• DS 5.5.3 is the latest release targeted for DS 5.5.0, DS 5.5.1, or DS 5.5.2 deployments and can be downloaded from the ForgeRock Backstage website.

  The release can be deployed as an initial deployment or updated from an existing 5.5.x deployment. DS 5.5.0, DS 5.5.1, or DS 5.5.2 is available for download at the ForgeRock Backstage website.

• There are no new features introduced in DS 5.5.3, only bug fixes.

• There are no new features introduced in DS 5.5.2, only bug fixes.

• There are no new features introduced in DS 5.5.1, only bug fixes.

This release of Directory Services software includes the following new features:

• Backend Database Storage

  JE backend databases are upgraded to Berkeley DB Java Edition 7.4.5 in this release.

• Directory Proxy

  Directory proxy servers now automatically retry operations when they detect a temporary failure on the remote directory server.

  For details, see "Understanding How Failures Are Handled" in the Administration Guide.

• Simplified Replication Server Setup

  Use the new setup replication-server command to set up a server as a standalone replication server.

  You can use this command to install standalone replication servers without specifying the base DNs to replicate.

  For details, see "Installing a Replication Server" in the Installation Guide.

  After preparing standalone replication servers, install directory servers as described in "Installing a Directory Server" in the Installation Guide. Configure the directory servers as replicas that use the replication servers. For details, see "Configuring Replication Settings" in the Administration Guide.

• Linux 2.6 and later

• Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016

• No new changes to existing functionality were made in this release.

• No new changes to existing functionality were made in this release.

• No new changes to existing functionality were made in this release.

• The port-related options in "Options With No Default Values", and their short versions (such as -p for --port), no longer have default values when used in non-interactive mode.

  Options With No Default Values

  Commands Affected	Options Affected
  addrate authrate backup control-panel dsconfig export-ldif import-ldif ldapcompare ldapdelete ldapmodify ldappasswordmodify ldapsearch manage-account manage-tasks modrate rebuild-index restore searchrate stop-ds	--port
  dsreplication	--port --port1 --port2 --portDestination --portSource --replicationPort1 --replicationPort2

  
  

• The -t | --numThreads option for the following tools has changed to -t | --numConcurrentRequests:

  addrate

  authrate

  modrate

  searchrate

• The dsreplication command's --baseDn option is now only available where it is applicable.

  The reset-change-number, resume, status, and suspend subcommands no longer accept a --baseDn option.

• The product name has been aligned with the official name of the software release. The full product name starting with this release is ForgeRock Directory Services.

  This change impacts clients that depend on the product name.

  It also impacts the name used in product subcomponents. For example, in earlier releases the Syslog handler sent messages with the process name OpenDJ. The Syslog handler now sends messages with the process name ForgeRock.

• The server-side (plugin) Java API is continuing to evolve, as noted in "Release Levels and Interface Stability" in the Reference.

  Server plugins written against this API will have to be adapted and recompiled to work with this version. For Java API reference documentation, see the Javadoc.

• Manually changing the enabled property of an external change log domain will return incoherent results across the topology and as such is not supported.

• No new functionality was deprecated in this release.

• No new functionality was deprecated in this release.

• No new functionality was deprecated in this release.

• The PDB database backend type is deprecated and will be removed in a future release. Change your PDB backends to JE backends as described in "To Move a PDB Backend to a JE Backend" in the Installation Guide.

• The dsreplication subcommands enable and disable are deprecated and will be removed in a future release.

  The subcommands have been replaced with configure and unconfigure, which more accurately reflect the permanence of the configuration changes made by these subcommands.

  The configure subcommand updates the server configuration to replicate data under the specified base DN.

  The unconfigure subcommand removes the replication configuration settings for the specified base DN, and removes references to the current server on other replicas.

  The dsreplication disable --disableAll subcommand option is now dsreplication unconfigure --unconfigureAll. The dsreplication disable --disableReplicationServer subcommand option is now dsreplication unconfigure --unconfigureReplicationServer.

• The control-panel command is deprecated and will be removed in a future release.

