UnboundID Directory Proxy Server Release Notes


Directory Proxy Server

Following are notes for version of the UnboundID Directory Proxy Server. Notes for the following versions of the Directory Proxy Server are also available in this document:

Resolved Issues

The following issues have been resolved with this release of the Directory Proxy Server:

  • Update the replication backlog health check to make the monitor searches more efficient. Issue:DS-9229

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Delete requests going through an entry balancing request processor no longer require the requester to have permission to use the pre-read request control on the backend servers. The pre-read request can be used to keep the global index up to date for deleted entries, but it requires explicitly adding permission for this control on the backend servers. This functionality can be enabled by setting the advanced "global-index-update-method-for-deletes" configuration option for entry balancing request processors to "pre-read-request-control." Issue:DS-10961 SF#:2260

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Added additional logic for maintaining the global index and preventing duplicates when adding, deleting, or renaming entries with the same DN. Issue:DS-10468 SF#:2183

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

No information is available

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Improve performance for proxy transformations. Issue:DS-7351 SF#:1806

  • Fix an issue where dsconfig could apply changes to multiple servers in a failure situation even though it claimed that no changes were applied. Issue:DS-8677

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Address a server performance degradation when the separate-monitor-entry-per-tracked-application property of Processing Time Histogram Plugin was set to true. Issue:DS-7045

  • Fix a bug in dsconfig that prevented going back when adding a new configuration object inside of an existing one. Issue:DS-7263 SF#:1793

Directory Proxy Server

New Features

These features were added for version of the Directory Proxy Server:

  • The Metrics Engine is a core server product that collects and aggregates key diagnostic, capacity, and usage information from an UnboundID server topology consisting of instrumented Directory Server, Directory Proxy Server, and Synchronization Servers running release and above. Metrics data can be explored and graphed using the included query-metric tool, and the Metrics Engine REST API makes this information available to custom applications and third-party systems. To learn more about the Metrics Engine, please refer to the UnboundID Metrics Engine Administration Guide.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Directory Proxy Server:

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Fix a bug that allowed ModDN Operations on a proxy with entry balancing to duplicate an existing entry dn. Issue:DS-6866 SF#:1753

  • Add help text to web console deployment descriptor with JBoss compatibility tips. Issue:DS-6976 SF#:1749

Directory Proxy Server

New Features

These features were added for version of the Directory Proxy Server:

  • Server SDK extension bundles may now be installed and updated using the manage-extension tool. For information about using the tool and building and packaging extensions, please refer to the UnboundID Server SDK documentation.

  • The server now includes an HTTP Connection Handler that can be used to provide HTTP access to the server. An HTTP Connection Handler can be configured to reference either an HTTP Servlet Extension written with the Server SDK or a standard web application (via a Web Application Extension configuration object). For more information, please refer to the Configuring HTTP Access for the Directory Server section of the Configuring the Server chapter in the UnboundID Directory Server Administration Guide.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Directory Proxy Server:

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Fix an issue where multiple server configuration changes would fail if any of the servers were configured with an LDAPS (SSL) connection handler. Issue:DS-5100

  • Update the collect-support-data tool to include the equivalent of jstack output for IBM VMs on non-AIX platforms. Issue:MON-5027

  • Enhance configuration change detection for Locations used in Load Balancing Algorithms. Issue:DS-5105 SF#:1582

  • Fix a bug in proxy console where Monitor Dashboard failed to render properly in an entry balanced environment. Issue:DS-5345

  • Add the ability to specify a reason when entering and leaving lockdown mode. This is recorded in the logs and in the alerts that are generated. Issue:DS-5331

  • Update the server to provide the ability to customize the client connection policy that is used for internal operations. Previously, the server would always use an internal policy that only knows about local backends, but in the Directory Proxy Server, this could prevent internal operations from accessing content in backend servers.

    The Server SDK has also been updated to provide ClientContext and OperationContext methods that make it possible to get internal connections using either the server's configured default internal client connection policy or the policy associated with the client connection on which the request was received. Issue:DS-5553

  • Fix a bug that could cause the server to pass the old configuration into the isConfigurationChangeAcceptable method for a number of types of Server SDK extensions. Issue:DS-5597

  • Update the server to support tracking LDAP operation processing statistics on a per application basis. Applications are identified using Connection Criteria referenced from the tracked-application property of the Global Configuration. The Processing Time Histogram Plugin and Periodic Stats Logger Plugin include settings to control whether per-application statistics are exposed in the monitor and logged to CSV files. Issues:DS-270,DS-5241

  • Update the Server SDK to provide extensions a way to dynamically register their own monitor providers with the server, without requiring any server-side configuration objects. Issue:DS-5271

  • Add workaround in SSL processing to detect potential buffer underflow or renegotiation even when processing appears to be OK. Issue:DS-5748 SF#:1636

  • Fix a bug where method level debug tracing could cause extraneous logging from other methods in the same class. Issue:DS-5760 SF#:1636

  • collect-support-data now excludes binary files unless --includeBinaryFiles is specified. Issue:DS-4260

  • Add a new servlet extension that can be used to serve static content like HTML pages, images, or other kinds of files. Issue:DS-5827

  • Add support for a new UNBOUNDID-TOTP SASL mechanism that uses the time-based one-time password mechanism as described in RFC 6238. This mechanism uses a base32-encoded shared secret stored in the user entry in conjunction with the current time to generate a temporary password that may be used during the authentication process. The one-time password may also be used in conjunction with a static password (e.g., as stored in the userPassword attribute) for a form of multifactor authentication which requires both knowledge of that static password and a device capable of generating the appropriate one-time password.

    The Google Authenticator app (which is available for Android, iOS, and BlackBerry devices) supports TOTP and can be used to generate the appropriate one-time password. The UnboundID LDAP SDK for Java has also been updated with support for generating TOTP passwords, and includes support for the UNBOUNDID-TOTP SASL mechanism. Issue:DS-5852
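The TOTP computation this mechanism relies on, shown as an added example that is not code from the server or the UnboundID LDAP SDK: RFC 6238 (HMAC-SHA1 over a 30-second time counter, dynamic truncation) applied to a base32 shared secret of the kind stored in the user entry, checked against the RFC's own test vectors. The one-step verification window in `verify_totp` is an assumption for illustration, not a documented server setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret ("12345678901234567890" in ASCII), base32-encoded
# the way a TOTP shared secret would be stored in a user entry. Constructed for the tests.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(base32_secret: str) -> bytes:
    """Decode a stored base32 secret, tolerating lower case and omitted '=' padding."""
    cleaned = base32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(base32_secret: str, at_time: Optional[int] = None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    # HMAC over the 8-byte big-endian counter.
    mac = hmac.new(decode_base32_secret(base32_secret),
                   struct.pack(">Q", counter), digest).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window,
    # whose top bit is masked off before reducing to the requested digit count.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(base32_secret: str, candidate: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the code for the current step and
    up to `window` adjacent steps to absorb clock skew, comparing in constant time."""
    if at_time is None:
        at_time = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for skew in range(-window, window + 1):
        expected = totp(base32_secret, at_time + skew * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # T = 59 is the first RFC 6238 SHA-1 vector: 94287082 (8 digits).
    print(totp(RFC6238_TEST_SECRET_B32, at_time=59, digits=8))
```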

  • Add code to support proxy transformations on failed operations. Issue:DS-5856

  • Change proxy setup to prevent modification of external servers to establish trust. This should be handled manually by the administrators of the server installation. Issue:DS-5866

  • Fix an issue where DirectoryThreads did not set their context classloader to the one provided by our ClassLoaderProvider. This caused all the threads in the server to use the system classloader by default, which only has access to the classes specified on the classpath (i.e., the core server libraries under the /lib directory). This becomes problematic if one of these threads calls into a library that uses Thread.getContextClassLoader() to load a class that is outside of the core server libraries (for example in an extension library). In this case it would use the system classloader and subsequently throw a NoClassDefFoundError. Issue:DS-5876

  • Fix a bug where peer installs were updating servers of the wrong type from the master server's ADS. Issue:DS-5552

  • Update the HTTPConnectionHandler to use Jetty version 8.1.0, which fixes several problems in the IO layer with respect to the latest JVMs and browsers. Switch the configuration to use Jetty's more efficient NIO socket connectors instead of the traditional blocking socket connectors. Issues:DS-5622,DS-5900

  • Change prepare-external-server to allow not supplying a trust store password in non-interactive mode, which will force the script to only trust the servers that are already present. Issue:DS-5872

  • Add a new property override-local-password to the Pass Through Authentication Plugin. With the default value of false, the plugin attempts the bind remotely only if the local bind fails because no local password is defined. When set to true, it attempts the bind remotely if the local bind fails for any reason.

    The new override-local-password property changes the default behaviour of the Pass Through Authentication Plugin. To restore the previous behaviour, change the value to true. Issue:DS-5766

  • Fix an issue where the Proxy Server could process a Get Changelog Batch includeBase incorrectly. A request was sometimes forwarded to a Directory Server that did not need to process the request. Issue:DS-4868

  • Fix a problem where the collect-support-data tool could timeout when connecting over SSL, or prompt the user to verify the server certificate even when the --no-prompt argument was specified. Issue:DS-4823

  • Fix a bug that prevented ldappasswordmodify from working through the proxy when a user attempts to modify their own password. Issue:DS-5997 SF#:1667

  • Add an advanced property to the Search LDAP Health Check configuration to specify whether the administrative operation request control should be used for the search. The default behavior is unchanged (i.e., the administrative operation control is used if the external server is an UnboundID server). Issue:DS-5433

  • Fix an issue in the Admin Alert Health Check where a health check score would not be lowered if the server was already in the degraded state and the degradation became worse. Issue:DS-4405

  • Changes to the location property in the global configuration now require a server restart. Issue:DS-5901

  • Fix a bug that caused many command-line tools to output to stderr rather than stdout. Existing scripts that depend on the old behavior may need to be modified in order to continue working correctly. Issues:DS-3610,DS-4195

  • Change password policy processing on the Proxy Server to not attempt any validation that can only be done on the Directory Server; in these cases the Proxy Server will rely on the Directory Server providing the authoritative password policy. Issue:DS-6097

  • Update the file format used by "dsconfig --batch-file" to support using '\' as a line continuation character. If the last character on a line is a '\', then it will be removed and the following line concatenated on to it. Issue:DS-635

  • Allow load-balancing algorithms to be selected based on connection criteria or request criteria. A proxying request processor may now specify a list of criteria-based load-balancing algorithms, which permits an alternate load-balancing algorithm to be selected for requests that match the criteria. Issue:DS-5987 SF#:00001683

  • Remove the "Custom" type from the list when creating new objects in dsconfig. This was often confused with the "Third-Party" and "Groovy Scripted" types when users intended to create a Server SDK extension. Issue:DS-5229

  • Assigned NO-USER-MODIFICATION to the following directoryOperation attributes:

    ds-sync-conflict, changelog-add-entry, changelog-deleted-entry, changelog-modify-changes, compact-after-values, compact-before-values, compact-entry-key-attrs, ds-private-naming-contexts, ds-pwp-auth-failure, ds-pwp-last-login-time, ds-pwp-password-changed-by-required-time, ds-pwp-reset-time, ds-pwp-warned-time, pwdReset

    These attributes will no longer be modifiable over LDAP.

    The dsreplication cleanup-local-server subcommand will no longer generate a cleanup-backends.ldif file to remove the replication-related attributes from the backend. Instead, the user needs to rely on import/export to clean affected backends. Issue:DS-4718

  • Update ldap-diff to use the schema of the target server when comparing entries. This enables comparing entries whose DNs include case-sensitive components. Issues:DS-2748,DS-6197

  • A new property named obscure-attribute on the audit logger allows specified attributes to have their values obscured in the audit log. The default setting for the Proxy Server is to obscure the userPassword and authPassword values. Each value of an obscured attribute is replaced in the audit log with a string of the form "***** OBSCURED VALUE *****". The default setting for Directory Server is not to obscure any attributes, since the values of password attributes appear in hashed form rather than in the clear. Issue:DS-5278
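An illustration of the obscuring rule described above, added here as an example and not the server's own audit logger code: each value of a configured attribute in an LDIF change record is replaced with the placeholder string, including base64 ("::") values, attributes carrying options, and values folded across continuation lines. The audit record is a constructed sample.

```python
OBSCURED_PLACEHOLDER = "***** OBSCURED VALUE *****"
# The Proxy Server default named in the release notes; names are matched case-insensitively.
DEFAULT_OBSCURED_ATTRIBUTES = frozenset({"userpassword", "authpassword"})

# Constructed sample: a modify audit record with a base64 password value and a folded line.
SAMPLE_AUDIT_RECORD = """\
# constructed sample audit record
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
-
replace: description
description: Constructed value with a colon: kept as is, even when fol
 ded across two LDIF lines
-
"""


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (a leading single space continues the
    previous line) so that every logical attribute line is one string."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def obscure_record(text: str, attributes=DEFAULT_OBSCURED_ATTRIBUTES) -> str:
    """Return the record with every value of the named attributes replaced.

    Only the attribute-name position is matched, so a change-record line such
    as 'replace: userPassword' is left intact while 'userPassword: ...' and
    'userPassword:: ...' lines are obscured.
    """
    out = []
    for line in unfold_ldif(text):
        if line.startswith("#") or ":" not in line:
            out.append(line)          # comments, '-' separators, blank lines
            continue
        name, _, _value = line.partition(":")
        # Drop attribute options (e.g. ';binary') before comparing the base name.
        base_name = name.split(";", 1)[0].strip().lower()
        if base_name in attributes:
            # The placeholder is plain text, so it is always written with a single colon.
            out.append(f"{name}: {OBSCURED_PLACEHOLDER}")
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(obscure_record(SAMPLE_AUDIT_RECORD))
```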

  • Fix a bug that allows users with expired passwords to change attributes in their own entry other than password. Issue:DS-6054

  • Modify the ldap-diff tool to add LDAP connection options for SSL, StartTLS, and SASL authentication. Issue:DS-6034

  • Update the status tool to fix an issue in which the tool may fail to connect to the server to retrieve some status information when the --no-prompt option is specified. Issue:DS-5989

  • Update the Server SDK to make it possible to create an internal connection that behaves like an external connection and is subject to its constraints. Issue:DS-5851

  • Update the Directory Proxy Server to respect the size-limit, time-limit, and idle-time-limit specified on the proxied user entry (if they are present). These are specified by the ds-rlim-size-limit, ds-rlim-time-limit, and ds-rlim-idle-time-limit attributes. Issue:DS-1257

  • Fix a bug that prevented searching against an entry balanced environment with a compound filter that contained equality and presence component filters. Issue:DS-6423 SF#:1717

  • Fix an issue where the out-of-the-box server required more memory than it should have, because of how the DictionaryPasswordValidator stored its word dictionary. The memory usage has been reduced by roughly 35MB. Issue:DS-6040

  • Fix an issue where failures encountered during processing of the route-to-server control were not handled correctly. An operation could have been retried on a server where the operation had just failed, rather than selecting a different server. Also, the server could have made one more retry than should have been permitted, and this could have increased the length of time required to process the operation. Issue:DS-4650

  • Updated the server to support hosting of standard web applications using the HTTP Connection Handler. Issue:MON-754

  • Provide Directory Server and Proxy Server support for GetChangelogBatch options to control whether to return changes for modify or delete of soft-deleted entries. Issue:DS-6362

  • Update the Directory Server to apply access controls when processing the GetAuthorizationEntryRequestControl. Issue:DS-854

  • Add support for soft deletes and undeletes to parallel-update. Issue:DS-6408

  • Provide an argument to the setup tool to configure the server to automatically include verbose garbage collection output in the server.out log file. Issue:DS-5681

  • On Linux, the server and its tools now attempt to raise the limit on maximum user processes to 16,383 if the current value reported by ulimit is less than that. This is because Linux counts a thread as a user process, and some recent Linux distributions have a very low default value for max user processes. Issue:DS-6410

  • Update dsconfig so that inclusion of the --advanced option will list expert-level objects. Issue:DS-6652

  • Improve the prompt that is displayed by command-line tools when establishing a secure connection to a server when no trust manager was specified and the server certificate should not be automatically trusted. The information is formatted more neatly, and the prompt will now include MD5 and SHA-1 versions of the certificate fingerprint and information about the issuer certificate chain if appropriate. There will also be an additional warning if the certificate is self-signed. Issue:DS-5127

  • Update tools that can perform LDAP SASL authentication to add support for the UNBOUNDID-TOTP SASL mechanism that can be used for multifactor authentication. Issue:DS-6676

  • Update the LDAP connection handler so that any attempt to explicitly configure the allowed SSL protocols and/or cipher suites will be validated before being put into service. Any attempt to use an unsupported protocol or cipher suite will be rejected with an error message including the acceptable values. Issue:DS-6663

  • Fix an issue where the reload-index tool did not reload indexes for all entry-balancing request processors matching a given base DN. Issue:DS-6405

  • Update the ldifsearch tool so that it will no longer report errors for entries that violate the server schema by default. This behavior can be restored using the new --checkSchema option. Also, update the ldifmodify tool to provide better schema checking by default, and to add a --noSchemaCheck option that allows it to work with LDIF files and change sets that violate schema constraints. Issue:DS-4326

  • Fix an issue where the Proxy Server might not return the Password Expired control to the client in response to a Bind operation (depending on which entry-balancing data set the user entry resided in). The Password Expiring and Password Policy response controls were also affected. Issue:DS-6600 SF#:00001738

  • Add a new WebAppServerContext interface to the Server SDK, which can be used by web applications running in the server to interact with the server by doing things like invoking internal operations, registering change listeners and monitor providers, performing logging and debugging, and generating administrative alerts. The new WebAppServerContextFactory class may be used to obtain a server context instance. Issue:DS-6723

  • Update the JMX Connection Handler configuration to issue a warning if it is enabled. On some JVMs, enabling this aspect of JMX can lead to long garbage collection pauses. Issue:DS-6832

Directory Proxy Server

New Features

These features were added for version of the Directory Proxy Server:

  • AIX is now a supported deployment operating system.

  • Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Directory Proxy Server:

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Fix a bug in the web-console new Attribute Type and new Objectclass dialogs which in some cases could cause a schema element to be saved erroneously into a file called 'New File...'. Issue:3410

  • Modify the web-console so that extraneous carriage returns are removed from files containing exported schema elements. Issue:3411

  • Fix a bug that could cause inaccurate timestamps to be displayed in the active operations monitor entry for operations that are still waiting in the work queue and have not yet been picked up for processing by a worker thread. Issue:3419

  • Fix an issue that led to work queue backlogs in DS when the Sync Server was synchronizing from an entry-balanced Proxy Server configuration. Issue:3431 SF#:1486

  • Update the Directory Proxy Server so that it will attempt to abandon any operation which has not completed within the configured timeout period. This behavior may be controlled by the abandon-on-timeout configuration property in the LDAP external server configuration. Issue:3350

  • Update command-line tools providing support for SASL authentication to add additional properties that may be used in conjunction with the GSSAPI mechanism. This includes the ability to control whether a ticket cache should be allowed and/or required, the ability to specify an alternate location for the ticket cache file, the ability to request that the Kerberos ticket-granting ticket be renewed, and the ability to supply a custom JAAS configuration file rather than using one automatically generated by the tool. Issue:3437

  • Fix a bug that prevents going back from the type selection when creating a new configuration object in dsconfig. Issue:2913 SF#:1435

  • Update a number of LDAP command-line tools to provide a new --help-sasl option that can be used to obtain information about the SASL mechanisms that are available for use and the supported options for those mechanisms. In addition, the command-line tool reference has been updated to provide a new page on supported SASL mechanisms and options. Issue:3452

  • Fix a bug in which dsconfig and other tools may not properly evaluate path-based property values for remotely managed servers. Issue:3439 SF#:00001484

  • Improve the consistency of performance for Sync through Proxy with Entry Balancing. When the Proxy Server is processing a Get Changelog Batch request and it has received maxChanges in total from the backend Directory Servers, it now cancels the outstanding requests in order to expedite the return of the result to the Sync Server. When the Directory Server receives a cancel request for a Get Changelog Batch request, it now stops processing the request and returns the result containing a resume token. Issue:3438 SF#:1492

  • Modify the update tool to handle potential issues migrating the admin-backend.ldif backend file if the ds-create-time attribute is present in the entry cn=all-servers,cn=Server Groups,cn=admin. Issue:3584 SF#:00001501

  • Update shell scripts used for the server and associated tools so that they will display a warning if it is not possible to set the desired number of file descriptors. Issue:3590

  • Fix a corner-case bug that could interfere with the Directory Proxy Server's ability to perform health checking against a backend server that had been classified as UNAVAILABLE. Issue:3611

  • Add support for a new "operation purpose" request control that clients can use to identify the intention for each request that they send to the server. The control may include the name and version of the application that created the request, the location in the application code from which the request was created (which may be automatically generated by the UnboundID LDAP SDK for Java), and a human-readable message explaining the purpose for the operation.

    This can help improve security and debuggability because it can offer a kind of audit trail. If a request includes this control, then information from the control will be included in access log messages for those operations. Issue:3616

  • Update client connection policies to support two new configuration attributes. The required-operation-request-criteria property can be used to cause the server to reject any request which does not match the referenced request criteria, and the prohibited-operation-request-criteria property can be used to cause the server to reject any request which does match the referenced request criteria. Issue:3645

  • Update dsconfig to make the list-properties subcommand more visible and more usable. This includes the following changes:

    - The list-properties output will now be written to standard output rather than standard error. This makes it easier to process the output with text tools like grep.

    - The list-properties subcommand can now be used with the "--offline" argument even if the server is running.

    - A new "--complexity" argument has been added that can be used to customize the complexity level of the objects included in the output.

    - A new "--includeDescription" argument has been added that can be used to include synopsis and description information in the output.

    - The top-level dsconfig help now includes an example demonstrating the use of the list-properties option.

    - A docs/config-properties.txt file containing this information is now provided with the server. This information was previously already available in the HTML config reference guide. Issue:DS-2985 SF#:00001413

  • Update a number of access loggers to provide a new max-string-length configuration property that specifies the maximum length of any string that may be included in a log message. If any string has more than this number of characters, then that string will be truncated and a placeholder will be appended to indicate the number of remaining characters in the original string. Issue:DS-3551

  • Update the server to provide a new additional-supported-control-oid configuration property in the root DSE backend that can be used to add a specified OID to the supportedControl attribute of the server's root DSE. This is primarily intended for compatibility with other servers which may include certain response control OIDs in this list even though LDAP specifications indicate that it should only include request control OIDs.

    The Server SDK has also been updated to provide support for registering and deregistering supported control OIDs. This may be used for extensions which themselves add support for additional controls. Issue:DS-3467

  • Make it possible to configure the number of file descriptors that the server should attempt to use on UNIX-based systems. Previously, the server was hard-coded to try to use 65535 file descriptors. It is now possible to override this default by setting the NUM_FILE_DESCRIPTORS environment variable with the desired number of descriptors to use. Alternately, you can do this by creating a config/num-file-descriptors file with a single line, like:


    If an error occurs while attempting to use the desired number of file descriptors, then a message will be written to the terminal, and if the error occurs while starting the server, then a message will be logged to the server's error log. Issue:DS-3590

  • Add the ability to compress log files as they are written. This can significantly increase the amount of data that can be stored in a given amount of space so that log information can be kept for a longer period of time. Because of the inherent problems with mixing compressed and uncompressed data, compression is something that can be enabled only at the time the logger is created, and compression cannot be turned on or off later. Further, because of problems in trying to append to an existing compressed file, if the server encounters an existing log file on startup, it will rotate that file and begin a new one rather than attempting to append to the previous file.

    Compression is performed using the standard gzip algorithm, so compressed log files can be accessed using readily available tools. Further, the summarize-access-log tool has been updated so that it can work directly on compressed log files rather than requiring them to be uncompressed first. However, because it can be useful to have a small amount of uncompressed log data available for troubleshooting purposes, administrators using compressed logging may wish to have a second logger defined that does not use compression and has rotation and retention policies that will minimize the amount of space consumed by those logs while still making them useful for diagnostic purposes without the need to uncompress files before examining them. Issue:DS-2983 SF#:00001410

  • Update the description for the time-limit global configuration option to indicate that it is an upper bound that will be enforced for local operations and may be included in forwarded requests, but that other operation timeouts (like those defined in a load-balancing algorithm) may interrupt the operation before that time limit is reached. Issue:DS-3429

  • Update dsconfig to remove a redundant prompt when a user chose to "Change the value" of an existing property. Issue:DS-2140

  • Update the suppress attribute proxy transformation to provide support for suppressing multiple attributes, and to make it possible to supply the attributes to suppress as an exclude list (i.e., "suppress all attributes except") instead of an include list if desired. In order to provide the attributes to suppress as an exclude list, prefix the attribute name or OID with a caret (e.g., "^cn" to not suppress the cn attribute).

    The transformation has also been updated to do a much more complete job by suppressing uses of the specified attribute in other cases, including in the values of a number of types of controls like the assertion, join, and server-side sort request controls; pre-read, post-read, and get authorization entry response controls; and the join result search result entry control. Issue:DS-2984 SF#:1411

  • Add a new reject-insecure-requests global configuration option that can cause the server to reject all operations except StartTLS extended requests received over insecure connections. This makes it easier to allow clients to use StartTLS without allowing other requests over an insecure connection. Issue:DS-4397

  • Provide an alternate password policy in the out-of-the-box configuration that is significantly more secure than the default policy. This policy is not configured for use, but it can be selected as the default policy, used as a policy for a select set of users, or used as a template for creating a new custom policy with a more secure starting point than the default policy.

    In addition, a new sensitive attribute definition is included in the default configuration that declares userPassword and authPassword to be sensitive attributes and forbids them from being returned to clients, used in search filters, or targeted by compare operations, and also requires that adds and modifies including passwords be processed over a secure connection. This sensitive attribute definition is not used by anything by default, but it can be easily referenced in the sensitive-attribute option of a client connection policy to turn it on. Issue:DS-4396

  • Update server access loggers to add a number of new options:

    - An option to include request details in search result entry messages.

    - An option to include request details in search result reference messages.

    - An option to include request details in intermediate response messages.

    - An option to include the names of attributes included in an add request.

    - An option to include the names of attributes targeted in a modify request.

    - An option to include the names of attributes included in a search result entry.

    - An option to include extended search request details, including the size limit, time limit, types only, and alias dereferencing behavior. Issue:DS-4404

  • Update the server to add a "--lockdownMode" argument which can be used to cause the server to be started in lockdown mode. Issue:DS-1488

  • Update the server to generate an administrative alert if it detects that a configuration change was made with the server offline (whether by manually editing the configuration file or using dsconfig in offline mode). Issue:DS-4407

  • Update the server to provide better reporting around the use of third-party extensions. If any such extensions are loaded in the server, then the DNs of their configuration entries will be listed in the thirdPartyExtensionDN attribute of the cn=monitor entry. Further, some extensions are loaded at startup, and a message will be written to the error log with the DNs of all of their configuration entries. Please note that not all extensions are loaded at startup, in particular Sync extensions. Issue:DS-4398

  • Fix an issue in which terminal focus may be lost during command-line setup just before the Summary step is shown. Issue:DS-4551

  • Fix an issue in which dsconfig cannot set an unlimited value for an object property that supports an unlimited value. Issue:DS-4173

  • Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations. By default, eight worker threads will be created for this purpose, but this may be altered via the num-administrative-session-worker-threads property in the work queue configuration.

    Some administrative tools like dsconfig, status, collect-support-data, enter-lockdown-mode, and leave-lockdown-mode will automatically attempt to create an administrative session in which all operations they request will be processed in this dedicated pool. Other tools like ldapsearch, ldapmodify, ldapcompare, ldapdelete, ldappasswordmodify, backup, restore, import-ldif, export-ldif, and manage-tasks have a new "--useAdministrativeSession" argument that can be used to request that they attempt to use this dedicated thread pool for operations that they process. Further, the Commercial Edition of the UnboundID LDAP SDK for Java has been updated to provide support for the new start administrative session and end administrative session extended operations that are needed to use this feature, so third-party applications can also take advantage of this capability.

    In order to request that operations be processed using the administrative session thread pool, the requester must have the use-admin-session privilege (which is included in the default set of privileges automatically granted to root users). The use of the administrative session thread pool will be recorded in the access log, and a new "using-administrative-session-worker-thread" property has been added to the simple request criteria and can be used to filter operations based on whether they are using this capability. Issue:DS-4401

  • Add unique-to-single-subtree-view-search-attribute as a global configuration option on the proxy as a means to optimize equality searches for attributes with unique values across all subtree views. This can eliminate broadcast searches in environments that have multiple subtree views, especially when one of those is entry balanced. Issues:DS-4583,DS-4584,DS-4587

  • Update the logic the server uses for address patterns to support the use of subnet masks. It was previously only possible to use CIDR notation (e.g., "") to specify the number of significant bits, but it is now possible to use subnet masks (e.g., "") to specify address masks. Issue:DS-4710
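    To show what accepting both notations involves, here is an added example (written for these notes, not the server's own address-pattern code) that parses a pattern given either as a CIDR prefix length or as a dotted-quad subnet mask and tests a client address against it. A subnet mask is only valid when its set bits are contiguous, so the example converts a mask to a prefix length and rejects masks such as 255.0.255.0 instead of silently matching the wrong range. The function names are assumptions made here; the standard ipaddress module does the network arithmetic.

```python
# Added example (not UnboundID code): IPv4 address patterns in CIDR or subnet-mask form.
# Function names are assumptions made for this example.
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-quad subnet mask to a prefix length, rejecting non-contiguous masks."""
    m = int(ipaddress.IPv4Address(mask))
    prefix = bin(m).count("1")
    # A valid mask is exactly `prefix` one-bits followed by zero-bits.
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if m != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def parse_address_pattern(pattern: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d', 'a.b.c.d/N' (CIDR) or 'a.b.c.d/m.m.m.m' (subnet mask)."""
    addr, sep, suffix = pattern.partition("/")
    if not sep:
        return ipaddress.IPv4Network(f"{addr}/32")
    prefix = int(suffix) if suffix.isdigit() else mask_to_prefix(suffix)
    # strict=False keeps only the significant bits of the address, so
    # 10.1.2.3/8 means the same as 10.0.0.0/8.
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def address_matches(pattern: str, client_ip: str) -> bool:
    """True if the client address falls inside the pattern's network."""
    return ipaddress.IPv4Address(client_ip) in parse_address_pattern(pattern)
```

    A pattern that fails to parse should be treated as a configuration error rather than as "match nothing" or "match everything"; that is why mask_to_prefix raises instead of returning a best guess.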

  • Fix an issue where old configuration data may get left in a topology of Sync or Proxy servers after a server is uninstalled or removed from the topology. Issue:DS-4712

  • Modify the tools to recognize instances of the Sun DSEE 7 Directory Server when deployed as part of the Oracle Identity Management 11g. Issue:DS-4716

  • Update the server to discourage disabling schema checking since this can lead to unexpected behavior in the server and client applications, as well as introduce performance problems. A warning message is printed when dsconfig or the console is used to update the configuration to disable schema checking. The server now generates an alert when schema checking is disabled. The --skipSchemaValidation option has been removed from import-ldif. Issue:DS-4336

  • Improve the config definition for the idle-lockout-interval password policy property to indicate that it relies on the last login time but may fall back on the password changed time or account creation time if no last login time is available. It also recommends having last login time tracking enabled for a period of time before enabling idle account lockout. Issue:DS-4878

  • Update the server to record access log information about certain requests rejected very early in the life of an operation that were not previously recorded, including:

    - Operations requested by a user that must change his/her password before being allowed to perform any other operation.
    - Operations rejected because there is a bind in progress on the connection.
    - Operations rejected because the server is in lockdown mode.
    - Operations rejected as a result of the reject-unauthenticated-requests or reject-insecure-requests configuration option.
    - Operations rejected because a client has exceeded the maximum number of operations per connection or maximum concurrent operations per connection. Issue:DS-4912

  • Fix a bug in the attribute value password validator that can cause it to incorrectly reject add attempts if the password attribute itself is included in the set of attributes to examine. Issue:DS-4888

  • Fix a bug in the create-initial-proxy-config tool that could cause it to terminate with an error if it encounters an unrecognized type of directory server. Issue:DS-4865

  • Add support for the IBM JDK for the GSSAPI SASL bind mechanism handler and when using GSSAPI SASL binds with tools and utilities. Due to restrictions with the IBM JDK, when using tools and utilities with the "ticketcache" option set, the bind will always fail if the credentials are not found in the specified ticket cache, even if the "requirecache" option is false. Issue:DS-4749

  • Improve the dsframework tool to support multi-valued server properties. Issue:DS-5040

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Add a new global configuration attribute that allows specifying an SMTP timeout to use for all configured SMTP servers. Issue:2283

  • Update the server so that access log messages for operations the server tried to interrupt (e.g., as the result of an abandon or cancel request, because the client connection was being closed, because the server was shutting down, etc.) will include an additionalInfo element with more information about the reason for the cancel attempt. Issue:2971

  • Limit collect-support-data to only run against the local server it is run from. All supported versions of the products have collect-support-data available, and that version should be used to do any needed data collection. Issue:2827

  • Enhance the timeout for SMTP External Servers so that it applies to both socket I/O and connection-based timeouts. Previously the timeout value applied only to socket I/O. Issue:2939

  • The update and revert-update tools now respect the -Q/--quiet option, which, when specified, suppresses console output of messages that are not warnings or errors. In addition, the tools will not solicit input if the -n/--no-prompt option is specified. Issue:3056 SF#:00001432

  • Fix an issue where the Web Console provides a dsconfig command to modify root dn user aliases that does not work in dsconfig. Dsconfig will now accept those commands. Issue:1692 SF#:1238

  • The dsconfig tool has been fixed so that it does not exit with an error when the root DSE entry is not available. Issue:3122

  • Add a new type of access logger which can be used to obtain very detailed information about requests and responses and the contexts in which the associated operations have been processed. This is primarily intended for troubleshooting purposes rather than general use, and the content is meant to be human-readable rather than machine-parsable. Further, because the output can be quite verbose, it is recommended that it only be enabled when attempting to diagnose a problem, and that it be used in conjunction with the filtered logging framework so that only potential messages of interest will be captured. Issue:3064

  • Update tools, such as searchrate, that use --ratePerSecond to not use 100% of one CPU when running at a low rate. The cutoff for this rate depends on the minimum amount of time that a process can sleep, which is operating system dependent.

  • Update the Server SDK to add support for creating file-based access and error loggers. The new APIs are similar to the existing access and error logger APIs, but they take advantage of the server's existing high-performance, high-scale log writer and provide support for advanced features like log file rotation and retention policies. Issue:3115

  • Add a configuration change to prevent Subtree View configuration properties from being modified after they are set at creation time. Modifying live Subtree View objects is not supported, and this change enforces that restriction. Issue:2907

  • Update the move-entry tool so that it provides the ability to move multiple entries rather than just one. The --entryDN argument can be provided multiple times to specify the target entry DNs, or the new --entryDNFile argument may be used to specify the path to a file containing the DNs of the entries to move. If multiple entries are to be moved, then a separate transaction will be used for each. Issue:3111

  • Add a serversAccessed field to result access log messages to include a list of the backend servers accessed in the course of processing the associated operation. Issue:2780

  • Update collect-support-data to collect more system-level information (especially on Linux) and validate that any value specified with the --pid option does not match the server's PID, since information about the server process is always collected. Issues:2920,2930,3152,3171,3206

  • Add a --missingOnly option to ldap-diff to allow the tool to only report on entries that exist on only one of the servers; entries that exist on both servers but are out-of-sync are ignored. Issue:2918

  • Update tools which can be used to schedule tasks to add a new "--task" argument that makes it explicit that the tool is intended to run as a task rather than in offline mode. At present, this argument is optional, but we intend to make it required in the future, and if a tool is invoked as a task without this new "--task" argument, then a warning message will be displayed recommending that it be used in the future.

    In addition, if the "--task" argument is provided but the tool was not given an appropriate set of other arguments to allow it to connect and/or authenticate to the server, then an error message will be displayed and the tool will exit with an error. This behavior will also be exhibited for other arguments that are only applicable for tools running as tasks, including the "--start", "--dependency", "--failedDependencyAction", "--completionNotify", and "--errorNotify" arguments. Issue:3224

  • Update the manage-tasks tool so that it can detect cases in which the authenticated user doesn't have permission to access information about tasks in the server and will provide a more useful error message. It would previously always report that there were no tasks in the server, which may not be true and is not very helpful. Issue:2957

  • Update the proxy server access log such that targetHost and targetPort are provided in result log messages in an entry balancing configuration (note that these fields are only ever logged in result log messages when log-forwards is turned off). For search result log messages, since only one target server is ever logged for an operation, one of the target servers that contributed search entries is logged in preference to one that did not contribute any search entries. Independently, all the servers accessed during the course of an operation are always logged to the serversAccessed field of the log message. Issue:3079

  • Change the default access logger configuration so that intermediate response messages will be suppressed rather than logged, although logging them can be enabled if desired. However, for operations that did send one or more intermediate response messages to the client, the result access log message will now include an intermediateResponsesReturned element that provides the number of intermediate response messages that were returned. Issue:3096

  • Update the proxy server so that it no longer retries operations that return ADMIN-LIMIT-EXCEEDED. The previous behavior could have unintended consequences for Subtree Delete operations. It is most unlikely that an operation returning ADMIN-LIMIT-EXCEEDED will succeed when retried on an alternate server. Issue:3132

  • Update tools which create scheduled tasks to display a message indicating that killing the tool will not interrupt the task. For tasks that can be interrupted, the tool will also display a manage-tasks command line that can be used to cancel that task. Issue:2954

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Fix an issue in the Directory Proxy Server which could cause the Synchronization Server's resync command to fail when the base DN being synchronized had a single component (e.g. o=example). Issue:3220 SF#:1473

  • Fix a bug in web consoles where version mismatch warning was not being displayed on initial login. Issue:3146 SF#:1459

  • Add an option to collect-support-data for collecting data from expensive processes. These expensive operations will not be executed by default. Issue:3176

  • Fix an issue where debug messages logged by a command line tool (when using --enableDebug) might not be flushed to disk before the command exited. Issue:3218

  • Update the server's support for GSSAPI authentication to allow it to use a more flexible service principal. Previously, the service principal was hard-coded to be "ldap/" followed by the fully-qualified name of the system. This is still the default, but it is possible to override that in order to use a custom service principal. In addition, client tools which support GSSAPI authentication have been updated to support a "protocol" SASL option that can be used to specify the protocol for the service principal, and a "debug" SASL option that can enable GSSAPI debugging in the JVM. Issue:3262

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Modify the update tool to fix an issue where in some cases the tool would fail to migrate an older configuration, displaying errors related to duplicate LDIF change records. Issues:2942,2962,2967

  • Fix a regression with the stop-proxy command where the port argument was ignored. Issue:2925

  • Fix an issue where the status command would warn that the port argument was ignored even though the argument was not provided. Issue:3052 SF#:1447

  • The command-line tools now use the full terminal width for output on Windows platforms. Issue:1019

  • Fix a potential issue that could cause an exception if a client tried to establish a secure connection to a server that already had the maximum number of concurrent client connections established for the associated client connection policy. Issue:3072

  • The setup tool has been modified to correct an issue in which the presence of the --rootUserDN option, when specified with any of the "Set Up From Peer/Master Server Options", would cause setup to exit with an error. Issue:3084

  • Increase the default value for duplicate error messages (allow 2000 in 5 minutes) and alerts (allow 100 in 1 hour) before they are suppressed. Avoid duplicate suppression for certain types of alerts, such as configuration changes. Ensure that the severity of a duplicate alert summary message matches the severity of the duplicate messages being suppressed.

  • Address an issue that could affect the Synchronization Server synchronizing changes through the proxy when there was more than one dataset behind the proxy, for instance an entry balanced environment. In this scenario, if all directory servers were unavailable for one backend set, then no changes would be synchronized for the environment. This would delay any changes that were applied to the server sets that were available. Issue:3100

  • Address an issue where Server SDK extensions running within a command line tool could cause the process to run out of memory if they logged a high volume of error log messages. Issue:3173

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Change collect-support-data tool to prompt for missing LDAP connection arguments if needed. Issue:2461

  • Add statistics about the entry balancing global indexes to the status command output for the proxy server. Issue:2199

  • The script file for stopping the server on non-Windows operating systems has been modified so that when it is invoked with no arguments, the server is killed using the operating system's kill command, ensuring that the server will have stopped when the script returns. Issue:2821

  • The remove-defunct-server tool has been enhanced to allow the user to choose to continue processing of topology servers even if one of the servers is down. In non-interactive mode this is accomplished using the --continueOnError option. Issue:2856

  • Fix an issue where the Proxy Server could return duplicate entries in an entry balanced configuration where the Directory Servers held both global and restricted replicated data. Issue:2781

  • Update the server so that some of the specialized access loggers (e.g., failed operations and expensive operations) do not include messages about intermediate responses. Issue:2822

  • Update the load-balancing algorithm configuration to add initial-connections and max-connections properties which can be used to specify the number of connections to establish for each backend server. If specified, these options will override the number of connections defined in the LDAP external server configuration for that load-balancing algorithm. Issue:2600

  • A new global-index-size tool is provided with the Proxy Server to estimate how much memory is required for a global index from the number of keys and the average key size. Issue:2462

  • Fix a bug that could prevent the use of object classes which reference attribute types whose name begins with a numeric digit or contains an underscore character. Although such names are technically invalid, the server may allow them based on the value of the allow-attribute-name-exceptions global configuration property. Issue:2882

  • Fix a bug that could cause some command-line tools (including ldapsearch and ldapmodify) to fail when parsing DNs containing attributes whose names require the attribute-name-exceptions feature in the server, even if that feature was enabled. Issue:2883

  • Address an issue with collect-support-data when run on Windows where certain commands that were executed would time out without reading the full output of the command.

  • The entry balancing request processor has a new log-index-duplicates property that may be enabled to get details on entries that are duplicated in the global index. Issue:2369

  • Add a new external server type for configuring SMTP servers. This can be used to provide secure connections and authentication to outgoing mail servers. Issue:1150

  • Fix an issue where entry balancing operations forwarded to backend directory servers were not canceled when the request to the proxy server was canceled. Issue:2789

  • The SNMP Master Agent Plugin is no longer exposed as configurable because it is not a supported component. It is only used for test purposes.

  • Fix a bug in the web console that prevented the creation of configuration objects with a slash character in the name. Issue:2836

  • Add the ability to log debug statements from server components that are running within the context of a command line tool. This also enables logging from third-party extensions developed with the Server SDK to be captured when run from the context of a command line tool. Issue:2834

  • The dsframework tool has been modified so that whenever a server is registered or updated with port values whose corresponding protocol enablement properties (ldapEnabled, ldapsEnabled) are not present, the tool will automatically set the value of the enablement property to "true". Issue:783

  • Add new configuration to entry balancing request processor called preferred-failure-result-codes. This is an ordered list, from highest to lowest priority, which is used to determine which result code to return when there are conflicting values received from more than one backend server. This list will also be used to determine if the failure should be reported instead of trying additional backend servers. Issue:2946 SF#:1428

Directory Proxy Server

New Features

These features were added for version of the Directory Proxy Server:

  • Server SDK - Server-side SDK for extending the functionality of the core server.

  • Synchronization Through Proxy - Support for synchronizing to or from a load-balanced or entry-balanced proxy server deployment.

  • Virtualization Support - Achieved "VMware Ready Status" for all of our server products, which we now support deploying in VMware environments.

Known Issues and Workarounds

These were known issues at the time of the release of version of the Directory Proxy Server:

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • The default setting for the entry balancing prime-index-source property has been changed to 'ds' instead of 'ds,proxy'. Issue:2233 SF#:00001345

  • To prevent unexpected delays and errors while running create-initial-proxy-config, index priming is no longer done as soon as the tool applies an entry balancing configuration to the proxy server. Instead the tool warns that the proxy server must be restarted after the tool is run to have index priming take place. Issue:2227

  • Fix a bug that could cause a recursion loop resulting in a stack overflow when using aggregate connection criteria. Issue:2240

  • Expose version information for many of the libraries used by the server in both "status --fullVersion" and in the "cn=Version,cn=monitor" entry. It will always include the LDAP SDK version number, and if available may also include any or all of the Berkeley DB JE, JZlib, SNMP4J, SNMP4J Agent, and SNMP4J AgentX library version strings.

  • Add a configuration option that may be used to indicate whether the server should shut down in the event that a severe error (e.g., out of memory) is raised within the JVM that indicates it may not be able to continue running properly. Issue:2265

  • Add a new "rebind" authorization method that can be used to forward authorization information to backend servers that don't support either the intermediate client control or the proxied authorization v1 or v2 controls. This is only supported for clients using simple authentication. Issue:2268

  • The dsjavaproperties tool now supports options for generating, regenerating, and updating the config/java.properties file. Issue:2280

  • Fix a bug in the timestamp-naming mechanism used in log file rotation which could cause log files that were manually renamed to still get rotated and eventually deleted if their names were still parsable as the original file name. Issue:1285

  • Update the stop script so that the "restart" option will correctly restart the server after a successful shutdown. Issue:2329 SF#:1362

  • Update dsconfig to work correctly in environments with a server-group set. This issue only affected dsconfig when run in a partially interactive mode where some of the configuration arguments were provided on the command line. The user is now prompted whether the configuration change should be applied to the current server or all servers in the group. Issue:2373 SF#:1370

  • Allow the Directory Proxy Server to dynamically read and incorporate schema elements from backend servers. The schema elements will be exposed in the Directory Proxy Server schema subentry but will not be written to the local schema files. Issue:2300

  • Address an issue where the Unique Attribute Plugin incorrectly detected conflicts when under heavy load. Issue:1873

  • Web Console displays a communication error alert when editing configuration objects if the server has been disconnected. Issue:2270 SF#:1239

  • Fix a bug in which the server and tool JVM configurations in java.properties would lack -Xms and/or -Xmx options if the amount of memory specified as the maximum heap size was not available when setup was run. Issue:890

  • Fix a bug in which setup failed if the 'locks' directory was missing: setup erroneously indicated that the server was running.

  • Fix a bug that prevented the display in dsconfig and the web console of configuration objects whose name contained a slash character. Issue:2244 SF#:1373

  • Update the auto-generated single-server pass through load balancing algorithm with a name that indicates it's auto-generated. Issue:2337 SF#:1364

  • Modify the update tool to prevent it from being used from a package in which setup has been run. Issue:2464

  • Provide a custom title renderer that escapes configuration object names in the web console. This avoids a theoretical security concern with configuration object names that contain embedded JavaScript. Issue:2454
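    The item above is the usual cross-site scripting mitigation for user-controlled text in a page title. As an added example, not the web console's own renderer, the two small functions below put an object name into page markup first verbatim and then escaped, and a third shows the attribute context where quoting also matters. Function names are assumptions made here; html.escape is the standard library routine.

```python
# Added example (not UnboundID code): rendering a configuration object name in
# page markup with and without escaping. Function names are assumptions.
import html


def render_title_raw(name: str) -> str:
    """Risky pattern: a name containing markup becomes part of the page structure."""
    return f"<h1>Edit {name}</h1>"


def render_title_escaped(name: str) -> str:
    """Hardened pattern: the name is always shown as text, whatever characters it holds."""
    return f"<h1>Edit {html.escape(name, quote=True)}</h1>"


def render_edit_link(name: str) -> str:
    """Attribute context: quote=True also turns double quotes into entities so the
    value cannot terminate the title="..." attribute early."""
    safe = html.escape(name, quote=True)
    return f'<a href="/edit" title="{safe}">{safe}</a>'
```

    Escaping belongs at the point where text meets markup (the renderer), not at the point where the name is stored, so that the same object name can still be used unchanged by dsconfig and LDAP clients.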

  • The progress messages for global index priming now include the number of keys in the index to provide an indication of how long priming may take. Issue:2463

  • Fix a bug in the ldapmodify command-line tool that caused it to incorrectly treat a 'referral' result as success. Referrals are still not supported by this tool, but it will now treat them as a special kind of error and will provide a more useful message. Issue:1062

  • Update the UnboundID work queue configuration so that it is not possible to configure a value of zero for the number of write queues. Previously, if a nonzero number of write worker threads was configured with zero write queues, then the server would encounter an error and would be unable to start. Issue:2119

  • Update prepare-external-server so that the server is configured for access control regardless of whether the proxy user account exists.

  • Generate a warning message at startup if the server is unable to determine the IP address or hostname of the local system, or if the local system's hostname resolves to a different IP address. These conditions may indicate a problem with the system configuration that could cause certain server components to break or function abnormally. Issue:2318

  • Change the way that the serverUUID value is generated so that it is based on a combination of the system's primary IP address and the canonical server root path. This can be used to help detect cases in which a new server instance is created by copying the files associated with an existing server instance, which would have previously created two instances with the same serverUUID value. In the event that the stored serverUUID does not match the generated value, a log message will be generated to warn administrators of the change, and the newly-generated UUID will continue to be used. Issue:2470
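    The item above describes the inputs to the serverUUID and how a mismatch is handled; as an added example (not UnboundID's implementation, whose exact derivation is not described here), the code below derives an identifier from the primary IP address and the canonical server root, then compares it with a stored value to flag an instance that was created by copying another instance's files. Using uuid5 over a fixed namespace as the deterministic derivation, the namespace value, and the function names are assumptions made here.

```python
# Added example (not UnboundID code): deriving a server identifier from the
# primary IP address and canonical server root, and detecting a copied instance.
# uuid5 over a fixed namespace, the namespace itself and the function names are assumptions.
import posixpath
import uuid
from typing import Optional, Tuple

# Any fixed UUID would do as the namespace; this reuses a standard-library constant.
SERVER_UUID_NAMESPACE = uuid.NAMESPACE_URL


def derive_server_uuid(primary_ip: str, server_root: str) -> str:
    """Deterministic UUID for (host address, canonical server root path)."""
    canonical_root = posixpath.normpath(server_root)  # strips trailing slashes, '..' etc.
    return str(uuid.uuid5(SERVER_UUID_NAMESPACE, f"{primary_ip}|{canonical_root}"))


def check_server_uuid(stored: Optional[str], primary_ip: str, server_root: str) -> Tuple[str, str]:
    """Return (serverUUID to use, status).

    On a mismatch the newly derived value is kept, as the note above describes,
    and the status string is what an operator would expect to see logged.
    """
    derived = derive_server_uuid(primary_ip, server_root)
    if stored is None:
        return derived, "generated"
    if stored != derived:
        return derived, "mismatch: stored serverUUID was derived for a different address or root path"
    return stored, "ok"
```

    Because the identifier is a pure function of its inputs, two instances can only share it by sharing both the address and the path, which is exactly the copied-files case the check is meant to surface.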

  • Update the server to make it possible for proxy transformations to be configured with request criteria. If criteria are defined, then the transformation will only be invoked for operations in which the request matches that criteria. If no criteria are defined, then the transformation will be invoked for all operations. Issue:2321

  • Improve the output of the ldapsearch tool to mention that a password has expired when the bind occurs. Issue:1981 SF#:1227

  • Modify the updater so that the --ignoreWarnings option can be used to continue with update when there are warnings related to version compatibility issues. This allows an update to be run in a non-interactive environment, such as a script. Issue:2495

  • Explicitly set the autocomplete flag on the login form of the web console to false. Issue:2496 SF#:1383

  • Update the audit logger to use the filtering criteria specified in the configuration. Issue:2443

  • The admin alerts list no longer includes alert types that are clearly not applicable to the product. Issue:1738

  • The proxy server no longer generates an alert at startup when an external server's health-check-state is explicitly configured as unavailable. Issue:2359

  • Update generated command line arguments (such as for dsconfig) to be quoted in a mechanism specific to the operating system where they are generated and to eliminate all escaping with \, which had caused problems when replaying certain commands. This is done with as much portability across systems as possible. Issue:2455

  • Change peer proxy index priming to respect the health check state if set. A proxy will not prime from a peer proxy in UNAVAILABLE or DEGRADED state. Issue:2201

  • Improved status command output to better inform the user of how the local server status was determined, based on the arguments provided. Issue:2487

  • Update cli documentation to include new commands for updating and reverting a server installation. Issue:2573 SF#:1390

  • Tools using a scope argument are now correctly documented in the CLI documentation. Issue:2594

  • Several enhancements to the Periodic Stats Logger: all columns in the output can now be turned on/off, many more built-in metrics are available to be logged, and additional custom metrics driven off of cn=monitor entries can be added by creating Custom Logged Status objects. Issue:2039

  • The proxy installer now supports the option of basing a new server's configuration on an existing proxy server. This feature is invoked when the user indicates during setup that they would like to add the proxy to an existing proxy server topology. Issue:2414

  • The Proxy Server now includes the 'remove-defunct-server' tool, which can be used to remove a server from a set of servers each of which is registered with the others' administrative data. Issue:2640

  • Change the way abandon and cancel requests are run in order to prevent request handler threads from being detained while these operations wait to get back results. Issue:2631 SF#:1395

  • The server now issues an alert when it has begun the startup process. Issue:2642

  • The server now issues an alert when a JVM pause (possibly due to garbage collection) has been detected. Issue:2637

  • The web console now allows the specification of multiple LDAP servers to be used for authentication and discovery of topology servers. Issue:2466

  • The web console now supports specification of a server from its login page. Issue:2190

  • Provide a way to throttle proxy global index priming from Sun DS backend servers to reduce the impact of priming on those servers. This is accomplished through a new configuration property, prime-search-entry-per-second, and a new --searchEntryPerSecond argument for reload-index. Issue:2293 SF#:00001353

  • Fix an issue where global index background priming could produce duplicate values as seen in the monitor entry. Issue:2206

  • Update the ldappasswordmodify tool to supply the bind password as the user's current password when making a self-change. This is convenient when making a root user password change so that the current password does not have to be specified twice in the command line arguments. Issue:2525

  • Provide better descriptions in the MIB for SNMP trap variable bindings. Issue:2508

  • The file-based loggers now optionally support millisecond level precision. Issue:2603

  • Added an "invoke-gc-day-of-week" property to the Periodic GC Plugin so that it can be configured to run only on certain days of the week. Issue:2660

  • Update the Periodic Stats Logger so that on shutdown it logs stats from the final interval. Issue:2684

  • Improve output when JVM errors occur in the scripts used to set up the environment for command-line tools. Issue:2172

  • Update the default JVM arguments to improve garbage collection tuning.

  • Update dsjavaproperties to validate that all java-home properties specified in config/java.properties reference valid Java installations. Issue:2719

  • Add a warning message when starting the proxy server if two external servers in the same load-balancing algorithm are using the same unique ID. Issue:2471

  • Fix an issue where the alerts backend could write an incomplete LDIF backing file if an error were to occur during the write. Also, if an error in the LDIF file is discovered when the server is started, the alerts backend will now read as much as it can from the file and preserve a copy of the bad file. Issue:2700

  • Add support for logging intermediate response messages that are returned to the client. Intermediate response logging will be enabled by default, but may be disabled if desired. Issue:2428

  • Fix a bug where the web-console's schema editor could write object class definitions to the server that did not include the object class's type. This occurred when no attempt to change the default value STRUCTURAL was made in the object class creation dialog. Issue:2749

  • Address an issue with the web console where it would not allow read-only configuration properties to be set when an object was initially created. Issue:2730

Directory Proxy Server

Resolved Issues

These issues were resolved with version of the Directory Proxy Server:

  • Modify the command-line argument parsers to generate a warning message if an argument value is the same as the short or long form for another argument. This can help prevent users from forgetting to supply a value for an argument which requires one. Issue:944

  • Streamline the process for sending responses to LDAP clients to use a stream-based approach and avoid the creation of a number of intermediate objects.

  • Update the access log format so that result log messages for operations containing certain controls will include information about that control. For the assertion request control, the assertion filter will be provided. For the matched values request control, the matched values filter will be provided. For the pre-read, post-read, and get authorization entry request controls, the requested attributes will be provided. For the join request control, the join rule (including nested join rules) will be provided. For the server-side sort control, the sort order will be provided. For the virtual list view request control, the offset or assertion error, before count, and after count will be provided. For the simple paged results control, the page size will be provided.

  • Update MakeLDIF to add a "" tag that can be used to include a randomly-selected date from any time within the last ten years. It is also possible to use "" to specify the desired time range, where min and max should be given in the generalized time format. Issue:1083

  • Add support for the stream proxy values extended request, which may be used to prime the Directory Proxy Server global index from another Directory Proxy Server instance. Issue:902

  • Add a new configuration property for alert handlers that makes it possible to filter the types of alerts that should be processed based on the alert severity. By default, all types of alerts will be processed.

  • Modify the prepare-external-server tool so that it will look for trust store and password files in the default locations when using SSL or StartTLS and the locations of those files are not explicitly provided.

  • Provide a new alert handler that can be used to execute a specified command whenever an alert is generated within the server. The details of the alert notification will be provided as arguments when executing that command. The arguments will be provided in the following order: the name of the alert type, the OID for the alert type, the alert severity, the fully-qualified name of the Java class that generated the alert, the unique identifier assigned to that alert, and the text of the alert message. The alert handler will ensure that only one instance of the command may be invoked at a time to avoid problems from commands that aren't safe to run concurrently. If multiple alerts are generated concurrently, then they will be queued and the command will be executed sequentially for each of them. Issue:1146

  • Update the ldapsearch and ldapmodify tools so that in the event that an error response is received from the server, the diagnostic message from that error response will be displayed to the user rather than the generic error message that had previously been used.

  • Add a new error log alert handler, which makes it possible to control which types of alerts should be logged (based on either the alert severity or specific alert type). Further, the severity of the log message will reflect the severity of the alert notification.

  • Update the collect-support-data tool to archive information about the upgrade history of the server installation.

  • Generate administrative alerts for any operation which results in a change to the defined set of access control rules in the server, including global ACIs. Issue:1203

  • Modify the enter-lockdown-mode and leave-lockdown-mode tools to allow them to connect to any local address rather than requiring the request to be sent over the loopback address. Issue:1144

  • Provide the ability to force an explicit garbage collection on startup if the initialization of any request processor takes longer than a specified period of time. This can help improve garbage collection behavior in the Directory Proxy Server when a global index is enabled and automatically primed on startup.

  • Update the LDAP connection handler to disable TLS renegotiation by default, which can eliminate a vulnerability in which a man-in-the-middle could potentially inject arbitrary cleartext between TLS negotiation and initial data from the client.

  • Avoid setting the "-XX:ParallelCMSThreads" JVM argument on systems containing a single CPU. This option has been observed to cause the JVM to fail to run properly, particularly in virtualized environments. Issue:1300

  • Update the active operations monitor entry to include attributes which provide the number of operations and persistent searches currently in progress within the server.

  • Add a configuration option to the Directory Proxy Server which can be used to control what types of operations should be re-tried in the event of a failure which indicates the operation might succeed on an alternate server. By default, it will not attempt to re-try add operations, as that could potentially introduce a replication conflict in the event that the initial add operation actually succeeds on the first server (but the Directory Proxy Server considers it a failure, e.g., because of a timeout) and the re-try succeeds on a second.

  • Add configuration options to the Directory Proxy Server that make it possible to have different response timeouts for read and write operations, as well as potentially using a longer timeout for the last server to be tried than was used for earlier attempts.

  • Update the entry-balancing request processor to provide the ability to search all servers in each backend set to determine if an entry already exists when performing an add. This can help prevent duplicate entries when a client attempts to add the same entry multiple times in quick succession.

  • Add a new entry placement algorithm which can be used to select an appropriate backend set based on an MD5 digest of the normalized representation for the DN of the entry to be added. This can be used to ensure that repeated attempts to add an entry will always be sent to the same backend set.
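
The digest-based placement described above, as an added example that is not part of the release notes or of the UnboundID code base. The DN normalization here is a deliberately simplified one (lower-casing, whitespace trimming, no handling of escaped commas); the server's own normalization rules are not stated on this page, so treat `normalize_dn` as an illustration of why two spellings of the same DN must hash identically before the digest is taken.

```python
import hashlib


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization used only for hashing (assumption: an
    illustrative normalization, not the server's own rules). Each RDN is
    lower-cased, whitespace around '=' and ',' is removed, and runs of
    whitespace inside a value collapse to one space. Escaped commas inside
    values are not handled by this toy parser."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)


def select_backend_set(dn: str, num_backend_sets: int) -> int:
    """Index of the backend set for an add of `dn`: MD5 of the normalized DN,
    reduced modulo the number of sets. MD5 is used here only as a stable
    bucketing function, not for any security property. Because the same DN,
    however it is spelled, always maps to the same set, a retried add cannot
    create the entry in two different sets."""
    if num_backend_sets < 1:
        raise ValueError("need at least one backend set")
    digest = hashlib.md5(normalize_dn(dn).encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % num_backend_sets


def distribution(dns, num_backend_sets):
    """Count how many of `dns` land in each backend set (to eyeball balance)."""
    counts = [0] * num_backend_sets
    for dn in dns:
        counts[select_backend_set(dn, num_backend_sets)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample population: 10,000 user entries spread over 4 sets.
    sample = [f"uid=user{i},ou=People,dc=example,dc=com" for i in range(10000)]
    print(distribution(sample, 4))
```

The trade-off worth knowing: placement by DN hash gives determinism, not balance by size or load, so a skewed naming scheme can still produce uneven sets; `distribution` is the quick check to run on a representative DN list before committing to it.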

  • Update the UnboundID work queue to change the default capacity from unlimited to 1000 operations, and to add the ability to block for a specified period of time (up to 60 seconds by default) if the work queue is full before giving up and rejecting the operation. This can help prevent clients using asynchronous requests from being able to continually enqueue requests without bound.

  • Update the server to provide the ability to keep track of the length of time that an operation was required to wait on the work queue before being picked up for processing by a worker thread. This can be used to identify cases in which client threads were forced to wait for a long time for a worker thread to become available, which may indicate a configuration problem or problems due to an inefficient client. It is also possible to define the maximum length of time that an operation may be allowed to wait on the work queue before being rejected with a "busy" response. If queue time monitoring is enabled, then it will appear in access log messages and in the processing time histogram monitor entry, and it may be used in simple result criteria objects.
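
The two work-queue changes above (a bounded queue that blocks a submitter for a limited time before rejecting, and tracking of how long each operation sat in the queue with an optional cap that produces a "busy" result) are sketched here as an added example. This is not UnboundID code; the class and counter names are mine, and the defaults of 1000 operations and a 60-second offer wait are simply the values the notes state.

```python
import queue
import threading
import time
from dataclasses import dataclass, field


@dataclass
class QueuedOperation:
    op_id: int
    enqueue_time: float = field(default_factory=time.monotonic)


class BoundedWorkQueue:
    """Queue between request handlers and worker threads (hypothetical model).

    capacity       - waiting operations allowed (the notes' new default: 1000)
    max_offer_wait - seconds a submitter blocks on a full queue before the
                     operation is rejected (the notes' default: up to 60)
    max_queue_time - optional cap on time spent waiting; an operation that
                     waited longer is rejected with "busy" instead of run
    """

    def __init__(self, capacity=1000, max_offer_wait=60.0, max_queue_time=None):
        self._q = queue.Queue(maxsize=capacity)
        self.max_offer_wait = max_offer_wait
        self.max_queue_time = max_queue_time
        self.rejected_full = 0          # rejected because the queue stayed full
        self.rejected_queue_time = 0    # rejected because they waited too long
        self.queue_times = []           # observed wait of every dequeued operation
        self._lock = threading.Lock()

    def submit(self, op_id):
        """Request-handler side: True if queued, False if rejected as full."""
        try:
            self._q.put(QueuedOperation(op_id), timeout=self.max_offer_wait)
            return True
        except queue.Full:
            with self._lock:
                self.rejected_full += 1
            return False

    def next_operation(self, timeout=None):
        """Worker side: returns (operation, seconds_waited); operation is None
        when the wait exceeded max_queue_time. Raises queue.Empty on timeout."""
        op = self._q.get(timeout=timeout)
        waited = time.monotonic() - op.enqueue_time
        with self._lock:
            self.queue_times.append(waited)
            if self.max_queue_time is not None and waited > self.max_queue_time:
                self.rejected_queue_time += 1
                return None, waited
        return op, waited

    def size(self):
        return self._q.qsize()


def drain_after_delay(wq, delay):
    """Let the oldest queued operation age for `delay` seconds, then dequeue it."""
    time.sleep(delay)
    return wq.next_operation(timeout=0.1)


def run_burst_scenario(capacity=2, burst=10, max_offer_wait=0.001, worker_delay=0.05):
    """Constructed load: `burst` operations submitted back to back while one
    slow worker drains the queue. Returns counters a monitor entry might show."""
    wq = BoundedWorkQueue(capacity, max_offer_wait)
    processed = []
    stop = threading.Event()

    def worker():
        while not stop.is_set() or wq.size() > 0:
            try:
                op, _ = wq.next_operation(timeout=0.01)
            except queue.Empty:
                continue
            if op is not None:
                processed.append(op.op_id)
            time.sleep(worker_delay)

    t = threading.Thread(target=worker)
    t.start()
    accepted = sum(1 for i in range(burst) if wq.submit(i))
    stop.set()
    t.join()
    return {
        "accepted": accepted,
        "processed": len(processed),
        "rejected_full": wq.rejected_full,
        "max_queue_time_seen": max(wq.queue_times, default=0.0),
    }


if __name__ == "__main__":
    print(run_burst_scenario())
```

The point of the bound is resource exhaustion: an asynchronous client that never reads responses can otherwise grow the queue without limit, and the queue-time figure is what tells you whether slowness is in the workers or in the wait to reach one.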

  • Update the work queue monitor entry to include a num-busy-worker-threads attribute which indicates the number of worker threads that are in the process of actively processing a request rather than waiting for new work to do.

  • Add a new Periodic Stats Logger plugin, which can be used to write various server statistics to a file in CSV format with detailed information about processing that occurred within the Directory Server or Directory Proxy Server, as well as the JVM in which the server is running, within the interval since the last update.

  • Update the Directory Proxy Server to provide support for failing over to an alternate server in the course of priming the entry balancing global index.

  • Update the server so that it will return a result of "unavailable" rather than "unwilling to perform" for operations from unauthorized clients when operating in lockdown mode.

  • Add a number of new access loggers to the server configuration which may be used to troubleshoot problems in the server. One will log information about any operation which did not complete successfully to the logs/failed-ops log file. Another will log information about any operation which takes more than 1000 milliseconds to complete to the logs/expensive-ops file. Another will log information about search operations which did not return any entries to the logs/searches-returning-no-entries file. Of these new loggers, only the one writing to the logs/failed-ops file is enabled by default.

  • Add the ability to configure the set of result codes that will cause a connection to be considered defunct by the Directory Proxy Server so that a new connection will be created and the existing connection terminated.

  • Update the UnboundID work queue to add support for maintaining separate pools of worker threads for read and write operations, which can help minimize the performance impact for read operations in the event that write operations are temporarily blocked by expensive processing (e.g., database contention, I/O backlog, etc.). It is also possible to split worker threads across multiple internal queues for reduced contention. This has been observed to provide significantly improved performance on systems with large numbers of CPUs.

  • Add a new load-balancing algorithm which will select the backend server to use for an operation by choosing the server with the fewest operations already in progress (it will also take the location and health of the server into account). This can help avoid excessive backlogs on one server if something causes it to behave more slowly than the other servers in the environment. This is the new default load-balancing algorithm used when creating an initial proxy configuration.

  • Update the system information monitor entry to include information about the system account being used to run the server and a list of all system properties defined in the JVM.

  • Update the UnboundID work queue to provide the ability to select the type of queue to be used. Also, update the LDAP connection handler to provide the ability to create a separate request handler thread for each connection, rather than allowing request handlers to potentially read requests from multiple clients.

  • Add support for a number of different types of resource limits within the server, including: the maximum number of connections that may be established at any given time, the maximum number of concurrent connections from any client (based on either IP address or bind DN) or group of related clients, the maximum number of operations that may be processed over the life of a client connection, the maximum number of operations that may be processed concurrently for a single client connection, the maximum rate at which a single client or a group of related clients may request operations, the maximum length of time that a client connection may remain established, the types of request controls which may be used, the types of search filters which may be used, the minimum number of characters required in substring filters, and caps on resource consumption allowed during search operations.

  • Add a new global configuration option which makes it possible to specify the maximum length of time that the server shutdown process may take before it attempts to interrupt threads which have not yet completed their processing. In most cases, server threads will react to a shutdown in a timely manner and no interrupt is needed.

  • Add the ability for a proxy transformation to return entries and/or search result references which would not have otherwise been returned to the client (e.g., entries generated within the proxy transformation or obtained from some other source).

  • Update the failover request processor so that it has the ability to re-try a search operation using an alternate request processor if that search completed successfully but did not return any entries. This may be useful in cases in which servers may not always have an identical set of content.

  • Add a new proxy transformation which can be used to supply default values for a specified attribute in add request and/or search result entries. It can be configured to only supply default values if the target attribute is missing, or to always use the default values instead of or in addition to any existing values that were already present. Issue:1589

  • Make a change to the UnboundID work queue in order to provide a small performance improvement.

  • Update the Directory Proxy Server so that if a backend server is explicitly configured to have a health check state of "unavailable", no attempt will be made to communicate with that server. Issue:1512

  • Update the Directory Server so that access log messages for extended operations now include human-readable names for the operation type in addition to the numeric OID when possible.

  • Fix a bug in the parallel-update tool that could cause operations to be retried even when the --neverRetry argument was provided. Also, when the tool is configured to retry operations, the reject file will now include the result code and diagnostic message received from the last failure after no more progress can be made, rather than providing a generic message.

  • Update the Directory Proxy Server so that it will adhere to the client-requested size limit in an entry-balancing configuration. Issue:877

  • Fix a bug in the collect-support-data tool that could cause it to make incorrect use of a password file when capturing the output of the status command. Issue:1593

  • Update the SNMP alert handler so that the traps it creates have a more sensible value for the uptime field. Previously, the uptime value was always zero, but it will now reflect the length of time that the Directory Server has been online.

  • Update the Directory Proxy Server so that the connection pools associated with an LDAP external server will be closed and recreated whenever the health of that server transitions from unavailable to either available or degraded. This will ensure that the server does not contain any references to connections that may have been established before the server was initially classified as unavailable. Issue:1599

  • Fix a bug in which LDAP request handlers might not properly close the selectors used to read requests from clients. This could cause a memory leak over time, particularly in servers configured to use the request-handler-per-connection option.

  • Improve the access log message generated whenever a connection is terminated because of a decoding error encountered while reading data from the client. The message will now include the contents of the packet received from the client, indicating the point at which the problem was encountered.

  • Fix a bug in the LDAP connection handler in which the server could incorrectly handle a request in which the ASN.1 length of the LDAP message was encoded using multiple bytes that were split across separate packets.
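
The framing bug above is a classic stream-parsing pitfall: a multi-byte BER length can be cut by a TCP segment boundary, and a reader that treats each read as a whole message misparses it. The following added example, which is not part of the release notes or the UnboundID code base, shows a framer that buffers until the full length field is present, and also rejects indefinite lengths and oversized messages before allocating for them. The one-megabyte cap is a constructed value.

```python
MAX_MESSAGE_LENGTH = 1024 * 1024   # constructed cap; a server would take this from configuration


def encode_ldap_message(contents: bytes) -> bytes:
    """Wrap `contents` in the outer LDAPMessage SEQUENCE (tag 0x30) with a
    definite BER length: short form under 128 bytes, long form above."""
    n = len(contents)
    if n < 0x80:
        return b"\x30" + bytes([n]) + contents
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + contents


class LdapMessageFramer:
    """Reassembles LDAP messages from a byte stream, whatever the packet boundaries."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data: bytes):
        """Append newly read bytes; return the list of complete message bodies."""
        self._buf += data
        messages = []
        while True:
            msg = self._try_parse()
            if msg is None:
                break
            messages.append(msg)
        return messages

    def _try_parse(self):
        buf = self._buf
        if len(buf) < 2:
            return None                      # need at least tag + first length byte
        if buf[0] != 0x30:
            raise ValueError("expected LDAPMessage SEQUENCE tag 0x30, got 0x%02x" % buf[0])
        first = buf[1]
        if first < 0x80:
            length, header = first, 2        # short form
        else:
            num_len_bytes = first & 0x7F
            if num_len_bytes == 0:
                raise ValueError("indefinite BER length is not permitted in LDAP")
            if num_len_bytes > 4:
                raise ValueError("%d-byte length field is unreasonable" % num_len_bytes)
            header = 2 + num_len_bytes
            if len(buf) < header:
                return None                  # length bytes straddle a packet boundary
            length = int.from_bytes(buf[2:header], "big")
        if length > MAX_MESSAGE_LENGTH:
            raise ValueError("message of %d bytes exceeds limit" % length)
        if len(buf) < header + length:
            return None                      # body not complete yet
        msg = bytes(buf[header:header + length])
        del buf[:header + length]
        return msg


def is_rejected(data: bytes) -> bool:
    """True if a fresh framer refuses `data` as malformed."""
    try:
        LdapMessageFramer().feed(data)
        return False
    except ValueError:
        return True
```

Note that the length check runs as soon as the length field is complete, before any of the body arrives, which is what keeps a client from making the server buffer a huge claimed message.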

  • Improve the process for stopping threads when the server is shutting down, and provide additional debugging information that may be useful if any threads are slow to stop running. Issue:900

  • Update the ldap-diff tool to take advantage of the stream directory values extended operation when it is available. This can dramatically improve the performance of the tool when attempting to identify the set of all entries in the server. Issue:794

  • Update the ldap-diff tool to provide support for reading the DNs of all the entries in one or both directories from files instead of obtaining them over LDAP. In directories which do not support the stream directory values extended operation, this may provide a significantly faster way to obtain this information if it is already available in some form.

  • Fix a bug in the ldap-diff tool that could cause it to report incorrect percent complete values when comparing data sets of more than 20 million entries.

  • Change the default access log format to log only a single line per operation containing details of both the request and response rather than separate lines for requests and responses. In the case of the Directory Proxy Server, that single line will also include information about the backend server to which the request was forwarded, although forward failure messages will still be logged as separate lines by default. Issue:1677

  • Update the Directory Server to add support for interrupting the stream directory values extended operation in the event that the client connection is terminated or the request is abandoned or canceled.

  • Update a number of password storage schemes using salted digests to provide support for salts of arbitrary length rather than requiring them to use a fixed length. This can be useful for encoded passwords imported from external sources.
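
To make the salt-length point concrete, here is an added example (not UnboundID code, and the notes do not name the schemes involved) using the common {SSHA} layout, where the stored value is base64 of the SHA-1 digest followed by the salt. Because the digest has a fixed size, the salt is simply whatever follows it, so a verifier that derives the salt length from the decoded value accepts imports with any salt length, while one that assumes a fixed salt length rejects a correct password.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes for SHA-1


def encode_ssha(password: str, salt: bytes = None, salt_len: int = 8) -> str:
    """Encode as {SSHA}base64(sha1(password + salt) + salt). A random salt of
    `salt_len` bytes is generated unless one is supplied."""
    if salt is None:
        salt = os.urandom(salt_len)
    if not salt:
        raise ValueError("salt must not be empty")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def _split(encoded: str):
    """Return (digest, salt); the salt is everything after the digest."""
    if not encoded.startswith(SCHEME):
        raise ValueError("not an %s value" % SCHEME)
    raw = base64.b64decode(encoded[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("encoded value carries no salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(password: str, encoded: str) -> bool:
    """Arbitrary-length salt: the salt length comes from the decoded value."""
    stored, salt = _split(encoded)
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, computed)


def verify_ssha_fixed_salt(password: str, encoded: str, salt_len: int = 8) -> bool:
    """A fixed-length verifier for contrast: it only accepts values whose salt
    is exactly `salt_len` bytes, so values imported from a system that used a
    different salt length fail even when the password is right."""
    stored, salt = _split(encoded)
    if len(salt) != salt_len:
        return False
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, computed)
```

Two things a practitioner will want to keep in mind: comparisons use `hmac.compare_digest` so verification time does not depend on where the digests differ, and salted SHA-1 is a fast hash, so for passwords you set yourself a deliberately slow scheme is the better choice; the arbitrary-salt logic matters for migrating values you did not create.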

  • Fix a bug in the upgrade tool that could cause the same warning message to be displayed multiple times if the version obtained from the server was different from what was expected (e.g., because a server jar file had previously been replaced without using the upgrade tool). Issue:1640

  • Modify the default work queue to make use of multiple queues by default, which can improve performance and scalability on multi-CPU systems.

  • Update the Directory Proxy Server to increase the number of worker threads that will be used by default on systems reporting the presence of at least eight CPUs.

  • Update the parallel-update tool to add the ability to use the permissive modify request control, which may be used to request that the server ignore attempts to add attribute values which are already present or remove attribute values which are not present.

  • Update the ldap-diff tool to make it more likely that its output can be replayed without any alteration. The order of operations has been updated so that all deletes are listed first, followed by all modifies, and finally all adds. In addition, all delete operations are ordered such that subordinate entries will always be removed before their ancestors.
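
The replay ordering described above, as an added example that is neither the ldap-diff tool's code nor part of the release notes. It applies the two stated rules (deletes, then modifies, then adds; deletes with subordinates before ancestors) to a constructed set of change records and includes a checker for them. The adds are additionally sorted parents-first, which is my assumption about what a replayable order needs, not something the notes state; the DN handling is simplified and ignores escaped commas.

```python
SAMPLE_CHANGES = [   # constructed ldap-diff style output, deliberately out of order
    {"dn": "uid=b,ou=New,dc=example,dc=com", "changetype": "add",
     "body": ["objectClass: inetOrgPerson", "uid: b", "sn: B", "cn: B"]},
    {"dn": "ou=Old,dc=example,dc=com", "changetype": "delete"},
    {"dn": "uid=c,ou=People,dc=example,dc=com", "changetype": "modify",
     "body": ["replace: mail", "mail: c@example.com", "-"]},
    {"dn": "ou=New,dc=example,dc=com", "changetype": "add",
     "body": ["objectClass: organizationalUnit", "ou: New"]},
    {"dn": "uid=a,ou=Old,dc=example,dc=com", "changetype": "delete"},
]

TYPE_RANK = {"delete": 0, "modify": 1, "add": 2}   # required order of change types


def dn_depth(dn: str) -> int:
    """Number of RDNs. Simplified: splits on ',' and ignores escaped commas."""
    return sum(1 for rdn in dn.split(",") if rdn.strip())


def is_subordinate(child: str, ancestor: str) -> bool:
    """Simplified subtree test on lower-cased, whitespace-stripped DNs."""
    def norm(d):
        return ",".join(p.strip().lower() for p in d.split(","))
    return norm(child).endswith("," + norm(ancestor))


def order_for_replay(changes):
    """Deletes first (deepest DN first, so children go before parents), then
    modifies in their original order, then adds (shallowest first; assumption)."""
    deletes = [c for c in changes if c["changetype"] == "delete"]
    modifies = [c for c in changes if c["changetype"] == "modify"]
    adds = [c for c in changes if c["changetype"] == "add"]
    deletes.sort(key=lambda c: -dn_depth(c["dn"]))   # stable sort keeps ties in input order
    adds.sort(key=lambda c: dn_depth(c["dn"]))
    return deletes + modifies + adds


def validate_replay_order(changes) -> bool:
    """True if change types appear in delete/modify/add order, no delete
    precedes a delete of one of its subordinates, and no add precedes an
    add of one of its ancestors."""
    for i, c in enumerate(changes):
        for later in changes[i + 1:]:
            if TYPE_RANK[later["changetype"]] < TYPE_RANK[c["changetype"]]:
                return False
            if c["changetype"] == "delete" and later["changetype"] == "delete" \
                    and is_subordinate(later["dn"], c["dn"]):
                return False
            if c["changetype"] == "add" and later["changetype"] == "add" \
                    and is_subordinate(c["dn"], later["dn"]):
                return False
    return True


def to_ldif(changes) -> str:
    """Render the records as LDIF change records, one blank line apart."""
    records = []
    for c in changes:
        lines = [f"dn: {c['dn']}", f"changetype: {c['changetype']}"] + c.get("body", [])
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(order_for_replay(SAMPLE_CHANGES)))
```

Running `validate_replay_order` over a diff before replaying it is a cheap guard against the half-applied state you get when a delete of a non-leaf entry fails partway through a change file.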

  • Update the scripts used to stop the server to prevent them from falling through to try to stop the server over LDAP if the attempt to kill the process fails or times out, since the attempt to stop the server over LDAP would fail without at least the appropriate authentication credentials, and could potentially be dangerous in some contexts.

  • Update the system information monitor entry to include information about all environment variables defined in the server process. In addition, it will now attempt to determine and report the process ID of the JVM in which the server is running.

  • Update the logic for sending an e-mail message from the server so that it will always attempt to determine the fully-qualified name of the system to include in the HELO/EHLO request. In the event that the fully-qualified name cannot be determined, then the IP address of the server will be used rather than using an unqualified name. Issue:1337

  • Update the server to make it possible to configure the length of time that name-to-IP address mappings may be cached within the server. This may be useful in environments in which the addresses associated with a particular hostname may change frequently. Issue:941

  • Update the upgrade and revert-upgrade tools to ignore directories that contain backup files. Issue:1143

  • Update the Directory Server to change the implementation of the show-all-attributes configuration option in the schema and root DSE backends to be more robust, particularly for client requests that explicitly request a specific set of attributes. Issue:1590

  • Updated the logic used to identify previous log files that had been rotated so that only files with names that might have been created by the rotation process will be candidates for removal by the retention policy. Issue:1285

  • Update the Directory Server to add a search shutdown plugin which can be used to perform a specified internal search when the server is shutting down and have the results of that search written to a specified file. This may be useful, for example, to automatically dump the contents of the monitor backend on shutdown. Issue:1334

  • Update the server so that when creating a duplicate of an existing configuration object, some key properties may be excluded from the clone so that they must be explicitly configured by the administrator rather than automatically using the same value as the object being duplicated. This can help prevent problems in which a duplicated value was inadvertently used. Issue:1675

  • Add support for a new CLIENT-CERTIFICATE access log message type which can be used to log information about any certificate presented by a client when negotiating a secure communication channel. Issue:1756

  • Update the Directory Server to provide an option to automatically authenticate clients that have presented their own certificate during SSL or StartTLS negotiation. This option is disabled by default. Issue:1748

  • Update the Directory Proxy Server so that it provides the ability to recognize and react to configuration changes made to single-server load-balancing algorithms without the need to restart the server or disable and re-enable the load-balancing algorithm. Issue:1770

  • Update the Directory Proxy Server to add a new proxy transformation that may be used to intercept a simple bind request and attempt to process it instead as a SASL EXTERNAL bind if the client had already presented a certificate during SSL or StartTLS negotiation. In the event that the SASL EXTERNAL bind attempt fails, then the simple bind may optionally be processed instead. Issue:1749

  • Update the Directory Proxy Server to return an unavailable result to clients in the event that a search request needs to use entry balancing but one or more of the backend sets needed for processing that request does not have any servers which may be used to process that operation. Previously, the server may have incorrectly returned a success response with no matching entries. Issue:1733

  • Fix a bug that may cause intermittent failures for search operations with large result sets when SSL or StartTLS is in use. Issue:1330

  • Add a plugin which may be used to allow the server to act as an SNMP sub-agent rather than requiring it to always operate only as a master agent. Issue:1723

  • Update the Directory Proxy Server to detect and properly configure Red Hat Directory Server instances for use as backend servers, including the related open source Fedora and 389 Directory Server instances. Issue:1751

  • Update the Directory Proxy Server to add the ability to define a number of reserved worker threads that will only be enabled for use if no local servers are available for use so that all communication will target remote servers. In such cases, additional worker threads may be needed to compensate for the increased latency of communication with remote servers. Issue:1857

  • Update the setup process so that the server will be configured without an LDAP connection handler if the "--no-prompt" argument is provided without an "--ldapPort" argument. This option is only available for use when using the non-interactive setup mechanism. Issue:1759

  • Update the server to improve logging performance under heavy load, particularly on systems with relatively slow single-threaded performance.

  • Change the behavior of the dsconfig tool when creating a new configuration object so that the user will first be prompted about whether to create a completely new configuration object or clone an existing object. This simplifies the interface and makes it less likely that an administrator will incorrectly attempt to clone an existing object rather than creating a new one. Issue:1747

  • Update a number of access log retention policies to make them more robust and to fix bugs that could prevent old log files from being removed when the appropriate conditions were met. Over long periods of time, this could potentially cause available disk space to run low and necessitate the manual removal of files to avoid running out of space. Issues:1867,1867

  • Modify the upgrade process so that schema definitions are always migrated before the configuration. In some rare cases, attempting to migrate the configuration before the schema could lead to failures in the upgrade process. Issue:1812

  • Update the server to include more useful information in access log messages reporting the closure of a client connection as a result of an I/O error.

  • Update the repeated characters password validator to provide the ability to reject a password if it contains multiple consecutive characters from the same character set, rather than only rejecting passwords with the same character repeated too many times. Issue:1940

  • Update the Directory Server to fix potential problems in its support for SSL or StartTLS communication if the server was not able to access a complete block of encrypted information at once. Issue:1330

  • Update the Directory Proxy Server to prevent the administrator from attempting to configure a client connection policy with multiple subtree views that have the same base DN. Issue:1650

  • Fix a bug that could prevent a disabled access logger from being removed from the server configuration.

  • Update the server to prevent multiple loggers from being configured with the same target log file. Issue:1676

  • Significantly revise the upgrade tool in an attempt to make it more robust and minimize the amount of work required for performing an upgrade. Issues:1927,1931,2031,2037

  • Add support for a new search-and-mod-rate command line tool which operates in a manner similar to the searchrate tool but that will also modify any entries returned from the search.

  • Fixed a potential bug in the way that the search time limit is enforced that could cause a time limit exceeded result to be returned too soon in a rare corner case.

  • Rename the upgrade tool to be "update", and rename the revert-upgrade tool to be "revert-update".

  • Update the Directory Proxy Server to generate an administrative alert if an error occurs while attempting to communicate with a backend server while a proxy component is being initialized. Previously, that server would not be used and would be listed as unavailable in the server monitor information, but no alert would be generated. Issue:1761

  • Update the Directory Proxy Server to add the ability to limit the rate at which expired connections will be closed to prevent a large number of connections from being closed and re-established in a short period of time. Also, add the ability to invoke some level of health checking on connections which are part of the connection pool rather than only performing health checking on separate connections.

  • Update the Directory Server to make the lockdown-mode privilege usable by non-root users. Issue:1109

  • Update the server so that it includes a patch version number in addition to the existing major, minor, and point version numbers. This can help better distinguish versions with the same major, minor, and point version numbers which differ only based on patches applied.

  • Update the Directory Server to abort the startup process with an error message if the admin data backend includes a malformed entry. Previously, malformed entries in the admin data backend would be silently ignored. Issue:2049

  • Update the Directory Proxy Server to immediately return an error to the client if a failure occurs while processing a search operation that has already returned one or more entries. Previously, the search might have been re-tried on an alternate server, which could cause duplicate entries to be returned.

  • Update the collect-support-data tool to change the way that the jstack tool is invoked to dramatically reduce the impact that it has on the running process. Issue:2038

  • Update the Directory Proxy Server so that the create-initial-proxy-config tool correctly creates an entry balancing request processor. Issue:2121

  • Update the Directory Proxy Server to add the ability to collect high-precision timing for proxy-related processing components.

  • Update the export-ldif and verify-index tools so that they can be used against a server whose database files are contained on a read-only filesystem, including a ZFS snapshot. Issue:71

  • Update the alert backend to be able to handle entries with unrecognized alert types. This is unlikely to occur in normal conditions, but could cause a problem in deployments in which the server was upgraded and subsequently reverted, and an alert was generated in the upgraded server that uses an alert type not defined in the older version. Issue:2126

  • Change the way that the worker thread percent busy values are calculated in the work queue monitor entry to make them more accurate. Also, add new recent-average-queue-size and current-worker-thread-percent-busy monitor attributes. Issue:1982

  • Update the Directory Proxy Server to ensure that any controls configured to be passed through the proxying request processor also appear in the list of supported controls in the root DSE.

  • Modify the update process to require that the system user performing the update is the same as the system user used to run the server. This will help prevent files from being created or altered during the update process with permissions that would prevent the server from being able to access them when the server is started as the appropriate user. Issue:2158

  • Update the Directory Proxy Server so that the create-initial-proxy-config and prepare-external-server tools will provide a better error message if a problem occurs while trying to update the target server (e.g., to add a proxy user account or modify the set of defined access controls). The error message will include an LDIF representation of the changes that may need to be manually applied to ensure correct operation. Issue:1699

  • The SNMP MIB files have been moved to resource/mib. There are now no differences in the alert MIB provided with Directory Server and Directory Proxy Server. Issue:2170

  • Modify the update tool to ensure that the documentation is updated for the new release if appropriate. Issue:2178

  • Update the Directory Proxy Server to fix problems around priming the global index, including reporting the incorrect time and throwing an exception when priming against another Directory Proxy Server whose external server definition does not include a location. A fix was also included for a problem that could cause the Directory Proxy Server to take an excessive length of time to shut down. Issues:1283,2112,2113,2183

  • Update the dsconfig tool and the Web administration console so that they inform the administrator of any administrative action (e.g., disabling and re-enabling the specified component, or restarting the server) that may be required as a result of a configuration change to be made. Issues:211,2132

  • Update the subject attribute to user attribute certificate mapper to provide support for VeriSign certificates whose subject contained an emailAddress attribute with an unusual encoding. Issue:2177

  • Fix a bug in the Directory Proxy Server that could cause global index priming to fail against a backend server that did not support the stream directory values extended operation. Issue:2224