We have just released version 10.3.0.0 of the Ping Identity Directory Server. See the release notes for a complete overview of changes, but here’s my summary:
Summary of Deprecated Functionality and Potential Compatibility Impacts
- Removed support for Java 11. The server must now be run using Java 17 or Java 21.
Summary of New Features and Enhancements
- Updated the Directory Proxy Server to add a new “forward-authorization-entry-control” authorization method for LDAP external servers. This can be particularly useful in entry-balanced topologies in which clients may need to process operations that target entries in backend sets that do not contain the requester’s entry, and when the existing authorization mapping mechanism is insufficient.
- Added support for LDAP client connections passing through a software load balancer that adds an HAProxy PROXY protocol header (v1 or v2) to the communication. The source address and port contained in the PROXY protocol header will then be used for all subsequent processing for that client connection.
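As an added illustration (not code from the release or the server itself), the following Python snippet shows what a receiver must do with a v1 PROXY protocol header: extract the source address and port, validate them, and honor the header only when the TCP peer is a known load balancer, since otherwise any client could claim an arbitrary source address. The sample header, the trusted network, and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample: a v1 PROXY header as a load balancer would prepend it,
# followed by the first bytes of the client's own LDAP traffic.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 636\r\n0\x18\x02\x01..."
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"          # fixed 12-byte v2 signature
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]  # constructed LB range


def parse_proxy_v1(data: bytes):
    """Parse a v1 header. Returns ((src_ip, src_port) or None, remaining bytes).
    Raises ValueError on a malformed header. v1 headers are at most 107 bytes."""
    end = data.find(b"\r\n", 0, 107)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ValueError("not a well-formed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the original source; nothing to trust.
        return None, data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected PROXY v1 fields")
    _, family, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the stated protocol")
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src_ip), sport), data[end + 2:]


def effective_client_address(peer_ip: str, data: bytes, trusted):
    """Return ((ip, port), remaining bytes) to use for all later processing.
    The header is honored only if the TCP peer is one of the trusted proxies."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Untrusted peer: ignore any header and keep the real TCP peer address.
        return (peer_ip, None), data
    if data.startswith(V2_SIGNATURE):
        raise ValueError("PROXY v2 binary header present; not parsed in this example")
    src, rest = parse_proxy_v1(data)
    return (src if src is not None else (peer_ip, None)), rest
```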
- Updated the Directory REST API to add support for the soft delete, hard delete, undelete, and soft-deleted entry access controls.
- Updated manage-profile replace-profile to make it possible to change the value of the --fips-provider argument between BCFIPS and BCFIPS2. This makes it possible to update an existing instance running in FIPS 140-2-compliant mode to use FIPS 140-3-compliant mode. It is still not possible to enable or disable FIPS compliance for an existing instance.
- Updated the server’s default configuration so that it will not attempt to update the user’s recent login history in cases where the user’s account is unavailable (e.g., because it is locked or disabled, or because the user’s password is expired). This can help reduce the performance impact of login history tracking in cases where an authentication attempt cannot possibly succeed.
- Improved the encoded password cache (which can dramatically improve the performance of repeated authentication when using expensive password encoding schemes) to use an LRU algorithm instead of a FIFO algorithm when the cache is full and existing records must be purged.
- Added an option to allow LDAP external servers to create their connection pools without any initial connections so that all of the pool’s connections will be created on demand. This can help make it faster to initialize components that interact with LDAP external servers, and it can also reduce contention that may result from concurrent attempts to authenticate multiple connections as the same user.
- Updated the processing time histogram plugin to add an option to expose the histogram information in an alternate manner, using a separate attribute for each histogram bucket, and making it easier to parse the histogram bucket boundaries and the associated value.
- Updated the file-based audit logger to make it possible to exclude virtual attribute values from delete records. By default, they will continue to be included in the regular audit log file, but they will now be excluded from the data recovery log. Excluding virtual attribute values can improve performance and reduce the resulting audit log size.
- Added support for synchronizing the bypassMFA attribute to and from PingOne endpoints.
- Added the ability to skip LDIF import processing when running manage-profile setup.
- Updated the version and SSL context monitor entries so that they always include the fips-compliant-mode, fips-140-2-compliant-mode, and fips-140-3-compliant-mode attributes. They were previously only present when the server was actually running in a FIPS-compliant mode.
- Exposed the values of the fips-compliant-mode, fips-140-2-compliant-mode, and fips-140-3-compliant-mode attributes in the “Version” monitor entry in the administration console’s Status section.
Summary of Bug Fixes
- Fixed an issue in which the remove-defunct-server tool could leave a Synchronization Server topology in a state where it was not possible to add new servers.
- Fixed the default behavior for the resync tool to avoid inadvertently removing unicodePwd values when synchronizing from Active Directory sources, or to avoid removing password values when synchronizing from PingOne sources.
- Fixed an issue in which a SCIMv2 PUT operation could incorrectly remove some of the values of a multivalued complex attribute.
- Fixed an issue that could prevent using the server in FIPS-compliant mode when running on Oracle Java 17 or later. This issue did not affect other OpenJDK variants.
- Fixed an issue that could prevent the server from operating on RHEL on Java 17 or later if the operating system was configured to use FIPS-compliant mode.
- Fixed issues in which a failed dsreplication initialize attempt could interfere with subsequent initialization attempts.
- Fixed an issue that prevented the Synchronization Server from properly logging changes that only affected password policy state attributes.
- Fixed an issue that could cause password synchronization to fail when attempting to synchronize changes from multiple Active Directory subdomains through multiple sync pipes.
- Fixed an issue in which the monitor history plugin could incorrectly remove files earlier than expected when using the retain-files-sparsely-by-age configuration option.
- Fixed an issue that could prevent a password reset performed by a user with the bypass-pw-policy privilege from honoring the password policy’s force-change-on-reset property.
- Fixed an issue that prevented password resets using the password modify extended operation from being subject to replication assurance processing.
- Fixed an issue that could cause changes to the modifiable password policy state plugin’s filter property to be ignored until the plugin was disabled and re-enabled, or until the server was restarted.
- Fixed an issue in which the Directory REST API would reject attempts to use attribute values that violated the associated syntax even if the server was configured to permit such violations.
- Fixed an issue in which the replication server did not properly honor the listen-on-all-addresses configuration property.
- Fixed an issue in which the Delegated Admin application could cause a memory leak in the server.
- Fixed an issue in which replace-certificate replace-listener-certificate didn’t honor the --trust-store-update-type argument.
- Fixed an issue that prevented using the JVM-default trust store when replacing a listener certificate using the replace-certificate tool’s interactive mode.
- Fixed an issue that prevented SCIM clients from altering the ds-pwp-modifiable-state attribute.
- Fixed an issue with inconsistent id-attribute values in SCIM responses.
- Fixed an issue that could cause a 404 response to a SCIM GET request.
- Fixed an issue in which the Directory REST API could return a 500 response when attempting to replace values of a virtual attribute.
- Fixed an issue in which the entry counter plugin may not have properly evaluated criteria based on a virtual attribute with require-explicit-request-by-name set to true.
- Fixed an issue that could prevent altering the configuration for an enabled entry counter plugin.
- Fixed an issue that prevented capturing connection pool debug messages in the LDAP SDK debug log.
- Fixed an issue in which dsreplication enable did not properly honor the --noPropertiesFile argument.
- Fixed an internal error that could arise upon restarting a server instance that had been configured with support for Delegated Admin.
- Fixed an issue that prevented the Synchronization Server from properly persisting state information for third-party change detectors.
- Fixed an issue in the Server SDK’s example LDAP sync destination plugin in which it did not properly handle processing for modify DN operations that didn’t affect the destination entry’s RDN.
- Suppressed spurious warning messages that could be logged during server startup.