We have just released the Ping Identity Directory Server version 220.127.116.11. It’s a pretty big release with several new features, enhancements, and bug fixes. You can keep reading (or see the release notes) for a pretty comprehensive overview of what’s included, but here are the highlights:
- Composed attributes, which are like constructed virtual attributes, except that their values are computed when the entry is created or updated, and they can be indexed for much faster searches.
- A new JSON-formatted virtual attribute that exposes all kinds of password policy state information.
- Alternative failure lockout actions, like delaying the bind response after too many failed authentication attempts instead of actually locking the account.
- Support for SASL integrity and confidentiality when using GSSAPI.
- Authentication support for the file servlet, and a default instance that allows administrators to access files below the server instance root over HTTPS.
- It’s easier to run collect-support-data and manage-profile generate-profile remotely without needing command-line access to the server.
- Improvements to the character set and attribute-value password validators, and significant updates to the banned password lists used by the dictionary password validator.
- Several command-line tool improvements.
- Performance improvements.
We added a new composed attribute plugin, which allows the server to generate values for an attribute from a combination of static text and the values of other attributes in the same entry. Composed attributes behave much like constructed virtual attributes, but the composed values are computed when the entry is created or updated, and they are stored in the database. This means that the values can be indexed, and it is possible to compose values for attributes that are required by one or more of the entry’s object classes. A new “populate composed attribute values” task allows you to generate composed values for entries that already existed at the time the composed attribute was enabled.
We added support for a new ds-pwp-state-json virtual attribute whose value is a JSON object with a comprehensive overview of the associated user’s password policy state and related configuration from their password policy. The UnboundID LDAP SDK provides enhanced support for extracting data from this virtual attribute, but any JSON API should be able to parse the value.
We updated the password policy to add support for alternative failure lockout actions. As an alternative to completely locking a user’s account after too many failed authentication attempts, it is now possible to delay the responses to subsequent bind operations as a way of imposing a rate limit on authentication attempts. It is also possible to use a “no-op” action that does not have any client-observable effect but can be used to make administrators aware of the issue through the server’s support for account status notifications.
We updated our support for the GSSAPI SASL mechanism to include support for the auth-int and auth-conf quality of protection (QoP) values. We previously supported GSSAPI for authentication only, but it is now possible to sign or encrypt all subsequent communication on the connection with a key negotiated during the authentication process.
We updated the file servlet to support HTTP basic authentication. If authentication support is enabled, you can optionally restrict access by group membership or with the new file-servlet-access privilege (which is included in the set of default privileges that can be automatically inherited by root users or topology administrators). The server is now configured with an instance of this file servlet at /instance-root that provides access to files within the server instance root to users with the file-servlet-access privilege. This servlet provides more convenient access to server files for instances running in containers or other environments where filesystem access is not readily available.
We made several improvements to the collect-support-data tool. They include:
- The server now supports an extended operation that a remote client can use to invoke the collect-support-data tool on the server and stream the resulting archive back to the client. This can be especially useful if the server is running in a container or other kind of environment without convenient command-line access. This extended operation can be requested by adding the --useRemoteServer argument to the command line, or it can be used programmatically through the UnboundID LDAP SDK for Java.
- The server now allows running collect-support-data as either a one-time task or a recurring task. The recurring task allows the server to automatically generate support data archives at regular intervals. The UnboundID LDAP SDK for Java has been updated to allow you to create an instance of the task programmatically.
- The tool now offers an --outputPath argument that allows you to specify the path for the resulting support data archive. The path can target either a file or a directory, and if you specify a directory, then the file will be created in that directory with a name that the tool generates.
- If the Delegated Admin application is configured in the server, collect-support-data will now capture its config.js configuration file, its version file, and any files used to create custom UI fields.
We made several improvements to the manage-profile tool, including:
- The server now allows running manage-profile generate-profile as either a one-time task or a recurring task. The recurring task allows the server to generate an up-to-date profile at regular intervals. The UnboundID LDAP SDK for Java has been updated to allow you to create an instance of the task programmatically.
- The manage-profile generate-profile subcommand now offers a --zip argument that will cause it to package the generated server profile in a zip file.
- The manage-profile generate-profile subcommand now excludes the contents of the server’s bak and ldif directories by default, which can make the resulting server profiles much smaller.
- We fixed an issue that could prevent the manage-profile replace-profile subcommand from creating new local DB backends through dsconfig batch files.
- We fixed an issue that could prevent the manage-profile replace-profile subcommand from correctly exporting and re-importing data from a server with multiple backends.
