Ping Identity Directory Server version 9.0.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:
All server products:
- Confirmed that none of the Directory Server, Directory Proxy Server, Synchronization Server, Metrics Engine, Admin Console, or LDAP SDK for Java use log4j or are affected by its vulnerability.
- Added cipher stream providers for PKCS #11 tokens, Azure Key Vault, and CyberArk Conjur.
- Added passphrase providers for Azure Key Vault and CyberArk Conjur.
- Added password storage schemes for authenticating with passwords stored in external services, including AWS Secrets Manager, Azure Key Vault, CyberArk Conjur, and HashiCorp Vault.
- Added extended operations for managing server certificates.
- Added the ability to redact the values of sensitive configuration properties when constructing the dsconfig representation for a configuration change.
- Included the original requester DN and client IP address in log messages for mirrored configuration changes.
- Added TLS configuration properties for outbound connections.
- Updated the Admin Console to support using PKCS #12 and BCFKS trust stores.
- Updated the file servlet to support authenticating with OAuth 2.0 access tokens and OpenID Connect ID tokens.
- Fixed an issue that could cause degraded performance and higher CPU utilization for some clients using TLSv1.3.
- Fixed an issue that prevented the manage-profile replace-profile tool from working properly for servers running in FIPS 140-2-compliant mode.
- Updated export-ldif to always base64-encode attribute values containing any ASCII control characters.
- Fixed an issue in which some tools that operate on the server’s configuration did not use the correct matching rule for attribute types configured to use case-sensitive matching.
- Updated the Directory REST API to add support for attribute options.
- Added the ability to recognize JVM builds from Eclipse Foundation, Eclipse Adoptium, and BellSoft.
- Removed “-XX:RefDiscoveryPolicy=1” from the default set of options used to launch the JVM.
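As an added illustration of the export-ldif change above (example code written for this summary, not code from Ping Identity's server or its export-ldif tool), the following Python applies the RFC 2849 rules for when an LDIF attribute value must be base64-encoded, with the stricter "any ASCII control character" rule as a switchable option; the function names and sample values are assumptions.

```python
import base64

# Bytes that RFC 2849 says may not begin a SAFE-STRING: space, colon, '<'.
_UNSAFE_INIT = {0x20, 0x3A, 0x3C}


def needs_base64(value: bytes, encode_control_chars: bool = True) -> bool:
    """Return True if an LDIF attribute value must be written base64-encoded.

    RFC 2849 requires base64 for values that start with SPACE, ':' or '<',
    that contain NUL, LF or CR, or that contain any non-ASCII byte.  With
    encode_control_chars=True the stricter rule from the release note is
    applied as well: any ASCII control character (0x00-0x1F, 0x7F) forces
    base64 encoding.  (Illustrative helper, not export-ldif itself.)
    """
    if not value:
        return False
    if value[0] in _UNSAFE_INIT:
        return True
    # Trailing spaces are legal but silently dropped by some parsers; encode them.
    if value[-1] == 0x20:
        return True
    for b in value:
        if b > 0x7F or b in (0x00, 0x0A, 0x0D):
            return True
        if encode_control_chars and (b < 0x20 or b == 0x7F):
            return True
    return False


def ldif_attr_line(name: str, value: bytes, encode_control_chars: bool = True) -> str:
    """Render one 'name: value' or 'name:: base64value' LDIF line."""
    if needs_base64(value, encode_control_chars):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value.decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample values, not data from any real directory.
    samples = [
        ("cn", b"Jane Doe"),
        ("description", b"tab\tseparated"),  # TAB: base64 only under the strict rule
        ("description", b"line1\nline2"),    # LF: base64 under both rules
        ("cn", b" leading space"),           # unsafe initial byte: base64 under both
    ]
    for attr, raw in samples:
        old = ldif_attr_line(attr, raw, encode_control_chars=False)
        new = ldif_attr_line(attr, raw)
        print(f"{old!r:45} -> {new!r}")
```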
Directory Server changes:
- Added support for pluggable pass-through authentication.
- Fixed an issue that could interfere with the use of legacy reversibly encrypted passwords if an instance was removed from the topology.
- Fixed an issue that prevented decoding proxied authorization v2 request controls with an authorization identity of a specific length.
- Fixed an issue that could cause sporadic failures when attempting to back up a backend with data encryption enabled.
- Added a replica-partial-backlog attribute to the replication summary monitor entry.
- Fixed an issue in which the server could use incorrect resource limit values for users with custom limits who authenticated via pass-through authentication.
- Fixed an issue in which the server did not properly update certain password policy state information for simple bind attempts targeting users without a password.
- Fixed an issue in which the server may not handle other controls properly when processing an operation that includes the join request control.
- Fixed an issue in which a newly initialized server could go into lockdown mode with a warning about missing changes if it was restarted immediately after initialization completed.
- Fixed an issue that could prevent changes applied to non-RDN attributes in the course of processing a modify DN operation from being replicated.
- Fixed an issue that could prevent composed attribute values from being properly updated for operations that are part of a multi-update extended operation.
- Improved performance for modify operations that need to update a composite index to add an entry ID to the middle of a very large ID set.
- Added limits for the maximum number of attributes in an add request and the maximum number of modifications in a modify request.
- Updated the dsreplication initialize-all command to support initializing multiple replicas in parallel.
- Fixed an issue in which an entry added with a createTimestamp attribute could lose the original formatting for that attribute when replicated to other servers.
- Fixed an issue that could lead to long startup times in large topologies with data encryption enabled.
- Updated the ldap-diff tool to add several new features.
- Updated the migrate-ldap-schema tool to add several new features.
Directory Proxy Server changes:
- Fixed an issue that could cause certain internal operations initiated in the Directory Proxy Server to fail when forwarded to a backend Directory Server.
- Improved the logic used to select the best error result to return to the client for operations broadcast to all backend sets.
- Updated the entry counter, hash DN, and round-robin placement algorithms to support excluding specific backend sets.
Synchronization Server changes:
- Added the ability to synchronize certain password policy state information from Active Directory to the Ping Identity Directory Server.
- Fixed an issue that could prevent synchronizing changes to entries that have multiple attributes with the same base attribute type but different sets of attribute options.
- Added the ability to apply rate limiting when synchronizing changes to PingOne.
- Fixed an issue in which the max-rate-per-second property was not properly applied when running the resync tool.
Metrics Engine changes:
- Fixed an issue that could prevent dashboard icons from being properly displayed.