Ping Identity Directory Server 9.1.0.0

Ping Identity Directory Server version 9.1.0.0 has just been released. I wrote about this release in detail on my personal blog, but here’s a summary of the changes:

  • Known issue: when reverting an update to the 9.1 release, updated Bouncy Castle cryptographic library files may remain in place.
  • Added support for controls to the Directory REST API.
  • Updated replace-certificate and the topology registry to streamline the process for replacing a listener certificate when the current and new certificates are signed by the same issuer.
  • Made it easier to replace a listener certificate after it has expired.
  • Added support for sanitizing access log messages as they are logged.
  • Added support for generifying message strings in access and error log messages.
  • Updated Synchronization Server support for PingOne to include multi-valued attributes and JSON-formatted attributes.
  • Improved the assured replication result used in the event that a replication conflict is detected.
  • Improved the sanitize-log tool and updated it to better align with sanitized logging support.
  • Updated sanitize-access-log to support JSON-formatted log files.
  • Added support for JSON-formatted controls in LDAP requests and responses.
  • Added a docker-pre-start-config tool that can help reduce startup time when running in a Docker container.
  • Added a --skipValidation argument to manage-profile replace-profile.
  • Added an --excludeSetupArguments argument to manage-profile generate-profile.
  • Increased the maximum value of the on-replay-failure-wait-for-dependent-ops-timeout replication property from one minute to five minutes.
  • Improved the Directory REST API support for PUT operations that alter a DN in conjunction with changes to other attributes in the entry.
  • Updated the active operations monitor to use millisecond precision for timestamps and to make operation strings more parseable.
  • Added the collect-support-data version to the output of status --fullVersion.
  • Updated several dependencies to improve functionality, address defects, and improve security.
  • Fixed an issue that could cause some replication protocol messages to be dropped.
  • Fixed an issue that could cause the server to report missing changes and go into lockdown mode if it is restarted immediately after running dsreplication initialize.
  • Fixed an issue that could prevent certain password policy functionality from being invoked for add operations in which the password policy is assigned by virtual attribute.
  • Fixed an issue that could cause privileges assigned by virtual attribute to be overlooked in some cases.
  • Updated the server to create the esTokenizer.ping file if it does not exist but is needed.
  • Fixed an issue that could have incorrectly applied minimum and maximum password age constraints to users without a password.
  • Updated the JSON-formatted access logger to include the requester IP address field in disconnect, security negotiation, and client certificate log messages when appropriate.
  • Fixed an issue that prevented the certificate monitor from recognizing replaced certificates.
  • Fixed issues that could prevent using the Amazon Secrets Manager, CyberArk Conjur, or HashiCorp Vault passphrase providers to obtain key and trust store PINs.
  • Fixed an issue that could cause the server to log negative operation processing times for certain operations.
  • Updated the server to prevent add and modify operations targeting ds-pwp-modifiable-state-json when the associated plugin is not enabled.
  • Updated the server to prevent a user from updating the ds-pwp-modifiable-state-json attribute for their own entry.
  • Updated the server to prevent a user from updating the ds-pwp-modifiable-state-json attribute in the same modification that also resets a user’s password.
  • Fixed an issue in which dsreplication failed to properly normalize base DN values.
  • Fixed an issue that could prevent the Directory REST API from retrieving entries with generalized time values in an unexpected format.
  • Fixed an issue that could cause manage-profile replace-profile to fail with an error about merging configuration.
  • Updated manage-profile setup and manage-profile replace-profile to prevent including a pre-populated encryption settings database in the pre-setup files.
  • Updated manage-topology add-server to be more consistent when adding additional Synchronization Servers to a failover topology.
  • Fixed an issue in which the server could ignore certain indexes that it believed to be redundant when evaluating search criteria.
  • Improved the SCIM error code for cases in which an update violated a unique attribute constraint.
  • Fixed an issue that could cause the server to incorrectly reject requests with non-critical controls that the requester did not have permission to use rather than ignoring those controls.
  • Fixed an issue that could allow the password policy state extended operation to create duplicate authentication failure time or grace login use time values.
  • Fixed an issue that could affect backward compatibility when using migrate-ldap-schema with the legacy --useSSL or --useStartTLS arguments.
  • Fixed an issue that could prevent the server from generating alerts to indicate that an outstanding alarm condition had been resolved.
  • Fixed an issue that could cause the server to report an internal error when attempting to obtain database statistics for a read-only backend.
  • Fixed an export-reversible-passwords issue that could cause it to time out while waiting for a response from the server.
  • Updated export-reversible-passwords to abort processing if the tool invoking it was terminated.
  • Fixed an issue that prevented encode-password from working if the AES256 scheme was enabled.
  • Disabled the index cursor entry limit by default.