What’s New

7.1.1

ForgeRock maintenance releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock’s maintenance and patch releases, see Maintenance and Patch Availability Policy.

DS 7.1.1 is the latest release targeted for DS 7.1.0 deployments, and can be downloaded from the ForgeRock Backstage website.

You can install this release as a new deployment, or upgrade an existing DS 7.1.x deployment to it.

Java

DS 7.1.1 introduces support for Java 17 in addition to Java 11.

Java 17 was released shortly before DS 7.1.1. ForgeRock has completed all DS functional testing with Java 17, but has not yet thoroughly performance- and stress-tested DS on Java 17. Keep the following in mind:

  • In Java 17, the PKCS#12 keystore encryption and MAC algorithms have been upgraded; the MAC algorithm is now HmacPBESHA256. Java 11 releases before 11.0.12 cannot read a keystore written with the new algorithms, so update to at least Java 11.0.12 if an application that runs on Java 11 must read the keystore.

  • Use G1 GC (the default) or parallel GC, as suggested in Java Settings. ZGC and Shenandoah are not recommended for production deployments at this stage.

7.1.0

Backup

  • The dsbackup command now lets you set a non-default storage provider endpoint.

    For details, see Cloud Storage.

Indexing

  • The online rebuild-index process is now less intrusive, more effective, and more robust. When you run the rebuild-index command while the server is online, the backend database remains available for directory operations during the rebuild.

    Each index is marked degraded and unavailable while the server rebuilds it. A search request that relies on an index in this state is treated as an unindexed search, and may temporarily fail unless the requester is allowed to perform unindexed searches.

Logging

  • DS log messages now include the authorization ID for every request.

  • DS servers now support logging the internal delete operations triggered by entry expiration.

    If you have set the ttl-age and ttl-enabled properties for a backend, use this feature by configuring an access log publisher to record messages about internal operations. When the server deletes an expired entry, it logs a message with "additionalItems":{"ttl": null} in the response.

    For background, see Entry Expiration.
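    The following Python script is an added example, not ForgeRock code, showing how to pick expiration deletes out of a JSON access log once internal-operation logging is enabled. It keys only on the "additionalItems":{"ttl": null} marker described above; the sample log lines are constructed, and their other fields (request.operation, request.protocol, request.connId, request.dn) are assumed to resemble the DS JSON access log rather than taken from this page.

```python
"""Pick entry-expiration deletes out of a DS JSON access log.

Added example, not ForgeRock code. The sample lines are constructed; apart from
the "additionalItems":{"ttl": null} marker, their field names are assumptions.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a client DELETE, an expiration DELETE carrying the ttl
# marker, an internal DELETE without the marker, an ADD, and a non-JSON line.
SAMPLE_LOG = """\
{"eventName":"DJ-LDAP","request":{"protocol":"LDAP","operation":"DELETE","connId":12,"dn":"uid=bjensen,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0"},"timestamp":"2021-09-01T10:00:00.000Z"}
{"eventName":"DJ-LDAP","request":{"protocol":"INTERNAL","operation":"DELETE","connId":-1,"dn":"uid=expired1,ou=Sessions,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0","additionalItems":{"ttl":null}},"timestamp":"2021-09-01T10:00:05.000Z"}
{"eventName":"DJ-LDAP","request":{"protocol":"INTERNAL","operation":"DELETE","connId":-1,"dn":"uid=cleanup,ou=Sessions,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0"},"timestamp":"2021-09-01T10:00:06.000Z"}
{"eventName":"DJ-LDAP","request":{"protocol":"LDAP","operation":"ADD","connId":12,"dn":"uid=new,ou=People,dc=example,dc=com"},"response":{"status":"SUCCESSFUL","statusCode":"0"},"timestamp":"2021-09-01T10:00:07.000Z"}
this line is not JSON and must be skipped, not crash the parser
"""


def parse_events(lines: Iterable[str]) -> Tuple[List[Dict], int]:
    """Parse JSON lines; return (events, number of lines skipped)."""
    events: List[Dict] = []
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def is_expiration_delete(event: Dict) -> bool:
    """True for a DELETE whose response carries the ttl marker.

    The marker is the presence of the "ttl" key (its value is null), so test
    for the key itself rather than for a truthy value.
    """
    if event.get("request", {}).get("operation") != "DELETE":
        return False
    items = event.get("response", {}).get("additionalItems")
    return isinstance(items, dict) and "ttl" in items


def expiration_deletes(lines: Iterable[str]) -> List[str]:
    """DNs of entries the server deleted because they expired."""
    events, _ = parse_events(lines)
    return [e.get("request", {}).get("dn", "<no dn>")
            for e in events if is_expiration_delete(e)]


def classify_deletes(lines: Iterable[str]) -> Dict[str, int]:
    """Count DELETE operations by origin: expired (ttl), client, other internal.

    Internal operations are assumed here to carry protocol INTERNAL or a
    negative connId; that convention is an assumption of this example.
    """
    counts = {"ttl": 0, "client": 0, "internal": 0}
    events, _ = parse_events(lines)
    for e in events:
        req = e.get("request", {})
        if req.get("operation") != "DELETE":
            continue
        if is_expiration_delete(e):
            counts["ttl"] += 1
        elif req.get("protocol") == "INTERNAL" or req.get("connId", 0) < 0:
            counts["internal"] += 1
        else:
            counts["client"] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("expired:", expiration_deletes(lines))
    print("by origin:", classify_deletes(lines))
    print("skipped lines:", parse_events(lines)[1])
```

    Run it against a real log with something like `python ttl_deletes.py < logs/ldap-access.audit.json` after replacing SAMPLE_LOG with `sys.stdin`; distinguishing the three delete origins is what lets you confirm that a burst of deletes came from expiration rather than from a client or from another internal process.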

Passwords

  • Password quality checks using the password quality advice control now ensure that proposed passwords are not in the password history.

    If the server finds the proposed password in the password history, this appears in the failing criteria returned with the advice response control.

    In addition, the REST to LDAP response over HTTP now includes the password attribute type.

Replication

  • DS servers now let you restrict which replicas you trust to send updates.

    By default, all directory servers in a replication topology trust all replicas. If a replica allows an update, then other servers relay and replay the update without further verification. This simplifies deployments where you control all the replicas.

    In deployments where you do not control all the replicas, you can configure replication servers to accept updates only from trusted replicas. The trust depends on the certificate that a replica presents to the replication server when connecting.

    For details, see Trusted Replicas.

  • DS servers now let you define replication group failover. This determines how a directory server selects the next group with replication servers to connect to when no replication server is available in the directory server’s own group.

    To activate replication group failover, set the global configuration property, group-id-failover-order.

    For details on how a directory server chooses a replication server, see Replication Connection Selection.

  • When a replica’s last change is older than the oldest change recorded in the replication server’s changelog, the replication server now records the problem in its log, and sends a message to the replica. When it receives the message, a 7.1 replica remains connected to the replication server, but refuses update operations, effectively becoming read-only. A pre-7.1 replica closes the connection.

    In any case, the replica no longer applies replication updates. Its data diverges more and more from other replicas' data.

    Should this happen in your deployment, reinitialize the replica. For details, see Manual Initialization.

  • DS servers now log more explicit messages when they discover duplicate server IDs.

REST to LDAP

  • This release introduces support for querying fields of reference or reverseReference resources that are subtypes of the resources you are searching.

    As an example, suppose that devices and users are both subtypes of a "managed object" type. Also, suppose that devices have a deviceType field, that users have a surname field, and that a basic managed object has neither of these fields. Now, your queries on a collection of managed objects can match properties of the referenced subtypes, such as /managedObjects?_queryFilter=deviceType+eq+phone, or /managedObjects?_queryFilter=surname+eq+Jensen.

Samples

  • The sample for building custom DS Docker images now has a USE_DEMO_KEYSTORE_AND_PASSWORDS setting that simplifies getting started with a basic Docker image on your computer.

    For details, see opendj/samples/docker/README.md.

Security

  • DS directory and proxy servers now allow access to the root DSE operational attribute subSchemaSubEntry. This attribute indicates the entry holding the LDAP schema definitions.

    Many applications retrieve this attribute, and the associated schema, to properly display or validate attribute values. If you cannot upgrade yet, update the configuration of your DS server to grant all users read access to subSchemaSubEntry at least on the root DSE:

    • For DS 7 directory servers, add subSchemaSubEntry to the attribute list in the "User-Visible Root DSE Operational Attributes" global ACI.

    • For DS 7 directory proxy servers, add allowed-attribute:subSchemaSubEntry on the Root DSE access configuration object.

    For details on granting access to subSchemaSubEntry on entries in directory data, see ACI: Access SubSchemaSubEntry Attribute.
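    The following Python helper is an added example, not ForgeRock code, for the workaround above: it inserts an attribute into the targetattr list of an ACI string without disturbing the rest of the ACI, and refuses to touch an exclusion list (targetattr!=), where appending an attribute would remove access instead of granting it. The ACI it operates on is a constructed, shortened stand-in for the server's "User-Visible Root DSE Operational Attributes" global ACI; its attribute list is not the real one.

```python
"""Add an attribute to the targetattr list of a DS ACI string.

Added example, not ForgeRock code. SAMPLE_ACI is a constructed stand-in for the
real global ACI; copy the real value from your server before editing it.
"""
import re
from typing import List

# Matches the (targetattr="a||b") or (targetattr!="a||b") clause of an ACI.
_TARGETATTR_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)', re.IGNORECASE)

# Constructed, shortened stand-in for the global ACI named in the release notes.
SAMPLE_ACI = ('(targetattr="namingContexts||supportedLDAPVersion||vendorName||vendorVersion")'
              '(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
              'allow (read,search,compare) userdn="ldap:///anyone";)')


def targetattrs(aci: str) -> List[str]:
    """Return the attribute names listed in the ACI's targetattr clause."""
    m = _TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no (targetattr=...) clause")
    return [a.strip() for a in m.group("attrs").split("||") if a.strip()]


def add_targetattr(aci: str, attr: str) -> str:
    """Return the ACI with attr added to its targetattr list.

    The ACI is returned unchanged when attr is already listed (attribute
    names compare case-insensitively) or when the list is "+", which in DS
    ACI syntax already covers all operational attributes.
    """
    m = _TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no (targetattr=...) clause")
    if m.group("op") == "!=":
        raise ValueError("targetattr uses !=; adding to an exclusion list would remove access")
    attrs = [a.strip() for a in m.group("attrs").split("||") if a.strip()]
    if "+" in attrs or any(a.lower() == attr.lower() for a in attrs):
        return aci
    attrs.append(attr)
    new_clause = '(targetattr="' + "||".join(attrs) + '")'
    return aci[:m.start()] + new_clause + aci[m.end():]


if __name__ == "__main__":
    updated = add_targetattr(SAMPLE_ACI, "subSchemaSubEntry")
    print(updated)
    print(targetattrs(updated))
```

    Apply the result with the usual dsconfig set-access-control-handler-prop sequence, removing the old global-aci value and adding the new one, and confirm with an anonymous ldapsearch on the root DSE (base DN "", scope base) that subSchemaSubEntry is now returned.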

  • DS servers now support text-based Privacy-Enhanced Mail (PEM) keys and certificates for server key pairs, master keys, and trusted certificates.

    For details, see Use PEM-Format Keys.

  • The DS Fingerprint Certificate Mapper now also supports fingerprints without colons.

    For example, the following SHA-256 fingerprints are equivalent:

    • 0555BDA5E14C35A6A54E78DD3EFDEA5A665DE0DC9CC5187EE9CAA91ECD874B78

    • 05:55:BD:A5:E1:4C:35:A6:A5:4E:78:DD:3E:FD:EA:5A:66:5D:E0:DC:9C:C5:18:7E:E9:CA:A9:1E:CD:87:4B:78
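    The following Python module is an added example, not ForgeRock code, showing how to compute a certificate fingerprint from its DER encoding and how to normalize and compare the two spellings above so that scripts which populate or check mapper configuration treat them as the same value. The "SHA256 Fingerprint=" prefix handling assumes the output format of openssl x509 -fingerprint; the DER bytes in the usage section are a constructed stand-in, not a real certificate.

```python
"""Normalize, compare, and compute certificate fingerprints.

Added example, not ForgeRock code. The two fingerprint constants are the
equivalent spellings given in the release notes.
"""
import hashlib
import re

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Hex digit counts for the digest sizes a fingerprint mapper commonly accepts.
_DIGEST_HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# The two equivalent spellings given in the release notes.
WITHOUT_COLONS = "0555BDA5E14C35A6A54E78DD3EFDEA5A665DE0DC9CC5187EE9CAA91ECD874B78"
WITH_COLONS = ("05:55:BD:A5:E1:4C:35:A6:A5:4E:78:DD:3E:FD:EA:5A:"
               "66:5D:E0:DC:9C:C5:18:7E:E9:CA:A9:1E:CD:87:4B:78")


def normalize_fingerprint(fp: str) -> str:
    """Return the fingerprint as uppercase hex with no separators.

    Accepts "AB:CD:..." and "ABCD..." forms, in either case, and tolerates a
    "SHA256 Fingerprint=" style prefix (assumed openssl x509 -fingerprint
    output). Raises ValueError for anything that is not a whole hex digest.
    """
    s = fp.strip()
    if "=" in s:
        s = s.split("=", 1)[1].strip()
    s = s.replace(":", "")
    if not _HEX_RE.match(s) or len(s) not in _DIGEST_HEX_LENGTHS:
        raise ValueError(f"not a recognized certificate fingerprint: {fp!r}")
    return s.upper()


def digest_name(fp: str) -> str:
    """Hash algorithm implied by the fingerprint's length."""
    return _DIGEST_HEX_LENGTHS[len(normalize_fingerprint(fp))]


def colon_form(fp: str) -> str:
    """Render a fingerprint in colon-separated form, e.g. 05:55:BD:..."""
    n = normalize_fingerprint(fp)
    return ":".join(n[i:i + 2] for i in range(0, len(n), 2))


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of case or colon separators."""
    return normalize_fingerprint(a) == normalize_fingerprint(b)


def certificate_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint of a certificate: the hash of its DER encoding, upper hex."""
    return hashlib.new(algorithm, der).hexdigest().upper()


if __name__ == "__main__":
    print(fingerprints_match(WITHOUT_COLONS, WITH_COLONS))  # True
    # Constructed stand-in for DER bytes; real input is the content of a .der
    # file or the base64-decoded body of a PEM CERTIFICATE block.
    fake_der = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
    print(colon_form(certificate_fingerprint(fake_der)))
    print(digest_name(WITH_COLONS))  # sha256
```

    Because the mapper accepts both spellings, a lookup keyed on the raw string would silently miss matches; normalizing before comparing, as above, is the check to put in any tooling that reconciles certificate fingerprints in user entries against the certificates actually deployed.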

Tools

  • DS command options that have secrets as arguments now support :env and :file modifier suffixes.

    For example, if the bind password is stored in a ~/.pass file, use --bindPassword:file ~/.pass. If the password is stored in the environment variable PASS, use --bindPassword:env PASS.

    Use the modifiers with the following options to provide the secret in an environment variable (:env), or in a file (:file):

    • --bindPassword[:env|:file]

    • --deploymentKeyPassword[:env|:file]

    • --keyStorePassword[:env|:file]

    • --monitorUserPassword[:env|:file]

    • --rootUserPassword[:env|:file]

    • --set[:env|:file] (for setup profile parameters)

    • --trustStorePassword[:env|:file]

  • The supportextract command now uses the jcmd command, if available, for heap dumps. Otherwise, it uses the jmap command.

  • The addrate, authrate, modrate, and searchrate commands now include connection time as part of the response time for a request.