Ping Identity Directory Server 9.0.0.0

Ping Identity Directory Server version 9.0.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

All server products:

  • Confirmed that none of the Directory Server, Directory Proxy Server, Synchronization Server, Metrics Engine, Admin Console, or LDAP SDK for Java use log4j or are affected by its vulnerability.
  • Added cipher stream providers for PKCS #11 tokens, Azure Key Vault, and CyberArk Conjur.
  • Added passphrase providers for Azure Key Vault and CyberArk Conjur.
  • Added password storage schemes for authenticating with passwords stored in external services, including AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault.
  • Added extended operations for managing server certificates.
  • Added the ability to redact the values of sensitive configuration properties when constructing the dsconfig representation for a configuration change.
  • Included the original requester DN and client IP address in log messages for mirrored configuration changes.
  • Added TLS configuration properties for outbound connections.
  • Updated the Admin Console to support using PKCS #12 and BCFKS trust stores.
  • Updated the file servlet to support authenticating with OAuth 2.0 access tokens and OpenID Connect ID tokens.
  • Fixed an issue that could cause degraded performance and higher CPU utilization for some clients using TLSv1.3.
  • Fixed an issue that prevented the manage-profile replace-profile tool from working properly for servers running in FIPS 140-2-compliant mode.
  • Updated export-ldif to always base64-encode attribute values containing any ASCII control characters.
  • Fixed an issue in which some tools that operate on the server’s configuration did not use the correct matching rule for attribute types configured to use case-sensitive matching.
  • Updated the Directory REST API to add support for attribute options.
  • Added the ability to recognize JVM builds from Eclipse Foundation, Eclipse Adoptium, and BellSoft.
  • Removed “-XX:RefDiscoveryPolicy=1” from the default set of options used to launch the JVM.
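
The export-ldif item above tightens the RFC 2849 rule for when an attribute value must be base64-encoded. As an added illustration (not code from the Ping Identity products), here is a small Python encoder that applies the standard LDIF safe-string test and, optionally, the stricter rule that any ASCII control character forces base64 encoding; the function names are my own.

```python
import base64

# RFC 2849: a value may be written as a plain "attr: value" line only if it is a
# SAFE-STRING: every byte is ASCII (< 0x80), none is NUL, LF or CR, and the first
# byte is not SPACE, ':' or '<'. Anything else is written as "attr:: <base64>".
# The RFC also recommends encoding values that end with a SPACE.
_UNSAFE_INIT = {0x00, 0x0A, 0x0D, 0x20, 0x3A, 0x3C}
_UNSAFE_ANY = {0x00, 0x0A, 0x0D}


def needs_base64(value: bytes, strict_control_chars: bool = True) -> bool:
    """Return True if the value cannot be written as a plain LDIF value.

    strict_control_chars=True adds the behaviour described for export-ldif in
    this release: any ASCII control character (0x00-0x1F or 0x7F) forces base64
    encoding, not only NUL, LF and CR.
    """
    if not value:
        return False
    if value[0] in _UNSAFE_INIT:
        return True
    if value[-1] == 0x20:
        return True
    for b in value:
        if b >= 0x80 or b in _UNSAFE_ANY:
            return True
        if strict_control_chars and (b < 0x20 or b == 0x7F):
            return True
    return False


def ldif_line(attr: str, value: bytes, strict_control_chars: bool = True) -> str:
    """Format one LDIF attribute line, base64-encoding the value when required."""
    if needs_base64(value, strict_control_chars):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample values. The TAB (0x09) case is the interesting one:
    # RFC 2849 allows it in a SAFE-STRING, but the stricter rule encodes it.
    for v in [b"Jane Doe", b"tab\there", b"line1\nline2", b" leading", b"Jos\xc3\xa9"]:
        print(ldif_line("description", v, strict_control_chars=False),
              "|", ldif_line("description", v))
```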

Directory Server changes:

  • Added support for pluggable pass-through authentication.
  • Fixed an issue that could interfere with the use of legacy reversibly encrypted passwords if an instance was removed from the topology.
  • Fixed an issue that prevented decoding proxied authorization v2 request controls with an authorization identity of a specific length.
  • Fixed an issue that could cause sporadic failures when attempting to back up a backend with data encryption enabled.
  • Added a replica-partial-backlog attribute to the replication summary monitor entry.
  • Fixed an issue in which the server could use incorrect resource limit values for users with custom limits who authenticated via pass-through authentication.
  • Fixed an issue in which the server did not properly update certain password policy state information for simple bind attempts targeting users without a password.
  • Fixed an issue in which the server may not handle other controls properly when processing an operation that includes the join request control.
  • Fixed an issue in which a newly initialized server could go into lockdown mode with a warning about missing changes if it was restarted immediately after initialization completed.
  • Fixed an issue that could prevent changes applied to non-RDN attributes in the course of processing a modify DN operation from being replicated.
  • Fixed an issue that could prevent composed attribute values from being properly updated for operations that are part of a multi-update extended operation.
  • Improved performance for modify operations that need to update a composite index to add an entry ID to the middle of a very large ID set.
  • Added limits for the maximum number of attributes in an add request and the maximum number of modifications in a modify request.
  • Updated the dsreplication initialize-all command to support initializing multiple replicas in parallel.
  • Fixed an issue in which an entry added with a createTimestamp attribute could lose the original formatting for that attribute when replicated to other servers.
  • Fixed an issue that could lead to long startup times in large topologies with data encryption enabled.
  • Updated the ldap-diff tool to add several new features.
  • Updated the migrate-ldap-schema tool to add several new features.

Directory Proxy Server changes:

  • Fixed an issue that could cause certain internal operations initiated in the Directory Proxy Server to fail when forwarded to a backend Directory Server.
  • Improved the logic used to select the best error result to return to the client for operations broadcast to all backend sets.
  • Updated the entry counter, hash DN, and round-robin placement algorithms to support excluding specific backend sets.

Synchronization Server changes:

  • Added the ability to synchronize certain password policy state information from Active Directory to the Ping Identity Directory Server.
  • Fixed an issue that could prevent synchronizing changes to entries that have multiple attributes with the same base attribute type but different sets of attribute options.
  • Added the ability to apply rate limiting when synchronizing changes to PingOne.
  • Fixed an issue in which the max-rate-per-second property was not properly applied when running the resync tool.

Metrics Engine changes:

  • Fixed an issue that could prevent dashboard icons from being properly displayed.