a number of new features, including better connection handling, better output formatting, better support for bulk operations, support for referrals, support for additional request and response controls, and rate limiting. The ldapsearch tool now offers the ability to output results in JSON, CSV, or tab-delimited text as an alternative to LDIF, and provides support for a number of data transformations. The ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files. Issues:DS-15861,DS-15862
Improved error reporting for the manage-extensions tool. Issue:DS-17080
The setup tool's GUI mode is no longer available. Issue:DS-3653
Updated "dsreplication initialize" to be more defensive when initializing a remote replica. Errors should be detected and reported much sooner. Issue:DS-16500
The aci and objectClass indexes have enforced minimum index entry limits to ensure proper server performance. The enforced minimum will be used unless a higher value is specified. Issue:DS-17431 SF#:00602173
Added validation to the dsreplication command so that it no longer allows a server to be added to a domain when the requested restricted status does not match the restricted status of existing servers in the domain. Issue:DS-16723 SF#:00003582
The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made. Issue:DS-16858
Updated the server so that multiple entryDN virtual attributes can be created with different attribute types. Issue:DS-17478 SF#:00604795
Corrected the port number returned in the error message that is displayed when an administrator is trying to set up a server that is already running. Issue:DS-13721
Replicating PingDirectory Servers no longer wait on startup for the replication backlog to drop below startup-min-replication-backlog-count, when the replication backlog is due to replicas containing incorrect generation IDs. Issue:DS-16609
An LDAP search with indexed and virtual attribute filters will return the indexed results if the virtual attribute fails to return any results, for example, if the virtual results exceed the size limit. Issue:DS-17480
Fixed a bug where transactions grew read-write locks in the lock table without removing them when no longer needed. Issue:DS-17466 SF#:00601859
Updated to Berkeley DB Java Edition 7.3.7. Issue:DS-17440
The server now monitors important certificates used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. An alarm is raised and alerts are sent when a monitored certificate is 30 days from expiration. Issue:DS-1029
Updated the SCIM 1.1 SDK to improve the performance of the User groups and Group members attributes. The virtual attribute "isDirectMemberOf" is used by this enhancement, and should be enabled. Issue:DS-17362 SF#:00003775
If the server is shutting down, replication will not try to connect to other servers in the topology, which can speed up server shutdown when remote servers are unresponsive. Issue:DS-17504 SF#:00609257
Updated the memory usage calculation of the group cache to occur in a background thread. This eliminates the possibility of blocking application threads in rare situations where the group cache calculation is expensive. Also, any time that the calculation takes longer than 10 seconds, the server will stop maintaining the memory usage for the group cache since in environments with a very high number of groups, this could lead to garbage collection pauses over 5 seconds. Issue:DS-17526 SF#:00609245
Fixed an issue that could cause a sync pipe to crash due to missing attributes in the changelog. Issue:DS-17531 SF#:00609552
Fixed an issue that prevented users from using the adminPasswordFile argument with dsreplication. Issue:DS-17523
Fixed an issue that could cause the pre-read and post-read response controls to be created with a criticality of true. Issue:DS-17483
Critical: Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured. Issue:DS-12216
When a replicated backend does not contain the expected generation ID an alarm will be raised. Issue:DS-17433
The virtual attribute "isDirectMemberOf" is now enabled by default in PingDirectory Server. Issue:DS-17554
In order to avoid assured replication timeouts, replication will be disabled during explicit garbage collection. Issue:DS-12322
Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK. Issue:DS-17606
The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root. Issue:DS-17544
Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file. Issue:DS-811
Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.
Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed. Issue:DS-16361 SF#:00003514
Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.
Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear. Issue:DS-10694
Fixed an issue where an OR filter involving multiple isMemberOf clauses would return no matches. Issue:DS-17596 SF#:610191
Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the PingDirectory Server (for cases in which each server contains a complete copy of the data) or the PingDirectoryProxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing). Issue:DS-12520
Fixed an issue in which the server would incorrectly accept a DN containing an attribute value that started with an unescaped plus sign (for example, "telephoneNumber=+1 800 555 1234,ou=People,dc=example,dc=com"). In a DN, plus signs are used to separate the name-value pairs in a multivalued RDN, and any plus sign contained in an RDN value must be escaped with a backslash (like "telephoneNumber=\+1 800 555 1234,ou=People,dc=example,dc=com"). These kinds of malformed DNs are likely to cause problems with clients that encounter them, and the server now correctly rejects them. Issue:DS-17709 SF#:613375
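The two DN-handling fixes above (hex-encoded RDN values, and RDN values beginning with an unescaped plus sign) both come down to how a DN string is split and decoded. The parser below is an added example written for these notes, not the server's own DN code: it splits on unescaped separators, decodes backslash and `\XX` escapes, and treats a leading `#` as a hex-encoded value so that `cn=#666f6f` and `cn=foo` normalize to the same DN. Its hex handling is a deliberate simplification (raw UTF-8 bytes rather than the BER-wrapped form of the LDAP standard), and quoted legacy syntax is not supported; both are assumptions of the example.

```python
import re

# Attribute type: a descriptor such as "cn" or a numeric OID such as "2.5.4.3".
_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")


def split_unescaped(text: str, separator: str) -> list:
    """Split on `separator`, keeping backslash-escaped characters with their escape."""
    parts, current, i = [], [], 0
    while i < len(text):
        char = text[i]
        if char == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of DN")
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if char == separator:
            parts.append("".join(current))
            current = []
        else:
            current.append(char)
        i += 1
    parts.append("".join(current))
    return parts


def decode_value(raw: str) -> str:
    """Turn the string form of an RDN value into the value itself."""
    raw = raw.lstrip()
    if raw.startswith("#"):
        # Hex-encoded value. Simplification (assumption of this example): the
        # hex digits are taken as the raw UTF-8 bytes of the value; the
        # standard form wraps them in a BER encoding, which is omitted here.
        return bytes.fromhex(raw[1:]).decode("utf-8")
    out, i = bytearray(), 0
    while i < len(raw):
        char = raw[i]
        if char != "\\":
            out += char.encode("utf-8")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("dangling backslash in RDN value")
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            out.append(int(pair, 16))          # \XX hex escape -> one byte
            i += 3
        else:
            out += raw[i + 1].encode("utf-8")  # \c -> literal c (e.g. \+ or \,)
            i += 2
    return out.decode("utf-8")


def parse_dn(dn: str) -> tuple:
    """Parse a DN into a normalized tuple of RDNs, each a sorted tuple of (type, value).

    Raises ValueError for malformed input. A value that begins with an
    unescaped '+' is rejected naturally: '+' separates the components of a
    multivalued RDN, and the text after it then lacks the required '='.
    """
    rdns = []
    for rdn_text in split_unescaped(dn, ","):
        components = []
        for component in split_unescaped(rdn_text, "+"):
            attr_type, eq, raw_value = component.partition("=")
            attr_type = attr_type.strip()
            if not eq or not _TYPE_RE.match(attr_type):
                raise ValueError(f"malformed RDN component: {component!r}")
            components.append((attr_type.lower(), decode_value(raw_value)))
        rdns.append(tuple(sorted(components)))
    return tuple(rdns)


def dns_equal(a: str, b: str) -> bool:
    """Compare two DN strings by their decoded, normalized form."""
    return parse_dn(a) == parse_dn(b)
```

Comparing DNs through `parse_dn` rather than as raw strings is what makes a hex-encoded and a plain representation of the same entry resolve to the same key, which is the lookup failure the hex-encoding fix above addresses.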
The Administrative Console is no longer compatible with older versions of the server. Issue:DS-17241
Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:
- When hashing or signing a backup.
- When signing an LDIF export.
- When signing log data.
- When generating MACs for an encrypted collect-support-data archive.
- When generating unique identifiers for encryption settings definitions.
- When determining whether the configuration changed with the server offline.
In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.
Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.
Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest. Issue:DS-17444
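The compatibility property described above, that signed output stays readable across versions because the digest algorithm is recorded alongside the data, is illustrated by the following added example (written for these notes; it is not the server's signing code and its header and footer lines are a constructed format). The verifier reads the algorithm name from the metadata instead of assuming one, so data signed with SHA-256 and data signed with the older SHA-1 are both accepted, while unknown algorithms and tampered bodies are rejected.

```python
import hashlib
import hmac

# Algorithms this verifier accepts. A signer may default to sha256 while
# older output still names sha1; both verify because the name travels
# with the data. (Constructed example; not the server's own format.)
SUPPORTED_DIGESTS = ("sha1", "sha256")
DEFAULT_DIGEST = "sha256"
HEADER_PREFIX = "# signature-digest: "
FOOTER_PREFIX = "# signature: "


def sign_export(body: str, key: bytes, digest: str = DEFAULT_DIGEST) -> str:
    """Wrap an LDIF-style body with a digest-algorithm header and an HMAC footer."""
    if digest not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported digest {digest!r}")
    if not body.endswith("\n"):
        body += "\n"
    mac = hmac.new(key, body.encode("utf-8"), digest).hexdigest()
    return f"{HEADER_PREFIX}{digest}\n{body}{FOOTER_PREFIX}{mac}\n"


def verify_export(signed: str, key: bytes) -> str:
    """Check the MAC using the algorithm named in the header; return the body."""
    header, _, rest = signed.partition("\n")
    if not header.startswith(HEADER_PREFIX):
        raise ValueError("missing digest metadata header")
    digest = header[len(HEADER_PREFIX):]
    if digest not in SUPPORTED_DIGESTS:
        # An unknown algorithm is refused outright rather than guessed at.
        raise ValueError(f"unsupported digest {digest!r}")
    body, sep, footer = rest.rpartition(FOOTER_PREFIX)
    if not sep or not footer.endswith("\n"):
        raise ValueError("missing signature footer")
    expected = footer[:-1]
    actual = hmac.new(key, body.encode("utf-8"), digest).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("signature mismatch")
    return body
```

A verifier built this way can drop SHA-1 later simply by removing it from `SUPPORTED_DIGESTS`; nothing about the stored data's layout has to change.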
Updated the Server SDK to provide support for groups. It is now possible to determine whether a user is a member of a specified group, to obtain the set of groups in which a user is a member, and to iterate over the members of a specified group. Issue:DS-17428
Added the ability to configure connection or request criteria that can identify add requests for entries that should be named with the server-generated entryUUID value. Although the server provides a name with entryUUID request control that can be included in add requests to specifically indicate that the entry should use entryUUID as the naming attribute, it may also be desirable to use criteria to identify requests from clients that cannot use the control, but that may benefit from this functionality. Issue:DS-17783
Fixed the task based tools to allow the use of password files and prevent passing a bind DN to the server when using a SASL External bind request. Issues:DS-17699,DS-17763 SF#:611402
Updated the Server SDK to provide support for privileges. It is now possible to determine whether a user has a given privilege, and to obtain a list of the privileges that have been assigned to a user. Issue:DS-17427
The search-filter-pattern property of the Pass Through Authentication Plugin now allows modifiers (such as "ldapFilterEscape" and "trim") to be used with attribute substitutions. This addresses an issue where binary attributes were not properly escaped in the LDAP filter. See the documentation for the search-filter-pattern property for more information. Issue:DS-17443
Replication will no longer generate or accept replication changes that have time stamps that are too far in the future. Issue:DS-17372 SF#:00601669
Updated the isMemberOf virtual attribute provider to add an optional included-group-filter configuration property. If provided, the virtual attribute will only include the DNs of groups in which the associated user is a member and that also match the given filter. For example, configuring an included-group-filter of "(objectClass=groupOfURLs)" would ensure that only dynamic groups are listed in the values of the virtual attribute. Issue:DS-17850
Replication no longer hangs when disabled for some, but not all, servers for a restricted domain. Issue:DS-17886
The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product. Issue:DS-16789
Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information. Issue:DS-17576
A check was added to make sure a search with a VLV sort doesn't exceed the search time limit. Issue:DS-17912 SF#:614864
Added a new salt-length-bytes configuration property to the Salted MD5, Salted SHA-1, Salted SHA-256, Salted SHA-384, and Salted SHA-512 password storage schemes. If configured, this property will specify the size of the salt generated for new encoded passwords. If it is not defined, the server will continue to use the default size of eight bytes (64 bits).
This property only controls the size of the salt used when encoding new passwords. The server already had the ability to interpret encoded passwords with different salt lengths, so any existing passwords encoded with a different salt length will continue to work. Issue:DS-17921
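The reason a changed salt length leaves existing passwords verifiable is that the salt is stored alongside the digest and the digest length is fixed per scheme, so a verifier can recover a salt of any length from the stored value. The following added example (written for these notes, not the server's own implementation) shows this for the salted SHA-2 schemes using the common SSHA layout of digest followed by salt; the exact on-disk layout used by the server is not shown on this page and is an assumption here.

```python
import base64
import hashlib
import hmac
import os

# Digest lengths in bytes, fixed per scheme, which is what lets the salt
# length vary freely.
DIGEST_LENGTHS = {"SSHA256": 32, "SSHA384": 48, "SSHA512": 64}
HASHES = {"SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}
DEFAULT_SALT_LENGTH_BYTES = 8  # the documented default (64 bits)


def encode_salted(password: bytes, scheme: str = "SSHA256",
                  salt_length_bytes: int = DEFAULT_SALT_LENGTH_BYTES) -> str:
    """Encode a new password as {SCHEME}base64(digest || salt)."""
    if scheme not in HASHES:
        raise ValueError(f"unknown scheme {scheme!r}")
    if salt_length_bytes < 1:
        raise ValueError("salt must be at least one byte")
    salt = os.urandom(salt_length_bytes)
    digest = hashlib.new(HASHES[scheme], password + salt).digest()
    # Layout assumed for the example: digest first, then the salt.
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def decode_salted(stored: str):
    """Split a stored value into (scheme, digest, salt), inferring the salt length."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing scheme tag")
    scheme, _, encoded = stored[1:].partition("}")
    if scheme not in HASHES:
        raise ValueError(f"unknown scheme {scheme!r}")
    blob = base64.b64decode(encoded)
    digest_len = DIGEST_LENGTHS[scheme]
    if len(blob) <= digest_len:
        raise ValueError("encoded value too short to contain a salt")
    # Everything after the fixed-length digest is the salt, whatever its size.
    return scheme, blob[:digest_len], blob[digest_len:]


def verify_salted(password: bytes, stored: str) -> bool:
    scheme, digest, salt = decode_salted(stored)
    candidate = hashlib.new(HASHES[scheme], password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def salt_length(stored: str) -> int:
    """Report the salt length actually used in a stored value."""
    return len(decode_salted(stored)[2])
```

Because `verify_salted` never consults a configured salt length, raising `salt-length-bytes` only changes what `encode_salted` produces from then on; values encoded earlier with the eight-byte default keep verifying.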
The Pass Through Authentication Plugin will now record Last Login Time and Last Login IP Address in the event of a successful remote bind, regardless of the value of try-local-bind. Issue:DS-17927 SF#:616677
Added a new plugin to monitor sub-operation phases and gather diagnostic information. The plugin supports adding a request criteria so that the monitoring can be scoped to a specific set of entries.
The information collected is exposed in a monitor entry named cn=Sub-Operation Timing in cn=monitor. Issue:DS-16755
Fixed an issue that could cause the entry in a pre-read or post-read response control to include virtual attributes that don't have any values. Issue:DS-17953
Fixed an issue that could cause different versions of the same schema elements to appear in the server's subschema subentry. If a schema element was defined in an earlier file but then overridden in a later schema file, or if an existing schema element was changed on the fly with the add schema file task (or the load-ldap-schema-file tool, which uses that task behind the scenes), then the schema entry would incorrectly show both the previous and updated versions of the schema element. Issue:DS-17928
Updated the 'changes' attribute in the changelog backend to use the correct previous value when use-reversible-form is set to true. Issue:DS-18007 SF#:00598940
Critical: Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup where
1) Server B had not received changes directly from a client for a long time (beyond the purge delay),
2) Since the last successful change, Server B had processed an operation from a client that made it deep enough in the operation processing to generate a change sequence number (CSN) but that operation was later rejected by the server,
3) Server A is shutdown, and
4) While Server A is shutdown, the Server B processes one or more changes directly from the client. Issue:DS-18035 SF#:00614612
Sync Attribute Mapping modifier names, such as "jsonEscape", are now case insensitive. Issue:DS-17999
Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:
- Whether the password update is a self change or an administrative reset
- Whether to accept or reject pre-encoded passwords
- Whether to perform or skip password quality validation for the new password
- Whether to check to see if the new password matches the current password or any password in the user's history
- Whether to enforce or ignore the minimum password age constraint
- Which password storage scheme to use when encoding the new password
- Whether the user must be required to choose a new password before being permitted to request any other operations Issue:DS-18018
Updated to Berkeley DB Java Edition 7.4.5. Issue:DS-17639
Critical: Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated). Issue:DS-18070
Updated the password policy state extended operation to make it possible to determine whether the target user has a static password. Also, updated the server's support for the get password policy state issues functionality so that it will include an account usability notice if the target user does not have a static password. Either of these can be used to determine whether the user may authenticate with a mechanism that requires a static password (for example, using an LDAP simple bind or a SASL PLAIN bind). Issue:DS-18030
Limited the ACI search on collect support data tool to only pull 100 entries. This will reduce the time the tool takes to run for organizations with a large number of ACIs. Issue:DS-17968
Modified the server to not examine recent changes within the backend when initially started by the updater to look for post-update errors. This can speed the update process by several minutes in some environments. Issue:DS-18112
Added support for equality composite indexes, which combine a mandatory equality filter pattern (for example, "(uid=?)") with an optional base DN pattern (for example, "ou=?,ou=Customers,dc=example,dc=com") to improve the performance of certain types of searches in directories with a very large number of entries, and in particular with a very large number of non-leaf entries. Equality composite indexes offer two distinct advantages over the existing equality attribute indexes in these kinds of deployments:
- In deployments with a highly branched DIT in which clients often search with a base DN at or below one of these branch points, the use of a base DN pattern allows the server to efficiently maintain an index that is scoped to these branches so that the candidate set will only include entries from the targeted branch rather than from the entire backend. This means that individual index keys are much less likely to have ID sets that exceed the index entry limit, or that could require examining a large number of entries that are outside the scope of the search.
- In deployments with any DIT structure, equality composite indexes are much more efficient than equality attribute indexes at maintaining index keys that match a very large number of entries.
As with equality attribute indexes, equality composite indexes can be used to efficiently search for entries matching an equality filter or a substring filter with a subInitial component. These filters may be requested by themselves, or they may be inside an AND or OR filter. Issues:DS-13576,DS-15809,DS-6511 SF#:1966
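To make the scoping effect of a base DN pattern concrete, here is an added, in-memory model of an equality composite index (example code written for these notes; it is not the server's index implementation, and its DN handling is a simplified split-on-comma comparison rather than a full parser). Each index key combines the values captured by the `?` positions of the base DN pattern with the attribute value, so a search based at one branch only ever yields candidates from that branch, whereas a plain equality index on the same attribute returns every matching entry in the backend.

```python
from collections import defaultdict


def _rdns(dn: str) -> list:
    # Simplified DN handling for the example: split on commas, ignore
    # escaping, compare case-insensitively. Not a full DN parser.
    return [part.strip().lower() for part in dn.split(",")]


class EqualityCompositeIndex:
    """Index keyed by (values captured by the base DN pattern, attribute value)."""

    def __init__(self, attribute: str, base_dn_pattern: str = None):
        self.attribute = attribute.lower()
        # An empty pattern behaves like a plain equality attribute index.
        self.pattern = _rdns(base_dn_pattern) if base_dn_pattern else []
        self.keys = defaultdict(set)

    def _capture(self, dn: str, min_depth: int):
        """Match the trailing RDNs of dn against the pattern; '?' captures a value.

        Returns the captured values as a tuple, or None if dn does not lie
        at least `min_depth` levels under a DN matching the pattern.
        """
        rdns = _rdns(dn)
        depth = len(self.pattern)
        if len(rdns) < depth + min_depth:
            return None
        captured = []
        for rdn, pat in zip(rdns[len(rdns) - depth:], self.pattern):
            attr, _, value = rdn.partition("=")
            pattr, _, pvalue = pat.partition("=")
            if attr != pattr or (pvalue != "?" and pvalue != value):
                return None
            if pvalue == "?":
                captured.append(value)
        return tuple(captured)

    def add_entry(self, entry_id: int, dn: str, values) -> None:
        # Only entries strictly below a DN matching the pattern are indexed.
        captured = self._capture(dn, 1)
        if captured is None:
            return
        for value in values:
            self.keys[(captured, value.lower())].add(entry_id)

    def candidates(self, base_dn: str, value: str):
        """Candidate entry IDs for an equality search, or None if the index does not apply."""
        captured = self._capture(base_dn, 0)
        if captured is None:
            return None
        return set(self.keys.get((captured, value.lower()), set()))


# Constructed sample data: (entry id, DN, uid values).
SAMPLE_ENTRIES = [
    (1, "uid=jdoe,ou=EMEA,ou=Customers,dc=example,dc=com", ["jdoe"]),
    (2, "uid=jdoe,ou=APAC,ou=Customers,dc=example,dc=com", ["jdoe"]),
    (3, "uid=asmith,ou=EMEA,ou=Customers,dc=example,dc=com", ["asmith"]),
    (4, "uid=jdoe,ou=Staff,dc=example,dc=com", ["jdoe"]),
]


def build_indexes():
    """Build a plain uid index and a uid index scoped by a base DN pattern."""
    plain = EqualityCompositeIndex("uid")
    scoped = EqualityCompositeIndex("uid", "ou=?,ou=Customers,dc=example,dc=com")
    for entry_id, dn, uids in SAMPLE_ENTRIES:
        plain.add_entry(entry_id, dn, uids)
        scoped.add_entry(entry_id, dn, uids)
    return plain, scoped
```

With the sample data, `(uid=jdoe)` matches three entries in the plain index but only one under each customer branch in the scoped index, which is the smaller-ID-set behaviour the first bullet above describes.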
Fixed an incompatibility between password modify extended operations and the changelog encryption plugin. Issue:DS-18082 SF#:00615501
Added a safeguard to limit the size of the buffer used to create a notification of a transaction. The notification will be discarded if some of the changes could not be found and the limit is reached. Issue:DS-35012 SF#:00616493
Updated license files for 3rd party libraries. Issue:DS-18134
The dsreplication initialize-all option now correctly uses the hostname, port, and connection security of the replica servers that were provided during dsreplication enable, rather than the values provided during server setup. Issue:DS-18087
Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler. Issue:DS-10748 SF#:00003622,614777
Replication initialization has been enhanced to allow multiple initializations to run concurrently in some cases. When the initializations are for the same base DN each server may only participate in a single initialization. When the initializations are for different base DNs, there is no such limit. Issue:DS-17775 SF#:614343
Updated the audit log publisher to include the replication change ID in applicable changes by default. Issue:DS-18061
Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses. Issue:DS-14650
Updated the NotificationManager class within the Server SDK to provide access to the entry before and after the change rather than only the raw request object. Issue:DS-18191
Updated PingDirectory, PingDirectoryProxy, PingDataSync, and PingDataGovernance with the capability to run as Windows Services. Issue:DS-4161
Fixed an issue where the Self-Service Account Manager (SSAM) sample would not install. Issue:DS-18229
Added support for the X-Forwarded-Prefix header to override the context path of operations processed by HTTP Servlet Extensions. Issue:DS-18016
Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.
Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.
The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the PingDirectoryProxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).
The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that may exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced. Issue:DS-17243
Updated the default global ACIs so that a user can modify their own password when the Changelog Password Encryption Plugin is enabled. Issue:DS-18144
Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes. Issue:DS-35495
A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html or contact sales@pingidentity.com. Issue:DS-18100
Fixed an issue where a subtree delete operation could stall operation processing (SalesForce Case 00623381). Issue:DS-35496 SF#:00623381
Addressed an issue that could cause a server to never clear its replication backlog after being initialized with "dsreplication initialize". Issue:DS-35524 SF#:00624368
Removed the ability to create custom HTTP trace loggers using the Server SDK. Issue:DS-18188
Important upgrade considerations for version 6.0.0.0 of the Directory Server:
Note: The product names have been updated to reflect the UnboundID acquisition by Ping Identity. This is a naming and branding change only; the code base is the same as in prior releases and will continue to be maintained into the future.
If upgrading a server that was running an older version of the JDK, run the dsjavaproperties --initialize command after the software upgrade to compare the settings of the older JDK with the requirements of the new server software. Apply any necessary changes to the upgraded server based on previous performance settings.
The 6.0 release makes these changes to supported platforms:
PBKDF2 is now the default encoding for root passwords. This only affects new installations.
In addition to changing the default password storage scheme for root users to PBKDF2, the default password storage scheme for regular users has been changed to salted 256-bit SHA-2.
HTTPS defaults to ON: servers now default to use HTTPS for console and API connections including the SCIM API. This may affect automation scripts and development environments where HTTPS has not been in use before.
Generated user passwords, for example those created by the server during a password reset sequence, are now created as pass-phrases instead of random character strings. This makes them easier to type and remember. This change will not affect upgrades.
The /config directory file permissions have been changed so that they are only accessible by the server user.
Customers who choose to use the optional encryption algorithms provided by the third-party BouncyCastle library are encouraged to upgrade to BouncyCastle 1.54.
The Self Service Account Manager (SSAM) application is now included in the distribution image and may be optionally installed as desired.
Updated commons-beanutils from version 1.8.3 to 1.9.2 to improve security.
Updated Spring Boot artifact to v1.2.8 so transitive Spring library dependencies use v4.1.9.
Updated the HTTP/HTTPS connection handler to Jetty 9.2.15.v20160210.
The encryption-settings tool in a previous version of the PingDirectory Server will not be able to import settings generated by this version of the PingDirectory Server, if there are multiple settings exported at once.
These features were added for version 6.0.0.0 of the Directory Server:
Added a new control for very large result sets, 'maximum-sort-size-limit-without-vlv-index', which allows client applications to request that the server gracefully degrade to unsorted results in cases where sorting a very large result set would have caused a time-out.
Added LDAP support for applications that authenticate users with Yubikey one-time passwords. The extensions include the UNBOUNDID-YUBIKEY-OTP SASL handler configuration object, extended operations and command line tools for registering a user’s Yubikey device, deregistering, and supporting authentication using either the one-time password (OTP) only, or the OTP together with a static password. The server can be configured to use the public Yubico validation service, or a different validation service. The Yubikey FIDO U2F, OATH HOTP, and PGP modes are not supported.
Added new "generate TOTP shared secret" and "revoke TOTP shared secret" extended operations to make it easier for applications to enable TOTP authentication for users. While these operations are primarily intended to be invoked programmatically, a generate-totp-shared-secret tool can be used to invoke these operations from the command line.
A new transform-ldif tool is available to read an LDIF file and write an updated file with a number of changes applied. The transformations include:
A new load-ldap-schema-file tool is available for loading LDAP schemas while a server is active and on-line.
A new register-yubikey-otp-device tool is available for creating or changing associations between users and specific OTP devices.
The *rate performance testing tools now include some additional sample rate pattern files: hockey stick, step-function, sine, triangle, sawtooth and square wave patterns.
The setup command now logs its input arguments, making it easier to confirm or duplicate a setup process. This changes the content of the log and may affect automated scripts that read these log files.
The config-diff tool, which makes it easy to compare and reconcile settings between server instances, now also supports the --pretty-print option which adds line breaks to the generated lists of dsconfig commands.
The manage-account tool has been enhanced significantly to make it easier to perform operations that affect large sets of user accounts including bulk lock-outs, parallel processing of updates, support for input filter criteria and DN lists. In particular, the manage-account tool now supports explicitly setting user accounts to the "locked-out" state. This is an improvement over earlier versions which required manipulation of operational attributes. See the command help for a complete list of the options and new sub-commands.
For easier consumption by third-party analysis tools, the Directory and Proxy Servers can now output JSON log formats. Similar support will be added to the Data Sync and Governance Brokers in a later release.
To help avoid issues when indexes near their index-entry-limit, the verify-indexes command now has the following two options: --listKeysNearestIndexEntryLimit and --listKeysExceedingIndexEntryLimit. The Admin Guide includes a new section, "Monitoring Index Entry Limits", which explains how to set, track, and tune the server's Index Entry Limit values.
Monitor entries have been added for a number of related metrics, all of which can be set to trigger alarms:
The Pass-Through Authentication plugin has a new "allowLaxPassThroughAuthenticationPasswords" option that permits password changes that do not comply with the PingDirectory Server's password policy. This facilitates integration in cases where the pass-through system has less-strict rules for new passwords.
For Java developers whose tools and workflows make use of Maven, the Server SDK jar has been deployed to Maven Central so that a developer can now add the Server SDK as a project dependency by adding a few lines to a project's pom.xml. Also, developers can now generate a Server SDK project that Maven-aware IDEs such as IntelliJ IDEA can package into an extension bundle with no special configuration needed. This benefit extends similarly to continuous integration systems such as Jenkins.
The dsconfig tool provides the ability to search for and quickly navigate to configuration objects and properties in which the name, synopsis, or description matches a provided pattern.
A new rotate-log tool and task have been added, which can be used to trigger rotation of one or more log files.
The Configuration API is now fully supported for all servers. In this release, the API was changed to match SCIM conventions for attribute naming, resource modeling, and the standard HTTP verbs. The UnboundID SCIM 2 SDK (available through GitHub) can now be used with the Configuration API.
All servers have an updated web Administrative Console, which includes:
The new Administrative Console can also be deployed to independent application servers instead of being co-hosted by the servers. This simplifies deployment models and increases separation between data and application layers.
To assist with situations where a very large number of changes may cause disk, memory, and server start time to increase unexpectedly, alerting and gauge features have been added to the Recent Changes Database.
Servers can now trigger events whenever log file rotation occurs. This includes "copy on rotate" and "summarize on rotate" listeners, as well as Server SDK support for creating custom log file rotation listeners.
It is now possible to create, change, and remove root user accounts across the topology using the dsconfig tool and Administrative Console.
Made a number of improvements to the way the server handles the encryption settings database:
Updated the search-logs tool to support JSON formatted logs.
The dsreplication initialize command now ignores the adminUID and adminPassword property values in the tools.properties file, as these values may not necessarily be correct for the new server being added to the replication topology. The command now always prompts for the administrative credentials.
These were known issues at the time of the release of version 6.0.0.0 of the Directory Server:
When deploying the Administrative Console in Tomcat 8, and accessing the Administrative Console application using Tomcat's Web Application Manager, some browsers (including Safari and Firefox) will generate a path URL that encodes the dash in ubid-console. This results in a path such as http://localhost:8888/ubid%2Dconsole/, which causes session management errors. To work around this issue, copy and paste the generated link into a browser, and replace the encoded dash with a dash (-) character.
The PermSize and MaxPermSize JVM properties are no longer supported in JDK 8, and will safely be ignored. These properties can be removed by modifying the config/java.properties file and running "bin/dsjavaproperties" while the server is offline.
Security criteria for root passwords with the default configuration will be increased in a future release. This might affect automated installation scripts that currently use less secure passwords. This will not affect existing root accounts.
The dsconfig tool and the Administrative Console enable creating and managing new Root DN users in this release. However, there is a limitation with changing the password of the currently logged-in administrator. The ldappasswordmodify command can be used to change the administrator's password by providing the current and new password.
For version 5.2.0.1 to pre-6.0.0.0 servers configured to use the IBM version of Java, an extraneous ${INSTANCE_ROOT} directory is created under the server root. This is fixed on a fresh install of 6.0.0.0, but if updating to 6.0.0.0, this directory still exists and can be deleted before or after the update.
These issues were resolved with version 6.0.0.0 of the Directory Server:
Fixed an issue in which the server may fail to identify matching entries for an OR JSON object filter that targets an attribute for which at least one JSON field index is defined, but where at least one of the OR filter components is unindexed. Issue:DS-16589
Updated the password modify extended operation to enable a user to provide an expired password, as long as the user has at least one available grace login. Issue:DS-16289
Updated the changelog backend to better deal with the case in which it encounters information about an orphaned operation in its pending changes map. Issue:DS-15993
Added a warning during startup for any invalid group entries that are encountered and cannot be used. Issue:DS-13976 SF#:2934
Updated command-line tools based on the LDAP SDK tool APIs to add the following features:
Updated the verify-index tool to improve performance and reduce disk utilization. Issue:DS-12310
Added a passphrase password generator that concatenates randomly-selected words from a dictionary file to construct a password that can be both secure and easy to remember. Issue:DS-14424
Updated the offline mode of the rebuild-index tool to improve performance and reduce disk utilization. Issue:DS-12309
Added a --prettyPrint option to the config-diff tool to make the output more human-readable. Issue:DS-14694
Improved memory utilization when processing entries with very large attributes, to prevent possible data retention in memory. Issue:DS-14878 SF#:00003169
Added a new global configuration property, unrecoverable-database-error-mode, which enables configuration of an action to take when an unrecoverable database error occurs. Issue:DS-14796
Fixed an issue with the dsjavaproperties tool where java properties for PermSize and MaxPermSize could be added when using JDK 8, which no longer supports these options. Issue:DS-14857 SF#:3187
Updated the bcrypt, crypt, PBKDF2 and scrypt password storage schemes so they can be used to create new instances. Issue:DS-14923
Fixed a formatting issue in ldap-diff which could result in multiple progress messages being printed on the same line. Issue:DS-14986 SF#:3205
Updated the Apache commons collections library to address the security vulnerability described by CVE 2015-4852. Issue:DS-14430 SF#:00003216
Fixed a case where attribute syntax configuration changes would not apply to undefined attributes, which rely on default attribute types. Issue:DS-14979
Updated the server to use the latest 6.4.25 release of Berkeley DB Java Edition. Issue:DS-14996
The collect-support-data tool now captures Kerberos configuration and log information. Issue:DS-13823
Updated the server's support for the Twilio Messaging Service so that it uses the newer "Messages" API when sending SMS messages instead of the older "SMS" API. The older API has been deprecated, and Twilio now imposes a 120-character limit for messages sent via that API. The messages API allows the server to take advantage of the full 160 characters per SMS message. Issue:DS-14749
The replication target of the PingDirectory Server now correctly handles the connection being lost during initialization. Issue:DS-14690
Improved the logic the server uses when leveraging indexes to identify the set of candidate entries that are expected to match the search criteria. Also, dramatically improved the information about index usage that the server provides when issuing a search that requests the special debugsearchindex attribute, or that includes the matching entry count request control. Issue:DS-14820 SF#:00003178
Updated the pass-through authentication plugin to allow replacing passwords for migration from legacy directory products. Issues:DS-15007,DS-15083 SF#:00003198
Updated the default set of global ACIs to permit requests that include the simple paged results control. Issue:DS-15082
Server SDK extensions are now built with a Java source version of 1.7 by default. Issue:DS-15015
Improved the message used to indicate when the replication server startup minimum replication backlog processing completes. The message now states that the calculation was done when the server was started, and any missing local replicas that were unavailable for the calculation are listed. Issue:DS-15079 SF#:3220
Critical: Fixed an issue where opening the backend database might fail with an IllegalStateException that references "exploded-index-background-deletes" when there are several backend exploded indexes. Issue:DS-15094
Improved the locking strategy for multi-update requests to better accommodate delete and add requests for the same entry. This also enables graceful failures for bad requests, instead of lock timeouts. Issue:DS-15132 SF#:3248
Updated the manage-account tool to display labels for recently added password policy extended operation types. Issue:DS-15159 SF#:00003262
Added a maximum-sort-size-limit-without-vlv-index property to the client connection policy configuration. If this property is given a nonzero value, the server will not attempt to sort a result set if the number of candidate entries is greater than this number, unless it can do so using a VLV index. If the server refuses to sort a result set because of this setting, then it will either reject the search (if the server-side sort control is marked critical), or it will return the results unsorted (if the server-side sort control is not critical). Issue:DS-14855 SF#:2799
Changed interactive setup default value for HTTPS enablement. Issue:DS-15221
Changed interactive setup default value for entry cache priming. Issue:DS-15222
Added new options to the matching entry count request control to allow the client to better control the balance between how quickly the server obtains the matching entry count estimate and how accurate that estimate is. Issue:DS-15227 SF#:3178
Updated the server to reject baseObject searches that request the debugsearchindex attribute. Issue:DS-15284
Added support for authenticating with one-time passwords generated by YubiKey devices. The server may be configured to require static passwords in conjunction with YubiKey one-time passwords as a form of two-factor authentication, or it may be configured so that a one-time password alone is sufficient for authentication. Issue:DS-7017
Updated the initial server configuration to improve security and usability. These changes apply only to new installations and will not be applied when updating an existing installation. Changes include:
Updated the default file permissions for new installations on UNIX-based systems. Files and directories included in the zip file will only be accessible to their owner (the user that unzipped the file) by default.
Newly-created files and directories will also be assigned permissions that allow them to be accessed only by the account used to run the server. Existing configuration options for setting file permissions (the log-file-permissions and db-directory-permissions properties) will continue to behave as before. The new config/server.umask file will control the default permissions for all other newly-created files and directories. Issues:DS-13571,DS-13860,DS-7505 SF#:2703
Fixed a bug that could cause the same filter index to be evaluated multiple times when processing a search operation. Issue:DS-15366
Updated the global ACIs that ship with the server to use a separate ACI for each control or extended request to allow by default, rather than grouping all desired controls together in one ACI and all desired extended requests together in a second ACI. This change will only be reflected in new installations, and not when updating an existing deployment. Issue:DS-15417
Increased the default cache size set by the installer for JVM heaps smaller than 8GB. Issue:DS-15415
Addressed an issue where dsconfig incorrectly allowed certain configuration objects to be deleted. Issue:DS-15400
Updated the changelog backend to report progress and summary information when exporting to LDIF or importing from LDIF. Also fixed a problem that could prevent valid entries from being imported because of a mistaken schema violation. Issue:DS-15471
Updated mirror virtual attribute provider implementation to read values from additional entries when the source entry dn attribute has more than one value. Issue:DS-15286
Provided a graphical tool, watch-entry, that is intended to demonstrate replication or synchronization latency by watching an LDAP entry for changes. If the entry changes, then the background of the modified attributes will temporarily be red. Attributes can also be modified directly from the tool. Issue:DS-15437
Updated interactive setup to display default values, and improved the overall layout and appearance. Issues:DS-15361,DS-15363,DS-15434
Added more logging information when initializing web application and servlet extensions in case an extension causes conflicts or delays. Issue:DS-15466
Updated setup to encode the root password with the PBKDF2 password storage scheme instead of SSHA512. Issue:DS-15521
Fixed a defect where removing an objectClass value could result in an entry that violates the schema. The server now ensures that the entire entry is valid whenever objectClasses are added or removed. Issue:DS-15516 SF#:3234
Increased the minimum memory requirements for the server process from 256MB to 384MB to accommodate the Administrative Console. Issue:DS-15571
Added a load-ldap-schema-file tool that will allow the server to recognize a new schema file, or an updated version of an existing schema file, and make the definitions immediately available without needing to restart the server. Issue:DS-15576
The updater tool now increases the PermSize and MaxPermSize parameters to the recommended value to prevent JVM pauses. Issue:DS-15522 SF#:00003324
Fixed an error that could occur during upgrade when the configuration cannot be loaded due to missing custom schema. Issue:DS-15592 SF#:3340
Updated the Groovy Scripting Language version to 2.4.6. Issue:DS-15621
Added support for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism that indicates that an application attempted to verify the identity of a user whose account is stored in the server but that used a form of authentication that is external to the server (for example, via social login). The server will not alter the authentication state of the underlying connection, but may veto a successful external authentication if the user's account is not in a usable state (for example, the account is locked or disabled, or the password is expired), or it may update password policy state for the user to reflect the authentication attempt (for example, updating the last login time and IP address for a successful authentication, or recording the failed attempt and potentially locking the account for an unsuccessful authentication). Issue:DS-15559
Replaced the tabs in parallel-update log messages for failure with spaces and made the log message time stamps consistent with other logs. Issue:DS-15724
Improved visibility of the use of index keys near or in excess of the index entry limit. These changes include:
Changed the dsjavaproperties command so that its --initialize operation now carries over properties that are tool-independent from an existing java.properties file, such as the default java home and the tuning parameters. Issue:DS-15578
Added the default JVM argument "-XX:+UseCMSInitiatingOccupancyOnly" to decrease server pauses by forcing the JVM to respect the CMSInitiatingOccupancyFraction. Issue:DS-15578
Updated the verify-index tool to add a "--listIndexKeysNearestIndexEntryLimit" argument to obtain information about the keys whose ID lists are closest to (but have not yet exceeded) the index entry limit, including the number of matching entries and how close they are to reaching the limit. Issue:DS-247
Improved server performance by reducing the cost of determining the transaction settings for interacting with the backend database. Issue:DS-15768
Updated the server SDK generated documentation to use the new logo and new icon. Issue:DS-15691
Added memory tracking to the FIFO Entry Cache. The memory usage of the FIFO Entry Cache is about 10% less than reported, but is not likely to be higher than reported. Issue:DS-15794
The Data Services Markup Language (DSML) client and gateway components have been discontinued and are no longer available. Issue:DS-15753
Updated the unique attribute plugin so that the filter property applies to conflict searches, and matches entries being added or modified. Issue:DS-15791
Changed default number of HTTP request handlers from 2 times to 4 times the number of processors available to the Java virtual machine to improve performance. For example, the default has increased from 128 to 256 on a dual-socket, 8-core x64 CPU-based system with hyper-threading enabled. Issue:DS-15773
Added the ssl-cert-nickname property to the HTTP Connection Handler. If multiple public-private key pairs are in a JKS keystore, the LDAP Connection Handler enables choosing a specific certificate alias with the ssl-cert-nickname property. The HTTP Connection Handler for HTTPS connections now has the same option for parity. Issue:DS-15477
Updated the FIFO Entry Cache's max-memory-percent property to specify the maximum percentage of JVM memory the cache can use. Previously the property specified the maximum percentage of memory that must be consumed in the JVM by the application overall before the cache begins to shrink. Issue:DS-14863
The configuration framework now trims leading and trailing spaces from distinguished names. Issues:DS-13870,DS-13940
Added a new rotate-log tool to request the rotation of one or more log files. Issue:DS-10464
Improved the error messages produced by the manage-extensions tool when attempting to install invalid extensions. Issue:DS-15412
Improved the error messages and examples for create-rc-script and create-systemd-script by explicitly suggesting the use of sudo so that the scripts can modify protected files. Issue:DS-15178
Rewrote the manage-account tool to provide many new features:
Updated the isMemberOf virtual attribute implementation so that it preserves the case of the RDN attribute and value in the group DNs. Issue:DS-15968
The former suite of Administrative Console applications, each of which was tied to a particular product (for example, the dsconsole.war for the PingDirectory Server), is no longer available and has been superseded by a new version of the Administrative Console capable of managing any server product. You can choose to access the Administrative Console by hosting it within a server, or by deploying it in an external servlet container. For the former, enable an HTTP Connection Handler and add the Administrative Console Web Application Extension to the handler. For the latter, download and unzip the management-console-[version].zip file, and install the ubid-console.war file according to your container's instructions. Issue:DS-15088
Root DN User configuration entries can now be fully managed through the configuration management interfaces such as dsconfig and the Administrative Console. Issue:DS-15422
Added support for log file rotation listeners, which allow for custom processing whenever a log file is rotated out of service so that the server will no longer write to it. A copy listener (which will copy the rotated log file to an alternate location, optionally compressing it in the process), and a summarize listener (which will invoke the summarize-access-log tool on the rotated log file) are included. The Server SDK also includes an API for creating custom log file rotation listeners. Issue:DS-4235
Improved the log message for memory pools with an undefined maximum size when priming a server. Issue:DS-14658
Improved the warnings given when the maximum memory that all server components can consume is greater than the available memory in the JVM. Issue:DS-15920
Replaced the scramble-ldif tool with a more powerful transform-ldif tool with support for a number of additional transformation types. The new transform-ldif tool is backward compatible with the former scramble-ldif tool, and the scramble-ldif shell script and batch file are still included with the server to ensure compatibility with scripts that depend on that tool. Issue:DS-15108
Updated the password policy state extended operation and the manage-account tool to provide a way to obtain a list of the SASL mechanisms and OTP delivery mechanisms that are available to a user, to determine whether a user has a TOTP shared secret, and to retrieve and manipulate the set of public IDs for the YubiKey OTP devices registered for a user. Issue:DS-16104
Improved the collect-support-data tool to include information provided by systemd on platforms that support it. Issue:DS-13401
Improved the error messages for create-rc-script and create-systemd-script when the directory in which the script will be created does not exist. Issue:DS-15337
Improved the dsconfig tool to validate that there is only one enabled entry cache per entry cache level. Issue:DS-13478
If a replicated operation has failed multiple times as a result of database lock conflicts resulting from interactions with other operations, the server will now acquire an exclusive lock before making a final attempt at processing that operation to ensure that no other operations will be allowed to conflict with it. Issue:DS-16149 SF#:3482
Added support for a "generate TOTP shared secret" extended operation that allows a client to request that the server generate a shared secret for a specified user that will be stored in the user's entry and returned to the client. That shared secret can be used to generate time-based one-time passwords for use in the course of authenticating to the server through the UNBOUNDID-TOTP SASL mechanism. A "revoke TOTP shared secret" extended operation was also added to allow a shared secret to be eliminated if it is no longer needed or may have been compromised. The password policy state extended operation and the manage-account command-line tool have also been updated to provide support for manipulating the set of TOTP shared secrets for a user. Issue:DS-15349
Updated replication hostname checking with support for certificate alternative subject names and dnsname extensions checking. Issue:DS-13417 SF#:00002659
Added the server's process ID to the output of the status tool. Issue:DS-10312
Added support for JSON-formatted access and error log messages. Issue:DS-14919
Added a monitor entry for each Server SDK extension. Issue:DS-14548
The Configuration API now returns unquoted, native Javascript values for integer, real number, and boolean properties. Duration and size property values, for example '1 w' or '100 G', continue to be represented as Javascript string types. Issue:DS-15175
Added the ability to create local constants in LDIF template files using the new 'local' keyword. Issue:DS-14213
Updated the server to allow users with expired passwords to authenticate with SASL mechanisms that do not involve passwords. Issue:DS-15789
Added an r) option in dsconfig interactive mode which shows how to perform the pending operation through the configuration REST API. Added a --rest option to config-diff which changes the output from dsconfig command-line arguments to configuration REST API arguments. Issue:DS-15792
Addressed a few issues in config-diff. In some situations, config-diff would not generate commands in an order that respected all dependencies. This has been fixed. Most expected warnings are now excluded by default but can be included in the output with the --includeAllWarnings option. The --sourceBindPasswordFile and --targetBindPassword options are now applied in conjunction with the --targetConfigGroup and --sourceConfigGroup options. Issues:DS-10466,DS-10765,DS-14479,DS-15318,DS-16154
Added support for setting the request header size in the Jetty http configuration server properties. Issue:DS-12191 SF#:00002580
Updated the restore command so that it can no longer be used to restore a backup of the config backend. The command now points the administrator to safer ways to revert configuration changes, including using config-diff. Issue:DS-14704
Updated the sanitize-log tool to add support for JSON-formatted access and error log files. Issue:DS-16224
Added the ability to search for configuration objects and their properties by name with the dsconfig tool. Issue:DS-979
Added a --dry-run option to dsconfig, which can be used in batch mode to validate the configuration changes in a batch file without applying them. Issue:DS-10946
Fixed an issue that prevented the server from using the allowed-unauthenticated-request-criteria property to indicate which extended operations would be allowed on an unauthenticated connection when reject-unauthenticated-requests was set to true. Issue:DS-16267
Fixed an issue in which a password modify extended request that included the target user's current password could be seen as an administrative reset rather than a self change and might put the user's account in a "must change password" state if the user's password policy has force-change-on-reset set to true. Issue:DS-16266
Updated the local DB backend to provide an option to use a single-writer lock to avoid database lock conflicts between operations by ensuring that only a single write operation may be in progress at any time.
By default, write operations do not acquire the single-writer lock and are fully concurrent as long as none of those operations result in database lock conflicts. In the event that a lock conflict does arise between two or more operations (which should be a very rare occurrence in most environments), the server will retry each of those operations one or more times. With the changes included in this update, the server will now also acquire a single-writer lock to ensure that it only processes one of those conflicting operations at a time, to reduce the likelihood of a further conflict.
In environments with a very large number of database lock conflicts, it may be desirable to configure the server to acquire the single-writer lock even on the first attempt of each write operation. This can be accomplished by setting the single-writer-lock-behavior property to always-acquire in the backend configuration. While this can limit the overall write performance that the server can achieve, the server should still be able to process thousands of write operations per second, which is more than enough for most deployments.
The use of the single-writer lock does not have any effect on the concurrency of read operations. The server may still process any number of read operations simultaneously, even when the single-writer lock is used to ensure that only one write operation may be processed at any time. Issue:DS-16150
Added the ability to define an ACI to grant regular users access to the debugsearchindex operational attribute. This attribute can be used to obtain detailed information about the server's use of indexes in the course of processing a search request, and it was previously accessible only to users with either the bypass-acl or bypass-read-acl privilege.
To grant this access, you will need to permit access to both the debugsearchindex operational attribute, and to the cn=debugsearch portion of the DIT. For example, if you have a group with DN "cn=debugsearchindex Users,ou=Groups,dc=example,dc=com" and you want to grant the members of that group the ability to use the debugsearchindex feature, you can use the following command to add an appropriate global ACI to permit that access:
dsconfig set-access-control-handler-prop --add "global-aci:(targetattr=\"debugsearchindex\")(target=\"ldap:///cn=debugsearch\")(version 3.0; acl \"Allow members of the 'debugsearchindex Users' group to request the debugsearchindex operational attribute\"; allow (read,search,compare) groupdn=\"ldap:///cn=debugsearchindex Users,ou=Groups,dc=example,dc=com\";)"
In addition, the server now allows the debugsearchindex attribute to be requested in a case-insensitive manner. Previously, the server would only recognize debugsearchindex in all lowercase. It can now be requested in mixed case, like debugSearchIndex. Issue:DS-15672
Fixed an issue that could prevent password reset tokens from being used on locked accounts when the server was configured to permit such changes. Issue:DS-16282
Updated the pass-through authentication plugin to suppress the "force change on reset" behavior if the user's local password is replaced with a password that was accepted by a backend server. Issue:DS-15096
Fixed a null-pointer exception error that occurred when performing a bounded range search on an unindexed attribute. Issue:DS-16348 SF#:3513
The backend is no longer locked with an exclusive lock when renaming an entry due to an add conflict during replication. Issue:DS-15470 SF#:00003320
The collect-support-data tool now collects into gc-with-context all log messages for every stop-the-world GC event longer than one second, along with the two preceding log messages. Issue:DS-16444
Updated the pass-through authentication plugin to make it possible to search for the appropriate user entry in the external server using a filter constructed from attributes in the local server's copy of the user entry. This makes it possible to use pass-through authentication in cases where the user's entry has a different DN in the external server than in the local server, and where the DN for the external server cannot be constructed from the information contained in the local copy of the user entry. Issue:DS-16489
Fixed an issue with JSON field indexing that could occur if the same field value appeared in multiple attribute values in the same entry, when at least one of those field values was removed or changed and at least one remained the same. Issue:DS-16337
Fixed an issue that prevented the deletion of disabled debug loggers. Issue:DS-15622
Updated the Local DB Backend to detect the database being only partially initialized via a "dsreplication initialize" command. If the backend is started with a partially initialized environment, then the incomplete database files will be deleted, and an alarm will be raised to signal to the administrator that the backend must be reinitialized. Issue:DS-11927
Fixed an issue where update verification fails to catch a problematic update that causes the server to not start. Issue:DS-16113
Improved an error message about a possible database recovery operation that may be triggered after a database restore from an online backup or during replication binary initialization. In rare cases, the database recovery may cause a delay while opening the database. Issue:DS-16137
Fixed an issue with the summarize-access-log tool where it would appear to hang due to slow processing of large complex filters. Issue:DS-15009
These features were added for version 5.2.0.0 of the Directory Server:
Improvements to Data Store’s Native JSON Attribute Support
The previous release of the Data Store included native support for compactly storing JSON objects in LDAP attributes, and for evaluating filters to match on fields inside those JSON objects. This release adds support for enforcing constraints on the fields that may be included in JSON objects, for indexing field values for improved search performance and flexibility, and for tokenizing commonly-used string values to further reduce the data footprint.
New Password Validators
The Data Store now includes the Haystacks Password Validator, based on the Gibson Research Corporation Password Haystacks concept, and the Commonly-Used Passwords Dictionary Validator, which ensures that a proposed password is not one of 10,000 commonly used passwords.
Can Request an entryUUID RDN Value when Adding an Entry
When adding a new entry to the server, the client can now request that the server-generated entryUUID be used as the RDN attribute for the entry. This improves privacy by ensuring that the entry DN will not include any personally-identifying information, and it is a convenience for application developers by eliminating the potential need for modify DN operations.
Implemented a Virtual Attribute Provider
Added an Identify References virtual attribute provider. These virtual attributes will have values that are the DNs of entries that contain a specified attribute with a value equal to the DN of the entry containing the virtual attribute. For example, this could be used to create a virtual 'directReports' attribute whose values are the DNs of the entries that list the target user as their manager.
Self-Service Account Manager (SSAM)
SSAM is a web application that provides a user interface for performing common account registration, attribute update and password change tasks against the Data Store, with optional integration with PingFederate and PingAccess products.
These were known issues at the time of the release of version 5.2.0.0 of the Directory Server:
When deploying a .war file through the Web Application HTTP Servlet Extension, dependencies bundled in the file may conflict with the server's own dependencies if the server version differs from the version in the .war file. This may cause the Web Application HTTP Servlet Extension or the server itself to not start correctly. For reference, all server dependencies are available in
These issues were resolved with version 5.2.0.0 of the Directory Server:
The setup tool has been updated to use HTTPS for initial configuration. Insecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182
Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it. Issue:DS-12218
Updated the local DB backend so that changes to the db-checkpointer-wakeup-interval property no longer require a restart to take effect, and to expose new monitor attributes with useful information about the processing performed by the database cleaner. Issue:DS-12263
Added a configuration option to enable a wait period before removing a 'server unavailable' alert after a garbage collection task is performed. This allows sub-systems like replication to restart before the server becomes available again. For the Periodic GC Plugin, this option is 'delay-post-gc.' For a Forced GC Task entry, the attribute is named 'ds-task-delay-post-gc.' Both options take a value in milliseconds, and have a default value equivalent to 20 seconds. Issue:DS-12318
Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123
Changed the default password policy behavior to prevent users from changing their passwords to their current password value. This logic will apply regardless of password history settings. Issue:DS-12313 SF#:2546
Added the 'listKeysExceedingIndexEntryLimit' argument to the verify-index tool, which enables listing the keys for indexes that have exceeded their index entry limits. Issue:DS-3186
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised. Issue:DS-12319
Added support for running on Oracle Java 8 and OpenJDK 8 platforms. Issue:DS-12483
Fixed an issue that generated the following error message, but did not impact the current operation: "An unexpected error occurred while notifying a change notification listener of a modify operation: RuntimeException: The specified condition must be true. The error occurred at com.unboundid.directory.server.types.AuthenticationInfo.replaceUserEntries." Issue:DS-12443
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration. Issues:DS-12107,DS-12137
The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage. Issue:DS-12245
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired). Issue:DS-8739
Fixed an issue where configuring numeric IPv4 address filtering by connection criteria in a log publisher performed unnecessary reverse hostname lookups. Issue:DS-12610 SF#:00002632
Updated the notification destination cn=monitor entry (objectclass of ds-notification-destination-monitor-entry) to include an attribute, ds-notification-age-of-next-pending-change-seconds, which tracks how out-of-date the destination is in seconds. Values are only maintained on the master server for that domain (ds-notification-master=true). A value of 0 on the master server for that domain indicates that the destination is up-to-date. This attribute can be used in a gauge to generate alarms if a destination gets too far behind. Issue:DS-12618 SF#:2597
Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors. Issue:DS-12496
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655
Updated the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints. Issue:DS-12576
Added support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. The syntax requires that each value of this type is a valid JSON object. Two matching rules have also been added for use in conjunction with the JSON object syntax: jsonObjectExactMatch and jsonObjectFilterExtensibleMatch.
The jsonObjectExactMatch equality matching rule is used in evaluating equality filters in search operations, as well as for matching performed against JSON object attributes for add, compare, and modify operations. It determines whether two values are logically-equivalent JSON objects. The field names used in both objects must match exactly (although fields may appear in different orders). The values of each field must have the same data types. String values will be compared in a case-insensitive manner. The order of elements in arrays will be considered significant.
The jsonObjectFilterExtensibleMatch matching rule can perform more powerful matching against JSON objects. The assertion values for these extensible matching filters should be JSON objects that express the constraints for the matching. These JSON object filters are described in detail in the Javadoc documentation (available in the Commercial Edition of the UnboundID LDAP SDK for Java) for the com.unboundid.ldap.sdk.unboundidds.json.JSONObjectFilter class and its subclasses. Although the LDAP SDK can facilitate searches with this matching rule, these searches can be issued through any LDAP client API that supports extensible matching.
Indexing is supported only for the jsonObjectExactMatch matching rule. If possible, non-baseObject searches that use the jsonObjectFilterExtensibleMatch matching rule should be wrapped in an LDAP AND filter that also contains one or more indexed components so that the search can be processed more efficiently. Issue:DS-12138
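The matching semantics described above for jsonObjectExactMatch, worked through as an added example in Python (this is not the server's or the LDAP SDK's own code). It applies the rules the note states: both values must be valid JSON objects, field names must match exactly in any order, each field must have the same JSON data type, strings compare case-insensitively, and array element order is significant. The sample values are constructed.

```python
import json
from typing import Any


def _json_type(value: Any) -> str:
    """Map a parsed Python value back to its JSON data type name.
    bool is checked first because it is a subclass of int in Python."""
    if isinstance(value, bool):
        return "boolean"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    raise TypeError(f"unsupported value: {value!r}")


def json_values_match(a: Any, b: Any) -> bool:
    """Logical equivalence as described for jsonObjectExactMatch: same data
    types, identical field names (any order), case-insensitive strings,
    array element order significant."""
    if _json_type(a) != _json_type(b):
        return False
    if isinstance(a, dict):
        if a.keys() != b.keys():          # field names must match exactly
            return False
        return all(json_values_match(a[k], b[k]) for k in a)
    if isinstance(a, list):
        return len(a) == len(b) and all(json_values_match(x, y) for x, y in zip(a, b))
    if isinstance(a, str):
        return a.casefold() == b.casefold()
    return a == b                         # number, boolean, null


def parse_json_object(value: str) -> dict:
    """Syntax check: each attribute value must be a valid JSON object, so a
    well-formed array or scalar is rejected just like malformed text."""
    parsed = json.loads(value)
    if not isinstance(parsed, dict):
        raise ValueError("value is valid JSON but not a JSON object")
    return parsed


def json_object_exact_match(assertion: str, stored: str) -> bool:
    """Evaluate an equality filter (attr=assertion) against one stored value."""
    return json_values_match(parse_json_object(assertion), parse_json_object(stored))


if __name__ == "__main__":
    # Constructed sample: different field order and string case still match,
    # but a different array order does not.
    stored = '{"email": "Jane.Doe@Example.com", "roles": ["admin", "user"], "mfa": true}'
    print(json_object_exact_match(
        '{"mfa": true, "roles": ["admin", "user"], "email": "jane.doe@example.com"}', stored))  # True
    print(json_object_exact_match(
        '{"mfa": true, "roles": ["user", "admin"], "email": "jane.doe@example.com"}', stored))  # False
```

Because the type check runs before the value comparison, `"1"` and `1` never match, and `1` and `true` never match either; that is the distinction between a filter that looks right and one the server would actually satisfy.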
Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart. Issue:DS-12285
Added support for three new extended operations for interacting with single-use tokens:
Fixed an issue where the Data Store parsed the last login time value using the wrong time zone. The incorrect time affected password policy decisions and was delivered in the response to a password policy state extended request. Issue:DS-12943
Updated the server to avoid the use of the server-side sort and virtual list view request controls in search requests that span multiple subtree views or multiple entry-balanced backend sets. If the server cannot honor a non-critical server-side sort or virtual list view control, then it will process the search operation as if the control had not been included in the request. If the server cannot honor a critical server-side sort or virtual list view control, then it will return an error result to the client. Issues:DS-12560,DS-12561
Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status. Issue:DS-12969 SF#:2717
Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage. Issue:DS-12880
MakeLDIF templates now have the ability to escape the special characters curly braces, angle brackets, and square brackets using a backslash. See config/MakeLDIF/examples-of-all-tags.template for further examples. Issue:DS-12798
Added the ability to configure the Globally-Unique Attribute and Unique Attribute plugins with a filter to limit attribute uniqueness checking to a subset of matching entries. Issue:DS-9842
Fixed the Local DB Backend configuration help text for deadlock-retry-limit, which incorrectly stated that a value of zero would result in unlimited retry attempts. That value actually results in no retry attempts. Issue:DS-12909
JDBC external servers now give precedence to settings in the jdbc-driver-url property, over other dsconfig JDBC Managed Object settings for host-name, port, and database-name. The jdbc-driver-url property setting can be used instead of the other JDBC Managed Object settings. Issue:DS-12700
Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server is running out of file descriptors and degrade the server appropriately. Issue:DS-12727
Addressed an issue where data definition language (DDL) log field mappings for the JDBC error log were not previously documented. Issue:DS-13163
Fixed an issue where debug logging at a fine-level could consume large amounts of memory. Issue:DS-13124
Updated the server to use the latest 6.3.8 release of the Berkeley DB Java Edition. Issue:DS-13206
Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads. Issue:DS-10010
Improved the server shutdown time in situations when there is a database cleaner backlog. This also ensures a faster start up time since database recovery isn't needed. Issue:DS-13207
Updated the local DB backend to always try to keep exploded indexes in the database cache, and to always load exploded indexes into the cache on startup if database preloading is enabled, even if the database containing non-exploded index data for the associated index is configured with a lesser cache mode or preload configuration. Because reading from exploded indexes requires much more database interaction than non-exploded indexes, this can dramatically improve the performance of exploded index accesses for deployments in which it is not possible to fully cache all data in the backend. Issue:DS-13182
Updated the server's JVM arguments to always log garbage collection information to a rotating set of log files stored within logs/jvm/gc.log.N. The file system usage is limited to 300MB. If the server had previously been configured with VERBOSE_GC, then garbage collection logging information will no longer be logged to logs/server.out. Issue:DS-11522
The following UnboundID product names have changed:
- Identity Data Store to Data Store
- Identity Proxy to Proxy Server
- Identity Data Sync Server to Data Sync Server
- Identity Broker to Data Broker
Issue:DS-12799
Custom HTTP loggers are no longer permitted to modify the requests and responses being logged. Calling a forbidden method will result in a subclass of UnsupportedOperationException. For requests, the forbidden methods are authenticate, getReader, login, logout and setCharacterEncoding. For responses, the forbidden methods are addCookie, addHeader, addIntHeader, flushBuffer, getOutputStream, getWriter, reset, sendError, sendRedirect, setBufferSize, setCharacterEncoding, setContentLength, setContentType, setHeader, setIntHeader, setLocale and setStatus. Issue:DS-10283
Fixed a bug where using the advanced arguments of some tools would result in changing the saved complexity settings for the dsconfig tool. Issue:DS-12897
Fixed a defect where a deny ACI with target attrs would prevent Modify DN operations from succeeding, even when the target attrs did not include any RDN attrs. Issue:DS-13453 SF#:2807
Fixed an edge case problem in which a password change could result in the previous password not being included in the password history. Issue:DS-13481 SF#:2813
Updated the server to use the latest 6.3.9 release of the Berkeley DB Java Edition. Issue:DS-13426
Updated the installer to increase the maximum suggested JVM size on Linux systems with at least 48 GB of RAM. Issue:DS-12982
Added a new search-logs tool. Similar to the command line tool 'grep,' this tool searches across log files to extract lines matching the provided pattern(s). The search-logs tool can handle multi-line log messages, extract log messages within a given time range, and include rotated log files. Issue:DS-3095
Fixed an issue that could cause the server to overlook attribute options in an indexed search filter. Issue:DS-13559 SF#:00002812
Fixed an issue with the Pass Through Authentication Plugin where if a DN map was not used, the controls from the native bind operation were included in the pass through authentication request. Issue:DS-13644 SF#:2847
Updated the create-systemd-script tool by adding resource limits for available open file descriptors (NOFILE), and shared memory reservations (MEMLOCK). The generated script lists the recommended file descriptors limit and the resource limit setting for enabling large page support. The settings in the create-systemd-script output supersede prior documentation for setting the number of open file descriptors on non-systemd systems. Issue:DS-13678
Updated the ldif-diff tool to order change records for delete operations so that a delete for a parent entry never comes before the deletes for its children. Issue:DS-13748
Added a new Commonly-Used Passwords instance of the dictionary password validator that uses a dictionary file with 10,000 of the most common user passwords as determined by analysis of data from a number of security breaches. Because these passwords are so popular among end users, they are also very commonly guessed by attackers trying to compromise end user accounts.
The Commonly-Used Passwords validator is defined in the out-of-the-box configuration, but is only invoked by the Secure Password Policy by default. Issue:DS-10775
Updated the initial output of export-ldif to report that it is calculating a disk-ordered cursor rather than "Exported 0 entries." Issue:DS-13771
Updated the server to allow an initial heap size over 128 GB. Due to limitations of older JVMs, this was previously capped at 128 GB, even when the maximum heap size was larger. Issue:DS-13554
Enhanced the server's support for storing and interacting with JSON objects.
It is now possible to configure indexes for specified fields inside JSON objects to accelerate JSON object filter extensible match search operations. Indexes can be used for fields with boolean, integer, null, and string values and JSON object filters of type equals, equalsAny, greaterThan, lessThan, and substring, as well as AND filters that contain at least one indexed component and OR filters that contain only indexed components. Note that greaterThan and lessThan filters that target string values can only be indexed if they use case-insensitive matching.
It is now possible to indicate that the values of specified fields (ideally fields with a relatively small set of distinct values) should be tokenized when they are stored in the database. Tokenized values can be stored more efficiently, and consume less space in memory and on disk.
It is now possible to define a number of constraints for the fields that may be included in JSON objects stored in values of a specified attribute type. Constraints that may be imposed on a JSON field include:
- Require values of the field to have a specified data type.
- Indicate whether the field is required or optional.
- Indicate whether the field is permitted to have multiple values in an array. If a field is permitted to have array values, then it is also possible to place restrictions on the number of elements that may be present in the array.
- Indicate whether the field is permitted to have a value that is the null primitive as an alternative to values of the indicated data type.
- Restrict values of string fields to a predefined set of allowed values, to values matching a given regular expression, or to values of a specified length.
- Restrict values of numeric fields with upper and lower bounds.
Issues:DS-12139,DS-12917,DS-13476,DS-13538
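The JSON field constraints listed above, modelled as an added Python example (not the server's own implementation or configuration model). The FieldConstraint class, its property names, the "profile" attribute and the sample values are all constructed for illustration; the length constraint is interpreted as minimum and maximum length. Fields that have no constraint defined are left unchecked, since the note does not say they are rejected.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, List, Optional

# JSON data type names mapped to the Python types json.loads produces for them.
JSON_TYPES = {
    "string": str,
    "integer": int,
    "number": (int, float),
    "boolean": bool,
    "object": dict,
}


@dataclass
class FieldConstraint:
    """Constraints for one field of a JSON object (hypothetical model for this example)."""
    name: str
    data_type: str                               # key of JSON_TYPES
    required: bool = False                       # field must be present
    allow_null: bool = False                     # null permitted instead of a typed value
    allow_array: bool = False                    # multiple values in an array permitted
    min_elements: int = 0                        # array size bounds (only if allow_array)
    max_elements: Optional[int] = None
    allowed_values: Optional[frozenset] = None   # string fields: closed set of values
    pattern: Optional[str] = None                # string fields: regular expression
    min_length: Optional[int] = None             # string fields: length bounds
    max_length: Optional[int] = None
    min_value: Optional[float] = None            # numeric fields: lower/upper bound
    max_value: Optional[float] = None


def _has_type(value: Any, data_type: str) -> bool:
    # bool is a subclass of int in Python, so it must be checked separately.
    if isinstance(value, bool):
        return data_type == "boolean"
    return isinstance(value, JSON_TYPES[data_type])


def _check_single(c: FieldConstraint, value: Any, errors: List[str]) -> None:
    """Check one (non-array) value against the field's constraints."""
    if value is None:
        if not c.allow_null:
            errors.append(f"{c.name}: null is not permitted")
        return
    if not _has_type(value, c.data_type):
        errors.append(f"{c.name}: expected {c.data_type}, got {type(value).__name__}")
        return
    if isinstance(value, str):
        if c.allowed_values is not None and value not in c.allowed_values:
            errors.append(f"{c.name}: {value!r} is not an allowed value")
        if c.pattern is not None and re.fullmatch(c.pattern, value) is None:
            errors.append(f"{c.name}: {value!r} does not match {c.pattern!r}")
        if c.min_length is not None and len(value) < c.min_length:
            errors.append(f"{c.name}: shorter than {c.min_length} characters")
        if c.max_length is not None and len(value) > c.max_length:
            errors.append(f"{c.name}: longer than {c.max_length} characters")
    else:  # int or float
        if c.min_value is not None and value < c.min_value:
            errors.append(f"{c.name}: {value} is below {c.min_value}")
        if c.max_value is not None and value > c.max_value:
            errors.append(f"{c.name}: {value} is above {c.max_value}")


def validate_json_value(raw: str, constraints: List[FieldConstraint]) -> List[str]:
    """Return the list of violations for one attribute value (empty means acceptable)."""
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(obj, dict):
        return ["value must be a JSON object"]
    errors: List[str] = []
    for c in constraints:
        if c.name not in obj:
            if c.required:
                errors.append(f"{c.name}: required field is missing")
            continue
        value = obj[c.name]
        if isinstance(value, list):
            if not c.allow_array:
                errors.append(f"{c.name}: array values are not permitted")
                continue
            n = len(value)
            if n < c.min_elements or (c.max_elements is not None and n > c.max_elements):
                errors.append(f"{c.name}: array has {n} elements, expected "
                              f"{c.min_elements}..{c.max_elements}")
            for element in value:
                _check_single(c, element, errors)
        else:
            _check_single(c, value, errors)
    return errors


# Constructed constraint set for a hypothetical "profile" JSON attribute.
PROFILE_CONSTRAINTS = [
    FieldConstraint("email", "string", required=True, pattern=r"[^@\s]+@[^@\s]+"),
    FieldConstraint("age", "integer", min_value=0, max_value=150),
    FieldConstraint("roles", "string", allow_array=True, min_elements=1, max_elements=5,
                    allowed_values=frozenset({"admin", "user", "auditor"})),
    FieldConstraint("nickname", "string", allow_null=True, max_length=32),
]

if __name__ == "__main__":
    print(validate_json_value('{"email":"jane@example.com","age":30,"roles":["user"]}',
                              PROFILE_CONSTRAINTS))  # []
    print(validate_json_value('{"age":200,"roles":[]}', PROFILE_CONSTRAINTS))
```

The type check deliberately runs before any value constraint, so a string "30" in an integer field is reported as a type violation rather than silently compared against the numeric bounds; that is the behaviour a client would rely on when it validates against the same constraints before sending a request.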
Added support for a new "Haystack" password validator based on the concept of password haystacks as described at https://www.grc.com/haystack.htm. It estimates the strength of a password using a combination of its length and the types of characters that it contains (e.g., a longer password containing only lowercase letters may be stronger than a shorter password containing a mix of uppercase and lowercase letters, numbers, and symbols).
The Haystack password validator is defined in the out-of-the-box configuration but is only enabled by default in the secure password policy. Issue:DS-12106
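The haystack estimate described above, as an added Python example that is not the validator's own code. It uses the search-space formula from the grc.com haystack concept (every candidate of length 1 up to the password's length drawn from the union of character classes present); the alphabet sizes, the 50-bit acceptance threshold and the sample passwords are assumptions for this example, not the validator's documented settings.

```python
import math
import string

# Character classes with the alphabet sizes used by the haystack concept
# (assumption for this example: 33 printable ASCII symbols including space,
# giving 26 + 26 + 10 + 33 = 95 characters in total).
CHARACTER_CLASSES = {
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "digits": frozenset(string.digits),
    "symbols": frozenset(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present.
    Characters outside the four classes (e.g. non-ASCII) each add one,
    a deliberately conservative lower bound."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    known = frozenset().union(*CHARACTER_CLASSES.values())
    size += len({c for c in password if c not in known})
    return size


def search_space(password: str) -> int:
    """Haystack search space: all candidates of length 1..len(password)
    drawn from the alphabet, i.e. the sum of alphabet**i for i in 1..L."""
    c = alphabet_size(password)
    return sum(c ** i for i in range(1, len(password) + 1))


def haystack_bits(password: str) -> float:
    """Search space expressed in bits (log2); 0 for an empty password."""
    space = search_space(password)
    return math.log2(space) if space > 0 else 0.0


def validate_haystack(password: str, minimum_bits: float = 50.0):
    """Accept or reject a proposed password. Returns (accepted, message),
    mirroring a validator that returns a user-facing explanation."""
    bits = haystack_bits(password)
    if bits < minimum_bits:
        return False, (f"The password's estimated search space is about {bits:.1f} bits; "
                       f"at least {minimum_bits:.0f} bits are required. Making the password "
                       "longer helps more than adding character types.")
    return True, f"Accepted: estimated search space about {bits:.1f} bits."


if __name__ == "__main__":
    # Constructed samples reproducing the release note's observation: a longer
    # all-lowercase password can outscore a shorter mixed-class one.
    for pw in ("Tr0ub4d&r", "correcthorsebattery", "password"):
        print(pw, round(haystack_bits(pw), 1), validate_haystack(pw)[0])
```

With these numbers a 12-character all-lowercase password (26^12, roughly 9.5e16 candidates) already exceeds an 8-character password drawn from all four classes (95^8, roughly 6.6e15), which is the point the note makes about length versus character variety.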
Added support for a "name with entryUUID" request control. If this control is included in an add request, the entry will be added with a distinguished name whose RDN contains only the entryUUID attribute. This offers a number of potential benefits:
Updated the server to better utilize worker threads and reduce the potential for a work queue backlog when processing multiple concurrent long-running operations. Issue:DS-13783
Fixed an issue involving transactions sent through a Proxy Server with Entry Balancing configured. If the transaction contained requests that targeted entries that were not in the global index, then duplicate requests were included in the resulting Multi-Update operation forwarded to the Data Store. Issue:DS-13820 SF#:2851
Updated interactive dsconfig to include an option to toggle between sorting similar properties together or sorting them alphabetically. Issue:DS-1706
Added an Identify References virtual attribute provider. Virtual attributes of this type will have values that are the DNs of entries that contain a specified attribute with a value that matches the DN of the entry containing the virtual attribute. For example, this could be used to create a virtual directReports attribute whose values are the DNs of the entries that list the target user as their manager. Issue:DS-13727
Fixed a conflict between the Changelog Password Encryption plugin and the replication historical ds-sync-hist attribute that would result in a "historical information for this attribute seems to be corrupt" error message in the logs. Issue:DS-13484
The collect-support-data tool now has the option to collect logging information within a specified time range via the '--timeRange' argument. Issue:DS-1261
Updated the server to use the latest 6.4.9 release of Berkeley DB Java Edition. Issue:DS-13856
Improved the server's support for selecting TLS cipher suites. When the server is configured to use a specific set of cipher suites, it will now always validate that all of the configured suites are supported by the JVM. When the server is not configured to use a specific set of cipher suites, it will now customize the set of default suites to prioritize those using strong cryptography (especially those that offer forward secrecy), and exclude suites with known weaknesses. Issues:DS-12681,DS-13475
Updated the alert handler configuration to indicate whether the alert handler should be invoked asynchronously in a background thread rather than by the thread that generated the alert. For alerts generated during the course of processing an operation, invoking potentially time-consuming alert handlers in a background thread can avoid adversely impacting the response time for that operation while still ensuring that administrators are made aware of the issue that arose. Issue:DS-12833
Updated the server to provide support for SMTP connection pooling. When sending an email message, the server will attempt to reuse an existing SMTP connection rather than establishing a new connection for each message. Issue:DS-12833
Deprecated the invalid-attribute-syntax-behavior global configuration property in favor of a new permit-syntax-violations-for-attribute global configuration property. The new option makes it possible to allow malformed values for an explicitly-specified set of attribute types, whereas the former option could only be used to enable or disable syntax enforcement for all attribute types.
When migrating from a directory service that did not properly enforce attribute syntax compliance, it is strongly recommended that the data be cleaned to correct any malformed values that it may contain. However, in cases where that may not be immediately feasible, it is strongly recommended that syntax validation be relaxed only for attribute types that are known to have problems so that it will still be performed for other attribute types to prevent inadvertently introducing additional malformed values.
In the event that an LDIF file contains malformed values, the import-ldif tool will now provide a list of the attribute types with attribute syntax violations and the number of malformed values identified for each attribute type. As before, the specific violations can be identified by instructing the import-ldif tool to generate a rejects file, which will include a comment with each rejected entry to describe the reason the entry was rejected.
In addition, the server will now always perform syntax validation for the aci attribute type, regardless of the values of the invalid-attribute-syntax-behavior and permit-syntax-violations-for-attribute properties. This will provide additional assurance that malformed access control instructions cannot be introduced into the server during LDIF import processing. The server will still discover and validate all ACIs on startup, and will still place itself in lockdown mode on finding a malformed ACI rather than attempting to run with an incomplete access control configuration. Issues:DS-11823,DS-13535,DS-13894
Updated the account status notification handler configuration to indicate whether the handler should be invoked asynchronously in a background thread rather than by the thread that triggered the notification. For account status notifications generated during the course of processing an operation, invoking notification handlers in a background thread can avoid adversely impacting the response time for that operation. Issue:DS-12833
Fixed a problem that could cause the server to incorrectly handle the require-change-by-time property in the password policy configuration. Issue:DS-13140
A new index is now considered trusted if the server can determine that the associated attribute type (or JSON field for a JSON index) is not used in the data already contained in the target backend. If an index is automatically trusted, it is not necessary to use the rebuild-index tool to initialize that index. Issue:DS-12178
Fixed an issue with large password history duration values that may have prevented some passwords in the history from being considered a match when a new password with the same value was added. Issue:DS-13899 SF#:2813
Updated the server to use the latest 6.4.12 release of the Berkeley DB Java Edition. This version addresses a possible data corruption bug in versions 6.3.0 to 6.4.11. Issue:DS-14014
Fixed an issue where dynamic group membership searches led to resource and memory leaks. Issue:DS-13983 SF#:00002944
Fixed an issue where password history values could be duplicated in replicated environments. Issue:DS-14036
Fixed an issue where replication would stall while performing searches on LDAP referrals. Issue:DS-14099 SF#:00002985
Fixed issues pertaining to search references. One caused replication to stall, and the other caused multiple copies of the same reference to be returned in a single search. Issue:DS-14116 SF#:2985
Added the ability to protect Velocity templates using the basic authentication scheme. Issue:DS-14074
Updated the server's password policy support to make a few account usability enhancements:
Fixed a couple of corner cases in which the server could treat smart referrals improperly. This includes search operations based above smart referrals contained in entries whose DNs contain escaped commas, as well as some search and compare operations based at least one level below a smart referral. Issue:DS-14133
Fixed an issue in the SCIM interface where an attribute required by the SCIM schema could be deleted by a PATCH operation. Issue:DS-14060
Fixed a log publisher defect that would result in an unreadable file when both compression and signing were enabled at the same time. Issue:DS-13552
Updated the LDAP connection handler to enable the use of multiple threads for accepting connections and preparing them for use. This improves concurrency for deployments in which the process of accepting a new connection may take some time to complete, possibly because of expensive DNS lookups or invoking time-consuming post-connect plugins. Issue:DS-12627
Updated the server to generate an administrative alert if it detects that a database environment was not closed cleanly and may require a time-consuming recovery process. Issue:DS-13794
Updated the email OTP delivery mechanism to allow retrieving email addresses from fields contained inside JSON objects, optionally using a JSON object filter to select which of several addresses should be used (e.g., only attempt to use verified email addresses). Similar changes have been made to the Twilio OTP delivery mechanism for obtaining phone numbers for SMS messages. Issue:DS-14259
The ldifsearch command now supports the option "--isCompressed" for LDIF files that have been compressed with gzip. Issue:DS-14140
Added properties to the task backend for limiting the number of log messages retained in task entries, in order to limit the size of the in-memory representation of those entries. All log messages generated by a task will still be recorded in the server error log, even if they are not all retained in the corresponding entry in the task backend. Issue:DS-11067 SF#:2282
Updated the server to reject search requests that attempt to make use of an invalid JSON object filter. The server would previously return a success result with no matching entries. Issue:DS-12933
Fixed a race condition that could arise from simultaneous attempts to add entries with an attribute value that would cause an exploded index key to exceed its index entry limit. Issue:DS-14311
Updated the server to discourage conflicts between indexes and virtual attributes. A search that targets an indexed attribute will only identify entries with real values as potential matches, and may omit entries that match the filter if they match because of a virtually-generated value. Issue:DS-13862
Added password storage schemes that leverage the Bcrypt and scrypt key derivation functions. These storage schemes require the free and open source Bouncy Castle library, which is not included with the server. This library must be obtained from https://bouncycastle.org/ and placed in the server lib directory before these storage schemes can be used. Issues:DS-14398,DS-14399
Fixed an issue with the collect-support-data tool when using the --pid argument. Only one jstack was being collected, instead of using the amount specified by the --maxJstacks argument. Issue:DS-14349
Updated the report generated by import-ldif to include database cache requirements for each possible cache-mode per backend database (e.g., attribute index). This aids tuning environments that cannot be fully cached. Issue:DS-12312
These issues were resolved with version 5.1.5.2 of the Directory Server:
Fixed an issue where replication would stall while performing searches on LDAP referrals. Issue:DS-14099 SF#:00002985
Fixed issues pertaining to search references. One caused replication to stall, and the other caused multiple copies of the same reference to be returned in a single search. Issue:DS-14116 SF#:2985
Added the ability to protect Velocity templates using the basic authentication scheme. Issue:DS-14074
Fixed a couple of corner cases in which the server could treat smart referrals improperly. This includes search operations based above smart referrals contained in entries whose DNs contain escaped commas, as well as some search and compare operations based at least one level below a smart referral. Issue:DS-14133
These issues were resolved with version 5.1.5.1 of the Directory Server:
Fixed a conflict between the Changelog Password Encryption plugin and the replication historical ds-sync-hist attribute that would result in a "historical information for this attribute seems to be corrupt" error message in the logs. Issue:DS-13484
Fixed an issue with large password history duration values that may have prevented some passwords in the history from being considered a match when a new password with the same value was added. Issue:DS-13899 SF#:2813
Updated the server to use the latest 6.3.10 release of the Berkeley DB Java Edition. This version addresses a possible data corruption bug in versions 6.3.0 to 6.3.9. Issue:DS-14015
Fixed an issue where dynamic group membership searches led to resource and memory leaks. Issue:DS-13983 SF#:00002944
Fixed an issue where password history values could be duplicated in replicated environments. Issue:DS-14036
These features were added for version 5.1.5.0 of the Directory Server:
Data within the backend database is now stored more compactly both on disk and in memory. The exact benefits depend on the data set and indexing, but improvements of 20-40% should be expected in the size on disk, the memory needed to fully cache the database, the time to preload the database at start up, the size and duration of backups, and the time required to remotely initialize a replica. Upgrades of existing environments require an export and reimport of the data to take advantage of these improvements.
These issues were resolved with version 5.1.5.0 of the Directory Server:
Improved the server shutdown time in situations when there is a database cleaner backlog. This also ensures a faster start up time since database recovery isn't needed. Issue:DS-13207
Updated the local DB backend to always try to keep exploded indexes in the database cache, and to always load exploded indexes into the cache on startup if database preloading is enabled, even if the database containing non-exploded index data for the associated index is configured with a lesser cache mode or preload configuration. Because reading from exploded indexes requires much more database interaction than non-exploded indexes, this can dramatically improve the performance of exploded index accesses for deployments in which it is not possible to fully cache all data in the backend. Issue:DS-13182
Updated the server to use the latest 6.3.9 release of the Berkeley DB Java Edition. Issue:DS-13426
Fixed an edge case problem in which a password change could result in the previous password not being included in the password history. Issue:DS-13481 SF#:2813
Updated the installer to increase the maximum suggested JVM size on Linux systems with at least 48 GB of RAM. Issue:DS-12982
Fixed an issue that could cause the server to overlook attribute options in an indexed search filter. Issue:DS-13559 SF#:00002812
Fixed an issue with the Pass Through Authentication Plugin where if a DN map was not used, the controls from the native bind operation were included in the pass through authentication request. Issue:DS-13644 SF#:2847
Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server is running out of file descriptors and degrade the server appropriately. Issue:DS-12727
Updated the initial output of export-ldif to report that it is calculating a disk-ordered cursor rather than "Exported 0 entries." Issue:DS-13771
Updated the server to allow an initial heap size over 128 GB. Due to limitations of older JVMs, this was previously capped at 128 GB, even when the maximum heap size was larger. Issue:DS-13554
Fixed an issue involving transactions sent through a Proxy Server with Entry Balancing configured. If the transaction contained requests that targeted entries that were not in the global index, then duplicate requests were included in the resulting Multi-Update operation forwarded to the Data Store. Issue:DS-13820 SF#:2851
Important upgrade considerations for version 5.1.0.0 of the Directory Server:
The summarize-config tool is deprecated, and will be removed in future versions of the product. Use the config-diff tool with the "sourceBaseline" argument to list a summary of changes to the local server configuration.
These features were added for version 5.1.0.0 of the Directory Server:
Password Validators now have added properties for user-friendly descriptions and errors, which can be used by client applications to improve user interfaces.
The self-service password reset function that uses a one-time password (OTP) is now more streamlined. An OTP token can be sent to an end user through email or SMS, and used for authentication when setting a new password.
Added initial support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. Indexing options are currently limited. Please see the full release note below for DS-12138.
These issues were resolved with version 5.1.0.0 of the Directory Server:
The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182
Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it. Issue:DS-12218
Updated the local DB backend so that changes to the db-checkpointer-wakeup-interval property no longer require a restart to take effect, and to expose new monitor attributes with useful information about the processing performed by the database cleaner. Issue:DS-12263
Added a configuration option to enable a wait period before removing a 'server unavailable' alert after a garbage collection task is performed. This allows sub-systems like replication to restart before the server becomes available again. For the Periodic GC Plugin, this option is 'delay-post-gc.' For a Forced GC Task entry, the attribute is named 'ds-task-delay-post-gc.' Both options take a value in milliseconds, and have a default value equivalent to 20 seconds. Issue:DS-12318
Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123
Changed the default password policy behavior to prevent users from changing their passwords to their current password value. This logic will apply regardless of password history settings. Issue:DS-12313 SF#:2546
Added the 'listKeysExceedingIndexEntryLimit' argument to the verify-index tool, which enables listing the keys for indexes that have exceeded their index entry limits. Issue:DS-3186
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised. Issue:DS-12319
Added support for running on Oracle Java 8 and OpenJDK 8 platforms. Issue:DS-12483
Fixed an issue that generated the following error message, but did not impact the current operation: "An unexpected error occurred while notifying a change notification listener of a modify operation: RuntimeException: The specified condition must be true. The error occurred at com.unboundid.directory.server.types.AuthenticationInfo.replaceUserEntries." Issue:DS-12443
Fixed an issue where configuring numeric IPv4 address filtering by connection criteria in a log publisher performed unnecessary reverse hostname lookups. Issue:DS-12610 SF#:00002632
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration. Issues:DS-12107,DS-12137
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired). Issue:DS-8739
Updated the notification destination cn=monitor entry (objectclass of ds-notification-destination-monitor-entry) to include an attribute, ds-notification-age-of-next-pending-change-seconds, which tracks how out-of-date the destination is in seconds. Values are only maintained on the master server for that domain (ds-notification-master=true). A value of 0 on the master server for that domain indicates that the destination is up-to-date. This attribute can be used in a gauge to generate alarms if a destination gets too far behind. Issue:DS-12618 SF#:2597
Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors. Issue:DS-12496
Critical: The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655
Update the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints. Issue:DS-12576
The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage. Issue:DS-12245
Added support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. The syntax requires that each value of this type is a valid JSON object. Two matching rules have also been added for use in conjunction with the JSON object syntax: jsonObjectExactMatch and jsonObjectFilterExtensibleMatch.
The jsonObjectExactMatch equality matching rule is used in evaluating equality filters in search operations, as well as for matching performed against JSON object attributes for add, compare, and modify operations. It determines whether two values are logically-equivalent JSON objects. The field names used in both objects must match exactly (although fields may appear in different orders). The values of each field must have the same data types. String values will be compared in a case-insensitive manner. The order of elements in arrays will be considered significant.
The jsonObjectFilterExtensibleMatch matching rule can perform more powerful matching against JSON objects. The assertion values for these extensible matching filters should be JSON objects that express the constraints for the matching. These JSON object filters are described in detail in the Javadoc documentation (available in the Commercial Edition of the UnboundID LDAP SDK for Java) for the com.unboundid.ldap.sdk.unboundidds.json.JSONObjectFilter class and its subclasses. Although the LDAP SDK can facilitate searches with this matching rule, these searches can be issued through any LDAP client API that supports extensible matching.
Indexing is supported only for the jsonObjectExactMatch matching rule. If possible, non-baseObject searches that use the jsonObjectFilterExtensibleMatch matching rule should be wrapped in an LDAP AND filter that also contains one or more indexed components so that the search can be processed more efficiently. Issue:DS-12138
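The equivalence rules the note gives for jsonObjectExactMatch (exact field names in any order, same JSON data type per field, case-insensitive strings, significant array order) are easy to get wrong when building assertion values or deciding whether an index will hit. The following is an added reference model of those rules in Python, written for this page and not taken from the Directory Server or the UnboundID LDAP SDK; it assumes nothing beyond the behaviour stated in the note, and treats a JSON boolean and a JSON number as distinct data types, which is how the server's "same data types" requirement is read here.

```python
"""Reference model of the jsonObjectExactMatch matching rule as described in the release note.

Added example, not Ping Identity / UnboundID code. Rules modelled:
  - both values must be JSON objects (the syntax requires it)
  - field names must match exactly (case-sensitive), in any order
  - each field's values must have the same JSON data type
  - string values compare case-insensitively
  - array element order is significant
"""
import json
from typing import Any


def _json_type(value: Any) -> str:
    # bool is checked before int because in Python bool is a subclass of int;
    # JSON true/false and JSON numbers are different data types.
    if isinstance(value, bool):
        return "boolean"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    raise TypeError(f"not a JSON value: {type(value)!r}")


def json_values_equivalent(a: Any, b: Any) -> bool:
    """Return True if a and b are logically equivalent under the exact-match rules."""
    kind = _json_type(a)
    if kind != _json_type(b):
        return False
    if kind == "object":
        if a.keys() != b.keys():  # set comparison: order irrelevant, names case-sensitive
            return False
        return all(json_values_equivalent(a[k], b[k]) for k in a)
    if kind == "array":
        return len(a) == len(b) and all(
            json_values_equivalent(x, y) for x, y in zip(a, b)
        )
    if kind == "string":
        return a.casefold() == b.casefold()
    return a == b  # number, boolean, null


def json_object_exact_match(attribute_value: str, assertion_value: str) -> bool:
    """Evaluate an equality filter: does the stored value match the assertion value?"""
    stored = json.loads(attribute_value)
    asserted = json.loads(assertion_value)
    if not isinstance(stored, dict) or not isinstance(asserted, dict):
        raise ValueError("the JSON object syntax requires every value to be a JSON object")
    return json_values_equivalent(stored, asserted)


if __name__ == "__main__":
    # Constructed sample values for the demo.
    stored_value = '{"id": 7, "roles": ["Admin", "Auditor"], "name": "Alice"}'
    print(json_object_exact_match(stored_value, '{"name": "ALICE", "id": 7, "roles": ["admin", "auditor"]}'))
    print(json_object_exact_match(stored_value, '{"name": "Alice", "id": 7, "roles": ["Auditor", "Admin"]}'))
```

Two consequences worth keeping in mind when writing filters: a number and the same digits as a string never match, so `{"id": "7"}` does not find an entry stored with `{"id": 7}`, and reordering an array is a different value, so an exact-match index lookup on an array-valued field only helps if clients write the array in a canonical order.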
Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart. Issue:DS-12285
Added support for three new extended operations for interacting with single-use tokens:
- The "get supported OTP delivery mechanisms" operation provides information about which one-time password delivery mechanisms are configured in the server, and which of those are available for a specified user.
- The "deliver single-use token" operation can generate a token value and provide it to a specified user through an out-of-band communication mechanism like email, SMS, or voice call.
- The "consume single-use token" operation indicates that the user has received a single-use token from the "deliver single-use token" operation, and consumes that token so that it cannot be reused. Issues:DS-12594,DS-12596
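The three single-use token operations above, and the password reset token flow described for DS-8739, share one lifecycle: a token is generated, handed to the user through an out-of-band channel that the requesting application never sees, and then accepted at most once within a bounded lifetime. The following is an added Python model of that lifecycle, written for this page and not the server's implementation; it assumes one outstanding token per user, six-digit tokens for SMS readability, storage of only a SHA-256 digest of the token, a configurable lifetime, and invalidation after MAX_ATTEMPTS wrong guesses. The delivery callback stands in for the configured email/SMS/voice mechanism.

```python
"""Model of the deliver -> consume-once single-use token lifecycle.

Added example, not Ping Identity / UnboundID server code. Assumptions:
  - one pending token per user DN; a new delivery replaces the old one
  - six-digit numeric tokens; only their SHA-256 digest is stored
  - tokens expire after ttl_seconds and are invalidated after MAX_ATTEMPTS failures
  - deliver() hands the token to an out-of-band delivery callback and returns only the
    mechanism used, so the application requesting delivery never learns the token
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 3  # assumption for this model


@dataclass
class _PendingToken:
    digest: bytes
    expires_at: float
    mechanism: str
    failed_attempts: int = 0


class SingleUseTokenStore:
    def __init__(
        self,
        deliver_fn: Callable[[str, str, str], None],
        ttl_seconds: float = 300.0,
        clock: Callable[[], float] = time.time,
    ):
        self._deliver_fn = deliver_fn  # (user_dn, mechanism, token) -> None
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for testing expiry
        self._pending: Dict[str, _PendingToken] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def deliver(self, user_dn: str, mechanism: str) -> str:
        """Generate a token, store its digest, send it out-of-band; return the mechanism."""
        token = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_dn] = _PendingToken(
            digest=self._digest(token),
            expires_at=self._clock() + self._ttl,
            mechanism=mechanism,
        )
        self._deliver_fn(user_dn, mechanism, token)
        return mechanism

    def consume(self, user_dn: str, presented: str) -> bool:
        """Accept the token exactly once; False for unknown, expired, wrong or replayed tokens."""
        pending = self._pending.get(user_dn)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[user_dn]
            return False
        if hmac.compare_digest(pending.digest, self._digest(presented)):
            del self._pending[user_dn]  # consumed: presenting the same value again fails
            return True
        pending.failed_attempts += 1
        if pending.failed_attempts >= MAX_ATTEMPTS:
            del self._pending[user_dn]  # stop online guessing of a 6-digit value
        return False


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS gateway
    store = SingleUseTokenStore(lambda dn, mech, tok: outbox.append((dn, mech, tok)))
    user = "uid=alice,ou=People,dc=example,dc=com"
    store.deliver(user, "SMS")
    _, _, delivered = outbox[-1]
    print("first use:", store.consume(user, delivered))
    print("replay:", store.consume(user, delivered))
```

The constant-time comparison and the attempt limit are the two details that matter most for a short numeric token: without the limit, a six-digit space is small enough to brute-force through the consume operation; without the digest, a read of the pending-token store yields usable credentials.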
Fixed an issue where the Data Store parsed the last login time value using the wrong time zone. The incorrect time affected password policy decisions and was delivered in the response to a password policy state extended request. Issue:DS-12943
Updated the server to avoid the use of the server-side sort and virtual list view request controls in search requests that span multiple subtree views or multiple entry-balanced backend sets. If the server cannot honor a non-critical server-side sort or virtual list view control, then it will process the search operation as if the control had not been included in the request. If the server cannot honor a critical server-side sort or virtual list view control, then it will return an error result to the client. Issues:DS-12560,DS-12561
Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage. Issue:DS-12880
MakeLDIF templates now have the ability to escape the special characters (curly braces, angle brackets, and square brackets) using a backslash. See config/MakeLDIF/examples-of-all-tags.template for further examples. Issue:DS-12798
Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status. Issue:DS-12969 SF#:2717
Added the ability to configure the Globally-Unique Attribute and Unique Attribute plugins with a filter to limit attribute uniqueness checking to a subset of matching entries. Issue:DS-9842
Fixed the Local DB Backend configuration help text for deadlock-retry-limit, which incorrectly stated that a value of zero would result in unlimited retry attempts. That value actually results in no retry attempts. Issue:DS-12909
JDBC external servers now give precedence to settings in the jdbc-driver-url property, over other dsconfig JDBC Managed Object settings for host-name, port, and database-name. The jdbc-driver-url property setting can be used instead of the other JDBC Managed Object settings. Issue:DS-12700
Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads. Issue:DS-10010
Fixed an issue in the Server SDK where the ServerContext sendAlert method incorrectly generated a Java RuntimeException when attempting to send a third-party extension alert. Issue:DS-12995
These issues were resolved with version 5.0.1.0 of the Directory Server:
The setup tool has been updated to use HTTPS when configuring the HTTP Connection Handler(s). Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182
Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it. Issue:DS-12218
Updated the local DB backend so that changes to the db-checkpointer-wakeup-interval property no longer require a restart to take effect, and to expose new monitor attributes with useful information about the processing performed by the database cleaner. Issue:DS-12263
Added a configuration option to enable a wait period before removing a 'server unavailable' alert after a garbage collection task is performed. This allows sub-systems like replication to restart before the server becomes available again. For the Periodic GC Plugin, this option is 'delay-post-gc.' For a Forced GC Task entry, the attribute is named 'ds-task-delay-post-gc.' Both options take a value in milliseconds, and have a default value equivalent to 20 seconds. Issue:DS-12318
Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123
Changed the default password policy behavior to prevent users from changing their passwords to their current password value. This logic will apply regardless of password history settings. Issue:DS-12313 SF#:2546
Added the 'listKeysExceedingIndexEntryLimit' argument to the verify-index tool, which enables listing the keys for indexes that have exceeded their index entry limits. Issue:DS-3186
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised. Issue:DS-12319
Fixed an issue that generated the following error message, but did not impact the current operation: "An unexpected error occurred while notifying a change notification listener of a modify operation: RuntimeException: The specified condition must be true. The error occurred at com.unboundid.directory.server.types.AuthenticationInfo.replaceUserEntries." Issue:DS-12443
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration. Issues:DS-12107,DS-12137
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired). Issue:DS-8739
Updated the notification destination cn=monitor entry (objectclass of ds-notification-destination-monitor-entry) to include an attribute, ds-notification-age-of-next-pending-change-seconds, which tracks how out-of-date the destination is in seconds. Values are only maintained on the master server for that domain (ds-notification-master=true). A value of 0 on the master server for that domain indicates that the destination is up-to-date. This attribute can be used in a gauge to generate alarms if a destination gets too far behind. Issue:DS-12618 SF#:2597
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655
These features were added for version 5.0.0.0 of the Directory Server:
Java 7 is now required when setting up a new server or upgrading an existing server.
Added support for extensible match filters that can make assertions about the number of values that a specified attribute has in an entry. For example, the extensible match filter "(cn:valueCountEquals:=1)" will match an entry only if that entry has exactly one value for the cn attribute. The following special matching rules have been added to help provide this capability:
- valueCountEquals
- valueCountDoesNotEqual
- valueCountGreaterThan
- valueCountGreaterThanOrEqualTo
- valueCountLessThan
- valueCountLessThanOrEqualTo
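To make the semantics of these filters concrete, here is an added Python evaluator that parses a filter of the form `(attr:valueCountXxx:=N)` and applies it to entries modelled as dictionaries of attribute name to value list. It is written for this page and is not server code; attribute names are compared case-insensitively as in LDAP, and an attribute that is absent from an entry is treated as having zero values, which is an assumption of this model rather than something the note states. The sample entries are constructed for the example.

```python
"""Evaluator for the valueCount* extensible match filters described in the release note.

Added example, not Ping Identity / UnboundID code. Assumptions: attribute names match
case-insensitively; an attribute absent from the entry counts as zero values.
"""
import re
from typing import Callable, Dict, List, Mapping, Sequence, Tuple

VALUE_COUNT_RULES: Dict[str, Callable[[int, int], bool]] = {
    "valueCountEquals": lambda actual, asserted: actual == asserted,
    "valueCountDoesNotEqual": lambda actual, asserted: actual != asserted,
    "valueCountGreaterThan": lambda actual, asserted: actual > asserted,
    "valueCountGreaterThanOrEqualTo": lambda actual, asserted: actual >= asserted,
    "valueCountLessThan": lambda actual, asserted: actual < asserted,
    "valueCountLessThanOrEqualTo": lambda actual, asserted: actual <= asserted,
}

# RFC 4515 extensible match with attribute, matching rule and assertion value: (attr:rule:=N)
_FILTER_RE = re.compile(
    r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*):(?P<rule>valueCount[A-Za-z]+):=(?P<count>\d+)\)$"
)

# Constructed sample entries: DN -> {attribute: [values]}
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "cn": ["Alice Adams"],
        "mail": ["alice@example.com", "a.adams@example.com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "cn": ["Bob Brown", "Robert Brown"],
    },
}


def parse_value_count_filter(filter_str: str) -> Tuple[str, str, int]:
    """Return (attribute, rule name, asserted count) or raise ValueError."""
    m = _FILTER_RE.match(filter_str)
    if m is None:
        raise ValueError(f"not a valueCount extensible match filter: {filter_str!r}")
    rule = m.group("rule")
    if rule not in VALUE_COUNT_RULES:
        raise ValueError(f"unknown matching rule: {rule}")
    return m.group("attr"), rule, int(m.group("count"))


def value_count(entry: Mapping[str, Sequence[str]], attr: str) -> int:
    wanted = attr.lower()
    for name, values in entry.items():
        if name.lower() == wanted:
            return len(values)
    return 0  # assumption: a missing attribute has zero values


def entry_matches(entry: Mapping[str, Sequence[str]], filter_str: str) -> bool:
    attr, rule, asserted = parse_value_count_filter(filter_str)
    return VALUE_COUNT_RULES[rule](value_count(entry, attr), asserted)


def search(entries: Mapping[str, Mapping[str, Sequence[str]]], filter_str: str) -> List[str]:
    """Return the DNs of all entries matching the filter, in the order they are stored."""
    return [dn for dn, entry in entries.items() if entry_matches(entry, filter_str)]


if __name__ == "__main__":
    for f in ("(cn:valueCountEquals:=1)", "(mail:valueCountEquals:=0)"):
        print(f, "->", search(SAMPLE_ENTRIES, f))
```

A filter like `(mail:valueCountEquals:=0)` is a handy way to find entries that lack an attribute without a negated presence filter, but note that neither form is indexed, so restrict such searches to a base DN or AND them with an indexed component.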
Updated the LDAP changelog to support selecting which entries should be included in or excluded from the changelog. Entries can be selected based on the location of the target entry in the DIT, and/or based on whether the changelog entry matches a given filter.
A new ds-changelog-target-attribute attribute has also been added to changelog entries to indicate which attributes were involved in the change. This may be used to select changelog entries for inclusion or exclusion based on changes to specific attributes.
Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients running older versions of Java that may start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not in any way compromise the strength of the integrity and/or confidentiality protection that is ultimately negotiated between the client and the server.
Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, it logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files are kept to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect a few of these files to aid in root cause analysis.
Updated the server to use the latest 6.2.31 release of the Berkeley DB Java Edition.
The default SCIM base context path changed from / to /scim. Any clients using the previous base context path will no longer be able to access SCIM services until they are updated. The following dsconfig command may be used to revert to the previous base context path after update:
dsconfig set-http-servlet-extension-prop --extension-name SCIM --set base-context-path:/
Introduced the Configuration HTTP Servlet Extension, which can be used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.
Improved the diagnostic information the server can provide at startup for any components that take a substantial amount of time to initialize. The server will also generate an alert notification if any component attempts to perform an unindexed internal search operation, in order to warn about potential misconfiguration.
Added a global configuration setting called database-on-virtualized-or-network-storage. This boolean setting must be set to true when database files will be stored on network file systems. It should be set to false if the database is on a local disk since it incurs a performance penalty.
These issues were resolved with version 5.0.0.0 of the Directory Server:
Fixed the gauge configuration manager to only re-initialize the gauge that was changed, and not any of the other gauges that did not change. Issue:DS-11472
Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared and the alarm manager's generated-alert-types property has the "alarm" value. Issue:DS-11541 SF#:2421
Updated the javadoc for the Example Overload Handler plugin to include the argument "invoke-for-internal-operations" with a value of "false" during the plugin creation. Previously, the plugin, when enabled, would drop internal queries to the monitor backend initiated by the gauge state provider.
Fixed an issue in the Example Overload Handler plugin's applyConfiguration method, where any change to the plugin's own configuration (such as adding a new pre-parse type) caused it to drop requests, because the plugin searched the config backend for the gauge argument over a client connection instead of using an internal connection.
Fixed an issue where when the Example Overload Handler plugin was disabled and then re-enabled, an IllegalStateException occurred because the monitor provider that publishes drop stats was previously registered. Issue:DS-11565 SF#:00002421
Fixed the alarm manager to not include the details of the old alarm, (the alarm being cleared), in the "alarm-cleared" alert message. Issue:DS-11546
Updated gauge alert details to include the last threshold value that was crossed. Issue:DS-11396
Fixed the dsconfig tool to suppress all stray output when run in batch mode with the --quiet option. Issue:DS-10460
Fixed a rare issue in backend database entry encoding where the server alerted on an "unexpected exception" when encoding large entries with an unusually large number of ds-sync-hist values. The error was reported in the alert message as being a NegativeArraySizeException thrown from the EntryEncoder class. Issue:DS-11625
Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This occurred when a certificate was accepted with the 'Manually validate' option, while using the interactive LDAP connection menu. Issue:DS-11688
Critical: Added a fail safe to the pending changes queue for the Changelog Backend that can detect and ignore recovered changes that do not need to be committed in order to prevent holding up other changes in the queue. Issue:DS-11720 SF#:2453
Updated the alarm manager to not generate an "alarm-normal" alert when a gauge's condition abates. Issue:DS-11637
Reduced the severity of the "unrecognized alert type" message in the error log from SEVERE_WARNING to NOTICE. The message now states that this is expected if the server is reverted to a version prior to the implementation of these alert types. Issue:DS-11453
Removed the "alarm-normal" alert. Issue:DS-11730
Updated the server so that alarm-cleared, alarm-warning, alarm-minor, alarm-major, and alarm-critical alerts are not subject to duplicate alert suppression. Separate alert notifications of these types may represent distinct conditions and resources that should not be suppressed. Issue:DS-11738
Updated the set subtree accessibility extended operation handler to support atomically altering the accessibility of multiple subtrees in a single request. Issue:DS-11483
Updated the alarm manager to not persist normal alarms. Issue:DS-11719
Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions. Issue:DS-11719
Critical: Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.
SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.
It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination. Issue:DS-11782
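The procedure just described (correlate SECURITY-NEGOTIATION messages with the connection that produced them and flag those whose protocol is SSLv3) is straightforward to script before flipping the default, so that the clients needing an upgrade are known in advance. The following is an added Python example, not a Ping Identity tool; the access log lines it contains are constructed for the example and assume the layout "[timestamp] MESSAGE-TYPE conn=N key="value" ...", with CONNECT messages supplying the client address for each connection ID. Because StartTLS negotiations also produce SECURITY-NEGOTIATION messages, connections that arrived as plaintext LDAP are covered as well.

```python
"""Scan access-log lines for SECURITY-NEGOTIATION messages and report SSLv3 clients.

Added example, not a Ping Identity tool. The log text is constructed for this example and
assumes the field layout: [timestamp] MESSAGE-TYPE conn=N key="value" key="value" ...
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_ACCESS_LOG = """\
[15/Oct/2014:10:03:21.512 -0500] CONNECT conn=12 from="192.0.2.10:51043" to="198.51.100.5:636" protocol="LDAPS"
[15/Oct/2014:10:03:21.530 -0500] SECURITY-NEGOTIATION conn=12 protocol="SSLv3" cipher="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
[15/Oct/2014:10:03:22.001 -0500] CONNECT conn=13 from="192.0.2.44:40211" to="198.51.100.5:636" protocol="LDAPS"
[15/Oct/2014:10:03:22.019 -0500] SECURITY-NEGOTIATION conn=13 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
[15/Oct/2014:10:03:24.700 -0500] CONNECT conn=14 from="192.0.2.71:60002" to="198.51.100.5:389" protocol="LDAP"
[15/Oct/2014:10:03:24.710 -0500] EXTENDED REQUEST conn=14 op=0 msgID=1 requestOID="1.3.6.1.4.1.1466.20037"
[15/Oct/2014:10:03:24.790 -0500] SECURITY-NEGOTIATION conn=14 protocol="TLSv1" cipher="TLS_RSA_WITH_AES_128_CBC_SHA"
[15/Oct/2014:10:03:25.770 -0500] DISCONNECT conn=12 reason="Client Disconnect"
"""

_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<type>[A-Z][A-Z -]*?)\s+conn=(?P<conn>\d+)(?P<rest>.*)$"
)
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[Tuple[str, str, int, Dict[str, str]]]:
    """Return (timestamp, message type, conn id, quoted key/value fields), or None."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(_KV_RE.findall(m.group("rest")))
    return m.group("ts"), m.group("type"), int(m.group("conn")), fields


def summarize_negotiations(
    lines: Iterable[str],
) -> Tuple[Counter, List[Tuple[int, str, str]]]:
    """Count negotiated protocols and list (conn, client address, timestamp) for SSLv3 sessions."""
    by_protocol: Counter = Counter()
    client_of: Dict[int, str] = {}
    sslv3_sessions: List[Tuple[int, str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mtype, conn, fields = parsed
        if mtype == "CONNECT":
            client_of[conn] = fields.get("from", "?")
        elif mtype == "SECURITY-NEGOTIATION":
            proto = fields.get("protocol", "?")
            by_protocol[proto] += 1
            if proto.upper() == "SSLV3":
                sslv3_sessions.append((conn, client_of.get(conn, "?"), ts))
    return by_protocol, sslv3_sessions


if __name__ == "__main__":
    counts, weak = summarize_negotiations(SAMPLE_ACCESS_LOG.splitlines())
    print("negotiated protocols:", dict(counts))
    for conn, client, ts in weak:
        print(f"SSLv3 client {client} on conn={conn} at {ts}")
```

The per-protocol count is worth reading beyond the SSLv3 line: the same scan shows clients still negotiating TLSv1 or TLSv1.1, which later guidance (RFC 8996) also deprecates, so the list of clients to chase is usually longer than the POODLE-specific one.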
Updated the Web Console so that upon login, the user's old session is always invalidated. Issue:DS-11624
Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page. Issues:DS-11629,DS-11645
Updated numeric gauges so that their severity changes when the current gauge value equals the threshold's exit value. Previously the value had to be strictly less than the exit value for the severity to change. Issue:DS-11837
Updated the HTTP Detailed Access logger to use time stamps with millisecond precision. Issue:DS-11755
Updated the access logger to include usedPrivileges and/or missingPrivileges fields in result log messages for operations in which the requester used one or more privileges, or in cases where the requested operation required one or more privileges that the requester did not have. Issue:DS-11805
Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names. Issue:DS-11751
Fixed an issue where the server would hang during startup due to a previous unexpected service outage resulting in an empty tasks.ldif file. Issue:DS-11868
Computed minimums, averages, and maximums in statistics loggers previously included infinite or out-of-range numbers, which led to unprintable character output in comma-separated value (CSV) files. These computations now exclude infinite and out-of-range values. Issue:DS-11913
Fixed a replication issue where the changelogDb path on the destination server was incorrect when the following conditions were met: the source and destination shared the same installation path, the source server used a symlink for changelogDb to an external path, the destination server did not have the external path. Issue:DS-11892 SF#:2486
Added additional debug information for constraint violations that can happen during replication enable. Issue:DS-11839 SF#:2482
Fixed an issue where deleting values of a multi-valued attribute using SCIM PATCH could silently fail. Modifications in SCIM PATCH are now mapped directly to LDAP modifications to take advantage of the matching rules configured in the Identity Data Store, when matching deleted values. Since the SCIM PATCH is now applied by the Data Store, the Permissive Modify Request Control (1.2.840.113556.1.4.1413) is now required by the SCIM component. This will ensure that adding an existing value or deleting a non-existent value in the PATCH request will not result in an error.
To continue using SCIM component after an upgrade of the Identity Data Store or Identity Proxy, access controls and configuration may need to be updated to allow access to the Permissive Modify Request Control.
Identity Data Store:
dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12 || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
Identity Proxy:
dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12 || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
dsconfig set-request-processor-prop --processor-name dc_example_dc_com-req-processor --add supported-control-oid:1.2.840.113556.1.4.1413
Note that "dc_example_dc_com-req-processor" is the default processor name and it may be different depending on your configuration.
Identity Broker: For each Identity Data Store used as a user store, the following configuration changes are required:
dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2||1.3.6.1.4.1.30221.2.5.3||1.3.6.1.4.1.30221.2.5.25||1.2.840.113556.1.4.1413||1.3.6.1.4.1.30221.2.5.5||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'
dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2||1.3.6.1.4.1.30221.2.5.3||1.3.6.1.4.1.30221.2.5.25||1.2.840.113556.1.4.1413||1.3.6.1.4.1.30221.2.5.5||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319||1.2.840.113556.1.4.1413")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'
Note that the user DN "cn=Broker User,cn=Root DNs,cn=config" is the default user name created when the external store is prepared. It may be different depending on your configuration. Issue:DS-11138
Fixed a bug that resulted in an error message related to performing a modify DN operation against a currently authenticated user entry. Issue:DS-11728
When using SCIM, the method by which the username in HTTP Basic authentication is mapped to a user is now configurable using Identity Mappers. Once the username is mapped to a user, a simple BIND request will be used to verify the password. Issue:DS-11908
Added change type indexes to the LDAP changelog to improve the efficiency of get changelog batch operations that target records with only a subset of change types. Issue:DS-11933
Added the ability for a Server SDK extension, such as a Plugin, to register for notifications when an operation completes using the OperationContext#registerOperationCompletedListener() method. Issue:DS-11406
Fixed an issue where a password policy was configured to record the last login time and last login IP address, but those attributes were not being updated when a bind went through the pass-through authentication plugin to a remote server. Issue:DS-11996 SF#:2526
Fixed an issue where a password policy was adding login failures when a bind went through the pass-through authentication plugin, and failed locally, but subsequently succeeded against an external server. Issue:DS-12010 SF#:2526
Added a new schema file that contains previously undefined server attributes. The addition of these attributes helps resolve conflicts with user-defined schema. Issue:DS-3629
Fixed a rare condition where parent DNs stored in compact form for evaluation of group membership could consume a large amount of memory. Issue:DS-12005 SF#:00002531
Updated the configuration properties of the Local DB Backend to indicate which settings require a component (or server) restart to take effect. Issue:DS-12032
Fulfilled an enhancement request to allow access to the additional information properties in alert notifications. Issue:DS-12040 SF#:00002528
Added a workaround for a bug in some versions of Java that could interfere with the ability to restore an encrypted backup. Issue:DS-11902
Fixed an issue where attempting to cancel many outstanding proxy operations could make the proxy server unresponsive. Issue:DS-12000 SF#:00002535
Fixed a problem with startup dependencies not being properly honored for Server SDK plugins. Issue:DS-12066
Fixed the index rebuild job so that it does not generate redundant "index-degraded" alerts when an index is being rebuilt. Issue:DS-11879
Fixed an issue that caused replication to disconnect for up to fifteen minutes when sending on half-open connections, typically due to an unforeseen network issue. Issue:DS-12027 SF#:2534
Fixed an issue where replication would not be established for a new replica when it was initialized by importing an LDIF file exported from an existing replica. The issue occurred whether the import was performed before or after enabling replication. Issues:DS-11774,DS-9877
Fixed an issue where the server could hit an unexpected exception when a new attribute index was added while the server was under heavy load. Issue:DS-12064
Fixed an issue that could interfere with rebuilding an attribute index with one or more exploded index keys. Issue:DS-11919
Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized. Issue:DS-10441
Added a configuration option that can be used to indicate that an attribute index should maintain a matching entry count for keys that exceed the index entry limit. While maintaining a count for these index keys will not improve the efficiency of applicable searches, the count can be used to improve the result the server is able to return for these searches when used in conjunction with the matching entry count request control. Issue:DS-12109
Added a gauge to the server to track JVM memory usage and alert if the amount of free memory gets low enough that it could impact server performance. Issue:DS-11993
Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects. Issue:DS-12147
The dsreplication remove-defunct-server subcommand no longer allows the removal of a running server from the replication topology. Issue:DS-12124
Updated the character set password validator to allow for adding optional character sets that require zero or more matches. Issue:DS-12162
Updated the server's support for filtered indexes so that they can be used for a broader set of search filters. Issue:DS-12170
Simplified the various cache-mode properties within the Local DB Backend configuration. Current values for these properties are "cache-keys-and-values" (formerly "default"), "cache-keys-only" (formerly "evict-leaf-immediately"), and "no-caching" (formerly "evict-bin-immediately"). The old values will continue to work. If the update tool is used to upgrade to this release, the existing values within the configuration will be updated to use the new values. Issue:DS-11297
Fixed an issue where registering a server extension would cause a null-pointer exception at startup preventing the server from starting. Issue:DS-12174
Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints not handled by any servlet or web application extensions. Previously the handler would return a 200 OK with no response body. Issues:DS-12120,DS-8368
Updated the rebuild-index tool to add offline support for approximate indexes. Issue:DS-12197
Fixed an issue with the verify-index tool that could arise when examining approximate indexes with one or more keys exceeding the index entry limit. Issue:DS-12197
Fixed an issue where updating a component in the web console could generate a missing enabled property error. Issue:DS-12201
Fixed an issue where a VLV request specifying a large afterCount value would result in an OutOfMemoryError and cause the Data Store to shut down. Issue:DS-12215
Updated the HTTP/HTTPS connection handler to Jetty 8.1.16.v20140903. Issue:DS-11959
These features were added for version 4.7.0.0 of the Directory Server:
Updated the server to support Alarms. An alarm represents a stateful condition of the server that might indicate a problem, such as low disk space or external server unavailability. The status command line utility and the monitoring page of the web console have been updated to expose the active alarms. Many existing alert types have been updated to be treated as alarms. When the condition associated with an alarm abates, the alarm is cleared.
Added support for Gauges. A gauge examines specific server monitoring data, and raises an alarm when a configured threshold is crossed. The server has out-of-the-box gauges such as CPU Usage and Disk Busy, and new ones can be added through the Gauge Data Source and Gauge configuration object types.
The end-to-end replication latency is continuously calculated and exposed through the replica's monitor entry. The Replication Latency gauge can be configured to raise an alarm if the measured latency exceeds a specified threshold.
Added support for a matching entry count request control that uses server index data to quickly determine the number of entries that match the associated search request. The matching entry count response control will indicate whether the value is an exact count or an upper bound, and may contain additional debug messages describing the use of indexes to derive that count. This functionality is exposed on the ldapsearch command line tool with the --countEntries option.
Exposed more fine-grained control of transaction locking and retry. Added local DB backend configuration properties that can be used to specify default transaction settings that will be used for external transactions (LDAP transactions or atomic multi-update operations) that do not include a transaction settings request control. Added support for a transaction settings request control that can be used to customize the behavior of the server when processing a batched transaction or an atomic multi-update operation. Customizable settings include the commit durability, the number of retry attempts, the conditions under which to acquire an exclusive lock in the target backend while the commit is in progress, and upper and lower bounds for transaction lock timeouts.
Enhanced Replication Health Monitoring and Alarms.
OpenJDK 7 is now supported on Linux.
These were known issues at the time of the release of version 4.7.0.0 of the Directory Server:
JDK 6 is currently deprecated and will not be supported in the next major release.
UnboundID products are not supported on JDK 8.
The following attributes are not defined in the UnboundID Data Store schema, but are being used by the product. Please do not use the following: baseDN, certificate, hostname, id, instancePath, jmxEnabled, jmxport, jmxsEnabled, jmxsport, ldapEnabled, ldapport, ldapsEnabled, ldapsport, location, memberofgroups, os, preferredSecurity, replicationPort, startTLSEnabled, type.
These issues were resolved with version 4.7.0.0 of the Directory Server:
Task-based invocations of the restore tool now require that the "backupDirectory" parameter have an absolute path. Issue:DS-9110
Fixed the web console so that attempts to reconnect (after the console is restarted) succeed. Issue:DS-11043
Added additional processing to the Unique Attribute Plugin that eliminates a race condition where concurrent operations were previously allowed to create entries with the same unique value. Issue:DS-11086 SF#:2307
Updated the processing time histogram to use a more sensible format for aggregate percent values. The LDAP SDK monitor parsing support for this monitor entry has also been updated to accommodate either format. Issue:DS-11146
Added support for a new hex string attribute syntax, which is intended to store values comprised of zero or more hexadecimal digits. Hex string values may be compacted, so that the representation stored in the database uses less memory and disk space than the string representation that will be used when clients interact with the data. Issue:DS-10813
Added support for compacting the values of attributes configured to use an integer or bit string syntax. Compacted values can require less space to store in the database and less memory to hold in the cache, particularly for values with larger non-compacted representations.
Compaction for integer and bit string values is not enabled by default because certain values that violate the constraints of the syntax could be incorrectly interpreted as if they had been compacted. If the server has ever been configured to permit attribute values that violate syntax constraints, it is recommended that the data be exported to LDIF before enabling compaction and imported from LDIF after compaction has been enabled. Issue:DS-10783
Added local DB backend configuration properties that can be used to specify default transaction settings that will be used for external transactions (LDAP transactions or atomic multi-update operations) that do not include a transaction settings request control. Issue:DS-10555
Added a result code tracker that maintains a monitor entry with counts and response times of results. Each result is categorized by operation type, post-response result code, and whether it is a failure or non-failure. Issue:DS-3270
Exposed LDAP extended operation throughput and response time data in the Periodic Stats Logger and the Metrics Engine to expand upon the set of tracked operation types. Issue:DS-10369
Exposed local & non-local external server health check states in the Proxy load balancer monitor entry. Issue:DS-10552
Fixed an issue with HTTP Connection Handlers that allowed them to be configured with ports that were already in use. Now the server will not start if an HTTP Connection Handler is configured to use a port that is in use. Issue:DS-11202
Changed automatic tuning for db-num-cleaner-threads in the JE Backend to set a maximum of two cleaner threads. Previously, automatic tuning set a maximum of 16 threads depending on the number of available CPUs, and unneeded cleaner threads decreased performance. If a greater number of cleaner threads is needed to keep up with server load, the server will generate an alert with suggested configuration changes. Issue:DS-2356
Fixed a bug where in a rare case the server could take 10 minutes to start because it was waiting on a non-existent replication backlog. The server will now start without delay if there is no backlog to process, or it will report on the progress of the backlog count every 30 seconds until the startup backlog threshold is met. Issues:DS-11182,DS-11195 SF#:2332
The default value for the Global Configuration property startup-min-replication-backlog-count has been changed from unlimited to 5000 to avoid starting connection handlers before the server has a chance to catch up on replicated updates. A server that has been offline for an extended period of time will take longer to start up, but once it is started, it will expose up-to-date data. Issue:DS-11285
Updated the mirror and isMemberOf virtual attribute providers to take advantage of the matching entry count functionality when determining whether a given search operation may be processed efficiently with the virtual attribute provider. Previously, these virtual attribute providers may have incorrectly concluded that a search could be processed efficiently when the criteria would not have been indexed as expected (e.g., because one or more index keys needed to perform the search had exceeded the index entry limit), resulting in a search that took longer to process than if the virtual attribute provider had not been used. Issue:DS-11108 SF#:00002323
Fixed a problem in which the server could encounter an internal error when processing a substring search for an attribute type that does not have a substring matching rule, but for which an equality index is defined. The server will now return an inappropriate matching result for attempts to evaluate a search filter in which a necessary matching rule is not available. Issue:DS-11345
To ensure consistent response times, the server actively alerts when its threads are paused for more than a few seconds due to environmental issues. Causes may include running within a virtualized environment, disk swapping, and garbage collection. With this change, the server uses information provided by the JVM about recent garbage collection pauses to either rule out garbage collection as the source of the detected pause, or to provide details about the type of garbage collection that could have caused the pause. Issue:DS-10930
Enhanced the changelog backend to work with LDAP clients sensitive to the distinction between moddn and modrdn values in the changetype attribute. Issue:DS-11394 SF#:2392
Added tracking of extended operations by type to the LDAP Result Code Tracker to increase the granularity of reported data. Issue:DS-11011
Updated the attribute constraint validation check for 'X-MIN-INT-VALUE' to allow negative integer values to be specified. Issue:DS-11441 SF#:00002401
Fixed a problem that prevented the server from starting if a TLS-enabled connection handler was configured with a certificate nickname that referenced a non-RSA certificate. Issue:DS-10949
Fixed an internal server error resulting from a multi-update request containing only password modify extended requests with target identities not prefixed with "dn:". Issue:DS-11449
These were known issues at the time of the release of version 4.6.0.0 of the Directory Server:
UnboundID products, Java SE, and the JVM do not use OpenSSL libraries and are therefore not vulnerable to OpenSSL issues. Oracle has provided a statement on the April 2014 OpenSSL Heartbleed vulnerability at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html. Issue:DS-10807
A SCIM request from a client application cannot contain null JSON elements in request bodies to represent attributes that have no values. Instead, the request should not include the attributes. Issue:DS-9048
If an application that was used in a consent operation is deleted, the Identity Broker's /privacy/v1/histories/{ownerCompositeKey}/accessHistory resource will show that application as null in its responses. This causes the following error with the Privacy Preferences application when requesting access history:
An error occurred: "Unexpected AJAX error message format." Issue:DS-10203
These issues were resolved with version 4.6.0.0 of the Directory Server:
Upgrade to Berkeley DB Java Edition version 5.0.103.
Updated the local DB backend to improve support for exploded indexes:
- Fixed a bug that could cause the server to improperly count the number of entries matching an exploded index key, which could interfere with the correct enforcement of the index entry limit for exploded index keys.
- Updated the server so that if an exploded index key has exceeded the index entry limit, the data associated with that index key will be deleted in the background so that the result to the client will not be delayed.
The server has also been updated to improve the diagnostic information that will be made available in the event of a database deadlock, lock timeout, or transaction timeout. Issues:DS-10277,DS-10278,DS-10279 SF#:00002147
Updated the validate-file-signature tool to ensure that it will always display a final summary message to indicate whether any warnings or errors were encountered during processing. Issue:DS-10333
Updated the signed logging implementation to better handle any problems that may arise during cryptographic processing. If any such problem is encountered, the server will now include a message with information about the error in the signature block rather than suspending the logger with an exception recorded in the server.out log file. Issue:DS-10310
The replication conflict resolution policy has been changed for attributes defined in the schema as single-value. The new policy for these attributes is that the last write always takes effect in the event of a conflict. Previously, in cases where two different values were added on different servers very close to the same time, the intended policy was to have the first value take effect across all the replicas. However, this former policy could result in replica divergence in the presence of three or more replicas. Issues:DS-10063,DS-9855
Fixed an issue in the Periodic Stats Logger, where no logging would occur when suppress-if-idle=true was configured, even when the server was not idle. Issue:DS-10387 SF#:2170
Fixed the artifacts associated with the first bind failure that crosses the lockout failure count set in the Password Policy. Previously, the Password Policy Response control would not accurately reflect that the account was locked, and the account locked time was not being updated. Issues:DS-10398,DS-10399 SF#:2148
Added a new sanitize-log tool that can be used to remove sensitive information from server log files, including the file-based access log, the operation timing access log, the file-based error log, the file-based sync log, the file-based resync log, and the detailed HTTP operation log.
The sanitization process operates on fields that consist of name-value pairs. The field name and equal sign will always be retained, but in cases where the value may contain sensitive data, that value may either be replaced with the string "---REDACTED---", or it may be tokenized. If the tokenized value is a DN or filter, then attribute names in that DN or filter will be preserved while the values will be replaced with a string consisting of a number inside curly braces. If the tokenized value is not a DN or filter, then the entire value will be replaced with a number inside curly braces. If a string to be tokenized appears multiple times in the log, the same replacement token will be used for each occurrence of that string to make it possible to correlate occurrences of that string without revealing the actual content.
The sanitize-log tool has a default configuration that should be sufficient for many environments, allowing it to tokenize or redact sensitive information while preserving non-sensitive content for use in diagnosing problems or understanding usage patterns. However, this behavior can be customized using command-line arguments by indicating whether to preserve, tokenize, or redact a given log field. Issue:DS-10472
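The field-level tokenize/redact/preserve behaviour described above, as an added example (not the sanitize-log tool's own code): name=value fields are parsed, DN and filter values keep their attribute names, every other tokenized value becomes a numbered token, and the same string always receives the same token. The sample log lines, the field names and the default preserve/tokenize/redact split are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample access-log lines (not real server output) in name=value field form.
SAMPLE_LOG = [
    'SEARCH RESULT conn=12 op=3 base="ou=People,dc=example,dc=com" scope=2 '
    'filter="(&(uid=jdoe)(mail=jdoe@example.com))" resultCode=0 etime=1.2',
    'BIND REQUEST conn=13 op=1 dn="uid=jdoe,ou=People,dc=example,dc=com" authType=SIMPLE',
    'MODIFY RESULT conn=13 op=2 dn="uid=jdoe,ou=People,dc=example,dc=com" resultCode=0 '
    'message="password changed"',
]


class LogSanitizer:
    REDACTED = "---REDACTED---"
    # name=value fields; values may be double-quoted (and then may contain spaces).
    FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
    # A value that looks like a DN: starts with an attribute name followed by '='.
    DN_RE = re.compile(r'^[A-Za-z][\w.-]*=')
    # One filter component "(attr<op>value)"; the '&', '|' and '!' wrappers are left alone.
    FILTER_COMPONENT_RE = re.compile(r'\(([^()=~<>]+)([=~<>]+)([^()]*)\)')

    def __init__(self, tokenize: Iterable[str], redact: Iterable[str]) -> None:
        self.tokenize = set(tokenize)   # field names whose values are tokenized
        self.redact = set(redact)       # field names whose values are replaced outright
        self._tokens: Dict[str, int] = {}   # original string -> token number

    def _token(self, value: str) -> str:
        # The same string always maps to the same token so occurrences stay correlatable.
        if value not in self._tokens:
            self._tokens[value] = len(self._tokens) + 1
        return "{%d}" % self._tokens[value]

    def _tokenize_dn(self, dn: str) -> str:
        # Keep each RDN's attribute name; replace only the attribute value.
        parts = []
        for rdn in re.split(r'(?<!\\),', dn):   # split on unescaped commas only
            name, _, value = rdn.partition('=')
            parts.append(name.strip() + '=' + self._token(value.strip()))
        return ','.join(parts)

    def _tokenize_filter(self, flt: str) -> str:
        # Keep attribute names and operators; replace each assertion value.
        return self.FILTER_COMPONENT_RE.sub(
            lambda m: '(' + m.group(1) + m.group(2) + self._token(m.group(3)) + ')', flt)

    def _tokenize_value(self, value: str) -> str:
        if value.startswith('('):
            return self._tokenize_filter(value)
        if self.DN_RE.match(value):
            return self._tokenize_dn(value)
        return self._token(value)   # neither DN nor filter: the whole value becomes one token

    def sanitize_line(self, line: str) -> str:
        def replace(m: "re.Match[str]") -> str:
            name, quoted = m.group(1), m.group(3) is not None
            value = m.group(3) if quoted else m.group(4)
            if name in self.redact:
                new = self.REDACTED
            elif name in self.tokenize:
                new = self._tokenize_value(value)
            else:
                return m.group(0)   # preserved field: name and value untouched
            return name + '=' + ('"%s"' % new if quoted else new)
        return self.FIELD_RE.sub(replace, line)


def sanitize_lines(lines: Iterable[str],
                   tokenize: Iterable[str] = ("dn", "base", "filter"),
                   redact: Iterable[str] = ("message",)) -> List[str]:
    """Sanitize a batch of log lines with one shared token table."""
    sanitizer = LogSanitizer(tokenize, redact)
    return [sanitizer.sanitize_line(line) for line in lines]


if __name__ == "__main__":
    for line in sanitize_lines(SAMPLE_LOG):
        print(line)
```

Note that uid=jdoe in the bind and modify lines receives the same token that jdoe received in the earlier search filter, which is what allows an analyst to follow one user's activity through a sanitized log without learning the identifier.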
Fixed issues with the JDBC Access Logger that were related to Oracle Thin Client, where column values were "null" and disabling the logger resulted in losing a connection to the server when using the dsconfig command. Issue:DS-10485
Critical: Fixed a problem that could interfere with access to an exploded attribute index after performing an online index rebuild for that attribute. Issue:DS-10470
Updated the Server SDK to add the ability to generate administrative alert notifications that cause the server to report itself as degraded or unavailable. Issue:DS-10499
Improved performance for ACI calculations involving complex search filters by trying to reduce the number of redundant access calculations when multiple filter components refer to the same attribute type. Issue:DS-10528 SF#:2212
Updated the server and replication infrastructure so that tasks for initializing one or more servers over the network can be canceled with the manage-tasks tool. When an initialization task is initiated by dsreplication, instructions to cancel the task are printed to the console. When an initialization task is canceled, the target backend is left empty and disabled, and must be re-enabled before another initialization can be attempted. Issue:DS-9999
Fixed an issue with the Password Modify Extended Request used with the Password Policy Control, where the "Password in History" error type was not being set properly. Also, in the case of "Insufficient Password Quality," a diagnostic message is provided in the extended result. Issue:DS-10592 SF#:2220
Fixed an issue so that collect-support-data now generates filename entries correctly. Previously, the tool would hang if the archiving of files following a symbolic link required generating a non-duplicating filename entry. Issue:DS-10582
Fixed an issue where Time Rotation Policies could be triggered twice in succession if a backwards system clock adjustment was made during log rotation. This condition may be triggered by network time protocol updates or virtualization host-to-guest time synchronization. The fix was to record the time of file comparison and not allow the last rotation time to be set to a time earlier than the time of comparison. Issue:DS-10591 SF#:2205
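The double-rotation failure mode and the fix described above, as an added example (not the server's own rotation code): the clock is injected, and the scripted readings are constructed so that the clock steps backwards between the file comparison and the end of the rotation.

```python
from dataclasses import dataclass, field
from typing import Callable, List


class ScriptedClock:
    """Returns the constructed readings in order, repeating the last one thereafter."""

    def __init__(self, readings: List[float]) -> None:
        self._readings = list(readings)
        self._last = readings[0]

    def __call__(self) -> float:
        if self._readings:
            self._last = self._readings.pop(0)
        return self._last


@dataclass
class TimeRotationPolicy:
    """Rotate when `interval` seconds have elapsed since the last rotation.

    fixed=False reproduces the pre-fix behaviour; fixed=True applies the fix above.
    """
    interval: float
    clock: Callable[[], float]
    fixed: bool = True
    last_rotation: float = 0.0
    rotations: List[float] = field(default_factory=list)

    def check(self) -> bool:
        comparison_time = self.clock()          # time of the file comparison, recorded up front
        if comparison_time - self.last_rotation < self.interval:
            return False
        self.rotations.append(comparison_time)  # stand-in for rotating the file
        completed = self.clock()                # the clock may have moved backwards meanwhile
        if self.fixed:
            # Never let the last rotation time precede the comparison time.
            self.last_rotation = max(completed, comparison_time)
        else:
            self.last_rotation = completed
        return True


def simulate(fixed: bool, interval: float = 3600.0) -> int:
    """Two consecutive checks around a clock that steps back 4200 s during rotation.

    Returns the number of rotations performed (2 shows the bug, 1 shows the fix).
    """
    # Constructed readings: comparison at t=7200, clock stepped back to 3000 during
    # rotation, next comparison one second later at 7201.
    policy = TimeRotationPolicy(interval=interval, clock=ScriptedClock([7200.0, 3000.0, 7201.0]),
                                fixed=fixed)
    policy.check()
    policy.check()
    return len(policy.rotations)


if __name__ == "__main__":
    print("rotations without fix:", simulate(fixed=False))
    print("rotations with fix:   ", simulate(fixed=True))
```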
Enabled the Host System Monitor Provider by default so that system CPU and memory utilization will be reported automatically through the server's monitoring framework. Disk and network monitoring can be enabled by configuring values for the disk-devices and network-devices configuration properties. Issue:DS-10562
The default timeout period for smtp-timeout was changed from none to two minutes to prevent non-responsive mail servers from disrupting administrative functions. Issue:DS-10230
Introduced a limit to the number of changes a replica is allowed to hold that are pending communication to the replication server. Issue:DS-10605 SF#:2218
Fixed an issue with dsreplication status where the tool would fail to parse an IPv6 server address when using the displayServerTable option. Issue:DS-10668 SF#:2223
The dsreplication detach command was deprecated in a previous release and has now been removed. To remove or isolate a server from the replication topology, use dsreplication disable. This command will remove the server from a replication topology for a given base DN. Issues:DS-10146,DS-9913
With the implementation of Java 7, the log-file-permissions setting now provides more granular permissions for users and groups. Issue:DS-6241
Fixed an issue in which subtree delete operations that were part of an LDAP transaction were not replicated properly and could interfere with the replication of new changes. Issue:DS-10871 SF#:2257
The setup command no longer saves user-provided key store and trust store passwords in PIN files. Passwords provided during setup are encrypted with the configuration data. If the administrator chooses to use PIN files to supply the passwords, the files are referenced in the server configuration by the key manager and trust manager. Issue:DS-10787
Updated the access control handler configuration to make it easier to specify which controls clients are allowed to include in bind requests. Issue:DS-10725
Updated the access logger so that result messages include user-friendly names for result codes in addition to their numeric values. Issue:DS-9946
Updated the Periodic Stats Logger to include an empty value in the output rather than "infinity" in certain circumstances. This avoids problems plotting the output in a spreadsheet. Issue:DS-8842
Fixed the exchange of symmetric keys used when importing or restoring encrypted data. The exchange was not working when the servers defined in admin data were configured to use secure authentication. This would result in error message "CryptoManager failed to import the symmetric key" during a restart of the server. Issue:DS-10896 SF#:2253
Fixed an issue where ldap-diff would stop working when it encountered an invalid DN from one of the servers. The command now finishes processing, but ignores invalid entries. Issue:DS-10650
Updated dsconfig to treat tabs as whitespace in batch files. Issue:DS-10549
Added Metrics Collection Size Limit Retention Policy to the metrics backend to allow up to 2 GB of metric data to be buffered locally, which allows the Metrics Engine to be offline for a longer time without missing collected data. Issue:DS-10156
Removed the deprecated "lshal" command from the Linux-specific processes performed by the collect-support-data tool and added the similar command "udevadm info --export-db". Issue:DS-10713
Delete requests going through an entry balancing request processor no longer require the requester to have permission to use the pre-read request control (1.3.6.1.1.13.1) on the backend servers. The pre-read request can be used to keep the global index up to date for deleted entries, but it requires explicitly adding permission for this control on the backend servers. This functionality can be enabled by setting the advanced "global-index-update-method-for-deletes" configuration option for entry balancing request processors to "pre-read-request-control." Issue:DS-10961 SF#:2260
Fixed a problem that could cause a VLV index to be improperly maintained in cases in which a large number of entries had the same values for all of the attributes defined in the sort order. Issue:DS-10971 SF#:00002278
Updated the Replication Servers table produced by the dsreplication tool to omit unnecessary "Security" column. Issue:DS-10442
Clients with the 'privilege-change' privilege are now able to add entries with ds-privilege-name values through the proxy server. Issue:DS-10935
Corrected an issue where virtual attribute processing for base entry searches by privileged users caused virtual and operational attributes to be returned when defining a search entry plugin. Issue:DS-10992 SF#:2283
These features were added for version 4.5.1.0 of the Directory Server:
Password rotation is now supported. The Identity Data Store now has the ability to associate multiple passwords and expiration dates with a single account. This enables new client credentials to be rolled out over time instead of all at once.
The import-ldif command now reports on-disk and in-RAM database sizes for planning and estimating. The tool also makes configuration recommendations based on results.
SCIM Resource Versioning (ETag) is now supported. This enables clients to detect overlapping updates for the Identity Data Store and Identity Proxy SCIM interfaces.
The dsreplication tool now reports the number of entries in conflict, to facilitate monitoring of replication issues.
Attributes that are stored only on disk ("un-cached attributes") are now compressed automatically to reduce storage requirements.
The collect-support-data tool now refers to tools.properties for default command-line options.
The collect-support-data tool now supports an option to encrypt the data archive, to ensure protection of customer data while in transit, and an option to reduce the amount of potentially sensitive data that is collected.
Cross-Origin Resource Sharing (CORS) support is now included for HTTP Servlet Extensions, including the SCIM RESTful APIs.
Added support for SCIM resource versioning.
These were known issues at the time of the release of version 4.5.1.0 of the Directory Server:
Disabled support for interactive transactions by default. The use of interactive transactions in some cases is prone to creating database deadlocks which may result in one or more operations being delayed and/or aborted, and in most cases, the use of standard LDAP transactions, the LDAP assertions control, the LDAP read entry controls, and/or the increment modify extension provide a sufficient level of atomicity for operations. Issue:DS-9954
The dsreplication initialize and initialize-all subcommands are not supported if run from a server that is a version prior to 4.5.0.0. When executed in a replicated environment containing old and new server versions, dsreplication can take several minutes to report the unsupported use-case when using initialize-all. Issue:DS-9904
The SCIM REST client, included with the SCIM SDK, may hang while waiting for responses from the UnboundID SCIM implementation when using Java 6. This is due to a JDK issue, which was fixed in Java 7. If this condition is encountered, the latest version of Java 7 can be used with the client application to work around the issue. Issue:DS-10104
A SCIM request from a client application cannot contain null JSON elements in request bodies to represent attributes that have no values. Instead, the request should not include the attributes. Issue:DS-10105
If an application that was used in a consent operation is deleted, the Identity Broker's /privacy/v1/histories/{ownerCompositeKey}/accessHistory resource will show that application as null in its responses. This causes the following error with the Privacy Preferences application when requesting access history:
An error occurred: "Unexpected AJAX error message format." Issue:DS-10203
When the Velocity servlet receives CORS-enabled requests and has a cross-origin policy in effect, it will return multiple Access-Control-* headers with duplicate values. This will cause cross-origin requests issued by web browsers to fail. Issue:DS-10205
These issues were resolved with version 4.5.1.0 of the Directory Server:
Update the make-ldif tool to no longer assign the objectClass value of extensibleObject to branch entries. If needed, "objectClass: extensibleObject" can be added explicitly to the branch definition. Issue:DS-8530
The output of 'dsreplication status' now includes a separate column for the number of replication conflict entries, rather than including these entries in the entry count. The number of regular entries shown should now be the same across all servers (except for prior version servers) in a system where replication conflicts have been resolved. Issue:DS-7306
Fix a bug where authentication with SCIM would fail because the password provided contained a colon character. Note: HTTP Basic Authentication does not allow usernames to contain a colon character, but LDAP DNs can, so avoid using DNs with a colon when authenticating with SCIM. Issue:DS-10045 SF#:2112
Provide an advanced configuration property db-file-cache-size for the JE database file handle cache size. Increase the default size from 100 to 1000 for better performance with large databases. Issue:DS-9540
The setup tool's --aggressiveJVMTuning and --verboseGC command-line options have been deprecated. Instead, use --jvmTuningParameter AGGRESSIVE and --jvmTuningParameter VERBOSE_GC respectively. Issue:DS-9079
Add support for a password retirement feature. If enabled, whenever a user's password is changed, the server will retire the user's former password in a way that allows it to continue to be used for a configurable length of time. This makes it possible to have a grace period when changing a password so that applications which have been configured with the previous password will still be able to authenticate with that password until they can be updated with the new password.
This capability is disabled by default but can be enabled to automatically retire user passwords on self changes and/or administrative resets. It is also possible to allow passwords to be retired via the use of a control included in a modify request or a password modify extended request. Issue:DS-9848 SF#:00002075
Update the server configuration to use a new default limit for duplicate alert suppression. The previous default imposed a maximum of 100 alerts of the same type per hour. The new default imposes a maximum of 10 alerts of the same type every ten minutes. This is more likely to suppress bursts in which the same alert is repeatedly generated over a short time without interfering with multiple occurrences of alerts of the same type over a longer period of time. Issue:DS-9259
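The following added example (not code from the release notes or from the server) models duplicate alert suppression as a sliding-window limit and runs the old default (100 per hour) and the new default (10 per ten minutes) over two constructed alert streams, so the trade-off described above can be seen in numbers. The class and function names are hypothetical.

```python
from collections import deque


class DuplicateAlertSuppressor:
    """Sliding-window limit: at most max_count alerts of a given type per window_seconds.
    Alerts beyond the limit are suppressed until earlier deliveries age out of the window."""

    def __init__(self, max_count, window_seconds):
        self.max_count = max_count
        self.window_seconds = window_seconds
        self._delivered = {}  # alert type -> deque of delivery timestamps still inside the window

    def allow(self, alert_type, now):
        """Return True if an alert of alert_type raised at time `now` should be delivered."""
        q = self._delivered.setdefault(alert_type, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()  # drop deliveries that have aged out of the window
        if len(q) >= self.max_count:
            return False  # duplicate suppressed
        q.append(now)
        return True


def count_delivered(limiter, timestamps, alert_type="replication-backlog"):
    """Feed a sorted list of alert timestamps (seconds) through the limiter; count deliveries."""
    return sum(1 for t in timestamps if limiter.allow(alert_type, t))


def compare_policies():
    """Run both defaults over two constructed alert streams and return the delivery counts."""
    # constructed stream 1: 60 identical alerts within one minute, then one every 5 minutes
    # starting at t=15 min (9 more alerts, the last at t=55 min)
    burst_then_trickle = [float(s) for s in range(60)] + [300.0 * k for k in range(3, 12)]
    # constructed stream 2: one alert every 5 minutes for 5 hours, no burst at all
    spread = [300.0 * k for k in range(60)]
    results = {}
    for name, stream in (("burst_then_trickle", burst_then_trickle), ("spread", spread)):
        results[name] = {
            "old_100_per_hour": count_delivered(DuplicateAlertSuppressor(100, 3600), stream),
            "new_10_per_10min": count_delivered(DuplicateAlertSuppressor(10, 600), stream),
        }
    return results


if __name__ == "__main__":
    print(compare_policies())
```

With the burst stream the old policy delivers all 69 alerts because the hour-long window never fills, while the new policy delivers the first 10 of the burst and then every one of the later, well-spaced alerts. With the spread stream both policies deliver all 60, which is the "without interfering with multiple occurrences over a longer period" part of the note.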
Add an example usage for the rebuild-index tool that demonstrates the arguments needed to run the tool as a task. Issue:DS-8922
Fix a bug in which the implementation for third-party result criteria created via the Server SDK did not provide access to additional details about a search operation, including the number of entries and/or references returned, and whether the search was indexed. Issue:DS-10057
Update the backup compatibility mechanism to warn on an attempt to restore a backup from a server that contained one or more encryption settings definitions into a server that does not have all of those definitions. Any entries encrypted with the settings contained in one of those definitions will be inaccessible to a server that does not contain those definitions. Issue:DS-9918
Update the import-ldif tool to report a detailed breakdown of the database cache requirements of the imported data set. This includes targeted warnings if the current server configuration is not optimized for the imported data set as well as recommendations for the largest data sets that are cacheable both for the current server configuration and for the machine with the most aggressive memory tuning options. A few summary tables are included in the output that is reported by the tool. Additional details, including the memory requirements for each index, are included in the logs/tools directory in both .txt and .csv formats. Issues:DS-6977,DS-8835
Fix a bug that could cause multiple persistent search notifications for operations associated with an interactive transaction or an atomic multi-update operation. Issue:DS-7433
Update the server so that uncached data is automatically compressed. Issue:DS-9539
For a number of LDAP-enabled tools that support including arbitrary controls in requests, the tool supports the use of a user-friendly name instead of the OID for certain controls. This was not previously documented, but the tool usage for the "--control" argument now provides those user-friendly names so they are easier to use. Issue:DS-8685
Fix the dsreplication disable subcommand to allow disabling servers that missed replication updates. Issue:DS-7244
Disable support for interactive transactions by default. The use of interactive transactions in some cases is prone to creating database deadlocks which may result in one or more operations being delayed and/or aborted, and in most cases, the use of standard LDAP transactions, the LDAP assertions control, the LDAP read entry controls, and/or the increment modify extension provide a sufficient level of atomicity for operations. Interactive transaction support can be enabled if this capability is still required.
Note that for environments which use the large attribute feature (which has been deprecated in favor of uncached attributes), interactive transactions are still required, and an attempt to start a server with a large attribute backend but without support for interactive transactions will cause the server to enter lockdown mode. Any customers using large attributes that wish to update to the latest version of the server should first contact support to determine the best way to perform the update. Issue:DS-9954
Update the server to improve the caching behavior for PIN files as used by key and trust manager providers. In the case that the keystore or truststore file has been updated to require a new PIN and the existing PIN file is updated without a configuration change to the associated key or trust manager provider, the server would previously keep trying to use the old PIN. It will now look for and use an updated PIN if a failure is encountered while using the old PIN. Issue:DS-10113 SF#:2123
Update the collect-support-data tool so that it can encrypt the data that is captured to protect it from unauthorized third parties. The encryption key is generated from a passphrase which may be read from a file, interactively provided by the user, or dynamically generated by the tool. This passphrase must be provided to support personnel (ideally over a different communication channel than the encrypted support data archive itself) for them to be able to access the information it contains.
There is also a new option to decrypt an encrypted collect-support-data archive when provided with the encryption passphrase. Issue:DS-10129
Update the collect-support-data tool so that it is possible to configure default values for most arguments in the tools.properties file. Issue:DS-10178
Update the collect-support-data tool to further reduce the possibility of gathering sensitive information. Potentially sensitive data will be replaced with ---REDACTED--- in the output. A new "--securityLevel maximum" option can also be specified that redacts DNs and search filters, which might include personally identifiable information. Issue:DS-10115
These features were added for version 4.5.0.0 of the Directory Server:
The Replication Initialization process has been enhanced to use binary transfers, removing the need to perform binary copy of large databases.
Tampering detection is now available for audit files.
Search operations that combine index-based processing with processing by virtual attribute providers, and operations that target multiple virtual attributes, are now supported.
The dsreplication command now supports SASL binding, which enables Kerberos authentication without the use of passwords.
A new config-diff command line utility can compare two server configurations and produce the difference as a dsconfig batch file. The file can then be used to bring the source configuration in line with the target. Comparisons can be done between live servers or configuration files, and between current or legacy configurations. Run 'config-diff --help' to get more information including example use cases.
These were known issues at the time of the release of version 4.5.0.0 of the Directory Server:
The dsreplication detach command is deprecated. This command can be run, but will generate warnings if used either interactively or non-interactively. To remove or isolate a server from the replication topology, use dsreplication disable. This command will remove the server from a replication topology for a given base DN. Issue:DS-9919
When executed in a replicated environment containing old and new server versions, dsreplication can take several minutes to report the unsupported use-case when using initialize-all. Issue:DS-9904
Java 1.7 has a synchronization bottleneck in HashMap that severely impacts performance. Use update 1.7u40, if possible, to avoid this issue. Issue:DS-9477
It is no longer possible to customize the format in which last access time values are written. Now values are written in the generalized time syntax. A new max-update-frequency property can be used to limit how often an entry's access time is updated. If an entry does not have a last access time, the modifyTimestamp can be used to reduce the rate of access time updates when the feature is initially enabled. Issue:DS-8360
These issues were resolved with version 4.5.0.0 of the Directory Server:
Update the Identity Access API to automatically map LDAP attributes using the Generalized Time attribute syntax to the SCIM DateTime data type. Issue:DS-9758
Update SCIM and the Identity Access API to return a 400 status code when the id attribute is included in a PATCH request, as the id attribute is read-only. Issue:DS-9195
Fix a bug in the JDBC Access Logger that could cause incompatibility with some database versions and display a "Cannot commit when autoCommit is enabled" error message. Issue:DS-8750
Fix a bug when shutting down replication nodes, that could result in multiple shutdown attempts for the same node. Issue:DS-8790 SF#:1906
Update the Server SDK to provide a new EnhancedPasswordStorageScheme API that both simplifies the API needed to create custom password policies and makes it possible for the password storage scheme to have access to the full user entry so that it is possible to use information from that entry in the process of generating or verifying encoded passwords. Issue:DS-8429
Update the out-of-the-box configuration to add a sensitive attribute definition for the TOTP shared secret. This definition will not be enforced by default, but it can be easily enabled by referencing it from the global configuration or the desired set of client connection policies. Issue:DS-8769
Update the global ACIs so that the retain identity request control will be allowed by default. Issue:DS-8710
If the server is configured with one or more global sensitive attribute definitions, internal operations may be subject to restrictions imposed by some sensitive attributes. This is often the correct behavior, but there are some cases in which sensitive attribute restrictions may interfere with correct processing (e.g., if a sensitive attribute is also configured as a unique attribute, then the unique attribute plugin may have previously been blocked from performing the necessary search to determine whether there are any conflicting values). To address this problem, the server has been updated so that some internal operations are allowed to be exempted from sensitive attribute restrictions to ensure that they are able to behave correctly. Issue:DS-7849
Update the server startup process so that if no messages have been logged for at least five minutes, the server will generate and log a message about the current phase of startup processing. This can help reassure administrators that the server is still starting and provide information about what phase of startup may be taking so long. Issue:DS-7450
Update the TOTP SASL mechanism handler to provide an option that will prevent TOTP passwords from being used multiple times, even in the same time interval. Issue:DS-8738
Enable the validate TOTP password extended operation handler in the out-of-the-box configuration. Issue:DS-8756
Update the server to allow the start administrative session extended request on an unauthenticated connection even if the reject-unauthenticated-requests global configuration property is set to true, and on an insecure connection even if the reject-insecure-requests property is set to true. The server would previously reject the attempt to create an administrative session under these circumstances, which could interfere with the ability to bind or use StartTLS in cases where all normal worker threads are tied up and unable to process new requests in a timely manner. Issue:DS-8717
Update the file-based cipher stream provider so that it only needs access to the PIN file when the server is started (or when invoking a command-line tool that needs to open the encryption settings database). This makes it possible to store the PIN file on removable media (e.g., a USB drive) that is only mounted as-needed to reduce the likelihood that someone with access to the system will be able to obtain the PIN needed to access the data encryption keys. Issue:DS-8736
Fix a potential deadlock when enabling replication in a large topology. Issue:DS-8790 SF#:1906
Add support for a new password storage scheme that uses the PBKDF2 algorithm (as described in the PKCS#5 specification contained in RFC 2898). This scheme uses multiple rounds of cryptographic processing to make brute force (and even dictionary) attacks much more expensive. The salt length, iteration count, and derived key length can be customized by the administrator if desired. Issue:DS-8680
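As an added illustration of what the new scheme does (this is example code, not the server's own implementation, and the `{PBKDF2}iterations:salt:key` storage format below is an assumption made for the example), the following encodes a password with PBKDF2-HMAC-SHA256 using the three tunables the note mentions, and verifies a candidate password against the stored value in constant time.

```python
import base64
import hashlib
import hmac
import os

SCHEME_NAME = "PBKDF2"


def encode_password(password, iterations=10000, salt_length=16, key_length=32, salt=None):
    """Encode a clear-text password as {PBKDF2}<iterations>:<base64 salt>:<base64 derived key>.
    iterations, salt_length and key_length are the administrator-tunable parameters.
    `salt` may be supplied only to make tests reproducible; normally it is random."""
    if salt is None:
        salt = os.urandom(salt_length)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=key_length)
    return "{%s}%d:%s:%s" % (
        SCHEME_NAME,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password, encoded):
    """Re-derive the key with the stored salt and iteration count and compare in constant time.
    The iteration count is read from the stored value, so raising the default later does not
    break verification of passwords encoded under the old setting."""
    prefix = "{%s}" % SCHEME_NAME
    if not encoded.startswith(prefix):
        raise ValueError("not a %s-encoded password" % SCHEME_NAME)
    iterations, salt_b64, key_b64 = encoded[len(prefix):].split(":")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = encode_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```

Each guess an attacker makes against a stolen value costs the full iteration count of HMAC computations, which is where the "much more expensive" in the note comes from; the salt ensures that the same password in two entries yields different stored values, so precomputed tables do not help.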
Add a new wait for passphrase cipher stream provider that can be used to allow the passphrase for the encryption settings database to be provided interactively by an administrator without the need to have it stored anywhere on the server system. A new "supply-passphrase" subcommand has been added to the encryption-settings tool that can be used to provide this passphrase when it is needed during server startup or when this cipher stream provider is first put into service. Issue:DS-8737
Fix a bug that could result in a replica failing to become a WAN gateway after disconnecting from catch-up mode. Issue:DS-8830 SF#:1910
Fix a memory leak that could affect long-lived connections that are used to process a large number of non-anonymous bind operations without using the retain identity control. Issue:DS-8833
Fix an issue where the setup process could produce a java error file due to a native memory allocation failure. Issue:DS-6412
Update java.properties generation so that comments related to alternative JVM tunings are no longer present in the file. In most cases, rather than updating java.properties by hand you should use the dsjavaproperties tool to generate JVM options. Issue:DS-8339
Add an allow-insecure-local-jmx-access option to the global config that will expose JMX data via an insecure local JVM connection. Issue:DS-4300
Add support for a new multifactor authentication mechanism that uses one-time passwords that have been delivered to the end user through some out-of-band mechanism. The authentication is performed in a two-step process:
- The client first sends a "deliver one-time password" extended request, which includes an authentication ID to identify the target user, the static password for that user, and an optional list of allowed delivery mechanisms. If successful, this extended request will cause a one-time password to be generated and made available to the user through some mechanism (the server comes with support for delivering one-time passwords through e-mail via SMTP, and through SMS using the Twilio web service, and it also includes Server SDK support for creating custom delivery mechanisms).
- Once the user has received the one-time password, they may use it to authenticate via the UNBOUNDID-DELIVERED-OTP SASL mechanism, which includes an authentication ID, an optional authorization ID, and the one-time password value that was provided to them.
A new deliver-one-time-password command-line tool has been provided to make it possible to test the extended request used to provide the one-time password to the user, and all command-line tools that support SASL authentication have been updated to make it possible to use the UNBOUNDID-DELIVERED-OTP SASL mechanism. Issue:DS-6969
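The two steps above, modelled as an added example (this is not the server's code; the class, method and user names are hypothetical, and the six-digit numeric OTP, the 300 second lifetime, and the rule that a wrong or replayed OTP is discarded are choices made for the example). Delivery mechanisms are plain callables so the flow can be exercised without e-mail or SMS.

```python
import hmac
import secrets
import time


class DeliveredOtpAuthenticator:
    """Constructed model of the delivered-OTP flow: step 1 is the 'deliver one-time password'
    extended request, step 2 is the SASL bind that presents the delivered value."""

    def __init__(self, users, delivery_mechanisms, otp_ttl_seconds=300, clock=time.time):
        self.users = users                      # auth id -> {"password": str, ...}
        self.mechanisms = delivery_mechanisms   # mechanism name -> callable(user_record, otp)
        self.otp_ttl = otp_ttl_seconds
        self.clock = clock
        self.pending = {}                       # auth id -> (otp, expiry time)

    def deliver_one_time_password(self, auth_id, static_password, allowed_mechanisms=None):
        """Step 1: verify the static password, generate an OTP and hand it to the first
        delivery mechanism that is both allowed by the client and available on the server.
        Returns the mechanism name used, or None if the request fails."""
        user = self.users.get(auth_id)
        if user is None or not hmac.compare_digest(user["password"].encode("utf-8"),
                                                   static_password.encode("utf-8")):
            return None
        for name in (allowed_mechanisms or list(self.mechanisms)):
            mechanism = self.mechanisms.get(name)
            if mechanism is None:
                continue                        # client asked for a mechanism the server lacks
            otp = "".join(secrets.choice("0123456789") for _ in range(6))
            self.pending[auth_id] = (otp, self.clock() + self.otp_ttl)  # replaces any earlier OTP
            mechanism(user, otp)
            return name
        return None

    def sasl_bind(self, auth_id, otp, authorization_id=None):
        """Step 2: the UNBOUNDID-DELIVERED-OTP bind. The pending OTP is removed on the first
        attempt, so it can be used exactly once and a wrong guess forces a fresh delivery.
        Returns the effective authorization identity, or None on failure."""
        entry = self.pending.pop(auth_id, None)
        if entry is None:
            return None
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(expected, otp):
            return None
        return authorization_id or auth_id


def demo():
    """Drive both steps with a fixed clock and a capturing 'delivery mechanism'."""
    now = [1000.0]
    delivered = []   # what the user "receives"
    auth = DeliveredOtpAuthenticator(
        users={"jdoe": {"password": "static-pw"}},                      # constructed user
        delivery_mechanisms={"email": lambda user, otp: delivered.append(otp)},
        clock=lambda: now[0],
    )
    results = {}
    results["wrong_static_password"] = auth.deliver_one_time_password("jdoe", "nope")
    results["mechanism_used"] = auth.deliver_one_time_password("jdoe", "static-pw", ["sms", "email"])
    results["first_bind"] = auth.sasl_bind("jdoe", delivered[-1])
    results["replayed_bind"] = auth.sasl_bind("jdoe", delivered[-1])
    auth.deliver_one_time_password("jdoe", "static-pw")
    now[0] += 600                                   # well past the 300 s lifetime
    results["expired_bind"] = auth.sasl_bind("jdoe", delivered[-1])
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that the static password is checked before anything is delivered (so an unauthenticated caller cannot use the server to send messages to arbitrary users), and that the OTP is removed from the pending table on the first bind attempt, which makes replay impossible and limits online guessing to one try per delivery.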
Fix a bug where pwdChangedTime was not being updated when using the update-local-password option in the pass through authentication plugin. Issue:DS-8856 SF#:1932
Add a new alert handler that can use the Twilio service to deliver administrative alerts via SMS. Long alerts may be either truncated or split into multiple SMS messages. Issue:DS-5587
Update the configuration schema to make the ds-cfg-inherit-default-root-privileges attribute mandatory for object class ds-cfg-root-dn-user which is used to define Root User DNs. When this attribute is not present on Root DN User entries, the effect is for the root user to inherit default privileges. It has been made mandatory to make this behavior more explicit. During an update of the server, root DN user entries that do not explicitly declare a value for this attribute will be updated with a value of 'true'. Issue:DS-8450
Fix a bug in which setting the show-all-attributes property to true in the root DSE or schema backends could cause the associated operational attributes to behave incorrectly if they appeared in other entries in the server (e.g., if this setting was enabled for the root DSE, then it could cause the subschemaSubentry operational attribute to behave as a user attribute in other entries as well). Issue:DS-8788
Improve performance when large static groups are retrieved over SCIM. The UnboundID Join Request Control is used to gather the attributes needed from each member entry and return them from the data store in a single operation. Issue:DS-7681
Add arguments to import-ldif to allow excluding operational and replication attributes from being imported. Issue:DS-5991
Add 'jmap -histo:live' to collectSupportData when --collectExpensiveData is set. Issue:DS-8783
Ensure that the Pass-Through Authentication plugin updates the last login time and last login IP address when the update-local-password option is enabled. Issue:DS-8872
Fix a bug that prevented modify operations with sequential password modifications from completing as expected. Issue:DS-8880
Fix a NullPointerException that occurred when arguments to dsreplication were missing. Issue:DS-6738
Update the backup, restore, import-ldif, and export-ldif tools to provide support for data encryption and signing when they are running in a different JVM than the server. Previously, these functions were only available when the backup/restore/import/export processing was invoked as a task so that it would operate inside the running server. Issue:DS-166
Dramatically improve the performance of LDIF export when not running as a task (i.e., in a JVM that is outside the running server). Issue:DS-7340
Add the ability to use the simple paged results, server-side sort, and virtual list view request controls in conjunction with search operations that are processed using a virtual attribute provider. Issues:DS-6613,DS-6928
Fix a bug where ldapmodify would not accept multiple values for case sensitive attributes. Issue:DS-8911 SF#:1944
Add a WebLogic specific descriptor file for the web console to help with deployment compatibility. Issue:DS-8925 SF#:1915
Add a help message for when a user tries to run rebuild-index while the server is online. Issue:DS-1242
Add error messages for when incorrect arguments are supplied to dsconfig. Issue:DS-7569
The trust store password options have been deprecated for most tools that do not require read-write access to a trust store. Issue:DS-8789
Report the correct line number in make-ldif error messages. Issue:DS-8018
Add correct ALU branding in create-sync-pipe-config. Issue:DS-8820
Update default sync pipe naming to be script friendly by replacing space characters with underscores. Issue:DS-3190
Make a number of criteria-related improvements:
- Add Server SDK support for creating custom connection, request, result, search entry, and search reference criteria implementations.
- Update the simple request criteria type to make it possible to consider the search scope in determining whether a search operation matches the criteria.
- Update the simple result criteria type to make it possible to consider the indexed/unindexed status in determining whether a search operation matches the criteria.
- Add a new type of request criteria that may be used to more easily identify operations that target the server root DSE.
- Add a new type of result criteria that may be used to classify operations based on replication assurance requirements and/or whether those requirements were satisfied.
- Add a new allowed-insecure-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an insecure connection and the server is configured to reject insecure requests.
- Add a new allowed-unauthenticated-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an unauthenticated connection and the server is configured to reject unauthenticated requests. Issues:DS-5079,DS-8168,DS-8770
Fix an issue in the Identity Data Store LDAP changelog which resulted in the Sync Server Notification Pipe missing changes under certain load patterns. Issue:DS-8901
Update the unique attribute plugin to make it possible to customize the behavior that the server should exhibit if the plugin is configured with multiple unique attributes. Uniqueness can be enforced independently for each attribute type, or as a set across all the configured attribute types (optionally permitting conflicts if they all appear in the same entry). Issue:DS-8209
Backup files and directories are no longer created with default world-readable permissions. The permissions to be used are instead configurable through the db-directory-permissions property for local DB backends and the changelog backend, and through the backup-file-permissions property for other types of backend. The default permissions provide no access to other users. Issue:DS-8749
Make two new tools available that can be used in conjunction with referential integrity and unique attribute processing:
Remove passwords when running collect-support-data. Issue:DS-976
Update the server support for LDAP transactions (both standard LDAP transactions as described in RFC 5805, and the UnboundID-proprietary batched transactions implementation) to add support for proxied authorization by including a proxied authorization v1 or v2 control, or an intermediate client control with an alternate client identity, in the start transaction request. Issue:DS-8989
Add a new sign-log configuration property to file-based loggers that may be used to cause the server to digitally sign messages written by that logger. A new validate-file-signature tool may be used to verify signature information in signed log files, as well as LDIF files generated by signed LDIF exports. Issue:DS-8662
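The release notes do not describe the signature format used by sign-log, validate-file-signature, or the audit-file tampering detection listed under the 4.5.0.0 features, so the following is an added example of one common design for the same goal, not the server's implementation: each line carries an HMAC-SHA256 over the line and the previous line's signature, so modifying, reordering or deleting a line breaks the chain from that point on. The log lines and key are constructed.

```python
import hashlib
import hmac


def sign_log_lines(lines, key):
    """Append sig=<hex HMAC-SHA256> to each line. The MAC covers the previous line's signature
    as well as the line itself, chaining the file so that a change to one line invalidates
    every signature after it."""
    prev_sig = b""
    signed = []
    for line in lines:
        mac = hmac.new(key, prev_sig + line.encode("utf-8"), hashlib.sha256).hexdigest()
        signed.append(f"{line} sig={mac}")
        prev_sig = mac.encode("ascii")
    return signed


def validate_file_signature(signed_lines, key):
    """Return (True, None) if the whole chain verifies, otherwise (False, index of first bad line)."""
    prev_sig = b""
    for index, entry in enumerate(signed_lines):
        body, sep, sig = entry.rpartition(" sig=")
        if not sep:
            return False, index                     # unsigned or mangled line
        expected = hmac.new(key, prev_sig + body.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, index
        prev_sig = sig.encode("ascii")
    return True, None


# constructed access-log lines in an access-log-like layout (not real server output)
SAMPLE_LINES = [
    '[01/Jan/2024:12:00:00 +0000] BIND REQUEST conn=1 op=0 dn="uid=jdoe,ou=people,dc=example,dc=com"',
    '[01/Jan/2024:12:00:00 +0000] BIND RESULT conn=1 op=0 resultCode=0',
    '[01/Jan/2024:12:00:01 +0000] MODIFY REQUEST conn=1 op=1 dn="uid=jdoe,ou=people,dc=example,dc=com"',
]
KEY = b"constructed-signing-key"   # in practice this lives in protected server configuration


if __name__ == "__main__":
    signed = sign_log_lines(SAMPLE_LINES, KEY)
    print(validate_file_signature(signed, KEY))
    tampered = signed[:]
    tampered[1] = tampered[1].replace("resultCode=0", "resultCode=49")
    print(validate_file_signature(tampered, KEY))
```

One limitation of this shape is worth knowing when evaluating any log-signing feature: removing lines from the end of the file leaves a chain that still verifies, so detecting truncation needs something extra (a signed line count or end-of-file trailer, or a signature on each rotated file). The verifier also needs the key, so a symmetric HMAC proves integrity to the server operator but not to a third party; a public-key signature would be needed for that.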
Fix a bug that prevented current and new passwords from being available to account status notification handlers for password changes and administrative resets made using the password modify extended operation. Issue:DS-9069
Fix a bug that treated passwords with curly braces as encoded with unknown password encoding scheme. The encoding check has been updated to verify that the password storage scheme referenced in a password string is valid and already registered with the server. Issue:DS-9093 SF#:1980
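The corrected check, as an added example (not the server's code; the scheme registry is a constructed stand-in for the schemes registered with the server, and the case-insensitive scheme-name match is an assumption): a leading `{...}` only marks a value as pre-encoded when the name inside the braces is a registered storage scheme, so a clear-text password that happens to start with a brace is accepted and encoded normally instead of being rejected as an unknown scheme.

```python
import re

# constructed registry standing in for the schemes registered with the server
REGISTERED_SCHEMES = {"PBKDF2", "SSHA256", "SSHA", "CLEAR"}

# a scheme prefix is a brace-delimited name at the very start of the value
_SCHEME_PREFIX = re.compile(r"^\{([^{}]*)\}")


def classify_password(value, registered=REGISTERED_SCHEMES, legacy=False):
    """Classify a password value received in an add or modify request.

    Returns 'encoded' when the value carries a registered scheme prefix, 'clear' when it should
    be treated as a clear-text password to be encoded by the server, or, with legacy=True
    (the behaviour before the fix), 'unknown-scheme' for any brace prefix that names no
    registered scheme, which the server used to reject."""
    m = _SCHEME_PREFIX.match(value)
    if not m:
        return "clear"
    scheme = m.group(1).upper()   # assumption: scheme names are matched case-insensitively
    if scheme in registered:
        return "encoded"
    return "unknown-scheme" if legacy else "clear"


if __name__ == "__main__":
    for v in ("{SSHA256}c2FsdHNhbHQ=", "{my}secret", "plain"):
        print(v, "->", classify_password(v), "(legacy:", classify_password(v, legacy=True) + ")")
```

The registry lookup also matters for the opposite direction: a value claiming a scheme that is registered is stored as-is, so a client allowed to set pre-encoded passwords can choose a weaker registered scheme than the policy default. That is a separate policy question the note does not address, but it is why restricting who may supply pre-encoded passwords is worthwhile.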
Update the local DB backend so that it will generate a warning when starting an LDIF export as a task. A task-based LDIF export may be unsafe because it cannot guarantee the kind of point-in-time snapshot of the data that an offline export provides, which means that the LDIF file resulting from a task-based export may reflect a portion of the changes processed while the export is in progress. The export-ldif tool usage has also been updated to provide the same warning. Issue:DS-7340
Update the Server SDK to make information about the target entry available in CompareResult, DeleteResult, ModifyResult, and ModifyDNResult classes, which makes it available for use by post-response and post-replication plugins. Issue:DS-9100 SF#:1951
Update the referential integrity plugin to prevent subtree delete operations when referential integrity is configured to operate in synchronous mode, which could result in database lock conflicts. Issue:DS-7940
Fix a bug that could prevent the server from properly maintaining ordering indexes for attributes with a generalized time syntax. Issue:DS-8952 SF#:1947
Update the last access time plugin (and the last access time uncached entry criteria, which depends on the last access time plugin) to change the way that last access time updates will be made.
It is no longer possible to customize the format in which last access time values are written. Rather, they will now always be written in the generalized time syntax, and a new max-update-frequency property may be used to limit how often an entry's access time may be updated. Further, if an entry does not have a last access time, then the modifyTimestamp may be used instead to help reduce the rate of access time updates when the feature is initially enabled.
When updating a deployment that uses the former last access time behavior, it is recommended that either all servers be updated in a short period of time or that the last access time plugin be temporarily disabled until all servers have been updated to a version that uses the newer approach. Otherwise, the rate of last access time updates may increase as long as the environment contains a mix of servers with older and newer versions. Issue:DS-8360
Fix a bug where group membership could incorrectly present a user as a member of a static group when that static group contained a dynamic group. Issue:DS-9159 SF#:1996
Add support for two new extended operations. A list configurations extended operation may be used to obtain information about the configurations that are available to the server, including the currently-active configuration, the baseline configuration (i.e., the base configuration for an out-of-the-box installation of the current version), and all archived configurations that reflect configuration changes over time. A get configuration extended operation may be used to retrieve a specific configuration from the server. Issue:DS-9149
Update setup to fix a bug in which file path options specified as relative to the current directory may cause the server to be configured incorrectly or cause setup failure. Issue:DS-8389
Update the HTTP Connection handler to support configuration for tracking sessions either through HTTP cookies or by URL rewriting. Issues:DS-8639,DS-9128
Fix a bug where Changelog Password Encryption Plugin would throw an exception when processing a password change from an Active Directory Sync source. Issue:DS-9178 SF#:1954
Update the server's backup and restore capabilities so that backups will be stored with additional information about the state of the server and backend when the backup was taken so that potential compatibility problems may be identified when attempting to restore that backup. Issue:DS-8344
Update the server so that it will allow TLS renegotiation by default if it is running in a JVM that we can detect includes support for the extension described in RFC 5746. Older JVMs are vulnerable to a man-in-the-middle attack that could exploit a renegotiation flaw to inject arbitrary cleartext into a secure communication stream, and support for renegotiation was disabled by default to eliminate the possibility of such an attack against the server. However, modern JVMs have fixed the vulnerability and allowing TLS renegotiation in such systems can allow for better compatibility with clients that attempt to perform renegotiation. Issue:DS-6307 SF#:1972
Critical: Fix a bug in low level protocol buffer that could result in "uncaught exception" errors. Issue:DS-9268 SF#:2002
Address an issue in replication where the Identity Data Store may not shut down in a timely fashion because monitor information requests are not handled efficiently. Issue:DS-9232 SF#:2002
Update the server to provide a degree of sandboxing around Server SDK extensions so that an unexpected exception thrown by an extension will be caught and result in an administrative alert rather than being caught further up in the stack and potentially causing other problems. Issue:DS-9247
In the rare cases where it is necessary to forcefully terminate the JVM from within the server itself, ensure that any files marked for deletion when the JVM shuts down are manually deleted before the JVM is terminated. This can help avoid problems like server shutdown not being detected properly because the server PID file hasn't been removed. Issue:DS-9267
Provide improved schema validation to detect additional cases in which certain misspelled tokens in the definition for a schema token could be silently interpreted as an extra property for that schema element. The server will now log a warning message about these unexpected tokens so that administrators can either correct them or prefix them with "X-" to indicate that they are an extra property provided for informational purposes. Issue:DS-9236
Reduce the time it takes the server to shut down in certain situations. Background threads sometimes missed a signal to wake up and had to wait for their next polling interval to see that a shut down had been requested. Issue:DS-9334
Fix a defect where restricted domains were only being added to the configuration the first time replication was enabled. This would prevent you from being able to add new backends to the replication topology in an entry balanced environment where the baseDN of the new backend was inside the global domain baseDN.
If you are using an entry balanced environment and plan on adding new backends to your environment then you will need to upgrade to this release prior to adding these new backends. Issue:DS-9293
Fix a bug in the server that could cause a worker thread to become unable to send valid responses to operations if an unexpected exception was encountered while processing a search operation after that operation had already returned an odd number of entries. In such cases, subsequent operations processed by the worker thread could fail with a message like "The following constraint was violated. Entire search operation must be performed using the same thread from start to finish." Issue:DS-9086 SF#:00002024
Update the default behavior of all file-based loggers to have include-thread-id=true. This will include a compact thread ID in all log messages. This can make it easier to correlate log messages generated by the same thread within a single log file or across different types of log files. Issue:DS-9352
Remove -XX:+UseMembar from the default set of generated JVM properties except on early JVM versions where this setting was required to work around a threading bug in the JVM.
Update the server JVM arguments generated by setup and dsjavaproperties to explicitly define -XX:MaxNewSize and -XX:NewSize for JVM heaps of 1GB and larger. Also, add a comment to the generated java.properties file directing the administrator to use dsjavaproperties for making memory-related changes to this file rather than editing it directly. Issue:DS-9227
Fix an issue where the server could return an invalid result code (-1) in a few exceptional cases. These cases have been updated to return the appropriate result code and a general check has been added to convert any future cases where this occurs into a generic but valid server error code. Issue:DS-9409
Update the server to emit a warning message when starting a backend that is configured with multiple base DNs. Although the server currently supports backends with multiple base DNs, this capability may be removed in a future release because some functionality (e.g., online replica initialization via binary copy) is not available for backends configured with multiple base DNs. Issue:DS-9146
Improve efficiency and reliability of shutdown process for replication database threads. Issue:DS-9400 SF#:2027
Fix a bug where modify operations that attempt a delete modification against an attribute that does not exist would not be performed because the modification was incorrectly detected as a replication conflict and dropped in an attempt to resolve the conflict. Issue:DS-9431 SF#:2023
Add password file arguments to the scripts used to prepare external servers. Issue:DS-9406
The SCIM configuration for the Groups derived attribute now indicates whether to rely on the isMemberOf attribute or not. The default behavior is to rely on isMemberOf. This change eliminates unnecessary group membership searches in the case where an entry does not belong to any groups. Issue:DS-9051
Modify the way the server processes subtree delete operations so that they are no longer atomic, in order to avoid causing problems with potential database deadlocks or increased operation response times. In the event of a partial subtree delete, the server should generate an alert to notify administrators that a portion of the subtree still remains. Issues:DS-9020,DS-9174
Add a Log Publisher called "Debug ACI Logger" that can be enabled to help debug ACI issues. You can read more about debugging ACI related issues in the Admin Guide section "Troubleshooting ACI Evaluation". Issue:DS-8260
Update the make-ldif utility such that first and last names are now generated randomly instead of in sequential alphabetical order. The original ordered behavior can be enabled by using the --orderedNames option. Issue:DS-9504
Update the setup and dsjavaproperties tools to permit maximum heap size values for memory that is not currently available on the host, though the value must still be less than the total amount of memory present on the host. Issue:DS-9111
Fix an issue where the dsreplication adminPassword value provided in tools.properties was displayed in the clear on the command line. Issue:DS-9487
Fix a bug in which using the force-change-on-reset option in the Password Policy for a replicated environment could result in the "pwdReset" flag being set on some replicas after a user resets their own password. Issue:DS-9547 SF#:2036
Update the setup and dsjavaproperties tools to permit JVM heap size values to be as large as the amount of memory present on the system would permit. Issue:DS-9494
Update the Server SDK to provide the ability to run command line utilities within the server process. A ToolExecutor can be retrieved from the ServerContext. Currently, only the config-diff command is supported, but additional commands might be supported in the future. Issue:DS-9537 SF#:00001858
Enhance dsconfig to write to the config audit log when in offline mode. Issue:DS-1495
Clean up a number of modify response messages for cases in which an invalid value was included in or targeted by the modify request. Formerly, some of these messages included attribute values, but this could result in very ugly output for tools and applications that displayed the message to the client in cases in which the value contained non-printable content. Issue:DS-8470
Change the replication status server table to display replica IDs instead of server IDs for each replica in a domain. Issue:DS-9206
Alter some potential error messages that could expose the server's key or trust store file path to the client if the server configuration for that key or trust store was not correct (e.g., if it was configured with an incorrect PIN). Issue:DS-8873
If an SSL certificate nickname is specified in the configuration of an LDAP connection handler (to indicate which certificate the server should present to clients), validate that the specified certificate is actually available via the configured key manager provider. Previously, it could be difficult to troubleshoot problems that may arise as the result of specifying the nickname for a nonexistent certificate. Issue:DS-8947
Fix a bug that could prevent persistent searches from receiving notification of changes processed as part of an external transaction. Issue:DS-8718
Fix a bug that could cause the update process to fail if the server to update was offline and the contents of the database directory had been removed. Issue:DS-9621
Add an option to collect replication state dump with collect support data. Issue:DS-9534
Upgrade to Berkeley DB Java Edition version 5.0.97. Issue:DS-9137
Fix a bug that could cause the server to incorrectly short-circuit the process of determining whether an entry had a specific attribute value if that entry contained both real and virtual values for the target attribute and the comparison took attribute options into consideration. Issue:DS-9631 SF#:00002047
Fix a bug that interfered with the ability to automatically re-encode passwords whenever a user attempted to authenticate with a password encoded with a deprecated storage scheme. Issue:DS-9767
On Linux, issue a warning on startup and after a JVM pause if the kernel setting vm.swappiness is not 0 as this can cause the server to become unresponsive for several seconds when memory is paged back from disk during a garbage collection. Issue:DS-9070
Display an error message rather than an exception stack trace when the encryption-settings tool is invoked without any arguments. Issue:DS-8892
Fix a bug in the index rebuild task in which, if the set of indexes to rebuild included one or more system indexes, the task would take the backend offline before rejecting the rebuild attempt and bringing the backend back online. The task will now reject the rebuild attempt without affecting the availability of the target backend. Issue:DS-8971
Fix a bug that prevented offline LDIF exports of the config backend. Issue:DS-9447
Automatically record server monitor data at shutdown, as it may be useful for debugging purposes in cases where a problem was experienced within the server that was resolved by a restart. Issue:DS-9777
Update the config definitions for the client connection policy and simple connection criteria objects to provide additional documentation about using connection criteria in conjunction with client connection policies. In particular, it is now clearer that connections secured with StartTLS are initially considered insecure before the StartTLS operation has been completed and therefore insecure connections must be allowed in order to permit them to submit the StartTLS requests needed to secure them. Issue:DS-9097
Update the Server SDK password storage scheme documentation to indicate that password validators may not always be invoked before the password storage scheme is used to encode the password. As such, the password storage scheme should not make any assumptions about the format of the plaintext passwords it is called upon to encode, nor about whether those plaintext passwords will be allowed for use in the target entry. Issue:DS-9683 SF#:00002043
Improve the performance of certain monitor entry searches that target specific monitor entries by object class. In particular, this includes searches with AND or OR filters, as well as filters that target object classes not defined in the server schema. Issue:DS-9772
Update the LDAP processing within the server to be able to interpret malformed abandon requests sent by versions of the Netscape LDAP SDK for Java built before March 2001. Issue:DS-9865
Lower the severity from SEVERE to MILD for attribute mapping failures due to missing source attribute. Issue:DS-9858 SF#:2068
Fix an issue in replication configurations where one replication domain was subordinate to another: LDIF initialization of the subordinate domain could cause replication to diverge in the superior domain for ADD operations. Issue:DS-9607
Fix an issue where the Identity Access API would not return search results when filtering by an operational attribute unless the "attributes" query parameter was also used. Issue:DS-7891
Fix a bug that could interfere with upgrading from a pre-4.1 server when the changelog is enabled. Issue:DS-9873
Deprecate the 'dsreplication detach' command. This command is still functional but will generate warnings if used either interactively or non-interactively. To remove or isolate a server from the replication topology you should instead use 'dsreplication disable', which will remove the server from a replication topology for a given base DN. Issue:DS-9919
Update the server to force data written by the 'backup' and 'export-ldif' tools to disk periodically. This can significantly reduce the impact on response times of update operations that are running on the server by limiting the amount of outstanding data in the file system cache that must be flushed during certain database operations. Issue:DS-9944 SF#:00002092
Update the message emitted by the server when a JVM pause is detected to list additional possible causes beyond garbage collection. Issue:DS-9859
These features were added for version 4.1.0.0 of the Directory Server:
The UnboundID Identity Broker is the first of a new class of components for consumer and subscriber identity management architectures.
As a stand-alone server, it provides authorization decisions for client applications, provisioning systems, API gateways, and analytical tools in any architecture involving personal, account, or sensitive identity data.
Working together with the UnboundID Identity Data Store and Identity Proxy, the Identity Broker is designed to make high-volume and high-speed authorization decisions based on ever-changing consumer profile and consent data. Functionally, the Identity Broker is both the Policy Decision Point and the OAuth2 provider for externalized authorization. Performance-wise, the Identity Broker can support the request volumes driven by the complex, real-time interactions necessary to support today's consumer-facing mobile, social, and cloud ecosystems.
These issues were resolved with version 4.1.0.0 of the Directory Server:
Update the PingDirectory Server and PingDirectoryProxy Server to provide improved support for LDAP transactions. It is now possible to use batched transactions (either the UnboundID proprietary implementation or standard LDAP transactions as per RFC 5805) through the Directory Proxy Server in both simple and entry-balanced configurations, although only in cases in which all requests may be processed within the same backend server and within the same Berkeley DB JE backend. It is not currently possible to process a transaction that requires changes to be processed across multiple servers or multiple Directory Server backends.
In addition, both the PingDirectory Server and PingDirectoryProxy Server now provide support for a new multi-update extended operation that makes it possible to submit multiple updates in a single request. These updates may be processed either as individual operations or as a single atomic unit. Issues:DS-1096,DS-524 SF#:00001419
SCIM support is now integrated into the Directory and Proxy builds and a separate install of the SCIM extension is no longer required. An initial SCIM HTTP connection handler and SCIM extension is included with the out of the box config but is disabled by default. Issue:DS-6777
Add the ability to create custom SASL mechanism handlers using the Server SDK. This makes it possible for third-party developers to create their own custom authentication logic to better integrate with software that needs to perform a kind of authentication that the server does not support out of the box. Issue:DS-3650
Add support for a new UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism that provides a simple form of multifactor authentication by requiring both a client certificate (supplied during SSL/TLS negotiation) and a password. Issue:DS-4411
Add support for OAuth 2.0 bearer token authentication to the SCIM interface. This requires an OAuthTokenHandler extension built with the UnboundID Server SDK in order to decode and validate bearer tokens. Issue:DS-6763
Add support for a new last access time plugin that can be used to update a ds-last-access-time attribute in an entry that has been targeted by add, bind, compare, delete, modify, or modify DN operations, as well as in search result entries returned to the client. The format of the last login time value can be customized to help avoid updating entries too frequently (e.g., no more than once per day). Issue:DS-7370
Add a generic REST API that can be enabled in the PingDirectory Server or PingDirectoryProxy Server to expose access to raw LDAP data over HTTP using the SCIM protocol. Issue:DS-7267
Make it possible to configure the PingDirectory Server so that some entries may be excluded from the database cache, thereby making it possible to prioritize which entries should be held in memory versus those which require disk access to retrieve.
The selection of entries to exclude from the database cache is performed using an uncached entry criteria object, and the criteria to use may be customized on a per-backend basis. The Directory Server currently includes two forms of criteria: one which uses a filter to indicate which entries should be cached and which should be uncached, and another which uses the last access time to ensure that only recently-accessed entries are cached. The Server SDK has also been updated to make it possible for administrators to define their own uncached entry criteria. Issue:DS-7350
Add support for RPM based installation. Issue:DS-5990
Update the names of the UnboundID-branded products, which are now:
- Identity Data Store (formerly PingDirectory Server)
- Identity Proxy (formerly Proxy Server)
- Identity Data Sync Server (formerly Synchronization Server)
- Metrics Engine (name unchanged)
Issues:DS-7514,DS-7515,DS-7516,DS-7518
Add support for uncached attributes, which can be used to indicate that certain attributes should be stored in a separate database (with different cache settings) from the rest of the content for the entry. This can help administrators better control the memory footprint of the server, particularly in deployments in which the underlying system doesn't have enough memory to fully cache all data.
The server includes support for a simple uncached attribute criteria implementation that allows the administrator to specify the attribute types for attributes that should be uncached, optionally restricted to those attributes with at least a minimum number of values or total value size. Server SDK support is also included so that custom uncached attribute criteria implementations can be created using Java or Groovy code. Issue:DS-6617
Add support for a new control that may be used to indicate that updates to certain operational attributes should be suppressed for the associated operation. At present, the control makes it possible to suppress updates to any combination of the following elements:
* An entry's last access time
* An entry's lastmod attributes (creatorsName, createTimestamp, modifiersName, modifyTimestamp)
* A user's last login time
* A user's last login IP address
The ldap-diff tool has been updated to use this control if the server supports it so that it will not require updating the last access time for all entries being examined. Issue:DS-7632
Add a new task (and a corresponding tool to invoke it) that makes it possible to re-encode all or a selected portion of the entries in a local DB backend. This can be useful after a configuration change that impacts the way that entries should be encoded, including:
* If the uncached attribute and/or uncached entry feature has been enabled and you wish to re-encode the entries so that the appropriate portions of the data are uncached.
* If you're using the last access time uncached entry criteria and wish to migrate entries that haven't been accessed in a while to the uncached database.
* If you have enabled or disabled data encryption and/or compression, or if you have changed an encryption key, and want the data to be re-encoded to apply that change.
The set of entries to re-encode may be customized so that entries in specified branches are included or excluded, and/or that entries matching specified filters are included or excluded. It is also possible to exclude entries that are fully and/or partially uncached so that only cached data will be accessed. A rate limiting option can be used to help ensure that re-encode processing will have a minimal impact on other operations handled within the server.
Note that the re-encode processing does not have any impact on the content of the entries (e.g., there are no updates to the lastmod or last access time attributes), nor does it cause the entries to be re-indexed. Issue:DS-7486
Fix a bug where adding a duplicate schema attribute type in a new file would remove the attribute type from the original file on other replicas when the schema change was replicated. Issue:DS-6610 SF#:1736
Add ability to set the maxHeapSize and listenAddress arguments in a properties file when running setup. Issue:DS-6003
Fix a bug where current heap size was not displayed in error message about being too low. Issue:DS-7292
Update the PingDirectory Server to add support for compacting attribute values based on the associated attribute syntax. This can significantly reduce the amount of disk space and memory required to hold values of these attributes.
At present, the server includes support for compacting values of attributes with the following syntaxes:
- Boolean
- Distinguished Name
- Generalized Time
- Name and Optional UID
- User Password
- UUID
Compaction is enabled by default for all attributes with the Boolean, generalized time, user password, and UUID syntaxes, and the original values should be perfectly preserved by the compaction process.
Distinguished name and name and optional UID compaction will always result in values that are logically equivalent, but the compaction process may introduce some cosmetic differences (e.g., loss of insignificant spaces in between components) that may confuse some clients that expect values to be returned exactly as they were provided. As such, compaction is only enabled by default for the creatorsName and modifiersName attributes. In environments in which it is known that clients will accept minor cosmetic differences in DN values, compaction can be easily enabled for all values. Issue:DS-6391
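The following is an added example, not code from the Directory Server, that illustrates what "logically equivalent but cosmetically different" means for a DN: a small normalizer that lowercases attribute types and drops insignificant whitespace around the "=" and "," separators (honoring backslash escapes as in RFC 4514). The normalizer is a simplified, assumed implementation and does not apply the full RFC 4514 normalization rules (hex escapes, multi-valued RDN ordering, syntax-aware value matching); it is only meant to show why a client that compares DN strings byte-for-byte can break when the server returns a compacted value.

```python
def split_unescaped(text, sep):
    """Split text on sep, skipping separators that are backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Return a cosmetically normalized form of the DN (assumed, simplified rules).

    - attribute types are lowercased (LDAP attribute types are case-insensitive)
    - whitespace around ',' '+' and '=' is removed (insignificant per RFC 4514)
    - escape sequences and value content are otherwise left untouched
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("malformed RDN component: %r" % ava)
            attr_type, value = ava.split("=", 1)
            avas.append(attr_type.strip().lower() + "=" + value.strip())
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dns_equivalent(a, b):
    """True when two DN strings denote the same entry under the rules above."""
    return normalize_dn(a) == normalize_dn(b)


# Constructed sample values: the same entry as a client might send it and as a
# compacted value might come back.
AS_PROVIDED = "CN=Jane Doe, OU=People , DC=example,DC=com"
AS_COMPACTED = "cn=Jane Doe,ou=People,dc=example,dc=com"
WITH_ESCAPED_COMMA = "cn=Doe\\, Jane, ou=People, dc=example, dc=com"

if __name__ == "__main__":
    print(AS_PROVIDED == AS_COMPACTED)              # byte-for-byte comparison fails
    print(dns_equivalent(AS_PROVIDED, AS_COMPACTED))  # logical comparison succeeds
    print(normalize_dn(WITH_ESCAPED_COMMA))
```

The practical takeaway for an integrator deciding whether to enable compaction for all DN-syntax attributes is that any client logic comparing DNs must compare normalized forms (or, better, use the LDAP SDK's DN class); clients that cache the exact string they wrote are the ones the note above warns about.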
Fix a bug where under certain error conditions the start server scripts could prompt user to overwrite existing file. Issue:DS-7268
Enhance collect support data tool to include directory listings of external replication and changelog database directories. Issue:DS-6943
Fix a bug where dsconfig would exit unexpectedly if going "back" when creating a new property value. Issue:DS-7735
Modify the restore utility to restore the modified timestamp of restored files to have their original value. This makes it possible to do an incremental backup immediately after doing a restore. Issue:DS-8089
Improve Server SDK to allow calling setAttachment on a ProxyOperationContext. Issue:DS-8123 SF#:1876
Upgrade to Berkeley DB Java Edition version 5.0.75 to address a very slow memory leak that is accelerated by having a non-default number of database cleaner threads. Issue:DS-8083 SF#:1867
Eliminate the use of the legacy ds-entry-unique-id, ds-create-time, and ds-update-time attributes, and the virtual attributes used to generate entryUUID, createTimestamp, and modifyTimestamp from them. The server will now generate entryUUID, createTimestamp, and modifyTimestamp as real attributes, and will use syntax-based compaction to provide the same space savings as had previously been accomplished with the legacy compaction mechanism. Issue:DS-6391
Add support for a control that can be included in a delete or modify DN request to indicate that no referential integrity processing should be performed for that operation. Issue:DS-8038
Update the access logging framework to provide support for logging information about replication assurance processing. In the default file-based access logger, RESULT messages may include information about the level of assurance that will be used for the operation, and new ASSURANCE-COMPLETE messages will provide information about the result of that assurance processing. The debug access logger has also been updated to provide detailed information about assurance processing. Issues:DS-7822,DS-7823
Update the Server SDK to make it possible to create custom loggers that include information about replication assurance processing. Issues:DS-7822,DS-7823
Update the server to provide better support for the "binary" attribute option as described in RFC 4522. The server will now automatically ensure that the binary option is provided for attributes with the certificate, certificate list, certificate pair, and supported algorithm syntaxes. The server will now include the binary option when returning attributes of these syntaxes, and will silently insert the binary option if it is missing from these attributes during LDAP add, LDAP modify, and LDIF import processing. Issue:DS-7241
Introduce an "include-thread-id" configuration property on many of the file-based loggers that, when enabled, adds a threadID field to logging output. This makes it possible to know exactly which thread logged a message, which can simplify correlating errors between log messages and separate logs. This ID can be correlated to a thread name using the cn=JVM Stack Trace,cn=monitor entry. Issue:DS-8212
Update support for batched transactions to fix a potential corner case for a deadlock that could cause the transaction to fail after a timeout period. This change also eliminates the dependency that required all batched transactions to be processed in a pre-specified backend, so that it is now possible to process a batched transaction in any backend (as long as all operations that are in the transaction are in the same backend). Issue:DS-8185
Change stop-*.bat to attempt a soft server shutdown before terminating the process. Issue:DS-408
Eliminate unnecessary thread contention when evaluating ACIs that use groupDN. Issue:DS-8279
Update the server to reduce the need to access uncached data for modify operations targeting partially-cached entries. Previously, modifies to partially-cached entries would always read from and write to both the id2entry and uncached-id2entry databases. Now, the server will attempt to avoid accessing uncached content for modify operations that don't alter uncached attributes. Issue:DS-7899
Update the unique attribute plugin to provide an option to reject changes if they would result in a conflict with a soft-deleted entry. By default, values in soft-deleted entries will not be considered conflicts, but it is now possible to configure the server so that such conflicts will not be allowed. Issue:DS-8239
Fix a bug that prevented the password modify extended operation from updating a user's password when the update was part of an atomic multi-update extended operation. Issue:DS-8217
Fix an issue which could result in a NullPointerException error message when using the Pass Through Authentication plugin with external servers that do not have a location attribute defined. Issue:DS-8265
Update the update tool to run Oracle's DbPreUpgrade_4_1 utility on Data Store database files created with a 4.1 or earlier version of Berkeley DB before being updated to a 5.x version of Berkeley DB. Issue:DS-8135
Update the logic used to generate ds-entry-checksum values so that checksums will be consistent across servers, even if the entries have the attributes or attribute values in different orders. Issue:DS-7754
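As an added example (not the server's own ds-entry-checksum implementation, whose exact algorithm the note above does not describe), the following shows the general technique for an order-independent entry checksum: canonicalize the entry by lowercasing attribute names, sorting attributes and values, and length-prefixing every component before hashing, so that two replicas holding the same data in different physical order agree on the digest. Values are compared byte-for-byte here; a production implementation would additionally apply the attribute's equality matching rule (assumption: the server does some form of this, but the page does not say).

```python
import hashlib


def normalize_entry(entry):
    """Collapse an entry into {lowercased attribute name: set of value bytes}.

    entry: dict mapping attribute name -> list of str or bytes values.
    Attribute names are case-insensitive in LDAP, so 'CN' and 'cn' merge.
    Using a set drops duplicate values, which LDAP forbids anyway.
    """
    norm = {}
    for name, values in entry.items():
        bucket = norm.setdefault(name.lower(), set())
        for v in values:
            bucket.add(v.encode("utf-8") if isinstance(v, str) else bytes(v))
    return norm


def _length_prefixed(data):
    # A 4-byte big-endian length prefix makes the canonical stream unambiguous:
    # ("ab","c") and ("a","bc") must not hash to the same bytes.
    return len(data).to_bytes(4, "big") + data


def entry_checksum(entry):
    """SHA-256 over the canonical form of the entry, as a hex string."""
    h = hashlib.sha256()
    for name, values in sorted(normalize_entry(entry).items()):
        h.update(_length_prefixed(name.encode("utf-8")))
        h.update(len(values).to_bytes(4, "big"))
        for v in sorted(values):
            h.update(_length_prefixed(v))
    return h.hexdigest()


# Constructed sample data: the same logical entry as two replicas might hold it.
ENTRY_ON_REPLICA_1 = {
    "objectClass": ["top", "person", "inetOrgPerson"],
    "cn": ["Jane Doe"],
    "mail": ["jane@example.com", "jdoe@example.com"],
}
ENTRY_ON_REPLICA_2 = {   # different attribute order, value order and name case
    "mail": ["jdoe@example.com", "jane@example.com"],
    "CN": ["Jane Doe"],
    "objectclass": ["inetOrgPerson", "person", "top"],
}

if __name__ == "__main__":
    print(entry_checksum(ENTRY_ON_REPLICA_1))
    print(entry_checksum(ENTRY_ON_REPLICA_1) == entry_checksum(ENTRY_ON_REPLICA_2))
```

The reason the length prefixes matter is worth stating: a checksum used to detect replica divergence must never report two different entries as identical, and naive string concatenation of names and values creates exactly such ambiguities.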
Update the JMX connection handler to infer an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) for JMX attributes from the underlying LDAP attribute type and value. The legacy behavior to return all JMX attributes as String values can be set if desired through the advanced global configuration property 'jmx-value-behavior'. Issue:DS-7635
Add the --noPropertiesFile option to the status command so that it does not fail when the option is provided to collect-support-data. Issue:DS-8390
Update the CRYPT password storage scheme to support the CRYPT-MD5 encoding offered by a number of Linux and UNIX systems. Issue:DS-8431
Update the UnsupportedOperationExceptions thrown by the Server SDK to include details about the failure, including the method name and the name and/or Java class of the extension that failed to implement the method. Issue:DS-8421 SF#:1898
These features were added for version 4.0.0.0 of the Directory Server:
Update the names of the UnboundID-branded products, which are now:
Add support for uncached attributes, which can be used to indicate that certain attributes should be stored in a manner amenable for applying different cache settings. This can help administrators better control the memory footprint of the server, particularly in deployments in which the underlying system doesn't have enough memory to fully cache all data.
The server includes support for a simple uncached attribute criteria that allows the administrator to specify the attribute types that should be uncached, optionally restricted to those attributes with at least a minimum number of values or total value size. Server SDK support is also included so that custom uncached attribute criteria implementations can be created using Java or Groovy code.
Make it possible to configure the Identity Data Store so that some entries may be excluded from the database cache, thereby making it possible to prioritize which entries should be held in memory versus those which require disk access to retrieve.
The selection of entries to exclude from the database cache is performed using an uncached entry criteria object, and the criteria to use may be customized on a per-backend basis. The Identity Data Store currently includes two forms of criteria: one which uses a filter to indicate which entries should be cached and which should be uncached, and another which uses the last access time to ensure that only recently-accessed entries are cached. The Server SDK has also been updated to make it possible for administrators to define their own uncached entry criteria.
Introduce the Identity Access API, a generic REST API that can be enabled in the Identity Data Store or Identity Proxy to expose access to raw LDAP data over HTTP using the SCIM protocol. For configuration information, please refer to the "Managing the SCIM Servlet Extension" chapter of the Administration Guide. For API documentation, please refer to the UnboundID Identity Access API Client Developer Guide.
Add support for RPM based installation.
Add support for a new last access time plugin that can be used to update a ds-last-access-time attribute in an entry that has been targeted by add, bind, compare, delete, modify, or modify DN operations, as well as in search result entries returned to the client. The format of the last login time value can be customized to help avoid updating entries too frequently (e.g., no more than once per day).
Add support for a new control that may be used to indicate that updates to certain operational attributes should be suppressed for the associated operation. At present, the control makes it possible to suppress updates to any combination of the following elements:
* An entry's last access time
* An entry's lastmod attributes (creatorsName, createTimestamp, modifiersName, modifyTimestamp)
* A user's last login time
* A user's last login IP address
The ldap-diff tool has been updated to use this control if the server supports it so that it will not require updating the last access time for all entries being examined.
Add a new task (and a corresponding tool to invoke it) that makes it possible to re-encode all or a selected portion of the entries in a local DB backend. This can be useful after a configuration change that impacts the way that entries should be encoded, including:
* If the uncached attribute and/or uncached entry feature has been enabled and you wish to re-encode the entries so that the appropriate portions of the data are uncached.
* If you're using the last access time uncached entry criteria and wish to migrate entries that haven't been accessed in a while to the uncached database.
* If you have enabled or disabled data encryption and/or compression, or if you have changed an encryption key, and want the data to be re-encoded to apply that change.
The set of entries to re-encode may be customized so that entries in specified branches are included or excluded, and/or that entries matching specified filters are included or excluded. It is also possible to exclude entries that are fully and/or partially uncached so that only cached data will be accessed. A rate limiting option can be used to help ensure that re-encode processing will have a minimal impact on other operations handled within the server.
Note that the re-encode processing does not have any impact on the content of the entries (e.g., there are no updates to the lastmod or last access time attributes), nor does it cause the entries to be re-indexed.
These were known issues at the time of the release of version 4.0.0.0 of the Directory Server:
UnboundID RPMs do not support the "--relocate" option. However, the RPMs are relocatable using the "--prefix" option at install time. Issue:DS-7890
These issues were resolved with version 4.0.0.0 of the Directory Server:
The default "SCIM HTTP Connection Handler" has been replaced by two default HTTP connection handlers, "HTTP Connection Handler" and "HTTPS Connection Handler". They are disabled by default unless the Identity Data Store or Identity Proxy is set up using the setup tool's "--httpPort" or "--httpsPort" options. Issues:DS-7517,DS-7679
File Server HTTP Servlet Extensions now allow a default MIME type to be set with the default-mime-type property. Issue:DS-6959
The SCIM service will now return an HTTP 500 status code instead of a 400 or 404 to the client when the request results in an LDAP result code 52. Issues:DS-7231,DS-7703
To better comply with the SCIM 1.1 specification, the SCIM servlet will now issue a severe warning at startup if SSL is not enabled. Issue:DS-7252
The SCIM servlet now allows HTTP basic authentication to be disabled if OAuth bearer token authentication is enabled. Issue:DS-7264
The default File-Based Access Logger will now log SCIM-initiated LDAP operations by default. These log items will be marked with an 'origin="scim"' attribute. Issue:DS-7472
To comply with the SCIM 1.1 specification, the default scim-resources.xml configuration file now maps SCIM IDs to LDAP entryUUIDs rather than DNs by default. Issue:DS-7478
Fix an issue in which certain password policy and sensitive attribute settings were not enforced if a request originated over an insecure SCIM connection. Issue:DS-7504
The SCIM service will now return an HTTP 400 status code instead of a 500 when a failure occurs due to a sensitive attribute violation. Issue:DS-7703
Fix an issue with the SCIM XMLStreamMarshaller where it did not correctly handle invalid XML characters. Attributes that are not explicitly declared as BINARY in the schema may now be returned as base64-encoded strings if they contain any invalid XML characters. The server will add the "base64Encoded=true" attribute to any XML elements for which this is done, so that the client will know the data is encoded. Issue:DS-7782
Change the stop-* tools to behave like other task-based tools. These tools require the use of the --task argument to ensure that the user knows they are using a server task. These tools also will not use properties files unless you provide the --usePropertiesFile or --propertiesFilePath arguments.
Fix a performance issue when handling Get Changelog Batch requests with data from replicas that are external to a server's dataset. Issue:DS-7463 SF#:1812
Fix a bug that resulted in extraneous warning messages being seen in tool output. Issue:DS-4533 SF#:1803
Fix a bug that allowed a MODDN operation to use a new RDN with an invalid syntax. Issue:DS-7502 SF#:1814
Audit logging previously logged add, modify, modifydn and delete operations within batched and interactive transactions whether the transaction was successful or aborted. The Identity Data Store now only logs operations performed within a transaction after the transaction has been committed. Issue:DS-7429
Update both the GUI and CLI Directory installers to solicit HTTP/S port information from the user and provide just enough SCIM extension configuration to get the web services running following setup. If the user specifies that they would like HTTP support enabled, setup will configure the HTTP and HTTPS Connection handlers, which are now available in the default configuration out of the box. Afterward, it will perform a search and replace of the scim-resources.xml file, replacing the default dc=example,dc=com base DN with the DN chosen during setup. Finally, it will install the recommended ACIs. Further information is printed regarding additional SCIM setup steps. Issue:DS-7517
Add an option to enable ACI debug traces in the Debug Access Log Publisher. Issue:DS-3322
Update the lastmod plugin so that modifiersName and modifyTimestamp will not be updated for operations invoked by the internal root user. Issue:DS-7584
Deprecate support for the large attribute capability, since this capability has been superseded by uncached attribute support. Issue:DS-7369
Fix a bug that prevented viewing hidden and complex configuration properties using dsconfig in a non-interactive mode. Issue:DS-7245
Update the audit logger to provide the ability to exclude information about updates to a specified set of attributes. By default, updates to the ds-last-access-time, ds-pwp-last-login-time, and ds-sync-hist attributes will be suppressed. Information about updates to these attributes will also be suppressed in the LDAP changelog by default. Issue:DS-7584
Improve the performance of ldifmodify when executed with a large source LDIF file. Issue:DS-7656
Fix a bug in the manage-extension tool that would cause an error when attempting to install an extension if that extension's getExtensionDescription method returned null (which is allowed as per the documentation). Issue:DS-7367
Add a Short Unique ID virtual attribute provider that generates short unique identifiers from a sequence number. Each time the virtual attribute is requested for an entry, the sequence number attribute on that entry is incremented and a new unique identifier is returned as the value of the virtual attribute. The short unique identifier is a base62-encoded string containing letters and digits. The short unique identifier incorporates a replica ID to guarantee uniqueness across replication. Issue:DS-7548
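The following Python is an added sketch of the scheme that item describes, not the server's implementation: a per-entry counter combined with the replica ID of the server that served the request, rendered in base62, so that two replicas bumping the same entry's counter to the same value still produce different identifiers. The bit layout (a 16-bit replica ID above a 48-bit sequence), the alphabet order and the attribute name seq are assumptions made for the example.

```python
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SEQ_BITS = 48  # assumption: 48-bit per-entry sequence, 16-bit replica ID above it


def base62_encode(n):
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, r = divmod(n, 62)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))


def base62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + ALPHABET.index(ch)
    return n


class ShortUniqueIdProvider:
    """One instance per replica. next_id() bumps the entry's sequence attribute
    (here the dict key 'seq', an assumed name) and returns the virtual value."""

    def __init__(self, replica_id):
        if not 0 <= replica_id < (1 << 16):
            raise ValueError("replica id must fit in 16 bits")
        self.replica_id = replica_id

    def next_id(self, entry):
        seq = entry.get("seq", 0) + 1
        if seq >= (1 << SEQ_BITS):
            raise OverflowError("sequence exhausted for this entry")
        entry["seq"] = seq
        return base62_encode((self.replica_id << SEQ_BITS) | seq)


def decode_id(short_id):
    """Recover (replica_id, sequence) from an identifier, e.g. when auditing
    which replica issued a value."""
    n = base62_decode(short_id)
    return n >> SEQ_BITS, n & ((1 << SEQ_BITS) - 1)
```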
Update the dsreplication enable command to correct a server version comparison intended to ensure that the tool may only be used to add a server of the same or newer version, in order to prevent configuration incompatibilities between replicating servers. The comparison erroneously failed when attempting to add a server of a newer major version. In order to add a version 4.0 server to a topology containing 3.5 or 3.6 servers, it will be necessary to patch one of the older servers before the 4.0 server can be added to the topology using the dsreplication enable command. Issue:DS-7672
Increase the frequency at which search time limits are checked in order to provide more accurate adherence. Issue:DS-7688 SF#:1834
Fix a bug that caused low-level logging output to be written to the console when using dsconfig. Issue:DS-7642
Update dsconfig to allow configuration objects to reference group entries that don't exist (for example in the 'all-included-user-group-dn' property of SimpleConnectionCriteria). This prevents certain errors when running dsconfig in batch mode or when configuring things out of order. Issue:DS-4178
Update the lastmod plugin (responsible for maintaining the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes) so that it does not attempt to alter the values of these attributes for replicated operations. The server which initially processed the change will set these attributes and they will continue to be replicated, but there were previously corner cases in which these attributes might not be updated on the source server but would then get set on all downstream replicas, which could lead to their values getting out of sync. Issue:DS-7670
Critical: Improve server stability by disabling explicit garbage collections that were being caused by JMX connections. Issue:DS-7633
Update the import-ldif and rebuild-index tools so that any errors encountered during the index merging phase (e.g., running out of file descriptors) will be more visible to administrators. Also, fix a bug in the rebuild-index tool that could cause an index to be marked trusted even if an error occurred during the index merging phase that made the index untrustworthy. Issue:DS-7363
Fix a bug in the LDAPConnectionHandler where it did not close the NIO Selector on shutdown. On some platforms this caused the underlying socket channel to remain bound, which prevented the server from being able to restart. Issue:DS-7373
Update the backend finalization code so that it can now make multiple attempts to close a database. This may help the backend shut down cleanly if the first attempt at closing a database fails because one or more long-running operations are still accessing that database (e.g., holding a cursor open). Issue:DS-7746
These features were added for version 3.6.0.0 of the Directory Server:
Update the PingDirectory Server and PingDirectoryProxy Server to provide improved support for LDAP transactions. It is now possible to use batched transactions (either the UnboundID proprietary implementation or standard LDAP transactions as per RFC 5805) through the Directory Proxy Server in both simple and entry-balanced configurations, although only in cases in which all requests may be processed within the same backend server and within the same Berkeley DB JE backend. It is not currently possible to process a transaction that requires changes to be processed across multiple servers or multiple Directory Server backends.
In addition, both the PingDirectory Server and PingDirectoryProxy Server now provide support for a new multi-update extended operation that makes it possible to submit multiple updates in a single request. These updates may be processed either as individual operations or as a single atomic unit.
SCIM 1.1 support is now integrated into the PingDirectory Server and PingDirectoryProxy Server, and a separate install of the SCIM extension is no longer required. An initial SCIM HTTP connection handler and SCIM HTTP servlet extension is included with the out of the box config but is disabled by default.
Add support for the PATCH operation in the SCIM SDK and server implementation. This allows for resources to be partially updated without having to send the entire contents of the resource across the network, reducing network and processing overhead. This is especially beneficial for resources with many attributes, such as Groups.
Add support for OAuth 2.0 bearer token authentication to the SCIM interface. This requires an OAuthTokenHandler extension built with the UnboundID Server SDK in order to decode and validate bearer tokens.
Add support for a new UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism that provides a simple form of multifactor authentication by requiring both a client certificate (supplied during SSL/TLS negotiation) and a password.
Add the ability to create custom SASL mechanism handlers using the Server SDK. This makes it possible for third-party developers to create their own custom authentication logic to better integrate with software that needs to perform a kind of authentication that the server does not support out of the box.
IPv6 is now a supported deployment option.
64-bit JDK 7 is now a supported deployment option, but 32-bit JDKs are no longer supported.
These were known issues at the time of the release of version 3.6.0.0 of the Directory Server:
When reinitializing replication for a directory server, it is important not to disable and re-enable replication. If replication is ever disabled for a replica, then the cleanup-local-server command must be run before replication is re-enabled. Issue:3159
Support for the SCIM protocol is now built in to the server. A disabled HTTP Connection Handler called "SCIM HTTP Connection Handler" and an HTTP Servlet Extension called "SCIM" will be added to the configuration during the update process; to prevent upgrade conflicts, any existing Server SDK-based SCIM extensions should be uninstalled prior to running update. Issue:DS-7324
These issues were resolved with version 3.6.0.0 of the Directory Server:
Fix an issue where modifications to attributes with options were not recorded correctly in the LDAP changelog nor in the recent changes database of the Local DB Backend. Issue:DS-6753
Change the installer to use Large Pages when testing available memory if the OS is configured to use Large Pages. Issue:DS-6760 SF#:1745
Update the replica code to never perform a search using the ds-sync-hist attribute on backends using the Berkeley DB database. Update error messages to better reflect severity and to omit reference to num-recent-changes on non-Berkeley DB backends. Issue:DS-6744
Update the JMX Connection Handler configuration to issue a warning if it is enabled. On some JVMs, enabling this aspect of JMX can lead to long garbage collection pauses. Issue:DS-6832
Fix a bug that prevented search requests for attributes with specific options from returning all of the intended results. Issue:DS-6944 SF#:1765
Update the ChangelogBackend to filter by ChangeType early in the examination process (before decoding the full ChangeLogEntry), for better efficiency. Update the ChangelogBackend to use the current thread to read each ChangelogEntry if a GetChangelogBatch request is only interested in a sparse subset of the changes available. This will reduce contention when processing lots of these requests. Issues:DS-6911,DS-6912
Add help text to web console deployment descriptor with JBoss compatibility tips. Issue:DS-6976 SF#:1749
Update the logic that the server and its associated tools use to select the SSL/TLS protocol version for secure communication to provide the best combination of security and compatibility. Also, a new log message type is available that can provide information about the negotiated security protocol, including the selected SSL/TLS protocol version and cipher suite. Issues:DS-6720,DS-6903
Upgrade the directory server to use version 5.0.58 of Berkeley DB Java Edition. Issue:DS-6935
Provide a secondary database storage format for attribute indexes that can be more efficient for writes. A new advanced property exploded-index-entry-threshold allows index keys with high entry counts to be written to a separate database in an exploded format. The exploded format stores each entry ID independently in its own record, so does not require the entire set of entry IDs for a key to be rewritten on each update.
An index statistics summary table is now output after an LDIF import or index rebuild, to aid in tuning the index configuration.
A new property substring-index-entry-limit allows substring indexes to have their index-entry-limit value set independently from other types of index for the same attribute. Issue:DS-5864
Update the PingDirectory Server to fix a bug that prevented the simple paged results control from being handled properly for searches spanning multiple backends. Issue:DS-5953
Fix a race condition bug that could result in replication thread crashes when replicas are slow to respond with monitoring data. Issue:DS-6994 SF#:1782
Replace the move-entry tool with a new move-subtree tool. The move-subtree tool provides all of the capabilities of the move-entry tool, but also adds the ability to move entire subtrees (ideally with a relatively small number of entries, since both the source and target servers hold locks during the move). Issue:DS-6035
Prevent failures for configuration group changes where the parent configuration entry may or may not exist amongst the various servers in the configuration group. Issue:DS-6088
Fix an issue where a replica restored from backup may not receive some changes that have been applied after the backup was taken. Issue:DS-6812
Add support for a new set subtree accessibility extended operation that can be used to make a specified subtree either read-only or hidden. Issue:DS-7028
Update the PingDirectory Server to not issue a work-queue-backlogged alert after doing an explicitly invoked garbage collection. Issue:DS-3320
Update the Server SDK to provide support for developing custom account status notification handlers (which may be used to take action like notifying users and/or administrators of significant password policy or account state events) using Java or Groovy. Issue:DS-3651
Add support for a new extended operation that can be used to retrieve information about all subtree accessibility restrictions defined in the server. Issue:DS-7029
Allow a soft-deleted entry to be moved by the move-subtree command line tool. Issue:DS-6592
Address a server performance degradation when the separate-monitor-entry-per-tracked-application property of Processing Time Histogram Plugin was set to true. Issue:DS-7045
Fix an issue in the migrate-ldap-schema tool where the --trustStorePath argument did not work. Issue:DS-5924
Fix a bug where the PermissiveModifyRequestControl was not honored in conjunction with the objectClass attribute. Issue:DS-7046
Fix the manage-tasks tool so that it does not use an insecure connection when --useStartTLS is specified, and does not prompt for certificate trust when --trustAll is specified. Issue:DS-5924
Fix an issue where an attempt to proxy as another user incorrectly failed with insufficient access rights. This only occurred when a search operation spanned multiple database backends in the Directory Server. Issue:DS-6372
Changed the default replication domain and server window sizes to 5000 since this leads to improved performance in some situations. Issue:DS-7229
Add the --isCompressed option to the parallel-update tool so that it can read input LDIF files that are gzip compressed. Issue:DS-7237
Fix a problem in the manage-extension tool where it would fail on Windows because it tried to delete some temp files that were currently in use. Issue:DS-6770
Add a new subtree-accessibility tool that can be used to make a subtree hidden or read-only, or to revert it back to its normal accessibility state.
Fix a bug in which the PingDirectory Server may return an incorrect referral if it encounters an LDAP URL with a scheme of "ldaps" rather than "ldap". Issue:DS-7246
Update the active operations monitor entry so that information about active search operations will include "unindexed=true" for searches known to be unindexed. Issue:DS-5904
Fix a bug in dsconfig that prevented going back when adding a new configuration object inside of an existing one. Issue:DS-7263 SF#:1793
Add a new "examples-of-all-tags.template" make-ldif template that demonstrates and explains the use of all variations of all supported tags. This template isn't intended to actually be used to generate entries, but merely to document the available tags. Issue:DS-5947
Update the dsreplication tool to fix the --noPropertiesFile option which was previously ignored. Issue:DS-7319
Update the PingDirectory Server to acquire an exclusive lock in the backend while processing changes for a batched transaction or atomic multi-update operation. This can help prevent other clients from performing operations which may result in conflicts with those operations that are part of the transaction. Issue:DS-7235
Fix a bug that could cause an error during server startup if the root DSE backend was configured with an explicit set of subordinate base DNs. Issue:DS-7325
Fix a bug in which a successful bind using a password-based SASL mechanism would not clear the record of previous authentication failures for the account. Issues:DS-7387,DS-7388
Fix an issue where the PingDirectory Server reported inaccurate and fluctuating values of estimatedChangesRemaining in the access log for changelog batch requests. This was evident when the Sync Server in notification mode was configured to detect changes through a Proxy Server with entry-balancing across the PingDirectory Servers. Issue:DS-7355
Critical: Fix a bug in the LDAP Changelog where the changelog index manager could capture new changes for an attribute in one index after already hitting the end of another index. This created the possibility for changes to be missed when processing get-changelog-batch-requests at the same time that live traffic is happening. Issue:DS-7422
These features were added for version 3.5.1.0 of the Directory Server:
The Metrics Engine is a core server product that collects and aggregates key diagnostic, capacity, and usage information from an UnboundID server topology consisting of instrumented PingDirectory Server, PingDirectoryProxy Server, and Synchronization Servers running release 3.5.0.0 and above. Metrics data can be explored and graphed using the included query-metric tool, and the Metrics Engine REST API makes this information available to custom applications and third-party systems. To learn more about the Metrics Engine, please refer to the UnboundID Metrics Engine Administration Guide.
These issues were resolved with version 3.5.1.0 of the Directory Server:
Fix a bug that prevented search requests for attributes with specific options from returning all of the intended results. Issue:DS-6944 SF#:1765
Add help text to web console deployment descriptor with JBoss compatibility tips. Issue:DS-6976 SF#:1749
Fix a race condition bug that could result in replication thread crashes when replicas are slow to respond with monitoring data. Issue:DS-6994 SF#:1782
These features were added for version 3.5.0.0 of the Directory Server:
WAN-Friendly Replication
Replicated PingDirectory Servers are often deployed at multiple data centers. In order to reduce WAN traffic between data centers, PingDirectory Servers no longer propagate updates to all other PingDirectory Servers directly. Instead, a PingDirectory Server is automatically selected in each data center to handle update messages to and from remote data centers. For more information, see the WAN-Friendly Replication section in the Managing Replication chapter of the PingDirectory Server Administration Guide.
Soft Deletes
The PingDirectory Server now supports the ability to retain an entry after the delete operation. Instead of performing a permanent delete of an entry, a delete request with the Soft Delete Request control causes an entry to be renamed and hidden from subsequent searches. An entry preserved in the deleted state is known as a soft-deleted entry and may be undeleted at a later time. Users with the soft-delete-read privilege and access to the Soft Delete Entry Access Control may search for soft-deleted entries or non-deleted and soft-deleted entries. Soft-deleted entries are undeleted when an Add request with the Undelete control and the ds-undelete-from-dn attribute is processed.
Features:
The ldapsearch tool supports an --includeSoftDeletedEntries option, which causes soft-deleted entries to be included in search results. This option takes one of the following values: with-non-deleted-entries (default), without-non-deleted-entries, and deleted-entries-in-undeleted-form.
The ldapmodify tool supports an --allowUndeletes argument, which treats changetype: add LDIF entries that contain the ds-undelete-from-dn attribute as undeletes.
Password policy objects may now be stored in the Directory rather than in the configuration backend. For example, an organization may need to delegate administration of password policies without granting Directory Administrator privileges or configuration-write privileges to an organization administrator. Password policies may be stored relative to the members of an organization, e.g. "cn=Organization Password Policy,cn=Password Policies,cn=config,o=Acme,ou=organizations,dc=example,dc=com" allowing for configuration of a virtual attribute provider specifying the password policy for organization members using the ds-pwp-password-policy-dn attribute. Presently dsconfig only creates password policies in the PingDirectory Server configuration; to create, update or delete password policies in the Directory, password policy entries may be managed with the ldapmodify command.
The static group cache has been enhanced to improve nested static group performance. Support for nested static groups is now always enabled, and the setting for the support-nested-groups property of the Static Group Implementation configuration object no longer applies. However, to support nesting of dynamic groups inside static groups, the cache-user-to-group-mappings property is now disabled.
The isMemberOf virtual attribute can now be configured to only include a user's direct memberships (i.e., not dynamically derived and/or not through nested groups) using the new direct-memberships-only property. The new isDirectMemberOf virtual attribute, which is disabled by default, may also be used for this purpose.
Server SDK extension bundles may now be installed and updated using the manage-extension tool. For information about using the tool and building and packaging extensions, please refer to the UnboundID Server SDK documentation.
The server now includes an HTTP Connection Handler that can be used to provide HTTP access to the server. An HTTP Connection Handler can be configured to reference either an HTTP Servlet Extension written with the Server SDK or a standard web application (via a Web Application Extension configuration object). For more information, please refer to the Configuring HTTP Access for the PingDirectory Server section of the Configuring the Server chapter in the UnboundID PingDirectory Server Administration Guide.
These were known issues at the time of the release of version 3.5.0.0 of the Directory Server:
With Sun Java version 1.6.0_21 through 24, there is a known issue with frequent, long garbage collection pauses. To avoid these, we recommend using version 1.6.0_25 or higher of the JVM where this issue has been addressed.
When reinitializing replication for a directory server, it is important not to disable and re-enable replication. If replication is ever disabled for a replica, then the cleanup-local-server command must be run before replication is re-enabled. Issue:3159
When using a GSSAPI SASL Mechanism Handler the kerberos-service-principal property is only used to determine the protocol (i.e. "ldap"). The hostname will always be determined using the server-fqdn property. Issue:DS-5053
The move-entry tool cannot currently be used to move a soft-deleted entry, as the server disallows external attempts to add an entry with the ds-soft-delete-entry object class. Issue:DS-6592
When a large number of virtual static groups exist, retrieving the membership of a virtual static group may be more expensive than in versions prior to 3.5.0.0. Issue:DS-6842
A case exists where the re-initialization of a replica via the binary copy method may result in missed changes. When a replica is to be re-initialized, it is recommended that it not receive write requests directly from clients after the point in time when the backup was taken on the source server. Issue:DS-6812
These issues were resolved with version 3.5.0.0 of the Directory Server:
Fix an issue where multiple server configuration changes would fail if any of the servers were configured with an LDAPS (SSL) connection handler. Issue:DS-5100
Fix an issue where, in some cases, replication did not delay server startup even though the backlog was above the configured startup threshold. Issue:DS-5194
Fix the LastMod Plugin and the Changelog Backend so that the 'modifiersName' attribute will get correctly replicated and show up on changelog entries as the DN of the user who last modified the entry, for all operation types including DELETE. Issue:DS-4171
Fix a bug with the replication backlog alert where an unlimited threshold would always result in an alert being sent. Issue:DS-3337
Add support for properties file usage with summarize-config. Issue:DS-5213
Update the collect-support-data tool to include the equivalent of jstack output for IBM VMs on non-AIX platforms. Issue:MON-5027
Improve the communication between Replicas and Replication Server in the same process to use direct communication instead of network sockets. Issue:DS-3308
Improve OID syntax checking in ACIs. Issue:DS-3323
Add the ability to specify a reason when entering and leaving lockdown mode. This is recorded in the logs and in the alerts that are generated. Issue:DS-5331
Update the Subject Attribute to User Attribute Certificate Mapper so that duplicate mappings are not allowed for the same certificate attribute. Issue:DS-5547
Fix a bug where replication conflict entries were being filtered from search results, but counted towards the size limit. Issue:DS-5405 SF#:1604
Update the server to provide the ability to customize the client connection policy that is used for internal operations. Previously, the server would always use an internal policy that only knows about local backends, but in the PingDirectoryProxy Server, this could prevent internal operations from accessing content in backend servers.
The Server SDK has also been updated to provide ClientContext and OperationContext methods that make it possible to get internal connections using either the server's configured default internal client connection policy or the policy associated with the client connection on which the request was received. Issue:DS-5553
Fix a bug that could cause the server to pass the old configuration into the isConfigurationChangeAcceptable method for a number of types of Server SDK extensions. Issue:DS-5597
Update the server to support tracking LDAP operation processing statistics on a per application basis. Applications are identified using Connection Criteria referenced from the tracked-application property of the Global Configuration. The Processing Time Histogram Plugin and Periodic Stats Logger Plugin include settings to control whether per-application statistics are exposed in the monitor and logged to CSV files. Issues:DS-270,DS-5241
Update the Server SDK to provide extensions a way to dynamically register their own monitor providers with the server, without requiring any server-side configuration objects. Issue:DS-5271
Fix a bug where virtual attributes were not being pared from the changelog in the same way as non-virtual attributes. Issue:DS-5608 SF#:1629
Fix a bug where the access logger was not using the include-add-attribute-names property correctly. Issue:DS-5549 SF#:1612
Fix an issue with the FIFO Entry Cache where under high load, improper thread synchronization could lead to an entry in the cache being corrupted. Issue:DS-5659 SF#:00001632
Remove support for configuring multiple base DNs during install. Secondary Base DNs can still be added after running setup as needed. Issue:DS-808
Improve replication change management. Issues:DS-5108,DS-5572
Add workaround in SSL processing to detect potential buffer underflow or renegotiation even when processing appears to be OK. Issue:DS-5748 SF#:1636
Fix a bug where method level debug tracing could cause extraneous logging from other methods in the same class. Issue:DS-5760 SF#:1636
collect-support-data now excludes binary files unless --includeBinaryFiles is specified. Issue:DS-4260
Address an issue where search index processing would examine more entries than necessary when executing AND searches that included fully-indexed, complex components, such as (&(app=X)(|(priv=A)(priv=B))). Issue:DS-5783
Add system time change detection for backwards jumps in system time. Issue:DS-710
Fix a bug where rotate log files were being included in collect-support-data archive if they were compressed. Issue:DS-5745
Add a new servlet extension that can be used to serve static content like HTML pages, images, or other kinds of files. Issue:DS-5827
Add support for a new UNBOUNDID-TOTP SASL mechanism that uses the time-based one-time password mechanism as described in RFC 6238. This mechanism uses a base32-encoded shared secret stored in the user entry in conjunction with the current time to generate a temporary password that may be used during the authentication process. The one-time password may also be used in conjunction with a static password (e.g., as stored in the userPassword attribute) for a form of multifactor authentication which requires both knowledge of that static password and a device capable of generating the appropriate one-time password.
The Google Authenticator app (which is available for Android, iOS, and BlackBerry devices) supports TOTP and can be used to generate the appropriate one-time password. The UnboundID LDAP SDK for Java has also been updated with support for generating TOTP passwords, and includes support for the UNBOUNDID-TOTP SASL mechanism. Issue:DS-5852
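Added example (not the server's or the LDAP SDK's code) of the arithmetic behind the mechanism: RFC 4226 HOTP driven by the RFC 6238 time-step counter, a base32 shared secret of the kind the user entry holds, and a verifier that tolerates one step of clock skew. The constant-time comparison and the input check are general practice added here, not something this page states about the server; the LDAP attribute holding the secret and the static-password check are not modelled. The secret in the test is the RFC 6238 reference-vector key, so the codes can be checked against the RFC's Appendix B.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). The secret is
    stored base32-encoded, as in the user entry; padding is restored if absent."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    return hotp(base64.b32decode(padded), unix_time // step, digits)


def verify_totp(base32_secret, presented, unix_time, window=1, step=30, digits=6):
    """Accept the code for the current step or any step within +/- window
    (clock drift between device and server). Malformed input is rejected
    before any HMAC is computed, and every candidate is compared in constant
    time so a timing oracle cannot reveal matching prefixes."""
    if len(presented) != digits or not presented.isdigit():
        return False
    matched = False
    for skew in range(-window, window + 1):
        candidate = totp(base32_secret, unix_time + skew * step, step, digits)
        matched |= hmac.compare_digest(candidate, presented)
    return matched
```

A production verifier must also refuse to accept the same code twice within its validity window (replay), and the static-password factor is checked separately; neither is shown here.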
Fix a bug where a replica unexpectedly leaving the replication topology may cause one or more servers to become out-of-sync. Issue:DS-5862
Fix an issue where DirectoryThreads did not set their context classloader to the one provided by our ClassLoaderProvider. This caused all the threads in the server to use the system classloader by default, which only has access to the classes specified on the classpath (i.e., the core server libraries under the /lib directory). This becomes problematic if one of these threads calls into a library that uses Thread.getContextClassLoader() to load a class that is outside of the core server libraries (for example, in an extension library). In this case it would use the system classloader and subsequently throw a NoClassDefFoundError. Issue:DS-5876
Fix a bug where the dsreplication enable subcommand could fail to initialize the server registry when enabling replication between islands of servers that were already replicating. Issue:DS-5881
Update Berkeley DB to version 5.0.34. This version uses an updated on-disk database format that is not backwards compatible with the previous versions. Any existing databases using the previous format will be automatically updated when the server is started. Issue:DS-5657
Update the HTTPConnectionHandler to use Jetty version 8.1.0, which fixes several problems in the IO layer with respect to the latest JVMs and browsers. Switch the configuration to use Jetty's more efficient NIO socket connectors instead of the traditional blocking socket connectors. Issues:DS-5622,DS-5900
Prevent modification operation failures against replication conflict entries when the entry is already a replication conflict entry. Issue:DS-5601
Add a monitor entry (cn=Group Cache,cn=monitor) for the group cache that contains statistics for all the group implementations. Issue:DS-4728
The changelog backend will now index all modified user attributes by default. Previously, no attributes were indexed by default. Users who have changed the index-include-attribute configuration parameter from its previous default value may need to make additional changes after an upgrade. Issue:DS-5002
Add a new override-local-password property to the Pass Through Authentication Plugin. With the default value of false, the plugin attempts the bind remotely only if the local bind fails because there is no local password defined. When set to true, it attempts the bind remotely if the local bind fails for any reason.
The new override-local-password property changes the default behaviour of the Pass Through Authentication Plugin. To restore the previous behaviour, set the value to true. Issue:DS-5766
Add fix to handle SSL/TLS renegotiation attempts during secure communication. Issue:DS-5965
The dsreplication status command does not display the replication server status table by default, only the replica table. The --displayServerTable argument may be used to display the server status table as well. The Age of Oldest Backlog Change, the Generation ID and the Replication Server ID columns are no longer displayed by default. The --showAll argument may be used to display these fields as well. Location, WAN Gateway Priority and Recent Change Rate are new columns shown in their respective tables. The new --location argument allows restricting the status report to servers and replicas in the specified location(s) only. Servers in the displayed tables are now sorted by location first and then by hostname/port number. Issue:DS-5341
Fix a problem where the collect-support-data tool could timeout when connecting over SSL, or prompt the user to verify the server certificate even when the --no-prompt argument was specified. Issue:DS-4823
Changes to the location property in the global configuration now require a server restart. Issue:DS-5901
Add safety measures for replication detach: detaching will now set the writability of the backends to internal-only, and enabling will warn when backends have limited writability and fail if a backend is read-only. Issue:DS-5301
The userPassword and authPassword attributes are now excluded from returned entries for enhanced security. This is currently implemented with a new default global ACI that denies read, search, and compare access to the attributes instead of the sensitive attributes feature for backwards compatibility. Root users will still be able to view the password attributes over LDAP. Please refer to the documentation for how to fully protect the password attributes by using a global sensitive attributes configuration instead. Issue:DS-3641
Fix a bug that caused many command-line tools to output to stderr rather than stdout. Existing scripts that depend on the old behavior may need to be modified in order to continue working correctly. Issues:DS-3610,DS-4195
Fix a bug with DN decoding from strings with special characters to ensure that the changelog will store a valid DN for the targetDN even if the original entry's DN was not properly escaped. Issue:DS-6061 SF#:1679
Update the file format used by "dsconfig --batch-file" to support using '\' as a line continuation character. If the last character on a line is a '\', then it will be removed and the following line concatenated on to it. Issue:DS-635
Remove the "Custom" type from the list when creating new objects in dsconfig. This was often confused with the "Third-Party" and "Groovy Scripted" types when users intended to create a Server SDK extension. Issue:DS-5229
Assigned NO-USER-MODIFICATION to the following directoryOperation attributes: ds-sync-conflict, changelog-add-entry, changelog-deleted-entry, changelog-modify-changes, compact-after-values, compact-before-values, compact-entry-key-attrs, ds-private-naming-contexts, ds-pwp-auth-failure, ds-pwp-last-login-time, ds-pwp-password-changed-by-required-time, ds-pwp-reset-time, ds-pwp-warned-time, and pwdReset. These attributes will no longer be modifiable over LDAP.
dsreplication cleanup-local-server subcommand will no longer generate a cleanup-backends.ldif file to remove the replication related attributes from the backend. Instead, the user needs to rely on import/export to clean affected backends. Issue:DS-4718
Update ldap-diff to use the schema of the target server when comparing entries. This enables comparing entries whose DNs include case-sensitive components. Issues:DS-2748,DS-6197
Update the replication code to handle port checks from the dsreplication command line utility. This prevents the server from logging SSL connection attempt failures. Issue:DS-6190
Ensure that critical and unsupported controls using a virtual attribute filter will fail since they are not supported in tandem. Issue:DS-6244 SF#:1694
A new property named obscure-attribute on the audit logger allows specified attributes to have their values obscured in the audit log. The default setting for the Proxy Server is to obscure the userPassword and authPassword values. Each value of an obscured attribute is replaced in the audit log with a string of the form "***** OBSCURED VALUE *****". The default setting for Directory Server is not to obscure any attributes, since the values of password attributes appear in hashed form rather than in the clear. Issue:DS-5278
Introduce a global property "ds-cfg-use-compact-sync-hist" that when enabled, will not encode historical single-valued attribute values if they are the same as the current value of the attribute for add and repl change types. This encoding will not be backwards compatible and all historical data must be flushed before reverting back to a previous version by exporting the replicated base DN without the ds-sync-hist attribute and re-importing the data. Issue:DS-6055
Fix a bug that prevented proxied authorization from working as expected during a search that crosses into a secondary backend. Issue:DS-6171 SF#:1686
Critical: Fix a bug that allows users with expired passwords to change attributes in their own entry other than password. Issue:DS-6054
Modify the ldap-diff tool to add LDAP connection options for SSL, StartTLS, and SASL authentication. Issue:DS-6034
Update the status tool to fix an issue in which the tool may fail to connect to the server to retrieve some status information when the --no-prompt option is specified. Issue:DS-5989
Update the Server SDK to make it possible to create an internal connection that behaves like an external connection and is subject to its constraints. Issue:DS-5851
Fix an issue with dsreplication remove-defunct-server where removing one of many servers configured with SSL could result in the wrong server being removed from the ADS. Issue:DS-6193
Add support for a number of operational attributes which can be added to user entries in order to restrict who those users can proxy as when using proxied authorization, in addition to enhancing existing operational attributes that can be used to restrict who a user can be proxied as. The complete list of attributes and intended use is as follows:
Fix a bug that prevented ACIs with a targetFilter from working properly with search operations with an entryUUID filter. Issue:DS-6102 SF#:1668
Nesting dynamic groups inside static groups is now always supported. The static group cache is now always enabled and the cache-user-to-group-mappings configuration property is no longer maintained. Issue:DS-6272
Fix the PingDirectory Server code so that a replicated server correctly determines when updates only from a single server should be accepted at startup. Issue:DS-5980
Update the Synchronization Server to make sure it merges remote state from all other servers at least once before letting the sync pipes begin. This eliminates a very small window that could only happen at startup, where a Synchronization Server could take over the master status and begin syncing before it has merged any remote state from secondary Synchronization Servers.
Update the Synchronization Server to handle a network partition between redundant instances. This guarantees that the true master will incorporate state from the other master(s) after the network is restored.
Fix a bug in the LDAP changelog where it would not incorporate GetChangelogBatch token information about other replicas in a certain edge-case scenario. Issues:DS-4520,DS-6320,DS-6340
Fix a bug that prevented overlapping binds from succeeding when used with a client connection policy that has request criteria containing connection required tied to a specific bind user. Issue:DS-6432 SF#:1717
Enable the capturing of DBPrintLog information for each BDB JE Backend to the collect-support-data archive. Issue:DS-6075
Fix an issue where an out-of-the-box server required more memory than it should have, because of how the DictionaryPasswordValidator stored its word dictionary. The memory usage has been reduced by roughly 35MB. Issue:DS-6040
Compact encoding of historical attribute values is now enabled by default. This encoding will not be backwards compatible and all historical data must be flushed before reverting back to a previous version by exporting the replicated base DN without the ds-sync-hist attribute and re-importing the data. Issue:DS-6284
The dsreplication initialize-all subcommand has been updated to allow more time for the destination replicas to complete the import process. Issue:DS-6437
Update the dsreplication enable subcommand to prevent adding a server using a prior version into the topology. In mixed version environments, dsreplication enable may only be executed from an instance running the older version of the product. Issue:DS-6060
Update Berkeley DB to version 5.0.48. This version uses an updated on-disk database format that is not backwards compatible with the previous versions. Any existing databases using the previous format will be automatically updated when the server is started. Issue:DS-6202
Updated the server to support hosting of standard web applications using the HTTP Connection Handler. Issue:MON-754
Fix a bug that prevented collect-support-data from using the bindPasswordFile argument. Issue:DS-6402 SF#:1719
Fix an issue which caused extremely poor import-ldif performance when a VLV index was configured. Issue:DS-5712
Provide better monitoring of group cache memory usage by adding "current-cache-used-bytes" and "current-cache-used-as-percentage-of-max-heap" attributes to the Group Cache monitor provider. Also add "memory-consumer" attribute to the JVM Memory Usage monitor provider to provide usage summary of all registered memory consumers. Issue:DS-6482
Log a warning when two or more HTTP Servlet Extensions are configured to use exactly the same servlet context path. Issue:DS-5739
Update the LDAP Changelog monitor entry to have a unique object class: ds-changelog-backend-monitor-entry. Issue:DS-5059
Provide more monitoring for the LDAP Changelog backend, especially for GetChangelogBatch request processing, and expose monitoring information for this backend in the Periodic Stats Logger. Issue:DS-5700
Improve performance of retrieving changes from the LDAP Changelog using the GetChangelogBatch request by reducing changelog entry processing for entries that are excluded by base DN. Issue:DS-5701
Provide config options to smooth out database delete operations during LDAP changelog purging to reduce impact on server throughput and response time. Issue:DS-5724
Critical: Address an issue where a directory server might resend duplicate changes when processing a GetChangelogBatch request in an environment that is under heavy load. Issue:DS-5656
Expose replication changelog database monitoring information in cn=monitor and the Periodic Stats Logger Plugin. Issue:DS-5723
Provide PingDirectory Server and Proxy Server support for GetChangelogBatch options to control whether to return changes for modify or delete of soft-deleted entries. Issue:DS-6362
Critical: Update the PingDirectory Server to apply access controls when processing the GetAuthorizationEntryRequestControl. Issue:DS-854
Fix an issue where replicas could diverge in the event of a conflict between two undelete operations on a soft-deleted entry to two different DNs. Issue:DS-6407
Fix a bug that prevented collect-support-data from running the status command successfully when the trustStorePath argument was provided. Issue:DS-6311
Add support for soft deletes and undeletes to parallel-update. Issue:DS-6408
Added full directory listing to collect-support-data for files relocated outside of the server root. Issue:DS-6289
Provide an argument to the setup tool to configure the server to automatically include verbose garbage collection output in the server.out log file. Issue:DS-5681
The server no longer attempts to execute tasks at startup which are in the RUNNING state. Such tasks could exist if they were running when the server was killed or otherwise terminated abruptly. Issue:DS-5710
Monitor the available disk space in the backup directory during a backup of local DB backends, the changelog backend and the replication backend. If disk space gets too low, the backup is cancelled and all individual backend backups that were created during this backup are removed. The server now sends an alert for any individual backend backup that fails during an online backup. Issues:DS-6353,DS-6601
Fix an issue where rebuild-index only rebuilt the first VLV index when a second VLV index had a common prefix in its name. Issue:DS-5645
On Linux, the server and its tools now attempt to raise the limit on maximum user processes to 16,383 if the current value reported by ulimit is less than that. This is because Linux counts a thread as a user process, and some recent Linux distributions have a very low default value for max user processes. Issue:DS-6410
Update dsconfig so that inclusion of the --advanced option will list expert-level objects. Issue:DS-6652
Fix an issue where the PingDirectory Server could truncate the resume token when processing a GetChangelogBatchExtendedRequest, which could cause downstream errors in clients such as the Synchronization Server. Issue:DS-6655 SF#:1733
Provide better validation of the file-based key manager provider configuration. In particular, the key manager provider now rejects a configuration where the keystore cannot be loaded using the provided PIN. The PingDirectory Server will no longer start if an LDAP connection handler (with security enabled) references an incorrectly configured key manager provider. Issue:DS-6512
Fix an issue with import-ldif where it could fail when specifying --includeBranch on a backend whose base DN is subordinate to another backend's base DN. Issue:DS-3038
Update Berkeley DB to version 5.0.55. Issue:DS-6680
Provide additional properties in Simple Result Criteria that match against the authorization user (originating user) of the operation, similar to properties in Simple Connection Criteria that match against the authenticated user. The authorization user is often the same as the user authenticated on the connection but not when the operation has come through a proxy server. Issue:DS-6505
Improve the prompt that is displayed by command-line tools when establishing a secure connection to a server when no trust manager was specified and the server certificate should not be automatically trusted. The information is formatted more neatly, and the prompt will now include MD5 and SHA-1 versions of the certificate fingerprint and information about the issuer certificate chain if appropriate. There will also be an additional warning if the certificate is self signed. Issue:DS-5127
Update tools that can perform LDAP SASL authentication to add support for the UNBOUNDID-TOTP SASL mechanism that can be used for multifactor authentication. Issue:DS-6676
Update the LDAP connection handler so that any attempt to explicitly configure the allowed SSL protocols and/or cipher suites will be validated before being put into service. Any attempt to use an unsupported protocol or cipher suite will be rejected with an error message including the acceptable values. Issue:DS-6663
Fix a bug that prevented setup from using external keystore and truststore PIN files in the final installation's configuration. Issue:DS-6516
Update the ldifsearch tool so that it will no longer report errors for entries that violate the server schema by default. This behavior can be restored using the new --checkSchema option. Also, update the ldifmodify tool to provide better schema checking by default, and to add a --noSchemaCheck option that allows it to work with LDIF files and change sets that violate schema constraints. Issue:DS-4326
Fix a bug in the passthrough authentication plugin that could cause its initialization to fail if any of the target servers is unavailable. Issue:DS-5746
Fix a bug where groups with a multi-valued DN were not being escaped properly. Issue:DS-6732 SF#:1746
Add a new LDAP URL attribute syntax and modify the memberURL and ref attribute types to use it instead of their previous directory string and IA5 string syntaxes. By default, the LDAP URL syntax will ensure that only valid LDAP URLs can be assigned to an attribute with that syntax, which prevents errant behavior resulting from malformed LDAP URLs. However, it is possible to alter the configuration for the attribute syntax so that any arbitrary string is allowed if that capability is needed.
Note that if you are upgrading a PingDirectory Server instance with existing data, and if that data contains entries which have memberURL or ref attributes with values that are not valid LDAP URLs, then attempts to modify those entries may fail as a result of those malformed values. If your existing data includes malformed memberURL or ref values, then you will either need to correct those values so that they are valid LDAP URLs, or you will need to reconfigure the LDAP URL attribute syntax so that it does not require strict adherence to the LDAP URL format. Issue:DS-6491
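The pre-upgrade check described above, as an added example that is not part of these release notes or of the product: it scans an LDIF export for memberURL and ref values that would fail a strict LDAP URL syntax. The URL check is a simplified reading of RFC 4516 (an assumption; the server's own syntax validation may be stricter), and the LDIF sample is constructed.

```python
import base64
import re

CHECKED_ATTRS = {"memberurl", "ref"}
# RFC 4516 scopes plus "subordinates", an extension many LDAP SDKs accept
VALID_SCOPES = {"", "base", "one", "sub", "subordinates"}
HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]*\]|[A-Za-z0-9._-]*)(:\d{1,5})?$")
URL_RE = re.compile(r"^(ldaps?)://([^/]*)(?:/(.*))?$", re.IGNORECASE)


def _balanced_filter(flt: str) -> bool:
    """A search filter must be wrapped in parentheses that stay balanced."""
    if not flt:
        return True                    # empty filter defaults to (objectClass=*)
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            return False
    return depth == 0


def is_ldap_url(value: str) -> bool:
    """Simplified RFC 4516 check: scheme://host[:port][/dn[?attrs[?scope[?filter[?exts]]]]]."""
    m = URL_RE.match(value)
    if not m or not HOST_RE.match(m.group(2)):
        return False
    rest = m.group(3)
    if rest is None:
        return True                    # e.g. ldap://host with no DN part at all
    parts = rest.split("?")
    if len(parts) > 5:
        return False                   # dn, attrs, scope, filter, extensions at most
    scope = parts[2].lower() if len(parts) > 2 else ""
    if scope not in VALID_SCOPES:
        return False
    return _balanced_filter(parts[3] if len(parts) > 3 else "")


def parse_ldif(text: str):
    """Minimal LDIF reader returning [(dn, [(attr_lower, value), ...])].
    Unfolds continuation lines and decodes base64 (::) values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]   # folded line: drop leading space and join
            else:
                lines.append(raw)
        dn, attrs = None, []
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            name = name.lower()
            if name == "version":
                continue
            if name == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def find_malformed_urls(entries):
    """Return (dn, attribute, value) for each memberURL/ref value failing the check."""
    return [(dn, name, value)
            for dn, attrs in entries
            for name, value in attrs
            if name in CHECKED_ATTRS and not is_ldap_url(value)]


# Constructed sample export: one clean dynamic group (with a folded line), one
# group with two malformed values, and a referral whose base64 ref has a bad port.
SAMPLE_LDIF = """\
dn: cn=All Engineers,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: All Engineers
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(&(objectClass=person)
 (departmentNumber=eng))

dn: cn=Broken Group,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: Broken Group
memberURL: ldap://ou=People,dc=example,dc=com??sub?(cn=*)
memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person

dn: ou=Partners,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
ou: Partners
ref: ldaps://partners.example.com:636/ou=Partners,dc=example,dc=com
ref:: """ + base64.b64encode(b"ldap://partner.example.com:notaport/").decode()


if __name__ == "__main__":
    for dn, name, value in find_malformed_urls(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {name} value is not a valid LDAP URL: {value}")
```

Run it against a real export-ldif output to get the list of entries to correct before the upgrade.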
Modify the global configuration so that by default the server will allow no more than ten concurrent unindexed searches, rather than the previous default which did not enforce any such limit. This will help prevent the server from becoming unresponsive if too many clients issue unindexed search requests. Issue:DS-6735
Update the connection handler monitor entry so that listeners without an explicit listen address will be reported as "*:port" rather than just ":port". This helps prevent the listen address value from requiring base64 encoding in LDIF form. Issue:DS-6714
Introduce automatic purging of soft-deleted entries. The soft-delete policy can be configured to purge the oldest soft-deleted entries by retention time and/or the number of soft-deleted entries to be retained. Issue:DS-6400
Enhance the way setup handles security arguments to ensure server is configured properly. Issue:DS-6514
Add a new extended operation handler that may be used to validate a TOTP (time-based one-time password) without performing authentication. This can help add additional assurance about the identity of a user that has already been authenticated. Issue:DS-6748
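As an added illustration of what such a validation step checks (example code, not Ping Identity's implementation), the following verifies an RFC 6238 TOTP for an already authenticated user, tolerating one 30-second step of clock drift and refusing to accept a step that was already used. The secret and timestamps are the RFC 6238 test values, not real credentials; SHA-1, 30-second steps and 6 digits are assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1          # accept the previous and next step as well as the current one


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float = None,
                drift: int = DRIFT_STEPS, last_used_step: int = None):
    """Return the time step that matched, or None if the code is not accepted.

    Steps at or before last_used_step are rejected so that a code observed by an
    attacker cannot be replayed inside the drift window; the caller stores the
    returned step with the user's state.
    """
    now = time.time() if at_time is None else at_time
    current = int(now) // STEP_SECONDS
    for step in range(current - drift, current + drift + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), candidate):
            return step
    return None


# RFC 6238 test secret (ASCII "12345678901234567890"); constructed, not a real key.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(TEST_SECRET, 59)
    print("code at T=59:", code)                                   # 287082
    print("accepted step:", verify_totp(TEST_SECRET, code, at_time=59))
    print("replayed:", verify_totp(TEST_SECRET, code, at_time=70, last_used_step=1))
```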
Fix a bug that could cause idle account lockout to be enforced even if last login time tracking is not enabled. In addition, when changing the server's idle account lockout configuration, administrative tools will also warn about ensuring that last login time tracking has been enabled for a period of time to ensure that user accounts have been populated with the necessary state information. Issue:DS-6679
Add a new WebAppServerContext interface to the Server SDK, which can be used by web applications running in the server to interact with the server by doing things like invoking internal operations, registering change listeners and monitor providers, performing logging and debugging, and generating administrative alerts. The new WebAppServerContextFactory class may be used to obtain a server context instance. Issue:DS-6723
Fix an issue where modifications to attributes with options were not recorded correctly in the LDAP changelog nor in the recent changes database of the Local DB Backend. Issue:DS-6753
Change the installer to use Large Pages when testing available memory if the OS is configured to use Large Pages. Issue:DS-6760 SF#:1745
Update the replica code to never perform a search using the ds-sync-hist attribute on backends using the Berkeley DB database. Update error messages to better reflect severity and to omit reference to num-recent-changes on non-Berkeley DB backends. Issue:DS-6744
Update the JMX Connection Handler configuration to issue a warning if it is enabled. On some JVMs, enabling this aspect of JMX can lead to long garbage collection pauses. Issue:DS-6832
These features were added for version 3.2.0.0 of the Directory Server:
AIX is now a supported deployment operating system.
In the LDAP changelog, add support for indexing changes separately for each modified attribute, which allows clients to more efficiently retrieve changes to a subset of attributes using the get-changelog-batch request.
Update the LDAP changelog to provide support for paring down the contents of changelog entries based on the access control and sensitive attribute restrictions that are in place for the entry that was added, deleted, or updated.
Introduce an audit-data-security tool that identifies potential risks or other notable security characteristics contained in directory data.
Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations.
These issues were resolved with version 3.2.0.0 of the Directory Server:
Fix a bug in the web-console new Attribute Type and new Objectclass dialogs which in some cases could cause a schema element to be saved erroneously into a file called 'New File...'. Issue:3410
Modify the web-console so that extraneous carriage returns are removed from files containing exported schema elements. Issue:3411
Fix a bug that could cause inaccurate time stamps to be displayed in the active operations monitor entry for operations that are still waiting in the work queue and have not yet been picked up for processing by a worker thread. Issue:3419
Fix an issue that led to work queue backlogs in DS when the Sync Server was synchronizing from an entry-balanced Proxy Server configuration. Issue:3431 SF#:1486
The dsreplication tool's cleanup-local-server subcommand will now remove the public key certificates of all formerly trusted replicas as a result of being removed from a replication topology. Issue:3385
Update command-line tools providing support for SASL authentication to add additional properties that may be used in conjunction with the GSSAPI mechanism. This includes the ability to control whether a ticket cache should be allowed and/or required, the ability to specify an alternate location for the ticket cache file, the ability to request that the Kerberos ticket-granting ticket be renewed, and the ability to supply a custom JAAS configuration file rather than using one automatically generated by the tool. Issue:3437
Fix a bug that prevents going back from the type selection when creating a new configuration object in dsconfig. Issue:2913 SF#:1435
Update a number of LDAP command-line tools to provide a new --help-sasl option that can be used to obtain information about the SASL mechanisms that are available for use and the supported options for those mechanisms. In addition, the command-line tool reference has been updated to provide a new page on supported SASL mechanisms and options. Issue:3452
The replication server changelogDb directory can now be relocated because the replication-db-directory property is no longer read-only. Also, the LDAP Changelog Backend database directory can be relocated because it now has a db-directory property. Issue:3359 SF#:00001484
The dsreplication command line utility has been updated to prevent multiple dsreplication instances from changing the replication configuration simultaneously.
The utility has been updated to keep a history of invocations in the logs/tools/dsreplication.history file.
The utility has been updated to keep the log of up to 10 dsreplication sessions in the logs/tools directory. Issues:2347,2716,623,661
Fix an issue where a subtree delete operation that timed-out could bring both replication and the LDAP changelog to a halt. Issue:3465
Fix a bug in which dsconfig and other tools may not properly evaluate path-based property values for remotely managed servers. Issue:3439 SF#:00001484
Fix an issue where the LDAP Changelog Backend could encounter a deadlock while purging old entries if changelog batch requests were simultaneously trying to read those entries. Issue:3080
Improve the consistency of performance for Sync through Proxy with Entry Balancing. When the Proxy Server is processing a Get Changelog Batch request and it has received maxChanges in total from the backend PingDirectory Servers, it now cancels the outstanding requests in order to expedite the return of the result to the Sync Server. When the PingDirectory Server receives a cancel request for a Get Changelog Batch request, it now stops processing the request and returns the result containing a resume token. Issue:3438 SF#:1492
Fix an issue in the PingDirectory Server that could affect synchronizing changes through the PingDirectoryProxy Server in an Entry Balanced environment that had global replication configured across all PingDirectory Server instances. Under certain circumstances, the PingDirectory Server would go too far back in the changelog when searching for the next batch of changes, and it might issue an incorrect warning that some changes had been purged. Issue:3543
Fix an issue in the PingDirectory Server that could cause the Sync Server to show a large number of un-retrieved changes after restarting a sync pipe. This issue affected Sync through Proxy in an entry-balanced configuration. Issue:3543
Modify the update tool to handle potential issues migrating the admin-backend.ldif backend file if the ds-create-time attribute is present in the entry cn=all-servers,cn=Server Groups,cn=admin. Issue:3584 SF#:00001501
Update shell scripts used for the server and associated tools so that they will display a warning if it is not possible to set the desired number of file descriptors. Issue:3590
Fix a potential bug in index merge processing during import-ldif and rebuild-index processing that could cause the tool to silently complete without any indication of problems even if an error occurred. Issue:3590
Add je-property configuration to Changelog Backend to allow for advanced settings as needed. Issue:3600
Fix a bug when keeping track of an index that has exceeded the entry limit in the verify-index tool. Issue:3358
Fixed an issue in the LDAP Changelog where it could throw a NoSuchElementException either when it is first enabled or during replication replay. Issue:2760
Fix a bug where dsreplication cleanup-local-server command would fail in non-interactive mode if the changelogDir argument was not provided. Issue:3453
Update the JE backend to add new id2children-index-entry-limit and id2subtree-index-entry-limit configuration options that can be used to set the limits for these independently of the backend-wide default index entry limit. If these values are not set, then the backend-wide limit will continue to be used. Issue:3608
Change setup command to check for minimum required BDB JE version before running. Issue:3441
Update the CRYPT password storage scheme to make it possible to encode passwords using the 256-bit and 512-bit SHA-2 variants available in many Linux and UNIX distributions. These mechanisms apply multiple rounds of a very strong cryptographic digest to make the process of encoding passwords more expensive and significantly impede brute force, dictionary, and other kinds of attacks that may be launched by someone with access to a password's encoded representation. Issue:3593
Add support for a new "operation purpose" request control that clients can use to identify the intention for each request that they send to the server. The control may include the name and version of the application that created the request, the location in the application code from which the request was created (which may be automatically generated by the UnboundID LDAP SDK for Java), and a human-readable message explaining the purpose for the operation.
This can help improve security and debuggability because it can offer a kind of audit trail. If a request includes this control, then information from the control will be included in access log messages for those operations. Issue:3616
Add support for a number of operational attributes which can be added to user entries in order to restrict the way those users can authenticate and the circumstances under which they can be used for proxied authorization. Issue:3621
Fix an issue in the PingDirectory Server that caused Sync Server polling to get stuck when changes had been purged from the changelog. Issue:3594
Increase the efficiency of LDAP changelog purging by reading less data from the database. Also, retry purge transactions that fail with a lock conflict exception. Issues:3595,3604 SF#:00001486
Update client connection policies to support two new configuration attributes. The required-operation-request-criteria property can be used to cause the server to reject any request which does not match the referenced request criteria, and the prohibited-operation-request-criteria property can be used to cause the server to reject any request which does match the referenced request criteria. Issue:3645
Add the ability to configure the LDAP Changelog backend to preload database files into the file system cache prior to purging changelog entries. This can eliminate high disk utilization during purging. Issue:3603 SF#:1486
Update the export-ldif tool to add a new "--encryptLDIF" option that can be used to cause the data to be encrypted as it is written. Also, update the import-ldif tool to add a new "--isEncrypted" option to make it possible to import LDIF data from an encrypted file. Both of these options are only available when running as a task with the server online, as is also the case when creating or restoring an encrypted backup. Issue:3617
Boost the performance of the Get Changelog Batch extended request in the PingDirectory Server by using multiple threads to process the request. Issue:3606
Increase minimum heap size used by setup when no value is provided by end user. Issue:DS-3580
Fix a bug where a schema file shipped with the server was being listed as a custom schema. Issue:DS-3563
Update the LDIF export task to add support for digitally signing the contents of the LDIF export, and update the LDIF import task to add an option that can be used to verify the contents of the signature. If the import task is configured to verify signed content but the LDIF is not signed or has an invalid signature, then the import will complete but the server will place itself in lockdown mode to avoid the possibility of exposing untrusted data to clients. As with encrypted LDIF support, signing support is only available while the server is online and cannot be used in offline mode. Issue:DS-3617
Add a new argument to collect-support-data to control the number of jstack samples to collect. Issue:DS-4159
Update the FIFO entry cache to add support for new configuration options that make it possible to restrict the entry cache to holding only entries with at least a specified number of attribute values (either across all user attributes, or optionally across only a specified set of attributes). This can be used to avoid wasting cache memory with small entries that are very efficient to decode directly from the database and for which the entry cache does not provide significant benefit. Issue:DS-4210
Update the PingDirectory Server to require a minimum Berkeley DB JE version of 4.1.10. Issue:DS-3549
Update dsconfig to make the list-properties subcommand more visible and more usable. This includes the following changes:
- The list-properties output will now be written to standard output rather than standard error. This makes it easier to process the output with text tools like grep.
- The list-properties subcommand can now be used with the "--offline" argument even if the server is running.
- A new "--complexity" argument has been added that can be used to customize the complexity level of the objects included in the output.
- A new "--includeDescription" argument has been added that can be used to include synopsis and description information in the output.
- The top-level dsconfig help now includes an example demonstrating the use of the list-properties option.
- A docs/config-properties.txt file containing this information is now provided with the server. This information was previously already available in the HTML config reference guide. Issue:DS-2985 SF#:00001413
Update a number of access loggers to provide a new max-string-length configuration property that specifies the maximum length of any string that may be included in a log message. If any string has more than this number of characters, then that string will be truncated and a placeholder will be appended to indicate the number of remaining characters in the original string. Issue:DS-3551
Update the server to provide a new additional-supported-control-oid configuration property in the root DSE backend that can be used to add a specified OID to the supportedControl attribute of the server's root DSE. This is primarily intended for compatibility with other servers which may include certain response control OIDs in this list even though LDAP specifications indicate that it should only include request control OIDs.
The Server SDK has also been updated to provide support for registering and deregistering supported control OIDs. This may be used for extensions which themselves add support for additional controls. Issue:DS-3467
Allow the directory server to ignore illegal trailing space characters in existing schema files. Issue:DS-3586
Make it possible to configure the number of file descriptors that the server should attempt to use on UNIX-based systems. Previously, the server was hard-coded to try to use 65535 file descriptors. It is now possible to override this default by setting the NUM_FILE_DESCRIPTORS environment variable to the desired number of descriptors to use. Alternately, you can do this by creating a config/num-file-descriptors file with a single line, like:
NUM_FILE_DESCRIPTORS=12345
If an error occurs while attempting to use the desired number of file descriptors, then a message will be written to the terminal, and if the error occurs while starting the server, then a message will be logged to the server's error log. Issue:DS-3590
Fix a bug that prevented use of dsconfig with SASL options. Issue:DS-3535
Increase the concurrency of the FIFO Entry Cache when it contains a large number of entries. Issue:DS-4249
Add the ability to compress log files as they are written. This can significantly increase the amount of data that can be stored in a given amount of space so that log information can be kept for a longer period of time. Because of the inherent problems with mixing compressed and uncompressed data, compression can be enabled only at the time the logger is created, and it cannot be turned on or off later. Further, because of problems in trying to append to an existing compressed file, if the server encounters an existing log file on startup, it will rotate that file and begin a new one rather than attempting to append to the previous file.
Compression is performed using the standard gzip algorithm, so compressed log files can be accessed using readily-available tools. Further, the summarize-access-log tool has been updated so that it can work directly on compressed log files rather than requiring them to be uncompressed first. However, because it can be useful to have a small amount of uncompressed log data available for troubleshooting purposes, administrators using compressed logging may wish to define a second logger that does not use compression and has rotation and retention policies that minimize the space consumed by those logs while still making them useful for diagnostic purposes without the need to uncompress files before examining them. Issue:DS-2983 SF#:00001410
Enable the isMemberOf virtual attribute by default so that it will be usable in an out-of-the-box deployment without any administrative action. Issue:DS-4267
Update the logic used for index evaluation so that it can skip evaluating some or all of the search filter against the entry if the parts which have been omitted are guaranteed to match the candidate entries based on the use of indexes. Issue:DS-4211
Add a new monitor entry for the FIFO Entry Cache that reports details on the operation of the cache. Also, update the Periodic Stats Logger to expose many of these statistics in a continuous fashion. Issues:DS-3657,DS-3658
Add a new option to the dsreplication tool that can be used to override a lock on the topology held by a separate invocation of the tool. This option should be used with caution. Issue:DS-3487
Update dsconfig to remove a redundant prompt when a user chose to "Change the value" of an existing property. Issue:DS-2140
Fix a bug that prevented collect-support-data from properly using SASL connection options. Issue:DS-4239
Include a "Static Group Entry Cache" in the out-of-the-box configuration to improve server performance with large static groups whenever this entry cache is enabled. Issue:DS-4248
Fix an issue where, in rare circumstances, replication did not forward some update messages. Issue:DS-4329
Prevent the server from being considered degraded while a new index is being created. Issue:DS-4217
Address a rare case in which the dsreplication utility assigned the same identifier to a replication server and a replication domain, causing a failure during online initialization. Issue:DS-3472
Fix a bug that could cause a search result to incorrectly indicate that zero entries were returned to the client. This only occurred when using a Server SDK plugin to return additional search entries to the client during processing. Issue:DS-4349
Improve search performance when an ACI references a group that does not exist. Issue:DS-4365
Modify updater tool to ignore conflicting configuration additions that already exist. Issue:DS-4352
Update the simple search entry criteria configuration object to indicate that the included-entry-filter options will be evaluated against the pared-down entry actually returned to the client rather than the complete entry that exists in the server. Issue:DS-4360
Improve the write throughput of the LDAP changelog when persistent searches are active in the directory, but none apply to the changelog content. Issue:DS-4494
Fix a bug where some configuration variables were not initialized during LDIF import on a changelog backend. Issue:DS-4419
Update the replication server monitor entry to include an ssl-encryption-available attribute that indicates whether the server supports replication over SSL.
Note that even if the server is configured to support replication over SSL, it does not mean that all communication actually uses SSL. The ssl-encryption attribute of the replication server handler monitor entries should be examined to determine where SSL is and is not in use for replication. Issue:DS-3238
Prevent improper state propagation in replication that used to result in increased protocol traffic. Issue:DS-4493
Add a new reject-insecure-requests global configuration option that can cause the server to reject all operations except StartTLS extended requests received over insecure connections. This makes it easier to allow clients to use StartTLS without allowing other requests over an insecure connection. Issue:DS-4397
Provide an alternate password policy in the out-of-the-box configuration that is significantly more secure than the default policy. This policy is not configured for use, but it can be selected as the default policy, used as a policy for a select set of users, or used as a template creating a new custom policy with a more secure starting point than the default policy.
In addition, a new sensitive attribute definition is included in the default configuration that declares userPassword and authPassword to be sensitive attributes and forbids them from being returned to clients, used in search filters, or targeted by compare operations, and also requires that adds and modifies including passwords be processed over a secure connection. This sensitive attribute definition is not used by anything by default, but it can be easily referenced in the sensitive-attribute option of a client connection policy to turn it on. Issue:DS-4396
A server restart is no longer required after setting up replication to use encrypted communication. Issue:DS-1459
Update server access loggers to add a number of new options:
- An option to include request details in search result entry messages.
- An option to include request details in search result reference messages.
- An option to include request details in intermediate response messages.
- An option to include the names of attributes included in an add request.
- An option to include the names of attributes targeted in a modify request.
- An option to include the names of attributes included in a search result entry.
- An option to include extended search request details, including the size limit, time limit, types only, and alias dereferencing behavior. Issue:DS-4404
Update the server to add a "--lockdownMode" argument which can be used to cause the server to be started in lockdown mode. Issue:DS-1488
Update the PingDirectory Server to make it possible to define sensitive attributes as a global configuration option that will automatically apply across all client connection policies. It was previously only possible to associate sensitive attributes with individual client connection policies, and this option still exists. In addition, it is possible to indicate that a client connection policy should exclude one or more global sensitive attributes. Issue:DS-4402
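The following is an added example, not PingDirectory code, that models how the password sensitive attribute definition described under DS-4396 and the global/per-policy mechanism described under DS-4402 combine: the definitions in force for a connection are the global ones the client connection policy does not exclude, plus any the policy names itself, and each definition forbids the attribute in filters, compares and returned entries and requires a secure connection for adds and modifies. The property names mirror the configuration described above; the definition name "Sensitive Password Attributes", the allow/secure-only/reject mode strings and all function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Added illustration; not PingDirectory's own code. The definition name and the
# mode strings ALLOW / SECURE_ONLY / REJECT are assumptions.
ALLOW, SECURE_ONLY, REJECT = "allow", "secure-only", "reject"


@dataclass(frozen=True)
class SensitiveAttributeDefinition:
    name: str
    attribute_types: FrozenSet[str]          # lower-cased attribute type names
    allow_in_returned_entries: bool = False  # never hand the value back to clients
    allow_in_filter: bool = False            # no "(userPassword=...)" guessing via filters
    allow_in_compare: bool = False           # no guessing via compare either
    allow_in_add: str = SECURE_ONLY          # add/modify only over a secure connection
    allow_in_modify: str = SECURE_ONLY


@dataclass
class ClientConnectionPolicy:
    name: str
    sensitive_attribute: Set[str] = field(default_factory=set)          # policy-level definitions
    exclude_global_sensitive_attribute: Set[str] = field(default_factory=set)


def effective_definitions(all_defs: Dict[str, SensitiveAttributeDefinition],
                          global_names: Set[str],
                          policy: ClientConnectionPolicy) -> List[SensitiveAttributeDefinition]:
    """Definitions in force for a connection under `policy`: every global
    definition the policy does not exclude, plus the policy's own."""
    names = (set(global_names) - policy.exclude_global_sensitive_attribute) | policy.sensitive_attribute
    return [all_defs[n] for n in sorted(names)]


def check_operation(op_type: str, attrs, secure: bool, defs) -> list:
    """Return the violated restrictions for a 'filter', 'compare', 'add' or
    'modify' that references `attrs`; an empty list means it may proceed."""
    violations = []
    for d in defs:
        hit = sorted(a for a in attrs if a.lower() in d.attribute_types)
        if not hit:
            continue
        if op_type == "filter" and not d.allow_in_filter:
            violations.append((d.name, op_type, hit))
        elif op_type == "compare" and not d.allow_in_compare:
            violations.append((d.name, op_type, hit))
        elif op_type in ("add", "modify"):
            mode = d.allow_in_add if op_type == "add" else d.allow_in_modify
            if mode == REJECT or (mode == SECURE_ONLY and not secure):
                violations.append((d.name, op_type, hit))
    return violations


def pare_entry(entry: Dict[str, list], defs) -> Dict[str, list]:
    """Drop attributes that may not be returned to the client."""
    blocked = {t for d in defs if not d.allow_in_returned_entries for t in d.attribute_types}
    return {a: v for a, v in entry.items() if a.lower() not in blocked}


# Constructed configuration: one global definition covering both password attributes.
PASSWORD_DEF = SensitiveAttributeDefinition(
    name="Sensitive Password Attributes",
    attribute_types=frozenset({"userpassword", "authpassword"}),
)
ALL_DEFS = {PASSWORD_DEF.name: PASSWORD_DEF}
GLOBAL_SENSITIVE = {PASSWORD_DEF.name}

if __name__ == "__main__":
    default_policy = ClientConnectionPolicy("default")
    legacy_policy = ClientConnectionPolicy(
        "legacy-sync", exclude_global_sensitive_attribute={PASSWORD_DEF.name})
    for policy in (default_policy, legacy_policy):
        defs = effective_definitions(ALL_DEFS, GLOBAL_SENSITIVE, policy)
        print(policy.name, "filter:", check_operation("filter", ["userPassword"], True, defs))
        print(policy.name, "insecure add:", check_operation("add", ["cn", "userPassword"], False, defs))
        print(policy.name, "entry:", pare_entry({"cn": ["jdoe"], "userPassword": ["{SSHA}x"]}, defs))
```

The exclusion list is the escape hatch for a policy that genuinely needs to see password hashes (a synchronization account, for instance); everything else inherits the global definition without per-policy configuration.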
Update the server to generate an administrative alert if it detects that a configuration change was made with the server offline (whether by manually editing the configuration file or using dsconfig in offline mode). Issue:DS-4407
Improve the 'excludeReplication' option on the export-ldif command to also exclude replication conflict entries in addition to replication related attributes. Issue:DS-3332
Update the server to provide better reporting around the use of third-party extensions. If any such extensions are loaded in the server, then the DNs of their configuration entries will be listed in the thirdPartyExtensionDN attribute of the cn=monitor entry. Further, some extensions are loaded at startup, and a message will be written to the error log with the DNs of all of their configuration entries. Please note that not all extensions are loaded at startup, in particular Sync extensions. Issue:DS-4398
Improve the performance of searches that do not return any results by not fetching the base entry of the search unless it contains referrals. Issue:DS-4525
Fix an issue in which terminal focus may be lost during command-line setup just before the Summary step is shown. Issue:DS-4551
Fix an issue in which dsconfig cannot set an unlimited value for an object property that supports an unlimited value. Issue:DS-4173
Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations. By default, eight worker threads will be created for this purpose, but this may be altered via the num-administrative-session-worker-threads property in the work queue configuration.
Some administrative tools like dsconfig, status, collect-support-data, enter-lockdown-mode, and leave-lockdown-mode will automatically attempt to create an administrative session in which all operations they request will be processed in this dedicated pool. Other tools like ldapsearch, ldapmodify, ldapcompare, ldapdelete, ldappasswordmodify, backup, restore, import-ldif, export-ldif, and manage-tasks have a new "--useAdministrativeSession" argument that can be used to request that they attempt to use this dedicated thread pool for operations that they process. Further, the Commercial Edition of the UnboundID LDAP SDK for Java has been updated to provide support for the new start administrative session and end administrative session extended operations that are needed to use this feature, so third-party applications can also take advantage of this capability.
In order to request that operations be processed using the administrative session thread pool, the requester must have the use-admin-session privilege (which is included in the default set of privileges automatically granted to root users). The use of the administrative session thread pool will be recorded in the access log, and a new "using-administrative-session-worker-thread" property has been added to the simple request criteria and can be used to filter operations based on whether they are using this capability. Issue:DS-4401
Fix SASL support for the status command. Issue:DS-4313 SF#:1563
Update the changelog backend to provide support for paring down the contents of changelog entries based on the access control and sensitive attribute restrictions that are in place for the entry that was added, deleted, or updated. This capability is disabled by default, but it can be enabled using the apply-access-controls-to-changelog-entry-contents configuration property. If enabled, then the contents of attributes like changes, deletedEntryAttrs, ds-changelog-entry-key-attr-values, ds-changelog-before-values, and ds-changelog-after-values may be altered or removed based on what the requester can access in the target entry.
This change also includes support for a new option in the get changelog batch extended request. If the pareEntriesForUserDN element is present in the request, then the changelog entry contents may be further pared down to match the intersection between what is accessible to the requester and the user specified in that pareEntriesForUserDN element. If this element is included in the get changelog batch request, then this paring will be performed even if apply-access-controls-to-changelog-entry-contents has a value of false.
If the changelog entry content was altered as a result of this processing, then the changelog entry returned to the client may include additional information about what was removed. If the report-excluded-changelog-attributes configuration property is given a value of attribute-counts, then the number of suppressed user and operational attributes will be provided in the changelog entry through the ds-changelog-num-excluded-user-attributes and ds-changelog-num-excluded-operational-attributes attributes. If it is given a value of attribute-names, then the names of the suppressed attributes will be provided in ds-changelog-excluded-user-attribute and ds-changelog-excluded-operational-attribute. Issue:DS-4157 SF#:00001409
Dramatically reduce the memory consumption of static groups, especially when the ratio of total memberships to unique members is high. The cache-user-to-group-mappings configuration property helps reduce memory consumption and should only be disabled if nested group support is needed. The intern-member-dns property has been removed since it is no longer useful. Issue:DS-4698
Update the replication server to fix two potential race conditions that resulted in the error message "Replication server caught exception while listening for client connections null". Issue:DS-4557
Fix a bug where collect-support-data was not passing all of the SASL arguments needed to the status command. Issue:DS-4816
Remove bind user and password prompts when starting dsconfig in interactive mode if valid SASL bind options are provided. Issue:DS-4579 SF#:1562
Change collect-support-data to not prompt for bind user/password when SASL arguments are provided. Issue:DS-4596
Fix a bug that could cause virtual and real values for the same attribute type to be returned as two separate attributes, which could cause problems with some kinds of LDAP clients. Issue:DS-4707
Update the PingDirectory Server support for virtual attributes so that it is possible for multiple virtual attribute definitions to contribute values to the same attribute in an entry. Previously, only one virtual attribute definition would be used, and the process for selecting that one definition was not well defined.
As part of this solution, two new configuration properties have been added to virtual attribute definitions:
* multiple-virtual-attribute-evaluation-order-index -- This is a numeric value which can be used to assign relative priorities to virtual attribute definitions. Definitions will be evaluated in ascending order based on this index, and definitions without an explicitly-assigned index will be evaluated last. It is acceptable to have definitions with the same index, in which case their relative order will be determined based on lexicographic comparison of the name of the configuration object. It is also acceptable to have gaps in the ordering, so it is not necessary to define the order using only sequentially-increasing values.
* multiple-virtual-attribute-merge-behavior -- This specifies the behavior that the server should use when multiple virtual attribute definitions apply to the same multivalued attribute in a given entry (for single-valued attributes, the server will only ever use the first definition as determined by the order specified above). Values for this property may be "use-first-definition" (in which case only the first applicable virtual attribute definition may contribute values to an entry), "use-only-definitions-with-the-lowest-evaluation-order-index" (in which case the first applicable definition will be used, along with all other definitions that have the same evaluation order index as that first definition), or "use-all-definitions" (in which all applicable virtual attribute definitions may contribute values to the entry).
In the event that multiple virtual attribute definitions will be applied for a given attribute in an entry, the conflict-behavior and multiple-virtual-attribute-merge-behavior values for the first applicable definition will be used for all virtual attribute definitions applied for that attribute, even if subsequent definitions have behaviors that conflict with that of the first applicable definition. Issue:DS-2483
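The evaluation-order and merge rules above are easy to get wrong when several definitions share an index or some have none, so here is an added example (not PingDirectory code; class and function names are hypothetical) that models them: definitions are sorted by ascending multiple-virtual-attribute-evaluation-order-index, unindexed ones last, ties broken by configuration name, and only the first applicable definition's multiple-virtual-attribute-merge-behavior decides which of the others contribute.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of the evaluation-order and merge-behavior rules for
# multiple virtual attribute definitions; not PingDirectory's own code.
USE_FIRST = "use-first-definition"
USE_LOWEST_INDEX = "use-only-definitions-with-the-lowest-evaluation-order-index"
USE_ALL = "use-all-definitions"


@dataclass
class VirtualAttributeDefinition:
    name: str                                   # configuration object name (tie-breaker)
    values: List[str]                           # values it contributes to one attribute
    evaluation_order_index: Optional[int] = None
    merge_behavior: str = USE_FIRST             # multiple-virtual-attribute-merge-behavior


def evaluation_order(definitions):
    """Sort definitions the way the server evaluates them: ascending index,
    definitions without an index last, ties broken by configuration name."""
    def key(d):
        has_index = d.evaluation_order_index is not None
        return (not has_index, d.evaluation_order_index if has_index else 0, d.name)
    return sorted(definitions, key=key)


def merge_virtual_values(definitions, single_valued=False):
    """Return the values contributed to one attribute of an entry.

    Only the first applicable definition's merge behavior is consulted; the
    settings of later definitions are ignored, as the release note states.
    A single-valued attribute always takes the first definition only."""
    ordered = evaluation_order(definitions)
    if not ordered:
        return []
    first = ordered[0]
    if single_valued or first.merge_behavior == USE_FIRST:
        chosen = [first]
    elif first.merge_behavior == USE_LOWEST_INDEX:
        chosen = [d for d in ordered
                  if d.evaluation_order_index == first.evaluation_order_index]
    elif first.merge_behavior == USE_ALL:
        chosen = ordered
    else:
        raise ValueError(f"unknown merge behavior: {first.merge_behavior}")
    merged, seen = [], set()
    for d in chosen:
        for value in d.values:
            if value not in seen:           # attribute values are sets: de-duplicate
                seen.add(value)
                merged.append(value)
    return merged


# Constructed sample: five definitions all contributing to the same attribute.
SAMPLE = [
    VirtualAttributeDefinition("dept-groups", ["cn=eng,ou=groups"], 10, USE_ALL),
    VirtualAttributeDefinition("site-groups", ["cn=austin,ou=groups"], 10, USE_FIRST),
    VirtualAttributeDefinition("legacy-groups", ["cn=all,ou=groups"]),      # no index: last
    VirtualAttributeDefinition("role-groups", ["cn=admins,ou=groups"], 5, USE_LOWEST_INDEX),
    VirtualAttributeDefinition("team-groups", ["cn=blue,ou=groups"], 5, USE_FIRST),
]

if __name__ == "__main__":
    print([d.name for d in evaluation_order(SAMPLE)])
    print(merge_virtual_values(SAMPLE))
    print(merge_virtual_values(SAMPLE, single_valued=True))
```

Note in the sample that team-groups asks for use-first-definition but still contributes, because role-groups sorts first (same index, earlier name) and its use-only-definitions-with-the-lowest-evaluation-order-index setting governs the whole attribute.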
Update the logic the server uses for address patterns to support the use of subnet masks. It was previously only possible to use CIDR notation (e.g., "1.2.3.0/24") to specify the number of significant bits, but it is now possible to use subnet masks (e.g., "1.2.3.0/255.255.255.0") to specify address masks. Issue:DS-4710
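As an added example (not PingDirectory's matcher), the following models the two address pattern forms above: a CIDR prefix length or a dotted-quad subnet mask, plus a bare address. It converts a mask to a prefix length and rejects masks whose one bits are not contiguous, which is the mistake a subnet-mask form invites that CIDR notation cannot express. It handles IPv4 only, matching the examples in the note (assumption), and treats host bits in the address part leniently since the note does not say how the server handles them.

```python
import ipaddress

# Added illustration; not PingDirectory's own code. IPv4 only (assumption).


def mask_to_prefix_length(mask: str) -> int:
    """Convert a dotted-quad subnet mask to a prefix length, rejecting masks
    whose one bits are not contiguous (e.g. 255.0.255.0)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = 0
    while prefix < 32 and bits & (1 << (31 - prefix)):
        prefix += 1
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"subnet mask is not contiguous: {mask}")
    return prefix


def parse_address_pattern(pattern: str) -> ipaddress.IPv4Network:
    """Accept "a.b.c.d", "a.b.c.d/bits" or "a.b.c.d/mask" and return the network."""
    if "/" not in pattern:
        return ipaddress.IPv4Network(f"{pattern}/32")
    address, suffix = pattern.split("/", 1)
    if "." in suffix:
        prefix = mask_to_prefix_length(suffix)
    else:
        prefix = int(suffix)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {pattern}")
    # strict=False tolerates host bits in the address part ("1.2.3.4/24");
    # whether the server accepts that form is not stated, so be lenient here.
    return ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern parses; used to validate configuration before applying it."""
    try:
        parse_address_pattern(pattern)
        return True
    except ValueError:      # ipaddress.AddressValueError is a ValueError subclass
        return False


def address_matches(address: str, patterns) -> bool:
    """True if the client address falls within any of the configured patterns."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in parse_address_pattern(p) for p in patterns)


if __name__ == "__main__":
    # Constructed allow-list mixing all three forms.
    allowed = ["10.1.0.0/16", "192.0.2.0/255.255.255.0", "203.0.113.7"]
    for client in ("10.1.200.3", "192.0.2.40", "203.0.113.7", "198.51.100.1"):
        print(client, address_matches(client, allowed))
```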
Update the server to report group cache statistics and memory usage at startup. Issue:DS-2855
Modify the tools to recognize instances of the Sun DSEE 7 Directory Server when deployed as part of the Oracle Identity Management 11g. Issue:DS-4716
Update the server to discourage disabling schema checking, since this can lead to unexpected behavior in the server and client applications, as well as introduce performance problems. A warning message is printed when dsconfig or the console is used to update the configuration to disable schema checking. The server now generates an alert when schema checking is disabled. The --skipSchemaValidation option has been removed from import-ldif. Issue:DS-4336
Improve the config definition for the idle-lockout-interval password policy property to indicate that it relies on the last login time but may fall back on the password changed time or account creation time if no last login time is available. It also recommends having last login time tracking enabled for a period of time before enabling idle account lockout. Issue:DS-4878
Update the server to record access log information about certain requests rejected very early in the life of an operation that were not previously recorded, including:
- Operations requested by a user that must change his/her password before being allowed to perform any other operation.
- Operations rejected because there is a bind in progress on the connection.
- Operations rejected because the server is in lockdown mode.
- Operations rejected as a result of the reject-unauthenticated-requests or reject-insecure-requests configuration option.
- Operations rejected because a client has exceeded the maximum number of operations per connection or maximum concurrent operations per connection. Issue:DS-4912
Make a change to the entry encoding format for attributes with attribute options. This will primarily impact data sets which use a wide variety of attribute options (and especially those other than ";binary" or ";lang-*"). In data sets with a very wide variety of attribute options, LDIF import and LDAP add performance should be dramatically improved.
Note that this may have an impact on the ability to revert to an older version if the data makes use of attribute options other than ";binary" or ";lang-*". In such cases, or in cases in which the data may use attribute types not defined in the server schema, then you should export data to LDIF before performing the revert, and then re-import data from LDIF after the revert. Issue:DS-4869
Fix a bug in the attribute value password validator that can cause it to incorrectly reject add attempts if the password attribute itself is included in the set of attributes to examine. Issue:DS-4888
Update the changelog backend to add a new include-virtual-attributes property that can be used to indicate the cases in which virtual attributes are included in changelog entries. Virtual attributes may be included in none, some, or all of the following:
- The set of attributes for an add operation
- The set of deleted entry attributes for a delete operation
- The set of changes for a modify operation (but only when use-reversible-form is true; when it is false, the changes are what the client sent to the server)
- The before and after values for updated attributes (regardless of the value of use-reversible-form)
- The key entry attributes Issue:DS-4714
Update the behavior of 'use-reversible-form' on the Changelog Backend to make sure it always includes a changelog entry, even if there was no net change to the directory entry. Changing attributes to the same value they already had will now result in an ADD and a DELETE of those same values showing up in the 'changes' attribute on a changelog entry, to provide an indication of what was in the original modification. Issue:DS-4957
Add support for the IBM JDK for the GSSAPI SASL bind mechanism handler and when using GSSAPI SASL binds with tools and utilities. Due to restrictions in the IBM JDK, when using tools and utilities with the "ticketcache" option set, the bind will always fail if the credentials are not found in the specified ticket cache, even if the "requirecache" option is false. Issue:DS-4749
Change the default low-space-error-percent-threshold to 1. This will help to avoid costly database recovery and/or replication initialization operations when the directory server runs out of disk space on default installations. Issue:DS-4872
Address an issue with the LDAP Changelog where a modify operation that added and deleted the same value for an attribute (effectively a no-op) would show up in the changelog incorrectly. Issue:DS-5005
The LDAP change log now supports attribute indexing so that the Sync Server can request changes that target specific attributes much faster. This feature is configured by the index-include-attribute and index-exclude-attribute properties on the Changelog Backend. Issue:DS-4938
Update the LDAP Changelog Backend to separate out virtual attributes from real attributes. There are now separate attributes for storing before/after values, key attributes, and added or deleted entry attributes which are virtual. Virtual attributes are not included in changelog entries at all by default, but can be included in any or all of before/after values, key entry attrs, added entry attributes, and deleted entry attributes using the 'include-virtual-attributes' property on the changelog backend. Issue:DS-5043
Fix a bug in which the server did not always properly handle changes to an attribute with the same attribute type as used in an entry's RDN and could reject an operation with a "not allowed on RDN" result when the RDN value itself was not actually altered. Issue:DS-4950
Improve the dsframework tool to support multi-valued server properties. Issue:DS-5040
Critical: Fix a bug where PingDirectory Servers could potentially miss some update messages in large topologies after a restart. Issue:DS-3592
Update the Local DB Backend so that the way that individual indexes (including system indexes) are preloaded aligns with the index's cache-mode setting. If a cache-mode is set to evict-leaf-immediately, then leaf nodes will never be preloaded. If a cache-mode is set to evict-bin-immediately, then nothing will be preloaded. Issue:DS-4860
Hide the include-backend-subtree-views property in client connection policy configuration objects in the PingDirectory Server. The only legitimate use of this configuration property is in the Directory Proxy Server, so it should not be exposed in the PingDirectory Server. Issue:DS-5057
Change collect-support-data and a couple of other tools to enable use of a tools.properties file when present. Issue:DS-4932 SF#:1563
Fix a bug that prevented configuration changes to attribute syntaxes (e.g., to allow zero-length directory string values) from taking effect without a server restart. Issue:DS-5060
Fix a bug that could corrupt the server registry: in some cases, the dsreplication detach subcommand updated the server registry of the detached servers before the replication servers had disconnected from each other. Issue:DS-5058
Fix a bug that required server restart when re-enabling virtual attributes. Issue:DS-5106
Fix an issue with replication where a server might miss some changes, specifically during stress tests that included a high volume of modify traffic and repeatedly killing the server process. Issue:DS-5227
Fix a bug that prevented use of stop-ds command on a remote server. Issue:DS-5279
These issues were resolved with version 3.1.0.0 of the Directory Server:
The dsreplication tool now requires specification of the --ignoreWarnings option when performing a pre-external-initialization operation using the --no-prompt option. Issue:3019
The dsreplication status output has been updated to include a table that lists replication servers and their important properties. Issue:3019
The dsreplication tool now disallows specification of an empty password for the global admin user account. Issue:3019
The dsreplication tool now prohibits enabling replication between two servers for base DNs of empty subtrees. Before enabling replication, at least one server must have been initialized with data. Issue:3019
The dsreplication tool's interactive menu system has been overhauled to provide better organization and contextual help for its operations. Issue:3019
Add new global configuration attribute that allows specifying a SMTP timeout to use for all configured SMTP servers. Issue:2283
Change dsreplication command line interface to detect an invalid hostname provided during an interactive session, instead of failing at the end. Issue:2763
Update the server so that access log messages for operations the server tried to interrupt (e.g., as the result of an abandon or cancel request, because the client connection was being closed, because the server was shutting down, etc.) will include an additionalInfo element with more information about the reason for the cancel attempt. Issue:2971
Limit collect-support-data to only run against the local server it is run from. All supported versions of the products have collect-support-data available, and that version should be used to do any needed data collection. Issue:2827
Enhance timeout for SMTP External Servers to be used for socket I/O and connection based timeouts. Previously the timeout value applied only to socket I/O. Issue:2939
Fix an issue with export-ldif command that resulted in object classes always being included in the output. Issue:2482
Fix an issue where heartbeat messages on replication server connections were ignored. Issue:3016
The update and revert-update tools now respect the -Q/--quiet option, which when specified suppresses console output of messages that are not warnings or errors. In addition, the tools will not solicit input if the -n/--no-prompt option is specified. Issue:3056 SF#:00001432
Add an option for configuration group change failures to force configuration changes when one or more servers in the group are unable to process the operation. Forcing the change is optional and the user is given a chance to modify the configuration change and retry if they decline. The --applyChangeTo argument now allows a value of "server-group-force" to provide the same functionality non-interactively. Issue:789
Fix an issue where the Web Console provides a dsconfig command to modify root dn user aliases that does not work in dsconfig. Dsconfig will now accept those commands. Issue:1692 SF#:1238
Improve the port checking code for local ports to be more accurate. Issue:2621 SF#:1399
The dsconfig tool has been fixed so that it does not exit with an error when the root DSE entry is not available. Issue:3122
Add a new type of access logger which can be used to obtain very detailed information about requests and responses and the contexts in which the associated operations have been processed. This is primarily intended for troubleshooting purposes rather than general use, and the content is meant to be human-readable rather than machine-parsable. Further, because the output can be quite verbose, it is recommended that it only be enabled when attempting to diagnose a problem, and that it be used in conjunction with the filtered logging framework so that only potential messages of interest will be captured. Issue:3064
Update tools, such as searchrate, that use --ratePerSecond to not use 100% of one CPU when running at a low rate. The cutoff for this rate depends on the minimum amount of time that a process can sleep, which is operating system dependent.
Enable the UseLargePages JVM flag during setup for Linux systems when the aggressive tuning option is used. Issue:2804
Update the Server SDK to add support for creating file-based access and error loggers. The new APIs are similar to the existing access and error logger APIs, but they take advantage of the server's existing high-performance and high scale log writer and provide support for advanced features like log file rotation and retention policies. Issue:3115
Add the ability to cancel an index rebuild task in the server. Previously, this was not possible and it could prevent an administrator from aborting an index rebuild, or even prevent the server from shutting down if a rebuild was in progress. Note that if an index rebuild is interrupted, then the index will remain untrusted and the rebuild must be re-invoked in order to allow that index to be properly generated before it will be used again. Issue:2955
The replication code has been updated to avoid a race condition when updates may not be delivered to a replica that was just added to the topology for a short period of time. Issues:2222,3159
Fix an issue where a disabled backend in the directory server could cause sync server endpoints to become out of sync when synchronizing through the proxy server. By default, a disabled backend now causes the directory server to set a degraded alert and to reject operations in the backend with the UNAVAILABLE result code. This allows the proxy server to route around the degraded directory server. Two new configuration properties on the backend control this behavior: set-degraded-alert-when-disabled and return-unavailable-when-disabled. Issue:3143
Update the way that the rebuild-index tool works in offline mode so that it can use multiple threads to provide better performance and scalability, and to reduce the amount of disk space consumed during the rebuild process. Also, update the way that the verify-index tool works when examining entries so that it can provide better performance and scalability, particularly when used to validate multiple indexes at the same time.
Update the rebuild-index tool so that it will monitor available disk space on volumes containing the database files and the temporary index files. If disk space gets too low while rebuild-index processing is in progress, then it will log warning messages and may abort processing if available disk space becomes critically low. Issue:3251
Add the close-connections-on-explicit-gc option to the LDAP Connection Handler to allow connections to be closed gracefully when an explicit garbage collection is triggered by the Periodic GC Plugin or the Force GC Task. This allows hardware load balancers to more easily fail over to other instances. Outstanding operations will be given a chance to complete before connections are closed. Issue:2931
Update the PingDirectory Server's support for interactive transactions so that it properly honors the writeLock flag in the interactive transaction specification request control. Issue:3263
Add a validate-acis tool that can be used to read access control definitions from an LDIF file or an LDAP directory in order to determine whether they will be accepted in an UnboundID Directory Server. Issue:3062
Update the move-entry tool so that it provides the ability to move multiple entries rather than just one. The --entryDN argument can be provided multiple times to specify the target entry DNs, or the new --entryDNFile argument may be used to specify the path to a file containing the DNs of the entries to move. If multiple entries are to be moved, then a separate transaction will be used for each. Issue:3111
An issue in the public key management process could cause replication to fail with certificate errors. Issue:3268
Fix an issue where a failed rebuild-index task did not release the lock it had acquired on the backend. Issue:3282
Make the download instructions for BDB JE more accurate. Issue:2980
Update collect-support-data to collect more system level information (especially on Linux) and validate that any value specified with the --pid option does not match the server's PID, since information about the server process is always collected. Issues:2920,2930,3152,3171,3206
The replication code has been updated to fix a rare race condition found when reinitializing a very small database immediately after starting the PingDirectory Server. Issue:3302
Hide the subtree-view option in the Client Connection Policy configuration in DS and Sync. There is currently no way to create manual subtree views for these products, but this option may be added back for future features as needed. Issue:3125
Fix an issue where a valid ACI was rejected because the ACI name included a parenthesis. Issue:3145
Update the LDIF parser to reject entries with illegal trailing spaces with a better error message that more clearly explains what the problem is. Also, update the import-ldif and ldapmodify tools so that they provide a "--stripTrailingSpaces" option that can cause the LDIF parser to strip off illegal trailing spaces rather than rejecting the associated entry or change record. Issue:3216
Two new Local DB Backend configuration properties are available to control the behavior of the directory server when the contents of one or more Local DB Indexes are untrusted. An index is untrusted if it needs to be rebuilt, or is in the process of being rebuilt. The first property, 'set-degraded-alert-for-untrusted-index', determines whether the directory server enters a degraded state when the backend has an index whose contents are untrusted. The second property, 'return-unavailable-for-untrusted-index', determines whether the directory server returns UNAVAILABLE for any LDAP search operation that would use an untrusted index of the backend. The default settings are 'true', which allows a proxy server to fail over to an alternate directory server when the contents of one or more Local DB Indexes are untrusted. Issue:3143
Add a --missingOnly option to ldap-diff to allow the tool to only report on entries that exist on only one of the servers; entries that exist on both servers but are out-of-sync are ignored. Issue:2918
Update tools which can be used to schedule tasks to add a new "--task" argument that makes it explicit that the tool is intended to run as a task rather than in offline mode. At present, this argument is optional, but we intend to make it required in the future, and if a tool is invoked as a task without this new "--task" argument, then a warning message will be displayed recommending that it be used in the future.
In addition, if the "--task" argument is provided but the tool was not given an appropriate set of other arguments to allow it to connect and/or authenticate to the server, then an error message will be displayed and the tool will exit with an error. This behavior will also be exhibited for other arguments that are only applicable for tools running as tasks, including the "--start", "--dependency", "--failedDependencyAction", "--completionNotify", and "--errorNotify" arguments. Issue:3224
Update the manage-tasks tool so that it can detect cases in which the authenticated user doesn't have permission to access information about tasks in the server and will provide a more useful error message. It would previously always report that there were no tasks in the server, which may not be true and is not very helpful. Issue:2957
Change the default access logger configuration so that intermediate response messages will be suppressed rather than logged, although logging them can be enabled if desired. However, for operations that did send one or more intermediate response messages to the client, the result access log message will now include an intermediateResponsesReturned element that provides the number of intermediate response messages that were returned. Issue:3096
Fix an issue in online rebuild-index processing that can cause incorrect counts for the total number of entries and the number of entries processed so far. Issue:3283
Update tools which create scheduled tasks to display a message indicating that killing the tool will not interrupt the task. For tasks that can be interrupted, the tool will also display a manage-tasks command line that can be used to cancel that task. Issue:2954
Fix an issue in the subtree delete implementation that could cause subordinate entries to be deleted without removing the parent, and a failure result for the operation in the case that the number of subordinate entries exactly matched the subtree delete size limit. Also, slightly modify the interpretation of the subtree delete size limit to be the maximum number of subordinate entries that can be removed so that the base entry itself is not counted as part of this limit. Issue:3335
Updated the PingDirectory Server so that the backlog of replication changes is received from only one other server in case the instance was disconnected from the topology for a long period of time. Issues:1105,2886
Added support for the special values "*" and "+" to the LDAP changelog configuration so that all user attributes or all operational attributes can be included or excluded from changelog entries. Issue:3269
Update the LDAP changelog so that it will not create a changelog entry with an empty 'changes' attribute when all modifications within a replicated modify operation are discarded because they are stale with respect to the local entry. Issue:3349
Fix an issue in the migrate-sun-ds-config tool that could cause it to generate a configuration batch file that could not be successfully applied when it included the creation of a new backend. Issue:3129
These issues were resolved with version 3.0.3.0 of the Directory Server:
Upgrade the server to require Berkeley DB Java Edition 4.1.8, which fixes a potential deadlock issue found in version 4.1.7.
Add support to the LDAP changelog for capturing all the before/after values of a changed attribute. This can be capped at a maximum number of values to store per attribute. Also add support to the LDAP changelog for capturing the current value of any 'key' attributes on every change to an entry, regardless of whether they were the attributes that changed. Issues:3020,3060
Fix a bug in web consoles where the version mismatch warning was not being displayed on initial login. Issue:3146 SF#:1459
Add an option to collect-support-data for collecting data from expensive processes. These expensive operations will not be executed by default. Issue:3176
Clarify the results of the status command when a user attempts to collect status from a remote server. Status results will always be based on the local server even if the user attempts to run the command on a remote server. Issue:3121
Fix an issue where debug messages logged by a command line tool (when using --enableDebug) might not be flushed to disk before the command exited. Issue:3218
Update the server's support for GSSAPI authentication to allow it to use a more flexible service principal. Previously, the service principal was hard-coded to be "ldap/" followed by the fully-qualified name of the system. This is still the default, but it is possible to override that in order to use a custom service principal. In addition, client tools which support GSSAPI authentication have been updated to support a "protocol" SASL option that can be used to specify the protocol for the service principal, and a "debug" SASL option that can enable GSSAPI debugging in the JVM. Issue:3262
Change replication server logic to prevent resending updates to pre-3.0 replication servers whenever they leave the replication topology, as this could temporarily lead to larger than expected backlogs. Issue:2911
These issues were resolved with version 3.0.2.0 of the Directory Server:
Modify the update tool to fix an issue where in some cases the tool would fail to migrate an older configuration, displaying errors related to duplicate LDIF change records. Issues:2942,2962,2967
The status-panel tool is no longer supported and has been removed from the server packaging. Issue:2973
Fix an issue where a Mirror Virtual Attribute Provider could cause a stack overflow in the directory server. Issue:2999
Fix an issue in the PingDirectory Server that could cause a search result entry to be artificially delayed (and possibly returned after its subordinates) if a search spans multiple backends and is indexed in some of those backends but is unindexed in others. Issue:3008
Fix a regression with the stop-ds command where the port argument was ignored. Issue:2925
Fix a replication incompatibility issue between a version 2.1.2 server instance and a server instance updated to a later version. The updated server could not process replicated modify operations from the older version instance. Issue:2935
Fix an issue where, in rare cases, the flow control mechanism in the replication server delayed messages. Issue:3027
If replication is enabled, the access logger now reports the replication change ID in the access log by default. Issue:3030
The command 'dsreplication cleanup-local-server' now removes all administrative information from the local server including any known servers and configured server groups. Any prior steps made to register the server with a replication topology or a configuration server group will need to be repeated if necessary. Issues:2792,2868
Fix an issue where the status command would warn that the port argument was ignored even though the argument was not provided. Issue:3052 SF#:1447
The command-line tools now use the full terminal width for output on Windows platforms. Issue:1019
Fix a potential issue that could cause an exception if a client tried to establish a secure connection to a server that already had the maximum number of concurrent client connections established for the associated client connection policy. Issue:3072
Add a document which describes differences in the default behavior between the UnboundID/Alcatel-Lucent 8861 PingDirectory Server and Sun/Oracle DSEE and the reasons for those differences. With minor editing, this document may also be used as a dsconfig batch file to apply changes to the PingDirectory Server to make it behave more like DSEE. Issue:2978
The 'dsreplication disable' command now removes the ds-sync-state attribute from the formerly replicated backend. Issue:2887
Fix an issue where a disable and enable of a local DB Backend could result in lost replication changes. Issue:3001
Fix a potential problem that could cause replication to break when merging two previously-disconnected topologies with multiple servers, or when concurrently adding multiple new servers to an existing replication topology. Issue:3114
Increase the default value for duplicate error messages (allow 2000 in 5 minutes) and alerts (allow 100 in 1 hour) before they are suppressed. Avoid duplicate suppression for certain types of alerts, such as configuration changes. Ensure that the severity of a duplicate alert summary message matches the severity of the duplicate messages being suppressed.
Fix an issue that could cause search result entries returned by a persistent search to be significantly delayed. Issue:3128
Address an issue where Server SDK extensions running within a command line tool could cause the process to run out of memory if they logged a high volume of error log messages. Issue:3173
These issues were resolved with version 3.0.1.0 of the Directory Server:
Change collect-support-data tool to prompt for missing LDAP connection arguments if needed. Issue:2461
Fix an issue where an incorrect search base DN would be written in the access log when a search operation spanned multiple backends.
Add support for a new exclude branch request control, which may be used to suppress search result entries below one or more base DNs. Issue:2845
Update the PingDirectory Server so that when processing a search operation, it will try to consolidate the last search result entry with the search result done message so that we try to send both messages in the same packet. This improves search performance and reduces network congestion. Issue:2853
Update sensitive attribute support to utilize the intermediate client request control if present in the client request in order to determine whether all downstream clients communicated with the server over a secure connection, rather than just considering the communication with the immediate client. This can help make more intelligent determinations for operations requested through a PingDirectoryProxy Server instance. Issue:2852
Update the server so that some of the specialized access loggers (e.g., failed operations and expensive operations) do not include messages about intermediate responses. Issue:2822
Update the attribute value password validator to provide the ability to perform substring matching on passwords. With this capability enabled, it is possible to reject passwords which are substrings of attribute values, or to reject passwords which contain substrings of attribute values. Issue:2579
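The two rejection modes described above (a password that is a substring of an attribute value, and a password that contains a substring of an attribute value) as an added illustration; this is not the server's validator code, and the parameter names (match_substrings, min_substring_length, case_sensitive, checked_attributes) and the sample entry are hypothetical.

```python
"""Attribute-value password check with optional substring matching.

Added illustration of the two rejection modes the release note describes;
this is not the server's own validator code. Parameter names
(match_substrings, min_substring_length, case_sensitive, checked_attributes)
are hypothetical.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample entry (not real data).
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uid": ["jsmith"],
    "cn": ["John Smith"],
    "mail": ["john.smith@example.com"],
    "telephoneNumber": ["+1 512 555 0100"],
}


def _norm(text: str, case_sensitive: bool) -> str:
    return text if case_sensitive else text.casefold()


def find_attribute_value_matches(
    password: str,
    entry: Dict[str, List[str]],
    *,
    match_substrings: bool = False,
    min_substring_length: int = 4,
    case_sensitive: bool = False,
    checked_attributes: Optional[Iterable[str]] = None,
) -> List[Tuple[str, str, str]]:
    """Return (attribute, value, reason) for every attribute value the password
    collides with. An empty list means the password passes this check.

    Always rejected: a password equal to, or wholly contained in, an attribute value.
    With match_substrings=True, also rejected: a password that contains any run of
    at least min_substring_length characters taken from an attribute value.
    """
    if min_substring_length < 1:
        raise ValueError("min_substring_length must be at least 1")
    pw = _norm(password, case_sensitive)
    if checked_attributes is not None:
        wanted = {a.casefold() for a in checked_attributes}
        entry = {a: v for a, v in entry.items() if a.casefold() in wanted}

    hits: List[Tuple[str, str, str]] = []
    for attr, values in entry.items():
        for raw in values:
            value = _norm(raw, case_sensitive)
            if pw == value:
                hits.append((attr, raw, "password equals attribute value"))
                continue
            if pw in value:
                hits.append((attr, raw, "password is a substring of attribute value"))
                continue
            if not match_substrings or len(value) < min_substring_length:
                continue
            # Checking every window of exactly min_substring_length is sufficient:
            # any longer shared run necessarily contains one of these windows.
            # A very small minimum (1 or 2) would reject almost any password.
            for i in range(len(value) - min_substring_length + 1):
                window = value[i : i + min_substring_length]
                if window in pw:
                    hits.append((attr, raw, f"password contains {window!r} from attribute value"))
                    break
    return hits


def is_password_acceptable(password: str, entry: Dict[str, List[str]], **options) -> bool:
    """Convenience wrapper: True when no attribute value collides with the password."""
    return not find_attribute_value_matches(password, entry, **options)


if __name__ == "__main__":
    for candidate in ("jsmith", "SMITH", "MySmith2024!", "correct horse battery"):
        loose = is_password_acceptable(candidate, SAMPLE_ENTRY)
        strict = is_password_acceptable(candidate, SAMPLE_ENTRY, match_substrings=True)
        print(f"{candidate!r}: substring-of-value check={'ok' if loose else 'reject'}, "
              f"contains-substring check={'ok' if strict else 'reject'}")
```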
The replication changelog backend (replicationChanges) is now always enabled to facilitate restoring the replication changelog database from another server before replication is enabled. Issue:2645
Fix a bug that could prevent the use of object classes which reference attribute types whose name begins with a numeric digit or contains an underscore character. Although such names are technically invalid, the server may allow them based on the value of the allow-attribute-name-exceptions global configuration property. Issue:2882
Fix a bug that could cause some command-line tools (including ldapsearch and ldapmodify) to fail when parsing DNs containing attributes whose names require the attribute-name-exceptions feature in the server, even if that feature was enabled. Issue:2883
Fix a bug in the import-ldif tool that caused it to ignore the server's check-schema global configuration property and always perform schema checking unless the --skipSchemaValidation argument was provided. Issue:2891
Fix a regression that was causing replication initialization to fail if the domain name included a dot character. Issue:2894
Address an issue with collect-support-data when run on Windows where certain commands that were executed would time out without reading the full output of the command.
Replication now issues an alert if the replica is unable to publish all updates messages to the replication server before shutting down. Issue:2720
Upgrade the server to require Berkeley DB Java Edition 4.1.7, which fixes a couple of notable bugs found in version 4.1.6.
Add a new external server type for configuring SMTP servers. This can be used to provide secure connections and authentication to outgoing mail servers. Issue:1150
Fix a bug in which one or more backend indexes could be incorrectly considered trusted if LDIF import or index rebuild processing was interrupted before completing index-related processing. Issue:1944
The SNMP Master Agent Plugin is no longer exposed as configurable because it is not a supported component. It is only used for test purposes.
During shutdown, suppress replication error log messages that are triggered by closing connections to remote replication servers. Issue:2349
Fix a bug in the web console that prevented the creation of configuration objects with a slash character in the name. Issue:2836
Add the ability to log debug statements from server components that are running within the context of a command line tool. This also enables logging from third-party extensions developed with the Server SDK to be captured when run from the context of a command line tool. Issue:2834
The dsframework tool has been modified so that whenever a server is registered or updated with port values whose corresponding protocol enablement properties (ldapEnabled, ldapsEnabled) are not present, the tool will automatically set the value of the enablement property to "true". Issue:783
The dsreplication enable subcommand in interactive mode used to fail when one of the PingDirectory Server instances had the global administrator user defined. Issue:2843
Update replication messages and monitor attributes to use the term "Replication Backlog" instead of "Missing Changes" since "Missed Changes" refers to changes that have been lost due to purging. Issue:2736
The dsreplication detach subcommand now requires that all servers in the topology run version 3.0 or later. Issue:2844
These features were added for version 3.0.0.0 of the Directory Server:
Database Cache Compaction - With many datasets the database cache now uses 10-20% less memory to cache the same data.
Server SDK - Server-side SDK for extending the functionality of the core server.
Entry Encryption - Full entry-level encryption for Local DB backends.
Sensitive Attributes - An additional layer of protection from exposing data that is considered sensitive by allowing you to define policy that restricts how clients interact with a set of attribute types. For instance, you can define policy that will perform some of the following actions: 1) Reject add, compare, modify, or search requests that target these attributes, 2) Force clients to connect with a secure connection to interact with them, or 3) Automatically strip them out of entries before returning them to clients.
Virtualization Support - Achieved "VMware Ready Status" for all of our server products, which we now support deploying in VMware environments.
Global Replication - Support for replicating shared data between data sets in an Entry Balanced environment. This includes centrally managing and monitoring replication for all Directory Servers in an Entry Balanced environment.
These issues were resolved with version 3.0.0.0 of the Directory Server:
Fix a bug that could cause a recursion loop resulting in a stack overflow when using aggregate connection criteria. Issue:2240
Expose version information for many of the libraries used by the server in both "status --fullVersion" and in the "cn=Version,cn=monitor" entry. It will always include the LDAP SDK version number, and if available may also include any or all of the Berkeley DB JE, JZlib, SNMP4J, SNMP4J Agent, and SNMP4J AgentX library versions strings.
Add a configuration option that may be used to indicate whether the server should shut down in the event that a severe error (e.g., out of memory) is raised within the JVM that indicates it may not be able to continue running properly. Issue:2265
The dsjavaproperties tool now supports options for generating, regenerating, and updating the config/java.properties file. Issue:2280
Fix a bug in the support for the simple paged results control that could cause it to fail for a search that was unindexed. Issue:2286
Fix a bug in the timestamp-naming mechanism used in log file rotation which could cause log files that were manually renamed to still get rotated and eventually deleted if their names were still parsable as the original file name. Issue:1285
Fix a bug in the implementation of the userattr access control bind rule that could cause an access control rule to fail to properly match entries. Issue:2310
Fix a bug in the server that may cause the server to incorrectly parse some extensible match search filters from their string representations. Issue:2313
Update the stop script so that the "restart" option will correctly restart the server after a successful shutdown. Issue:2329 SF#:1362
Address an issue where the dsreplication command line utility in interactive mode ignored the selection from a server list and used the currently connected server to execute subcommands. This issue affected the disable, initialize, and initialize-all subcommands. Issue:2335
Issue a new admin alert when a replication operation fails to be replayed due to abnormal circumstances. Issue:2353 SF#:1368
Update dsconfig to work correctly in environments with a server-group set. This issue only affected dsconfig when run in a partially interactive mode where some of the configuration arguments were provided on the command line. The user is now prompted whether the configuration change should be applied to the current server or all servers in the group. Issue:2373 SF#:1370
Address an issue where the Unique Attribute Plugin incorrectly detected conflicts when under heavy load. Issue:1873
The web console now displays a communication error alert when editing configuration objects if the server has been disconnected. Issue:2270 SF#:1239
Fix a bug in which the server and tool JVM configurations in java.properties would lack -Xms and/or -Xmx options if the amount of memory specified as the maximum heap size was not available when setup was run. Issue:890
Fix a bug in which, if the 'locks' directory was missing, setup failed and erroneously indicated that the server was running.
Fix a bug that prevented the display in dsconfig and the web console of configuration objects whose name contained a slash character. Issue:2244 SF#:1373
Update the directory server to allow attributes marked with NO-USER-MODIFICATION to be set if the Replication Repair Control (1.3.6.1.4.1.30221.1.5.2) is included in an add operation. This functionality was already available if the Ignore No User Modification Control (1.3.6.1.4.1.30221.2.5.5) was provided in addition to the Replication Repair Control. Issue:2361
Modify the update tool to disallow the update tool from being used from a package in which setup has been run. Issue:2464
Provide a custom title renderer that escapes configuration object names in the web console. This avoids a theoretical security concern with configuration object names that contain embedded JavaScript. Issue:2454
Fix a bug in the ldapmodify command-line tool that caused it to incorrectly treat a 'referral' result as success. Referrals are still not supported by this tool, but it will now treat them as a special kind of error and will provide a more useful message. Issue:1062
Update the status command to include information about the replication changelog database. Issue:2449
Update the UnboundID work queue configuration so that it is not possible to configure a value of zero for the number of write queues. Previously, if a nonzero number of write worker threads was configured with zero write queues, then the server would encounter an error and would be unable to start. Issue:2119
Update the local database backend so that if an index is found to be in a degraded state, it will now include both the backend ID and base DN in the message that is generated in addition to the name of the affected index. Previously, the message would only include the index name. Issue:2445
Online import-ldif now supports the --skipFile argument. Issue:841 SF#:00001350
Fix an issue where, in some cases, the PingDirectory Server shutdown process was significantly delayed because of an improper shutdown of a replication related thread. Issue:2430
Generate a warning message at startup if the server is unable to determine the IP address or hostname of the local system, or if the local system's hostname resolves to a different IP address. These conditions may indicate a problem with the system configuration that could cause certain server components to break or function abnormally. Issue:2318
Creating an additional local database backend no longer generates severe warning messages in the server error log about degraded indexes. Issue:1113
Change the way that the serverUUID value is generated so that it is based on a combination of the system's primary IP address and the canonical server root path. This can be used to help detect cases in which a new server instance is created by copying the files associated with an existing server instance, which would have previously created two instances with the same serverUUID value. In the event that the stored serverUUID does not match the generated value, a log message will be generated to warn administrators of the change, and the newly-generated UUID will continue to be used. Issue:2470
Fix a NullPointerException error that could result from the use of targetscope="onelevel" in an ACI. Issue:2404
The import-ldif tool now verifies that the LDIF file argument is specified as an absolute path in case of an online import. Issue:2385
Fix a bug in the audit logger where the value of binary attributes could show up incorrectly when the audit logger was configured with use-reversible-form=true. Issue:2472
Remove support for the --append option of import-ldif since it was frequently used incorrectly, and in many situations led to situations that were difficult to recover from. Bulk adding entries to a backend that already has data can be done using the ldapmodify or parallel-update commands. Issues:1916,2427,54 SF#:00001299
Fix a bug that refused all writes to a backend when the write-ability mode was set to internal-only. Issue:949
Update the dbtest tool messages to make it clear that only backends of type local DB are supported. Issue:2436
Fix an issue where referential integrity fails when an entry referencing a deleted entry contains two attributes being managed by the referential integrity plugin. Issue:2365
Change the backend finalizers to run in parallel during shutdown to speed up the shutdown process. Issue:2110
Prevent cleaner and checkpoint threads from being interrupted before backend environment is closed. Issue:2020
Update the server to make it possible for change subscription handlers to be notified only of changes on a particular set of change subscriptions. Previously, change subscription handlers would always be notified of changes to any change subscription defined in the server. Issue:2475
Fix an issue when performing a modify operation to create an ACI that returned a result of Insufficient Access Rights instead of Invalid Attribute Syntax when the aci attribute was malformed. Issue:2477 SF#:1376
Fix a bug that could cause incorrect behavior for unindexed searches with a base DN equal to a base DN of the backend if one or more common-compact-parent-dn values were defined for entries below that base DN. In that case, only entries in the backend but not below any of the defined common compact parent DNs may be returned. Issue:2481 SF#:00001380
Improve the output of the ldapsearch tool to mention that a password has expired when the bind occurs. Issue:1981 SF#:1227
Fix a bug that prevented updating a user entry that needs a password change. Issue:2492 SF#:9999
Fix a bug where a virtual attribute rule based on group membership could cause the server to shut down. Issue:2434
Modify the updater so that the --ignoreWarnings option can be used to continue with update when there are warnings related to version compatibility issues. This allows an update to be run in a non-interactive environment, such as a script. Issue:2495
Explicitly set the autocomplete flag on the login form of the web console to false. Issue:2496 SF#:1383
Update the audit logger to use the filtering criteria specified in the configuration. Issue:2443
The admin alerts list no longer includes alert types that are clearly not applicable to the product. Issue:1738
Update generated command line arguments (such as for dsconfig) to be quoted in a mechanism specific to the operating system where they are generated and to eliminate all escaping with \, which had caused problems when replaying certain commands. This is done with as much portability across systems as possible. Issue:2455
Update the server to improve its behavior when dealing with attribute types that were switched from user to operational, or vice versa. In such cases, existing entries would treat them as user or operational based on the state of those attributes at the time the entry was written and as such operations involving those attributes may behave incorrectly. Issue:2546 SF#:00001379
Fix a bug that made it possible to re-use a password in the password history using ldappasswordmodify. Issue:2497
Enabling replication between the current and prior version of the product may cause schema initialization problems. The code has been updated so that configuration schema elements are not overridden when enabling replication. When adding a PingDirectory Server to a replication topology running a prior version of the product, it is recommended to use a server from the topology as the first server of the dsreplication command. Alternatively, schema replication may be excluded during dsreplication enable by using the --noSchemaReplication argument. Issue:2555
Improved status command output to better inform the user of how the local server status was determined, based on the arguments provided. Issue:2487
Cap db-evictor-critical-percentage configuration for backends so that the total cache percentage never goes above 90%. Issue:2285
Update cli documentation to include new commands for updating and reverting a server installation. Issue:2573 SF#:1390
Update the PingDirectory Server to add support for sensitive attributes, which can be used to provide an additional layer of protection to avoid leaking data that might be considered sensitive. It is possible to reject add, compare, modify, or search requests which target sensitive attributes, or to restrict them so that they may only be allowed over secure connections, and it is also possible to always strip those attributes out of entries returned to the client, or to allow them to only be returned to clients using secure connections. Issue:2412
Tools using a scope argument are now correctly documented in the CLI documentation. Issue:2594
Several enhancements to the Periodic Stats Logger: all columns in the output can now be turned on/off, many more built-in metrics are available to be logged, and additional custom metrics driven off of cn=monitor entries can be added by creating Custom Logged Status objects. Issue:2039
The naming of the replication domain configuration has been updated to facilitate scripted installations by removing the replication domain ID from the name. Issue:2245
Fix a bug that did not use the password policy during an add operation if it was assigned using a virtual attribute. Issue:2622 SF#:1398
Fix an issue in the PingDirectory Server which would cause ldap-diff to miss entries from a subordinate local DB backend when the scope of the comparison includes more than one local DB backend. This could be the case for an entry-balanced PingDirectory Server. Issue:2618
Fix a problem where import-ldif would never finish if entries were rejected with invalid attribute syntax. Issue:2514
Change the way abandon and cancel requests are run in order to prevent request handler threads from being detained while these operations wait to get back results. Issue:2631 SF#:1395
The server now issues an alert when it has begun the startup process. Issue:2642
The server now issues an alert when a JVM pause (possibly due to garbage collection) has been detected. Issue:2637
The web console now allows the specification of multiple LDAP servers to be used for authentication and discovery of topology servers. Issue:2466
The web console now supports specification of a server from its login page. Issue:2190
In case a replica is backlogged, the PingDirectory Server is supposed to issue an alert. The PingDirectory Server is also expected to delay completing the startup until the size of the backlog (if any) has been determined. In some cases, the PingDirectory Server did not issue an alert before the startup had completed. Issue:2662
The entry checksum virtual attribute provider has been extended to allow excluding attributes from the checksum calculation. The provider has also been updated to ignore the insertion order of attribute values when calculating the checksum. Previously, two entries with identical content could produce different checksums if the values of a multi-valued attribute had been added in a different order. Issue:1156
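The two properties described above, value-order independence and attribute exclusion, are easy to get wrong in a hand-rolled checksum. The following is an added example (not the server's own checksum implementation or format) showing one way to compute such a checksum; the sample entries are constructed, the hash function (SHA-256) and the length-prefixed encoding are this example's choices, and values are compared as raw bytes rather than normalized by the attribute's matching rule as the server would do:

```python
import hashlib

# Constructed sample entries (not from the page). A and B hold the same user
# data; B lists the multi-valued "mail" values in the opposite order and has a
# different modifyTimestamp, as a replica that received the values later would.
ENTRY_A = {
    "objectClass": ["top", "person", "inetOrgPerson"],
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "mail": ["jdoe@example.com", "john.doe@example.com"],
    "modifyTimestamp": ["20240101120000Z"],
}
ENTRY_B = {
    "objectClass": ["top", "person", "inetOrgPerson"],
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "mail": ["john.doe@example.com", "jdoe@example.com"],
    "modifyTimestamp": ["20240202120000Z"],
}


def entry_checksum(attrs, exclude=()):
    """Order-independent SHA-256 over an entry's attributes.

    Attribute names are compared case-insensitively, attributes are visited
    in sorted order, and each attribute's values are sorted before hashing,
    so the order in which values were added cannot change the result. Names
    listed in `exclude` are skipped. Every field is length-prefixed so that
    different value boundaries cannot collide ("ab","c" vs "a","bc").
    Values are hashed as raw UTF-8 bytes; the server would normalize them by
    the attribute's matching rule, which this example does not attempt.
    """
    excluded = {name.lower() for name in exclude}
    h = hashlib.sha256()
    for name in sorted(attrs, key=str.lower):
        if name.lower() in excluded:
            continue
        values = sorted(str(v).encode("utf-8") for v in attrs[name])
        lowered = name.lower().encode("utf-8")
        h.update(len(lowered).to_bytes(4, "big") + lowered)
        h.update(len(values).to_bytes(4, "big"))
        for v in values:
            h.update(len(v).to_bytes(4, "big") + v)
    return h.hexdigest()
```

Excluding operational attributes such as modifyTimestamp is what makes the checksum usable for comparing replicas, since those attributes legitimately differ from server to server.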
The import-ldif tool now supports a new --addMissingRdnAttributes option which, when present, silently adds any attribute values from the RDN components of the DN that do not appear in the entry's set of attribute values. When this option is not present, import-ldif will now reject such entries. Issue:2612
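The check behind that option is simple to state but has a few corners (multi-valued RDNs joined with "+", escaped commas in RDN values). The following is an added example, not import-ldif's own code, that parses a small constructed LDIF file and applies the same accept/reject/add logic; the LDIF reader is minimal (no changetype records), and values are compared byte-for-byte rather than by matching rule as the server would:

```python
import base64
import re

# Constructed LDIF, not from the page. The first entry's RDN value "jdoe" is
# missing from its attributes; the second has a multi-valued RDN with an
# escaped comma and is consistent with its attributes.
SAMPLE_LDIF = r"""dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe

dn: cn=Roe\, Jane+mail=jane@example.com,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Roe, Jane
sn: Roe
mail: jane@example.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: [{"dn": str, "attrs": {lowercased name: [values]}}].
    Handles continuation lines and base64 ("::") values; no changetype records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def _unescape_rdn_value(value):
    """Undo RFC 4514 escaping ("\\," "\\+" "\\\\" ...) and two-digit hex pairs.
    Only single-byte hex escapes are handled, which is enough for this example."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_components(dn):
    """(attribute, value) pairs of the leftmost RDN. An unescaped ',' ends the
    RDN; an unescaped '+' separates the pairs of a multi-valued RDN."""
    first_rdn = re.findall(r"(?:[^,\\]|\\.)+", dn)[0]
    pairs = []
    for ava in re.findall(r"(?:[^+\\]|\\.)+", first_rdn):
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip().lower(), _unescape_rdn_value(value.strip())))
    return pairs


def check_rdn_attributes(entry, add_missing=False):
    """Return (accepted, missing). Without add_missing, an entry whose RDN
    attribute values are absent from its attributes is rejected (the new
    default); with it, the missing values are added to the entry."""
    missing = []
    for attr, value in rdn_components(entry["dn"]):
        if value not in entry["attrs"].get(attr, []):
            missing.append((attr, value))
            if add_missing:
                entry["attrs"].setdefault(attr, []).append(value)
    return (add_missing or not missing), missing
```

Rejecting by default is the safer behaviour: an entry whose RDN value is not among its attributes cannot be found by a search on that attribute, and silently "fixing" it hides a problem in the data source.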
Update the ldappasswordmodify tool to supply the bind password as the user's current password when making a self-change. This is convenient when making a root user password change so that the current password does not have to be specified twice in the command line arguments. Issue:2525
Provide better descriptions in the MIB for SNMP trap variable bindings. Issue:2508
Fix an issue where explicitly requested attributes would not be returned when an access control rule allowing access to them contained a target filter on an attribute that was not one of those requested. Issue:2564
The file-based loggers now optionally support millisecond level precision. Issue:2603
Fix an issue where the referential integrity plugin would not perform all the appropriate actions for all kinds of ModifyDN operations. Issue:2498
Fix an issue where stop-ds on a replicated server could hang after logging an error indicating that the Replication Server db thread had exited while holding one or more read locks. Issue:2668
Added an "invoke-gc-day-of-week" property to the Periodic GC Plugin so that it can be configured to run only on certain days of the week. Issue:2660
Update the Periodic Stats Logger so that on shutdown it logs stats from the final interval. Issue:2684
Add an option, db-compact-key-prefixes, to the Local DB Backend. This exposes a new feature of BDB JE 4.1.6, which leads to a reduction in the memory needed to cache the database. It defaults to true. Issue:2693
If there are only two replicated servers in the topology, then the dsreplication disable subcommand will disable replication on both servers. The disable subcommand will only target the specified server if there are more than two replicated servers in the topology. Issue:1794
Improve the output when JVM errors occur in the scripts used to set up the environment for command-line tools. Issue:2172
Fix a bug in the restore tool that could prevent it from operating in "dry-run" (used to verify a backup without restoring it) mode with the server online. Issue:2692
Update the default JVM arguments to improve garbage collection tuning.
Update dsjavaproperties to validate that all java-home properties specified in config/java.properties reference valid Java installations. Issue:2719
Fix an issue where the alerts backend could write an incomplete LDIF backing file if an error were to occur during the write. Also, if an error in the LDIF file is discovered when the server is started, the alerts backend will now read as much as it can from the file and preserve a copy of the bad file. Issue:2700
The dsreplication initialize, initialize-all subcommands have been updated to detect if the source server has active unavailable alerts. In interactive mode, these utilities will display a warning and will not allow the user to select these servers.
The dsreplication status subcommand has been updated to display a warning about any server that has either unavailable or degraded alerts. These servers may not be displayed and may affect the reported number of missing changes. Issue:2707
Add support for logging intermediate response messages that are returned to the client. Intermediate response logging will be enabled by default, but may be disabled if desired. Issue:2428
Modify the import-ldif tool to help guard against accidentally overwriting existing backend data. The new -r/--overwriteExistingEntries option must be present when performing an import into a backend with a branch that already contains entries (although the option need not be present if a branch contains just a single base entry). It should be noted that existing scripts that perform an import-ldif may need to be modified to include this option in order to function as before. Issue:2478 SF#:00001378
Fix a bug where the web-console's schema editor could write object class definitions to the server that did not include the object class's type. This occurred when no attempt to change the default value STRUCTURAL was made in the object class creation dialog. Issue:2749
The dsreplication remove-defunct-server subcommand previously removed the defunct server from the server registry even when an incorrect replication port was provided, although the displayed message suggested otherwise. The subcommand also used to refuse defunct server replication port values larger than 32767. Issue:2751
Address an issue with the web console where it would not allow read-only configuration properties to be set when an object was initially created. Issue:2730
These issues were resolved with version 2.2.0.0 of the Directory Server:
Add support for an LDAP join control, which provides an SQL-like join capability: a client can request that the server also return other entries related to the entries matching the initial search criteria. Issue:1012
Modify the command-line argument parsers to generate a warning message if an argument value is the same as the short or long form for another argument. This can help prevent users from forgetting to supply a value for an argument which requires one. Issue:944
Streamline the process for sending responses to LDAP clients to use a stream-based approach and avoid the creation of a number of intermediate objects.
Add support for the permissive modify request control, which may be used to allow a modify operation to succeed even if it tries to add a value which already exists or remove a value which does not exist. Issue:131
Change the way that search result entries are prepared for return to the client to make the process more efficient and create less garbage.
Update the access log format so that result log messages for operations containing certain controls will include information about that control. For the assertion request control, the assertion filter will be provided. For the matched values request control, the matched values filter will be provided. For the pre-read, post-read, and get authorization entry request controls, the requested attributes will be provided. For the join request control, the join rule (including nested join rules) will be provided. For the server-side sort control, the sort order will be provided. For the virtual list view request control, the offset or assertion error, before count, and after count will be provided. For the simple paged results control, the page size will be provided.
Update MakeLDIF to add a "<random:timestamp>" tag that can be used to include a randomly-selected date from any time within the last ten years. It is also possible to use "<random:timestamp:min:max>" to specify the desired time range, where min and max should be given in the generalized time format. Issue:1083
Add a new configuration property for alert handlers that makes it possible to filter the types of alerts that should be processed based on the alert severity. By default, all types of alerts will be processed.
Provide a new alert handler that can be used to execute a specified command whenever an alert is generated within the server. The details of the alert notification will be provided as arguments when executing that command. The arguments will be provided in the following order: the name of the alert type, the OID for the alert type, the alert severity, the fully-qualified name of the Java class that generated the alert, the unique identifier assigned to that alert, and the text of the alert message. The alert handler will ensure that only one instance of the command may be invoked at a time to avoid problems from commands that aren't safe to run concurrently. If multiple alerts are generated concurrently, then they will be queued and the command will be executed sequentially for each of them. Issue:1146
Update the ldapsearch and ldapmodify tools so that in the event that an error response is received from the server, the diagnostic message from that error response will be displayed to the user rather than the generic error message that had previously been used.
Add a new error log alert handler, which makes it possible to control which types of alerts should be logged (based on either the alert severity or specific alert type). Further, the severity of the log message will reflect the severity of the alert notification.
Update the collect-support-data tool to archive information about the upgrade history of the server installation.
Update the LDAP changelog so that changelog entries now contain createTimestamp, modifyTimestamp, creatorsName, and modifiersName attributes. This can be optionally disabled if desired. Issue:1163
Update the LDAP changelog to add support for searches using the persistent search request control.
Generate administrative alerts for any operation which results in a change to the defined set of access control rules in the server, including global ACIs. Issue:1203
Improve the mechanism used to automatically tune the number of database lock tables. It will now be more scalable on systems with more than 100 CPUs, and will operate correctly for work queue implementations which do not have an explicit number of worker threads.
Update the cursor-across-indexes method of priming the backend so that it can use multiple threads to prime separate databases concurrently.
Modify the enter-lockdown-mode and leave-lockdown-mode tools to allow them to connect to any local address rather than requiring the request to be sent over the loopback address. Issue:1144
Fix a bug that could cause replication to be halted if the replication window size was changed in a manner that was not coordinated across all servers. Issue:1235
Provide the ability to force an explicit garbage collection on startup if the initialization of any request processor takes longer than a specified period of time. This can help improve garbage collection behavior in the PingDirectoryProxy Server when a global index is enabled and automatically primed on startup.
Update the LDAP connection handler to disable TLS renegotiation by default. This eliminates the TLS renegotiation vulnerability (CVE-2009-3555), in which a man-in-the-middle could inject arbitrary cleartext that the server would treat as a prefix of the client's own data.
Allow the Berkeley DB checkpoint interval to be altered within the server configuration. It was previously hard-coded at 60 seconds.
Avoid setting the "-XX:ParallelCMSThreads" JVM argument on systems containing a single CPU. This option has been observed to cause the JVM to fail to run properly, particularly in virtualized environments. Issue:1300
Update the active operations monitor entry to include attributes which provide the number of operations and persistent searches currently in progress within the server.
Fix a potential problem in replication that could result in the servers becoming out of sync in the event of conflicting add operations performed on different servers concurrently. Issue:655
Update the UnboundID work queue to change the default capacity from unlimited to 1000 operations, and to add the ability to block for a specified period of time (up to 60 seconds by default) if the work queue is full before giving up and rejecting the operation. This can help prevent clients using asynchronous requests from being able to continually enqueue requests without bound.
Update the server to provide the ability to keep track of the length of time that an operation was required to wait on the work queue before being picked up for processing by a worker thread. This can be used to identify cases in which client threads were forced to wait for a long time for a worker thread to become available, which may indicate a configuration problem or problems due to an inefficient client. It is also possible to define the maximum length of time that an operation may be allowed to wait on the work queue before being rejected with a "busy" response. If queue time monitoring is enabled, then it will appear in access log messages and in the processing time histogram monitor entry, and it may be used in simple result criteria objects.
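The two work queue changes above (a bounded capacity with a bounded wait before rejection, and queue-time accounting with a "busy" rejection once an operation has waited too long) together form the server's defence against a client that enqueues asynchronous requests faster than workers can drain them. The following is an added example, not the server's UnboundID work queue implementation, that models both behaviours in a small queue class; the result labels and monitor counters are this example's own choices, and the simulation's timings are constructed to exercise each path:

```python
import queue
import time
from dataclasses import dataclass, field

# Result labels are illustrative: the page says an operation that waited too
# long gets a "busy" response; the label for a full-queue rejection is ours.
RESULT_SUCCESS = "success"
RESULT_BUSY = "busy"               # waited on the queue longer than max_queue_time_ms
RESULT_QUEUE_FULL = "queue-full"   # no slot freed within max_block_seconds


@dataclass
class Operation:
    op_id: int
    enqueued_at: float = field(default_factory=time.monotonic)
    queue_time_ms: float = 0.0
    result: str = ""


class BoundedWorkQueue:
    """Work queue with a hard capacity, a bounded wait for a free slot, and
    per-operation queue-time accounting."""

    def __init__(self, capacity=1000, max_block_seconds=60.0, max_queue_time_ms=None):
        self._q = queue.Queue(maxsize=capacity)
        self.max_block_seconds = max_block_seconds
        self.max_queue_time_ms = max_queue_time_ms
        # Counters of the kind a work queue monitor entry would expose.
        self.num_rejected_full = 0
        self.num_rejected_slow = 0
        self.max_queue_time_seen_ms = 0.0

    def submit(self, op):
        """Request handler side: block up to max_block_seconds for a slot, then
        reject rather than letting the queue grow without bound."""
        try:
            self._q.put(op, timeout=self.max_block_seconds)
            return True
        except queue.Full:
            op.result = RESULT_QUEUE_FULL
            self.num_rejected_full += 1
            return False

    def empty(self):
        return self._q.empty()

    def dequeue(self):
        """Worker side: record how long the operation sat on the queue and
        reject it with "busy" if that exceeds max_queue_time_ms."""
        op = self._q.get_nowait()
        op.queue_time_ms = (time.monotonic() - op.enqueued_at) * 1000.0
        self.max_queue_time_seen_ms = max(self.max_queue_time_seen_ms, op.queue_time_ms)
        if self.max_queue_time_ms is not None and op.queue_time_ms > self.max_queue_time_ms:
            op.result = RESULT_BUSY
            self.num_rejected_slow += 1
        else:
            op.result = RESULT_SUCCESS  # a real worker would process the op here
        return op


def simulate(capacity=2, block_seconds=0.05, max_queue_ms=200.0, worker_delay=0.3):
    """Three submissions into a two-slot queue with no worker running, then a
    worker that arrives, stalls, and resumes. Returns (results in submit
    order, the queue) so the counters can be inspected."""
    wq = BoundedWorkQueue(capacity, block_seconds, max_queue_ms)
    ops = [Operation(i) for i in range(3)]
    for op in ops:
        wq.submit(op)         # op 2 finds the queue full and is rejected after block_seconds
    wq.dequeue()              # op 0 waited about block_seconds: under the limit, processed
    time.sleep(worker_delay)  # worker stalls (e.g. a long GC pause)
    wq.dequeue()              # op 1 waited block_seconds + worker_delay: "busy"
    return [op.result for op in ops], wq
```

The queue time recorded at dequeue is the number that belongs in the access log and the processing time histogram: a rising value with idle CPUs usually means too few worker threads or a client that floods the server with asynchronous requests.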
Add support for creating a special type of equality index that includes an optional filter, such that the index will only be used for search operations whose filter contains both the target filter and an equality component on the target attribute.
Update the work queue monitor entry to include a num-busy-worker-threads attribute which indicates the number of worker threads that are in the process of actively processing a request rather than waiting for new work to do.
Add a new Periodic Stats Logger plugin, which can be used to write various server statistics to a file in CSV format with detailed information about processing that occurred within the Directory Server or PingDirectoryProxy Server, as well as the JVM in which the server is running, within the interval since the last update.
Update the server so that it will return a result of "unavailable" rather than "unwilling to perform" for operations from unauthorized clients when operating in lockdown mode.
Add a number of new access loggers to the server configuration which may be used to troubleshoot problems in the server. One will log information about any operation which did not complete successfully to the logs/failed-ops log file. Another will log information about any operation which takes more than 1000 milliseconds to complete to the logs/expensive-ops file. Another will log information about search operations which did not return any entries to the logs/searches-returning-no-entries file. Of these new loggers, only the one writing to the logs/failed-ops file is enabled by default.
Update the UnboundID work queue to add support for maintaining separate pools of worker threads for read and write operations, which can help minimize the performance impact for read operations in the event that write operations are temporarily blocked by expensive processing (e.g., database contention, I/O backlog, etc.). It is also possible to split worker threads across multiple internal queues for reduced contention. This has been observed to provide significantly improved performance on systems with large numbers of CPUs.
Fix a problem which could cause a replication conflict if two modify DN operations were processed in immediate succession in such a manner that the second operation attempted to rename an entry so that it held the same DN as had previously been used by the entry targeted by the first modify DN operation.
Update the system information monitor entry to include information about the system account being used to run the server and a list of all system properties defined in the JVM.
Update the UnboundID work queue to provide the ability to select the type of queue to be used. Also, update the LDAP connection handler to provide the ability to create a separate request handler thread for each connection, rather than allowing request handlers to potentially read requests from multiple clients.
Add the ability to request that changes written to the server audit log be formatted in a reversible form, such that it will be easier to see exactly what change was made, and revert to the previous values used within the entry if desired. In some cases (e.g., modify DN and delete operations), comments may be used to provide information about the previous state of the entry. Issue:970
Add support for a number of different types of resource limits within the server, including: the maximum number of connections that may be established at any given time, the maximum number of concurrent connections from any client (based on either IP address or bind DN) or group of related clients, the maximum number of operations that may be processed over the life of a client connection, the maximum number of operations that may be processed concurrently for a single client connection, the maximum rate at which a single client or a group of related clients may request operations, the maximum length of time that a client connection may remain established, the types of request controls which may be used, the types of search filters which may be used, the minimum number of characters required in substring filters, and caps on resource consumption allowed during search operations.
Add the ability to compress replication communication between servers. Compression will be enabled by default when communicating with a nonlocal replication server. Issue:1319
Update the dbtest tool to add an option to the list-database-containers subcommand that makes it possible to list information about only a single database. This can help improve the ability to use the tool efficiently in an environment with a very large number of entries.
Add a new global configuration option which makes it possible to specify the maximum length of time that the server shutdown process may take before it attempts to interrupt threads which have not yet completed their processing. In most cases, server threads will react to a shutdown in a timely manner and no interrupt is needed.
Improve the shutdown process so that it is less likely to interrupt database threads in a way that could require a lengthy recovery process at startup. The shutdown time has been improved in the general case, and in the abnormal case the server is more patient and will wait for a longer period of time to allow for a graceful shutdown, periodically providing information about the threads that are still running. Issues:1559,1583
Make a change to the UnboundID work queue in order to provide a small performance improvement.
Update the PingDirectory Server so that access log messages for extended operations now include human-readable names for the operation type in addition to the numeric OID when possible.
Fix a bug in the parallel-update tool that could cause operations to be retried even when the --neverRetry argument was provided. Also, when the tool is configured to retry operations, the reject file will now include the result code and diagnostic message received from the last failure after no more progress can be made, rather than providing a generic message.
Fix a bug in the collect-support-data tool that could cause it to make incorrect use of a password file when capturing the output of the status command. Issue:1593
Update the alert generated in the event of a replication backlog so that it no longer counts replicas that are in the process of being initialized. Issue:1123
Update the SNMP alert handler so that the traps it creates have a more sensible value for the uptime field. Previously, the uptime value was always zero, but it will now reflect the length of time that the PingDirectory Server has been online.
Improve the accuracy of the update-sent and update-received attributes in replication server handler monitor entries.
Fix a problem in which percentages logged during online replica initialization were incorrect after approximately 21 million entries had been processed. Issue:1612
Fix a bug in which LDAP request handlers might not properly close the selectors used to read requests from clients. This could cause a memory leak over time, particularly in servers configured to use the request-handler-per-connection option.
Improve the access log message generated whenever a connection is terminated because of a decoding error encountered while reading data from the client. The message will now include the contents of the packet received from the client, indicating the point at which the problem was encountered.
Update the replication mechanism to improve the order in which changes are replayed, and to adjust the use of locking in the replay process to improve the mechanism for ensuring that dependencies between changes are properly upheld. Issue:900
Fix a bug in the LDAP connection handler in which the server could incorrectly handle a request in which the ASN.1 length of the LDAP message was encoded using multiple bytes that were split across separate packets.
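The bug above is a framing error: the LDAPMessage header (tag plus BER length) was assumed to arrive in one read, and a multi-byte length split across packets was misparsed. The following is an added example, not the server's connection handler, of a framer that stops and waits whenever the header is incomplete and that rejects the encodings LDAP forbids (indefinite length) or that would let a client demand an unbounded allocation (oversized length); the size cap, the error messages and the hex dump of the offending bytes (in the spirit of the improved log message described two entries earlier) are this example's choices:

```python
class DecodeError(Exception):
    """Bytes that cannot be an LDAPMessage; the connection handler would close
    the connection and log the offending bytes."""


class LdapFramer:
    """Splits the byte stream from one client into complete LDAPMessage frames.

    LDAPMessage is a BER SEQUENCE (tag 0x30) with a definite-form length
    (RFC 4511 section 5.1). The length is one byte for values below 128, or
    0x8n followed by n length octets. Nothing here assumes that the tag and
    all length octets arrive in the same read: parsing returns and waits for
    more data whenever the header is incomplete.
    """

    def __init__(self, max_message_size=1 << 20):  # cap is an example value
        self.buf = bytearray()
        self.max_message_size = max_message_size

    def feed(self, data):
        """Append bytes read from the socket; return any complete frames."""
        self.buf.extend(data)
        frames = []
        while True:
            header = self._parse_header()
            if header is None:
                break
            header_len, body_len = header
            total = header_len + body_len
            if len(self.buf) < total:
                break
            frames.append(bytes(self.buf[:total]))
            del self.buf[:total]
        return frames

    def _parse_header(self):
        """Return (header length, body length), or None if more bytes are needed."""
        buf = self.buf
        if len(buf) < 2:
            return None
        if buf[0] != 0x30:
            raise DecodeError("expected SEQUENCE tag 0x30: " + self._dump())
        first = buf[1]
        if first < 0x80:
            return 2, first  # short form: the byte is the length
        if first == 0x80:
            raise DecodeError("indefinite length is not permitted in LDAP: " + self._dump())
        n = first & 0x7F
        if n > 4:
            raise DecodeError("length field of %d octets is unreasonable: %s" % (n, self._dump()))
        if len(buf) < 2 + n:
            return None  # the length octets themselves are still in flight
        body_len = int.from_bytes(buf[2:2 + n], "big")
        if body_len > self.max_message_size:
            raise DecodeError("message of %d bytes exceeds the limit: %s" % (body_len, self._dump()))
        return 2 + n, body_len

    def _dump(self):
        """First bytes of the buffer, for the access log message on a decode error."""
        return "buffer=" + bytes(self.buf[:16]).hex()


def build_message(body):
    """Encode a SEQUENCE around `body`, using the long-form length when needed."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return b"\x30" + length + body
```

Checking the declared length against a maximum before allocating is the part worth keeping even in code that never sees a split packet: a four-byte length field can otherwise ask the server to reserve gigabytes on behalf of an unauthenticated client.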
Fix a bug in which a search operation which was part of an interactive transaction might not use the corresponding database transaction for part of its processing.
Update the PingDirectory Server to provide the ability to re-try the process of generating the index candidate list in the event of a timeout on the first attempt. Previously, if such a timeout occurred, then the server would proceed with the search as unindexed, which could be very expensive.
Improve the process for stopping threads when the server is shutting down, and provide additional debugging information that may be useful if any threads are slow to stop running. Issue:900
Update the ldap-diff tool to take advantage of the stream directory values extended operation when it is available. This can dramatically improve the performance of the tool when attempting to identify the set of all entries in the server. Issue:794
Update the PingDirectory Server to make replication conflict entries invisible under normal circumstances. They will now only be visible in base-level searches, if the filter contains an equality component of "(objectClass=ds-sync-conflict-entry)", or if the request includes a control with OID 1.3.6.1.4.1.30221.2.5.13. Issue:1660
Update the unique attribute plugin so that it will ignore any replication conflict entries when attempting to determine whether a particular attribute value is already in use within the server. Issue:1661
Fix a bug in the implementation of the stream directory values extended operation that could cause it to fail to work properly across subordinate backends.
Update the ldap-diff tool to provide support for reading the DNs of all the entries in one or both directories from files instead of obtaining them over LDAP. In directories which do not support the stream directory values extended operation, this may provide a significantly faster way to obtain this information if it is already available in some form.
Fix a bug in the ldap-diff tool that could cause it to report incorrect percent complete values when comparing data sets of more than 20 million entries.
Change the default access log format to log only a single line per operation containing details of both the request and response rather than separate lines for requests and responses. In the case of the PingDirectoryProxy Server, that single line will also include information about the backend server to which the request was forwarded, although forward failure messages will still be logged as separate lines by default. Issue:1677
Fix a problem that could cause problems with replication in the event that the base entry for a backend (which contains important replication metadata) is deleted. Issue:1003
Update the PingDirectory Server to add support for interrupting the stream directory values extended operation in the event that the client connection is terminated or the request is abandoned or canceled.
Update a number of password storage schemes using salted digests to provide support for salts of arbitrary length rather than requiring them to use a fixed length. This can be useful for encoded passwords imported from external sources.
Fixed a bug in the dsreplication tool that could prevent it from adding a replica into the all-servers group if replication had previously been enabled but was subsequently disabled on that replica. Issue:1674
Fix a bug in the upgrade tool that could cause the same warning message multiple times if the version obtained from the server was different from what was expected (e.g., because a server jar file had previously been replaced without using the upgrade tool). Issue:1640
Modify the default work queue to make use of multiple queues by default, which can improve performance and scalability on multi-CPU systems.
Update the parallel-update tool to add the ability to use the permissive modify request control, which may be used to request that the server ignore attempts to add attribute values which are already present or remove attribute values which are not present.
Update the ldap-diff tool to make it more likely that its output can be replayed without any alteration. The order of operations has been updated so that all deletes are listed first, followed by all modifies, and finally all adds. In addition, all delete operations are ordered such that subordinate entries will always be removed before their ancestors.
Update the implementation of the CRYPT password storage scheme to provide support for the 256-bit and 512-bit SHA-2 digests in the format used by the Linux and Solaris crypt tool. This may make it easier to import existing passwords from accounts in a Linux or UNIX environment.
Update the PingDirectory Server to improve the ability to interrupt the process for priming backends if an attempt is made to abort the startup process.
Update the scripts used to stop the server to prevent them from falling through to try to stop the server over LDAP if the attempt to kill the process fails or times out, since the attempt to stop the server over LDAP would fail without at least the appropriate authentication credentials, and could potentially be dangerous in some contexts.
Change the process for selecting the salt used to encode passwords during LDIF import processing so that the salt is computed in a deterministic manner but that will be different for every entry. This makes it possible to preserve resistance to dictionary attacks while ensuring that passwords will be encoded in a consistent manner if the same LDIF file containing clear-text passwords is imported into multiple servers. Previously, this could cause problems if attempts were made to establish replication between those servers. Issue:1142
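Two of the entries above concern password salts: salted-digest schemes now accept salts of any length, and LDIF import now derives each entry's salt deterministically so that the same clear-text LDIF encodes identically on every server while still giving every entry a different salt. The following is an added example (not the server's storage scheme code, whose exact derivation of the import salt is not documented here) that shows both ideas for the {SSHA} scheme: the salt is simply whatever follows the 20-byte digest, and the import salt is derived as an HMAC of the normalized DN under a key shared by the servers, which is one way to satisfy the stated requirements:

```python
import base64
import hashlib
import hmac

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes; the salt is whatever follows


def encode_ssha(password, salt):
    """{SSHA} = base64( SHA-1(password || salt) || salt ). Nothing in the
    format records the salt length, so a salt of any length can be stored."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def stored_salt_length(encoded):
    """Length of the salt carried by a {SSHA} value."""
    return len(base64.b64decode(encoded[len("{SSHA}"):])) - DIGEST_LEN


def verify_ssha(password, encoded):
    """Verify against a {SSHA} value whose salt may be of any length: the salt
    is every byte after the digest, not a fixed-size tail."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an SSHA-encoded password")
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    if len(raw) < DIGEST_LEN:
        raise ValueError("encoded value is shorter than the digest")
    stored_digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    computed = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(computed, stored_digest)  # constant-time compare


def import_salt(dn, import_key, length=8):
    """Deterministic per-entry salt for LDIF import (this example's derivation,
    not the server's): HMAC-SHA256 of the lowercased DN under a key shared by
    the servers being loaded, truncated. The same DN and key give the same
    salt on every server; different DNs give different salts, so a dictionary
    attack still has to be repeated per entry."""
    mac = hmac.new(import_key, dn.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.digest()[:length]


def import_password(dn, clear_password, import_key):
    """Encode a clear-text password from an LDIF entry for import."""
    return encode_ssha(clear_password, import_salt(dn, import_key))
```

A verifier that hard-codes the salt length (for example, assuming the last 4 or 8 bytes) silently rejects valid passwords imported from systems that used a different length; taking everything after the digest as the salt is what makes the scheme accept externally encoded values.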
Update the system information monitor entry to include information about all environment variables defined in the server process. In addition, it will now attempt to determine and report the process ID of the JVM in which the server is running.
Update the logic for sending an e-mail message from the server so that it will always attempt to determine the fully-qualified name of the system to include in the HELO/EHLO request. In the event that the fully-qualified name cannot be determined, then the IP address of the server will be used rather than using an unqualified name. Issue:1337
Update the server to make it possible to configure the length of time that name-to-IP address mappings may be cached within the server. This may be useful in environments in which the addresses associated with a particular hostname may change frequently. Issue:941
Update the upgrade and revert-upgrade tools to ignore directories that contain backup files. Issue:1143
Update the schema backend to make it possible to replace the schema using an LDIF import, and to fix a problem that could occasionally cause multiple values to be reported for the createTimestamp and modifyTimestamp attributes. Issue:1441
Update the PingDirectory Server to make the implementation of the show-all-attributes configuration option in the schema and root DSE backends more robust, particularly for client requests that explicitly request a specific set of attributes. Issue:1590
Updated the logic used to identify previous log files that had been rotated so that only files with names that might have been created by the rotation process will be candidates for removal by the retention policy. Issue:1285
Update the PingDirectory Server to add a search shutdown plugin which can be used to perform a specified internal search when the server is shutting down and have the results of that search written to a specified file. This may be useful, for example, to automatically dump the contents of the monitor backend on shutdown. Issue:1334
Fix a potential bug in the access control handler to correct its behavior for access control rules with a deny action without any target attribute specification. Issue:1269
Update the server so that when creating a duplicate of an existing configuration object, some key properties may be excluded from the clone so that they must be explicitly configured by the administrator rather than automatically using the same value as the object being duplicated. This can help prevent problems in which a duplicated value was inadvertently used. Issue:1675
Add support for a new CLIENT-CERTIFICATE access log message type which can be used to log information about any certificate presented by a client when negotiating a secure communication channel. Issue:1756
Update the PingDirectory Server to provide an option to automatically authenticate clients that have presented their own certificate during SSL or StartTLS negotiation. This option is disabled by default. Issue:1748
Update the replication mechanism to generate an administrative alert if too many outstanding changes are detected at startup. In addition, the server will place itself in a degraded operation mode until the backlog has been reduced below a configured threshold. Issue:1606
Fix a bug in the upgrade tool that could cause it to behave incorrectly if the server contained custom extensions. Issue:1469
Fix a bug that may cause intermittent failures for search operations with large result sets when SSL or StartTLS is in use. Issue:1330
Update the replication server to provide the ability to listen for communication with other replication servers only on a specific address rather than all addresses associated with the system. Issue:940
Fix a bug in replication monitor entries that could cause the server to incorrectly report that another replica was up to date if a response could not be obtained from that replica in a timely manner. The monitor will now reflect the last known state of that replica rather than always reporting that it is up to date. Issue:1607
Add a plugin which may be used to allow the server to act as an SNMP sub-agent rather than requiring it to always operate only as a master agent. Issue:1723
Update the PingDirectory Server to fix a bug that could interfere with the ability to use compressed communication with replication servers. Issue:1708
Update the PingDirectory Server so that the firstChangeNumber and lastChangeNumber attributes are included in the set of operational attributes which may be treated as user attributes if the show-all-attributes option is enabled. Issue:1825
Fix a bug in the server in which the namingContexts attribute of the root DSE could incorrectly contain DNs which are subordinate to other DNs already present in the list of naming contexts (e.g., if the server is configured with subordinate backends or nested subtree views).
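Two entries in this release depend on reasoning about DN hierarchy: the ldap-diff ordering described earlier (deletes first, subordinates before their ancestors, then modifies, then adds) and the namingContexts fix above (a DN that sits below another listed DN should not be advertised separately). The following is an added example, not ldap-diff's or the server's code, with constructed inputs; DN components are lowercased and whitespace-trimmed for comparison, which is a simplification of the server's matching-rule based normalization, and adds are ordered parent-first, which the page does not state but which replaying an add of a child before its parent would otherwise break:

```python
import re

# Constructed inputs, not from the page.
NAMING_CONTEXTS = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",  # subordinate backend under dc=example,dc=com
    "o=Other",
]
LDAP_DIFF_CHANGES = [  # (changetype, dn), in the order a naive diff might emit them
    ("add", "ou=People,dc=example,dc=com"),
    ("delete", "ou=Old,dc=example,dc=com"),
    ("modify", "dc=example,dc=com"),
    ("add", "uid=a,ou=People,dc=example,dc=com"),
    ("delete", "uid=x,ou=Old,dc=example,dc=com"),
]


def dn_components(dn):
    """Split a DN into its RDN strings on unescaped commas. The regex consumes
    backslash escapes as pairs, so "\\," stays inside a component and "\\\\"
    followed by a real comma still splits (RFC 4514)."""
    return [c.strip().lower() for c in re.findall(r"(?:[^,\\]|\\.)+", dn)]


def is_subordinate(dn, ancestor):
    """True if `dn` lies strictly below `ancestor`."""
    d, a = dn_components(dn), dn_components(ancestor)
    return len(d) > len(a) and d[-len(a):] == a


def prune_naming_contexts(dns):
    """Keep only DNs that are not subordinate to another DN in the list, which
    is what the root DSE's namingContexts attribute should advertise."""
    return [dn for dn in dns if not any(is_subordinate(dn, other) for other in dns)]


def order_for_replay(changes):
    """Order (changetype, dn) pairs so that the output can be replayed as-is:
    all deletes first, deepest entries before their ancestors; then all
    modifies; then all adds, shallowest first so parents exist before children."""
    rank = {"delete": 0, "modify": 1, "add": 2}

    def key(change):
        changetype, dn = change
        depth = len(dn_components(dn))
        ordered_depth = -depth if changetype == "delete" else depth
        return (rank[changetype], ordered_depth, dn.lower())

    return sorted(changes, key=key)
```

Sorting by depth is sufficient here because a delete of a subtree can only fail on a non-leaf entry, and every entry deeper than it is removed first; it does not require that the deeper entries actually be its descendants.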
Update the server to generate an administrative alert when starting or completing an index rebuild, and to mark that server as degraded while the rebuild is in progress. Issue:1603
Update the PingDirectory Server to add official support for LDAP transactions as defined in RFC 5805. This implementation is identical to the existing support for batched transactions, but now uses the official OIDs for the controls and extended operations as defined in the RFC. Issue:1811
Add a tool which may be used to dump the DNs of all entries below a specified base DN in the server. This tool uses the stream directory values extended operation and may therefore operate in a very efficient manner.
Update the setup process so that the server will be configured without an LDAP connection handler if the "--no-prompt" argument is provided without an "--ldapPort" argument. This option is only available for use when using the non-interactive setup mechanism. Issue:1759
Update the server to improve logging performance under heavy load, particularly on systems with relatively slow single-threaded performance.
Update the replication mechanism to help avoid cases in which a replication server may be flooded with the same set of changes from multiple servers after being offline for an extended period of time. Issue:1815
Change the behavior of the dsconfig tool when creating a new configuration object so that the user will first be prompted about whether to create a completely new configuration object or clone an existing object. This simplifies the interface and makes it less likely that an administrator will incorrectly attempt to clone an existing object rather than creating a new one. Issue:1747
Fix a bug that could potentially cause an error message to be reported when attempting to access a database in read-only mode when that database did not contain compaction information for all base DNs associated with that backend. This could cause unexpected errors in some rare corner cases (e.g., attempting to perform an LDIF export of a backend that has never been initialized and does not contain any database files). Issue:1114
Update a number of access log retention policies to make them more robust and to fix bugs that could prevent old log files from being removed when the appropriate conditions were met. Over long periods of time, this could potentially cause available disk space to run low and necessitate the manual removal of files to avoid running out of space. Issue:1867
Update the dsreplication tool so that when operating on an existing server (e.g., to initialize or disable a server), the user is allowed to choose the target server from a list rather than being prompted to enter all of the information for connecting to the server. Issues:1613,1893
Update the PingDirectory Server to add the ability to limit the number of unindexed searches which may be in progress at any given time. This can help avoid problems in cases in which unindexed searches may be occasionally required if the client issuing those searches does so too frequently and consumes all available worker threads.
Update the PingDirectory Server to make it possible to prioritize the way that information is stored in the database cache. It is now possible to indicate that contents of some system or attribute indexes should be considered high priority, while the contents of others should be considered low priority or perhaps not cached at all. This capability may be useful to achieve optimal performance and memory behavior on systems which do not have enough memory to fully cache all database contents.
Modify the upgrade process so that schema definitions are always migrated before the configuration. In some rare cases, attempting to migrate the configuration before the schema could lead to failures in the upgrade process. Issue:1812
Update the server to include more useful information in access log messages reporting the closure of a client connection as a result of an I/O error.
Update the changelog backend so that changelog records for deleted entries may include the values of a specified set of virtual attributes associated with an entry at the time it was removed. Issue:1897
Fix a bug in the PingDirectory Server in which it could potentially return entries that were outside the requested search scope when processing a search across subordinate backends. Issue:1934
Fix a potential problem in the replication server that could cause attempts to communicate with other replicas to fail if any of them were in a state in which they accepted TCP connections but did not respond to any communication attempts. Issue:1434
Fix a potential bug in replication that may cause delete operations made in quick succession to be replayed in an incorrect order in a manner that could result in failures if those entries had a hierarchical relationship. Issue:1701
Update the repeated characters password validator to provide the ability to reject a password if it contains multiple consecutive characters from the same character set, rather than only rejecting passwords with the same character repeated too many times. Issue:1940
Add support for a new regular expression password validator which can be used to require that all passwords match a given pattern, or to reject any password which matches a given pattern. Issue:1941
Update the dsreplication tool to better handle scenarios in which the name provided by a user to reference a server does not match the name stored for that server in the administration data repository. Issue:1613
Modify the upgrade tool so that it will not attempt to initialize the replication subsystem during upgrade processing. Issue:1953
Update the PingDirectory Server to fix potential problems in its support for SSL or StartTLS communication if the server was not able to access a complete block of encrypted information at once. Issue:1330
Fix a bug that could prevent a disabled access logger from being removed from the server configuration.
Update the server to prevent multiple loggers from being configured with the same target log file. Issue:1676
Update the PingDirectory Server so that it will generate an administrative alert if an attempt to initialize a backend fails. Previously, this would have resulted in a message written to the error log but would not have caused an administrative alert. Issue:1475
Update the PingDirectory Server to add the ability to identify that some databases within a backend should be primed in their entirety while others should have only their internal nodes primed.
Update the PingDirectory Server to introduce a significantly more compact encoding for the index which correlates entry DNs and entry IDs.
Update the PingDirectory Server to add the ability to prime the contents of a backend to the file system cache using non-sequential reads in a manner to attempt to overcome the limitation imposed by file systems like ZFS that prevent extended sequential reads from being cached. Also, make it possible to configure multiple prime methods for a single backend.
Significantly revise the upgrade tool in an attempt to make it more robust and minimize the amount of work required for performing an upgrade. Issues:1927,1931,2031,2037
Add support for a new search-and-mod-rate command line tool which operates in a manner similar to the searchrate tool but that will also modify any entries returned from the search.
Modify the way that the PingDirectory Server compresses entries for storage in the JE backend. The previous implementation caused the server to consume a significant amount of memory, which eliminated any potential benefit of compressing the entries.
Fix a potential bug in the way that the search time limit is enforced that could cause a time limit exceeded result to be returned too soon in a rare corner case.
Update the PingDirectory Server so that access log messages for replicated changes may optionally include the replication change number.
Rename the upgrade tool to be "update", and rename the revert-upgrade tool to be "revert-update".
Update the PingDirectory Server to add support for removing replication artifacts from the server. A new "-R" option has been provided to the export-ldif tool that can cause the resulting LDIF file to exclude replication state information, and a cleanup-local-server tool has been added that can be used to remove all replication-related information from the configuration, schema, and server registry. Issue:1913
Update the dsreplication tool so that when disabling replication in a server, all replication state is removed from the disabled backends and historical values are removed from the server registry. Issue:1913
Update the PingDirectory Server to fix a bug in access control evaluation that could cause evaluation to be performed incorrectly for filters containing a NOT component. This may cause the server to incorrectly prevent clients from seeing search result entries that they should be allowed to access. Issue:1757
Update the PingDirectory Server to log information during task processing that may not have been previously captured in the task entry. This primarily impacted LDIF import and export tasks, and index rebuild and verify tasks.
Update the PingDirectory Server to correctly handle delete operations which included the subtree delete request control. Issue:2066
Update the PingDirectory Server to provide the option to use a dedicated evictor thread for evicting content from the database cache. This may help provide better and more consistent performance in environments which do not have enough memory to fully cache all database contents.
Update the PingDirectory Server so that it will prefer to connect to a co-resident replication server under most conditions rather than connecting to an external replication server instance. Issue:1946
Update the PingDirectory Server to make the lockdown-mode privilege usable by non-root users. Issue:1109
Update the server so that it includes a patch version number in addition to the existing major, minor, and point version numbers. This can help better distinguish versions with the same major, minor, and point version numbers which differ only based on patches applied.
Update the PingDirectory Server to abort the startup process with an error message if the admin data backend includes a malformed entry. Previously, malformed entries in the admin data backend would be silently ignored. Issue:2049
Update the PingDirectory Server to make the online replica initialization process significantly more efficient. Issue:1915
Update the dsreplication tool to warn the user if the supplied hostname is not fully qualified, which may cause problems in environments with multiple subdomains. Issue:2093
Update the PingDirectory Server so that the schema backend uses a new 99-schema-backend-state.ldif file to store state information rather than including it in 99-user.ldif. Issue:1056
Fix a problem with the way that schema replication could be performed if the schema was modified with the server offline and those modifications included malformed schema elements. Issue:986
Update the collect-support-data tool to change the way that the jstack tool is invoked to dramatically reduce the impact that it has on the running process. Issue:2038
Update the PingDirectory Server to add the ability to collect high-precision timing for various phases of operation processing. A new operation timing access logger is available that can be used to get access to this information.
Update the access logger so that updates to replica state information in the base entry for a replication domain are excluded by default. Issue:1804
Update the dsreplication tool so that it is less likely to incorrectly warn an administrator that the initialization process has hung. Issue:1952
Update the export-ldif and verify-index tools so that they can be used against a server whose database files are contained on a read-only file system, including a ZFS snapshot. Issue:71
Update the PingDirectory Server to dramatically improve the performance exhibited when making topology changes to a large replication environment. Issue:2061
Update the PingDirectory Server to add the ability to monitor the process of opening a Berkeley DB Java Edition environment for a backend. In the event that the open process takes a significant amount of time (e.g., because a database recovery is in progress), the server may notify the administrator that startup is still active and direct them to the JE log file for potential information on the progress of opening the environment. Issue:967
Update the alert backend to be able to handle entries with unrecognized alert types. This is unlikely to occur in normal conditions, but could cause a problem in deployments in which the server was upgraded and subsequently reverted, and an alert was generated in the upgraded server that uses an alert type not defined in the older version. Issue:2126
Change the way that the worker thread percent busy values are calculated in the work queue monitor entry to make them more accurate. Also, add new recent-average-queue-size and current-worker-thread-percent-busy monitor attributes. Issue:1982
Update the PingDirectory Server to require Berkeley DB Java Edition version 3.3.100.
Update the PingDirectory Server to provide the ability to detect the addition of new tools when updating from one version to another. If one or more new tools are provided, the java.properties file will be updated to provide an appropriate JVM configuration for them. Issues:2148,2150
Update the dsreplication tool so that the status subcommand includes the ability to determine if an external initialization is in progress. Issue:1309
Add a new pre-parse bind plugin that can be used to intercept a simple bind request and convert it to a SASL EXTERNAL bind under the appropriate conditions. This may be necessary to provide compatibility for some broken LDAP clients (in particular Microsoft Outlook) which expect the server to automatically authenticate the client using the provided certificate and then ignore any subsequent anonymous simple bind.
Update the PingDirectory Server so that it will generate an administrative alert and place the server in a degraded state if a failure is encountered while initializing the replication server. Issue:2052
Modify the update process to require that the system user performing the update is the same as the system user used to run the server. This will help prevent files from being created or altered during the update process with permissions that would prevent the server from being able to access them when the server is started as the appropriate user. Issue:2158
The SNMP MIB files have been moved to resource/mib. There are now no differences in the alert MIB provided with PingDirectory Server and PingDirectoryProxy Server. Issue:2170
Modify the update tool to ensure that the documentation is updated for the new release if appropriate. Issue:2178
Update the dsconfig tool and the Web administration console so that they inform the administrator of any administrative action (e.g., disabling and re-enabling the specified component, or restarting the server) that may be required as a result of a configuration change to be made. Issues:211,2132
Update the subject attribute to user attribute certificate mapper to provide support for VeriSign certificates whose subject contained an emailAddress attribute with an unusual encoding. Issue:2177
Update the PingDirectory Server support for the LDAP join control to include a new reverse DN join rule type, which can be used to perform joins in which the target entries include a specified attribute with a value that is the DN of the source entry. Issue:2218