• The configuration expression implementation is deprecated, and expected to change in a future release. This mechanism is described in "Using Configuration Expressions" in the Administration Guide.

• No new functionality was removed in this release.

• No new functionality was removed in this release.

• No new functionality was removed in this release.

• Support for Java 7 has been removed.

  Before upgrading to this version, you must follow the instructions in "Upgrading Java" in the Installation Guide.

• Support for Solaris has been removed.

• The setup command no longer supports addition of an instance.loc file to specify the instance path during server setup.

  If you do create an instance.loc file prior to setting up the server, the setup command fails with an error indicating either that the server has already been set up (when the instance.loc file references a valid server instance path), or that the instance.loc file (when the path it references does not exist, yet).

  Use the setup --instancePath option instead.

• The uninstall command has been removed.

  For details on removing server software, see "Removing Server Software" in the Installation Guide.

• The advanced JE backend properties, db-evictor-lru-only and db-evictor-nodes-per-scan, have been removed. When you upgrade a directory server, the upgrade command removes these properties from the configuration.

• OPENDJ-4625: Changelog range searches miss entries

• OPENDJ-5002: 200s timeout when stopping a replication server

• OPENDJ-5423: Incorrectly reported missing parent entries cause import-ldif and index rebuilds to fail

• OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers

• OPENDJ-5582: LdapClientSocket connection leaked when handshake fails

• OPENDJ-5607: Update third party libraries

• OPENDJ-6377: Replication replay: issues with ReplaySynchronizer

• OPENDJ-6447: NullPointerException: formatString was null

• OPENDJ-6464: isMemberOfVirtualAttributeProvider does not process subordinate nested groups

• OPENDJ-6474: REST: some requests fail when stressing embedded http endpoint with Gatling

• OPENDJ-4590: Replication: cursor aborted on high write throughput

• OPENDJ-4598: Replication Server cursoring through obsolete replica ID's causing high CPU spin

• OPENDJ-4934: Replication: changelog not in sync when restarting a server in a topology

• OPENDJ-4947: SASL DIGEST-MD5: bind request failed with protocol error

• OPENDJ-4983: IllegalStateException in change number indexer

• OPENDJ-5137: Reading compressed entries fails to close the InflaterInputStream

• OPENDJ-5210: Possible memory-leak if request received while bind in progress

• OPENDJ-5260: Grizzly pre-allocates a useless MemoryManager

• OPENDJ-5272: "idle-time-limit" global configuration property has no effect

• OPENDJ-5274: Upgrade of RS fails on rebuild indexes phase

• OPENDJ-5320: Build fails if the code is build outside the sustaining repo

• OPENDJ-4624: Changelog search filter optimizations fail when there are leading unrelated terms

• OPENDJ-4295: Syslog data is not fully RFC compliant

• OPENDJ-4341: setup with production mode with java 9

• OPENDJ-4316: HTTP Connector leaks Session objects

• OPENDJ-4275: Changelog searches cursor through inappropriate replica DBs

• OPENDJ-4234: Poor changelog search performance using changenumber ranges

• OPENDJ-4228: status command with keystore options throws ArrayIndexOutOfBoundsException

• OPENDJ-4178: Performance drop with complex subtree searches between 2.x and 3.5.1/4.0.0

• OPENDJ-4125: Extremely poor performance under connect/disconnect load and eventual port exhaustion

• OPENDJ-4115: build and publish missing changes gets confused with non-local changes

• OPENDJ-4011: Setup requires TLS to be enabled when using --productionMode

• OPENDJ-4007: Referential Integrity plugin checks all modifications when run as preModifyOperation

• OPENDJ-4006: forgerock-je included in releases does not work with Azul Zulu

• OPENDJ-3966: The Bcrypt storage scheme displays the wrong syntax Range and default for the bcrypt-cost

• OPENDJ-3963: JMXClientConnections are leaked

• OPENDJ-3931: Replication fails to propagate all changes added after a backup/restore to a newly created instance

• OPENDJ-3904: Delivery includes QuickSetup.app and Uninstall.app files for commands that were removed

