Ping Identity Directory Proxy Server Release Notes
Notes for the following versions of the Ping Identity Directory Proxy Server are available in this document:
Updating to the latest version of the Directory Proxy Server addresses the following critical issues from previous versions. Affected servers should be updated.
The following enhancements were made to the topology manager to make it easier to diagnose the connection errors described in PDSTAGING-570:
- Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry.
The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.
The following enhancements were made to the topology manager to make it easier to diagnose the connection errors:
- Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved.
The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.
Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.
SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.
It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination.
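The access-log review described above can be scripted. The following is an added example, not part of the release notes or the product: it parses constructed access log lines (the bracketed-timestamp, message-type, key="value" layout and the sample addresses, connection ids and cipher names are assumptions for this example), joins each SECURITY-NEGOTIATION message to the CONNECT message for the same conn id so the client address is known, and reports clients that negotiated SSLv3 as well as connections the server disconnected for attempting the disallowed protocol.

```python
import re
from collections import defaultdict

# Constructed sample access log. The field layout is modelled on the server
# access log but is an assumption for this example; hosts, connection ids and
# cipher names are illustrative. 1.3.6.1.4.1.1466.20037 is the StartTLS OID.
SAMPLE_ACCESS_LOG = """\
[10/Nov/2014:09:15:01.123 -0600] CONNECT conn=41 from="10.1.2.3:51022" to="10.1.0.9:636" protocol="LDAPS"
[10/Nov/2014:09:15:01.130 -0600] SECURITY-NEGOTIATION conn=41 protocol="SSLv3" cipher="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
[10/Nov/2014:09:15:02.001 -0600] CONNECT conn=42 from="10.1.2.7:40110" to="10.1.0.9:636" protocol="LDAPS"
[10/Nov/2014:09:15:02.010 -0600] SECURITY-NEGOTIATION conn=42 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
[10/Nov/2014:09:15:03.500 -0600] CONNECT conn=43 from="10.1.2.3:51030" to="10.1.0.9:389" protocol="LDAP"
[10/Nov/2014:09:15:03.520 -0600] EXTENDED conn=43 op=0 msgID=1 requestOID="1.3.6.1.4.1.1466.20037"
[10/Nov/2014:09:15:03.560 -0600] SECURITY-NEGOTIATION conn=43 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"
[10/Nov/2014:09:15:04.000 -0600] CONNECT conn=44 from="10.1.2.9:33001" to="10.1.0.9:636" protocol="LDAPS"
[10/Nov/2014:09:15:04.020 -0600] DISCONNECT conn=44 reason="Protocol Error" msg="The client attempted to use the disallowed SSLv3 protocol"
"""

# "[timestamp] MESSAGE-TYPE key=value key="quoted value" ..."
LINE_RE = re.compile(r'^\[[^\]]*\]\s+(\S+)\s*(.*)$')
FIELD_RE = re.compile(r'([\w-]+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one access log line into (message_type, {field: value}); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg_type, rest = m.group(1), m.group(2)
    fields = {}
    for key, raw, quoted, bare in FIELD_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else bare
    return msg_type, fields


def find_sslv3_clients(log_text):
    """Return ({client_host: [conn ids that negotiated SSLv3]},
               [(client_host, conn id) disconnected for attempting disallowed SSLv3])."""
    client_by_conn = {}            # conn id -> client host, learned from CONNECT messages
    negotiated = defaultdict(list)
    rejected = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_type, f = parsed
        conn = f.get("conn")
        if msg_type == "CONNECT":
            # Strip the ephemeral port; the host is what identifies the client to fix.
            client_by_conn[conn] = f.get("from", "unknown").rsplit(":", 1)[0]
        elif msg_type == "SECURITY-NEGOTIATION" and f.get("protocol") == "SSLv3":
            negotiated[client_by_conn.get(conn, "unknown")].append(conn)
        elif msg_type == "DISCONNECT" and "SSLv3" in f.get("msg", ""):
            rejected.append((client_by_conn.get(conn, "unknown"), conn))
    return dict(negotiated), rejected


if __name__ == "__main__":
    negotiated, rejected = find_sslv3_clients(SAMPLE_ACCESS_LOG)
    for host, conns in sorted(negotiated.items()):
        print(f"{host}: negotiated SSLv3 on {len(conns)} connection(s) {conns}")
    for host, conn in rejected:
        print(f"{host}: conn={conn} disconnected for attempting the disallowed SSLv3 protocol")
```

Both lists matter after the upgrade: the first identifies clients that still negotiated SSLv3 while it was permitted (or after allowed-insecure-tls-protocol was set), the second shows clients that are now being turned away and need to be updated.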
Update the replication backlog health check so that if a problem is encountered while attempting to retrieve monitor information from a backend server, that server will only be classified as degraded rather than unavailable.
Fix a bug that allows users with expired passwords to change attributes in their own entry other than password.
Update the PingDirectory Server to apply access controls when processing the GetAuthorizationEntryRequestControl.
Following are notes for version 7.3.0.7 of the Directory Proxy Server.
The following issues have been resolved with this release of the Directory Proxy Server:
Updated the proxy to check if the proxy's backend has been sufficiently initialized prior to performing a health check. Issue:DS-40274 SF#:00674438
Fixed an issue where the server was attempting to connect by an IP address rather than a hostname when DNS lookup was successful. Issue:DS-40366 SF#:00668508
To support multiple trace loggers, each trace logger now has its own resource key, which is shown in the "Resource" column in the output of "status". This key allows separate alarms to be raised for sensitive message types on each trace logger. Issue:DS-37955
Fixed an issue that stopped new extensions from being installed. Issue:DS-41054 SF#:00677974
Added a --duration argument to collect-support-data. When used, only the log files covering the specified duration before the current time will be collected. Issue:DS-40771
Allows users who were migrated from the admin backend to the topology to manage the topology. Migrated users are granted the "manage-topology" privilege if they do not already have it. Issue:DS-39799
Added a cache for password policies stored in user data rather than in the configuration. The cache will hold up to 500 policies by default, but the cache size can be configured (or the cache disabled) using the maximum-user-data-password-policies-to-cache property in the global configuration. Issue:DS-40681
Fixed a memory leak when performing SCIM queries on the Directory Server. Issue:DS-41206 SF#:00681395
These issues were resolved with version 7.3.0.4 of the Directory Proxy Server:
Fixed an issue where some state associated with a JMX connection was not freed after the connection was closed. This led to a slow memory leak in servers that were monitored by an application that created a new JMX connection each polling interval. Issue:DS-40828
These issues were resolved with version 7.3.0.3 of the Directory Proxy Server:
Fixed an issue that could cause the server to leak a small amount of memory each time it failed to establish an LDAP connection to another server. Issue:PDSTAGING-840
Fix an issue where an LDAP search across entry-balanced server sets sometimes returned 0 (success) even though all servers in one of the sets failed with a timeout. The search should return 52 (unavailable) in this situation. Issue:DS-40327 SF#:00672852
Important upgrade considerations for version 7.3.0.1 of the Directory Proxy Server:
The remove-sample-directory-data-aci.ldif file provided with the Delegated Admin installation package was updated in version 3.5.0 to reinstate permissions for users to change their own password (self-service password reset). If you have used an earlier version of this LDIF file, then consider manually adding the following ACI from the updated version:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Allow users to update their own password"; allow (write) userdn="ldap:///self";)
These issues were resolved with version 7.3.0.1 of the Directory Proxy Server:
Fixed an issue where Delegated Admin would not work properly if the name of the REST Resource Type was not the same as the resource endpoint. Issue:DS-39347
Updated the Groovy scripting language version to 2.5.7. For a list of changes, visit groovy-lang.org and view the Groovy 2.5 release notes. As of this release, only the core Groovy runtime and the groovy-json module are bundled with the server. To deploy a Groovy-scripted Server SDK extension that requires a Groovy module not bundled with the server, such as groovy-xml or groovy-sql, download the appropriate jar file from groovy-lang.org and place it in the server's "lib/extensions" directory. Issues:DS-39176,DS-39308
Delegated Admin enhancements for constructed attributes.
- Allow a required attribute to be read-only if it is constructed.
- Add a configured list of "Update Constructed Attributes" on the REST resource type, similar to the "Post Create Constructed Attributes", so that constructed attributes can be updated when dependent attributes change.
- Handle constructed attributes which reference other constructed attributes. Issues:DS-39525,DS-39526
Fixed an issue where Delegated Admin search results were truncated and invalid upon encountering a Directory entry containing a Boolean or Integer syntax attribute whose values were invalid because they did not conform to the appropriate syntax. With this fix, the offending values are omitted from the results and a warning message is logged to the server errors log. Issue:DS-39693
Added a "cn=Server Status Timeline,cn=monitor" monitor entry to track a history of the local server's last 100 status changes and their timestamps. Updated the LDAP external server monitor to include attributes tracking health check state changes for external servers. The new attributes include the number of times a health check transition has occurred, timestamps of the most recent transitions, and messages associated with the most recent transitions. Issue:DS-17278
Fixed a plugin incompatibility issue resulting from unexpected vendor names. Issue:DS-39751 SF#:00670860
Important upgrade considerations for version 7.3.0.0 of the Directory Proxy Server:
To ensure correct search results with Delegated Admin, disable client caching by updating the Delegated Admin HTTP Servlet Extension to return response headers, and then stop and restart the server, as follows:
dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --set "response-header:Cache-Control: no-cache, no-store, must-revalidate" --set "response-header:Expires: 0" --set "response-header:Pragma: no-cache"
These features were added for version 7.3.0.0 of the Directory Proxy Server:
New features for data encryption in transit and at rest: added support for TLS 1.3, ability to encrypt and automatically decrypt sensitive files such as tools.properties and keystore pin files using the server data encryption keys, and the ability to more easily and securely separate master keys from data encryption keys by protecting the server encryption settings database using either Amazon Key Management Service (AWS KMS) or HashiCorp Vault.
Added support for Amazon Corretto JDK 8, Windows Server 2019, Red Hat Enterprise Linux 7.6, CentOS 7.6, Amazon Linux 2, and Docker 18.09.0 on Ubuntu 18.04 LTS.
New load balancing algorithm for performance and improved reliability. By default for new configurations, the load balancing algorithm uses a failover strategy for writes and fewest operations strategy for reads. This means that normally all writes will go to the same server, which reduces replication conflicts or unique attribute conflicts, while all reads are distributed to the servers with lightest load, which distributes server utilization and improves performance. This combination strategy works in tandem with a change to PingDirectory to use assured replication by default for several types of write operations, which reduces the chances of data consistency issues when write operations are immediately followed by read operations for the same objects and attributes.
These issues were resolved with version 7.3.0.0 of the Directory Proxy Server:
HTTP Connection Handlers now accept client-provided correlation IDs by default. To adjust the set of HTTP request headers that may include a correlation ID value, change the HTTP Connection Handler's correlation-id-request-header property. Issue:DS-37617
Updated the server to enable TLSv1.3 by default on JVMs that support it (Java 11 and higher). Issue:DS-38072
Updated the server to support encrypting the contents of the PIN files needed to unlock certificate key and trust stores. If data encryption is enabled during setup, then the default PIN files will automatically be encrypted.
Also, updated the command-line tool framework so that the tools.properties file (which can provide default values for arguments not provided on the command line), and passphrase files (for example, used to hold the bind password) can be encrypted. Issue:DS-38050
Added support for insignificant configuration archive attributes.
The configuration archive is a collection of the configurations that have been used by the server at some time. It is updated whenever a change is made to data in the server configuration, and it is very useful for auditing and troubleshooting. However, because the entries that define root users and topology administrators reside in the configuration, changes to those entries will also cause a new addition to the configuration archive. This is true even for changes that affect metadata for those entries, like updates to the password policy state information for one of those users. For example, if last login time tracking is enabled for one of those users (especially with high-precision time stamps), a new configuration may be generated and added to the configuration archive every time that user authenticates to the server. While it is important for this information to be persisted, it is not as important for it to be part of the server's configuration history.
This update can prevent the configuration archive from storing information about updates that only affect this kind of account metadata. If a configuration change only modifies an existing entry, and the only changes to that entry affect insignificant configuration archive attributes, then that change may not be persisted in the server's configuration archive.
By default, the following attributes are now considered insignificant for the purpose of the configuration archive:
* ds-auth-delivered-otp
* ds-auth-password-reset-token
* ds-auth-single-use-token
* ds-auth-totp-last-password-used
* ds-last-access-time
* ds-pwp-auth-failure
* ds-pwp-last-login-ip-address
* ds-pwp-last-login-time
* ds-pwp-password-changed-by-required-time
* ds-pwp-reset-time
* ds-pwp-retired-password
* ds-pwp-warned-time
* modifiersName
* modifyTimestamp
* pwdAccountLockedTime
* pwdChangedTime
* pwdFailureTime
* pwdGraceUseTime
* pwdHistory
* pwdReset
Issue:DS-37959
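The archive decision described above can be illustrated with a small model. The following is an added example written for these notes, not the server's own implementation: it reads one LDIF change record, collects the attribute names touched by its add/delete/replace/increment lines, and archives the change unless it is a modify confined entirely to the attributes in the default insignificant list. The change records are constructed samples against a hypothetical root DN entry, and the rule that an unrecognised or attribute-less change is always archived is an assumption made here to fail safe.

```python
# The attributes the release notes list as insignificant for the configuration archive.
INSIGNIFICANT_CONFIG_ARCHIVE_ATTRIBUTES = frozenset(name.lower() for name in (
    "ds-auth-delivered-otp", "ds-auth-password-reset-token", "ds-auth-single-use-token",
    "ds-auth-totp-last-password-used", "ds-last-access-time", "ds-pwp-auth-failure",
    "ds-pwp-last-login-ip-address", "ds-pwp-last-login-time",
    "ds-pwp-password-changed-by-required-time", "ds-pwp-reset-time",
    "ds-pwp-retired-password", "ds-pwp-warned-time", "modifiersName", "modifyTimestamp",
    "pwdAccountLockedTime", "pwdChangedTime", "pwdFailureTime", "pwdGraceUseTime",
    "pwdHistory", "pwdReset",
))

MODIFY_OPERATIONS = {"add", "delete", "replace", "increment"}


def parse_ldif_change(ldif_text):
    """Return (dn, changetype, touched_attributes) for a single LDIF change record.
    Only attribute names introduced by add/delete/replace/increment lines count as touched;
    attribute value lines are ignored, and attribute options such as ';binary' are dropped."""
    dn = changetype = None
    touched = set()
    for raw in ldif_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#") or line == "-":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        lname = name.strip().lower()
        value = value.lstrip(":").strip()   # tolerate '::' (base64) markers without decoding
        if lname == "dn":
            dn = value
        elif lname == "changetype":
            changetype = value.lower()
        elif lname in MODIFY_OPERATIONS:
            touched.add(value.split(";", 1)[0].lower())
    return dn, changetype, touched


def should_archive(ldif_text):
    """Model of the archive decision (assumption: anything not clearly a modify of
    insignificant attributes only is archived, which fails safe)."""
    _dn, changetype, touched = parse_ldif_change(ldif_text)
    if changetype != "modify" or not touched:
        return True                      # adds, deletes, renames, unknown: always archived
    return not touched <= INSIGNIFICANT_CONFIG_ARCHIVE_ATTRIBUTES


# Constructed sample change records (hypothetical entries; values are placeholders).
LOGIN_TRACKING_CHANGE = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
changetype: modify
replace: ds-pwp-last-login-time
ds-pwp-last-login-time: 20190105120000.123Z
-
replace: ds-last-access-time
ds-last-access-time: 20190105120000.123Z
-
replace: modifiersName
modifiersName: cn=Internal Client,cn=Internal
-
replace: modifyTimestamp
modifyTimestamp: 20190105120000.123Z
"""

PASSWORD_CHANGE = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
changetype: modify
replace: userPassword
userPassword: <new-password-placeholder>
-
replace: pwdChangedTime
pwdChangedTime: 20190105120000.123Z
"""

NEW_ROOT_USER = """\
dn: cn=Backup Admin,cn=Root DNs,cn=config
changetype: add
objectClass: top
objectClass: person
cn: Backup Admin
sn: Admin
"""

if __name__ == "__main__":
    for label, record in (("login tracking", LOGIN_TRACKING_CHANGE),
                          ("password change", PASSWORD_CHANGE),
                          ("new root user", NEW_ROOT_USER)):
        print(f"{label}: archive={should_archive(record)}")
```

The login-tracking record touches only listed attributes and is the case the feature is meant to suppress; the password change touches userPassword, which is significant even though pwdChangedTime alone would not be, so it is still archived.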
Fixed an issue in the installer where the Administrative Console’s trust store type would be incorrectly set if it differed from the key store type. Issue:DS-38085 SF#:648467
Critical: The following enhancements were made to the topology manager to make it easier to diagnose the connection errors described in PDSTAGING-570:
- Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period. Issues:DS-38334,PDSTAGING-570 SF#:00655578
Critical: The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry. Issues:DS-38344,PDSTAGING-570 SF#:00655578
Reduced the default max-connection-age value in LDAP External Server configuration objects to 10 minutes. This should avoid the problems created when firewalls between the proxy and the external server silently close connections that have been open for too long. Issue:DS-38176
Critical: The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master. Issues:DS-38335,PDSTAGING-570 SF#:00655578
Fixed an issue that could prevent certain types of initialization failures from appearing in the server error log by default. Issue:DS-38403
Updated the file retention recurring task to no longer log an informational message if there are no log matching files to delete. Issue:DS-38421
The Delegated Admin configuration has changed significantly. Delegated Admin Resource Types were removed and replaced by REST Resource Types. Delegated Administrators and Delegated Group Administrators were removed and replaced by Delegated Admin Rights and Delegated Admin Resource Rights. Previous configurations are converted to the new configuration definitions by the update tool when the server is updated. Issue:DS-37960
Made visible the index-priming-idle-listener-timeout property of the Entry Balancing Request Processor configuration object. During global index priming, this property specifies the amount of time an extended operation response listener can be idle while in progress. For example, if the global index is priming and a backend server stops returning results but does not disconnect, this timeout can be used to force a retry of the operation. Issue:DS-37174
Added a cipher stream provider that can be used to protect the contents of the encryption settings database with a key from the Amazon Key Management Service. Issue:DS-15734 SF#:3718
The response header used for correlation IDs may now be set at the HTTP Servlet Extension level using the correlation-id-response-header configuration property. If set, this property overrides the HTTP Connection Handler's correlation-id-response-header property. Issues:DS-38090,DS-38564,DS-38567
Added a cipher stream provider that can be used to protect the contents of the encryption settings database with a secret passphrase obtained from a HashiCorp Vault instance. Issue:DS-38512
Updated create-initial-proxy-config to change the load-balancing configuration that it generates.
Previously, the tool generated a fewest operations load-balancing configuration for all operations. While this may provide the best overall performance throughput, it increases the risk of replication conflicts, unique attribute conflicts, and application issues resulting from replication latency.
The tool now generates a criteria-based load-balancing configuration that uses a failover strategy for writes and fewest operations for reads. This ensures that under normal circumstances, when all servers are available, all write requests will go to the same server, which eliminates the chance of replication conflicts or unique attribute conflicts. When paired with a corresponding change in the Directory Server to use assured replication by default for all add, delete, and modify DN operations, as well as for all modify operations that involve passwords or certain password policy state attributes, the risk of read-after-write issues resulting from replication latency is also dramatically reduced, so it is therefore safe to continue using a fewest operations load-balancing algorithm for read operations. Issue:DS-38021
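The combined strategy described here and in the 7.3.0.0 feature summary (failover for writes, fewest operations for reads) is easy to see in a simulation. The following is an added example, not the proxy's own load-balancing code: a balancer over a constructed ordered list of backend servers sends every write to the earliest available server and every other operation to the available server with the fewest operations in flight, and reports result code 52 (unavailable), the code the 7.3.0.3 notes cite, when no server can take the request. Server names and the write/read classification are assumptions for this example.

```python
from dataclasses import dataclass

# Operations routed with the failover strategy; everything else (search, compare,
# bind) is treated as a read and routed with fewest operations. Assumption for this model.
WRITE_OPERATIONS = frozenset({"add", "delete", "modify", "modify-dn"})

RESULT_UNAVAILABLE = 52  # LDAP result code when no backend server can serve the request


@dataclass
class BackendServer:
    name: str
    available: bool = True   # health check state
    in_flight: int = 0       # operations currently outstanding on this server


class NoServerAvailable(Exception):
    result_code = RESULT_UNAVAILABLE


class CriteriaBasedLoadBalancer:
    """Failover for writes, fewest operations for reads."""

    def __init__(self, servers):
        # Order matters: failover always prefers the earliest available server,
        # so while it stays healthy every write lands on the same server.
        self.servers = list(servers)

    def _available(self):
        return [s for s in self.servers if s.available]

    def _failover_target(self):
        avail = self._available()
        return avail[0] if avail else None

    def _fewest_operations_target(self):
        avail = self._available()
        # min() keeps the earliest server on a tie, so the choice is deterministic.
        return min(avail, key=lambda s: s.in_flight) if avail else None

    def route(self, operation):
        target = (self._failover_target() if operation in WRITE_OPERATIONS
                  else self._fewest_operations_target())
        if target is None:
            raise NoServerAvailable(f"no backend server available for {operation}")
        target.in_flight += 1
        return target.name

    def complete(self, server_name):
        """Called when a routed operation finishes, releasing its in-flight slot."""
        for s in self.servers:
            if s.name == server_name and s.in_flight > 0:
                s.in_flight -= 1
                return


def demo():
    servers = [BackendServer("ds1"), BackendServer("ds2"), BackendServer("ds3")]
    lb = CriteriaBasedLoadBalancer(servers)
    writes = [lb.route("modify") for _ in range(3)]        # all land on ds1
    reads = [lb.route("search") for _ in range(3)]         # avoid the loaded ds1
    servers[0].available = False                           # ds1 fails its health check
    failover_writes = [lb.route("add") for _ in range(2)]  # writes move together to ds2
    return writes, reads, failover_writes


if __name__ == "__main__":
    writes, reads, failover_writes = demo()
    print("writes:", writes)
    print("reads:", reads)
    print("writes after ds1 became unavailable:", failover_writes)
```

Because the three writes pile up on ds1, the fewest-operations rule steers the reads to ds2 and ds3; when ds1 drops out, writes move as a group to the next server rather than being scattered, which is what keeps conflicting writes off different replicas.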
Added an HTTP servlet extension that can be used to retrieve the server's current availability state. It accepts any GET, POST, or HEAD request sent to a specified endpoint and returns a minimal response whose HTTP status code may be used to determine whether the server considers itself to be AVAILABLE, DEGRADED, or UNAVAILABLE. The status code for each of these states is configurable, and the response may optionally include a JSON object with an "availability-state" field with the name of the current state.
Two instances of this servlet extension are now available in the default configuration. A request sent to /available-state will return an HTTP status code of 200 (OK) if the server has a state of AVAILABLE, and 503 (Service Unavailable) if the server has a state of DEGRADED or UNAVAILABLE. A request sent to the /available-or-degraded-state will return an HTTP status code of 200 for a state of AVAILABLE or DEGRADED, and 503 for a state of UNAVAILABLE. The former may be useful for load balancers that you only want to have route requests to servers that are fully available. The latter may be useful for orchestration frameworks if you wish to destroy and replace any instance that is completely unavailable. Issue:DS-18060
Fixed a bug where the startIndex value for SCIM requests would be incorrect if the used LDAPSearch element had more than one baseDN defined in the scim-resources XML file. Issue:DS-38670 SF#:00643950
Critical: Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords. Issues:DS-38897,DS-38908
Fixed an issue in which backups of the encryption settings database could be encrypted with a key from the encryption settings database. Issue:DS-38550
Added an indent-ldap-filter tool that can make it easier to visualize the structure and components of a complex search filter. Issue:DS-38849
Make Fingerprint Certificate Mapper and Subject DN to User Attribute Certificate Mapper disabled by default on fresh installations. This will not affect upgrades from installations where these mappers are enabled. Issue:DS-37839
Fixed an issue where inter-server bind requests would fail if the cipher used reported a maximum unencrypted block size of 0. Issue:DS-38737 SF#:00658314
Fixed an issue that would throw an exception when trying to delete an entry containing uncached attributes if the LDAP changelog was enabled and using reversible form. Issue:DS-38957 SF#:00662848
Added the --skipHostnameCheck command line option to the setup script, which bypasses validation of the provided hostname for the server. Issue:DS-38109
Updated the ldapdelete command-line tool to improve robustness and add features. Some of the new features include support for client-side subtree delete, deleting entries that match search filters, following referrals, writing failures to a rejects file, rate limiting, and support for a variety of additional controls. Issue:DS-36474
Changed the default value of the HTTP Configuration property include-stack-traces-in-error-pages from 'true' to 'false'. Disabling this property prevents information about exceptions thrown by servlet or web application extensions from being revealed in HTTP error responses. Issue:DS-38864
Added a set of message types to Trace Log Publishers that records events related to access token validation. Issue:DS-38913
Removed the version information page from the docs/build-info.txt endpoint. This information is now available in build-info.txt, which is located in the root directory. Issue:DS-39086
Internal connections created by HTTP requests are now associated with one of the configured client connection policies. A client connection policy may be selected using simple client connection criteria matching the client address, the user performing the request, and the protocol "HTTP/1.1". This change affects the following HTTP interfaces: SCIM, Directory REST API, Consent API and Delegated Admin API. Issue:DS-38873
Important upgrade considerations for version 7.2.1.0 of the Directory Proxy Server:
To ensure correct search results with Delegated Admin, disable client caching by updating the Delegated Admin HTTP Servlet Extension to return response headers, and then stop and restart the server, as follows:
dsconfig set-http-servlet-extension-prop --extension-name "Delegated Admin" --set "response-header:Cache-Control: no-cache, no-store, must-revalidate" --set "response-header:Expires: 0" --set "response-header:Pragma: no-cache"
These issues were resolved with version 7.2.1.0 of the Directory Proxy Server:
Critical: The following enhancements were made to the topology manager to make it easier to diagnose the connection errors:
- Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
- Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period. Issue:DS-38334 SF#:00655578
Critical: The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved. Issue:DS-38344 SF#:00655578
Critical: The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master. Issue:DS-38335 SF#:00655578
The Delegated Admin configuration has changed significantly. Delegated Admin Resource Types were removed and replaced by REST Resource Types. Delegated Administrators and Delegated Group Administrators were removed and replaced by Delegated Admin Rights and Delegated Admin Resource Rights. Previous configurations are converted to the new configuration definitions by the update tool when the server is updated. Issue:DS-37960
These issues were resolved with version 7.2.0.1 of the Directory Proxy Server:
Introduced new Delegated Admin configuration which allows users created by delegated administrators to manage their own profiles within PingFederate.
- To configure this feature ensure the PingFederate local identity schema from local-identity-pingdirectory.ldif has been added to PingDirectory per PingFederate documentation for customer identities.
- Create a constructed attribute for pf-connected-identity (for example, where entryUUID is the PingFederate user ID attribute):
dsconfig create-constructed-attribute --attribute-name pf-connected-identity --set attribute-type:pf-connected-identity --set value-pattern:auth-source=pf-local-identity:user-id={entryUUID}
- Configure the Delegated Admin resource type:
dsconfig set-delegated-admin-resource-type-prop --type-name users --add auxiliary-ldap-objectclass:pf-connected-identities --set post-create-constructed-attribute:pf-connected-identity
Issue:DS-38116
Important upgrade considerations for version 7.2.0.0 of the Directory Proxy Server:
The Delegated Admin web app now supports creation of new users. Installations created using older versions of the install script require a command like the following to be run after upgrade. The 'sn' attribute is a required attribute for inetOrgPerson entries.
dsconfig create-delegated-admin-attribute --type-name users --attribute-type sn --set "display-name:Last Name"
To enable user creation, one of the new configuration properties org-entry-dn or org-search-filter must be set on the Delegated Admin resource type.
These features were added for version 7.2.0.0 of the Directory Proxy Server:
Introduced a Directory REST API to create, read, update and delete (CRUD) any object in the directory using JSON over HTTP. Compared to the SCIM-based Identity Access API (introduced in 4.0), the Directory REST API offers more capability without the configuration overhead and SCIM protocol limitations. See https://apidocs.pingidentity.com/pingdirectory/directory/v1/api/guide/ for more information.
Improved group management in the delegated user administration web app (packaged separately). Whereas before delegated administrators could only add users to groups and remove users from groups, admins can now add and remove sub-groups as well.
Added support for Oracle Java JDK 11 and OpenJDK 11. Added support for RedHat 7.5, CentOS 7.5, and Ubuntu 18.04 LTS.
These issues were resolved with version 7.2.0.0 of the Directory Proxy Server:
Updated the administrative alert health check to improve error handling and to add safeguards against the possibility of having too many active persistent searches to consume alerts from backend servers. Issue:DS-36674 SF#:00637939
Added support for an exec task that can invoke commands on the server. There are several safeguards in place to prevent unauthorized users from invoking arbitrary commands on the server system, including a new exec-task privilege and a whitelist file that must be updated to include the absolute paths of the allowed commands. A new schedule-exec-task tool helps create an exec task from the command line, and the LDAP SDK has also been updated to allow interacting with exec tasks programmatically. Issue:DS-35873
Added support for recurring exec tasks. Issue:DS-35873
Added support for a delay task, which can be used on its own or as a recurring task. It is primarily intended to be used as a spacer between other tasks, and can sleep for a specified period of time, wait for the server to be idle (that is, there are no outstanding operations and all worker threads are idle), or wait for sets of search criteria to match at least one entry (for example, until a monitor entry indicates that the server is in a desired state). Issue:DS-36510
Added support for a new file retention task that can identify files in an indicated directory that match a given pattern and remove any matching files that fall outside of the specified retention criteria. You can specify the minimum number of files that should be retained, the minimum age of files that should be retained, the minimum aggregate size of files that should be retained, or any combination thereof. The files that match the pattern will be sorted by timestamp so that if any files are to be removed, the most recent files will be retained and the oldest files will be deleted.
The file retention task can be scheduled as a standalone task or as a recurring task. Two instances of the file retention recurring task have been defined in the default configuration: one that can clean up old expensive operation dump files, and another that can clean up old work queue backlog thread dump files. In each case, the recurring task is configured to keep at least the 100 most recent files, and no files less than 30 days old will be removed. While these recurring tasks are defined in the out-of-the-box configuration, they are not part of any recurring task chain and therefore will not actually be invoked unless they are configured as part of a chain.
The PingDirectory Server and PingDirectoryProxy Server now include recurring tasks in the out-of-the-box configuration that can clean up old expensive operation dump log files or work queue backlog thread dump log files if too many of them have collected in the server logs directory. For each type of file, if there are more than 100 of them in the server logs directory, then any of the remaining files that are more than 30 days old are candidates for removal. A recurring task chain will perform this cleanup every day at 12:05 a.m. in the JVM's default time zone. Issues:DS-35652,DS-36559
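The retention rule described above, as an added Python example (not PingDirectory's own code) that generalises the default 100-files/30-days configuration to the three criteria the task accepts. File names, sizes and the fixed clock are constructed; the reading of "minimum aggregate size" is an assumption noted in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed "current time" so the example runs deterministically offline.
NOW = datetime(2019, 1, 1, 0, 5)


@dataclass(frozen=True)
class LogFile:
    """Minimal stand-in for a file found in the server logs directory."""
    name: str
    mtime: datetime
    size_bytes: int


def select_for_removal(files: Iterable[LogFile], now: datetime,
                       retain_count: Optional[int] = None,
                       retain_age: Optional[timedelta] = None,
                       retain_bytes: Optional[int] = None) -> List[str]:
    """Return the names of files that fall outside every configured criterion.

    Each criterion protects a set of files; a file is removable only when no
    configured criterion protects it. Files are ranked newest first, so the
    most recent files are retained and the oldest ones are the candidates.
    """
    if retain_count is None and retain_age is None and retain_bytes is None:
        raise ValueError("at least one retention criterion must be configured")
    ranked = sorted(files, key=lambda f: f.mtime, reverse=True)
    removable: List[str] = []
    newer_bytes = 0  # aggregate size of the files ranked ahead of this one
    for rank, f in enumerate(ranked):
        keep_by_count = retain_count is not None and rank < retain_count
        keep_by_age = retain_age is not None and (now - f.mtime) < retain_age
        # Assumption: "minimum aggregate size" keeps the newest files until
        # the files already kept add up to at least that many bytes.
        keep_by_size = retain_bytes is not None and newer_bytes < retain_bytes
        newer_bytes += f.size_bytes
        if not (keep_by_count or keep_by_age or keep_by_size):
            removable.append(f.name)
    return removable


def constructed_dump_files(count: int, hours_apart: int) -> List[LogFile]:
    """Constructed sample: file i was written i*hours_apart hours before NOW."""
    return [LogFile(f"expensive-op-{i:03d}.dump",
                    NOW - timedelta(hours=i * hours_apart), 4096)
            for i in range(count)]


def default_chain_example(count: int, hours_apart: int = 24) -> List[str]:
    """The out-of-the-box rule: keep the 100 most recent, never remove files
    less than 30 days old."""
    return select_for_removal(constructed_dump_files(count, hours_apart), NOW,
                              retain_count=100, retain_age=timedelta(days=30))


def size_rule_example(count: int, retain_bytes: int) -> List[str]:
    """Only the aggregate-size criterion, shown on its own."""
    return select_for_removal(constructed_dump_files(count, 24), NOW,
                              retain_bytes=retain_bytes)


if __name__ == "__main__":
    # 103 daily dumps: the three oldest fall outside the 100 most recent and
    # are older than 30 days, so only those three are removed.
    print(default_chain_example(103))
```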
Updated the server to allow delaying the response to failed bind operations by a specified length of time. While the response is delayed, no other operations will be allowed on the connection. This can be used instead of, or in addition to, account lockout as a means of limiting the rate at which an attacker may try to guess user passwords. Issue:DS-1132
A header containing a correlation ID is now added to outgoing HTTP servlet responses, allowing HTTP responses to be correlated with log messages across server instances. The name of the correlation ID response header defaults to "Correlation-Id" but may be changed by setting the HTTP Connection Handler's correlation-id-response-header property. By default, the server will generate a globally unique correlation ID automatically, but the correlation-id-request-header configuration property may be used to optionally specify one or more request headers that provide an existing correlation ID value from the requesting client. The correlation ID header can be disabled on a per-HTTP Connection Handler basis using the use-correlation-id-header configuration property.
For Server SDK extensions that have access to the current HttpServletRequest, the correlation ID can be retrieved as a String via the HttpServletRequest's "com.pingidentity.pingdata.correlation_id" attribute. For example: (String) request.getAttribute("com.pingidentity.pingdata.correlation_id"); Issue:DS-36209
HTTP Connection Handlers will now raise an alarm during initialization if a context path conflict is detected. Issue:DS-35909
Fixed an issue in which the HTTP Servlet Config Monitor could cause an exception in an HTTP Servlet Extension when attempting to determine its context paths. This caused the status tool and the Administrative Console to potentially omit the HTTP Servlet Extension from the list of active HTTP extensions. Issue:DS-37131
Multiple instances of the SCIM HTTP Servlet Extension may now be created, allowing for multiple SCIM 1.1 service configurations per server instance. For more information, please refer to the "Managing the SCIM Servlet Extension" chapter of the Administration Guide. Issue:DS-35865
Bearer token authentication for the Consent API may now be enabled or disabled using the bearer-token-auth-enabled property of the Consent HTTP Servlet Extension. Issue:DS-36519
The SCIM v1 servlet extension is no longer enabled by default for new installations. Existing installations will be unaffected on an upgrade. Customers are encouraged to use the new "Directory REST API" for REST access from now on. Issue:DS-36988
Fixed an uncommon issue where unsuccessful searches, with a base DN below the entry balancing point, would remove the data set from the global attribute index. Issue:DS-37153
Added a Mock Access Token Validator, which accepts access tokens without validating the authenticity of the tokens using a trusted authorization server or signing certificate. When enabled, a Mock Access Token Validator accepts bearer tokens in the form of a plain text JSON object containing an arbitrary set of claims. Mock Access Token Validators are intended for test or demonstration use only and should never be enabled in production deployments or used to access sensitive data. Issue:DS-36433
Updated the client connection policy configuration to add a maximum-concurrent-operations-per-connection-exceeded-behavior property that specifies the behavior that the server should exhibit if a client tries to exceed the limit set by the maximum-concurrent-operations-per-connection property. Previously, any requests in excess of the maximum-concurrent-operations-per-connection limit would have been rejected with a busy result. The server now offers additional choices for the result code to use when rejecting requests (including admin limit exceeded, constraint violation, unavailable, unwilling to perform, or other), and the server can also be configured to close the connection and abandon all outstanding operations on that connection. Issue:DS-36585
Added a time limit retention policy to support removing log files older than a specified age. Issue:DS-37492
To facilitate testing in multiple GC (garbage collection) environments, GC JVM options have been moved to separate Java properties in the java.properties file. The new ".gc-type" suffix selects the GC type to use, and the new ".gc-<GC type>-args" suffix holds the JVM options for that GC type. Issue:DS-6930
These issues were resolved with version 7.0.1.3 of the Directory Proxy Server:
Fixed a bug where the startIndex value for SCIM requests would be incorrect if the used LDAPSearch element had more than one baseDN defined in the scim-resources XML file. Issue:DS-38670 SF#:00643950
Critical: Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
* When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
* When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.
In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.
We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords. Issues:DS-38897,DS-38908
These issues were resolved with version 7.0.1.2 of the Directory Proxy Server:
Updated the proxy entry balancing request processor to skip an extra search for authorization ID in an entry balanced environment in two cases. In each case, the authorization identity must be specified by providing the full DN of the desired user (as opposed to just a username).
In the first case, if the authorization identity is not subordinate to the balancing point, then it can be assumed that the entry will be available within all backend sets.
In the second case, if the target entry of the operation and the authorization identity are both at least one level below the balancing point, and they have the same RDN component exactly one level below the balancing point, then they must exist on the same backend set. Issue:DS-36786 SF#:00617726
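The two cases as a decision function, added here as an example and not the proxy's own code. DN handling is simplified (no escaped commas), and the "dn:"/"u:" authorization identity forms and the helper names are assumptions.

```python
from typing import List, Optional


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def rdn_below(dn: str, base: str) -> Optional[str]:
    """The RDN of dn's ancestor exactly one level below base, or None when
    dn is not strictly subordinate to base."""
    d, b = dn_rdns(dn), dn_rdns(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return None
    return d[-(len(b) + 1)]


def authz_dn_from_id(authz_id: str) -> Optional[str]:
    """Extract the DN from an authorization identity of the form 'dn:<DN>'.
    A 'u:<username>' identity gives None: only a full DN qualifies."""
    if authz_id[:3].lower() == "dn:":
        return authz_id[3:]
    return None


def can_skip_authz_search(target_dn: str, authz_id: str,
                          balancing_point: str) -> bool:
    """Hypothetical helper: may the proxy skip the extra search that locates
    the authorization identity's entry for this operation?"""
    authz_dn = authz_dn_from_id(authz_id)
    if authz_dn is None:
        return False  # username only: the entry still has to be found
    authz_rdn = rdn_below(authz_dn, balancing_point)
    if authz_rdn is None:
        # case 1: not under the balancing point, so present in every backend set
        return True
    target_rdn = rdn_below(target_dn, balancing_point)
    # case 2: both under the balancing point and sharing the RDN exactly one
    # level below it, so both entries live on the same backend set
    return target_rdn is not None and target_rdn == authz_rdn


if __name__ == "__main__":
    bp = "ou=people,dc=example,dc=com"
    print(can_skip_authz_search("uid=bob,ou=acme," + bp,
                                "dn:uid=admin,ou=acme," + bp, bp))
```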
Updated the Periodic Stats Logger to include columns for the average response time of operations sent to each LDAP external server. Issue:DS-37255
These issues were resolved with version 7.0.1.1 of the Directory Proxy Server:
Updated the administrative alert health check to improve error handling and to add safeguards against the possibility of having too many active persistent searches to consume alerts from backend servers. Issue:DS-36674 SF#:00637939
These features were added for version 7.0.1.0 of the Directory Proxy Server:
New capabilities have been added to the Delegated Admin application (packaged separately). Now directory administrators can delegate the responsibility of managing group memberships for users in the PingDirectory Server. Administrators can delegate to individuals or groups of users, and assign authority over one or more groups in the PingDirectory Server.
Improved the way the PingDirectoryProxy distributes requests in the failover load-balancing configuration. This is especially helpful for multi-tenant environments to better distribute requests per tenant. Now you can configure a load-spreading base DN such that requests to DIT branches below the load-spreading base DN are balanced among the PingDirectory servers. The proxy will automatically maintain affinity between servers and DIT branches.
These were known issues at the time of the release of version 7.0.1.0 of the Directory Proxy Server:
An ACI starting with "GENERATED D-ADMIN ACCESS" is generated automatically by the server from Delegated Admin configuration. Do not create your own custom ACI with the same prefix, for example by copying and pasting from the generated ACI. A custom ACI with this prefix will be deleted when the server is restarted, and whenever a Delegated Admin configuration change causes the Delegated Admin ACI to be regenerated. Issue:DS-37044
Servers to be monitored by the PingDataMetrics Server must have an instance name of less than 256 characters. A server's instance name is specified during setup. Issue:DS-36788
These issues were resolved with version 7.0.1.0 of the Directory Proxy Server:
Updated the failover load-balancing algorithm to add support for load spreading. By default, the failover load-balancing algorithm will consistently route all requests to the same server (subject to the health and location of each of the backend servers), which provides the highest level of protection against issues that may result from replication propagation delay. However, it also means that most of the servers are left idle, only to be used if a problem arises with the primary server.
Load spreading allows the server to retain many of the consistent routing benefits of the failover load-balancing algorithm's default configuration while also taking better advantage of the available servers in the topology. If the failover load-balancing algorithm is configured with one or more load-spreading base DNs, then requests that target entries below a load-spreading base DN may be balanced across any of the servers with the same health check state and location. Requests targeting a specific portion of the data will consistently be routed to the same server, but requests targeting a different portion of the data may be sent to a different server.
Load spreading is primarily beneficial to deployments in which the DIT contains a large number of branches below a common parent, and in which most operations (including search operations, as indicated by the search base DN) only target entries at least one level below that common parent. For example, this may be a good fit for a multi-tenant deployment in which all of the entries for a given tenant are within their own branch, and all of the tenant branches reside below a common parent. Issue:DS-17439
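A model of the failover algorithm with load spreading as described above, added as an example and not PingDirectoryProxy's own routing code. Server names and the tenant layout are constructed; pinning a branch to a server by hashing its DN is an assumption, since the page does not describe the affinity mechanism.

```python
import hashlib
from typing import List, Optional, Sequence


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def branch_below(target_dn: str, base_dn: str) -> Optional[str]:
    """DN of the branch entry one level below base_dn that contains
    target_dn, or None when target_dn is not strictly below base_dn."""
    target, base = dn_rdns(target_dn), dn_rdns(base_dn)
    if len(target) <= len(base) or target[-len(base):] != base:
        return None
    return ",".join(target[-(len(base) + 1):])


def choose_server(target_dn: str, servers: Sequence[str],
                  load_spreading_base_dns: Sequence[str]) -> str:
    """Pick the backend for a request targeting target_dn (for a search,
    the search base DN).

    `servers` lists the backends sharing the best health-check state and
    location; servers[0] is where plain failover routing sends everything.
    A request below a load-spreading base DN is keyed by its branch entry
    and pinned to one server, so every request for the same branch (the
    same tenant) keeps going to the same server, while different branches
    may land on different servers. Assumption: affinity is modelled as a
    hash of the normalised branch DN.
    """
    if not servers:
        raise ValueError("no eligible backend servers")
    for base_dn in load_spreading_base_dns:
        branch = branch_below(target_dn, base_dn)
        if branch is not None:
            digest = hashlib.sha256(branch.encode("utf-8")).digest()
            return servers[int.from_bytes(digest[:8], "big") % len(servers)]
    # Not below any load-spreading base DN: consistent failover routing.
    return servers[0]


# Constructed multi-tenant layout for the demonstration.
SERVERS = ["ds1.example.com", "ds2.example.com", "ds3.example.com"]
TENANT_BASE = "ou=tenants,dc=example,dc=com"


def route(target_dn: str) -> str:
    """Route against the constructed layout above."""
    return choose_server(target_dn, SERVERS, [TENANT_BASE])


if __name__ == "__main__":
    for dn in ("dc=example,dc=com",
               "ou=acme,ou=tenants,dc=example,dc=com",
               "uid=alice,ou=acme,ou=tenants,dc=example,dc=com",
               "uid=bob,ou=globex,ou=tenants,dc=example,dc=com"):
        print(f"{dn:50} -> {route(dn)}")
```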
Fixed an issue in which an unprivileged Consent API client could modify the actor value of a consent record. Issue:DS-36814
Improved the behavior that the server exhibits under certain network conditions when it is not possible to write to a client without blocking. This includes:
* If the server cannot write data to a client after waiting for a length of time specified by the connection handler's max-blocked-write-time-limit configuration property, the access log message indicating that the client has been disconnected because of an I/O timeout will now more clearly indicate that the reason was the inability to write data to the client.
* The server now limits the number of threads that can be blocked while trying to send data to the same client over the same client connection. If too many threads would have been blocked while trying to send data over the same connection, that connection will be terminated, and the disconnect access log message will include the reason for the disconnect.
* If the server is trying to send data to the client that it considers optional (for example, certain types of unsolicited notifications), then the server may skip sending that optional data if the write would have caused the server thread to block. Issue:DS-36325 SF#:00627663
Delegated Admin operations now appear in the LDAP access log. Issue:DS-37021
Added a configuration option to allow a null serverFQDN for the GSSAPI SASL mechanism to allow an unbound SASL server connection. Issue:DS-36642 SF#:00637397
Changed Resource IDs produced by the Delegated Admin API so that they no longer contain percent characters from Base64 padding. Issue:DS-37132
Updated the external server monitor entry to include a histogram of response times per operation type. This makes it easier to understand the source of response time outliers in the proxy. Issue:DS-37141
Updated the name of LDAP external server monitor entries to not include product version information, since this can affect integration with JMX monitoring tools. Issue:DS-37175
Added a getRequestProcessors() method to the ProxyServerContext interface within the Server SDK. This can be used to gain access to an EntryBalancingRequestProcessor, and hence the global index. Issue:DS-37169
Updated the keys and values used in the monitoring JMX MBeans to conform with best practices. The keys "type" and "name" are now used in place of "Rdn1" and "Rdn2".
To maintain backwards compatibility with existing monitoring solutions, installations upgrading to this release will retain the old behavior, but they can revert to the default behavior by changing the Global Configuration property jmx-use-legacy-mbean-names to false. Issue:DS-37235
The Notification Delivery Thread will now log unexpected errors rather than throwing them as exceptions. Issue:DS-37292 SF#:00645037
Prevent a notification destination from assuming the master notification delivery role if that server is in lockdown mode or replication hasn't finished initialization. Issue:DS-37362 SF#:00646374
Important upgrade considerations for version 7.0.0.0 of the Directory Proxy Server:
This release introduces significant changes to the way servers in a topology are configured with information about each other. Once a server has been upgraded from a pre-7.0 version to 7.0 or later, reverting to the previous version is not supported. Before beginning the upgrade process, make sure you have read and understood the Administration Guide's chapter "Upgrading the Server".
SCIM 2 error responses, including Config API error responses, now represent the "status" field as a JSON string rather than as a number. Clients written to expect the earlier version format will need to be updated. In particular, clients written using the SCIM 2 SDK for Java should upgrade to version 2.2.0 or higher.
The Administrative Console now uses server information found in the topology registry to populate its server selection control. If the Console is used to manage a legacy server that does not use the topology registry, then the server selection control will not be populated. To manage a different server, the administrator will need to log out of the Console and provide the other server's connection details from the login page.
These features were added for version 7.0.0.0 of the Directory Proxy Server:
Simplified management tasks related to configuring servers in a large cluster topology or in an automated deployment. Most notably, servers can now be added to a cluster while other servers are offline.
Added management features for SSL/TLS certificates. The default certificates used in inter-server replication can be replaced; validation of client certificates for HTTPS-based services like the SCIM REST API can be configured; and you can reload from the trust store for HTTPS client certificates without restarting the server or the HTTP-based services.
Added support for these operating system versions: Ubuntu LTS 16.04, CentOS 7.4, RedHat Linux 7.4, and SUSE Enterprise 12 SP3.
These were known issues at the time of the release of version 7.0.0.0 of the Directory Proxy Server:
Simultaneously cloning multiple PingDirectory Proxy, PingData Sync, and PingDataGovernance Servers from another server of the same type is not currently possible. To create server instances that are identical to a master server, cloning must be performed one at a time.
These issues were resolved with version 7.0.0.0 of the Directory Proxy Server:
Support for the IBM JDK has been retired. Issue:DS-35536
Updated the JMX connection handler's monitor provider so that when a JMX connection is closed, it is removed from the list of established connections. After a JMX client disconnects, it may take the server a few minutes to detect the closure and update the monitor. Issue:DS-35576
The admin backend and the tool used to manage it, dsframework, have been replaced by the topology registry and dsconfig, respectively. The topology registry is automatically mirrored across all servers in the topology, so administrative information is kept in-sync on all servers at all times. Issues:DS-14281,DS-14282,DS-14283,DS-14284,DS-17197,DS-17366,DS-4570
Added a new manage-certificates tool that can be used to perform a number of functions related to TLS certificate management. Issue:DS-17891
Added a new Monitor Entry for SSL Cipher Suite and Protocol information. It is available under cn=SSL Context,cn=monitor. Issue:DS-35601
Added a missing double-quote to bat/transform-ldif.bat, which prevented the command from being invoked successfully on Windows systems. Issue:DS-35648
Updated the PingDirectoryProxy Server to improve performance when detecting that a server has become unavailable, especially when communication is secured with TLS and TLS negotiation is stalled.
Also added a new health-check-connect-timeout configuration property for LDAP external servers. This property can be used to specify a shorter timeout when connecting to a server for the purpose of evaluating the health of the server than when creating a connection that will be used to forward client requests to that server. If a health-check-connect-timeout value is not configured, then the PingDirectoryProxy Server will continue to use the value of the connect-timeout property for health check connections as well as for connections used to process client requests. Issue:DS-35596
Fixed an issue in which the PingDirectoryProxy Server did not set the correct response timeout for forwarded bind operations. If a backend server did not respond to a bind request, the PingDirectoryProxy Server would have waited for up to five minutes before trying another server or returning an error response to the client. Issue:DS-35697
Changed enable-sub-operation-timer on the Global Configuration to be true by default. This exposes operation timing information in the Sub-Operation Timing Monitor and any Operation Timing Access Log Publishers that have been configured. Enabling this tracking has about a 3% impact on operation throughput and latency, which will not be noticeable in most deployments and is an acceptable tradeoff for understanding where operation processing time is spent. However, it can be explicitly set to false to turn this tracking off. Issue:DS-35709
Updated the server to include an instance of the Periodic Stats Logger Plugin that is enabled out-of-the-box to aid in diagnosing support issues. The "Historical Stats Logger" plugin will log performance statistics to logs/monitor-history/historical-dsstats.csv every five minutes. This works in concert with the "Monitor History" plugin, which logs the full contents of cn=monitor to logs/monitor-history every five minutes. The tail of this csv file is automatically included in the output generated by collect-support-data. Issue:DS-35581
Fixed a defect where a web application extension's base context path could be set to "/" with no name. Issue:DS-18204
Added support for multiple client connection policies for sensitive attributes. Support for different sensitive attributes per client requires the use of multiple client connection policies with the same names on the PingDirectory Server and the Proxy Server. When a client request is processed by a Proxy Server, the PingDirectory Server looks for a policy in its own configuration with the same name as the one in the Proxy Server. The PingDirectory Server then uses this policy rather than the one associated with the Proxy Server's connection. Issue:DS-35750
Fixed a defect where configuring a Directory server on a Windows machine with a space in the home directory pathname would cause server setup to fail. Issue:DS-35583
Added the ability to configure data encryption during setup using a randomly generated key, a key generated from a user-supplied passphrase, or a key obtained from an export of another server's encryption settings database. When setting up multiple instances, providing the same encryption passphrase to each instance will ensure that all instances have the same encryption key.
The encryption-settings tool has also been updated to allow creating encryption settings definitions from a passphrase, to allow providing a description when creating a new encryption settings definition, and to record a create timestamp for new definitions. It is now possible to create ciphers that use the Galois/Counter Mode (GCM) cipher mode (for example, using a cipher transformation of "AES/GCM/PKCS5Padding") for authenticated encryption. Definitions created with just a cipher algorithm but no transformation will now use stronger settings.
The default encryption settings export format now provides stronger encryption. Newer server instances should be able to import encryption settings exported from other servers without issue. When exporting encryption settings for import into older servers, use the new --use-legacy-export-format argument. Issues:DS-15223,DS-35895
The create-systemd-script command now suggests placing the script created in "/etc/systemd/system." Issue:DS-35868
Added an ldap-debugger tool that acts as a simple LDAP proxy between a client and a directory server and decodes all requests and responses that pass through it. Issue:DS-17883
Added an encrypt-file tool that can encrypt and decrypt data with a user-supplied passphrase, an encryption settings definition, or a topology key shared among server instances. It includes support for decrypting the content in encrypted backups, LDIF exports, and log files. Issue:DS-36054
Fixed an issue with compressed logging that could leave some data buffered in memory and not actually written out to disk until the logger is closed. Issue:DS-36070 SF#:00628238
Added support for encrypted logging, using a key generated from an encryption settings definition. Encrypted log files may be decrypted with the encrypt-file tool. Issue:DS-6970
Made a number of improvements to backend backup and restore, and to LDIF export and import:
* Added the ability to encrypt backups and LDIF exports with a key generated from a user-supplied passphrase or with a key generated from an encryption settings definition. Previously, encrypted backups and LDIF exports only used a secret key that was known only to servers within the replication topology. The new options make it easier to restore encrypted backups and import encrypted LDIF files in servers outside of the replication topology. The encrypt-file utility can be used to decrypt encrypted backups and LDIF exports, regardless of how the encryption key was obtained.
* Added the ability to limit the rate at which backups and LDIF exports will be written to disk, which can help avoid performance problems that result from these operations saturating the disk subsystem.
* Added new global configuration properties for automatically encrypting backups and LDIF exports by default, which will be set to true if data encryption is enabled during setup.
* Added new global configuration properties that can specify which encryption settings definitions will be used to obtain the encryption keys for automatically encrypted backups and LDIF exports. If not specified, then the server will use its preferred encryption settings definition, or an internal topology key if no encryption settings definitions are available.
* Added a new configuration property for automatically compressing encrypted LDIF exports.
* Updated the backup tool to add new --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments that can be used to specify which key to use for encrypting the backup. Added a new --doNotEncrypt argument that can be used to force a backup to be unencrypted even if automatic encryption is enabled. Added a new --maxMegabytesPerSecond argument that can be used to impose a limit on the rate at which the backup may be written to disk.
* Updated the restore tool to add new --promptForEncryptionPassphrase and --encryptionPassphraseFile arguments that can be used to provide a user-supplied passphrase for use in accessing the contents of an encrypted backup. For backups encrypted with an encryption settings definition or an internal topology key, the server will automatically be able to determine the correct key.
* Updated the export-ldif tool to add new --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments that can be used to specify which key to use for encrypting the export. Added a new --doNotEncrypt argument that can be used to force an LDIF export to be unencrypted even if automatic encryption is enabled. Added a new --maxMegabytesPerSecond argument that can be used to impose a limit on the rate at which the LDIF file may be written to disk.
* Updated the import-ldif tool to add new --promptForEncryptionPassphrase and --encryptionPassphraseFile arguments that can be used to provide a user-supplied passphrase for use in accessing the contents of an encrypted LDIF export. The --isEncrypted and --isCompressed arguments are no longer necessary, as the tool can automatically detect encryption and compression (although those arguments are still available to preserve backward compatibility), and it can automatically identify the correct key for exports encrypted with a key obtained from an encryption settings definition or an internal topology key. Issues:DS-12157,DS-35896 SF#:3628
Updated setup to include key usage, extended key usage, and subject alternative name extensions in the self-signed certificates that it generates. Issues:DS-35727,DS-35728
Updated the entry balancing request processor's handling of add operations within an atomic multi-update extended operation. Now, backend servers are not searched for a pre-existing entry if the parent entry was already found to not exist while processing the multi-update request. This eliminates some redundant searches, which reduces the load on the backend servers. Issue:DS-17176 SF#:00631846
Implemented invocation logging for several server tools, which by default writes to logs/tools/tool-invocation.log when a tool starts and when it finishes. The information recorded includes the tool's start and completion times, the command-line arguments it was invoked with, and the name of the system account used to launch the tool. To modify this behavior, edit the config/tool-invocation-logging.properties file. Issue:DS-4406
Updated tools that interact with log or LDIF files to support reading from input files that are compressed and encrypted and writing to compressed and encrypted output files. Issue:DS-36075
Added support for TLS 1.2 with STARTTLS when connecting to an SMTP server. Issue:DS-36093 SF#:00631871
Added the ability to generate administrative alert notifications when a task starts running, when it completes successfully, or when it fails to complete successfully. Also added the ability to send an email message to a specified set of users when a task starts running or completes successfully, which complements the existing ability to send an email message when a task fails to complete successfully or when it completes with any state, regardless of success or failure. Issue:DS-426
Added a close-connections-when-unavailable property to the LDAP Connection Handler configuration. This allows a connection handler to be closed whenever the server sets an unavailable alert type, such as when backend data is unavailable. This should trigger clients to failover to another server. When the unavailable alert type is cleared, the connection handler is started again. When using this configuration setting, we recommend using two connection handlers: one for client traffic, with this option set to true, and one for administration and monitoring, with this option set to false. This allows the server to be visible to administrators but not to clients. Issue:DS-36025
Provided the means to request that the server dynamically reload the certificate key and trust stores used by all HTTP connection handler instances that provide support for HTTPS. The request can be made using a new reload HTTP connection handler certificates task, the reload-http-connection-handler-certificates tool, or programmatically from a Server SDK extension using the ServerContext#reloadHTTPConnectionHandlerCertificates method. Issue:DS-35990 SF#:00629638
Fixed an issue where a configuration change to enable a Delegated Administrator could be incorrectly rejected after a configuration change to the parent Delegated Admin Resource Type. Issue:DS-36377
The update tool now enforces specification of a new product license when updating to a new major version. The license can be specified using the --licenseKeyFile command-line option, or by copying the license file to the top-level directory of the server package used to perform the update. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html, or contact sales@pingidentity.com. Issue:DS-35523
In addition to specifying an exact set of desired cipher suites for the LDAP and HTTP Connection Handlers, administrators can now specify inclusions to, or exclusions from, the set of cipher suites selected by the server. Issue:DS-36088
Added support for recurring tasks, which can be used to automatically invoke certain kinds of administrative tasks based on a specified schedule.
At present, only certain kinds of tasks can be scheduled as recurring tasks. This includes both backups and LDIF exports, each of which provides retention support to limit the amount of disk space that the backups and LDIF files consume. It also includes support for any kind of task in which each instance of the task should use exactly the same values for all of the task-specific attributes. The Server SDK also provides an API for creating custom third-party recurring task implementations. Issue:DS-426
Updated the proxy server to discard a connection whenever an operation times out rather than reusing it. A new connection is then established. This avoids a cascading error condition when a network problem allows traffic from the proxy server to the directory server but not the reverse. Issue:DS-36455
Updated the server to reduce contention when converting between strings and the bytes that comprise those strings. Issue:DS-36328 SF#:626850
Added a sanitize option to the Monitor History Plugin that, if enabled, will redact the small amount of potentially personally identifiable information that could appear in search filters and LDAP DNs within the monitor. This makes it easier to share the monitor history files with the support team in secure environments. Issue:DS-36545
Updated the PingDirectoryProxy Server so that if it encounters a problem while trying to follow a referral on behalf of the client (for example, if it can't establish a connection to the server indicated in the referral), it will include additional information about the failure in the access log message for that operation. Issue:DS-36315
Increased the default size of the queue used to hold alert notifications so they can be asynchronously processed by a background thread. This makes it less likely that the queue will become full if many alerts are generated in a short period of time, which would cause subsequent attempts to generate alerts to block while the server catches up. Also updated the server to log a message when the queue becomes full so that administrators will be aware of the problem and will have suggestions for addressing it. Issue:DS-36360 SF#:635134
Improved the server's handling of DNs and RDNs that contain characters whose UTF-8 encodings require more than two bytes. Issue:DS-36230
Updated the dsconfig list subcommands to list objects of all complexity levels rather than requiring the --advanced flag to list advanced and expert objects. Issue:DS-16508
These issues were resolved with version 6.2.0.0 of the Directory Proxy Server:
Added a disabled-alert-type configuration property to the Alert Backend that can be used to suppress specific alert types from being added to the backend. Issue:DS-16906 SF#:3556
The SNMP context name for the server can now be configured using the new context-name property of the SNMP Subagent Plugin. The server instance name remains the default context name when this property is not set. Issue:DS-16405
Updated support for the UNBOUNDID-MS-CHAP-V2 SASL mechanism to make it easier for an intermediate application to support delegating MS-CHAPv2 authentication to the PingDirectory Server. This includes:
- The client SDK has been updated to make it easier to issue separate bind requests for each phase of the two-step authentication process. Previously, the API only exposed a single bind request that would perform both stages of the process.
- A new "proxied MS-CHAPv2 details" request control has been provided, which can be used to allow an intermediate application acting as an MS-CHAPv2 server to generate its own server challenge rather than obtaining one from the PingDirectory Server.
- The client SDK has been updated to improve the javadoc documentation. A number of examples are included to demonstrate the process of using the SDK to authenticate with the UNBOUNDID-MS-CHAP-V2 mechanism. The README file has also been updated with instructions for enabling server-side support for the UNBOUNDID-MS-CHAP-V2 mechanism. Issue:DS-17002
Fixed an issue that could impede the timely replication of subtree-delete requests contained in a transaction. Issue:DS-17008 SF#:3644
The server now requires Java version 8. Issue:DS-17019
Fixed a couple of cases in which groups with missing members were not returned by filtered SCIM searches. Issue:DS-17078 SF#:00003677,00003683
Updated the logic used to select which TLS cipher suites should be enabled by default, and the logic used to prioritize those cipher suites. The selection process has been updated to use the guidelines provided in the OWASP "Transport Layer Protection Cheat Sheet" document.
Some of the changes include:
- The server already preferred cipher suites that support forward secrecy over those that don't. It now prefers DHE over ECDHE, and avoids suites that use non-RSA keys.
- The server already avoided cipher suites with known cryptographic weaknesses, including null encryption, the RC4 symmetric cipher, and the MD5 digest algorithm. It now also avoids anonymous encryption, the single-DES symmetric cipher, the IDEA symmetric cipher, and any suite using export-level encryption.
- The server now prefers cipher suites that use the Galois/Counter Mode (GCM) over the Cipher Block Chaining (CBC) mode.
- The server now prefers AES-based cipher suites with 256-bit keys over those that use 128-bit keys. For suites with equivalent key sizes, it prefers suites with a stronger message digest algorithm over suites with a weaker digest algorithm (e.g., SHA384 over SHA256 over SHA).
- The server now provides better support for selecting and prioritizing cipher suites when running on the IBM JVM. The IBM JVM names its cipher suites somewhat differently from the Oracle implementation, which previously caused certain desirable suites to be omitted from the selected set. Issue:DS-17146
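The selection rules listed above, applied to a constructed list of JSSE-style cipher suite names. This is an added example written for these notes, not Ping Identity's selection code: the "avoids" rules are treated as hard exclusions, the "prefers" rules as ordering, and the tie-breaking order (forward secrecy first, then GCM over CBC, then key size, then digest strength) is an assumption that follows the order in which the note lists the rules. The DHE-over-ECDHE preference is taken from the note as written.

```python
"""Apply the cipher suite selection rules from the release note above to
JSSE-style suite names.  Added example; not Ping Identity code.  The
tie-breaking order (forward secrecy, then mode, then key size, then digest)
is an assumption that follows the order in which the note lists the rules."""
import re

# Markers of suites the note says are avoided outright.
_REJECT_MARKERS = ("NULL", "RC4", "MD5", "ANON", "_DES_", "IDEA", "EXPORT")

_FS_RANK = {"DHE": 2, "ECDHE": 1}     # note: DHE over ECDHE, both over no forward secrecy
_MODE_RANK = {"GCM": 1, "CBC": 0}
_DIGEST_RANK = {"SHA384": 3, "SHA256": 2, "SHA": 1}


def parse_suite(name):
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 into its components.

    Returns None when the name does not follow the <proto>_<kx>_WITH_<cipher>
    pattern used by JSSE."""
    match = re.fullmatch(r"(?:TLS|SSL)_(.+?)_WITH_(.+)", name)
    if not match:
        return None
    kx_tokens = match.group(1).split("_")
    cipher_tokens = match.group(2).split("_")
    return {
        "kx": kx_tokens[0],            # DHE, ECDHE, RSA, DH, ECDH, ...
        "auth": kx_tokens[-1],         # RSA, ECDSA, DSS, anon (RSA when only one token)
        "cipher": cipher_tokens[0],    # AES, 3DES, RC4, NULL, ...
        "bits": next((int(t) for t in cipher_tokens if t.isdigit()), 0),
        "mode": next((t for t in cipher_tokens if t in _MODE_RANK), ""),
        "digest": cipher_tokens[-1],   # SHA384, SHA256, SHA, MD5
    }


def is_acceptable(name):
    """The 'avoids' rules: weak primitives, anonymous/export suites, non-RSA keys."""
    if any(marker in name.upper() for marker in _REJECT_MARKERS):
        return False
    parts = parse_suite(name)
    return parts is not None and parts["auth"] == "RSA"


def priority(name):
    """Sort key implementing the 'prefers' rules; larger tuples rank higher."""
    p = parse_suite(name)
    return (_FS_RANK.get(p["kx"], 0), _MODE_RANK.get(p["mode"], -1),
            p["bits"], _DIGEST_RANK.get(p["digest"], 0))


def select_and_order(candidates):
    """Drop avoided suites and order the rest from most to least preferred."""
    accepted = [s for s in candidates if is_acceptable(s)]
    return sorted(accepted, key=priority, reverse=True)


# Constructed sample: the kind of list a JVM reports as its supported suites.
CANDIDATES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",   # non-RSA key
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_RC4_128_MD5",                  # RC4 and MD5
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",          # anonymous
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",         # export grade
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_NULL_SHA256",                  # null encryption
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",       # non-RSA key
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for suite in select_and_order(CANDIDATES):
        print(suite)
```

Running the block prints the six accepted suites in preference order, with the DHE GCM/SHA384 suite first and the plain RSA CBC/SHA suite last; the six rejected names never appear.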
Fixed an issue where incorrect names were displayed in the usage for the start scripts. Issue:DS-16593
Removed the default root password from the out-of-the-box configuration. This password was never actually used because it was replaced by the user-supplied password provided when running setup, and it has been removed for additional security. Issue:DS-17318
Updated the installer to discourage the use of weak root passwords.
When run in interactive mode, setup will display a list of password quality recommendations before prompting for the initial root password, suggesting that it should be at least 12 characters long, should not be contained in a dictionary of English words, and should not be contained in a dictionary of commonly-used passwords. If the proposed password does not meet these constraints, then the user will be given the option of proceeding with the provided weak password or choosing a different password.
When run in non-interactive mode, setup will exit with an error if the proposed initial root password does not satisfy the above constraints, unless the command line also includes the --allowWeakRootUserPassword argument.
In either mode, when a strong initial root password is supplied, setup will also configure the root users' password policy to ensure that subsequent root user passwords will also be required to satisfy these constraints. Issue:DS-2074
Updated the access and audit loggers so that, when logging information about an internal operation that was triggered by an external client request, the log message will include the connection and operation ID for that request. Also updated the error logger so that when logging a message from a thread that is actively processing an operation, the log message will include the connection and operation ID for that operation. Issue:DS-16509 SF#:3536
Replaced the ldapsearch and ldapmodify tools with new versions. The new versions are backward-compatible, but offer a number of new features, including better connection handling, better output formatting, better support for bulk operations, support for referrals, support for additional request and response controls, and rate limiting. The ldapsearch tool now offers the ability to output results in JSON, CSV, or tab-delimited text as an alternative to LDIF, and provides support for a number of data transformations. The ldapmodify tool now supports the LDIF control syntax, as well as writing to output and reject files. Issues:DS-15861,DS-15862
Improved error reporting for the manage-extensions tool. Issue:DS-17080
The modifierName and modifyTimestamp attributes are now updated when offline configuration changes are made. Issue:DS-16858
Corrected the port number returned in the error message that is displayed when an administrator is trying to set up a server that is already running. Issue:DS-13721
The server now monitors important certificates used for client and inter-server communication. Certificate information is available in the Administrative Console and in the status tool output. An alarm is raised and alerts are sent when a monitored certificate is 30 days from expiration. Issue:DS-1029
Improved support for password modify extended requests processed through the PingDirectoryProxy Server. Those operations will now be processed more reliably and the results will be more consistent with the results obtained from sending the requests directly to a PingDirectory Server instance. Issue:DS-15871 SF#:3190,610530
Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK. Issue:DS-17606
The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root. Issue:DS-17544
Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file. Issue:DS-811
Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.
Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed. Issue:DS-16361 SF#:00003514
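To make the hex-encoding problem concrete, the following added example (written for these notes, not PingDirectory's DN implementation) normalizes DNs per RFC 4514 so that an RDN value given as a "#hex" BER encoding compares equal to the same value in string form, and rejects malformed encodings instead of accepting them. It lower-cases attribute types and sorts the components of multi-valued RDNs, but does not fold value case; matching-rule aware folding (for example caseIgnoreMatch for cn) is outside its scope.

```python
"""Normalize LDAP DNs so that hex-encoded ("#...") and string-form RDN values
compare equal, per RFC 4514.  Added example illustrating the problem described
above; it is not PingDirectory's DN implementation."""
import re

_SPECIAL = set(',+"\\<>;=')


def _split_unescaped(text, sep):
    """Split on sep, skipping separators that are escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])        # keep escape pairs intact
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts


def _ber_content(hexstr):
    """Decode a '#hex' value: hex -> BER TLV -> content octets.  Raises
    ValueError on bad hex, truncated or trailing bytes, so a malformed
    encoding is rejected rather than silently accepted."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hexstr):
        raise ValueError("invalid hex-encoded RDN value: #%s" % hexstr)
    data = bytes.fromhex(hexstr)
    if len(data) < 2:
        raise ValueError("BER value too short")
    pos, length = 2, data[1]                 # tag octet, then first length octet
    if length >= 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad BER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length != len(data):
        raise ValueError("BER length does not match value")
    return data[pos:]


def decode_value(raw):
    """Return the octets of an RDN attribute value given in string or #hex form."""
    if raw.startswith("#"):
        return _ber_content(raw[1:])
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out.extend(raw[i].encode("utf-8"))
            i += 1
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))   # \XX hex pair
            i += 3
        elif i + 1 < len(raw):
            out.extend(raw[i + 1].encode("utf-8"))  # \, \+ \\ and similar
            i += 2
        else:
            raise ValueError("trailing backslash in %r" % raw)
    return bytes(out)


def _escape(value):
    """Re-escape decoded octets into RFC 4514 string form."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return "".join("\\%02x" % b for b in value)
    out = []
    for idx, ch in enumerate(text):
        if ch in _SPECIAL or (idx == 0 and ch == "#") or (ch == " " and idx in (0, len(text) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _trim(raw):
    """Strip spaces around a value without eating an escaped trailing space."""
    raw = raw.lstrip(" ")
    while raw.endswith(" ") and not raw.endswith("\\ "):
        raw = raw[:-1]
    return raw


def normalize_dn(dn):
    """Canonical form: lower-cased types, decoded and re-escaped values,
    components of a multi-valued RDN sorted.  Value case is not folded."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, sep, raw = ava.partition("=")
            if not sep:
                raise ValueError("RDN component without '=': %r" % ava)
            avas.append(attr_type.strip().lower() + "=" + _escape(decode_value(_trim(raw))))
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def dns_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)


def is_well_formed(dn):
    try:
        normalize_dn(dn)
        return True
    except ValueError:
        return False
```

With this, "cn=#0403666f6f,dc=example,dc=com" (BER OCTET STRING "foo") and "CN=foo, DC=example, DC=com" normalize to the same string, while a value whose BER length does not match its content, such as "#040566", is reported as malformed.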
Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.
Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear. Issue:DS-10694
Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the PingDirectory Server (for cases in which each server contains a complete copy of the data) or the PingDirectoryProxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing). Issue:DS-12520
Addressed an issue where LDAP throughput and response time data were not available for tracked applications configured in the Directory Proxy Server. The problem occurred when the applications were identified by user entries stored in a PingDirectory Server that was referenced by a proxying request processor where a value of 'true' was configured for the assign-client-connection-policy-from-backend-server setting. Issue:DS-17716 SF#:610880
The Administrative Console is no longer compatible with older versions of the server. Issue:DS-17241
Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:
- When hashing or signing a backup.
- When signing an LDIF export.
- When signing log data.
- When generating MACs for an encrypted collect-support-data archive.
- When generating unique identifiers for encryption settings definitions.
- When determining whether the configuration changed with the server offline.
In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.
Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.
Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest. Issue:DS-17444
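The compatibility mechanism described above, as an added example: the MAC algorithm name travels with the signed output, and is itself covered by the MAC, so a verifier chooses the algorithm from that metadata instead of assuming SHA-1. The header layout, the HMAC construction and the sample payload are all constructed for this illustration; the server's actual backup, LDIF and log signature formats are not shown on this page.

```python
"""Self-describing signed output: the digest/MAC algorithm name is carried in
the output and is itself covered by the MAC, so a verifier selects the
algorithm from the metadata rather than assuming SHA-1.  Added example; the
server's real backup/LDIF signature formats are not shown on this page."""
import hashlib
import hmac

SUPPORTED = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
DEFAULT_ALGORITHM = "sha256"          # the new default described above


def _mac(key, algorithm, data):
    # The algorithm label is part of the MAC input, so it cannot be swapped
    # for a different label without the MAC failing.
    msg = algorithm.encode("ascii") + b"\n" + data
    return hmac.new(key, msg, SUPPORTED[algorithm]).hexdigest()


def sign(data, key, algorithm=DEFAULT_ALGORITHM):
    """Prefix data with a 'mac-algorithm=...;mac=...' header line."""
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported algorithm %r" % algorithm)
    header = "mac-algorithm=%s;mac=%s\n" % (algorithm, _mac(key, algorithm, data))
    return header.encode("ascii") + data


def verify(blob, key, allowed=frozenset(SUPPORTED)):
    """Check the MAC using the algorithm named in the header; return the data.
    A deployment that no longer wants to accept SHA-1 passes allowed={'sha256'}."""
    header, sep, data = blob.partition(b"\n")
    if not sep:
        raise ValueError("missing header line")
    fields = dict(item.split("=", 1) for item in header.decode("ascii").split(";"))
    algorithm = fields.get("mac-algorithm")
    if algorithm not in SUPPORTED or algorithm not in allowed:
        raise ValueError("MAC algorithm %r not accepted" % algorithm)
    if not hmac.compare_digest(_mac(key, algorithm, data), fields.get("mac", "")):
        raise ValueError("MAC mismatch: content was modified or wrong key")
    return data


def is_authentic(blob, key, allowed=frozenset(SUPPORTED)):
    """Boolean form of verify() for callers that only need accept/reject."""
    try:
        verify(blob, key, allowed)
        return True
    except ValueError:
        return False


# Constructed sample payload standing in for an LDIF export, and a placeholder
# key (not a real topology key or encryption settings definition).
SAMPLE = b"dn: dc=example,dc=com\nobjectClass: domain\ndc: example\n"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print(sign(SAMPLE, KEY).split(b"\n", 1)[0].decode())
    print(is_authentic(sign(SAMPLE, KEY, "sha1"), KEY))
```

A verifier built with this format accepts output signed with either algorithm, as the note says older servers do for SHA-2 signed exports, and an operator who wants to retire SHA-1 restricts the accepted set rather than changing the file format.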
Fixed an issue that could prevent an entry-balanced Directory Proxy Server from returning a get password policy state issues response control in response to a failed bind attempt. Also, updated the access logger to include additional details in FORWARD-FAILED messages, including matched DN, referral URLs, and response controls. Issue:DS-17880
The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product. Issue:DS-16789
Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information. Issue:DS-17576
The Globally-Unique Attribute Plugin has a new multiple-attribute behavior option named "unique-in-combination." When selected, this option ensures the uniqueness of combinations of values for the configured attributes. For example, if no two users may have the same value for both givenName and sn, but users may have the same givenName or the same sn, use unique-in-combination. Issue:DS-11217
Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:
- Whether the password update is a self change or an administrative reset
- Whether to accept or reject pre-encoded passwords
- Whether to perform or skip password quality validation for the new password
- Whether to check to see if the new password matches the current password or any password in the user's history
- Whether to enforce or ignore the minimum password age constraint
- Which password storage scheme to use when encoding the new password
- Whether the user must be required to choose a new password before being permitted to request any other operations Issue:DS-18018
Limited the ACI search in the collect-support-data tool to pull at most 100 entries. This reduces the time the tool takes to run for organizations with a large number of ACIs. Issue:DS-17968
Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler. Issue:DS-10748 SF#:00003622,614777
Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses. Issue:DS-14650
Addressed an issue in the Server SDK where internal searches performed by extensions could fail in entry balanced environments. An internal search listener was not properly synchronized and could become corrupted when accessed by multiple threads when doing a broadcast search. Issue:DS-18185 SF#:622103
Updated PingDirectory, PingDirectoryProxy, PingDataSync, and PingDataGovernance with the capability to run as Windows Services. Issue:DS-4161
Updated the Admin Alerts Health Check to tolerate an incorrect LDAP result code returned by Active Directory when testing for the existence of cn=alerts. With this change, having use-for-all-servers=true configured on the Admin Alerts Health Check will no longer cause Active Directory servers to be flagged as UNAVAILABLE. Issue:DS-17463
The round-robin load-balancing algorithm has been deprecated. Use the fewest-operations load-balancing algorithm instead, since it uses a pool of servers more efficiently than simple round-robin. Issue:DS-18142
Added support for the X-Forwarded-Prefix header to override the context path of operations processed by HTTP Servlet Extensions. Issue:DS-18016
Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.
Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.
The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the PingDirectoryProxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).
The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that may exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced. Issue:DS-17243
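The conflict-detection semantics described above for the uniqueness request control, and the unique-in-combination behavior of the Globally-Unique Attribute Plugin noted earlier, as an added example over constructed in-memory entries. This is illustration code written for these notes, not the server's implementation: the three multiple-attribute behaviors are modelled as a pre-commit check, a base DN narrows the scope, and a Python predicate stands in for the control's search filter. Behavior names and the entry data are constructed.

```python
"""Pre-commit uniqueness check modelling the three multiple-attribute
behaviours described above (separately per attribute, across all attributes,
unique in combination), with an optional base DN scope and a predicate that
stands in for the control's search filter.  Added example over constructed
in-memory entries; not the server's implementation."""
import itertools

UNIQUE_WITHIN_EACH_ATTRIBUTE = "unique-within-each-attribute"
UNIQUE_ACROSS_ALL_ATTRIBUTES = "unique-across-all-attributes"
UNIQUE_IN_COMBINATION = "unique-in-combination"


def _values(entry, attr):
    # Case-insensitive comparison, as for caseIgnore-matched attributes.
    return {v.lower() for v in entry.get(attr, ())}


def _under(dn, base_dn):
    """True when dn is base_dn or lies beneath it (simple string test)."""
    if base_dn is None:
        return True
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def _conflicts_with(candidate, entry, attrs, behavior):
    if behavior == UNIQUE_WITHIN_EACH_ATTRIBUTE:
        # A value may not repeat in the same attribute of another entry.
        return any(_values(candidate, a) & _values(entry, a) for a in attrs)
    if behavior == UNIQUE_ACROSS_ALL_ATTRIBUTES:
        # A value may not appear in any of the listed attributes of another entry.
        cand = set().union(*(_values(candidate, a) for a in attrs))
        other = set().union(*(_values(entry, a) for a in attrs))
        return bool(cand & other)
    if behavior == UNIQUE_IN_COMBINATION:
        # Only the tuple of values across all listed attributes must be unique.
        cand = set(itertools.product(*(sorted(_values(candidate, a)) for a in attrs)))
        other = set(itertools.product(*(sorted(_values(entry, a)) for a in attrs)))
        return bool(cand & other)
    raise ValueError("unknown multiple-attribute behavior %r" % behavior)


def find_conflicts(entries, candidate_dn, candidate, attrs, behavior,
                   base_dn=None, predicate=None):
    """DNs of existing entries that would conflict if candidate were committed.
    An empty list means the request may proceed (pre-commit validation)."""
    hits = []
    for dn, entry in entries.items():
        if dn.lower() == candidate_dn.lower():
            continue                      # an entry never conflicts with itself
        if not _under(dn, base_dn):
            continue
        if predicate is not None and not predicate(entry):
            continue
        if _conflicts_with(candidate, entry, attrs, behavior):
            hits.append(dn)
    return hits


# Constructed sample directory content.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["alice@example.com"], "givenName": ["Alice"], "sn": ["Smith"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "mail": ["bob@example.com"], "givenName": ["Bob"], "sn": ["Smith"]},
    "uid=carol,ou=contractors,dc=example,dc=com": {
        "uid": ["carol"], "mail": ["carol@example.com"], "givenName": ["Alice"], "sn": ["Jones"]},
}

# Candidate add requests (constructed).
DAVE_DN = "uid=dave,ou=people,dc=example,dc=com"
DAVE = {"uid": ["dave"], "mail": ["dave@example.com"], "givenName": ["Alice"], "sn": ["Smith"]}
ERIN_DN = "uid=erin,ou=people,dc=example,dc=com"
ERIN = {"uid": ["Alice@Example.com"], "mail": ["erin@example.com"]}

if __name__ == "__main__":
    print(find_conflicts(ENTRIES, DAVE_DN, DAVE, ["givenName", "sn"], UNIQUE_IN_COMBINATION))
    print(find_conflicts(ENTRIES, ERIN_DN, ERIN, ["uid", "mail"], UNIQUE_ACROSS_ALL_ATTRIBUTES))
```

Adding "Alice Smith" conflicts only with the existing Alice Smith under unique-in-combination, but with all three entries under the per-attribute behavior (shared givenName or shared sn), and with only the two entries under ou=people once a base DN narrows the scope. Erin's uid equal to Alice's mail address is caught only by the across-all-attributes behavior.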
Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes. Issue:DS-35495
A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html or contact sales@pingidentity.com. Issue:DS-18100
Removed the ability to create custom HTTP trace loggers using the Server SDK. Issue:DS-18188
Improved support for password modify extended requests processed through the PingDirectoryProxy Server. Those operations will now be processed more reliably and the results will be more consistent with the results obtained from sending the requests directly to a PingDirectory Server instance. Issue:DS-15871 SF#:3190,610530
Fixed an issue in the fingerprint, subject attribute to user attribute, and subject DN to user attribute certificate mappers. When configured for use in processing SASL EXTERNAL bind requests, these certificate mappers would return the target user entry without any operational attributes. This could cause the server to behave incorrectly for any user-specific functionality that depends on operational attributes to function properly. This problem did not affect the subject equals DN certificate mapper, nor any custom certificate mapper implemented with the Server SDK. Issue:DS-17606
The Administrative Console can be deployed in an external web container, such as Tomcat, using the contents of resource/admin-console.zip, located in the server root. Issue:DS-17544
Added an optional reason parameter for dsconfig changes that will be automatically included in the server's config-audit.log file. Issue:DS-811
Updated the server to fix a problem with the way that DNs containing hex-encoded RDN values are treated, which could cause the server to accept certain incorrectly encoded DNs, to incorrectly store DNs provided with hex encoding, and to fail to identify the correct DN when using a non-hex-encoded DN to reference a DN that was stored with a hex-encoded representation or when using a hex-encoded DN to reference a DN that was stored with a non-hex-encoded representation.
Using hexadecimal encoding in DNs is very rare in practice, so this should have no effect on most deployments. However, any deployments that contain entries stored with hex-encoded DNs, whether used in the DN of the entry or as a value for an indexed attribute with a DN syntax, may need to export that data before performing an update and re-import that data after the update has completed. Issue:DS-16361 SF#:00003514
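To make the hex-encoding problem concrete, here is an added DN normaliser (my own example, not server code) that decodes both the RFC 4514 "#hex" BER form and backslash-escaped string values into one canonical form, so a DN written either way references the same entry, and that rejects a "#hex" value whose BER length does not match its content. It assumes single-valued RDNs, primitive string BER tags, and exact (not matching-rule-aware) value comparison.

```python
import binascii

# Characters that may appear after a backslash as a simple escape (RFC 4514 section 2.4).
_SPECIALS = set(' "#+,;<=>\\')
_HEX = set("0123456789abcdefABCDEF")
# BER tags accepted for string-valued RDNs (assumption: OCTET STRING, UTF8String,
# PrintableString, IA5String cover the values seen in practice).
_STRING_TAGS = {0x04, 0x0C, 0x13, 0x16}


def _decode_ber_hex(hexstr):
    """Decode the hex pairs following '#' (a BER TLV) into the string it encodes."""
    raw = binascii.unhexlify(hexstr)
    if len(raw) < 2:
        raise ValueError("hex-encoded RDN value too short to be a BER TLV")
    tag, length = raw[0], raw[1]
    if length & 0x80:                       # long-form length: 0x8n followed by n bytes
        n = length & 0x7F
        length = int.from_bytes(raw[2:2 + n], "big")
        body = raw[2 + n:]
    else:
        body = raw[2:]
    if tag not in _STRING_TAGS:
        raise ValueError("unsupported BER tag 0x%02x in hex-encoded RDN value" % tag)
    if len(body) != length:
        # This is the "incorrectly encoded DN" case: reject instead of storing it.
        raise ValueError("BER length %d does not match %d content bytes" % (length, len(body)))
    return body.decode("utf-8")


def _unescape_string_value(value):
    """Resolve \\XX hex escapes and \\c special-character escapes in a string value."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c != "\\":
            out += c.encode("utf-8")
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(h in _HEX for h in pair):
            out.append(int(pair, 16))       # \XX: one raw byte
            i += 3
        elif i + 1 < len(value) and value[i + 1] in _SPECIALS:
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("invalid escape sequence in RDN value")
    return out.decode("utf-8")


def _split_unescaped(s, sep):
    """Split on sep, skipping separators that are escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Return [(attribute-type, decoded value), ...] with hex and escaped forms unified."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        value = value.strip()
        decoded = _decode_ber_hex(value[1:]) if value.startswith("#") else _unescape_string_value(value)
        rdns.append((attr.strip().lower(), decoded))
    return rdns


def dns_equal(a, b):
    """True when both DNs reference the same entry after normalisation."""
    return normalize_dn(a) == normalize_dn(b)


def is_well_formed_dn(dn):
    """False for DNs the normaliser rejects (e.g. a bad BER length in a '#hex' value)."""
    try:
        normalize_dn(dn)
        return True
    except ValueError:
        return False
```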
Updated the Server SDK to provide methods for obtaining a single LDAP connection or an LDAP connection pool with connections established to a specified LDAP external server defined in the server configuration.
Also updated the server configuration to add support for obscured values. An obscured value is a general-purpose string that is stored in an obscured form in the configuration so that its plaintext value is not readily discernible to anyone looking at the configuration file and so that the value is not displayed in administrative interfaces. The Server SDK provides a method for obtaining the plaintext representation of an obscured value, and this mechanism can be used to store potentially sensitive values in the configuration for use in Server SDK extensions without the need to store those values in the clear. Issue:DS-10694
Updated the Server SDK to include an example plugin that enforces that values of a specified JSON field are unique across entries or across multiple values within the same entry. The plugin can be used in either the PingDirectory Server (for cases in which each server contains a complete copy of the data) or the PingDirectoryProxy Server (for cases in which the data is spread across multiple servers, like when using entry balancing). Issue:DS-12520
Addressed an issue where LDAP throughput and response time data were not available for tracked applications configured in the Directory Proxy Server. The problem occurred when the applications were identified by user entries stored in a PingDirectory Server that was referenced by a proxying request processor where a value of 'true' was configured for the assign-client-connection-policy-from-backend-server setting. Issue:DS-17716 SF#:610880
The Administrative Console is no longer compatible with older versions of the server. Issue:DS-17241
Updated the server to reduce the use of the SHA-1 message digest. The server will now use a 256-bit SHA-2 digest instead of a SHA-1 digest in all of the following cases:
- When hashing or signing a backup.
- When signing an LDIF export.
- When signing log data.
- When generating MACs for an encrypted collect-support-data archive.
- When generating unique identifiers for encryption settings definitions.
- When determining whether the configuration changed with the server offline.
In all of the above cases, the server includes metadata in the output of the cryptographic processing to indicate the digest or MAC algorithm used for that processing, which ensures that the output remains compatible across server versions. For example, an LDIF export that uses a signature generated with the SHA-2 digest can be successfully imported into older versions of the server.
Also, the fingerprint certificate mapper has been updated so that it can use the 256-bit SHA-2 digest when mapping a client certificate to the corresponding user entry. The previous MD5 and SHA-1 digests remain supported.
Finally, the example enhanced password storage scheme provided with the UnboundID Server SDK has been updated so that it uses the 256-bit SHA-2 digest instead of a SHA-1 digest. Issue:DS-17444
Fixed an issue that could prevent an entry-balanced Directory Proxy Server from returning a get password policy state issues response control in response to a failed bind attempt. Also, updated the access logger to include additional details in FORWARD-FAILED messages, including matched DN, referral URLs, and response controls. Issue:DS-17880
The script files used to stop and start the server have been renamed stop-server and start-server. The older scripts are still present but may be removed in a future release of the product. Issue:DS-16789
Updated the Server SDK's ServerContext to expose a ValueConstructor, which can be used to build String values using a value-pattern template that references attribute values within an Entry. See the Javadoc for the ValueConstructor class with the Server SDK packaging for more information. Issue:DS-17576
The Globally-Unique Attribute Plugin has a new multiple-attribute behavior option named "unique-in-combination." When selected, this option ensures the uniqueness of combinations of values for the configured attributes. For example, if no two users may have the same value for both givenName and sn, but users may have the same givenName or the same sn, use unique-in-combination. Issue:DS-11217
Added support for the password update behavior request control, which allows requesters with the password-reset privilege to override certain behaviors that the server would normally exhibit when setting a user's password. The control can be included in an add request, modify request, or password modify extended request and can be used to override the server's normal behavior for any or all of the following:
- Whether the password update is a self change or an administrative reset
- Whether to accept or reject pre-encoded passwords
- Whether to perform or skip password quality validation for the new password
- Whether to check to see if the new password matches the current password or any password in the user's history
- Whether to enforce or ignore the minimum password age constraint
- Which password storage scheme to use when encoding the new password
- Whether the user must be required to choose a new password before being permitted to request any other operations Issue:DS-18018
Limited the ACI search in the collect-support-data tool to pull only 100 entries. This will reduce the time the tool takes to run for organizations with a large number of ACIs. Issue:DS-17968
Added configuration options for setting the SSL Protocol and/or the SSL Cipher Suites to the HTTPS Connection Handler. Issue:DS-10748 SF#:00003622,614777
Enhanced the HTTPS Connection Handler to send an HTTP Strict Transport Security header by default in all responses. Issue:DS-14650
Addressed an issue in the Server SDK where internal searches performed by extensions could fail in entry balanced environments. An internal search listener was not properly synchronized and could become corrupted when accessed by multiple threads when doing a broadcast search. Issue:DS-18185 SF#:622103
Updated PingDirectory, PingDirectoryProxy, PingDataSync, and PingDataGovernance with the capability to run as Windows Services. Issue:DS-4161
Updated the Admin Alerts Health Check to tolerate an incorrect LDAP result code returned by Active Directory when testing for the existence of cn=alerts. With this change, having use-for-all-servers=true configured on the Admin Alerts Health Check will no longer cause Active Directory servers to be flagged as UNAVAILABLE. Issue:DS-17463
The round-robin load-balancing algorithm has been deprecated. The fewest-operations load-balancing algorithm should be used instead, since it utilizes a pool of servers more efficiently than a simple round-robin algorithm. Issue:DS-18142
Added support for the X-Forwarded-Prefix header to override the context path of operations processed by Http Servlet Extensions. Issue:DS-18016
Added support for a uniqueness request control, which can be included in an add, modify, or modify DN request to indicate that the server should attempt to identify any conflicts that the requested operation might introduce with one or more other entries that exist within the directory topology.
Criteria for identifying conflicts can be specified with one or more attribute types, with a search filter, or both. If the uniqueness criteria includes multiple attribute types, then a multiple attribute behavior can be used to indicate whether to enforce uniqueness separately for each attribute type, to prevent conflicts across any of the specified attribute types, or to ensure that each entry has a unique combination of the values of those attributes.
The server can perform pre-commit validation, in which case it will reject the request without applying any changes if it detects that it would have introduced a conflict, and it can also perform post-commit validation, where it can detect conflicts that may have arisen after changes were applied (for example, because of another change being processed at the same time on a different server). When attached to a request sent through the PingDirectoryProxy Server, the uniqueness request control may include pre-commit and post-commit validation levels to indicate how thoroughly it should work to identify conflicts (for example, to perform the search in a single backend server, in at least one server in each backend set, or in all available backend servers).
The control can also include a base DN that can be used to narrow the scope of conflict detection (for example, to ensure that there will not be any conflicts within one particular branch, while ignoring conflicts with entries that may exist elsewhere in the DIT), and it can detect or ignore conflicts with soft-deleted entries. Multiple uniqueness controls can be included in the same request if multiple uniqueness constraints should be enforced. Issue:DS-17243
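The three multiple-attribute behaviors described for the uniqueness request control here, and for the Globally-Unique Attribute Plugin's unique-in-combination option above, differ only in how per-attribute matches are combined. The following added example (my own code, not the server's) shows the three modes over a constructed set of entries, together with the base-DN scoping and soft-deleted-entry handling the control supports. The behavior names other than unique-in-combination, the softDeleted marker, and case-insensitive value comparison are assumptions for the example.

```python
# Constructed sample entries for the example (not from the release notes).
EXISTING_ENTRIES = [
    {"dn": "uid=1,ou=People,dc=example,dc=com",
     "givenName": ["Alice"], "sn": ["Smith"],
     "mail": ["alice@example.com"], "otherMailbox": ["alice.smith@example.com"]},
    {"dn": "uid=2,ou=People,dc=example,dc=com",
     "givenName": ["Bob"], "sn": ["Jones"], "mail": ["bob@example.com"]},
    {"dn": "uid=3,ou=Contractors,dc=example,dc=com",
     "givenName": ["Alice"], "sn": ["Jones"], "mail": ["ajones@example.com"]},
    {"dn": "uid=4,ou=People,dc=example,dc=com", "softDeleted": True,   # hypothetical marker
     "givenName": ["Carol"], "sn": ["Jones"], "mail": ["carol@example.com"]},
]

# Only "unique-in-combination" is a name from the release notes; the other two are
# descriptive names chosen for this example.
BEHAVIORS = ("unique-within-each-attribute", "unique-across-all-attributes",
             "unique-in-combination")


def _values(entry, attr):
    # Compare case-insensitively, as for a caseIgnoreMatch attribute (assumption).
    return {v.lower() for v in entry.get(attr, [])}


def _in_scope(entry, base_dn):
    """True when the entry is at or below base_dn (simple suffix test, no DN normalisation)."""
    if base_dn is None:
        return True
    dn, base = entry["dn"].lower(), base_dn.lower()
    return dn == base or dn.endswith("," + base)


def _conflicts_with(candidate, other, attrs, behavior):
    """Apply one of the three multiple-attribute behaviors to a pair of entries."""
    if behavior == "unique-within-each-attribute":
        # A shared value for any single attribute type is a conflict.
        return any(_values(candidate, a) & _values(other, a) for a in attrs)
    if behavior == "unique-across-all-attributes":
        # A value may not appear in any of the listed attributes of another entry.
        mine = set().union(*(_values(candidate, a) for a in attrs))
        theirs = set().union(*(_values(other, a) for a in attrs))
        return bool(mine & theirs)
    if behavior == "unique-in-combination":
        # Only an entry matching on every listed attribute is a conflict.
        return all(_values(candidate, a) & _values(other, a) for a in attrs)
    raise ValueError("unknown multiple-attribute behavior: %s" % behavior)


def find_conflicts(candidate, existing, attrs, behavior, base_dn=None,
                   ignore_soft_deleted=True):
    """Return the DNs of entries that would violate the constraint for `candidate`.

    The candidate's own DN is skipped, so the same check serves pre-commit validation
    (candidate not yet written) and post-commit validation (candidate already present).
    """
    if not attrs:
        raise ValueError("at least one attribute type is required")
    conflicts = []
    for entry in existing:
        if entry["dn"].lower() == candidate["dn"].lower():
            continue
        if ignore_soft_deleted and entry.get("softDeleted"):
            continue
        if not _in_scope(entry, base_dn):
            continue
        if _conflicts_with(candidate, entry, attrs, behavior):
            conflicts.append(entry["dn"])
    return conflicts
```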
Updated dsconfig batch mode to operate more efficiently over the WAN by consolidating the number of LDAP searches required to retrieve the full configuration when pre-validating configuration changes. Issue:DS-35495
A license key is required when setting up a server for the first time. Request a license key through the Ping Identity licensing website https://www.pingidentity.com/en/account/request-license-key.html or contact sales@pingidentity.com. Issue:DS-18100
Removed the ability to create custom HTTP trace loggers using the Server SDK. Issue:DS-18188
Important upgrade considerations for version 6.0.0.0 of the Directory Proxy Server:
Note: The product names have been updated to reflect the UnboundID acquisition by Ping Identity. This is a naming and branding change only; the code base is the same as in prior releases and will continue to be maintained into the future.
If upgrading a server that was running an older version of the JDK, run the dsjavaproperties --initialize command after the software upgrade to compare the settings of the older JDK with the requirements for the new server software. Apply any necessary changes to the upgraded server based on previous performance settings.
The 6.0 release makes these changes to supported platforms:
PBKDF2 is now the default encoding for root passwords. This only affects new installations.
In addition to changing the default password storage scheme for root users to PBKDF2, the default password storage scheme for regular users has been changed to salted 256-bit SHA-2.
HTTPS defaults to ON: servers now default to using HTTPS for console and API connections, including the SCIM API. This may affect automation scripts and development environments where HTTPS has not been in use before.
Generated user passwords, for example those created by the server during a password reset sequence, are now created as pass-phrases instead of random character strings. This makes them easier to type and remember. This change will not affect upgrades.
The /config directory file permissions have been changed so that they are only accessible by the server user.
Customers who choose to use the optional encryption algorithms provided by the third-party BouncyCastle library are encouraged to upgrade to BouncyCastle 1.54.
These features were added for version 6.0.0.0 of the Directory Proxy Server:
Added a new control for very large result sets, 'maximum-sort-size-limit-without-vlv-index', which allows client applications to request that the server gracefully degrade to unsorted results in cases where sorting a very large result set would have caused a time-out.
Added LDAP support for applications that authenticate users with Yubikey one-time passwords. The extensions include the UNBOUNDID-YUBIKEY-OTP SASL handler configuration object, extended operations and command line tools for registering a user’s Yubikey device, deregistering, and supporting authentication using either the one-time password (OTP) only, or the OTP together with a static password. The server can be configured to use the public Yubico validation service, or a different validation service. The Yubikey FIDO U2F, OATH HOTP, and PGP modes are not supported.
Added new "generate TOTP shared secret" and "revoke TOTP shared secret" extended operations to make it easier for applications to enable TOTP authentication for users. While these operations are primarily intended to be invoked programmatically, a generate-totp-shared-secret tool can be used to invoke these operations from the command line.
A new transform-ldif tool is available to read an LDIF file and write an updated file with a number of changes applied. The transformations include:
A new load-ldap-schema-file tool is available for loading LDAP schemas while a server is active and on-line.
A new register-yubikey-otp-device tool is available for creating or changing associations between users and specific OTP devices.
The *rate performance testing tools now include some additional sample rate pattern files: hockey stick, step-function, sine, triangle, sawtooth and square wave patterns.
The setup command now logs its input arguments, making it easier to confirm or duplicate a setup process. This changes the content of the log and may affect automated scripts that read these log files.
The config-diff tool, which makes it easy to compare and reconcile settings between server instances, now also supports the --pretty-print option which adds line breaks to the generated lists of dsconfig commands.
The manage-account tool has been enhanced significantly to make it easier to perform operations that affect large sets of user accounts including bulk lock-outs, parallel processing of updates, support for input filter criteria and DN lists. In particular, the manage-account tool now supports explicitly setting user accounts to the "locked-out" state. This is an improvement over earlier versions which required manipulation of operational attributes. See the command help for a complete list of the options and new sub-commands.
For easier consumption by third-party analysis tools, the Directory and Proxy Servers can now output JSON log formats. Similar support will be added to the Data Sync and Governance Brokers in a later release.
To help avoid issues when indexes near their index-entry-limit, the verify-indexes command now has the following two options: --listKeysNearestIndexEntryLimit and --listKeysExceedingIndexEntryLimit. The Admin Guide includes a new section, "Monitoring Index Entry Limits", which explains how to set, track, and tune the server's Index Entry Limit values.
Monitor entries have been added for a number of related metrics, all of which can be set to trigger alarms:
The Pass-Through Authentication plugin has a new "allowLaxPassThroughAuthenticationPasswords" option that permits password changes that do not comply with the PingDirectory Server's password policy. This facilitates integration in cases where the pass-through system has less-strict rules for new passwords.
For Java developers whose tools and workflows make use of Maven, the Server SDK jar has been deployed to Maven Central so that a developer can now add the Server SDK as a project dependency by adding a few lines to a project's pom.xml. Also, developers can now generate a Server SDK project that Maven-aware IDEs such as IntelliJ IDEA can package into an extension bundle with no special configuration needed. This benefit extends similarly to continuous integration systems such as Jenkins.
The dsconfig tool provides the ability to search for and quickly navigate to configuration objects and properties in which the name, synopsis, or description matches a provided pattern.
A new rotate-log tool and task have been added, which can be used to trigger rotation of one or more log files.
The Configuration API is now fully supported for all servers. In this release, the API was changed to match SCIM conventions for attribute naming, resource modeling, and the standard HTTP verbs. The UnboundID SCIM 2 SDK (available through GitHub) can now be used with the Configuration API.
All servers have an updated web Administrative Console, which includes:
The new Administrative Console can also be deployed to independent application servers instead of being co-hosted by the servers. This simplifies deployment models and increases separation between data and application layers.
To assist with situations where a very large number of changes may cause disk, memory, and server start time to increase unexpectedly, alerting and gauge features have been added to the Recent Changes Database.
Servers can now trigger events whenever log file rotation occurs. This includes "copy on rotate" and "summarize on rotate" listeners, as well as Server SDK support for creating custom log file rotation listeners.
It is now possible to create, change, and remove root user accounts across the topology using the dsconfig tool and Administrative Console.
These were known issues at the time of the release of version 6.0.0.0 of the Directory Proxy Server:
When deploying the Administrative Console in Tomcat 8, and accessing the Administrative Console application using Tomcat's Web Application Manager, some browsers (including Safari and Firefox) will generate a path URL that encodes the dash in ubid-console. This results in a path such as http://localhost:8888/ubid%2Dconsole/, which causes session management errors. To work around this issue, copy and paste the generated link into a browser, and replace the encoded dash with a dash (-) character.
The PermSize and MaxPermSize JVM properties are no longer supported in JDK 8, and will safely be ignored. These properties can be removed by modifying the config/java.properties file and running "bin/dsjavaproperties" while the server is offline.
Security criteria for root passwords with the default configuration will be increased in a future release. This might affect automated installation scripts that currently use less secure passwords. This will not affect existing root accounts.
The dsconfig tool and the Administrative Console enable creating and managing new Root DN users in this release. However, there is a limitation with changing the password of the currently logged in administrator. The ldappasswordmodify command can be used to change the administrator's password by providing the current and new password.
These issues were resolved with version 6.0.0.0 of the Directory Proxy Server:
Updated command-line tools based on the LDAP SDK tool APIs to add the following features:
Fixed a race condition in the attribute index's cleanup thread, which was causing the Proxy Server to hang during startup. Issue:DS-14866 SF#:00003172
Improved the admin alert health check system to handle situations where a massive number of admin alerts generated on an external server could result in the server being seen as unavailable. Issue:DS-14805 SF#:2990
Added a --prettyPrint option to the config-diff tool to make the output more human-readable. Issue:DS-14694
Improved memory utilization when processing entries with very large attributes, to prevent possible data retention in memory. Issue:DS-14878 SF#:00003169
Fixed an issue where the Proxy Server forwarded an atomic multi-update extended operation twice to the same backend set in an entry-balanced configuration, when the operation included a RouteToBackendSet control with absolute routing. Issue:DS-14889 SF#:2640,3186
Fixed an issue with the dsjavaproperties tool where java properties for PermSize and MaxPermSize could be added when using JDK 8, which no longer supports these options. Issue:DS-14857 SF#:3187
Improved the subordinate subtree view processing logic to only use the exclude branch request control for subordinate views that are within the scope of the target DN, for search requests processed by the parent subtree view. Issue:DS-14922 SF#:3188
Updated the bcrypt, crypt, PBKDF2 and scrypt password storage schemes so they can be used to create new instances. Issue:DS-14923
Changed the Proxy Server search behavior to fail when processing a critical RouteToBackendSetRequestControl with an unknown entry balancing request processor ID included. Non-critical controls will ignore unknown request processor IDs. Issue:DS-12555 SF#:2652
Updated the Proxy Server to forward Password Policy State and Validate TOTP Password extended operations to the backend PingDirectory Server for processing. Also, the Proxy Server is now able to forward the following extended operations to a backend PingDirectory Server in an entry-balancing configuration: Deliver Password Reset Token, Deliver Single Use Tokens and Get Supported OTP Delivery Mechanisms. Issue:DS-11076 SF#:00003190
Updated the Apache commons collections library to address the security vulnerability described by CVE-2015-4852. Issue:DS-14430 SF#:00003216
Fixed a case where attribute syntax configuration changes would not apply to undefined attributes, which rely on default attribute types. Issue:DS-14979
The collect-support-data tool now captures Kerberos config and log information. Issue:DS-13823
Updated the server's support for the Twilio Messaging Service so that it uses the newer "Messages" API when sending SMS messages instead of the older "SMS" API. The older API has been deprecated, and Twilio now imposes a 120-character limit for messages sent via that API. The messages API allows the server to take advantage of the full 160 characters per SMS message. Issue:DS-14749
Fixed an issue with simple paged results that require spanning multiple backend servers through an entry balanced request processor to fill a single page. The operation would return with a 'no such object' result code if one of the backend servers used did not have any matching results. Issue:DS-15059 SF#:3219
Server SDK extensions are now built with a Java source version of 1.7 by default. Issue:DS-15015
Improved the locking strategy for multi-update requests to better accommodate delete and add requests for the same entry. This also enables graceful failures for bad requests, instead of lock timeouts. Issue:DS-15132 SF#:3248
Fixed a rare condition where priming the Proxy Server would not complete if a backend PingDirectory Server became unavailable. Issue:DS-15186 SF#:00003270
Added support for server affinity using extended operations. Issue:DS-15195 SF#:00003269
Changed interactive setup default value for HTTPS enablement. Issue:DS-15221
Added support for authenticating with one-time passwords generated by YubiKey devices. The server may be configured to require static passwords in conjunction with YubiKey one-time passwords as a form of two-factor authentication, or it may be configured so that a one-time password alone is sufficient for authentication. Issue:DS-7017
Updated the initial server configuration to improve security and usability. These changes apply only to new installations and will not be applied when updating an existing installation. Changes include:
Updated the default file permissions for new installations on UNIX-based systems. Files and directories included in the zip file will only be accessible to their owner (the user that unzipped the file) by default.
Newly-created files and directories will also be assigned permissions that allow them to be accessed only by the account used to run the server. Existing configuration options for setting file permissions (the log-file-permissions and db-directory-permissions properties) will continue to behave as before. The new config/server.umask file will control the default permissions for all other newly-created files and directories. Issues:DS-13571,DS-13860,DS-7505 SF#:2703
Updated the global ACIs that ship with the server to use a separate ACI for each control or extended request to allow by default, rather than grouping all desired controls together in one ACI and all desired extended requests together in a second ACI. This change will only be reflected in new installations, and not when updating an existing deployment. Issue:DS-15417
Addressed an issue where dsconfig incorrectly allowed certain configuration objects to be deleted. Issue:DS-15400
Updated interactive setup to display default values, and improved the overall layout and appearance. Issues:DS-15361,DS-15363,DS-15434
Added more logging information when initializing web application and servlet extensions in case an extension causes conflicts or delays. Issue:DS-15466
Updated setup to encode the root password with the PBKDF2 password storage scheme instead of SSHA512. Issue:DS-15521
Increased the minimum memory requirements for the server process from 256MB to 384MB to accommodate the Administrative Console. Issue:DS-15571
Added a load-ldap-schema-file tool that will allow the server to recognize a new schema file, or an updated version of an existing schema file, and make the definitions immediately available without needing to restart the server. Issue:DS-15576
The updater tool will increase the PermSize and MaxPermSize parameters to the recommended value to prevent JVM pauses. Issue:DS-15522 SF#:00003324
Fixed an error that could occur during upgrade when the configuration cannot be loaded due to missing custom schema. Issue:DS-15592 SF#:3340
Updated the Groovy Scripting Language version to 2.4.6. Issue:DS-15621
Added support for an UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION SASL mechanism that indicates that an application attempted to verify the identity of a user whose account is stored in the server but that used a form of authentication that is external to the server (for example, via social login). The server will not alter the authentication state of the underlying connection, but may veto a successful external authentication if the user's account is not in a usable state (for example, the account is locked or disabled, or the password is expired), or it may update password policy state for the user to reflect the authentication attempt (for example, updating the last login time and IP address for a successful authentication, or recording the failed attempt and potentially locking the account for an unsuccessful authentication). Issue:DS-15559
Added a new rotate-log tool to request the rotation of one or more log files. Issue:DS-10464
The server now enforces that attributes referenced in configuration properties are defined explicitly in the local schema. This includes cached attribute types as well, such as the attribute types that a Proxy Server caches from backend PingDirectory Server instances. Issue:DS-14699
Improved the error messages produced by the manage-extensions tool when attempting to install invalid extensions. Issue:DS-15412
Addressed an issue where jsonObjectFilterExtensibleMatch queries in the proxy would fail if any DN Mappers were configured. Issue:DS-15943
Improved the error messages and examples for create-rc-script and create-systemd-script by explicitly suggesting the use of sudo so that the scripts can modify protected files. Issue:DS-15178
Rewrote the manage-account tool to provide many new features:
Updated the globally-unique attribute plugin so that the filter property applies to conflict searches, and matches entries being added or modified. Issue:DS-15827
The former suite of Administrative Console applications, each of which was tied to a particular product (for example the dsconsole.war for the PingDirectory Server), is no longer available and has been superseded by a new version of the Administrative Console capable of managing any server product. You can choose to access the Administrative Console by hosting it within a server, or by deploying it in an external servlet container. For the former, enable an HTTP Connection Handler and add the Administrative Console Web Application Extension to the handler. For the latter, download and unzip the management-console-[version].zip file, and install the ubid-console.war file according to your container's instructions. Issue:DS-15088
Root DN User configuration entries can now be fully managed through the configuration management interfaces such as dsconfig and the Administrative Console. Issue:DS-15422
Added support for log file rotation listeners, which allow for custom processing whenever a log file is rotated out of service so that the server will no longer write to it. A copy listener (which will copy the rotated log file to an alternate location, optionally compressing it in the process), and a summarize listener (which will invoke the summarize-access-log tool on the rotated log file) are included. The Server SDK also includes an API for creating custom log file rotation listeners. Issue:DS-4235
Improved the way we handle unexpected errors and invalid DNs during proxy transformations. Issue:DS-16053 SF#:3454
Improved the warnings given when the maximum memory that all server components can consume is greater than the available memory in the JVM. Issue:DS-15920
Replaced the scramble-ldif tool with a more powerful transform-ldif tool with support for a number of additional transformation types. The new transform-ldif tool is backward compatible with the former scramble-ldif tool, and the scramble-ldif shell script and batch file are still included with the server to ensure compatibility with scripts that depend on that tool. Issue:DS-15108
Updated the password policy state extended operation and the manage-account tool to provide a way to obtain a list of the SASL mechanisms and OTP delivery mechanisms that are available to a user, to determine whether a user has a TOTP shared secret, and to retrieve and manipulate the set of public IDs for the YubiKey OTP devices registered for a user. Issue:DS-16104
Improved the collect-support-data tool to include information provided by systemd on platforms that support it. Issue:DS-13401
Improved the error messages for create-rc-script and create-systemd-script when the directory in which the script will be created does not exist. Issue:DS-15337
Added support for a "generate TOTP shared secret" extended operation that allows a client to request that the server generate a shared secret for a specified user that will be stored in the user's entry and returned to the client. That shared secret can be used to generate time-based one-time passwords for use in the course of authenticating to the server through the UNBOUNDID-TOTP SASL mechanism. A "revoke TOTP shared secret" extended operation was also added to allow a shared secret to be eliminated if it is no longer needed or may have been compromised. The password policy state extended operation and the manage-account command-line tool have also been updated to provide support for manipulating the set of TOTP shared secrets for a user. Issue:DS-15349
Added the server's process ID to the output of the status tool. Issue:DS-10312
Added support for JSON-formatted access and error log messages. Issue:DS-14919
Added a monitor entry for each Server SDK extension. Issue:DS-14548
The Configuration API now returns unquoted, native JavaScript values for integer, real number, and boolean properties. Duration and size property values, for example '1 w' or '100 G', continue to be represented as JavaScript string types. Issue:DS-15175
Added the ability to create local constants in LDIF template files using the new 'local' keyword. Issue:DS-14213
Updated the server to allow users with expired passwords to authenticate with SASL mechanisms that do not involve passwords. Issue:DS-15789
Addressed a few issues in config-diff. In some situations, config-diff would not generate commands in an order that respected all dependencies. This has been fixed. Most expected warnings are now excluded by default but can be included in the output with the --includeAllWarnings option. The --sourceBindPasswordFile and --targetBindPassword are now applied in conjunction with the --targetConfigGroup and --sourceConfigGroup options. Issues:DS-10466,DS-10765,DS-14479,DS-15318,DS-16154
Added support for setting the request header size in the Jetty http configuration server properties. Issue:DS-12191 SF#:00002580
Updated the restore command so that it can no longer be used to restore a backup of the config backend. The command now points the administrator to safer ways to revert configuration changes, including using config-diff. Issue:DS-14704
Updated the sanitize-log tool to add support for JSON-formatted access and error log files. Issue:DS-16224
Increased the maximum size of the thread pool that is used to process entry balancing broadcast operations. The maximum is now 64 times the number of worker threads with an upper limit of 2048. Issue:DS-15168
Added the ability to search for configuration objects and their properties by name with the dsconfig tool. Issue:DS-979
Added a --dry-run option to dsconfig, which can be used in batch mode to validate the configuration changes in a batch file without applying them. Issue:DS-10946
Tools used to prepare a server for access by another server, such as prepare-external-server, now validate base DN entries before any modifications are performed on the prepared server. Issue:DS-14807
Fixed an issue that prevented the deletion of disabled debug loggers. Issue:DS-15622
These were known issues at the time of the release of version 5.2.0.0 of the Directory Proxy Server:
When deploying a .war file through the Web Application HTTP Servlet Extension, dependencies bundled in the file may conflict with the server's own dependencies if the server version differs from the version in the .war file. This may cause the Web Application HTTP Servlet Extension or the server itself to not start correctly. For reference, all server dependencies are available in
These issues were resolved with version 5.2.0.0 of the Directory Proxy Server:
The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182
Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it. Issue:DS-12218
Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised. Issue:DS-12319
Added support for running on Oracle Java 8 and OpenJDK 8 platforms. Issue:DS-12483
SCIM, through proxy, does not support pagination. Pagination requires the use of VLV and Server Side Sort controls, which are not natively supported by the Identity Proxy Server. The SCIM proxy configuration script incorrectly included these controls in the ACI and supported controls sections. These have now been removed. Issue:DS-12480 SF#:2636
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration. Issues:DS-12107,DS-12137
The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage. Issue:DS-12245
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired). Issue:DS-8739
Fixed an issue where configuring numeric IPv4 address filtering by connection criteria in a log publisher performed unnecessary reverse hostname lookups. Issue:DS-12610 SF#:00002632
Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors. Issue:DS-12496
Fixed an issue where using the RouteToBackendSetRequestControl with an incorrect entry-balancing request processor ID could result in a NullPointerException. Issue:DS-12555 SF#:2652
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655
Fixed an issue where the Proxy Server returned an incorrect result code when attempting to add an entry that already exists more than one level below an entry balancing base DN. The Proxy Server in some cases would incorrectly return NO_SUCH_OBJECT rather than ENTRY_ALREADY_EXISTS. Issue:DS-12607
Updated the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints. Issue:DS-12576
Added support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. The syntax requires that each value of this type is a valid JSON object. Two matching rules have also been added for use in conjunction with the JSON object syntax: jsonObjectExactMatch and jsonObjectFilterExtensibleMatch.
The jsonObjectExactMatch equality matching rule is used in evaluating equality filters in search operations, as well as for matching performed against JSON object attributes for add, compare, and modify operations. It determines whether two values are logically-equivalent JSON objects. The field names used in both objects must match exactly (although fields may appear in different orders). The values of each field must have the same data types. String values will be compared in a case-insensitive manner. The order of elements in arrays will be considered significant.
The jsonObjectFilterExtensibleMatch matching rule can perform more powerful matching against JSON objects. The assertion values for these extensible matching filters should be JSON objects that express the constraints for the matching. These JSON object filters are described in detail in the Javadoc documentation (available in the Commercial Edition of the UnboundID LDAP SDK for Java) for the com.unboundid.ldap.sdk.unboundidds.json.JSONObjectFilter class and its subclasses. Although the LDAP SDK can facilitate searches with this matching rule, these searches can be issued through any LDAP client API that supports extensible matching.
Indexing is supported only for the jsonObjectExactMatch matching rule. If possible, non-baseObject searches that use the jsonObjectFilterExtensibleMatch matching rule should be wrapped in an LDAP AND filter that also contains one or more indexed components so that the search can be processed more efficiently. Issue:DS-12138
Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart. Issue:DS-12285
Fixed an issue that would result in long server startup when many locations and load balancing algorithms are defined. Issue:DS-12802 SF#:2677
Added support for three new extended operations for interacting with single-use tokens:
- The "get supported OTP delivery mechanisms" operation provides information about which one-time password delivery mechanisms are configured in the server, and which of those are available for a specified user.
- The "deliver single-use token" operation can generate a token value and provide it to a specified user through an out-of-band communication mechanism like email, SMS, or voice call.
- The "consume single-use token" operation indicates that the user has received a single-use token from the "deliver single-use token" operation and consumes that token so that it cannot be reused. Issues:DS-12594,DS-12596
Updated the server to avoid the use of the server-side sort and virtual list view request controls in search requests that span multiple subtree views or multiple entry-balanced backend sets. If the server cannot honor a non-critical server-side sort or virtual list view control, then it will process the search operation as if the control had not been included in the request. If the server cannot honor a critical server-side sort or virtual list view control, then it will return an error result to the client. Issues:DS-12560,DS-12561
Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status. Issue:DS-12969 SF#:2717
Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage. Issue:DS-12880
MakeLDIF templates now have the ability to escape the special characters curly braces, angle brackets, and square brackets using a backslash. See config/MakeLDIF/examples-of-all-tags.template for further examples. Issue:DS-12798
Added the ability to configure the Globally-Unique Attribute and Unique Attribute plugins with a filter to limit attribute uniqueness checking to a subset of matching entries. Issue:DS-9842
Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server is running out of file descriptors and degrade the server appropriately. Issue:DS-12727
The setup and initial configuration tools now support offline modes that can be used to bootstrap the server configuration while it is not running. Also, files generated by these tools are now saved to the server's resource directory. Issues:DS-12704,DS-8794,DS-9652
Addressed an issue where data definition language (DDL) log field mappings for the JDBC error log were not previously documented. Issue:DS-13163
Fixed an issue where debug logging at a fine-level could consume large amounts of memory. Issue:DS-13124
Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads. Issue:DS-10010
The Proxy Server processing for Third-Party Proxied Extended Operation Handlers has been changed for extended operations containing "Route To Backend Set" request controls. The default behavior is now to process the operation only on backends in the entry-balancing request processors specified in the request controls. The old behavior to process on backends in other request processors too may be obtained through the advanced "route-to-backend-set-behavior" configuration property on the Third-Party Proxied Extended Operation Handler. Issue:DS-13248 SF#:2738
Updated the server's JVM arguments to always log garbage collection information to a rotating set of log files stored within logs/jvm/gc.log.N. The file system usage is limited to 300MB. If the server had previously been configured with VERBOSE_GC, then garbage collection logging information will no longer be logged to logs/server.out. Issue:DS-11522
The following UnboundID product names have changed:
- Identity Data Store to Data Store
- Identity Proxy to Proxy Server
- Identity Data Sync Server to Data Sync Server
- Identity Broker to Data Broker
Issue:DS-12799
Updated the prepare-external-server tool to suppress output when run with the --quiet option. Issue:DS-13242
Custom HTTP loggers are no longer permitted to modify the requests and responses being logged. Calling a forbidden method will result in a subclass of UnsupportedOperationException. For requests, the forbidden methods are authenticate, getReader, login, logout and setCharacterEncoding. For responses, the forbidden methods are addCookie, addHeader, addIntHeader, flushBuffer, getOutputStream, getWriter, reset, sendError, sendRedirect, setBufferSize, setCharacterEncoding, setContentLength, setContentType, setHeader, setIntHeader, setLocale and setStatus. Issue:DS-10283
Fixed a bug where using the advanced arguments of some tools would result in changing the saved complexity settings for the dsconfig tool. Issue:DS-12897
Fixed a case where duplicate entry searches performed prior to an ADD operation in an entry-balanced environment may not honor a maximum response timeout. Issue:DS-13501 SF#:00002830
Updated the installer to increase the maximum suggested JVM size on Linux systems with at least 48 GB of RAM. Issue:DS-12982
Added a new search-logs tool. Similar to the command line tool 'grep,' this tool searches across log files to extract lines matching the provided pattern(s). The search-logs tool can handle multi-line log messages, extract log messages within a given time range, and include rotated log files. Issue:DS-3095
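The three behaviours this note attributes to search-logs (keeping a multi-line message together, restricting to a time range, and reading across the current and rotated files) are what an incident responder needs when pulling, for example, every failed bind for one account out of a day of access logs. The Python below is an added illustration of that logic, not the search-logs tool itself. The sample log text is constructed here; its bracketed-timestamp layout follows the general style of the server's access log, but the exact field set is an assumption, and the pattern and time-range semantics are this example's, not a description of the tool's arguments.

```python
import gzip
import re
from datetime import datetime

# Constructed sample: four bind results, one of which carries a continuation
# line, plus a connect. Field names beyond the timestamp are assumed.
SAMPLE_LOG = """\
[15/Mar/2017:10:00:01.123 +0000] CONNECT conn=7 from="192.0.2.10:51120" to="198.51.100.5:636"
[15/Mar/2017:10:00:01.200 +0000] BIND RESULT conn=7 op=0 resultCode=49 authDN="uid=jdoe,ou=People,dc=example,dc=com"
  diagnosticMessage="Invalid credentials"
[15/Mar/2017:10:05:00.000 +0000] BIND RESULT conn=8 op=0 resultCode=0 authDN="uid=asmith,ou=People,dc=example,dc=com"
[15/Mar/2017:10:09:59.999 +0000] BIND RESULT conn=9 op=0 resultCode=49 authDN="uid=jdoe,ou=People,dc=example,dc=com"
[15/Mar/2017:10:30:00.000 +0000] BIND RESULT conn=10 op=0 resultCode=49 authDN="uid=jdoe,ou=People,dc=example,dc=com"
"""

# A message starts with "[dd/Mon/yyyy:HH:MM:SS.mmm +zzzz]"; anything else continues the previous one.
TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"


def parse_time(iso):
    """Range boundaries are given as ISO-8601 strings with a UTC offset."""
    return datetime.fromisoformat(iso)


def parse_messages(text):
    """Group physical lines into (timestamp, message) pairs, attaching
    continuation lines to the message they belong to."""
    messages = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            messages.append([datetime.strptime(m.group(1), TS_FMT), line])
        elif messages:
            messages[-1][1] += "\n" + line
    return [(ts, body) for ts, body in messages]


def read_log_files(paths):
    """Yield the contents of each file, decompressing rotated copies that end in .gz."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as handle:
            yield handle.read()


def search_logs(texts, pattern, start=None, end=None):
    """Return the complete messages (across all given file contents) that match
    `pattern` and whose timestamp lies within [start, end]."""
    rx = re.compile(pattern)
    hits = []
    for text in texts:
        for ts, body in parse_messages(text):
            if start is not None and ts < start:
                continue
            if end is not None and ts > end:
                continue
            if rx.search(body):
                hits.append(body)
    return hits


if __name__ == "__main__":
    # Failed binds for one account during a ten-minute window, printed with
    # their continuation lines intact. For real files:
    #   search_logs(read_log_files(["logs/access", "logs/access.1.gz"]), ...)
    for hit in search_logs([SAMPLE_LOG], r'resultCode=49 authDN="uid=jdoe',
                           parse_time("2017-03-15T10:00:00+00:00"),
                           parse_time("2017-03-15T10:10:00+00:00")):
        print(hit)
```

Because a continuation line never carries its own timestamp, filtering on physical lines (as grep does) would either drop the diagnostic message or report it with no time context; grouping first and filtering second keeps the two together.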
Updated the create-systemd-script tool by adding resource limits for available open file descriptors (NOFILE), and shared memory reservations (MEMLOCK). The generated script lists the recommended file descriptors limit and the resource limit setting for enabling large page support. The settings in the create-systemd-script output supersede prior documentation for setting the number of open file descriptors on non-systemd systems. Issue:DS-13678
Updated the server to allow an initial heap size over 128 GB. Due to limitations of older JVMs, this was previously capped at 128 GB, even when the maximum heap size was larger. Issue:DS-13554
Added support for a "name with entryUUID" request control. If this control is included in an add request, the entry will be added with a distinguished name whose RDN contains only the entryUUID attribute. This offers a number of potential benefits:
Updated the server to better utilize worker threads and reduce the potential for a work queue backlog when processing multiple concurrent long-running operations. Issue:DS-13783
Fixed an issue involving transactions sent through a Proxy Server with Entry Balancing configured. If the transaction contained requests that targeted entries that were not in the global index, then duplicate requests were included in the resulting Multi-Update operation forwarded to the Data Store. Issue:DS-13820 SF#:2851
Updated interactive dsconfig to include an option to toggle between sorting similar properties together or sorting them alphabetically. Issue:DS-1706
The collect-support-data tool now has the option to collect logging information within a specified time range via the '--timeRange' argument. Issue:DS-1261
Improved the server's support for selecting TLS cipher suites. When the server is configured to use a specific set of cipher suites, it will now always validate that all of the configured suites are supported by the JVM. When the server is not configured to use a specific set of cipher suites, it will now customize the set of default suites to prioritize those using strong cryptography (especially those that offer forward secrecy), and exclude suites with known weaknesses. Issues:DS-12681,DS-13475
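The two behaviours in this note, rejecting an explicitly configured suite that the runtime does not support and otherwise ordering the defaults so that strong, forward-secret suites come first and known-weak ones are dropped, amount to a small selection policy. The Python below is an added illustration of that policy, not the server's selection code. It works on JSSE-style suite names, the list of "supported" suites is a constructed sample rather than output from a real JVM, and the weakness criteria it applies (RC4, single and triple DES, NULL encryption, export-grade, anonymous key exchange, MD5) are a common reading of "known weaknesses" rather than the product's exact list.

```python
import re

# Constructed sample standing in for the suites a JVM reports as supported.
JVM_SUPPORTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
]

# Assumed weakness criteria (this example's, not the product's published list).
WEAK_PATTERNS = [re.compile(p) for p in (
    r"_RC4_", r"_DES_", r"_3DES_", r"_DES40_", r"_NULL_", r"_EXPORT", r"_anon_", r"_MD5$",
)]


class UnsupportedCipherSuite(ValueError):
    """Raised when explicit configuration names a suite the runtime lacks."""


def validate_configured(configured, supported):
    """Explicit configuration is taken literally, but every name must exist in
    the runtime; report all unknown names at once rather than silently dropping them."""
    supported_set = set(supported)
    unknown = [s for s in configured if s not in supported_set]
    if unknown:
        raise UnsupportedCipherSuite("not supported by the runtime: " + ", ".join(unknown))
    return list(configured)


def is_weak(suite):
    return any(p.search(suite) for p in WEAK_PATTERNS)


def forward_secrecy_rank(suite):
    """Ephemeral key exchange first: ECDHE, then DHE, then static key exchange."""
    if "_ECDHE_" in suite:
        return 0
    if "_DHE_" in suite:
        return 1
    return 2


def aead_rank(suite):
    """Within a key-exchange class, prefer AEAD ciphers over CBC modes."""
    return 0 if ("_GCM_" in suite or "_CHACHA20_" in suite) else 1


def default_suites(supported):
    """No explicit configuration: drop weak suites, then order the remainder by
    forward secrecy and AEAD. sorted() is stable, so ties keep the runtime's order."""
    strong = [s for s in supported if not is_weak(s)]
    return sorted(strong, key=lambda s: (forward_secrecy_rank(s), aead_rank(s)))


def select_suites(configured, supported):
    """Entry point: validate an explicit list as-is, otherwise apply the default policy."""
    if configured:
        return validate_configured(configured, supported)
    return default_suites(supported)


if __name__ == "__main__":
    for suite in select_suites([], JVM_SUPPORTED):
        print(suite)
```

On the constructed sample the default policy yields the two ECDHE/GCM suites, then the ECDHE/CBC suite, then DHE/GCM, then the static-RSA AES suite; the 3DES, RC4/MD5, NULL, anonymous and export suites are excluded entirely.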
Updated the alert handler configuration to indicate whether the alert handler should be invoked asynchronously in a background thread rather than by the thread that generated the alert. For alerts generated during the course of processing an operation, invoking potentially time-consuming alert handlers in a background thread can avoid adversely impacting the response time for that operation while still ensuring that administrators are made aware of the issue that arose. Issue:DS-12833
Updated the server to provide support for SMTP connection pooling. When sending an email message, the server will attempt to reuse an existing SMTP connection rather than establishing a new connection for each message. Issue:DS-12833
Fixed an issue where there could be missing or duplicated changes when synchronizing through a Proxy Server in an entry-balancing configuration. The issue only affected Proxy Server configurations with multiple entry-balancing request processors referencing the same proxying request processor. Issue:DS-14088 SF#:00002928
Added the ability to protect Velocity templates using the basic authentication scheme. Issue:DS-14074
Updated the prepare-* tools to avoid unnecessary confirmation for trust of the prepared server's certificate when the --trustStorePath argument specifies a trust store that establishes trust. Issue:DS-12616
Fix an issue in the SCIM interface where an attribute required by the SCIM schema could be deleted by a PATCH operation. Issue:DS-14060
Fixed a log publisher defect that would result in an unreadable file when both compression and signing were enabled at the same time. Issue:DS-13552
Updated the LDAP connection handler to enable the use of multiple threads for accepting connections and preparing them for use. This improves concurrency for deployments in which the process of accepting a new connection may take some time to complete (possibly because of expensive DNS lookups or time-consuming post-connect plugins). Issue:DS-12627
The ldifsearch command now supports the option "--isCompressed" for LDIF files that have been compressed with gzip. Issue:DS-14140
Added properties to the task backend for limiting the number of log messages retained in task entries, in order to limit the size of the in-memory representation of those entries. All log messages generated by a task will still be recorded in the server error log, even if they are not all retained in the corresponding entry in the task backend. Issue:DS-11067 SF#:2282
Fixed an issue where configuration changes to an external server would not notify all load-balancing algorithms defined for that server. Issue:DS-14353 SF#:00003029
Improved processing of abandon requests with subordinate operations by avoiding canceling twice and not waiting for internally canceled operations. Issue:DS-14350 SF#:2284
Fixed an issue with the collect-support-data tool when using the --pid argument. Only one jstack was being collected, instead of using the amount specified by the --maxJstacks argument. Issue:DS-14349
These issues were resolved with version 5.1.5.2 of the Directory Proxy Server:
Added the ability to protect Velocity templates using the basic authentication scheme. Issue:DS-14074
These issues were resolved with version 5.1.5.0 of the Directory Proxy Server:
Updated the installer to increase the maximum suggested JVM size on Linux systems with at least 48 GB of RAM. Issue:DS-12982
Fixed a race condition in the LDAP SDK that could result in poor performance when using the separate-connections verify-credentials-method on an external server. SF#:2745
Added a gauge to monitor the number of available file descriptors. This Available File Descriptors gauge can detect if a server is running out of file descriptors and degrade the server appropriately. Issue:DS-12727
Updated the server to allow an initial heap size over 128 GB. Due to limitations of older JVMs, this was previously capped at 128 GB, even when the maximum heap size was larger. Issue:DS-13554
Important upgrade considerations for version 5.1.0.0 of the Directory Proxy Server:
The summarize-config tool is deprecated, and will be removed in future versions of the product. Use the config-diff tool with the "sourceBaseline" argument to list a summary of changes to the local server configuration.
These features were added for version 5.1.0.0 of the Directory Proxy Server:
Added initial support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. Indexing options are currently limited. Please see the full release note below for DS-12138.
These issues were resolved with version 5.1.0.0 of the Directory Proxy Server:
The setup tool has been updated to use HTTPS for initial configuration. Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182
Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it. Issue:DS-12218
Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised. Issue:DS-12319
Added support for running on Oracle Java 8 and OpenJDK 8 platforms. Issue:DS-12483
SCIM, through proxy, does not support pagination. Pagination requires the use of VLV and Server Side Sort controls, which are not natively supported by the Identity Proxy Server. The SCIM proxy configuration script incorrectly included these controls in the ACI and supported controls sections. These have now been removed. Issue:DS-12480 SF#:2636
Fixed an issue where configuring numeric IPv4 address filtering by connection criteria in a log publisher performed unnecessary reverse hostname lookups. Issue:DS-12610 SF#:00002632
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration. Issues:DS-12107,DS-12137
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired). Issue:DS-8739
Added logging of all HTTP requests disallowed due to CORS. This should make it easier to debug HTTP 403/Forbidden errors. Issue:DS-12496
Fixed an issue where using the RouteToBackendSetRequestControl with an incorrect entry-balancing request processor ID could result in a NullPointerException. Issue:DS-12555 SF#:2652
Critical: The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655
Fixed an issue where the Proxy Server returned an incorrect result code when attempting to add an entry that already exists more than one level below an entry balancing base DN. The Proxy Server in some cases would incorrectly return NO_SUCH_OBJECT rather than ENTRY_ALREADY_EXISTS. Issue:DS-12607
Updated the Detailed HTTP Operation Log Publisher to log the correct return code (404 NOT FOUND) when a request is not handled by defined endpoints. Issue:DS-12576
The Configuration API has been updated to support filtering, sorting, and paging for object list operations. See the Administration guide for usage. Issue:DS-12245
Added support for a JSON object attribute syntax, which can be used for attribute types whose values are JSON objects. The syntax requires that each value of this type is a valid JSON object. Two matching rules have also been added for use in conjunction with the JSON object syntax: jsonObjectExactMatch and jsonObjectFilterExtensibleMatch.
The jsonObjectExactMatch equality matching rule is used in evaluating equality filters in search operations, as well as for matching performed against JSON object attributes for add, compare, and modify operations. It determines whether two values are logically-equivalent JSON objects. The field names used in both objects must match exactly (although fields may appear in different orders). The values of each field must have the same data types. String values will be compared in a case-insensitive manner. The order of elements in arrays will be considered significant.
The jsonObjectFilterExtensibleMatch matching rule can perform more powerful matching against JSON objects. The assertion values for these extensible matching filters should be JSON objects that express the constraints for the matching. These JSON object filters are described in detail in the Javadoc documentation (available in the Commercial Edition of the UnboundID LDAP SDK for Java) for the com.unboundid.ldap.sdk.unboundidds.json.JSONObjectFilter class and its subclasses. Although the LDAP SDK can facilitate searches with this matching rule, these searches can be issued through any LDAP client API that supports extensible matching.
Indexing is supported only for the jsonObjectExactMatch matching rule. If possible, non-baseObject searches that use the jsonObjectFilterExtensibleMatch matching rule should be wrapped in an LDAP AND filter that also contains one or more indexed components so that the search can be processed more efficiently. Issue:DS-12138
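The jsonObjectExactMatch rules spelled out above (in both the 5.2.0.0 and 5.1.0.0 lists) are easy to misjudge when writing an equality filter or predicting whether an add or modify will collide with an existing value: field names are case-sensitive but unordered, string values are case-insensitive, and array order matters. The Python below is an added model of those documented rules; it is not code from the server or from the UnboundID LDAP SDK, and the treatment of integers and floats as one JSON number type is this example's reading of "same data types".

```python
import json


def _same_json_type(x, y):
    """JSON has one number type and a distinct boolean type; Python's bool is
    an int subclass, so it has to be checked before the numeric test."""
    if isinstance(x, bool) or isinstance(y, bool):
        return isinstance(x, bool) and isinstance(y, bool)
    if isinstance(x, (int, float)) and isinstance(y, (int, float)):
        return True
    return type(x) is type(y)


def json_values_match(x, y):
    """Equivalence of two parsed JSON values under the documented rules."""
    if not _same_json_type(x, y):
        return False
    if isinstance(x, dict):
        # Field names must match exactly (case-sensitive); their order is not significant.
        if set(x) != set(y):
            return False
        return all(json_values_match(x[k], y[k]) for k in x)
    if isinstance(x, list):
        # The order of array elements is significant.
        return len(x) == len(y) and all(json_values_match(p, q) for p, q in zip(x, y))
    if isinstance(x, str):
        # String values are compared case-insensitively.
        return x.casefold() == y.casefold()
    # null equals null; numbers compare by value.
    return x == y


def json_objects_match(a, b):
    """jsonObjectExactMatch model: both operands must be JSON objects."""
    if not (isinstance(a, dict) and isinstance(b, dict)):
        raise ValueError("jsonObjectExactMatch operands must be JSON objects")
    return json_values_match(a, b)


def parse_json_object(raw):
    """Parse a stored or asserted value; the syntax requires a JSON object."""
    value = json.loads(raw)
    if not isinstance(value, dict):
        raise ValueError("value must be a JSON object")
    return value


def matching_values(stored_values, assertion):
    """Return the stored attribute values (JSON strings, as held in an attribute
    with the JSON object syntax) that an equality filter with the given
    assertion value would match."""
    target = parse_json_object(assertion)
    return [v for v in stored_values if json_objects_match(parse_json_object(v), target)]


if __name__ == "__main__":
    # Constructed values: the assertion differs from the first value only in
    # field order and string case, so only that value matches.
    stored = ['{"id": "42", "tags": ["A"]}', '{"id": "42", "tags": ["B"]}']
    print(matching_values(stored, '{"tags": ["a"], "id": "42"}'))
```

The practical consequence for the indexing caveat above: because equality under this rule ignores string case but not array order, two values that differ only by case are duplicates for an equality filter (and for a uniqueness check), while two values with reordered arrays are not.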
Fixed an issue where changes to SMTP External Server configurations did not take effect until after a server restart. Issue:DS-12285
Fixed an issue that would result in long server startup when many locations and load balancing algorithms are defined. Issue:DS-12802 SF#:2677
Added support for three new extended operations for interacting with single-use tokens:
- The "get supported OTP delivery mechanisms" operation provides information about which one-time password delivery mechanisms are configured in the server, and which of those are available for a specified user.
- The "deliver single-use token" operation can generate a token value and provide it to a specified user through an out-of-band communication mechanism like email, SMS, or voice call.
- The "consume single-use token" operation indicates that the user has received a single-use token from the "deliver single-use token" operation and consumes that token so that it cannot be reused. Issues:DS-12594,DS-12596
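The deliver/consume pair above and the "deliver password reset token" operation described earlier in this list (and in the 5.2.0.0 list) rest on the same properties: a token is bound to one user, is valid for a limited time, and is accepted at most once, with the password reset variant optionally honoured even when the account is otherwise unusable. The Python below is an added model of those checks, not the server's implementation; the page does not describe how the server stores tokens or encodes the extended operations, so the hashed-at-rest storage, the five-minute lifetime, the "purpose" field and the single-outstanding-token-per-user rule are all this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; the server's default is not stated on this page


class TokenStore:
    """In-memory model of single-use, time-limited tokens bound to a user
    (illustrative only; not the Directory Proxy Server's implementation)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock            # injectable so expiry can be tested
        self._pending = {}             # user -> (token_hash, expires_at, purpose)

    @staticmethod
    def _digest(user, token):
        # Only a hash is kept, so a copy of the store yields no usable token;
        # mixing in the user binds the token to that account.
        return hashlib.sha256(f"{user}\0{token}".encode()).hexdigest()

    def deliver(self, user, purpose="single-use"):
        """Generate a token for out-of-band delivery (email, SMS, voice).
        Returns the clear-text token; only its hash is retained."""
        token = secrets.token_urlsafe(24)
        expires_at = self._clock() + self._ttl
        # Assumption: issuing a new token supersedes any outstanding one for the user.
        self._pending[user] = (self._digest(user, token), expires_at, purpose)
        return token

    def consume(self, user, token, purpose="single-use",
                account_usable=True, allow_if_unusable=False):
        """Return True and invalidate the token if it is valid for this user.
        Every failure is a plain False, so a caller cannot tell 'no token
        outstanding' from 'wrong token' or 'expired'."""
        record = self._pending.get(user)
        if record is None:
            return False
        token_hash, expires_at, stored_purpose = record
        if self._clock() > expires_at:
            del self._pending[user]    # expired tokens are discarded, never honoured
            return False
        if stored_purpose != purpose:
            return False               # a login token cannot be spent as a reset token
        if not account_usable and not allow_if_unusable:
            return False               # locked/expired accounts are refused unless permitted
        if not hmac.compare_digest(token_hash, self._digest(user, token)):
            return False               # constant-time comparison of the hashes
        del self._pending[user]        # single use: a valid token is consumed
        return True


if __name__ == "__main__":
    user = "uid=jdoe,ou=People,dc=example,dc=com"     # constructed DN
    store = TokenStore()
    token = store.deliver(user, purpose="password-reset")
    print("first use:", store.consume(user, token, purpose="password-reset",
                                      account_usable=False, allow_if_unusable=True))
    print("second use:", store.consume(user, token, purpose="password-reset"))
```

The order of the checks matters: the account-usability and purpose checks run before the hash comparison so that a failed attempt does not consume a token the user has not yet had a chance to use, while a successful comparison always removes the record, which is what makes the token single-use.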
Updated the server to avoid the use of the server-side sort and virtual list view request controls in search requests that span multiple subtree views or multiple entry-balanced backend sets. If the server cannot honor a non-critical server-side sort or virtual list view control, then it will process the search operation as if the control had not been included in the request. If the server cannot honor a critical server-side sort or virtual list view control, then it will return an error result to the client. Issues:DS-12560,DS-12561
Fixed a rare condition that might cause the logger rotation and retention thread to exit under heavy file system load or a network file system outage. Issue:DS-12880
MakeLDIF templates now have the ability to escape the special characters (curly braces, angle brackets, and square brackets) using a backslash. See config/MakeLDIF/examples-of-all-tags.template for further examples. Issue:DS-12798
Improved server locking used by dsconfig in offline batch mode, so that the server lock is held for the entire batch duration, instead of for each invocation. Also, reduced the probability of contention for file locks used by server tools to determine the server status. Issue:DS-12969 SF#:2717
Added the ability to configure the Globally-Unique Attribute and Unique Attribute plugins with a filter to limit attribute uniqueness checking to a subset of matching entries. Issue:DS-9842
Reduced the memory overhead of debug logging in high throughput environments by sharing logging buffers across multiple threads. Issue:DS-10010
The Proxy Server processing for Third-Party Proxied Extended Operation Handlers has been changed for extended operations containing "Route To Backend Set" request controls. The default behavior is now to process the operation only on backends in the entry-balancing request processors specified in the request controls. The old behavior, in which the operation was also processed on backends in other request processors, may be restored through the advanced "route-to-backend-set-behavior" configuration property on the Third-Party Proxied Extended Operation Handler. Issue:DS-13248 SF#:2738
These issues were resolved with version 5.0.1.0 of the Directory Proxy Server:
The setup tool has been updated to use HTTPS when configuring the HTTP Connection Handler(s). Unsecure HTTP can be enabled post-setup, or by using non-interactive setup. Issue:DS-12182
Addressed cases where some messages may be suppressed in logs and alerts. Issue:DS-12287
Updated the server to automatically monitor and report the length of time each operation spends waiting in the work queue before a worker thread can begin to process it. Issue:DS-12218
Updated the Configuration API output where properties and their values are listed to include those that are undefined. Issue:DS-12123
Updated UnboundID work queue processing to log expensive work queue operations and diagnostic thread stack traces when a queue backlog alarm is raised. Issue:DS-12319
SCIM, through proxy, does not support pagination. Pagination requires the use of VLV and Server Side Sort controls, which are not natively supported by the Identity Proxy Server. The SCIM proxy configuration script incorrectly included these controls in the ACI and supported controls sections. These have now been removed. Issue:DS-12480 SF#:2636
Added features to allow clients to better determine the set of requirements that the server will impose for user passwords. The get password quality requirements extended operation can be used to retrieve information about the requirements before an attempted password change. Those requirements can be conveyed to the end user, and can potentially be used to enable some types of client-side validation to identify problems with a password before it is sent to the server. The password validation details request control can be included in an add request, a modify request, or a password modify extended request to identify which specific validation requirements may not have been met by the password provided in the request.
Password validators can be configured with user-friendly messages that better describe the constraints that the validator will impose for passwords, and that the validator should return if a proposed password does not satisfy those constraints. The server will generate these messages if they are not provided in the configuration. Issues:DS-12107,DS-12137
Added the ability to reset user passwords with a single-use, time-limited token that is delivered to the end user through some out-of-band mechanism like SMS or email. After determining the identity of the user for whom the password reset token should be generated, an application can use the new "deliver password reset token" extended operation to cause the server to create and deliver the token to the user. This token can then be provided to the "password modify" extended operation in lieu of the user's current password in order to allow that user to select a new password. Password reset tokens can optionally permit users to reset their passwords even if their account is not usable (for example, because their account is locked or their password is expired). Issue:DS-8739
The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state. Issue:DS-12579 SF#:2655
Fixed an issue that would result in long server startup when many locations and load balancing algorithms are defined. Issue:DS-12802 SF#:2677
These features were added for version 5.0.0.0 of the Directory Proxy Server:
Java 7 is now required when setting up a new server or upgrading an existing server.
Added a poll-backend-servers-for-global-index-changes configuration property to allow the entry-balancing request processor to retrieve information about changes processed in backend servers and keep the global index up to date. All backend servers must be configured to maintain an LDAP changelog if this feature is enabled.
Added Server SDK support for creating custom server affinity providers.
Enabled support for the SSLv2Hello TLS protocol by default in JVMs that support it. This does not enable support for the insecure SSLv2 protocol, but it can improve compatibility with clients running older versions of Java that may start TLS negotiation with an SSLv2 client hello packet before negotiating to a higher version of the TLS protocol. Support for SSLv2Hello in the initial phase of negotiation does not in any way compromise the strength of the integrity and/or confidentiality protection that is ultimately negotiated between the client and the server.
Added a Monitor History plugin that periodically records cn=monitor to timestamped files to aid in isolating intermittent problems. By default, it logs the full cn=monitor branch every five minutes to compressed files within logs/monitor-history/. Files are deleted automatically, but a sparse set of older files are kept to provide historical perspective on server performance. The collect-support-data tool has also been updated to collect a few of these files to aid in root cause analysis.
The default SCIM base context path changed from / to /scim. Any clients using the previous base context path will no longer be able to access SCIM services until they are updated. The following dsconfig command may be used to revert to the previous base context path after update:
dsconfig set-http-servlet-extension-prop --extension-name SCIM --set base-context-path:/
Introduced the Configuration HTTP Servlet Extension, which can be used for querying and updating the configuration over a REST API. This feature is currently experimental and is subject to change in the future. Your feedback is welcome.
These were known issues at the time of the release of version 5.0.0.0 of the Directory Proxy Server:
For Entry Balancing deployments referencing custom schema in the Global Attribute Index, the attributes should be defined in the Proxy's schema as well as the external Data Store.
These issues were resolved with version 5.0.0.0 of the Directory Proxy Server:
Fixed the gauge configuration manager to only re-initialize the gauge that was changed, and not any of the other gauges that did not change. Issue:DS-11472
Fixed the alarm manager to generate alarm-cleared alerts when internal alarms are cleared and the alarm manager's generated-alert-types property has the "alarm" value. Issue:DS-11541 SF#:2421
Updated the javadoc for the Example Overload Handler plugin to include the argument "invoke-for-internal-operations" with a value of "false" during the plugin creation. Previously, the plugin, when enabled, would drop internal queries to the monitor backend initiated by the gauge state provider.
Fixed an issue in the Example Overload Handler plugin's applyConfiguration method, where when any changes were made to the plugin's configuration itself (such as adding a new pre-parse type), it would drop requests because we were doing an LDAP search for the gauge argument in the config backend over a client connection, instead of using an internal connection.
Fixed an issue where when the Example Overload Handler plugin was disabled and then re-enabled, an IllegalStateException occurred because the monitor provider that publishes drop stats was previously registered. Issue:DS-11565 SF#:00002421
Fixed the alarm manager to not include the details of the old alarm (the alarm being cleared) in the "alarm-cleared" alert message. Issue:DS-11546
Updated gauge alert details to include the last threshold value that was crossed. Issue:DS-11396
Fixed the dsconfig tool to suppress all stray output when run in batch mode with the --quiet option. Issue:DS-10460
Updated the uninstall tool so that it unregisters the local server from any configured peer servers. Issue:DS-11564
Fixed an issue in which tools such as dsconfig, status, and dsreplication could not connect to the server over SSL or StartTLS. This occurred when a certificate was accepted with the 'Manually validate' option, while using the interactive LDAP connection menu. Issue:DS-11688
Updated the alarm manager to not generate an "alarm-normal" alert when a gauge's condition abates. Issue:DS-11637
Updated the entry-balancing request processor to reject atomic multi-update requests that have one or more changes targeting entries at or outside of the balancing point. Issue:DS-11642
Reduced the severity of the "unrecognized alert type" message in the error log from SEVERE_WARNING to NOTICE. The message now states that this is expected if the server is reverted to a version prior to the implementation of these alert types. Issue:DS-11453
Removed the "alarm-normal" alert. Issue:DS-11730
Updated the server so that alarm-cleared, alarm-warning, alarm-minor, alarm-major, and alarm-critical alerts are not subject to duplicate alert suppression. Separate alert notifications of these types may represent distinct conditions and resources that should not be suppressed. Issue:DS-11738
Updated the alarm manager to not persist normal alarms. Issue:DS-11719
Updated the ExampleOverloadHandlerPlugin to monitor the alarm backend for delete actions, so that it can react appropriately to abating gauge conditions. Issue:DS-11719
Critical: Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.
SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.
It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination. Issue:DS-11782
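The check described above can be automated against the file-based access log. The following Python script is an added example and is not part of the product or these release notes; it assumes the access log shape used here (a bracketed timestamp, a message type such as SECURITY-NEGOTIATION or CONNECT, then name=value fields), that CONNECT messages carry the client address in a "from" field, and that a disconnect for a disallowed protocol mentions "SSLv3" in its "reason" field. The log lines are constructed for the example; the disconnect reason text is a placeholder, not the server's actual wording.

```python
import re

# Assumed access log shape (constructed for this example): a bracketed
# timestamp, a message type, then name=value fields whose values may be quoted.
MSG_RE = re.compile(r'^\[[^\]]+\]\s+([A-Z-]+(?: [A-Z]+)?)\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: conn 42 is a healthy TLSv1.2 client, conn 43 negotiated
# SSLv3 on an LDAPS port, conn 44 negotiated SSLv3 via StartTLS, and conn 45
# was refused after SSLv3 was disabled (the reason text is a placeholder).
SAMPLE_ACCESS_LOG = [
    '[20/Oct/2014:09:12:00.004 -0500] CONNECT conn=42 from="192.0.2.20:50120" to="192.0.2.1:636" protocol="LDAPS"',
    '[20/Oct/2014:09:12:01.118 -0500] SECURITY-NEGOTIATION conn=42 protocol="TLSv1.2" cipher="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"',
    '[20/Oct/2014:09:12:03.774 -0500] CONNECT conn=43 from="192.0.2.55:40211" to="192.0.2.1:636" protocol="LDAPS"',
    '[20/Oct/2014:09:12:03.801 -0500] SECURITY-NEGOTIATION conn=43 protocol="SSLv3" cipher="SSL_RSA_WITH_RC4_128_SHA"',
    '[20/Oct/2014:09:12:05.002 -0500] CONNECT conn=44 from="198.51.100.7:52010" to="192.0.2.1:389" protocol="LDAP"',
    '[20/Oct/2014:09:12:05.020 -0500] EXTENDED REQUEST conn=44 op=0 requestOID="1.3.6.1.4.1.1466.20037" requestType="StartTLS"',
    '[20/Oct/2014:09:12:05.090 -0500] SECURITY-NEGOTIATION conn=44 protocol="SSLv3" cipher="SSL_RSA_WITH_3DES_EDE_CBC_SHA"',
    '[20/Oct/2014:09:12:06.311 -0500] CONNECT conn=45 from="203.0.113.9:61002" to="192.0.2.1:636" protocol="LDAPS"',
    '[20/Oct/2014:09:12:06.330 -0500] DISCONNECT conn=45 reason="Client attempted to use disallowed protocol SSLv3"',
]


def parse_line(line):
    """Split one access log line into (message type, {field: value})."""
    m = MSG_RE.match(line)
    if not m:
        return None
    fields = {}
    for name, raw in FIELD_RE.findall(m.group(2)):
        fields[name] = raw[1:-1] if raw.startswith('"') else raw
    return m.group(1), fields


def find_sslv3_clients(lines):
    """Report connections that negotiated SSLv3, or were refused for trying to.

    Each finding carries the connection id, the client address taken from the
    matching CONNECT message, the negotiated cipher (None when the connection
    was refused) and whether the server rejected the connection.
    """
    client_by_conn = {}
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_type, f = parsed
        conn = f.get("conn")
        if msg_type == "CONNECT":
            client_by_conn[conn] = f.get("from", "unknown")
        elif msg_type == "SECURITY-NEGOTIATION" and f.get("protocol") == "SSLv3":
            findings.append({"conn": conn, "client": client_by_conn.get(conn, "unknown"),
                             "cipher": f.get("cipher"), "rejected": False})
        elif msg_type == "DISCONNECT" and "SSLv3" in f.get("reason", ""):
            findings.append({"conn": conn, "client": client_by_conn.get(conn, "unknown"),
                             "cipher": None, "rejected": True})
    return findings


def clients_needing_upgrade(findings):
    """Distinct client IPs (port dropped) that still speak SSLv3, sorted."""
    return sorted({item["client"].rsplit(":", 1)[0] for item in findings})


if __name__ == "__main__":
    results = find_sslv3_clients(SAMPLE_ACCESS_LOG)
    for item in results:
        state = "rejected" if item["rejected"] else "negotiated SSLv3 with " + item["cipher"]
        print("conn=%s client=%s %s" % (item["conn"], item["client"], state))
    print("clients to upgrade:", ", ".join(clients_needing_upgrade(results)))
```

Correlating the SECURITY-NEGOTIATION message with the CONNECT message for the same conn id is what turns a protocol name into an actionable list of client addresses; the DISCONNECT branch catches clients that keep trying after SSLv3 has been disabled, which is the population that still needs updating.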
Updated the Web Console so that upon login, the user's old session is always invalidated. Issue:DS-11624
Updated the Web Console to suppress LDAP responses in user messages, such as when the server is unavailable or for authentication failures. Also added a context parameter to exclude stack traces and detailed error messages from appearing in the application's internal error page. Issues:DS-11629,DS-11645
Updated numeric gauges so that their severity changes when the current gauge value equals the threshold's exit value. Previously the value had to be strictly less than the exit value for the severity to change. Issue:DS-11837
Updated the PingDirectoryProxy Server to return a "size limit exceeded" result for a baseObject search that matches multiple entries because entries with the same DN exist in multiple entry-balanced backend sets. Previously, the server could return multiple entries, which is undesirable for a baseObject search. Issue:DS-11850
Updated the HTTP Detailed Access logger to use time stamps with millisecond precision. Issue:DS-11755
Fixed incorrect property references for trustStorePassword and keyStorePasswordFile in tools.properties that corresponded to the wrong argument names. Issue:DS-11751
Fixed an issue where the server would hang during startup due to a previous unexpected service outage resulting in an empty tasks.ldif file. Issue:DS-11868
Updated the setup tools to enable definition of external server instances that are configured to reject unauthenticated requests. Previously the tools would erroneously indicate these servers were unavailable. Issues:DS-11068,DS-11784,DS-11887
Fixed an issue where deleting values of a multi-valued attribute using SCIM PATCH could silently fail. Modifications in SCIM PATCH are now mapped directly to LDAP modifications to take advantage of the matching rules configured in the Identity Data Store, when matching deleted values. Since the SCIM PATCH is now applied by the Data Store, the Permissive Modify Request Control (1.2.840.113556.1.4.1413) is now required by the SCIM component. This will ensure that adding an existing value or deleting a non-existent value in the PATCH request will not result in an error.
To continue using SCIM component after an upgrade of the Identity Data Store or Identity Proxy, access controls and configuration may need to be updated to allow access to the Permissive Modify Request Control.
Identity Data Store:
dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12 || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
Identity Proxy:
dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2 || 1.2.840.113556.1.4.473 || 1.2.840.113556.1.4.319 || 2.16.840.1.113730.3.4.9 || 1.3.6.1.1.12 || 1.2.840.113556.1.4.1413")(version 3.0;acl "Authenticated access to controls used by the SCIM servlet extension"; allow (all) userdn="ldap:///all";)'
dsconfig set-request-processor-prop --processor-name dc_example_dc_com-req-processor --add supported-control-oid:1.2.840.113556.1.4.1413
Note that "dc_example_dc_com-req-processor" is the default processor name and it may be different depending on your configuration.
Identity Broker: For each Identity Data Store used as a user store, the following configuration changes are required:
dsconfig set-access-control-handler-prop --remove 'global-aci:(targetcontrol="1.3.6.1.1.13.2||1.3.6.1.4.1.30221.2.5.3||1.3.6.1.4.1.30221.2.5.25||1.2.840.113556.1.4.1413||1.3.6.1.4.1.30221.2.5.5||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'
dsconfig set-access-control-handler-prop --add 'global-aci:(targetcontrol="1.3.6.1.1.13.2||1.3.6.1.4.1.30221.2.5.3||1.3.6.1.4.1.30221.2.5.25||1.2.840.113556.1.4.1413||1.3.6.1.4.1.30221.2.5.5||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.2.840.113556.1.4.319||1.2.840.113556.1.4.1413")(version 3.0; acl "Broker User access to selected controls"; allow (read) userdn="ldap:///cn=Broker User,cn=Root DNs,cn=config";)'
Note that the user DN "cn=Broker User,cn=Root DNs,cn=config" is the default user DN created when the external store is prepared. It may be different depending on your configuration. Issue:DS-11138
The Identity Proxy Server will now periodically persist the global index to a file, and optionally prime the global index from the persisted file when the server is restarted. Issue:DS-11122
Reduced the Identity Proxy Server's global index memory use by tokenizing the attribute type in the RDN index and compacting indexed attribute values for syntaxes that support it, such as integer, hex string, and bit string syntaxes. Issue:DS-11402
Added the ability for a Server SDK extension, such as a Plugin, to register for notifications when an operation completes using the OperationContext#registerOperationCompletedListener() method. Issue:DS-11406
Fixed an issue where attempting to cancel many outstanding proxy operations could make the proxy server unresponsive. Issue:DS-12000 SF#:00002535
Fixed the index rebuild job so that it does not generate redundant "index-degraded" alerts when an index is being rebuilt. Issue:DS-11879
Updated the proxy server to limit the number of parallel threads that will be created to process entry balancing operations that must be broadcast. In configurations with a large number of worker threads or a large number of backend sets, this keeps the server from creating too many threads. Issue:DS-12002 SF#:2535
Improved the PingDirectoryProxy Server's handling for the rare case in which a number of backend server connections become invalidated, but that backend server still accepts connections and those newly-established connections can be successfully used to process operations. Issue:DS-12077
Disabled log rotation during startup to prevent potential problems with rotation dependencies on server components that have not yet been initialized. Issue:DS-10441
Added a gauge to the server to track JVM memory usage and alert if the amount of free memory gets low enough that it could impact server performance. Issue:DS-11993
Updated the server to make it easier to control the order of values in the ssl-protocol and ssl-cipher-suite properties in the LDAP connection handler and crypto manager configuration objects. Issue:DS-12147
Updated the server to perform a health check against an entry-balanced backend server in the event of a failure while processing a broadcast operation. Issue:DS-12077
Updated the HTTP Connection Handler to return a 404 Not Found response to requests for endpoints not handled by any servlet or web application extensions. Previously the handler would return a 200 OK with no response body. Issues:DS-12120,DS-8368
Updated the HTTP/HTTPS connection handler to Jetty 8.1.16.v20140903. Issue:DS-11959
These features were added for version 4.7.0.0 of the Directory Proxy Server:
Updated the server to support Alarms. An alarm represents a stateful condition of the server that might indicate a problem, such as low disk space or external server unavailability. The status command line utility and the monitoring page of the web console have been updated to expose the active alarms. Many existing alert types have been updated to be treated as alarms. When the condition associated with an alarm abates, the alarm is cleared.
Added support for Gauges. A gauge examines specific server monitoring data, and raises an alarm when a configured threshold is crossed. The server has out-of-the-box gauges such as CPU Usage and Disk Busy, and new ones can be added through the Gauge Data Source and Gauge configuration object types.
Added support for a matching entry count request control that uses server index data to quickly determine the number of entries that match the associated search request. The matching entry count response control will indicate whether the value is an exact count or an upper bound, and may contain additional debug messages describing the use of indexes to derive that count. This functionality is exposed on the ldapsearch command line tool with the --countEntries option.
Exposed more fine-grained control of transaction locking and retry. Added local DB backend configuration properties that can be used to specify default transaction settings that will be used for external transactions (LDAP transactions or atomic multi-update operations) that do not include a transaction settings request control. Added support for a transaction settings request control that can be used to customize the behavior of the server when processing a batched transaction or an atomic multi-update operation. Customizable settings include the commit durability, the number of retry attempts, the conditions under which to acquire an exclusive lock in the target backend while the commit is in progress, and upper and lower bounds for transaction lock timeouts.
OpenJDK 7 is now supported on Linux.
These were known issues at the time of the release of version 4.7.0.0 of the Directory Proxy Server:
JDK 6 is currently deprecated and will not be supported in the next major release.
UnboundID products are not supported on JDK 8.
These issues were resolved with version 4.7.0.0 of the Directory Proxy Server:
Fixed the web console so that attempts to reconnect (after the console is restarted) succeed. Issue:DS-11043
Updated the server preparation tools to use secure communication when setting up a Data Store for access over TLS. Previously the tools could fail when the server was configured to reject insecure requests. Issues:DS-11058,DS-6200
Updated the processing time histogram to use a more sensible format for aggregate percent values. The LDAP SDK monitor parsing support for this monitor entry has also been updated to accommodate either format. Issue:DS-11146
Added a result code tracker that maintains a monitor entry with counts and response times of results. Each result is categorized by operation type, post-response result code, and whether it is a failure or non-failure. Issue:DS-3270
Exposed LDAP extended operation throughput and response time data in the Periodic Stats Logger and the Metrics Engine to expand upon the set of tracked operation types. Issue:DS-10369
Exposed local & non-local external server health check states in the Proxy load balancer monitor entry. Issue:DS-10552
Fixed an issue with HTTP Connection Handlers that allowed them to be configured with ports that were already in use. Now the server will not start if an HTTP Connection Handler is configured to use a port that is in use. Issue:DS-11202
To ensure consistent response times, the server actively alerts when its threads are paused for more than a few seconds due to environmental issues. Causes may include running within a virtualized environment, disk swapping, and garbage collection. With this change, the server uses information provided by the JVM about recent garbage collection pauses to either rule out garbage collection as the source of the detected pause, or to provide details about the type of garbage collection that could have caused the pause. Issue:DS-10930
Added tracking of extended operations by type to the LDAP Result Code Tracker to increase the granularity of reported data. Issue:DS-11011
Updated the PingDirectoryProxy Server to ensure that the backend server connection is re-authenticated if a proxied operation fails with an AUTHORIZATION_DENIED result. Issue:DS-11127
Fixed a problem that could occur when using the "separate connections" verify credentials method against an UnboundID or Alcatel-Lucent 8661 PingDirectory Server. If a user entry was deleted shortly after a bind had been performed to authenticate that user, then the connection used to process that bind could be terminated and could cause the next attempt to use that connection to fail. Issue:DS-11454
Fixed a problem that prevented the server from starting if a TLS-enabled connection handler was configured with a certificate nickname that referenced a non-RSA certificate. Issue:DS-10949
Fixed an internal server error resulting from a multi-update request containing only password modify extended requests with target identities not prefixed with "dn:". Issue:DS-11449
These were known issues at the time of the release of version 4.6.0.0 of the Directory Proxy Server:
UnboundID products, Java SE, and the JVM do not use OpenSSL libraries and are therefore not vulnerable to OpenSSL issues. Oracle has provided a statement on the April 2014 OpenSSL Heartbleed vulnerability at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html. Issue:DS-10807
These issues were resolved with version 4.6.0.0 of the Directory Proxy Server:
Updated the validate-file-signature tool to ensure that it will always display a final summary message to indicate whether any warnings or errors were encountered during processing. Issue:DS-10333
Updated the signed logging implementation to better handle any problems that may arise during cryptographic processing. If any such problem is encountered, the server will now include a message with information about the error in the signature block rather than suspending the logger with an exception recorded in the server.out log file. Issue:DS-10310
Fixed an issue in the Periodic Stats Logger, where no logging would occur when suppress-if-idle=true was configured, even when the server was not idle. Issue:DS-10387 SF#:2170
Added a new sanitize-log tool that can be used to remove sensitive information from server log files, including the file-based access log, the operation timing access log, the file-based error log, the file-based sync log, the file-based resync log, and the detailed HTTP operation log.
The sanitization process operates on fields that consist of name-value pairs. The field name and equal sign will always be retained, but in cases where the value may contain sensitive data, that value may either be replaced with the string "---REDACTED---", or it may be tokenized. If the tokenized value is a DN or filter, then attribute names in that DN or filter will be preserved while the values will be replaced with a string consisting of a number inside curly braces. If the tokenized value is not a DN or filter, then the entire value will be replaced with a number inside curly braces. If a string to be tokenized appears multiple times in the log, the same replacement token will be used for each occurrence of that string to make it possible to correlate occurrences of that string without revealing the actual content.
The sanitize-log tool has a default configuration that should be sufficient for many environments, allowing it to tokenize or redact sensitive information while preserving non-sensitive content for use in diagnosing problems or understanding usage patterns. However, this behavior can be customized using command-line arguments by indicating whether to preserve, tokenize, or redact a given log field. Issue:DS-10472
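The tokenization scheme described above (field names and equal signs kept, values redacted or replaced by consistent numbered tokens, attribute names preserved inside DNs and filters) can be illustrated with a small sanitizer. The following Python code is an added example and is not the sanitize-log tool's own implementation; the access log layout, the choice of which fields to tokenize or redact, and the sample log lines are all assumptions constructed for the example, and escaped characters in DNs are not handled.

```python
import re

REDACTED = "---REDACTED---"

# name=value log fields; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# One assertion inside an LDAP filter, e.g. (uid=jdoe) or (createTimestamp>=2016...).
ASSERTION_RE = re.compile(r'\(([A-Za-z0-9.;-]+)(>=|<=|~=|=)([^()]*)\)')
# A value that starts like an RDN ("attr=") is treated as a DN.
DN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9.;-]*=')


class LogSanitizer:
    """Tokenize or redact selected name=value fields, keeping names and '='."""

    def __init__(self, tokenize_fields, redact_fields=()):
        self.tokenize_fields = set(tokenize_fields)
        self.redact_fields = set(redact_fields)
        self._tokens = {}  # original string -> token number, shared across all lines

    def token(self, value):
        """Return the same {n} token every time the same string is seen."""
        if value not in self._tokens:
            self._tokens[value] = len(self._tokens) + 1
        return "{%d}" % self._tokens[value]

    def tokenize_dn(self, dn):
        """Keep each attribute name, replace each RDN value (escaped commas not handled)."""
        rdns = []
        for rdn in dn.split(","):
            name, _, value = rdn.partition("=")
            rdns.append("%s=%s" % (name.strip(), self.token(value.strip())))
        return ",".join(rdns)

    def tokenize_filter(self, ldap_filter):
        """Keep attribute names and operators, replace each assertion value."""
        return ASSERTION_RE.sub(
            lambda m: "(%s%s%s)" % (m.group(1), m.group(2), self.token(m.group(3))),
            ldap_filter)

    def tokenize_value(self, value):
        if value.startswith("(") and value.endswith(")"):
            return self.tokenize_filter(value)
        if DN_RE.match(value):
            return self.tokenize_dn(value)
        return self.token(value)  # neither DN nor filter: whole value becomes one token

    def sanitize_line(self, line):
        def replace(m):
            name, raw = m.group(1), m.group(2)
            quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
            value = raw[1:-1] if quoted else raw
            if name in self.redact_fields:
                new = REDACTED
            elif name in self.tokenize_fields:
                new = self.tokenize_value(value)
            else:
                return m.group(0)  # field not configured: preserved as-is
            return "%s=%s" % (name, '"%s"' % new if quoted else new)
        return FIELD_RE.sub(replace, line)


# Constructed sample access log lines (not real server output).
SAMPLE_LOG = [
    '[12/May/2016:10:15:22.301 -0500] CONNECT conn=17 from="192.0.2.10:51234" to="192.0.2.1:636" protocol="LDAPS"',
    '[12/May/2016:10:15:22.390 -0500] BIND RESULT conn=17 op=0 dn="uid=jdoe,ou=People,dc=example,dc=com" authType="SIMPLE" resultCode=0 etime=1.204',
    '[12/May/2016:10:15:22.410 -0500] SEARCH REQUEST conn=17 op=1 base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=person)(uid=jdoe))" attrs="cn,mail"',
    '[12/May/2016:10:15:22.455 -0500] SEARCH RESULT conn=17 op=1 resultCode=0 etime=0.612 entriesReturned=1 authzDN="uid=jdoe,ou=People,dc=example,dc=com"',
]


def sanitize_sample():
    """Sanitize SAMPLE_LOG with an assumed field policy: DN/filter fields tokenized,
    the client address redacted, everything else preserved."""
    sanitizer = LogSanitizer(tokenize_fields={"dn", "base", "filter", "authzDN"},
                             redact_fields={"from"})
    return [sanitizer.sanitize_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for line in sanitize_sample():
        print(line)
```

Because the token map lives on the sanitizer object rather than on a single line, "jdoe" becomes {1} in the bind DN, in the search filter and in the authorization DN alike, so the three operations can still be tied to one user without revealing who that user is; the base DN shares the {2},{3},{4} tokens with the bind DN for the same reason.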
Fixed issues with the JDBC Access Logger that were related to Oracle Thin Client, where column values were "null" and disabling the logger resulted in losing a connection to the server when using the dsconfig command. Issue:DS-10485
Added additional logic for maintaining the global index and preventing duplicates when adding, deleting, or renaming entries with the same DN. Issue:DS-10468 SF#:2183
Fixed an issue so that collect-support-data now generates filename entries correctly. Previously, the tool would hang if the archiving of files following a symbolic link required generating a non-duplicating filename entry. Issue:DS-10582
Enabled the Host System Monitor Provider by default so that system CPU and memory utilization will be reported automatically through the server's monitoring framework. Disk and network monitoring can be enabled by configuring values for the disk-devices and network-devices configuration properties. Issue:DS-10562
The default timeout period for smtp-timeout was changed from none to two minutes to prevent non-responsive mail servers from disrupting administrative functions. Issue:DS-10230
Added a new type of Server SDK extension that can be used to allow extended requests to be forwarded to one or more backend servers in entry-balanced and/or simple proxy configurations. Issue:DS-10498
The Proxy Server bind response no longer includes IntermediateClient response controls if the IntermediateClient request control was not in the bind request. Issue:DS-10672 SF#:00002238
Updated configuration object descriptions and menu items to reflect that PingDirectory Server Enterprise Edition support applies to both Sun and Oracle branded versions of the product. Issue:DS-10449
Added support for two new controls that can help influence how requests are routed in an entry-balanced environment. The get backend set ID request control may be used to determine which backend sets were used to process an operation, and the route to backend set request control may be used to either hint at or explicitly specify the backend sets in which a request should be processed. Each of these controls may be used in conjunction with add, simple bind, compare, delete, modify, modify DN, and search operations. They can also be used in conjunction with the multi-update extended operation, and with any operation supported by a proxied extended operation handler. Issue:DS-10497
The setup command no longer saves user-provided key store and trust store passwords in PIN files. Passwords provided during setup are encrypted with the configuration data. If the administrator chooses to use PIN files to supply the passwords, the files are referenced in the server configuration by the key manager and trust manager. Issue:DS-10787
Updated the access logger so that result messages include user-friendly names for result codes in addition to their numeric values. Issue:DS-9946
Updated the Periodic Stats Logger to include an empty value in the output rather than "infinity" in certain circumstances. This avoids problems plotting the output in a spreadsheet. Issue:DS-8842
Fixed an issue that prevented the password policy control from being forwarded through a proxy when included with a password modify extended operation. Issue:DS-10931 SF#:2220
Fixed an issue where ldap-diff would stop working when it encountered an invalid DN from one of the servers. The command now finishes processing, but ignores invalid entries. Issue:DS-10650
Updated dsconfig to treat tabs as whitespace in batch files. Issue:DS-10549
Added Metrics Collection Size Limit Retention Policy to the metrics backend to allow up to 2 GB of metric data to be buffered locally, which allows the Metrics Engine to be offline for a longer time without missing collected data. Issue:DS-10156
Removed the deprecated "lshal" command from the Linux-specific processes performed by the collect-support-data tool and added the similar command "udevadm info --export-db". Issue:DS-10713
Delete requests going through an entry balancing request processor no longer require the requester to have permission to use the pre-read request control (1.3.6.1.1.13.1) on the backend servers. The pre-read request can be used to keep the global index up to date for deleted entries, but it requires explicitly adding permission for this control on the backend servers. This functionality can be enabled by setting the advanced "global-index-update-method-for-deletes" configuration option for entry balancing request processors to "pre-read-request-control." Issue:DS-10961 SF#:2260
Updated the Replication Servers table produced by the dsreplication tool to omit unnecessary "Security" column. Issue:DS-10442
Clients with the 'privilege-change' privilege are now able to add entries with ds-privilege-name values through the proxy server. Issue:DS-10935
These features were added for version 4.5.1.0 of the Directory Proxy Server:
The collect-support-data tool now refers to tools.properties for default command-line options.
The collect-support-data tool now supports an option to encrypt the data archive, to ensure protection of customer data while in transit, and an option to reduce the amount of potentially sensitive data that is collected.
Cross-Origin Resource Sharing (CORS) support is now included for HTTP Servlet Extensions, including the SCIM RESTful APIs.
These were known issues at the time of the release of version 4.5.1.0 of the Directory Proxy Server:
When the Velocity servlet receives CORS-enabled requests and has a cross-origin policy in effect, it will return multiple Access-Control-* headers with duplicate values. This will cause cross-origin requests issued by web browsers to fail. Issue:DS-10205
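A check for the symptom described in this known issue, written as an added example rather than code from the product: it parses a raw HTTP response, reports Access-Control-* headers that appear more than once, and shows the kind of de-duplication an intermediary could apply. The response text is constructed.

```python
"""Detect duplicated Access-Control-* response headers (added example).

This is a stand-alone check for the symptom described in DS-10205, in which
a CORS-enabled response carries the same Access-Control-* header more than
once.  It is not code from the Directory Proxy Server; the sample response
below is constructed to reproduce the symptom.
"""
from collections import defaultdict

# Constructed sample response showing the duplicated headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: https://app.example.com\r\n"
    "Access-Control-Allow-Origin: https://app.example.com\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Access-Control-Allow-Methods: GET, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response.

    Header names are lower-cased; repeated headers are preserved in order so
    that duplicates remain visible to the caller.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_duplicate_cors_headers(raw):
    """Map each Access-Control-* header that occurs more than once to its values.

    Browsers reject a response that repeats Access-Control-Allow-Origin, even
    when every copy carries the same value, so any entry returned here means
    cross-origin requests against this endpoint will fail.
    """
    seen = defaultdict(list)
    for name, value in parse_headers(raw):
        if name.startswith("access-control-"):
            seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def collapse_identical_cors_headers(raw):
    """Rewrite the response so each identical Access-Control-* header appears once.

    Only exact (name, value) repeats are dropped; a header repeated with
    conflicting values is left untouched, since choosing one would change
    the policy rather than repair the formatting.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]]
    emitted = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = (name.strip().lower(), value.strip())
        if key[0].startswith("access-control-"):
            if key in emitted:
                continue  # exact duplicate of a header already written
            emitted.add(key)
        kept.append(line)
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for name, values in find_duplicate_cors_headers(SAMPLE_RESPONSE).items():
        print(f"duplicated header {name}: {values}")
```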
These issues were resolved with version 4.5.1.0 of the Directory Proxy Server:
Update the make-ldif tool to no longer assign the objectClass value of extensibleObject to branch entries. If needed, "objectClass: extensibleObject" can be added explicitly to the branch definition. Issue:DS-8530
Fix a bug where authentication with SCIM would fail when the password provided contained a colon character. Note: HTTP Basic Authentication does not allow usernames to contain a colon character, but LDAP DNs can, so avoid using DNs with a colon when authenticating with SCIM. Issue:DS-10045 SF#:2112
The setup tool's --aggressiveJVMTuning and --verboseGC command-line options have been deprecated. Instead, use --jvmTuningParameter AGGRESSIVE and --jvmTuningParameter VERBOSE_GC respectively. Issue:DS-9079
Add support for a password retirement feature. If enabled, whenever a user's password is changed, the server will retire the user's former password in a way that allows it to continue to be used for a configurable length of time. This makes it possible to have a grace period when changing a password so that applications which have been configured with the previous password will still be able to authenticate with that password until they can be updated with the new password.
This capability is disabled by default but can be enabled to automatically retire user passwords on self changes and/or administrative resets. It is also possible to allow passwords to be retired via the use of a control included in a modify request or a password modify extended request. Issue:DS-9848 SF#:00002075
Update the server configuration to use a new default limit for duplicate alert suppression. The previous default imposed a maximum of 100 alerts of the same type per hour. The new default imposes a maximum of 10 alerts of the same type every ten minutes. This is more likely to suppress bursts in which the same alert is repeatedly generated over a short time without interfering with multiple occurrences of alerts of the same type over a longer period of time. Issue:DS-9259
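To make the trade-off between the two defaults concrete, here is an added example (not the server's implementation) that runs a sliding-window suppressor with both limits over a burst of identical alerts and over alerts spread evenly across two hours. The sliding-window semantics and the alert type name are assumptions.

```python
"""Compare the old and new duplicate-alert suppression defaults (added example).

This is not the server's suppression code; it models each limit as a sliding
window that allows at most `max_count` emitted alerts of one type within any
`window_seconds` span, which is an assumption about the real behaviour.
"""
from collections import defaultdict, deque


class DuplicateAlertSuppressor:
    """Allow at most max_count alerts of a given type in any window_seconds span."""

    def __init__(self, max_count, window_seconds):
        self.max_count = max_count
        self.window = window_seconds
        # alert type -> timestamps of alerts that were allowed through
        self._history = defaultdict(deque)

    def offer(self, alert_type, now):
        """Return True if the alert should be emitted, False if it is suppressed."""
        history = self._history[alert_type]
        while history and now - history[0] >= self.window:
            history.popleft()  # drop emissions that have aged out of the window
        if len(history) >= self.max_count:
            return False
        history.append(now)
        return True


# Defaults named in the release note: (max alerts of one type, window in seconds).
OLD_DEFAULT = (100, 3600)  # 100 per hour
NEW_DEFAULT = (10, 600)    # 10 per ten minutes


def run_policy(max_count, window_seconds, timestamps, alert_type="constructed-alert"):
    """Feed alerts of one type (constructed timestamps) through a policy; return count emitted."""
    suppressor = DuplicateAlertSuppressor(max_count, window_seconds)
    return sum(1 for t in timestamps if suppressor.offer(alert_type, t))


def burst_scenario():
    """50 identical alerts, one per second: the burst the new default is meant to damp."""
    times = list(range(50))
    return run_policy(*OLD_DEFAULT, times), run_policy(*NEW_DEFAULT, times)


def spread_scenario():
    """One alert every five minutes for two hours: neither default suppresses anything."""
    times = [i * 300 for i in range(24)]
    return run_policy(*OLD_DEFAULT, times), run_policy(*NEW_DEFAULT, times)


if __name__ == "__main__":
    print("burst  (old, new):", burst_scenario())   # (50, 10)
    print("spread (old, new):", spread_scenario())  # (24, 24)
```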
Update the replication backlog health check to make the monitor searches more efficient. Issue:DS-9229
Fix a bug in the PingDirectoryProxy Server that could prevent a transaction from succeeding in an entry-balanced environment if it consisted only of add operations below an existing entry beneath the balancing point. Issue:DS-9881
Add a new load-balancing algorithm monitor entry that reports on the health of the load-balancing algorithm, including the aggregate state of the load-balancing algorithm, the number of AVAILABLE, DEGRADED, and UNAVAILABLE servers associated with the load-balancing algorithm, and the individual health check states of each server associated with the load-balancing algorithm. The status command has also been updated to report this information. Issue:DS-9026
For a number of LDAP-enabled tools that support including arbitrary controls in requests, the tool supports the use of a user-friendly name instead of the OID for certain controls. This was not previously documented, but the tool usage for the "--control" argument now provides those user-friendly names so they are easier to use. Issue:DS-8685
Update the server to improve the caching behavior for PIN files as used by key and trust manager providers. In the case that the keystore or truststore file has been updated to require a new PIN and the existing PIN file is updated without a configuration change to the associated key or trust manager provider, the server would previously keep trying to use the old PIN. It will now look for and use an updated PIN if a failure is encountered while using the old PIN. Issue:DS-10113 SF#:2123
Update the collect-support-data tool so that it can encrypt the data that is captured to protect it from unauthorized third parties. The encryption key is generated from a passphrase which may be read from a file, interactively provided by the user, or dynamically generated by the tool. This passphrase must be provided to support personnel (ideally over a different communication channel than the encrypted support data archive itself) for them to be able to access the information it contains.
There is also a new option to decrypt an encrypted collect-support-data archive when provided with the encryption passphrase. Issue:DS-10129
Update the collect-support-data tool so that it is possible to configure default values for most arguments in the tools.properties file. Issue:DS-10178
Update the collect-support-data tool to further reduce the possibility of gathering sensitive information. Potentially sensitive data will be replaced with ---REDACTED--- in the output. A new "--securityLevel maximum" option can also be specified that redacts DNs and search filters, which might include personally identifiable information. Issue:DS-10115
These features were added for version 4.5.0.0 of the Directory Proxy Server:
The Proxy Server is now supported when deployed between SiteMinder and the Identity Data Store.
A new plugin that enforces global uniqueness for individual attributes or sets of attributes through the Identity Proxy Server. This includes topologies that have data split across multiple servers through entry balancing, or that store data in different subtree views on different servers.
The plugin can provide pre-commit and/or post-commit assurance. In pre-commit processing, the plugin identifies any existing conflicts, and will reject the operation if any are found. In post-commit processing, the plugin identifies conflicts and will generate an administrative alert if any are found.
A new config-diff command line utility can compare two server configurations and produce the difference as a dsconfig batch file. The file can then be used to bring the source configuration in line with the target. Comparisons can be done between live servers or configuration files, and between current or legacy configurations. Run 'config-diff --help' to get more information including example use cases.
These were known issues at the time of the release of version 4.5.0.0 of the Directory Proxy Server:
Java 1.7 has a synchronization bottleneck in HashMap that severely impacts performance. Use update 1.7u40, if possible, to avoid this issue. Issue:DS-9477
These issues were resolved with version 4.5.0.0 of the Directory Proxy Server:
Update the Identity Access API to automatically map LDAP attributes using the Generalized Time attribute syntax to the SCIM DateTime data type. Issue:DS-9758
Update SCIM and the Identity Access API to return a 400 status code when the id attribute is included in a PATCH request, as the id attribute is read-only. Issue:DS-9195
Fix a bug in the JDBC Access Logger that could cause incompatibility with some database versions and display a "Cannot commit when autoCommit is enabled" error message. Issue:DS-8750
Fix a potential case in which the server could log an access log message with raw binary content if that content was included in the response from a backend server that rejected a request that was forwarded to it. Issue:DS-8524
Update the server startup process so that if no messages have been logged for at least five minutes, the server will generate and log a message about the current phase of startup processing. This can help reassure administrators that the server is still starting and provide information about what phase of startup may be taking so long. Issue:DS-7450
Update the TOTP SASL mechanism handler to provide an option that will prevent TOTP passwords from being used multiple times, even in the same time interval. Issue:DS-8738
Enable the validate TOTP password extended operation handler in the out-of-the-box configuration. Issue:DS-8756
Fix a memory leak that could affect long-lived connections that are used to process a large number of non-anonymous bind operations without using the retain identity control. Issue:DS-8833
Update java.properties generation so that comments related to alternative JVM tunings are no longer present in the file. In most cases, rather than updating java.properties by hand you should use the dsjavaproperties tool to generate JVM options. Issue:DS-8339
Add an allow-insecure-local-jmx-access option to the global config that will expose JMX data via an insecure local JVM connection. Issue:DS-4300
Add support for a new multifactor authentication mechanism that uses one-time passwords that have been delivered to the end user through some out-of-band mechanism. The authentication is performed in a two-step process:
- The client first sends a "deliver one-time password" extended request, which includes an authentication ID to identify the target user, the static password for that user, and an optional list of allowed delivery mechanisms. If successful, this extended request will cause a one-time password to be generated and made available to the user through some mechanism (the server comes with support for delivering one-time passwords through e-mail via SMTP, and through SMS using the Twilio web service, and it also includes Server SDK support for creating custom delivery mechanisms).
- Once the user has received the one-time password, they may use it to authenticate via the UNBOUNDID-DELIVERED-OTP SASL mechanism, which includes an authentication ID, an optional authorization ID, and the one-time password value that was provided to them.
A new deliver-one-time-password command-line tool has been provided to make it possible to test the extended request used to provide the one-time password to the user, and all command-line tools that support SASL authentication have been updated to make it possible to use the UNBOUNDID-DELIVERED-OTP SASL mechanism. Issue:DS-6969
Add support for the LDAP simple paged results control in proxied environments, including both simple proxy configurations in which each instance has the entire data set, and in entry-balanced deployments in which the data is split across multiple sets of servers. Issue:DS-544
Add a new alert handler that can use the Twilio service to deliver administrative alerts via SMS. Long alerts may be either truncated or split into multiple SMS messages. Issue:DS-5587
Update the configuration schema to make the ds-cfg-inherit-default-root-privileges attribute mandatory for object class ds-cfg-root-dn-user which is used to define Root User DNs. When this attribute is not present on Root DN User entries, the effect is for the root user to inherit default privileges. It has been made mandatory to make this behavior more explicit. During an update of the server, root DN user entries that do not explicitly declare a value for this attribute will be updated with a value of 'true'. Issue:DS-8450
Fix a bug in which setting the show-all-attributes property to true in the root DSE or schema backends could cause the associated operational attributes to behave incorrectly if they appeared in other entries in the server (e.g., if this setting was enabled for the root DSE, then it could cause the subschemaSubentry operational attribute to behave as a user attribute in other entries as well). Issue:DS-8788
Improve performance when large static groups are retrieved over SCIM. The UnboundID Join Request Control is used to gather the attributes needed from each member entry and return them from the data store in a single operation. Issue:DS-7681
Add a WebLogic specific descriptor file for the web console to help with deployment compatibility. Issue:DS-8925 SF#:1915
The trust store password options have been deprecated for most tools that do not require read-write access to a trust store. Issue:DS-8789
Make a number of criteria-related improvements:
- Add Server SDK support for creating custom connection, request, result, search entry, and search reference criteria implementations.
- Update the simple request criteria type to make it possible to consider the search scope in determining whether a search operation matches the criteria.
- Update the simple result criteria type to make it possible to consider the indexed/unindexed status in determining whether a search operation matches the criteria.
- Add a new type of request criteria that may be used to more easily identify operations that target the server root DSE.
- Add a new type of result criteria that may be used to classify operations based on replication assurance requirements and/or whether those requirements were satisfied.
- Add a new allowed-insecure-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an insecure connection and the server is configured to reject insecure requests.
- Add a new allowed-unauthenticated-request-criteria global configuration property that may be used to identify requests that the server should allow even if they are received over an unauthenticated connection and the server is configured to reject unauthenticated requests. Issues:DS-5079,DS-8168,DS-8770
Add a new PingDirectoryProxy Server plugin that can be used to maintain referential integrity in proxied environments, including environments in which data is split across multiple servers using entry balancing or hierarchical separation. Issue:DS-5650
Make two new tools available that can be used in conjunction with referential integrity and unique attribute processing:
Update the server support for LDAP transactions (both standard LDAP transactions as described in RFC 5805, and the UnboundID-proprietary batched transactions implementation) to add support for proxied authorization by including a proxied authorization v1 or v2 control, or an intermediate client control with an alternate client identity, in the start transaction request. Issue:DS-8989
Add a new sign-log configuration property to file-based loggers that may be used to cause the server to digitally sign messages written by that logger. A new validate-file-signature tool may be used to verify signature information in signed log files, as well as LDIF files generated by signed LDIF exports. Issue:DS-8662
Add alternate auth support from the Entry Balancing Request Processor config for proxied authorization controls. Issue:DS-9134 SF#:1978
Add some safeguards against runtime exceptions in proxy transformations. Issue:DS-9142 SF#:1977
Fix a bug where internal searches using size limit restrictions could return incorrect and unexpected results when serviced by an entry balanced request processor. Issue:DS-9154 SF#:1977
Add support for two new extended operations. A list configurations extended operation may be used to obtain information about the configurations that are available within the server, including the currently-active configuration, the baseline configuration (i.e., the base configuration for an out-of-the-box installation of the current version), and all archived configurations that reflect configuration changes over time. A get configuration extended operation may be used to retrieve a specific configuration from the server. Issue:DS-9149
Update setup to fix a bug in which file path options specified as relative to the current directory may cause the server to be configured incorrectly or cause setup failure. Issue:DS-8389
Update the HTTP Connection handler to support configuration for tracking sessions either through HTTP cookies or by URL rewriting. Issues:DS-8639,DS-9128
Update the server so that it will allow TLS renegotiation by default if it detects that it is running in a JVM that includes support for the extension described in RFC 5746. Older JVMs are vulnerable to a man-in-the-middle attack that could exploit a renegotiation flaw to inject arbitrary cleartext into a secure communication stream, and support for renegotiation was disabled by default to eliminate the possibility of such an attack against the server. However, modern JVMs have fixed the vulnerability, and allowing TLS renegotiation on such systems allows for better compatibility with clients that attempt to perform renegotiation. Issue:DS-6307 SF#:1972
Update the server to provide a degree of sandboxing around Server SDK extensions so that an unexpected exception thrown by an extension will be caught and result in an administrative alert rather than being caught further up in the stack and potentially causing other problems. Issue:DS-9247
In the rare cases where it is necessary to forcefully terminate the JVM from within the server itself, ensure that any files marked for deletion when the JVM shuts down are manually deleted before the JVM is terminated. This can help avoid problems like server shutdown not being detected properly because the server PID file hasn't been removed. Issue:DS-9267
Provide improved schema validation to detect additional cases in which certain misspelled tokens in the definition for a schema token could be silently interpreted as an extra property for that schema element. The server will now log a warning message about these unexpected tokens so that administrators can either correct them or prefix them with "X-" to indicate that they are an extra property provided for informational purposes. Issue:DS-9236
Reduce the time it takes the server to shut down in certain situations. Background threads sometimes missed a signal to wake up and had to wait for their next polling interval to see that a shut down had been requested. Issue:DS-9334
Update the default behavior of all file-based loggers to have include-thread-id=true. This will include a compact thread ID in all log messages. This can make it easier to correlate log messages generated by the same thread within a single log file or across different types of log files. Issue:DS-9352
Fix a bug where incorrect result codes could be returned from a Proxy configured for entry balancing with only a single subordinate request processor. Issue:DS-9389 SF#:2018
Add an option to avoid incorrectly classifying a server as UNAVAILABLE, by updating the maximum-allowed-local-response-time and maximum-allowed-nonlocal-response-time properties to be 10 seconds for the Admin Alert, Replication Backlog, and Work Queue Busyness LDAP Health Checks. The default values on the Search LDAP Health Check, which is the health check that is primarily concerned with server response time, have not been changed. Health Checks are also now run in order from fastest to slowest to try to catch problems as soon as possible. Issue:DS-8974
Remove -XX:+UseMembar from the default set of generated JVM properties except on early JVM versions where this setting was required to work around a threading bug in the JVM.
Update the server JVM arguments generated by setup and dsjavaproperties to explicitly define -XX:MaxNewSize and -XX:NewSize for JVMs 1GB in size and larger. Also, add a comment to the generated java.properties file directing the administrator to use dsjavaproperties for making memory-related changes to this file rather than editing it directly. Issue:DS-9227
Fix an issue where the server could return an invalid result code (-1) in a few exceptional cases. These cases have been updated to return the appropriate result code and a general check has been added to convert any future cases where this occurs into a generic but valid server error code. Issue:DS-9409
Add password file arguments to the scripts used to prepare external servers. Issue:DS-9406
The SCIM configuration for the Groups derived attribute now indicates whether to rely on the isMemberOf attribute or not. The default behavior is to rely on isMemberOf. This change eliminates unnecessary group membership searches in the case where an entry does not belong to any groups. Issue:DS-9051
Update the make-ldif utility such that first and last names are now generated randomly instead of in sequential alphabetical order. The original ordered behavior can be enabled by using the --orderedNames option. Issue:DS-9504
Update the setup and dsjavaproperties tools to permit maximum heap size values for memory that is not currently available on the host, though the value must still be less than the total amount of memory present on the host. Issue:DS-9111
Update the setup and dsjavaproperties tools to permit JVM heap size values to be as large as the amount of memory present on the system would permit. Issue:DS-9494
Update the Server SDK to provide the ability to run command line utilities within the server process. A ToolExecutor can be retrieved from the ServerContext. Currently, only the config-diff command is supported, but additional commands might be supported in the future. Issue:DS-9537 SF#:00001858
Enhance dsconfig to write to the config audit log when in offline mode. Issue:DS-1495
Alter some potential error messages that could expose the server's key or trust store file path to the client if the server configuration for that key or trust store was not correct (e.g., if it was configured with an incorrect PIN). Issue:DS-8873
If an SSL certificate nickname is specified in the configuration of an LDAP connection handler (to indicate which certificate the server should present to clients), validate that the specified certificate is actually available via the configured key manager provider. Previously, it could be difficult to troubleshoot problems that may arise as the result of specifying the nickname for a nonexistent certificate. Issue:DS-8947
On Linux, issue a warning on startup and after a JVM pause if the kernel setting vm.swappiness is not 0 as this can cause the server to become unresponsive for several seconds when memory is paged back from disk during a garbage collection. Issue:DS-9070
Update the server to provide improved support for the intermediate client control with alternate authorization identities in entry-balanced environments. Issue:DS-9139
Automatically record server monitor data at shutdown, as it may be useful for debugging purposes in cases where a problem was experienced within the server that was resolved by a restart. Issue:DS-9777
Update the config definitions for the client connection policy and simple connection criteria objects to provide additional documentation about using connection criteria in conjunction with client connection policies. In particular, it is now clearer that connections secured with StartTLS are initially considered insecure before the StartTLS operation has been completed and therefore insecure connections must be allowed in order to permit them to submit the StartTLS requests needed to secure them. Issue:DS-9097
Improve the performance of certain monitor entry searches that target specific monitor entries by object class. In particular, this includes searches with AND or OR filters, as well as filters that target object classes not defined in the server schema. Issue:DS-9772
Update the LDAP processing within the server to be able to interpret malformed abandon requests sent by versions of the Netscape LDAP SDK for Java built before March 2001. Issue:DS-9865
Fix an issue where the Identity Access API would not return search results when filtering by an operational attribute unless the "attributes" query parameter was also used. Issue:DS-7891
Fix a problem that could interfere with the ability to react to configuration changes for some server components. Issue:DS-9897
Fix a bug that caused bind failures due to decoding errors associated with createTimestamp when connecting from a newer Proxy Server (4.x) to an older PingDirectory Server (3.x). Issue:DS-9895 SF#:2082
Critical: Update the replication backlog health check so that if a problem is encountered while attempting to retrieve monitor information from a backend server, that server will only be classified as degraded rather than unavailable. Issue:DS-9726
Update the message emitted by the server when a JVM pause is detected to list additional possible causes beyond garbage collection. Issue:DS-9859
These features were added for version 4.1.0.0 of the Directory Proxy Server:
The UnboundID Identity Broker is the first of a new class of components for consumer and subscriber identity management architectures.
As a stand-alone server, it provides authorization decisions for client applications, provisioning systems, API gateways, and analytical tools in any architecture involving personal, account, or sensitive identity data.
Working together with the UnboundID Identity Data Store and Identity Proxy, the Identity Broker is designed to make high-volume and high-speed authorization decisions based on ever-changing consumer profile and consent data. Functionally, the Identity Broker is both the Policy Decision Point and the OAuth2 provider for externalized authorization. Performance-wise, the Identity Broker can support the request volumes driven by the complex, real-time interactions necessary to support today's consumer-facing mobile, social, and cloud ecosystems.
These issues were resolved with version 4.1.0.0 of the Directory Proxy Server:
Update the PingDirectory Server and PingDirectoryProxy Server to provide improved support for LDAP transactions. It is now possible to use batched transactions (either the UnboundID proprietary implementation or standard LDAP transactions as per RFC 5805) through the Directory Proxy Server in both simple and entry-balanced configurations, although only in cases in which all requests may be processed within the same backend server and within the same Berkeley DB JE backend. It is not currently possible to process a transaction that requires changes to be processed across multiple servers or multiple Directory Server backends.
In addition, both the PingDirectory Server and PingDirectoryProxy Server now provide support for a new multi-update extended operation that makes it possible to submit multiple updates in a single request. These updates may be processed either as individual operations or as a single atomic unit. Issues:DS-1096,DS-524 SF#:00001419
Add the ability to rebalance entries amongst entry-balanced servers when those entries are modified through the Proxy Server, or when child entries are added below existing entries. Entry rebalancing support is currently limited to the entry counter placement algorithm. Issue:DS-6775
Add the ability to create custom SASL mechanism handlers using the Server SDK. This makes it possible for third-party developers to create their own custom authentication logic to better integrate with software that needs to perform a kind of authentication that the server does not support out of the box. Issue:DS-3650
Add support for a new UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism that provides a simple form of multifactor authentication by requiring both a client certificate (supplied during SSL/TLS negotiation) and a password. Issue:DS-4411
Add support for OAuth 2.0 bearer token authentication to the SCIM interface. This requires an OAuthTokenHandler extension built with the UnboundID Server SDK in order to decode and validate bearer tokens. Issue:DS-6763
Add a generic REST API that can be enabled in the PingDirectory Server or PingDirectoryProxy Server to expose access to raw LDAP data over HTTP using the SCIM protocol. Issue:DS-7267
Add support for RPM based installation. Issue:DS-5990
Update the names of the UnboundID-branded products, which are now:
- Identity Data Store (formerly PingDirectory Server)
- Identity Proxy (formerly Proxy Server)
- Identity Data Sync Server (formerly Synchronization Server)
- Metrics Engine (name unchanged) Issues:DS-7514,DS-7515,DS-7516,DS-7518
Add ability to set the maxHeapSize and listenAddress arguments in a properties file when running setup. Issue:DS-6003
Fix a bug where current heap size was not displayed in error message about being too low. Issue:DS-7292
Fix a bug where, under certain error conditions, the start server scripts could prompt the user to overwrite an existing file. Issue:DS-7268
Update the PingDirectoryProxy Server so that entry-balanced environments that use automatic rebalancing will attempt to avoid performing referential integrity processing when the entries are removed from the source server. References to rebalanced entries should remain intact, since the entries are going to stay in the environment with the same DN and attributes. Issue:DS-8038
Introduce an "include-thread-id" configuration property on many of the file-based loggers that when enabled adds a threadID field to logging output. This makes it possible to know exactly which thread logged a message, which can simplify correlating errors between log messages and separate logs. This ID can be correlated to a thread name using the cn=JVM Stack Trace,cn=monitor entry. Issue:DS-8212
Change stop-*.bat to attempt a soft server shutdown before terminating the process. Issue:DS-408
Addressed an issue in the monitoring pages of the web console where they incorrectly listed directory server replication related information. Issue:DS-7289
Update the JMX connection handler to infer an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) for JMX attributes from the underlying LDAP attribute type and value. The legacy behavior to return all JMX attributes as String values can be set if desired through the advanced global configuration property 'jmx-value-behavior'. Issue:DS-7635
Add help text for the --httpPort and --httpsPort options in the Identity Proxy setup command. Issue:DS-8378
Add the --noPropertiesFile option to the status command so that it does not fail when the option is provided to collect-support-data. Issue:DS-8390
Update setup to add a masters/peers trust-all argument so that the deployer must explicitly indicate that they trust the master/peer as well as any other masters/peers that are accessed during setup. In addition, if this argument is not specified, a prompting trust store manager will be used instead of the previous behavior of always using a trust-all manager. If setup is in non-interactive mode, neither the trust-all argument nor a JKS trust store has been specified, and setup is accessing the master/peer over SSL or StartTLS, setup will fail. Issue:DS-8381
These features were added for version 4.0.0.0 of the Directory Proxy Server:
Update the names of the UnboundID-branded products, which are now:
Introduce the Identity Access API, a generic REST API that can be enabled in the Identity Data Store or Identity Proxy to expose access to raw LDAP data over HTTP using the SCIM protocol. For configuration information, please refer to the "Managing the SCIM Servlet Extension" chapter of the Administration Guide. For API documentation, please refer to the UnboundID Identity Access API Client Developer Guide.
Add support for RPM based installation.
These were known issues at the time of the release of version 4.0.0.0 of the Directory Proxy Server:
UnboundID RPMs do not support the "--relocate" option. However, the RPMs are relocatable using the "--prefix" option at install time. Issue:DS-7890
These issues were resolved with version 4.0.0.0 of the Directory Proxy Server:
The default "SCIM HTTP Connection Handler" has been replaced by two default HTTP connection handlers, "HTTP Connection Handler" and "HTTPS Connection Handler". They are disabled by default unless the Identity Data Store or Identity Proxy is set up using the setup tool's "--httpPort" or "--httpsPort" options. Issues:DS-7517,DS-7679
File Server HTTP Servlet Extensions now allow a default MIME type to be set with the default-mime-type property. Issue:DS-6959
The SCIM service will now return an HTTP 500 status code instead of a 400 or 404 to the client when the request results in an LDAP result code 52. Issues:DS-7231,DS-7703
Fix an issue in which a NullPointerException would be thrown when setting the subordinate-base-dn Root DSE Backend property. Issue:DS-7371
To better comply with the SCIM 1.1 specification, the SCIM servlet will now issue a severe warning at startup if SSL is not enabled. Issue:DS-7252
The SCIM servlet now allows HTTP basic authentication to be disabled if OAuth bearer token authentication is enabled. Issue:DS-7264
To comply with the SCIM 1.1 specification, the default scim-resources.xml configuration file now maps SCIM IDs to LDAP entryUUIDs rather than DNs by default. Issue:DS-7478
Fix an issue in which certain password policy and sensitive attribute settings were not enforced if a request originated over an insecure SCIM connection. Issue:DS-7504
The SCIM service will now return an HTTP 400 status code instead of a 500 when a failure occurs due to a sensitive attribute violation. Issue:DS-7703
Fix an issue with the SCIM XMLStreamMarshaller where it did not correctly handle invalid XML characters. Attributes that are not explicitly declared as BINARY in the schema may now be returned as base64-encoded strings if they contain any invalid XML characters. The server will add the "base64Encoded=true" attribute to any XML elements for which this is done, so that the client will know the data is encoded. Issue:DS-7782
Change the stop-* tools to behave like other task-based tools. These tools require the --task argument to ensure that the user knows they are using a server task. They also will not use properties files unless the --usePropertiesFile or --propertiesFilePath argument is provided.
The proxy server in an entry-balancing configuration now supports moving entries within a data set using MODIFYDN. The new superior entry must reside in the same data set as the target entry. Issue:DS-5958 SF#:00001664
Fix a bug that prevented searching entry balanced backends from inside a proxy transformation. Issue:DS-7532 SF#:1818
Fix a bug that prevented viewing hidden and complex configuration properties using dsconfig in a non-interactive mode. Issue:DS-7245
Update the audit logger to provide the ability to exclude information about updates to a specified set of attributes. By default, updates to the ds-last-access-time, ds-pwp-last-login-time, and ds-sync-hist attributes will be suppressed. Information about updates to these attributes will also be suppressed in the LDAP changelog by default. Issue:DS-7584
Improve the performance of ldifmodify when executed with a large source LDIF file. Issue:DS-7656
Fix a bug in the manage-extension tool that would cause an error when attempting to install an extension if that extension's getExtensionDescription method returned null (which is allowed as per the documentation). Issue:DS-7367
Increase the frequency at which search time limits are checked in order to provide more accurate adherence. Issue:DS-7688 SF#:1834
Update dsconfig to allow configuration objects to reference group entries that don't exist (for example in the 'all-included-user-group-dn' property of SimpleConnectionCriteria). This prevents certain errors when running dsconfig in batch mode or when configuring things out of order. Issue:DS-4178
Fix a bug in the LDAPConnectionHandler where it did not close the NIO Selector on shutdown. On some platforms this caused the underlying socket channel to remain bound, which prevented the server from being able to restart. Issue:DS-7373
These features were added for version 3.6.0.0 of the Directory Proxy Server:
Add the ability to rebalance entries amongst entry-balanced servers when those entries are modified through the Proxy Server, or when child entries are added below existing entries. Entry rebalancing supports either an entry counter placement algorithm or a custom algorithm via a Server SDK extension.
Update the PingDirectory Server and PingDirectoryProxy Server to provide improved support for LDAP transactions. It is now possible to use batched transactions (either the UnboundID proprietary implementation or standard LDAP transactions as per RFC 5805) through the Directory Proxy Server in both simple and entry-balanced configurations, although only in cases in which all requests may be processed within the same backend server and within the same Berkeley DB JE backend. It is not currently possible to process a transaction that requires changes to be processed across multiple servers or multiple Directory Server backends.
In addition, both the PingDirectory Server and PingDirectoryProxy Server now provide support for a new multi-update extended operation that makes it possible to submit multiple updates in a single request. These updates may be processed either as individual operations or as a single atomic unit.
Add support for OAuth 2.0 bearer token authentication to the SCIM interface. This requires an OAuthTokenHandler extension built with the UnboundID Server SDK in order to decode and validate bearer tokens.
Add support for a new UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism that provides a simple form of multifactor authentication by requiring both a client certificate (supplied during SSL/TLS negotiation) and a password.
Add the ability to create custom SASL mechanism handlers using the Server SDK. This makes it possible for third-party developers to create their own custom authentication logic to better integrate with software that needs to perform a kind of authentication that the server does not support out of the box.
IPv6 is now a supported deployment option.
64-bit JDK 7 is now a supported deployment option, but 32-bit JDKs are no longer supported.
These issues were resolved with version 3.6.0.0 of the Directory Proxy Server:
Fix a bug that allowed ModDN operations on a proxy with entry balancing to duplicate an existing entry DN. Issue:DS-6866 SF#:1753
Update the JMX Connection Handler configuration to issue a warning if it is enabled. On some JVMs, enabling this aspect of JMX can lead to long garbage collection pauses. Issue:DS-6832
Provide adaptive load balancing for GetChangelogBatch requests in the PingDirectoryProxy Server. This allows it to spread the load from GCB requests evenly across backend servers in order to scale horizontally and increase overall throughput. Issue:DS-6910
Add help text to web console deployment descriptor with JBoss compatibility tips. Issue:DS-6976 SF#:1749
Update the logic that the server and its associated tools use to select the SSL/TLS protocol version for secure communication to provide the best combination of security and compatibility. Also, a new log message type is available that can provide information about the negotiated security protocol, including the selected SSL/TLS protocol version and cipher suite. Issues:DS-6720,DS-6903
Update the access logger API, in both the core server and the Server SDK, to add support for logging entry rebalancing processing. Issue:DS-7010
Prevent failures for configuration group changes where the parent configuration entry may or may not exist amongst the various servers in the configuration group. Issue:DS-6088
Address a server performance degradation when the separate-monitor-entry-per-tracked-application property of Processing Time Histogram Plugin was set to true. Issue:DS-7045
Fix the manage-tasks tool so that it does not use an insecure connection when --useStartTLS is specified, and does not prompt for certificate trust when --trustAll is specified. Issue:DS-5924
Update priming of the global index in the Proxy Server so that it fails over to an alternate PingDirectory Server if the initial choice becomes unavailable during priming. Issue:DS-2351
Add the --isCompressed option to the parallel-update tool so that it can read input LDIF files that are gzip compressed. Issue:DS-7237
Fix a problem in the manage-extension tool where it would fail on Windows because it tried to delete some temp files that were currently in use. Issue:DS-6770
Fix a bug in dsconfig that prevented going back when adding a new configuration object inside of an existing one. Issue:DS-7263 SF#:1793
Add a new "examples-of-all-tags.template" make-ldif template that demonstrates and explains the use of all variations of all supported tags. This template isn't intended to actually be used to generate entries, but merely to document the available tags. Issue:DS-5947
Update the PingDirectoryProxy Server to parallelize the process of establishing connections to each backend server. This can dramatically reduce startup time for environments with a lot of connections to servers that are remote and/or slow to respond, and can also help reduce the time needed to establish new connections that may be required after significant events like a configuration or health check state change. Issue:DS-7295
Fix a bug that could cause an error during server startup if the root DSE backend was configured with an explicit set of subordinate base DNs. Issue:DS-7325
Improve performance for proxy transformations. Issue:DS-7351 SF#:1806
These features were added for version 3.5.1.0 of the Directory Proxy Server:
The Metrics Engine is a core server product that collects and aggregates key diagnostic, capacity, and usage information from an UnboundID server topology consisting of instrumented PingDirectory Server, PingDirectoryProxy Server, and Synchronization Servers running release 3.5.0.0 and above. Metrics data can be explored and graphed using the included query-metric tool, and the Metrics Engine REST API makes this information available to custom applications and third-party systems. To learn more about the Metrics Engine, please refer to the UnboundID Metrics Engine Administration Guide.
These issues were resolved with version 3.5.1.0 of the Directory Proxy Server:
Fix a bug that allowed ModDN operations on a proxy with entry balancing to duplicate an existing entry DN. Issue:DS-6866 SF#:1753
Add help text to web console deployment descriptor with JBoss compatibility tips. Issue:DS-6976 SF#:1749
These features were added for version 3.5.0.0 of the Directory Proxy Server:
Server SDK extension bundles may now be installed and updated using the manage-extension tool. For information about using the tool and building and packaging extensions, please refer to the UnboundID Server SDK documentation.
The server now includes an HTTP Connection Handler that can be used to provide HTTP access to the server. An HTTP Connection Handler can be configured to reference either an HTTP Servlet Extension written with the Server SDK or a standard web application (via a Web Application Extension configuration object). For more information, please refer to the Configuring HTTP Access for the PingDirectory Server section of the Configuring the Server chapter in the UnboundID PingDirectory Server Administration Guide.
These were known issues at the time of the release of version 3.5.0.0 of the Directory Proxy Server:
With Sun Java version 1.6.0_21 through 24, there is a known issue with frequent, long garbage collection pauses. To avoid these, we recommend using version 1.6.0_25 or higher of the JVM where this issue has been addressed.
When using a GSSAPI SASL Mechanism Handler the kerberos-service-principal property is only used to determine the protocol (i.e. "ldap"). The hostname will always be determined using the server-fqdn property. Issue:DS-5053
These issues were resolved with version 3.5.0.0 of the Directory Proxy Server:
Fix an issue where multiple server configuration changes would fail if any of the servers were configured with an LDAPS (SSL) connection handler. Issue:DS-5100
Update the collect-support-data tool to include the equivalent of jstack output for IBM VMs on non-AIX platforms. Issue:MON-5027
Enhance configuration change detection for Locations used in Load Balancing Algorithms. Issue:DS-5105 SF#:1582
Fix a bug in proxy console where Monitor Dashboard failed to render properly in an entry balanced environment. Issue:DS-5345
Add the ability to specify a reason when entering and leaving lockdown mode. This is recorded in the logs and in the alerts that are generated. Issue:DS-5331
Update the server to provide the ability to customize the client connection policy that is used for internal operations. Previously, the server would always use an internal policy that only knows about local backends, but in the PingDirectoryProxy Server, this could prevent internal operations from accessing content in backend servers.
The Server SDK has also been updated to provide ClientContext and OperationContext methods that make it possible to get internal connections using either the server's configured default internal client connection policy or the policy associated with the client connection on which the request was received. Issue:DS-5553
Fix a bug that could cause the server to pass the old configuration into the isConfigurationChangeAcceptable method for a number of types of Server SDK extensions. Issue:DS-5597
Update the server to support tracking LDAP operation processing statistics on a per application basis. Applications are identified using Connection Criteria referenced from the tracked-application property of the Global Configuration. The Processing Time Histogram Plugin and Periodic Stats Logger Plugin include settings to control whether per-application statistics are exposed in the monitor and logged to CSV files. Issues:DS-270,DS-5241
Update the Server SDK to provide extensions a way to dynamically register their own monitor providers with the server, without requiring any server-side configuration objects. Issue:DS-5271
Add workaround in SSL processing to detect potential buffer underflow or renegotiation even when processing appears to be OK. Issue:DS-5748 SF#:1636
Fix a bug where method level debug tracing could cause extraneous logging from other methods in the same class. Issue:DS-5760 SF#:1636
collect-support-data now excludes binary files unless --includeBinaryFiles is specified. Issue:DS-4260
Add a new servlet extension that can be used to serve static content like HTML pages, images, or other kinds of files. Issue:DS-5827
Add support for a new UNBOUNDID-TOTP SASL mechanism that uses the time-based one-time password algorithm described in RFC 6238. This mechanism uses a base32-encoded shared secret stored in the user entry, in conjunction with the current time, to generate a temporary password that may be used during the authentication process. The one-time password may also be used in conjunction with a static password (e.g., as stored in the userPassword attribute) for a form of multifactor authentication that requires both knowledge of the static password and a device capable of generating the appropriate one-time password.
The Google Authenticator app (which is available for Android, iOS, and BlackBerry devices) supports TOTP and can be used to generate the appropriate one-time password. The UnboundID LDAP SDK for Java has also been updated with support for generating TOTP passwords, and includes support for the UNBOUNDID-TOTP SASL mechanism. Issue:DS-5852
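The following Python is an added illustration of the RFC 4226/6238 computation the mechanism relies on; it is not code from the server or from the UnboundID LDAP SDK. It decodes a base32 shared secret of the kind stored in the user entry, generates the code for a time step, and verifies a client-supplied code against the current step and a small clock-skew window using a constant-time comparison. RFC6238_SECRET_B32 is the RFC 6238 test-vector key, embedded so the block runs offline; the function names and the one-step skew window are this example's own choices, not server configuration.

```python
import base64
import hashlib
import hmac
import struct

# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890"), base32-encoded
# the way a TOTP secret would be stored in a user entry. Constructed for this example.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 shared secret, tolerating lowercase, spaces and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(decode_base32_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept a code for the current step or any step within +/- skew (assumed window).

    hmac.compare_digest keeps the verifier from leaking how many digits matched.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    key = decode_base32_secret(secret_b32)
    base = unix_time // step
    return any(hmac.compare_digest(hotp(key, base + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    print(f"current code: {code}, verifies: {verify_totp(RFC6238_SECRET_B32, code, now)}")
```

Run against the RFC 6238 vectors, time 59 with eight digits yields 94287082; with the six-digit, 30-second parameters Google Authenticator uses, the same step yields 287082. The skew window is what makes a code from the previous step still verify; widen it and an attacker who captures a code gets correspondingly more time to replay it.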
Add code to support proxy transformations on failed operations. Issue:DS-5856
Change proxy setup to prevent modification of external servers to establish trust. This should be handled manually by the administrators of the server installation. Issue:DS-5866
Fix an issue where DirectoryThreads did not set their context classloader to the one provided by our ClassLoaderProvider. This caused all the threads in the server to use the system classloader by default, which only has access to the classes specified on the classpath (i.e., the core server libraries under the /lib directory). This becomes problematic if one of these threads calls into a library that uses Thread.getContextClassLoader() to load a class that is outside of the core server libraries (for example, in an extension library). In this case it would use the system classloader and subsequently throw a NoClassDefFoundError. Issue:DS-5876
Fix a bug where peer installs were updating servers of the wrong type from the master server's ADS. Issue:DS-5552
Update the HTTPConnectionHandler to use Jetty version 8.1.0, which fixes several problems in the IO layer with respect to the latest JVMs and browsers. Switch the configuration to use Jetty's more efficient NIO socket connectors instead of the traditional blocking socket connectors. Issues:DS-5622,DS-5900
Change prepare-external-server to allow not supplying a trust store password in non-interactive mode, which will force the script to only trust the servers that are already present. Issue:DS-5872
Add a new property override-local-password to the Pass Through Authentication Plugin. With the default value of false, the plugin will attempt the bind remotely only if the local bind fails because no local password is defined. When set to true, it will attempt the bind remotely if the local bind fails for any reason.
The new override-local-password property changes the default behaviour of the Pass Through Authentication Plugin. To restore the previous behaviour, change the value to true. Issue:DS-5766
Fix an issue where the Proxy Server could process a Get Changelog Batch includeBase incorrectly. A request was sometimes forwarded to a PingDirectory Server that did not need to process the request. Issue:DS-4868
Fix a problem where the collect-support-data tool could timeout when connecting over SSL, or prompt the user to verify the server certificate even when the --no-prompt argument was specified. Issue:DS-4823
Fix a bug that prevented ldappasswordmodify from working through the proxy when a user attempts to modify their own password. Issue:DS-5997 SF#:1667
Add an advanced property to the Search LDAP Health Check configuration to specify whether the administrative operation request control should be used for the search. The default behavior is unchanged (i.e. the administrative operation control is used if the external server is an UnboundID server). Issue:DS-5433
Fix an issue in the Admin Alert Health Check where a health check score would not be lowered if the server was already in the degraded state and the degradation became worse. Issue:DS-4405
Changes to the location property in the global configuration now require a server restart. Issue:DS-5901
Fix a bug that caused many command-line tools to output to stderr rather than stdout. Existing scripts that depend on the old behavior may need to be modified in order to continue working correctly. Issues:DS-3610,DS-4195
Change password policy processing on the Proxy Server to not attempt any validation that can only be done on the PingDirectory Server, in these cases the Proxy Server will rely on the PingDirectory Server providing the authoritative password policy. Issue:DS-6097
Update the file format used by "dsconfig --batch-file" to support using '\' as a line continuation character. If the last character on a line is a '\', then it will be removed and the following line concatenated on to it. Issue:DS-635
Allow load-balancing algorithms to be selected based on connection criteria or request criteria. A proxying request processor may now specify a list of criteria-based load-balancing algorithms, which permits an alternate load-balancing algorithm to be selected for requests that match the criteria. Issue:DS-5987 SF#:00001683
Remove the "Custom" type from the list when creating new objects in dsconfig. This was often confused with the "Third-Party" and "Groovy Scripted" types when users intended to create a Server SDK extension. Issue:DS-5229
Assigned NO-USER-MODIFICATION to the following directoryOperation attributes:
ds-sync-conflict, changelog-add-entry, changelog-deleted-entry, changelog-modify-changes, compact-after-values, compact-before-values, compact-entry-key-attrs, ds-private-naming-contexts, ds-pwp-auth-failure, ds-pwp-last-login-time, ds-pwp-password-changed-by-required-time, ds-pwp-reset-time, ds-pwp-warned-time, pwdReset
These attributes will no longer be modifiable over LDAP.
dsreplication cleanup-local-server subcommand will no longer generate a cleanup-backends.ldif file to remove the replication related attributes from the backend. Instead, the user needs to rely on import/export to clean affected backends. Issue:DS-4718
Update ldap-diff to use the schema of the target server when comparing entries. This enables comparing entries whose DN's include case-sensitive components. Issues:DS-2748,DS-6197
A new property named obscure-attribute on the audit logger allows specified attributes to have their values obscured in the audit log. The default setting for the Proxy Server is to obscure the userPassword and authPassword values. Each value of an obscured attribute is replaced in the audit log with a string of the form "***** OBSCURED VALUE *****". The default setting for Directory Server is not to obscure any attributes, since the values of password attributes appear in hashed form rather than in the clear. Issue:DS-5278
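The two audit-logger controls described in these notes, suppressing updates to ds-last-access-time, ds-pwp-last-login-time and ds-sync-hist, and obscuring password values, amount to a filter over LDIF change records. The following Python is an added example of such a filter, not the server's own code: it takes one LDIF change record, drops modification blocks that touch a suppressed attribute (returning None when nothing is left to log), and replaces the value of any obscured attribute with the placeholder string quoted above. The sample record, the regular expression for attribute lines and the function names are this example's own; the default attribute sets are the ones the notes list.

```python
import re
from typing import Iterable, List, Optional

# Defaults as stated in the release notes: updates to these attributes are suppressed,
# and values of these attributes are obscured in the Proxy Server's audit log.
DEFAULT_EXCLUDED_ATTRIBUTES = {"ds-last-access-time", "ds-pwp-last-login-time", "ds-sync-hist"}
DEFAULT_OBSCURED_ATTRIBUTES = {"userPassword", "authPassword"}
OBSCURED_PLACEHOLDER = "***** OBSCURED VALUE *****"

# Attribute line: name, optional ;options, then ":" (plain), "::" (base64) or ":<" (URL).
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*)((?:;[A-Za-z0-9-]+)*)(::?|:<) ?(.*)$")
_MOD_OPS = {"add", "delete", "replace", "increment"}

# Constructed sample record (not from a real server); the password value is base64 "hunter2".
SAMPLE_MODIFY_RECORD = """dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: aHVudGVyMg==
-
replace: ds-last-access-time
ds-last-access-time: 20240101120000.000Z
-
add: description
description: constructed sample record
-
"""


def _unfold(record: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines: List[str] = []
    for line in record.rstrip("\n").split("\n"):
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def _obscure(line: str, obscured: set) -> str:
    m = _ATTR_LINE.match(line)
    if m and m.group(1).lower() in obscured:
        # The value is replaced whether it was plain, base64 or a URL reference.
        return f"{m.group(1)}{m.group(2)}: {OBSCURED_PLACEHOLDER}"
    return line


def sanitize_change_record(record: str,
                           excluded: Iterable[str] = DEFAULT_EXCLUDED_ATTRIBUTES,
                           obscured: Iterable[str] = DEFAULT_OBSCURED_ATTRIBUTES) -> Optional[str]:
    """Return the record as it should be logged, or None if nothing is left to log."""
    excluded = {a.lower() for a in excluded}
    obscured = {a.lower() for a in obscured}
    lines = _unfold(record)
    changetype = next((l.split(":", 1)[1].strip().lower()
                       for l in lines if l.lower().startswith("changetype:")), "")
    if changetype != "modify":
        # An add record carries the whole entry: obscure values, nothing to suppress.
        return "\n".join(_obscure(l, obscured) for l in lines) + "\n"
    header: List[str] = []
    blocks: List[List[str]] = []
    current: Optional[List[str]] = None
    for line in lines:
        if current is None:
            if ":" in line and line.split(":", 1)[0].strip().lower() in _MOD_OPS:
                current = [line]
            else:
                header.append(line)
        elif line == "-":
            blocks.append(current)
            current = None
        else:
            current.append(line)
    if current:
        blocks.append(current)  # final block written without a trailing "-"
    kept = [b for b in blocks if b[0].split(":", 1)[1].strip().lower() not in excluded]
    if not kept:
        return None
    out = list(header)
    for block in kept:
        out.extend(_obscure(l, obscured) for l in block)
        out.append("-")
    return "\n".join(out) + "\n"
```

Passing obscured=set() reproduces the Directory Server default described above, where password values are left as-is because they are already hashed; on the Proxy Server, which sees the clear-text value the client sent, the default set must stay in place.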
Critical: Fix a bug that allows users with expired passwords to change attributes in their own entry other than password. Issue:DS-6054
Modify the ldap-diff tool to add LDAP connection options for SSL, StartTLS, and SASL authentication. Issue:DS-6034
Update the status tool to fix an issue in which the tool may fail to connect to the server to retrieve some status information when the --no-prompt option is specified. Issue:DS-5989
Update the Server SDK to make it possible to create an internal connection that behaves like an external connection and is subject to its constraints. Issue:DS-5851
Update the PingDirectoryProxy Server to respect the size-limit, time-limit, and idle-time-limit specified on the proxied user entry (if they are present). These are specified by the ds-rlim-size-limit, ds-rlim-time-limit, and ds-rlim-idle-time-limit attributes. Issue:DS-1257
Fix a bug that prevented searching against an entry-balanced environment with a compound filter that contained equality and presence component filters. Issue:DS-6423 SF#:1717
Fix an issue where an out-of-the-box server required more memory than it should have, because of how the DictionaryPasswordValidator stored its word dictionary. The memory usage has been reduced by roughly 35MB. Issue:DS-6040
Fix an issue where failures encountered during processing of the route-to-server control were not handled correctly. An operation could have been retried on a server where the operation had just failed, rather than selecting a different server. Also, the server could have made one more retry than should have been permitted, and this could have increased the length of time required to process the operation. Issue:DS-4650
Updated the server to support hosting of standard web applications using the HTTP Connection Handler. Issue:MON-754
Provide PingDirectory Server and Proxy Server support for GetChangelogBatch options to control whether to return changes for modify or delete of soft-deleted entries. Issue:DS-6362
Critical: Update the PingDirectory Server to apply access controls when processing the GetAuthorizationEntryRequestControl. Issue:DS-854
Add support for soft deletes and undeletes to parallel-update. Issue:DS-6408
Provide an argument to the setup tool to configure the server to automatically include verbose garbage collection output in the server.out log file. Issue:DS-5681
On Linux, the server and its tools now attempt to raise the limit on maximum user processes to 16,383 if the current value reported by ulimit is less than that. This is because Linux counts a thread as a user process, and some recent Linux distributions have a very low default value for max user processes. Issue:DS-6410
Update dsconfig so that inclusion of the --advanced option will list expert-level objects. Issue:DS-6652
Improve the prompt that is displayed by command-line tools when establishing a secure connection to a server when no trust manager was specified and the server certificate should not be automatically trusted. The information is formatted more neatly, and the prompt will now include MD5 and SHA-1 versions of the certificate fingerprint and information about the issuer certificate chain if appropriate. There will also be an additional warning if the certificate is self signed. Issue:DS-5127
Update tools that can perform LDAP SASL authentication to add support for the UNBOUNDID-TOTP SASL mechanism that can be used for multifactor authentication. Issue:DS-6676
Update the LDAP connection handler so that any attempt to explicitly configure the allowed SSL protocols and/or cipher suites will be validated before being put into service. Any attempt to use an unsupported protocol or cipher suite will be rejected with an error message including the acceptable values. Issue:DS-6663
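Fail-fast validation of this kind is straightforward to reproduce outside the server. The following Python is an added example, not the connection handler's implementation: it checks a configured list of protocol names and cipher suite names against what the local OpenSSL build supports before building an ssl.SSLContext, and rejects unknown values with an error that lists the acceptable ones, so a typo never reaches a live listener. The JSSE-style protocol spellings in PROTOCOL_VERSIONS and the treatment of TLS 1.3 suites (which OpenSSL configures separately from set_ciphers) are this example's assumptions.

```python
import ssl
from typing import Iterable, List

# JSSE-style protocol names (assumption: the configuration uses these spellings)
# mapped to the versions Python's ssl module can pin on a context.
PROTOCOL_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


class TLSConfigError(ValueError):
    """Raised for a protocol or cipher suite the local TLS stack cannot provide."""


def supported_cipher_names() -> List[str]:
    """Cipher suite names the local OpenSSL build will actually offer in a server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return sorted({c["name"] for c in ctx.get_ciphers()})


def validate_protocols(requested: Iterable[str]) -> List[str]:
    requested = list(requested)
    if not requested:
        raise TLSConfigError(f"no protocol configured; acceptable values: {sorted(PROTOCOL_VERSIONS)}")
    unknown = [p for p in requested if p not in PROTOCOL_VERSIONS]
    if unknown:
        raise TLSConfigError(
            f"unsupported protocol(s) {unknown}; acceptable values: {sorted(PROTOCOL_VERSIONS)}")
    return requested


def validate_cipher_suites(requested: Iterable[str]) -> List[str]:
    requested = list(requested)
    supported = supported_cipher_names()
    if not requested:
        raise TLSConfigError(f"no cipher suite configured; acceptable values: {supported}")
    unknown = [c for c in requested if c not in supported]
    if unknown:
        raise TLSConfigError(
            f"unsupported cipher suite(s) {unknown}; acceptable values: {supported}")
    return requested


def build_server_context(protocols: Iterable[str], ciphers: Iterable[str],
                         certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Validate the configuration first; only then create the context a listener would use."""
    protocols = validate_protocols(protocols)
    ciphers = validate_cipher_suites(ciphers)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    versions = [PROTOCOL_VERSIONS[p] for p in protocols]
    ctx.minimum_version = min(versions)
    ctx.maximum_version = max(versions)
    # OpenSSL configures TLS 1.3 suites separately; set_ciphers() takes only the pre-1.3 list.
    legacy = [c for c in ciphers if not c.startswith("TLS_")]
    if legacy:
        ctx.set_ciphers(":".join(legacy))
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    try:
        build_server_context(["TLSv1.2", "SSLv3"], ["RC4-MD5"])
    except TLSConfigError as err:
        print(err)
```

The usage block deliberately passes a retired protocol and a retired cipher; the error names the offending values and the full acceptable list, which is the behaviour the connection handler change above provides at configuration time rather than at the first failed handshake.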
Fix an issue where the reload-index tool did not reload indexes for all entry-balancing request processors matching a given base DN. Issue:DS-6405
Update the ldifsearch tool so that it will no longer report errors for entries that violate the server schema by default. This behavior can be restored using the new --checkSchema option. Also, update the ldifmodify tool to provide better schema checking by default, and to add a --noSchemaCheck option that allows it to work with LDIF files and change sets that violate schema constraints. Issue:DS-4326
Fix an issue where the Proxy Server might not return the Password Expired control to the client in response to a Bind operation (depending on which entry-balancing data set the user entry resided in). The Password Expiring and Password Policy response controls were also affected. Issue:DS-6600 SF#:00001738
Add a new WebAppServerContext interface to the Server SDK, which can be used by web applications running in the server to interact with the server by doing things like invoking internal operations, registering change listeners and monitor providers, performing logging and debugging, and generating administrative alerts. The new WebAppServerContextFactory class may be used to obtain a server context instance. Issue:DS-6723
Update the JMX Connection Handler configuration to issue a warning if it is enabled. On some JVMs, enabling this aspect of JMX can lead to long garbage collection pauses. Issue:DS-6832
These features were added for version 3.2.0.0 of the Directory Proxy Server:
AIX is now a supported deployment operating system.
Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations.
These issues were resolved with version 3.2.0.0 of the Directory Proxy Server:
Fix a bug in the web-console new Attribute Type and new Objectclass dialogs which in some cases could cause a schema element to be saved erroneously into a file called 'New File...'. Issue:3410
Modify the web-console so that extraneous carriage returns are removed from files containing exported schema elements. Issue:3411
Fix a bug that could cause inaccurate time stamps to be displayed in the active operations monitor entry for operations that are still waiting in the work queue and have not yet been picked up for processing by a worker thread. Issue:3419
Fix an issue that led to work queue backlogs in DS when the Sync Server was synchronizing from an entry-balanced Proxy Server configuration. Issue:3431 SF#:1486
Update the PingDirectoryProxy Server so that it will attempt to abandon any operation which has not completed within the configured timeout period. This behavior may be controlled by the abandon-on-timeout configuration property in the LDAP external server configuration. Issue:3350
Update command-line tools providing support for SASL authentication to add additional properties that may be used in conjunction with the GSSAPI mechanism. This includes the ability to control whether a ticket cache should be allowed and/or required, the ability to specify an alternate location for the ticket cache file, the ability to request that the Kerberos ticket-granting ticket be renewed, and the ability to supply a custom JAAS configuration file rather than using one automatically generated by the tool. Issue:3437
Fix a bug that prevents going back from the type selection when creating a new configuration object in dsconfig. Issue:2913 SF#:1435
Update a number of LDAP command-line tools to provide a new --help-sasl option that can be used to obtain information about the SASL mechanisms that are available for use and the supported options for those mechanisms. In addition, the command-line tool reference has been updated to provide a new page on supported SASL mechanisms and options. Issue:3452
Fix a bug in which dsconfig and other tools may not properly evaluate path-based property values for remotely managed servers. Issue:3439 SF#:00001484
Improve the consistency of performance for Sync through Proxy with Entry Balancing. When the Proxy Server is processing a Get Changelog Batch request and it has received maxChanges in total from the backend PingDirectory Servers, it now cancels the outstanding requests in order to expedite the return of the result to the Sync Server. When the PingDirectory Server receives a cancel request for a Get Changelog Batch request, it now stops processing the request and returns the result containing a resume token. Issue:3438 SF#:1492
Modify the update tool to handle potential issues migrating the admin-backend.ldif backend file if the ds-create-time attribute is present in the entry cn=all-servers,cn=Server Groups,cn=admin. Issue:3584 SF#:00001501
Update shell scripts used for the server and associated tools so that they will display a warning if it is not possible to set the desired number of file descriptors. Issue:3590
Fix a corner-case bug that could interfere with the Directory Proxy Server's ability to perform health checking against a backend server that had been classified as UNAVAILABLE. Issue:3611
Add support for a new "operation purpose" request control that clients can use to identify the intention for each request that they send to the server. The control may include the name and version of the application that created the request, the location in the application code from which the request was created (which may be automatically generated by the UnboundID LDAP SDK for Java), and a human-readable message explaining the purpose for the operation.
This can help improve security and debuggability because it can offer a kind of audit trail. If a request includes this control, then information from the control will be included in access log messages for those operations. Issue:3616
Update client connection policies to support two new configuration attributes. The required-operation-request-criteria property can be used to cause the server to reject any request which does not match the referenced request criteria, and the prohibited-operation-request-criteria property can be used to cause the server to reject any request which does match the referenced request criteria. Issue:3645
Update dsconfig to make the list-properties subcommand more visible and more usable. This includes the following changes:
- The list-properties output will now be written to standard output rather than standard error. This makes it easier to process the output with text tools like grep.
- The list-properties subcommand can now be used with the "--offline" argument even if the server is running.
- A new "--complexity" argument has been added that can be used to customize the complexity level of the objects included in the output.
- A new "--includeDescription" argument has been added that can be used to include synopsis and description information in the output.
- The top-level dsconfig help now includes an example demonstrating the use of the list-properties option.
- A docs/config-properties.txt file containing this information is now provided with the server. This information was previously already available in the HTML config reference guide. Issue:DS-2985 SF#:00001413
Update a number of access loggers to provide a new max-string-length configuration property that specifies the maximum length of any string that may be included in a log message. If any string has more than this number of characters, then that string will be truncated and a placeholder will be appended to indicate the number of remaining characters in the original string. Issue:DS-3551
Update the server to provide a new additional-supported-control-oid configuration property in the root DSE backend that can be used to add a specified OID to the supportedControl attribute of the server's root DSE. This is primarily intended for compatibility with other servers which may include certain response control OIDs in this list even though LDAP specifications indicate that it should only include request control OIDs.
The Server SDK has also been updated to provide support for registering and deregistering supported control OIDs. This may be used for extensions which themselves add support for additional controls. Issue:DS-3467
Make it possible to configure the number of file descriptors that the server should attempt to use on UNIX-based systems. Previously, the server was hard-coded to try to use 65535 file descriptors. It is now possible to override this default by setting the NUM_FILE_DESCRIPTORS environment variable to the desired number of descriptors to use. Alternately, you can do this by creating a config/num-file-descriptors file with a single line, like:
NUM_FILE_DESCRIPTORS=12345
If an error occurs while attempting to use the desired number of file descriptors, then a message will be written to the terminal, and if the error occurs while starting the server, then a message will be logged to the server's error log. Issue:DS-3590
Add the ability to compress log files as they are written. This can significantly increase the amount of data that can be stored in a given amount of space so that log information can be kept for a longer period of time. Because of the inherent problems with mixing compressed and uncompressed data, compression is something that can be enabled only at the time the logger is created, and compression cannot be turned on or off later. Further, because of problems in trying to append to an existing compressed file, if the server encounters an existing log file on startup, it will rotate that file and begin a new one rather than attempting to append to the previous file.
Compression is performed using the standard gzip algorithm, so compressed log files can be accessed using readily available tools. Further, the summarize-access-log tool has been updated so that it can work directly on compressed log files rather than requiring them to be uncompressed first. However, because it can be useful to have a small amount of uncompressed log data available for troubleshooting purposes, administrators using compressed logging may wish to have a second logger defined that does not use compression and has rotation and retention policies that will minimize the amount of space consumed by those logs while still making them useful for diagnostic purposes without the need to uncompress files before examining them. Issue:DS-2983 SF#:00001410
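The two behaviors described above (rotate an existing file on startup instead of appending to it, and read a log file without caring whether it is gzip-compressed) can be illustrated with the following added Python example. It is not code from the server or from the summarize-access-log tool; the log lines are constructed for the example, and the gzip detection relies on the standard two-byte gzip magic number rather than on the file name.

```python
import gzip
import os
import shutil
import tempfile
import time
from collections import Counter
from typing import Iterable, Optional, TextIO

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream

# Constructed sample access log lines (not real server output).
SAMPLE_LINES = [
    '[14/Jan/2020:10:00:00 +0000] SEARCH RESULT conn=1 op=0 msgID=1 resultCode=0 etime=0.412',
    '[14/Jan/2020:10:00:01 +0000] BIND REQUEST conn=2 op=0 msgID=1 dn="uid=test,dc=example,dc=com"',
    '[14/Jan/2020:10:00:01 +0000] BIND RESULT conn=2 op=0 msgID=1 resultCode=49 etime=1.203',
    '[14/Jan/2020:10:00:02 +0000] MODIFY RESULT conn=1 op=1 msgID=2 resultCode=0 etime=3.998',
    '[14/Jan/2020:10:00:03 +0000] DELETE RESULT conn=3 op=0 msgID=1 resultCode=32 etime=0.871',
]


def rotate_if_present(path: str) -> Optional[str]:
    """Move an existing log file aside (timestamp suffix) instead of appending to it.

    Returns the rotated file name, or None if there was nothing to rotate.
    """
    if not os.path.exists(path):
        return None
    stamp = time.strftime("%Y%m%d%H%M%S")
    rotated = f"{path}.{stamp}"
    counter = 1
    while os.path.exists(rotated):  # avoid clobbering a file rotated in the same second
        rotated = f"{path}.{stamp}.{counter}"
        counter += 1
    os.replace(path, rotated)
    return rotated


def write_compressed_log(path: str, lines: Iterable[str]) -> Optional[str]:
    """Start a fresh gzip log file at path, rotating any file already there."""
    rotated = rotate_if_present(path)
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")
    return rotated


def is_gzip(path: str) -> bool:
    """Detect gzip by content, so a renamed or mislabelled file is still read correctly."""
    with open(path, "rb") as fh:
        return fh.read(2) == GZIP_MAGIC


def open_log(path: str) -> TextIO:
    """Open a log file for reading as text, transparently decompressing gzip."""
    if is_gzip(path):
        return gzip.open(path, "rt", encoding="utf-8")
    return open(path, "r", encoding="utf-8")


def summarize_result_codes(path: str) -> Counter:
    """Count resultCode values in result messages, plain or compressed."""
    counts: Counter = Counter()
    with open_log(path) as fh:
        for line in fh:
            for token in line.split():
                if token.startswith("resultCode="):
                    counts[int(token.split("=", 1)[1])] += 1
    return counts


def demo() -> dict:
    """Simulate startup with a leftover uncompressed log, then summarize both files."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "access")
        # A plain-text file left over from before compression was enabled.
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LINES[0] + "\n")
        rotated = write_compressed_log(path, SAMPLE_LINES)
        return {
            "rotated_name_differs": rotated is not None and rotated != path,
            "rotated_is_plain": not is_gzip(rotated),
            "rotated_counts": dict(summarize_result_codes(rotated)),
            "new_is_gzip": is_gzip(path),
            "compressed_counts": dict(summarize_result_codes(path)),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Detecting compression from the magic bytes rather than from a .gz suffix is what lets one summarizer handle both the compressed logger's output and the uncompressed troubleshooting logger recommended above.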
Update the description for the time-limit global configuration option to indicate that it is an upper bound that will be enforced for local operations and may be included in forwarded requests, but that other operation timeouts (like those defined in a load-balancing algorithm) may interrupt the operation before that time limit is reached. Issue:DS-3429
Update dsconfig to remove a redundant prompt when a user chooses to "Change the value" of an existing property. Issue:DS-2140
Update the suppress attribute proxy transformation to provide support for suppressing multiple attributes, and to make it possible to supply the attributes to suppress as an exclude list (i.e., "suppress all attributes except") instead of an include list if desired. In order to provide the attributes to suppress as an exclude list, prefix the attribute name or OID with a caret (e.g., "^cn" to not suppress the cn attribute).
The transformation has also been updated to do a much more complete job by suppressing uses of the specified attribute in other cases, including in the values of a number of types of controls like the assertion, join, and server-side sort request controls; pre-read, post-read, and get authorization entry response controls; and the join result search result entry control. Issue:DS-2984 SF#:1411
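The include-list versus exclude-list semantics described above, as an added Python example that is not part of the server's suppress attribute transformation code. It assumes attribute names are matched case-insensitively by their base name (so "cn;lang-en" is treated as cn), treats a list that mixes caret and non-caret entries as a configuration error, and matches by name only (mapping OIDs to names would need a schema lookup, which is omitted here). The sort-key function shows the same rule applied to the keys of a server-side sort request control.

```python
from typing import Dict, Iterable, List, Set, Tuple

Entry = Dict[str, List[str]]  # attribute name (possibly with options) -> values


def parse_suppress_spec(spec: Iterable[str]) -> Tuple[str, Set[str]]:
    """Turn the configured attribute list into ("include", names) or ("exclude", names).

    Entries prefixed with a caret ("^cn") form an exclude list: suppress every
    attribute except the named ones. Assumption for this example: mixing caret
    and non-caret entries in one list is a configuration error.
    """
    entries = [s.strip() for s in spec]
    carets = [s for s in entries if s.startswith("^")]
    if carets and len(carets) != len(entries):
        raise ValueError("cannot mix include and exclude entries in one suppress list")
    if carets:
        return "exclude", {s[1:].lower() for s in carets}
    return "include", {s.lower() for s in entries}


def _base_name(attribute: str) -> str:
    # Strip attribute options ("cn;lang-en" -> "cn"); LDAP names are case-insensitive.
    return attribute.split(";", 1)[0].lower()


def is_suppressed(attribute: str, mode: str, names: Set[str]) -> bool:
    """Include mode suppresses the named attributes; exclude mode suppresses all others."""
    base = _base_name(attribute)
    return base in names if mode == "include" else base not in names


def suppress_entry_attributes(entry: Entry, spec: Iterable[str]) -> Entry:
    """Return a copy of the entry with suppressed attributes removed."""
    mode, names = parse_suppress_spec(spec)
    return {attr: list(values) for attr, values in entry.items()
            if not is_suppressed(attr, mode, names)}


def suppress_sort_keys(sort_keys: List[str], spec: Iterable[str]) -> List[str]:
    """Drop sort keys that reference a suppressed attribute.

    A leading '-' marks reverse ordering and is not part of the attribute name.
    """
    mode, names = parse_suppress_spec(spec)
    return [key for key in sort_keys if not is_suppressed(key.lstrip("-"), mode, names)]


# Constructed sample entry (not from the release notes).
SAMPLE_ENTRY: Entry = {
    "cn": ["Test User"],
    "cn;lang-en": ["Test User"],
    "sn": ["User"],
    "userPassword": ["{SSHA}constructed-hash"],
    "employeeNumber": ["12345"],
}

if __name__ == "__main__":
    print(suppress_entry_attributes(SAMPLE_ENTRY, ["userPassword", "employeeNumber"]))
    print(suppress_entry_attributes(SAMPLE_ENTRY, ["^cn", "^sn"]))
    print(suppress_sort_keys(["sn", "-userPassword", "cn"], ["userPassword"]))
```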
Add a new reject-insecure-requests global configuration option that can cause the server to reject all operations except StartTLS extended requests received over insecure connections. This makes it easier to allow clients to use StartTLS without allowing other requests over an insecure connection. Issue:DS-4397
Provide an alternate password policy in the out-of-the-box configuration that is significantly more secure than the default policy. This policy is not configured for use, but it can be selected as the default policy, used as a policy for a select set of users, or used as a template for creating a new custom policy with a more secure starting point than the default policy.
In addition, a new sensitive attribute definition is included in the default configuration that declares userPassword and authPassword to be sensitive attributes and forbids them from being returned to clients, used in search filters, or targeted by compare operations, and also requires that adds and modifies including passwords be processed over a secure connection. This sensitive attribute definition is not used by anything by default, but it can be easily referenced in the sensitive-attribute option of a client connection policy to turn it on. Issue:DS-4396
Update server access loggers to add a number of new options:
- An option to include request details in search result entry messages.
- An option to include request details in search result reference messages.
- An option to include request details in intermediate response messages.
- An option to include the names of attributes included in an add request.
- An option to include the names of attributes targeted in a modify request.
- An option to include the names of attributes included in a search result entry.
- An option to include extended search request details, including the size limit, time limit, types only, and alias dereferencing behavior. Issue:DS-4404
Update the server to add a "--lockdownMode" argument which can be used to cause the server to be started in lockdown mode. Issue:DS-1488
Update the server to generate an administrative alert if it detects that a configuration change was made with the server offline (whether by manually editing the configuration file or using dsconfig in offline mode). Issue:DS-4407
Update the server to provide better reporting around the use of third-party extensions. If any such extensions are loaded in the server, then the DNs of their configuration entries will be listed in the thirdPartyExtensionDN attribute of the cn=monitor entry. Further, some extensions are loaded at startup, and a message will be written to the error log with the DNs of all of their configuration entries. Please note that not all extensions are loaded at startup, in particular Sync extensions. Issue:DS-4398
Fix an issue in which terminal focus may be lost during command-line setup just before the Summary step is shown. Issue:DS-4551
Fix an issue in which dsconfig cannot set an unlimited value for an object property that supports an unlimited value. Issue:DS-4173
Update the UnboundID work queue to add a dedicated thread pool that may be used for processing certain administrative operations. This dedicated thread pool may make it possible for an administrator to diagnose and take corrective action in a server even if all "normal" worker threads are tied up processing other operations. By default, eight worker threads will be created for this purpose, but this may be altered via the num-administrative-session-worker-threads property in the work queue configuration.
Some administrative tools like dsconfig, status, collect-support-data, enter-lockdown-mode, and leave-lockdown-mode will automatically attempt to create an administrative session in which all operations they request will be processed in this dedicated pool. Other tools like ldapsearch, ldapmodify, ldapcompare, ldapdelete, ldappasswordmodify, backup, restore, import-ldif, export-ldif, and manage-tasks have a new "--useAdministrativeSession" argument that can be used to request that they attempt to use this dedicated thread pool for operations that they process. Further, the Commercial Edition of the UnboundID LDAP SDK for Java has been updated to provide support for the new start administrative session and end administrative session extended operations that are needed to use this feature, so third-party applications can also take advantage of this capability.
In order to request that operations be processed using the administrative session thread pool, the requester must have the use-admin-session privilege (which is included in the default set of privileges automatically granted to root users). The use of the administrative session thread pool will be recorded in the access log, and a new "using-administrative-session-worker-thread" property has been added to the simple request criteria and can be used to filter operations based on whether they are using this capability. Issue:DS-4401
Add unique-to-single-subtree-view-search-attribute as a global configuration option on the proxy as a means to optimize equality searches for attributes with unique values across all subtree views. This can eliminate broadcast searches in environments that have multiple subtree views, especially when one of those is entry balanced. Issues:DS-4583,DS-4584,DS-4587
Update the logic the server uses for address patterns to support the use of subnet masks. It was previously only possible to use CIDR notation (e.g., "1.2.3.0/24") to specify the number of significant bits, but it is now possible to use subnet masks (e.g., "1.2.3.0/255.255.255.0") to specify address masks. Issue:DS-4710
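To show what accepting both notations involves, here is an added Python example (not the server's address pattern implementation) that parses CIDR patterns, dotted subnet-mask patterns, and bare addresses, and tests whether a client address falls within one. It assumes dotted subnet masks apply only to IPv4 and rejects non-contiguous masks such as 255.0.255.0 rather than silently matching a wider range; IPv6 patterns are accepted in CIDR form only.

```python
import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def mask_to_prefix_length(mask: str) -> int:
    """Convert a dotted-quad IPv4 subnet mask (e.g. 255.255.255.0) to a prefix length.

    A valid mask is a run of one bits followed by a run of zero bits; anything
    else (e.g. 255.0.255.0) is rejected so that a typo cannot widen the match.
    """
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = 0
    while prefix < 32 and (mask_int >> (31 - prefix)) & 1:
        prefix += 1
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if mask_int != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def parse_address_pattern(pattern: str) -> Network:
    """Parse "1.2.3.0/24", "1.2.3.0/255.255.255.0", or a bare address (host only)."""
    if "/" not in pattern:
        return ipaddress.ip_network(pattern)  # bare address becomes /32 or /128
    address, mask = pattern.split("/", 1)
    if "." in mask:
        if ":" in address:
            raise ValueError("dotted subnet masks are only defined for IPv4 patterns")
        mask = str(mask_to_prefix_length(mask))
    # strict=False lets "1.2.3.7/24" mean the network 1.2.3.0/24; an invalid
    # prefix length (e.g. /33) still raises ValueError.
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def address_matches(pattern: str, address: str) -> bool:
    """True if the address lies within the pattern; IPv4 and IPv6 never match each other."""
    return ipaddress.ip_address(address) in parse_address_pattern(pattern)


def matches_any(patterns: Iterable[str], address: str) -> bool:
    """Evaluate a list of patterns the way an allow/deny list would be checked."""
    return any(address_matches(p, address) for p in patterns)


if __name__ == "__main__":
    print(parse_address_pattern("1.2.3.0/255.255.255.0"))  # same network as 1.2.3.0/24
    print(address_matches("1.2.3.0/255.255.255.0", "1.2.3.77"))
    print(matches_any(["10.0.0.0/8", "192.0.2.0/255.255.255.0"], "192.0.2.9"))
```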
Fix an issue where old configuration data may get left in a topology of Sync or Proxy servers after a server is uninstalled or removed from the topology. Issue:DS-4712
Modify the tools to recognize instances of the Sun DSEE 7 Directory Server when deployed as part of the Oracle Identity Management 11g. Issue:DS-4716
Update the server to discourage disabling schema checking since this can lead to unexpected behavior in the server and client applications, as well as introduce performance problems. A warning message is printed when dsconfig or the console is used to update the configuration to disable schema checking. The server now generates an alert when schema checking is disabled. The --skipSchemaValidation option has been removed from import-ldif. Issue:DS-4336
Improve the config definition for the idle-lockout-interval password policy property to indicate that it relies on the last login time but may fall back on the password changed time or account creation time if no last login time is available. It also recommends having last login time tracking enabled for a period of time before enabling idle account lockout. Issue:DS-4878
Update the server to record access log information about certain requests rejected very early in the life of an operation that were not previously recorded, including:
- Operations requested by a user that must change his/her password before being allowed to perform any other operation.
- Operations rejected because there is a bind in progress on the connection.
- Operations rejected because the server is in lockdown mode.
- Operations rejected as a result of the reject-unauthenticated-requests or reject-insecure-requests configuration option.
- Operations rejected because a client has exceeded the maximum number of operations per connection or maximum concurrent operations per connection. Issue:DS-4912
Fix a bug in the attribute value password validator that can cause it to incorrectly reject add attempts if the password attribute itself is included in the set of attributes to examine. Issue:DS-4888
Fix a bug in the create-initial-proxy-config tool that could cause it to terminate with an error if it encounters an unrecognized type of directory server. Issue:DS-4865
Add support for the IBM JDK for the GSSAPI SASL bind mechanism handler and when using GSSAPI SASL binds with tools and utilities. Due to restrictions with the IBM JDK, when using tools and utilities with the "ticketcache" option set, the bind will always fail if the credentials are not found in the specified ticket cache, even if the "requirecache" option is false. Issue:DS-4749
Improve the dsframework tool to support multi-valued server properties. Issue:DS-5040
These issues were resolved with version 3.1.0.0 of the Directory Proxy Server:
Add new global configuration attribute that allows specifying a SMTP timeout to use for all configured SMTP servers. Issue:2283
Update the server so that access log messages for operations the server tried to interrupt (e.g., as the result of an abandon or cancel request, because the client connection was being closed, because the server was shutting down, etc.) will include an additionalInfo element with more information about the reason for the cancel attempt. Issue:2971
Limit collect-support-data to only run against the local server it is run from. All supported versions of the products have collect-support-data available, and should use that version to do any needed data collection. Issue:2827
Enhance timeout for SMTP External Servers to be used for socket I/O and connection based timeouts. Previously the timeout value applied only to socket I/O. Issue:2939
The update and revert-update tools now respect the -Q/--quiet option, which, when specified, suppresses console output of messages that are not warnings or errors. In addition, the tools will not solicit input if the -n/--no-prompt option is specified. Issue:3056 SF#:00001432
Fix an issue where the Web Console provides a dsconfig command to modify root dn user aliases that does not work in dsconfig. Dsconfig will now accept those commands. Issue:1692 SF#:1238
The dsconfig tool has been fixed so that it does not exit with an error when the root DSE entry is not available. Issue:3122
Add a new type of access logger which can be used to obtain very detailed information about requests and responses and the contexts in which the associated operations have been processed. This is primarily intended for troubleshooting purposes rather than general use, and the content is meant to be human-readable rather than machine-parsable. Further, because the output can be quite verbose, it is recommended that it only be enabled when attempting to diagnose a problem, and that it be used in conjunction with the filtered logging framework so that only messages of potential interest will be captured. Issue:3064
Update tools, such as searchrate, that use --ratePerSecond to not use 100% of one CPU when running at a low rate. The cutoff for this rate depends on the minimum amount of time that a process can sleep, which is operating system dependent.
Update the Server SDK to add support for creating file-based access and error loggers. The new APIs are similar to the existing access and error logger APIs, but they take advantage of the server's existing high-performance and high scale log writer and provide support for advanced features like log file rotation and retention policies. Issue:3115
Add a configuration change to prevent Subtree View configuration properties from being modified after they are set at creation time. Modifications to live SubtreeView objects are not supported, and this change rectifies that issue. Issue:2907
Update the move-entry tool so that it provides the ability to move multiple entries rather than just one. The --entryDN argument can be provided multiple times to specify the target entry DNs, or the new --entryDNFile argument may be used to specify the path to a file containing the DNs of the entries to move. If multiple entries are to be moved, then a separate transaction will be used for each. Issue:3111
Add a serversAccessed field to result access log messages to include a list of the backend servers accessed in the course of processing the associated operation. Issue:2780
Update collect-support-data to collect more system level information (especially on Linux) and validate that any value specified with the --pid option does not match the server's PID, since information about the server process is always collected. Issues:2920,2930,3152,3171,3206
Add a --missingOnly option to ldap-diff to allow the tool to only report on entries that exist on only one of the servers; entries that exist on both servers but are out-of-sync are ignored. Issue:2918
Update tools which can be used to schedule tasks to add a new "--task" argument that makes it explicit that the tool is intended to run as a task rather than in offline mode. At present, this argument is optional, but we intend to make it required in the future, and if a tool is invoked as a task without this new "--task" argument, then a warning message will be displayed recommending that it be used in the future.
In addition, if the "--task" argument is provided but the tool was not given an appropriate set of other arguments to allow it to connect and/or authenticate to the server, then an error message will be displayed and the tool will exit with an error. This behavior will also be exhibited for other arguments that are only applicable for tools running as tasks, including the "--start", "--dependency", "--failedDependencyAction", "--completionNotify", and "--errorNotify" arguments. Issue:3224
Update the manage-tasks tool so that it can detect cases in which the authenticated user doesn't have permission to access information about tasks in the server and will provide a more useful error message. It would previously always report that there were no tasks in the server, which may not be true and is not very helpful. Issue:2957
Update the proxy server access log such that targetHost and targetPort are provided in result log messages in an entry balancing configuration (note that these fields are only ever logged in result log messages when log-forwards is turned off). For search result log messages, since only one target server is ever logged for an operation, one of the target servers that contributed search entries is logged in preference to one that did not contribute any search entries. Independently, all the servers accessed during the course of an operation are always logged to the serversAccessed field of the log message. Issue:3079
Change the default access logger configuration so that intermediate response messages will be suppressed rather than logged, although logging them can be enabled if desired. However, for operations that did send one or more intermediate response messages to the client, the result access log message will now include an intermediateResponsesReturned element that provides the number of intermediate response messages that were returned. Issue:3096
Update the proxy server so that it no longer retries operations that return ADMIN-LIMIT-EXCEEDED. The previous behavior could have unintended consequences for Subtree Delete operations. It is most unlikely that an operation returning ADMIN-LIMIT-EXCEEDED will succeed when retried on an alternate server. Issue:3132
Update tools which create scheduled tasks to display a message indicating that killing the tool will not interrupt the task. For tasks that can be interrupted, the tool will also display a manage-tasks command line that can be used to cancel that task. Issue:2954
These issues were resolved with version 3.0.3.0 of the Directory Proxy Server:
Fix an issue in the PingDirectoryProxy Server which could cause the Synchronization Server's resync command to fail when the base DN being synchronized had a single component (e.g. o=example). Issue:3220 SF#:1473
Fix a bug in web consoles where version mismatch warning was not being displayed on initial login. Issue:3146 SF#:1459
Add an option to collect-support-data for collecting data from expensive processes. These expensive operations will not be executed by default. Issue:3176
Fix an issue where debug messages logged by a command line tool (when using --enableDebug) might not be flushed to disk before the command exited. Issue:3218
Update the server's support for GSSAPI authentication to allow it to use a more flexible service principal. Previously, the service principal was hard-coded to be "ldap/" followed by the fully-qualified name of the system. This is still the default, but it is possible to override that in order to use a custom service principal. In addition, client tools which support GSSAPI authentication have been updated to support a "protocol" SASL option that can be used to specify the protocol for the service principal, and a "debug" SASL option that can enable GSSAPI debugging in the JVM. Issue:3262
These issues were resolved with version 3.0.2.0 of the Directory Proxy Server:
Modify the update tool to fix an issue where in some cases the tool would fail to migrate an older configuration, displaying errors related to duplicate LDIF change records. Issues:2942,2962,2967
Fix a regression with the stop-proxy command where the port argument was ignored. Issue:2925
Fix an issue where the status command would warn that the port argument was ignored even though the argument was not provided. Issue:3052 SF#:1447
The command-line tools now use the full terminal width for output on Windows platforms. Issue:1019
Fix a potential issue that could cause an exception if a client tried to establish a secure connection to a server that already had the maximum number of concurrent client connections established for the associated client connection policy. Issue:3072
The setup tool has been modified to correct an issue in which the presence of the --rootUserDN option, when specified with any of the "Set Up From Peer/Master Server Options", would cause setup to exit with an error. Issue:3084
Increase the default value for duplicate error messages (allow 2000 in 5 minutes) and alerts (allow 100 in 1 hour) before they are suppressed. Avoid duplicate suppression for certain types of alerts, such as configuration changes. Ensure that the severity of a duplicate alert summary message matches the severity of the duplicate messages being suppressed.
Address an issue that could affect the Synchronization Server synchronizing changes through the proxy when there was more than one dataset behind the proxy, for instance an entry balanced environment. In this scenario, if all directory servers were unavailable for one backend set, then no changes would be synchronized for the environment. This would delay any changes that were applied to the server sets that were available. Issue:3100
Address an issue where Server SDK extensions running within a command line tool could cause the process to run out of memory if they logged a high volume of error log messages. Issue:3173
These issues were resolved with version 3.0.1.0 of the Directory Proxy Server:
Change collect-support-data tool to prompt for missing LDAP connection arguments if needed. Issue:2461
Add statistics about the entry balancing global indexes to the status command output for the proxy server. Issue:2199
The script file for stopping the server on non-Windows operating systems has been modified so that when it is invoked with no arguments, the server is killed using the operating system's kill command, ensuring that the server will have stopped when the script returns. Issue:2821
The remove-defunct-server tool has been enhanced to allow the user to choose to continue processing of topology servers even if one of the servers is down. In non-interactive mode this is accomplished using the --continueOnError option. Issue:2856
Fix an issue where the Proxy Server could return duplicate entries in an entry balanced configuration where the PingDirectory Servers held both global and restricted replicated data. Issue:2781
Update the server so that some of the specialized access loggers (e.g., failed operations and expensive operations) do not include messages about intermediate responses. Issue:2822
Update the load-balancing algorithm configuration to add initial-connections and max-connections properties which can be used to specify the number of connections to establish for each backend server. If specified, these options will override the number of connections defined in the LDAP external server configuration for that load-balancing algorithm. Issue:2600
A new global-index-size tool is provided with the Proxy Server to estimate how much memory is required for a global index from the number of keys and the average key size. Issue:2462
Fix a bug that could prevent the use of object classes which reference attribute types whose name begins with a numeric digit or contains an underscore character. Although such names are technically invalid, the server may allow them based on the value of the allow-attribute-name-exceptions global configuration property. Issue:2882
Fix a bug that could cause some command-line tools (including ldapsearch and ldapmodify) to fail when parsing DNs containing attributes whose names require the attribute-name-exceptions feature in the server, even if that feature was enabled. Issue:2883
Address an issue with collect-support-data when run on Windows where certain commands that were executed would timeout without reading the full output of the command.
The entry balancing request processor has a new log-index-duplicates property that may be enabled to get details on entries that are duplicated in the global index. Issue:2369
Add a new external server type for configuring SMTP servers. This can be used to provide secure connections and authentication to outgoing mail servers. Issue:1150
Fix an issue where entry balancing operations forwarded to backend directory servers were not canceled when the request to the proxy server was canceled. Issue:2789
The SNMP Master Agent Plugin is no longer exposed as configurable because it is not a supported component. It is only used for test purposes.
Fix a bug in the web console that prevented the creation of configuration objects with a slash character in the name. Issue:2836
Add the ability to log debug statements from server components that are running within the context of a command line tool. This also enables logging from third-party extensions developed with the Server SDK to be captured when run from the context of a command line tool. Issue:2834
The dsframework tool has been modified so that whenever a server is registered or updated with port values whose corresponding protocol enablement properties (ldapEnabled, ldapsEnabled) are not present, the tool will automatically set the value of the enablement property to "true". Issue:783
Add new configuration to entry balancing request processor called preferred-failure-result-codes. This is an ordered list, from highest to lowest priority, which is used to determine which result code to return when there are conflicting values received from more than one backend server. This list will also be used to determine if the failure should be reported instead of trying additional backend servers. Issue:2946 SF#:1428
These features were added for version 3.0.0.0 of the Directory Proxy Server:
Server SDK - Server-side SDK for extending the functionality of the core server.
Synchronization Through Proxy - Support for synchronizing to or from a load-balanced or entry-balanced proxy server deployment.
Virtualization Support - Achieved "VMware Ready Status" for all of our server products, which we now support deploying in VMware environments.
These issues were resolved with version 3.0.0.0 of the Directory Proxy Server:
The default setting for the entry balancing prime-index-source property has been changed to 'ds' instead of 'ds,proxy'. Issue:2233 SF#:00001345
To prevent unexpected delays and errors while running create-initial-proxy-config, index priming is no longer done as soon as the tool applies an entry balancing configuration to the proxy server. Instead the tool warns that the proxy server must be restarted after the tool is run to have index priming take place. Issue:2227
Fix a bug that could cause a recursion loop resulting in a stack overflow when using aggregate connection criteria. Issue:2240
Expose version information for many of the libraries used by the server in both "status --fullVersion" and in the "cn=Version,cn=monitor" entry. It will always include the LDAP SDK version number, and if available may also include any or all of the Berkeley DB JE, JZlib, SNMP4J, SNMP4J Agent, and SNMP4J AgentX library versions strings.
Add a configuration option that may be used to indicate whether the server should shut down in the event that a severe error (e.g., out of memory) is raised within the JVM that indicates it may not be able to continue running properly. Issue:2265
Add a new "rebind" authorization method that can be used to forward authorization information to backend servers that don't support either the intermediate client control or the proxied authorization v1 or v2 controls. This is only supported for clients using simple authentication. Issue:2268
The dsjavaproperties tool now supports options for generating, regenerating, and updating the config/java.properties file. Issue:2280
Fix a bug in the timestamp-naming mechanism used in log file rotation which could cause log files that were manually renamed to still get rotated and eventually deleted if their names were still parsable as the original file name. Issue:1285
Update the stop script so that the "restart" option will correctly restart the server after a successful shutdown. Issue:2329 SF#:1362
Update dsconfig to work correctly in environments with a server-group set. This issue only affected dsconfig when run in a partially interactive mode where some of the configuration arguments were provided on the command line. The user is now prompted whether the configuration change should be applied to the current server or all servers in the group. Issue:2373 SF#:1370
Allow the PingDirectoryProxy Server to dynamically read and incorporate schema elements from backend servers. The schema elements will be exposed in the PingDirectoryProxy Server schema subentry but will not be written to the local schema files. Issue:2300
Address an issue where the Unique Attribute Plugin incorrectly detected conflicts when under heavy load. Issue:1873
Web Console displays a communication error alert when editing configuration objects if the server has been disconnected. Issue:2270 SF#:1239
Fix a bug in which the server and tool JVM configurations in java.properties would lack -Xms and/or -Xmx options if the amount of memory specified as the maximum heap size was not available when setup was run. Issue:890
Fix a bug in which setup failed if the 'locks' directory was missing: setup erroneously indicated that the server was running.
Fix a bug that prevented the display in dsconfig and the web console of configuration objects whose name contained a slash character. Issue:2244 SF#:1373
Update the auto-generated single-server pass through load balancing algorithm with a name that indicates it's auto-generated. Issue:2337 SF#:1364
Modify the update tool so that it cannot be run from a package in which setup has already been run. Issue:2464
Provide a custom title renderer that escapes configuration object names in the web console. This avoids a theoretical security concern with configuration object names that contain embedded JavaScript. Issue:2454
The progress messages for global index priming now include the number of keys in the index to provide an indication of how long priming may take. Issue:2463
Fix a bug in the ldapmodify command-line tool that caused it to incorrectly treat a 'referral' result as success. Referrals are still not supported by this tool, but it will now treat them as a special kind of error and will provide a more useful message. Issue:1062
Update the UnboundID work queue configuration so that it is not possible to configure a value of zero for the number of write queues. Previously, if a nonzero number of write worker threads was configured with zero write queues, then the server would encounter an error and would be unable to start. Issue:2119
Update prepare-external-server so that the server is configured for access control regardless of whether the proxy user account exists.
Generate a warning message at startup if the server is unable to determine the IP address or hostname of the local system, or if the local system's hostname resolves to a different IP address. These conditions may indicate a problem with the system configuration that could cause certain server components to break or function abnormally. Issue:2318
Change the way that the serverUUID value is generated so that it is based on a combination of the system's primary IP address and the canonical server root path. This can be used to help detect cases in which a new server instance is created by copying the files associated with an existing server instance, which would have previously created two instances with the same serverUUID value. In the event that the stored serverUUID does not match the generated value, a log message will be generated to warn administrators of the change, and the newly-generated UUID will continue to be used. Issue:2470
Update the server to make it possible for proxy transformations to be configured with request criteria. If criteria are defined, then the transformation will only be invoked for operations in which the request matches that criteria. If no criteria are defined, then the transformation will be invoked for all operations. Issue:2321
Improve the output of the ldapsearch tool to mention that a password has expired when the bind occurs. Issue:1981 SF#:1227
Modify the updater so that the --ignoreWarnings option can be used to continue with update when there are warnings related to version compatibility issues. This allows an update to be run in a non-interactive environment, such as a script. Issue:2495
Set the autocomplete flag on the login form of the web console to be explicitly set to false. Issue:2496 SF#:1383
Update the audit logger to use the filtering criteria specified in the configuration. Issue:2443
The admin alerts list no longer includes alert types that are clearly not applicable to the product. Issue:1738
The proxy server no longer generates an alert at startup when an external server's health-check-state is explicitly configured as unavailable. Issue:2359
Update generated command line arguments (such as for dsconfig) to be quoted in a mechanism specific to the operating system where they are generated and to eliminate all escaping with \, which had caused problems when replaying certain commands. This is done with as much portability across systems as possible. Issue:2455
Change peer proxy index priming to respect the health check state if set. A proxy will not prime from a peer proxy in UNAVAILABLE or DEGRADED state. Issue:2201
Improved status command output to better inform the user of how the local server status was determined, based on the arguments provided. Issue:2487
Update cli documentation to include new commands for updating and reverting a server installation. Issue:2573 SF#:1390
Tools using a scope argument are now correctly documented in the CLI documentation. Issue:2594
Several enhancements to the Periodic Stats Logger: all columns in the output can now be turned on/off, many more built-in metrics are available to be logged, and additional custom metrics driven off of cn=monitor entries can be added by creating Custom Logged Status objects. Issue:2039
The proxy installer now supports the option of basing a new server's configuration on an existing proxy server. This feature is invoked when the user indicates during setup that they would like to add the proxy to an existing proxy server topology. Issue:2414
The Proxy Server now includes the 'remove-defunct-server' tool which can be used to remove a server from a set of servers each of which are registered with each other's administrative data. Issue:2640
Change the way abandon and cancel requests are run in order to prevent request handler threads from being detained while these operations wait to get back results. Issue:2631 SF#:1395
The server now issues an alert when it has begun the startup process. Issue:2642
The server now issues an alert when a JVM pause (possibly due to garbage collection) has been detected. Issue:2637
The web console now allows the specification of multiple LDAP servers to be used for authentication and discovery of topology servers. Issue:2466
The web console now supports specification of a server from its login page. Issue:2190
Provide a way to throttle proxy global index priming from Sun DS backend servers to reduce the impact of priming on those servers. This is accomplished through a new configuration property prime-search-entry-per-second and a new reload-index property --searchEntryPerSecond. Issue:2293 SF#:00001353
Fix an issue where global index background priming could produce duplicate values as seen in the monitor entry. Issue:2206
Update the ldappasswordmodify tool to supply the bind password as the user's current password when making a self-change. This is convenient when making a root user password change so that the current password does not have to be specified twice in the command line arguments. Issue:2525
Provide better descriptions in the MIB for SNMP trap variable bindings. Issue:2508
The file-based loggers now optionally support millisecond level precision. Issue:2603
Added an "invoke-gc-day-of-week" property to the Periodic GC Plugin so that it can be configured to run only on certain days of the week. Issue:2660
Update the Periodic Stats Logger so that on shutdown it logs stats from the final interval. Issue:2684
Improve output when JVM errors occur in scripts used to set up environment for command line tools. Issue:2172
Update the default JVM arguments to improve garbage collection tuning.
Update dsjavaproperties to validate that all java-home properties specified in config/java.properties reference valid Java installations. Issue:2719
Add a warning message at proxy server startup if two external servers in the same load balancing algorithm use the same unique ID. Issue:2471
Fix an issue where the alerts backend could write an incomplete LDIF backing file if an error were to occur during the write. Also, if an error in the LDIF file is discovered when the server is started, the alerts backend will now read as much as it can from the file and preserve a copy of the bad file. Issue:2700
Add support for logging intermediate response messages that are returned to the client. Intermediate response logging will be enabled by default, but may be disabled if desired. Issue:2428
Fix a bug where the web-console's schema editor could write object class definitions to the server that did not include the object class's type. This occurred when no attempt to change the default value STRUCTURAL was made in the object class creation dialog. Issue:2749
Address an issue with the web console where it would not allow read-only configuration properties to be set when an object was initially created. Issue:2730
These issues were resolved with version 2.2.0.0 of the Directory Proxy Server:
Modify the command-line argument parsers to generate a warning message if an argument value is the same as the short or long form for another argument. This can help prevent users from forgetting to supply a value for an argument which requires one. Issue:944
Streamline the process for sending responses to LDAP clients to use a stream-based approach and avoid the creation of a number of intermediate objects.
Update the access log format so that result log messages for operations containing certain controls will include information about that control. For the assertion request control, the assertion filter will be provided. For the matched values request control, the matched values filter will be provided. For the pre-read, post-read, and get authorization entry request controls, the requested attributes will be provided. For the join request control, the join rule (including nested join rules) will be provided. For the server-side sort control, the sort order will be provided. For the virtual list view request control, the offset or assertion error, before count, and after count will be provided. For the simple paged results control, the page size will be provided.
Update MakeLDIF to add a "<random:timestamp>" tag that can be used to include a randomly-selected date from any time within the last ten years. It is also possible to use "<random:timestamp:min:max>" to specify the desired time range, where min and max should be given in the generalized time format. Issue:1083
Add support for the stream proxy values extended request, which may be used to prime the PingDirectoryProxy Server global index from another PingDirectoryProxy Server instance. Issue:902
Add a new configuration property for alert handlers that makes it possible to filter the types of alerts that should be processed based on the alert severity. By default, all types of alerts will be processed.
Modify the prepare-external-server tool so that it will look for trust store and password files in the default locations when using SSL or StartTLS and the locations of those files are not explicitly provided.
Provide a new alert handler that can be used to execute a specified command whenever an alert is generated within the server. The details of the alert notification will be provided as arguments when executing that command. The arguments will be provided in the following order: the name of the alert type, the OID for the alert type, the alert severity, the fully-qualified name of the Java class that generated the alert, the unique identifier assigned to that alert, and the text of the alert message. The alert handler will ensure that only one instance of the command may be invoked at a time to avoid problems from commands that aren't safe to run concurrently. If multiple alerts are generated concurrently, then they will be queued and the command will be executed sequentially for each of them. Issue:1146
Update the ldapsearch and ldapmodify tools so that in the event that an error response is received from the server, the diagnostic message from that error response will be displayed to the user rather than the generic error message that had previously been used.
Add a new error log alert handler, which makes it possible to control which types of alerts should be logged (based on either the alert severity or specific alert type). Further, the severity of the log message will reflect the severity of the alert notification.
Update the collect-support-data tool to archive information about the upgrade history of the server installation.
Generate administrative alerts for any operation which results in a change to the defined set of access control rules in the server, including global ACIs. Issue:1203
Modify the enter-lockdown-mode and leave-lockdown-mode tools to allow them to connect to any local address rather than requiring the request to be sent over the loopback address. Issue:1144
Provide the ability to force an explicit garbage collection on startup if the initialization of any request processor takes longer than a specified period of time. This can help improve garbage collection behavior in the PingDirectoryProxy Server when a global index is enabled and automatically primed on startup.
Update the LDAP connection handler to disable TLS renegotiation by default, which can eliminate a vulnerability in which a man-in-the-middle could potentially inject arbitrary cleartext between TLS negotiation and initial data from the client.
Avoid setting the "-XX:ParallelCMSThreads" JVM argument on systems containing a single CPU. This option has been observed to cause the JVM to fail to run properly, particularly in virtualized environments. Issue:1300
Update the active operations monitor entry to include attributes which provide the number of operations and persistent searches currently in progress within the server.
Add a configuration option to the PingDirectoryProxy Server which can be used to control what types of operations should be re-tried in the event of a failure which indicates the operation might succeed on an alternate server. By default, it will not attempt to re-try add operations, as that could potentially introduce a replication conflict in the event that the initial add operation actually succeeds on the first server (but the Directory Proxy Server considers it a failure, e.g., because of a timeout) and the re-try succeeds on a second.
Add configuration options to the PingDirectoryProxy Server that make it possible to have different response timeouts for read and write operations, as well as potentially using a longer timeout for the last server to be tried than was used for earlier attempts.
Update the entry-balancing request processor to provide the ability to search all servers in each backend set to determine if an entry already exists when performing an add. This can help prevent duplicate entries when a client attempts to add the same entry multiple times in quick succession.
Add a new entry placement algorithm which can be used to select an appropriate backend set based on an MD5 digest of the normalized representation for the DN of the entry to be added. This can be used to ensure that repeated attempts to add an entry will always be sent to the same backend set.
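The digest-based placement described above, as an added illustration rather than the product's own entry placement algorithm. The DN normalization here (lower-casing attribute types and values and trimming whitespace around RDN separators) is a deliberate simplification of LDAP matching rules, and mapping the digest onto a backend set with a modulo is an assumption; the point shown is that every spelling of the same DN lands on the same backend set.

```python
"""Hash-based entry placement: pick a backend set from MD5(normalized DN)."""
import hashlib
from typing import List


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization so that equivalent spellings hash alike.

    Assumption: attribute types and values are case-insensitive and RDNs are
    separated by unescaped commas. Real normalization depends on each
    attribute's matching rule and must honour escaped separators.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def select_backend_set(dn: str, backend_sets: List[str]) -> str:
    """Deterministically map a DN to one of the configured backend sets.

    MD5 is used only for an even, stable distribution of keys, not for any
    security property, so its collision weaknesses do not matter here.
    """
    if not backend_sets:
        raise ValueError("at least one backend set is required")
    digest = hashlib.md5(normalize_dn(dn).encode("utf-8")).digest()
    index = int.from_bytes(digest, "big") % len(backend_sets)  # assumed mapping
    return backend_sets[index]


if __name__ == "__main__":
    sets = ["set-1", "set-2", "set-3"]  # constructed backend set names
    for dn in ("uid=jdoe,ou=People,dc=example,dc=com",
               "UID=JDoe, ou=people, DC=Example, DC=com"):
        print(dn, "->", select_backend_set(dn, sets))
```

Because a retried add carries the same DN, it is routed to the same backend set as the first attempt, which is what lets the server detect the duplicate instead of creating it twice.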
Update the UnboundID work queue to change the default capacity from unlimited to 1000 operations, and to add the ability to block for a specified period of time (up to 60 seconds by default) if the work queue is full before giving up and rejecting the operation. This can help prevent clients using asynchronous requests from being able to continually enqueue requests without bound.
Update the server to provide the ability to keep track of the length of time that an operation was required to wait on the work queue before being picked up for processing by a worker thread. This can be used to identify cases in which client threads were forced to wait for a long time for a worker thread to become available, which may indicate a configuration problem or problems due to an inefficient client. It is also possible to define the maximum length of time that an operation may be allowed to wait on the work queue before being rejected with a "busy" response. If queue time monitoring is enabled, then it will appear in access log messages and in the processing time histogram monitor entry, and it may be used in simple result criteria objects.
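The two work-queue behaviours just described (a bounded queue that blocks for a limited time before rejecting with "busy", and a per-operation queue-time limit) as one added example. This is not the product's work queue; the injectable clock and the string used to stand in for the LDAP busy result code are assumptions made so the behaviour can be exercised deterministically.

```python
"""Bounded work queue with an enqueue timeout and queue-time tracking."""
import queue
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

BUSY = "busy"  # stands in for LDAP resultCode busy (51)


@dataclass
class QueuedOperation:
    name: str
    enqueued_at: float  # clock reading when the operation entered the queue


class WorkQueue:
    def __init__(self, capacity: int = 1000,
                 max_enqueue_wait_seconds: float = 60.0,
                 max_queue_time_seconds: Optional[float] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # Defaults mirror the release notes: 1000 operations, block up to 60 s.
        self._queue: "queue.Queue[QueuedOperation]" = queue.Queue(maxsize=capacity)
        self._max_enqueue_wait = max_enqueue_wait_seconds
        self._max_queue_time = max_queue_time_seconds
        self._clock = clock  # assumption: injected so tests control time
        self.max_observed_queue_time = 0.0  # feeds a processing-time histogram

    def submit(self, name: str) -> Optional[str]:
        """Enqueue an operation from a request handler.

        Returns None on success, or BUSY if the queue stayed full for the
        whole wait period. An asynchronous client therefore cannot enqueue
        requests without bound.
        """
        try:
            self._queue.put(QueuedOperation(name, self._clock()),
                            block=True, timeout=self._max_enqueue_wait)
        except queue.Full:
            return BUSY
        return None

    def take(self) -> Tuple[QueuedOperation, float, Optional[str]]:
        """Dequeue the next operation for a worker thread.

        Returns (operation, seconds waited on the queue, BUSY or None). An
        operation that waited longer than the configured limit is rejected
        rather than processed, so stale requests do not consume a worker.
        """
        op = self._queue.get(block=True)
        waited = self._clock() - op.enqueued_at
        self.max_observed_queue_time = max(self.max_observed_queue_time, waited)
        if self._max_queue_time is not None and waited > self._max_queue_time:
            return op, waited, BUSY
        return op, waited, None
```

A long max_observed_queue_time with few busy worker threads points at a configuration problem (too few workers, or workers blocked elsewhere), whereas a steady stream of BUSY results under a full queue points at a client that floods the server.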
Update the work queue monitor entry to include a num-busy-worker-threads attribute which indicates the number of worker threads that are in the process of actively processing a request rather than waiting for new work to do.
Add a new Periodic Stats Logger plugin, which can be used to write various server statistics to a file in CSV format with detailed information about processing that occurred within the Directory Server or PingDirectoryProxy Server, as well as the JVM in which the server is running, within the interval since the last update.
Update the PingDirectoryProxy Server to provide support for failing over to an alternate server in the course of priming the entry balancing global index.
Update the server so that it will return a result of "unavailable" rather than "unwilling to perform" for operations from unauthorized clients when operating in lockdown mode.
Add a number of new access loggers to the server configuration which may be used to troubleshoot problems in the server. One will log information about any operation which did not complete successfully to the logs/failed-ops log file. Another will log information about any operation which takes more than 1000 milliseconds to complete to the logs/expensive-ops file. Another will log information about search operations which did not return any entries to the logs/searches-returning-no-entries file. Of these new loggers, only the one writing to the logs/failed-ops file is enabled by default.
Add the ability to configure the set of result codes that will cause a connection to be considered defunct by the PingDirectoryProxy Server so that a new connection will be created and the existing connection terminated.
Update the UnboundID work queue to add support for maintaining separate pools of worker threads for read and write operations, which can help minimize the performance impact for read operations in the event that write operations are temporarily blocked by expensive processing (e.g., database contention, I/O backlog, etc.). It is also possible to split worker threads across multiple internal queues for reduced contention. This has been observed to provide significantly improved performance on systems with large numbers of CPUs.
Add a new load-balancing algorithm which will select the backend server to use for an operation by choosing the server with the fewest number of operations already in progress (it will also take the location and health of the server into account). This can help avoid excessive backlogs on one server if something causes it to behave more slowly than the other servers in the environment. This is the new default load-balancing algorithm used when creating an initial proxy configuration.
Update the system information monitor entry to include information about the system account being used to run the server and a list of all system properties defined in the JVM.
Update the UnboundID work queue to provide the ability to select the type of queue to be used. Also, update the LDAP connection handler to provide the ability to create a separate request handler thread for each connection, rather than allowing request handlers to potentially read requests from multiple clients.
Add support for a number of different types of resource limits within the server, including: the maximum number of connections that may be established at any given time, the maximum number of concurrent connections from any client (based on either IP address or bind DN) or group of related clients, the maximum number of operations that may be processed over the life of a client connection, the maximum number of operations that may be processed concurrently for a single client connection, the maximum rate at which a single client or a group of related clients may request operations, the maximum length of time that a client connection may remain established, the types of request controls which may be used, the types of search filters which may be used, the minimum number of characters required in substring filters, and caps on resource consumption allowed during search operations.
Add a new global configuration option which makes it possible to specify the maximum length of time that the server shutdown process may take before it attempts to interrupt threads which have not yet completed their processing. In most cases, server threads will react to a shutdown in a timely manner and no interrupt is needed.
Add the ability for a proxy transformation to return entries and/or search result references which would not have otherwise been returned to the client (e.g., entries generated within the proxy transformation or obtained from some other source).
Update the failover request processor so that it has the ability to re-try a search operation using an alternate request processor if that search completed successfully but did not return any entries. This may be useful in cases in which servers may not always have an identical set of content.
Add a new proxy transformation which can be used to supply default values for a specified attribute in add request and/or search result entries. It can be configured to only supply default values if the target attribute is missing, or to always use the default values instead of or in addition to any existing values that were already present. Issue:1589
Make a change to the UnboundID work queue in order to provide a small performance improvement.
Update the PingDirectoryProxy Server so that if a backend server is explicitly configured to have a health check state of "unavailable", no attempt will be made to communicate with that server. Issue:1512
Update the PingDirectory Server so that access log messages for extended operations now include human-readable names for the operation type in addition to the numeric OID when possible.
Fix a bug in the parallel-update tool that could cause operations to be retried even when the --neverRetry argument was provided. Also, when the tool is configured to retry operations, the reject file will now include the result code and diagnostic message received from the last failure after no more progress can be made, rather than providing a generic message.
Update the PingDirectoryProxy Server so that it will adhere to the client-requested size limit in an entry-balancing configuration. Issue:877
Fix a bug in the collect-support-data tool that could cause it to make incorrect use of a password file when capturing the output of the status command. Issue:1593
Update the SNMP alert handler so that the traps it creates have a more sensible value for the uptime field. Previously, the uptime value was always zero, but it will now reflect the length of time that the PingDirectory Server has been online.
Update the PingDirectoryProxy Server so that the connection pools associated with an LDAP external server will be closed and recreated whenever the health of that server transitions from unavailable to either available or degraded. This will ensure that the server does not contain any references to connections that may have been established before the server was initially classified as unavailable. Issue:1599
Fix a bug in which LDAP request handlers might not properly close the selectors used to read requests from clients. This could cause a memory leak over time, particularly in servers configured to use the request-handler-per-connection option.
Improve the access log message generated whenever a connection is terminated because of a decoding error encountered while reading data from the client. The message will now include the contents of the packet received from the client, indicating the point at which the problem was encountered.
Fix a bug in the LDAP connection handler in which the server could incorrectly handle a request in which the ASN.1 length of the LDAP message was encoded using multiple bytes that were split across separate packets.
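The parsing edge case behind this fix, as an added example that is not the product's connection handler code: an LDAPMessage is a BER SEQUENCE whose length may be encoded in long form (0x82 followed by two length bytes, for instance), and nothing guarantees that all of those bytes arrive in one read. The reader below buffers until the complete header is present instead of acting on a partial length; the maximum message size is an assumed defensive cap.

```python
"""Incremental BER length decoding that tolerates a length split across reads."""
from typing import List, Optional, Tuple

SEQUENCE_TAG = 0x30  # every LDAPMessage is a BER SEQUENCE


def decode_header(buf: bytes) -> Optional[Tuple[int, int]]:
    """Return (header_length, content_length) once the tag and the complete
    length field are present in buf; return None when more data is needed."""
    if len(buf) < 2:
        return None
    if buf[0] != SEQUENCE_TAG:
        raise ValueError(f"expected SEQUENCE tag 0x30, got 0x{buf[0]:02x}")
    first = buf[1]
    if first < 0x80:                 # short form: one length byte
        return 2, first
    if first == 0x80:                # indefinite length is not permitted in LDAP
        raise ValueError("indefinite-length encoding is not allowed in LDAP")
    num_bytes = first & 0x7F         # long form: number of following length bytes
    if num_bytes > 4:
        raise ValueError("length field too large")  # defensive cap
    if len(buf) < 2 + num_bytes:
        return None                  # the length bytes themselves are still in flight
    content_length = int.from_bytes(buf[2:2 + num_bytes], "big")
    return 2 + num_bytes, content_length


class MessageReader:
    """Accumulates bytes read from a client and yields complete messages."""

    def __init__(self, max_message_size: int = 1 << 20) -> None:  # assumed cap
        self._buf = bytearray()
        self._max = max_message_size

    def feed(self, chunk: bytes) -> List[bytes]:
        """Append one read's worth of data; return every message completed by it."""
        self._buf.extend(chunk)
        messages = []
        while True:
            header = decode_header(bytes(self._buf))
            if header is None:
                break                                # need more bytes for the header
            header_len, content_len = header
            if content_len > self._max:
                raise ValueError("message exceeds maximum size")
            total = header_len + content_len
            if len(self._buf) < total:
                break                                # need more bytes for the body
            messages.append(bytes(self._buf[:total]))
            del self._buf[:total]
        return messages


if __name__ == "__main__":
    # Constructed 300-byte payload, so the length is long form: 0x82 0x01 0x2c.
    message = b"\x30\x82\x01\x2c" + b"\x02\x01\x01" + b"A" * 297
    reader = MessageReader()
    for part in (message[:2], message[2:3], message[3:104], message[104:]):
        print(len(part), "bytes ->", len(reader.feed(part)), "message(s)")
```

Rejecting indefinite lengths and capping the length field are the checks a defender wants here: a client that can make the server misread a length can desynchronize the stream or drive allocation from a bogus size.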
Improve the process for stopping threads when the server is shutting down, and provide additional debugging information that may be useful if any threads are slow to stop running. Issue:900
Update the ldap-diff tool to take advantage of the stream directory values extended operation when it is available. This can dramatically improve the performance of the tool when attempting to identify the set of all entries in the server. Issue:794
Update the ldap-diff tool to provide support for reading the DNs of all the entries in one or both directories from files instead of obtaining them over LDAP. In directories which do not support the stream directory values extended operation, this may provide a significantly faster way to obtain this information if it is already available in some form.
Fix a bug in the ldap-diff tool that could cause it to report incorrect percent complete values when comparing data sets of more than 20 million entries.
Change the default access log format to log only a single line per operation containing details of both the request and response rather than separate lines for requests and responses. In the case of the PingDirectoryProxy Server, that single line will also include information about the backend server to which the request was forwarded, although forward failure messages will still be logged as separate lines by default. Issue:1677
Update the PingDirectory Server to add support for interrupting the stream directory values extended operation in the event that the client connection is terminated or the request is abandoned or canceled.
Update a number of password storage schemes using salted digests to provide support for salts of arbitrary length rather than requiring them to use a fixed length. This can be useful for encoded passwords imported from external sources.
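What "salts of arbitrary length" means for a salted digest, as an added example rather than the product's password storage scheme code. It uses the widely used {SSHA} layout base64(digest || salt): SHA-1 output is a fixed 20 bytes, so everything after those bytes is the salt, whatever its length. The sample passwords and salts are constructed inline.

```python
"""Verify {SSHA} (salted SHA-1) passwords whose salt may be any length."""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes, fixed by the algorithm


def encode_ssha(password: str, salt: bytes) -> str:
    """Encode a password; the salt length is whatever the caller supplies."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def new_ssha(password: str, salt_len: int = 8) -> str:
    """Encode with a freshly generated random salt of the requested length."""
    return encode_ssha(password, os.urandom(salt_len))


def _split(stored: str) -> tuple:
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) < DIGEST_LEN:
        raise ValueError("encoded value is shorter than a SHA-1 digest")
    # Everything after the fixed-size digest is the salt: 4, 8, 32 bytes, or none.
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def salt_length(stored: str) -> int:
    """Report how many salt bytes an imported value carries."""
    return len(_split(stored)[1])


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        digest, salt = _split(stored)
    except ValueError:
        return False
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```

Accepting any salt length is what makes values imported from other directories verifiable without re-hashing. Salted SHA-1 itself is a legacy scheme: it is fast to brute-force, so new passwords should be stored with a deliberately slow scheme (PBKDF2, bcrypt, scrypt or Argon2) and imported {SSHA} values migrated on next successful bind.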
Fix a bug in the upgrade tool that could cause the same warning message multiple times if the version obtained from the server was different from what was expected (e.g., because a server jar file had previously been replaced without using the upgrade tool). Issue:1640
Modify the default work queue to make use of multiple queues by default, which can improve performance and scalability on multi-CPU systems.
Update the PingDirectoryProxy Server to increase the number of worker threads that will be used by default on systems reporting the presence of at least eight CPUs.
Update the parallel-update tool to add the ability to use the permissive modify request control, which may be used to request that the server ignore attempts to add attribute values which are already present or remove attribute values which are not present.
Update the ldap-diff tool to make it more likely that its output can be replayed without any alteration. The order of operations has been updated so that all deletes are listed first, followed by all modifies, and finally all adds. In addition, all delete operations are ordered such that subordinate entries will always be removed before their ancestors.
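The replay ordering described here, as an added example that is not the ldap-diff tool's own code: deletes first with subordinates before ancestors, then modifies, then adds. Going one step beyond the note, adds are ordered ancestors before subordinates, since LDAP requires a parent entry to exist before its children can be added. Counting RDNs while honouring backslash-escaped commas is the only DN parsing needed.

```python
"""Order a set of directory changes so that replaying them cannot fail on
dependency between entries."""
from typing import List, Tuple

Change = Tuple[str, str]  # (operation, dn); operation in {"delete", "modify", "add"}


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas (a "\\," inside a value stays)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def dn_depth(dn: str) -> int:
    """Number of RDNs; a subordinate entry is always deeper than its ancestor."""
    return len(split_rdns(dn))


def order_changes(changes: List[Change]) -> List[Change]:
    """Deletes (deepest first), then modifies, then adds (shallowest first).

    sorted() is stable, so entries at the same depth keep their input order.
    """
    for op, _ in changes:
        if op not in ("delete", "modify", "add"):
            raise ValueError(f"unknown operation {op!r}")
    deletes = sorted((c for c in changes if c[0] == "delete"),
                     key=lambda c: -dn_depth(c[1]))
    modifies = [c for c in changes if c[0] == "modify"]
    adds = sorted((c for c in changes if c[0] == "add"),
                  key=lambda c: dn_depth(c[1]))
    return deletes + modifies + adds


if __name__ == "__main__":
    # Constructed sample diff between two directories.
    sample = [
        ("add", "uid=new,ou=People,dc=example,dc=com"),
        ("delete", "ou=Old,dc=example,dc=com"),
        ("modify", "uid=jdoe,ou=People,dc=example,dc=com"),
        ("delete", "uid=a,ou=Old,dc=example,dc=com"),
        ("add", "ou=Groups,dc=example,dc=com"),
        ("delete", "cn=x\\, y,uid=a,ou=Old,dc=example,dc=com"),
    ]
    for op, dn in order_changes(sample):
        print(f"{op:7s} {dn}")
```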
Update the scripts used to stop the server to prevent them from falling through to try to stop the server over LDAP if the attempt to kill the process fails or times out, since the attempt to stop the server over LDAP would fail without at least the appropriate authentication credentials, and could potentially be dangerous in some contexts.
Update the system information monitor entry to include information about all environment variables defined in the server process. In addition, it will now attempt to determine and report the process ID of the JVM in which the server is running.
Update the logic for sending an e-mail message from the server so that it will always attempt to determine the fully-qualified name of the system to include in the HELO/EHLO request. In the event that the fully-qualified name cannot be determined, then the IP address of the server will be used rather than using an unqualified name. Issue:1337
Update the server to make it possible to configure the length of time that name-to-IP address mappings may be cached within the server. This may be useful in environments in which the addresses associated with a particular hostname may change frequently. Issue:941
Update the upgrade and revert-upgrade tools to ignore directories that contain backup files. Issue:1143
Update the PingDirectory Server to change the implementation of the show-all-attributes configuration option in the schema and root DSE backends to be more robust, particularly for client requests that explicitly request a specific set of attributes. Issue:1590
Updated the logic used to identify previous log files that had been rotated so that only files with names that might have been created by the rotation process will be candidates for removal by the retention policy. Issue:1285
Update the PingDirectory Server to add a search shutdown plugin which can be used to perform a specified internal search when the server is shutting down and have the results of that search written to a specified file. This may be useful, for example, to automatically dump the contents of the monitor backend on shutdown. Issue:1334
Update the server so that when creating a duplicate of an existing configuration object, some key properties may be excluded from the clone so that they must be explicitly configured by the administrator rather than automatically using the same value as the object being duplicated. This can help prevent problems in which a duplicated value was inadvertently used. Issue:1675
Add support for a new CLIENT-CERTIFICATE access log message type which can be used to log information about any certificate presented by a client when negotiating a secure communication channel. Issue:1756
Update the PingDirectory Server to provide an option to automatically authenticate clients that have presented their own certificate during SSL or StartTLS negotiation. This option is disabled by default. Issue:1748
Update the PingDirectoryProxy Server so that it provides the ability to recognize and react to configuration changes made to single-server load-balancing algorithms without the need to restart the server or disable and re-enable the load-balancing algorithm. Issue:1770
Update the PingDirectoryProxy Server to add a new proxy transformation that may be used to intercept a simple bind request and attempt to process it instead as a SASL EXTERNAL bind if the client had already presented a certificate during SSL or StartTLS negotiation. In the event that the SASL EXTERNAL bind attempt fails, then the simple bind may optionally be processed instead. Issue:1749
Update the PingDirectoryProxy Server to return an unavailable result to clients in the event that a search request needs to use entry balancing but one or more of the backend sets needed for processing that request does not have any servers which may be used to process that operation. Previously, the server may have incorrectly returned a success response with no matching entries. Issue:1733
Fix a bug that may cause intermittent failures for search operations with large result sets when SSL or StartTLS is in use. Issue:1330
Add a plugin which may be used to allow the server to act as an SNMP sub-agent rather than requiring it to always operate only as a master agent. Issue:1723
Update the PingDirectoryProxy Server to detect and properly configure Red Hat Directory Server instances for use as backend servers, including the related open source Fedora and 389 Directory Server instances. Issue:1751
Update the PingDirectoryProxy Server to add the ability to define a number of reserved worker threads that will only be enabled for use if no local servers are available for use so that all communication will target remote servers. In such cases, additional worker threads may be needed to compensate for the increased latency of communication with remote servers. Issue:1857
Update the setup process so that the server will be configured without an LDAP connection handler if the "--no-prompt" argument is provided without an "--ldapPort" argument. This option is only available for use when using the non-interactive setup mechanism. Issue:1759
Update the server to improve logging performance under heavy load, particularly on systems with relatively slow single-threaded performance.
Change the behavior of the dsconfig tool when creating a new configuration object so that the user will first be prompted about whether to create a completely new configuration object or clone an existing object. This simplifies the interface and makes it less likely that an administrator will incorrectly attempt to clone an existing object rather than creating a new one. Issue:1747
Update a number of access log retention policies to make them more robust and to fix bugs that could prevent old log files from being removed when the appropriate conditions were met. Over long periods of time, this could potentially cause available disk space to run low and necessitate the manual removal of files to avoid running out of space. Issue:1867
Modify the upgrade process so that schema definitions are always migrated before the configuration. In some rare cases, attempting to migrate the configuration before the schema could lead to failures in the upgrade process. Issue:1812
Update the server to include more useful information in access log messages reporting the closure of a client connection as a result of an I/O error.
Update the repeated characters password validator to provide the ability to reject a password if it contains multiple consecutive characters from the same character set, rather than only rejecting passwords with the same character repeated too many times. Issue:1940
Update the PingDirectory Server to fix potential problems in its support for SSL or StartTLS communication if the server was not able to access a complete block of encrypted information at once. Issue:1330
Update the PingDirectoryProxy Server to prevent the administrator from attempting to configure a client connection policy with multiple subtree views that have the same base DN. Issue:1650
Fix a bug that could prevent a disabled access logger from being removed from the server configuration.
Update the server to prevent multiple loggers from being configured with the same target log file. Issue:1676
Significantly revise the upgrade tool in an attempt to make it more robust and minimize the amount of work required for performing an upgrade. Issues:1927,1931,2031,2037
Add support for a new search-and-mod-rate command line tool which operates in a manner similar to the searchrate tool but that will also modify any entries returned from the search.
Fixed a potential bug in the way that the search time limit is enforced that could cause a time limit exceeded result to be returned too soon in a rare corner case.
Rename the upgrade tool to be "update", and rename the revert-upgrade tool to be "revert-update".
Update the PingDirectoryProxy Server to generate an administrative alert if an error occurs while attempting to communicate with a backend server while a proxy component is being initialized. Previously, that server would not be used and would be listed as unavailable in the server monitor information, but no alert would be generated. Issue:1761
Update the PingDirectoryProxy Server to add the ability to limit the rate at which expired connections will be closed to prevent a large number of connections from being closed and re-established in a short period of time. Also, add the ability to invoke some level of health checking on connections which are part of the connection pool rather than only performing health checking on separate connections.
Update the PingDirectory Server to make the lockdown-mode privilege usable by non-root users. Issue:1109
Update the server so that it includes a patch version number in addition to the existing major, minor, and point version numbers. This can help better distinguish versions with the same major, minor, and point version numbers which differ only based on patches applied.
Update the PingDirectory Server to abort the startup process with an error message if the admin data backend includes a malformed entry. Previously, malformed entries in the admin data backend would be silently ignored. Issue:2049
Update the PingDirectoryProxy Server to immediately return an error to the client if a failure occurs while processing a search operation that has already returned one or more entries. Previously, the search might have been re-tried on an alternate server, which could cause duplicate entries to be returned.
Update the collect-support-data tool to change the way that the jstack tool is invoked to dramatically reduce the impact that it has on the running process. Issue:2038
Update the PingDirectoryProxy Server so that the create-initial-proxy-config tool correctly creates an entry balancing request processor. Issue:2121
Update the PingDirectoryProxy Server to add the ability to collect high-precision timing for proxy-related processing components.
Update the export-ldif and verify-index tools so that they can be used against a server whose database files are contained on a read-only file system, including a ZFS snapshot. Issue:71
Update the alert backend to be able to handle entries with unrecognized alert types. This is unlikely to occur in normal conditions, but could cause a problem in deployments in which the server was upgraded and subsequently reverted, and an alert was generated in the upgraded server that uses an alert type not defined in the older version. Issue:2126
Change the way that the worker thread percent busy values are calculated in the work queue monitor entry to make them more accurate. Also, add new recent-average-queue-size and current-worker-thread-percent-busy monitor attributes. Issue:1982
Update the PingDirectoryProxy Server to ensure that any controls configured to be passed through the proxying request processor also appear in the list of supported controls in the root DSE.
Modify the update process to require that the system user performing the update is the same as the system user used to run the server. This will help prevent files from being created or altered during the update process with permissions that would prevent the server from being able to access them when the server is started as the appropriate user. Issue:2158
Update the PingDirectoryProxy Server so that the create-initial-proxy-config and prepare-external-server tools will provide a better error message if a problem occurs while trying to update the target server (e.g., to add a proxy user account or modify the set of defined access controls). The error message will include an LDIF representation of the changes that may need to be manually applied to ensure correct operation. Issue:1699
The SNMP MIB files have been moved to resource/mib. There are now no differences in the alert MIB provided with PingDirectory Server and PingDirectoryProxy Server. Issue:2170
Modify the update tool to ensure that the documentation is updated for the new release if appropriate. Issue:2178
Update the PingDirectoryProxy Server to fix problems around priming the global index, including reporting the incorrect time and throwing an exception if priming against another PingDirectoryProxy Server whose external server definition does not include a location. A fix was also included for a problem that could cause the Directory Proxy Server to take an excessive length of time to shut down. Issues:1283,2112,2113,2183
Update the dsconfig tool and the Web administration console so that they inform the administrator of any administrative action (e.g., disabling and re-enabling the specified component, or restarting the server) that may be required as a result of a configuration change that is about to be made. Issues:211,2132
Update the subject attribute to user attribute certificate mapper to provide support for VeriSign certificates whose subject contained an emailAddress attribute with an unusual encoding. Issue:2177
Fix a bug in the PingDirectoryProxy Server that could cause global index priming to fail against a backend server that did not support the stream directory values extended operation. Issue:2224