by ldapdotcom
Bookmark

Ping Identity Directory Server 8.2.0.0

Ping Identity Directory Server version 8.2.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

  • Added single sign-on support to the Administration Console
  • Added a new ds-pwp-modifiable-state-json operational attribute
  • Added support for password validation during bind
  • Added support for a recent login history
  • Added sample dsconfig batch files
  • Added JSON-formatted variants for the audit, HTTP operation, and synchronization log files
  • Added support for logging to standard output or standard error
  • Added support for rotating the logs/server.out log file
  • Improved support for logging to syslog servers
  • Added support for the OAUTHBEARER SASL mechanism
  • Added support for the ($attr.attrName) macro ACI
  • Added a remove-attribute-type-from-schema tool
  • Added a validate-ldap-schema tool
  • Added a number of security-related improvements to setup
  • Added a number of improvements to the manage-profile tool
  • Added a number of improvements to the parallel-update tool
  • Added various improvements to several other command-line tools, including ldappasswordmodify, ldapcompare, ldifsearch, ldifmodify, ldif-diff, ldap-diff, and collect-support-data
  • Added various usability improvements to command-line tools
  • Added several improvements to the dictionary password validator
  • Added a new AES256 password storage scheme
  • Added an export-reversible-passwords tool
  • Create a 256-bit AES encryption settings definition in addition to the 128-bit AES definition
  • Added password information about password quality requirements to the ds-pwp-state-json virtual attribute
  • Added the ability to augment the default set of crypto manager cipher suites
  • Improvements in delaying bind responses
  • Require a minimum ephemeral Diffie-Hellman key size of 2048-bits
  • Switched to using /dev/urandom as a source of secure random data
  • Improved the way we generate self-signed certificates and certificate signing requests
  • Added support for using elliptic curve keys in JWTs
  • Added new administrative alert types for account status notification events, privilege assignment, and rejection of insecure requests
  • Added improvements to monitor data and the way it is requested by the status tool
  • Added identity mapper improvements, including filter support, an aggregate identity mapper, and an out-of-the-box mapper for administrative users
  • Improved uniqueness control conflict prevention and detection
  • Added support for re-sending an internal replication message if there is no response to a dsreplication initialize request
  • Added a --force argument to dsreplication initialize that can be used to force initialization even if the source server is in lockdown mode
  • Added options to customize the response code and body in availability servlets
  • Increased the number of RDN components that a DN may have from 50 to 100
  • Updated the SCIM servlet to leverage a VLV index (if available) to support paging through search result sets larger than the lookthrough limit
  • Added an --adminPasswordFile argument to the manage-topology add-server command
  • Added a password policy configuration property to indicate whether the server should return the password expiring or password expired based on whether the client also provided the password policy request control
  • Updated support for the CRAM-MD5 and DIGEST-MD5 SASL mechanisms so they are no longer considered secure
  • Improved Directory Proxy Server support for several SASL mechanisms
  • Improved Directory Proxy Server support for the LDAP join control
  • Updated manage-topology add-server to add support for configuring failover between Synchronization Server instances
  • Added a Synchronization Server configuration property for customizing the sync pipe queue size
  • Added a Synchronization Server configuration property for processing changes with REPLACE modifications rather than ADD and DELETE modifications
  • Fixed an issue that could prevent the installer from removing information about the instance from the topology registry
  • Fixed an issue that could cause replication to miss changes if a backend was reverted to an earlier state without reverting the replication database
  • Fixed an issue in which a replica could enter lockdown mode after initialization
  • Fixed an issue that could allow some non-LDAP clients to inappropriately issue requests without the server in lockdown mode
  • Fixed an issue in which restoring an incremental backup could cause dependencies to be restored out of order, leading to an incomplete intermediate database file
  • Fixed a backup retention issue in which the process of purging old backups could cause old backups to be removed out of order
  • Fixed an issue in which the server could leak a small amount of memory upon closing a JMX connection
  • Fixed an issue that could cause the server.status file to be corrupted on Windows systems after an unplanned reboot if the server is configured to run as a Windows service
  • Fixed an issue that could cause the server to return a password expired response control in a bind response when the user’s account is expired but the client provided incorrect credentials
  • Fixed an issue in which a search that relied on a virtual attribute provider for efficient processing could omit object classes from search result entries
  • Fixed an issue in which the server did not properly handle the matched values control that used an extensible match filter with both an attribute type and a matching rule (for example, in conjunction with the jsonObjectFilterExtensibleMatch matching rule)
  • Fixed an issue in which the server could incorrectly log an error message at startup if it was configured with one or more ACIs that grant or deny permissions based on the use of SASL mechanisms
  • Fixed an issue in which the remove-defunct-server tool to fail to remove certain replication attributes when the tool was run with a topology JSON file
  • Fixed an issue in which manage-profile replace-profile could fail to apply changes if the profile included dsconfig batch files without a “.dsconfig” extension
  • Fixed an issue in which the server could raise an internal error and terminate the connection if a client attempted to undelete a non-soft-deleted entry
  • Fixed an issue that could cause the REST API to fail to decode certain types of credentials when using basic authentication
  • Fixed an issue in which the encryption-settings tool could leave the server without a preferred definition after importing a set of definitions with the --set-preferred argument but none of the imported definitions is marked preferred
  • Fixed an issue in which the manage-profile generate-profile command could run out of memory when trying to generate a profile containing large files
  • Fixed an issue in which the manage-profile generate-profile command could display a spurious message when generating the profile in an existing directory
  • Fixed an issue that could interfere with cursoring through paged search results when using the REST API and the results included entries with long DNs
  • Fixed an issue that could cause an exception in SCIM 1.1 processing as a result of inappropriate DN escaping
  • Fixed an issue that could cause the isMemberOf and isDirectMemberOf virtual attributes to miss updates if the same group is updated concurrently by multiple clients
  • Fixed an issue that could cause the server to return an objectClassViolation result code instead of the more appropriate attributeOrValueExists result code when attempting to add an object class value to an entry that already has that object class
  • Fixed an issue that could cause loggers to consume more CPU processing time than necessary in an idle server
  • Fixed an issue in which the stats collector plugin could generate unnecessary I/O when it is used exclusively for sending metrics to a StatsD endpoint
  • Fixed an issue in which the periodic stats logger could include duplicate column headers
  • Fixed an issue that could cause the server to periodically log an error message if certain internal backends are disabled
  • Fixed a typo in the default template that the multi-part email account status notification handler uses to warn about an upcoming password expiration
  • Fixed an issue in which the dsconfig list command could omit certain requested properties
  • Fixed an issue in which the dsreplication tool could incorrectly suppress LDAP SDK debug messages even if debugging was requested
  • Fixed an issue that could cause the Directory Proxy Server to log information about an internal exception if an entry-balanced search encountered a timeout when processing one or more backend sets
  • Fixed an issue in which the Synchronization Server could get stuck when attempting to retry failed operations when it already has too many other operations queued up for processing
  • Fixed an issue in which Synchronization Server loggers were not properly closed during the server shutdown process
  • Fixed an issue in which the synchronization server could fail to synchronize certain delete operations from an Oracle Unified Directory because of variations in the format of the targetUniqueID attribute