- We fixed an issue that could cause the server to warn about unexpected offline configuration changes the first time it was started after running manage-profile setup or manage-profile replace-profile.
- We updated the manage-profile replace-profile subcommand so that it always requires a license file in the profile to apply. It is now easier to install a new license when updating the server to a new version.
- We updated the manage-profile replace-profile subcommand so that it will check for any encryption-related arguments in the setup-arguments.txt file. If they are present, it will export the data to LDIF before applying the new profile, and it will re-import it after applying the profile.
- We fixed an issue in which manage-profile replace-profile could fail to update recurring task chains.
- We fixed an issue in which manage-profile replace-profile would not allow you to enable the LDAP changelog backend.
We made several updates to our SCIM support, including:
- The server now allows you to join separate objects that will be returned as a single SCIM 2 resource object.
- We updated our support for SCIM 2 PATCH operations so that they now require the schemas request attribute to be “urn:ietf:params:scim:api:messages:2.0:PatchOp” as per RFC 7644.
- We updated SCIM 1.1 to use JSON-formatted responses by default when the request does not specify the expected content type.
- We fixed a potential memory leak that could arise when processing SCIM requests.
The server now uses the 5.1.0 release of the UnboundID LDAP SDK for Java. In addition to several behind-the-scenes improvements, this also includes several improvements that are reflected in command-line tools, like:
- Better default certificate trust settings for many of the tools that are provided with the server. In most cases, if you want to use a secure connection but don’t specify any trust-related arguments, the tool will automatically trust the certificates for any server in the topology.
- Many of the tools that offer an interactive mode now use a more streamlined flow for obtaining the information needed to connect and authenticate to the server. It will prefer secure communication over insecure, and it can read the server configuration to determine the default port to suggest for the connection.
- We updated ldapsearch to improve its usefulness in shell scripts. It is easier to extract attribute values to assign to script variables, and you can optionally have the tool exit with an error if the search completes successfully but does not return any entries.
- We made several updates to the summarize-access-log tool so that it can now report on a lot of additional things like the use of TLS protocols and cipher suites, the most common authentication and authorization DNs, and information about the most expensive or biggest searches.
We improved performance for index-related processing when importing data from LDIF.
We improved the server’s performance when updating a composite index key that matches a very large number of entries.
We added support for caching password policies defined in user data rather than in the configuration, which can improve performance for password policy-related processing for entries making use of those policies.
We updated the character set password validator to make it possible to indicate that passwords must include characters from at least a specified number of character sets. For example, if you define sets that include lowercase letters, uppercase letters, digits, and symbols, you can require passwords to contain characters from at least three of those sets.
We updated the attribute-value password validator to make it possible to specify a minimum substring length when checking to see if the password contains the value for any other attribute in the user’s entry. This can help avoid problems with entries that have attributes with short values (especially values that are just one or two characters long).
We added a new “Replication Purge Delay” gauge that can help prevent administrators from setting a replication purge delay that is too low. If a server instance is offline for longer than the purge delay, it can be unable to re-join the replication topology when it is started because it missed changes that are no longer available in any of the other replicas.
We improved the logic that the server uses to automatically select an appropriate set of TLS cipher suites. It now does a better job of prioritizing the order for the cipher suites it selects, including preferring TLSv1.3-specific suites if they are available. This logic will also be used when creating LDAP client connections in command-line tools or server components that establish secure connections to other servers. This automatic selection can still be overridden by explicitly specifying the set of TLS cipher suites that should be used.
We updated the create-systemd-script tool so that it generates a forking service file, which is a better fit for the server because the process ultimately used to run the server is different from the start-server script used to launch it.
We updated the installer to require a minimum Java heap size of 768 megabytes when setting up the server.
We improved the logic used to automatically select the cache size for the replication database. The previously selected cache size could be too small under certain circumstances, which could cause the replication database to have an unnecessarily large on-disk footprint.
We updated the status tool to use more efficient search requests when retrieving replication state information.
We changed the behavior of the bypass-pw-policy privilege. It could previously allow a user to exempt themselves from certain password policy restrictions, but it will now only apply for operations against other users. A user with this privilege will be permitted to do the following:
- Set a pre-encoded password for another user, even if that user’s password policy does not allow pre-encoded passwords.
- Set a password for another user that does not satisfy all of the password validators in that user’s password policy.
- Set a password for another user that is already in that user’s password history.
We updated the server to add an option to enter lockdown mode and report itself as unavailable if an error occurs while attempting to write to a log file.
We added a consent REST API that allows users to create and store consents, and to allow users to search for consents that have been granted to them.
