DS servers now support Amazon AWS temporary credentials when backing up and restoring data using S3.
You set the AWS session token using the s3.sessionToken.env.var storage property. For example, first set the session token as the value of the AWS_SESSION_TOKEN environment variable, then use --storageProperty s3.sessionToken.env.var:AWS_SESSION_TOKEN in the
For additional examples, see Cloud storage.
DS servers now send an alert notification when a backup task completes.
The new alert types are org.opends.server.BackupFailure, and are documented in Alert types.
DS servers now support big indexes. A big index is a new kind of index optimized for high-cardinality attributes. High-cardinality attributes are those where many, many entries have the same attribute value. Big indexes let users more easily page through all the users in a US state, for example.
DS servers now let you monitor index use, so you can determine which indexes are unused.
For details, see Unused indexes.
DS servers now support a DN pattern matching rule that lets you index an attribute with DN values, and search with wildcard characters, so you can find matches for specific RDNs in the DN, for example.
For details, see DN patterns.
DS servers have improved output for debugging search indexes.
For examples, see Debug search indexes. (As explained there, the format of debugsearchindex values is not a stable public interface, because it is intended for human beings, not scripts.)
The output for the backendstat show-index-status commands is easier to read and to understand.
DS servers now optimize searches for unresolved conflicts.
DS servers now more efficiently optimize searches for initial substrings.
DS supports Java 17 (17.0.3 or later) in addition to Java 11:
In Java 17, the PKCS#12 keystore encryption/Mac algorithm has been upgraded to HmacPBESHA256. Update to at least Java 11.0.12 if you have an application that runs Java 11 and must read the keystore.
Use G1 GC (the default) instead of parallel GC. The setting is shown in Java Settings. Use of ZGC or Shenandoah is not recommended for production deployments at this stage.
For details, see Java.
If you are upgrading, see Supported Java.
DS servers now include entrySize in access log messages. You can filter access logs based on minimum entry size with the log filtering criteria setting,
For details, see About logs.
By default, DS servers are configured to manage log file retention and rotation. For details on configuring this, see Rotate and retain logs.
When an external program is also configured to manage DS log files, and moves or deletes log files in a way that a DS server does not expect, the DS server now detects the change and logs an error message.
Either let the DS server manage its log files, or configure an external program to do so, not both.
DS monitoring now takes replication listener threads into account when calculating whether a server is healthy. Monitoring shows a server to be in a healthy state if the server is alive, the replication server is accepting connections on the configured port, and any replication delays are below the configured threshold.
DS servers now support histogram metrics, as described in Metric types reference.
DS servers now let the monitor user read monitoring information over HTTP when some backends are offline, as long as the backend with the monitor user entry remains online.
DS servers now generate ETag attribute values more efficiently.
This improves the performance of REST to LDAP applications that use ETags for MVCC. The plugin generates real ETag attributes for adds and updates. The server relies on the existing virtual attribute implementation only when a real ETag is not available.
The implementation depends on a server plugin that is only configured for new servers. After upgrading all servers, configure the plugin on each server to use the new feature. For details, see Use the entity tag plugin for ETags.
DS servers now more efficiently verify passwords stored with PKCS5S2.
DS servers now run the rebuild-index command more efficiently when you identify specific indexes to rebuild.
They also now run the rebuild-index --rebuildDegraded command more efficiently when there are no indexes to rebuild.
DS servers now start up more quickly when there are large numbers of groups.
When the server starts, it runs an internal search to find all groups. DS servers now maintain a big index for objectClass that is specific to groups.
In previous versions, the search for groups at startup could be unindexed. The workaround was to raise the index entry limit for the objectClass index, with the tradeoff of maintaining indexes for more object classes, and impacting write performance. The workaround is no longer necessary for new servers.
Upgrading does not change the server configuration, however, so the index is not present after you upgrade. If you have applied the workaround of raising objectClass, and have upgraded your servers:
Install a new, throwaway server with the evaluation profile, as described in Install DS for evaluation.
Review the configuration for the
dsconfig get-backend-index-prop --backend-name dsEvaluation --index-name objectClass --offline
For your upgraded servers, consider adding a big-equality index for the groups, lowering objectClass, and rebuilding the
Server startup time should be just as good, and write performance might improve.
DS servers now support the Proxy Protocol from HAProxy.
For details, see Proxy Protocol.
The proxy backend settings to regularly contact remote LDAP servers now offer additional configuration for more fine-grained control when keeping connections alive and checking remote server availability.
For details, see Proxy Backend.
DS replication servers now check that the port is available when you change the configuration.
When you perform a paged results query whose corresponding LDAP search is indexed, the response now contains an estimated number of
"totalPagedResultsPolicy" : "ESTIMATE".
For an example, see Paged results.
When you perform a query, you can now request the resource count only, using the new _countOnly query string parameter. REST to LDAP returns the count, and not the resources.
This parameter requires protocol version 2.2 or later. Use a header like Accept-API-Version: protocol=2.2,resource=1.0, for example.
For details, see Query.
When converting JSON values, REST to LDAP now coerces:
Strings to booleans, integers, or JSON where possible.
Whole floating point numbers to integers.
REST to LDAP also returns helpful errors when coercion fails. This improves interoperability with client applications that do not or cannot perform the conversions before adding or updating resources.
The REST to LDAP gateway settings now let you configure:
Availability checks for load balancing.
The default heartbeat check settings have also been changed to check that pooled connections are alive every five minutes with a three-second keep-alive heartbeat timeout.
As many pools of failover servers as needed.
You specify the pools using the "failoverLdapServers" field. The gateway still accepts "secondaryLdapServers" settings for compatibility.
A connection timeout.
For details regarding these new settings, see LDAP Connection Factories.
Internally, REST to LDAP now simplifies search filters when possible. This can improve search performance in some cases.
REST to LDAP removes redundant objectClass assertions from search filters, retaining specific classes, but removing the superclasses they inherit from. For example:
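As an added illustration of this simplification (example code written for this page, not REST to LDAP's own implementation), the following Python rewrites a flat AND filter by dropping objectClass assertions that are superclasses of other asserted classes. The SUPERIOR map is a hand-written subset of the standard schema, and nested or non-AND filters are assumed out of scope.

```python
import re
from typing import Dict, List, Set

# Constructed subset of the standard LDAP schema: objectClass -> direct superior (lower-cased).
SUPERIOR: Dict[str, str] = {
    "inetorgperson": "organizationalperson",
    "organizationalperson": "person",
    "person": "top",
    "groupofnames": "top",
    "posixaccount": "top",
}

def ancestors(object_class: str) -> Set[str]:
    """Every superclass of object_class (lower-cased), excluding itself."""
    result: Set[str] = set()
    current = SUPERIOR.get(object_class.lower())
    while current is not None and current not in result:
        result.add(current)
        current = SUPERIOR.get(current)
    return result

def simplify_object_classes(asserted: List[str]) -> List[str]:
    """Drop asserted classes that are superclasses of another asserted class.
    Order is preserved; classes absent from SUPERIOR are kept as they are."""
    inherited: Set[str] = set()
    for oc in asserted:
        inherited |= ancestors(oc)
    kept: List[str] = []
    seen: Set[str] = set()
    for oc in asserted:
        key = oc.lower()
        if key not in inherited and key not in seen:
            seen.add(key)
            kept.append(oc)
    return kept

ASSERTION = re.compile(r"\(([^()]+)\)")  # one simple (attr=value) assertion
def simplify_and_filter(ldap_filter: str) -> str:
    """Rewrite a flat AND filter such as (&(objectClass=top)(objectClass=person)(uid=bjensen)).
    Nested or non-AND filters are out of scope for this example and are returned unchanged."""
    if not ldap_filter.startswith("(&") or any(op in ldap_filter[2:] for op in ("(&", "(|", "(!")):
        return ldap_filter
    parts = ASSERTION.findall(ldap_filter)
    classes = [p.split("=", 1)[1] for p in parts if p.lower().startswith("objectclass=")]
    others = [p for p in parts if not p.lower().startswith("objectclass=")]
    kept = [f"objectClass={c}" for c in simplify_object_classes(classes)] + others
    if len(kept) == 1:
        return f"({kept[0]})"
    return "(&" + "".join(f"({p})" for p in kept) + ")"
```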
REST to LDAP now updates single-valued LDAP attributes by replacing the value, which reduces the network bandwidth and historical change data needed to replicate the update.
The schema definitions in the db/schema/04-rfc2307bis.ldif file now align with those of the latest RFC 2307bis Internet-Draft, An Approach for Using LDAP as a Network Information Service.
PKCS#11 hardware security module now explains how to use an HSM for all asymmetric keys, including the shared master key, for data that is not (yet) encrypted.
If you plan to use an HSM for the shared master key, read the documentation carefully before you install DS. When you set up the server, you must avoid accidentally encrypting data while using the wrong shared master key.
For details, see Store the shared master key.
A new DS bash-completion command generates a completion script for the Bash shell that makes it easier to write other DS commands.
The completion script depends on support for bash-completion, which is not included by default on macOS.
To set up Bash completion for DS commands, source the output of the script:
# First, install bash-completion support.
# Next:
eval "$( /path/to/opendj/bin/bash-completion )"
You can make completion available in any new interactive shell by adding it to your ~/.bashrc file if it is loaded by the new shell.
dskeymgr show-deployment-id command displays key information about a given deployment ID—formerly known as a deployment key—such as the expiration date for the derived CA certificate.
For details, see Show deployment ID information.
dsrepl status --showReplicas command now displays an
The entry counts in each row reflect the number of entries in the specified replica under the specified base DN.
supportextract command now collects additional system information, including data to indicate whether the system is running in a virtual machine.
When collecting environment variable values, the supportextract command now excludes environment variables whose names contain
DS now lets you create virtual attributes based on the values of non-virtual attributes.
For details, see Template-based virtual attributes.