• OPENDJ-3886: Modifying Json File-Based Access Logger configuration can cause a corrupt log record

• OPENDJ-3868: Proxied persistent searches are not cancelled/abandoned when the client abandons them or disconnects

• OPENDJ-3825: Spring daylight savings change can break recurring tasks

• OPENDJ-3645: SASL DIGEST-MD5: "digest-uri" parameter is not taken into account

• OPENDJ-3643: On Windows "java.properties" does not support values containing "=" character

• OPENDJ-3507: After upgrading a 2.6.2 server to 3.5.1 server is spinning at 93% CPU

• OPENDJ-3471: ldifsearch command fails to consume @objectclass notation in attribute list

• OPENDJ-3380: Creating a backend with null base DN can render the instance unusable

• OPENDJ-2850: OpenDJ SDK SASL integrity/confidentiality violates protocol

• OPENDJ-2842: Load balancing algorithms are not optimum after failure of a connection factory

• OPENDJ-2190: Replicas cannot always keep up with sustained high write throughput

• OPENDJ-1135: DS sometimes fails to connect to RS after server restart

• OPENDJ-609: Replicas out of sync after add/delete operations in sustained stress testing

• There are no new limitations in functionality in this release.

• There are no new limitations in functionality in this release.

• There are no limitations in functionality in this release.

Directory Services 5.5 has the following limitations:

• Work around issues with hostname verification of local server certificates for administrative connections by doing the following:

  • When starting the Control Panel, select Remote Server and provide the hostname and administration port number, even when connecting to a local server.

  • When running the status command, use the --trustAll to bypass hostname verification.

• Configuring a server with both local backends and proxy backends is not supported.

  As described in "Configuring Privileges and Access Control" in the Administration Guide, access control models for directory servers and proxy servers cannot function at the same time in the same server.

• OpenDJ servers provide full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

• Directory servers store passwords prefixed with the storage scheme in braces, as in {scheme}. For details, see "Configuring Password Storage" in the Administration Guide.

  To prevent users from effectively attempting to choose their own password storage scheme, directory servers do not support passwords that strictly match this format. Specifically, directory servers do not support passwords that match {string}*.

  Requests to update userPassword values with such passwords fail with result code 19 (Constraint Violation) and an additional message indicating that passwords may not be provided in pre-encoded form.

• When you configure account lockout as part of password policy, an OpenDJ server locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however. Global account lockout occurs as soon as the authentication failure times have been replicated.

• When configuring replication between servers of different versions, use the dsreplication command installed with the newer version.

  The dsreplication enable command in versions 3.5 and earlier is not compatible with Directory Services 5.5 and later servers.

• When creating additional database backends, adjust the database cache settings to avoid allocating all memory available to the JVM to database cache. Over-allocating memory to database cache leads to out of memory errors.

  By default, a new database backend has db-cache-percent set to 50. When creating a new database backend, you can raise or lower this value by using the --set db-cache-percent:value option, where value is the percentage of JVM memory to allocate to the new backend.

• The policy-based access control handler used in proxy servers:

  • Does not support the Get Effective Rights control.

  • Does not check the modify-acl privilege when global access control policies are changed. The config-write privilege is sufficient to change global access control policies.

  • Does not send alert notifications when global access control policies change.

• The Password Policy control (OID: 1.3.6.1.4.1.42.2.27.8.5.1) is supported for add, bind, and modify operations. It is not supported for compare, delete, search and modify DN operations.

• Prevent antivirus and intrusion detection systems from interfering with OpenDJ software.

  Before using OpenDJ software with antivirus or intrusion detection software, consider the following potential problems:

  Interference with normal file access

  Antivirus and intrusion detection systems that perform virus scanning, sweep scanning, or deep file inspection are not compatible with OpenDJ file access, particularly database file access.

  Antivirus and intrusion detection software can interfere with the normal process of opening and closing database working files. They may incorrectly mark such files as suspect to infection due to normal database processing, which involves opening and closing files in line with the database's internal logic.