We updated the commonly-used-passwords.txt file to include lots of additional values, especially from studies released at the end of 2019. We also updated wordlist.txt to add many additional English words, as well as words from several other languages. Both of these files can be used by the dictionary password validator to reject passwords that are likely to be guessed by attackers.
We added a global ACI that allows clients to use the pre-read and post-read controls by default. The server will only process these controls if the requester has permission to perform the associated write operation, and it will only include attributes in the pre-read or post-read entry that the client has permission to access.
We added an “--addBaseEntry” argument to dsreplication enable. If provided, the server will create the base entry in the target backend if it does not already exist. The base entry must be present in the backend when enabling replication for that backend.
We updated the general monitor entry to include locationName and locationDN attributes that can be used to determine the server’s location.
We updated the server so that it will log a warning if it is running on a Linux system with a memory control group that may allow portions of the process memory to be swapped out to disk.
We updated the HTTP connection handler to make it possible to require clients to present their own certificates to the server.
We added a new HTTP Processing (Percent) gauge that can be used to help monitor the server’s capacity for processing additional HTTP requests.
We updated the server to make information in the general monitor entry (that is, the “cn=monitor” entry itself) available over JMX. Previously, the server exposed information about monitor entries that exist below the general monitor entry, but not the general monitor entry itself.
We updated the LDAP external server configuration so that the use-administrative-operation-control property is only offered for specific types of server instances that support that control.
We updated the StatsD monitoring endpoint so that it no longer uses spaces, commas, or colons in metric names. Those characters are now replaced with underscores. We also remove single and double quotes from metric names.
We updated the Server SDK to provide methods for retrieving the name or DN of the client connection policy from a ClientContext or OperationContext.
We updated the server to provide support for additional debug logging when invoking Server SDK extensions.
We updated the server so that it will not allow changes to data below “cn=Cluster,cn=config” if the cluster contains servers with different versions.
We updated the server so that it will now warn if there are multiple different versions of the same library in the server classpath.
We fixed an issue in which retrieving the “cn=version,cn=monitor” entry could cause the underlying JVM to leak a small amount of memory.
We fixed a potential memory leak that could arise when processing SCIM requests.
We fixed an issue that could prevent changing the password for a topology administrator unless their password policy was configured to allow pre-encoded passwords.
We fixed an issue that could cause mirrored subtree polling to create unnecessary files in the server’s configuration archive.
We fixed an issue that could prevent the server from generating certificates for systems with hostnames containing non-ASCII characters.
We fixed an issue that could interfere with the ability to install custom extensions that require additional libraries.
We fixed a rare issue that could cause a delay during TLS handshake processing.
We fixed an issue that could cause the server to raise an administrative alert about an uncaught exception when the server tried to send data over a TLS-encrypted connection that is no longer valid.
We fixed an issue that could cause certain tools (including collect-support-data, dsreplication, and rebuild-index) from being able to use a tools.properties file if that file was encrypted.
We fixed an issue that could delay the shutdown process if the server was configured to communicate with an unresponsive StatsD endpoint over TCP.
We fixed an issue that caused exec recurring tasks to ignore the configured working directory.
We fixed an issue that could prevent the server from generating an “account updated” account status notification for a modify operation that matched the associated criteria but did not include a password update.
We fixed an issue that could cause the value of the load-balancing-algorithm-name property to be lost when adding using the manage-topology add-server command to add an instance to an existing topology.
We fixed a replication issue that could arise when re-initializing a replica with data containing changes that are older than the replica previously had.
We fixed a replication issue that could cause initialization to stall if an error occurred while trying to send an internal replication message.
We fixed an issue that could cause the server to consider obsolete replicas when attempting to determine the total replication backlog.
We fixed an issue that could cause the server to incorrectly report how much memory it is using after performing an explicitly requested garbage collection.
We fixed a rare replication issue that could arise when upgrading from a pre-7.3 release in an environment where servers had been removed from the topology. The server could incorrectly detect a backlog that it would never see as resolved.
We fixed an issue with the dsjavaproperties tool that allowed you to request both aggressive and semi-aggressive tuning options at the same time.
We fixed an issue that could cause the server to report a spurious error message when disabling the PingOne pass-through authentication plugin.
We fixed an issue that could cause the server to return an attribute with the name formatted in all lowercase characters if the attribute was present in an entry but not defined in the server schema, and if the client explicitly requested that attribute to be returned. The server will now format the attribute name using the same capitalization the client used when requesting that attribute.
We fixed an issue that could prevent certain command-line tools from reporting the correct error if a problem occurred and the server was configured with a custom result code map.