  Prevent antivirus and intrusion detection systems from scanning database and changelog database files.

  At minimum, configure antivirus software to whitelist the OpenDJ server database files. By default, exclude the following file system directories from virus scanning:

  • /path/to/opendj/changelogDb/ (if replication is enabled)

    Prevent the antivirus software from scanning these changelog database files.

  • /path/to/opendj/db/

    Prevent the antivirus software from scanning database files, especially *.jdb files.

  Port blocking

  Antivirus and intrusion detection software can block ports that OpenDJ uses to provide directory services.

  Make sure that your software does not block the ports that OpenDJ software uses. For details, see "Limiting System and Administrative Access" in the Security Guide.

  Negative performance impact

  Antivirus software consumes system resources, reducing resources available to other services including OpenDJ servers.

  Running antivirus software can therefore have a significant negative impact on OpenDJ server performance. Make sure that you test and account for the performance impact of running antivirus software before deploying OpenDJ software on the same systems.

• REST to LDAP query filters do not work with properties of subtypes.

  For example, the default example configuration describes a user type, and a POSIX user type that inherits from the user type. If your query filter is based on a POSIX user type property that is not a property of the user type, such as loginShell or gidNumber, the filter always evaluates to false, and the query returns nothing.

• When applying a Common REST patch operation, described in "Patching Resources" in the Developer's Guide, to a Json syntax attribute, you cannot patch individual fields of the JSON object. You must change the entire JSON object instead.

  As a workaround, you can perform an update of the entire object, changing only the desired fields in your copy.

• When the global server property invalid-attribute-syntax-behavior is set to accept or warn, a search on group membership using a value with invalid syntax returns nothing.

• Due to a Java issue on Windows systems (JDK-8057894), when configuring an OpenDJ directory server with data confidentiality enabled you might see an error message containing the following text:

  Unexpected CryptoAPI failure generating seed

  If this happens, try running the command again.

• When running on a Linux or UNIX system without X11, the status command fails with an exception message such as the following:

  Exception in thread "main" java.awt.AWTError: Can't connect to X11 window server using ':99' as the value of the DISPLAY variable.

  To work around this issue, set the Java property, -Djava.awt.headless=true.

• There are no new known issues in this release.

• There are no new known issues in this release.

• There are no new known issues in this release.

The following important issues were known to exist in Directory Services 5.5.3:

• OPENDJ-4008: dsconfig exits with error when listing global access control policy

• OPENDJ-4059: dsconfig --bindDN should default to "cn=Directory Manager"

• OPENDJ-4106: Incorrect error when importing bad LDIF on setup

• OPENDJ-4109: The ldappasswordmodify command fails when requested through a directory proxy server

• OPENDJ-4185: Changelog not populated with new changes if an RS+DS goes down and replication fails to catch up when it's restarted

• OPENDJ-4226: Online list backups command throws error

• OPENDJ-4229: status command with keystore options throws NullPointerException

• OPENDJ-4243: Replication status's Age of Oldest Missing Change (AOMC) is not reset even if Missing Changes (MC) is 0

• OPENDJ-4312: addrate raises NoSuchElementException when using numusers

• OPENDJ-4325: Changelog searches requesting changelogCookie are very slow

• OPENDJ-4851: Exception when uninstalling/stopping replication topology

• OPENDJ-5070: Over allocation of db-cache-percent for existing backend results in empty error

• OPENDJ-5115: ldappasswordmodify fails, NPE in PasswordPolicyState updatePasswordHistory()

• OPENDJ-5140: PersistentSearch heap usage grows

• OPENDJ-5474: java.awt.AWTError when running status command on system without X11

ForgeRock publishes comprehensive documentation online:

• The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

  While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

• ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

• Description of the problem, including when the problem occurs and its impact on your operation

• Description of the environment, including the following information:

  • Machine type

  • Operating system and version

  • Storage type and version

  • Java version

  • Web container and version (if applicable)

  • Directory Services release version

  • Any patches or other software that might be affecting the problem

• Steps to reproduce the problem

• Any relevant access and error logs, stack traces, or core dumps