DS 7.2.0

What’s new


  • DS servers now support Amazon AWS temporary credentials when backing up and restoring data using S3.

    You set the AWS session token using the s3.sessionToken.env.var storage property. For example, first set the session token as the value of the AWS_SESSION_TOKEN environment variable, then use --storageProperty s3.sessionToken.env.var:AWS_SESSION_TOKEN in the dsbackup commands.

    For additional examples, see Cloud storage.

  • DS servers now send an alert notification when a backup task completes.

    The new alert types are org.opends.server.BackupSuccess and org.opends.server.BackupFailure, and are documented in Alert types.


  • DS servers now support big indexes. A big index is a new kind of index optimized for high-cardinality attributes. High-cardinality attributes are those where many, many entries have the same attribute value. Big indexes let users more easily page through all the users in a US state, for example.

  • DS servers now let you monitor index use, so you can determine which indexes are unused.

    For details, see Unused indexes.

  • DS servers now support a DN pattern matching rule that lets you index an attribute with DN values, and search with wildcard characters, so you can find matches for specific RDNs in the DN, for example.

    For details, see DN patterns.

  • DS servers have improved output for debugging search indexes.

    For examples, see Debug search indexes. (As explained there, the format of debugsearchindex values is not a stable public interface, because it is intended for human beings, not scripts.)

  • The output for the backendstat list-indexes and backendstat show-index-status commands is easier to read and to understand.

  • DS servers now optimize searches for unresolved conflicts.

  • DS servers now more efficiently optimize searches for initial substrings.


DS supports Java 17 (17.0.3 or later) in addition to Java 11:

  • In Java 17, the PKCS#12 keystore encryption/MAC algorithm has been upgraded to HmacPBESHA256. Update to at least Java 11.0.12 if you have an application that runs Java 11 and must read the keystore.

  • Use G1 GC (the default) instead of parallel GC. The setting is shown in Java Settings. Use of ZGC or Shenandoah is not recommended for production deployments at this stage.

For details, see Java.

If you are upgrading, see Supported Java.


  • DS servers now include entrySize in access log messages. You can filter access logs based on minimum entry size with the log filtering criteria setting, response-entry-size-greater-than.

    For details, see About logs.

  • By default, DS servers are configured to manage log file retention and rotation. For details on configuring this, see Rotate and retain logs.

    When an external program is also configured to manage DS log files, and moves or deletes log files in a way that a DS server does not expect, the DS server now detects the change and logs an error message.

    Either let the DS server manage its log files, or configure an external program to do so, not both.


  • DS monitoring now takes replication listener threads into account when calculating whether a server is healthy. Monitoring shows a server to be in a healthy state if the server is alive, the replication server is accepting connections on the configured port, and any replication delays are below the configured threshold.

  • DS servers now support histogram metrics, as described in Metric types reference.

    As indicated in LDAP metrics reference and Prometheus metrics reference, DS servers expose the following histogram monitoring metrics:





  • DS servers now let the monitor user read monitoring information over HTTP when some backends are offline, as long as the backend with the monitor user entry remains online.

Password storage

  • DS servers now support hashing passwords with Argon2 for password storage.

    For details, see Password Storage.


  • DS servers now generate ETag attribute values more efficiently.

    This improves the performance of REST to LDAP applications that use ETags for MVCC. The plugin generates real ETag attributes for adds and updates. The server relies on the existing virtual attribute implementation only when a real ETag is not available.

    The implementation depends on a server plugin that is only configured for new servers. After upgrading all servers, configure the plugin on each server to use the new feature. For details, see Use the entity tag plugin for ETags.

  • DS servers now more efficiently verify passwords stored with PKCS5S2.

  • DS servers now run the rebuild-index command more efficiently when you identify specific indexes to rebuild.

    They also now run the rebuild-index --rebuildDegraded command more efficiently when there are no indexes to rebuild.

  • DS servers now start up more quickly when there are large numbers of groups.

    When the server starts, it runs an internal search to find all groups. DS servers now maintain a big index for objectClass that is specific to groups.

    In previous versions, the search for groups at startup could be unindexed. The workaround was to raise the index entry limit for the objectClass index, with the tradeoff of maintaining indexes for more object classes, and impacting write performance. The workaround is no longer necessary for new servers.

    Upgrading does not change the server configuration, however, so the index is not present after you upgrade. If you have applied the workaround of raising index-entry-limit for objectClass, and have upgraded your servers:

    1. Install a new, throwaway server with the evaluation profile, as described in Install DS for evaluation.

    2. Review the configuration for the big-equality index for objectClass.

      For example:

      dsconfig get-backend-index-prop --backend-name dsEvaluation --index-name objectClass --offline

    3. For your upgraded servers, consider adding a big-equality index for the groups, lowering index-entry-limit for objectClass, and rebuilding the objectClass indexes.

      Server startup time should be just as good, and write performance might improve.


  • DS servers now support the Proxy Protocol from HAProxy.

    For details, see Proxy Protocol.

  • The proxy backend settings to regularly contact remote LDAP servers now offer additional configuration for more fine-grained control when keeping connections alive and checking remote server availability.

    For details, see Proxy Backend.


  • DS replication servers now check that the port is available when you change the configuration.


  • When you perform a paged results query whose corresponding LDAP search is indexed, the response now contains an estimated number of "totalPagedResults", and "totalPagedResultsPolicy" : "ESTIMATE".

    For an example, see Paged results.

  • When you perform a query, you can now request the resource count only, using the new _countOnly query string parameter. REST to LDAP returns the count, and not the resources.

    This parameter requires protocol version 2.2 or later. Use a header like Accept-API-Version: protocol=2.2,resource=1.0, for example.

    For details, see Query.

  • When converting JSON values, REST to LDAP now coerces:

    • Strings to booleans, integers, or JSON where possible.

    • Whole floating point numbers to integers.

    REST to LDAP also returns helpful errors when coercion fails. This improves interoperability with client applications that do not or cannot perform the conversions before adding or updating resources.

  • The REST to LDAP gateway settings now let you configure:

    • Availability checks for load balancing.

      The default heartbeat check settings have also been changed to check that pooled connections are alive every five minutes with a three-second keep-alive heartbeat timeout.

    • As many pools of failover servers as needed.

      You specify the pools using the "failoverLdapServers" field. The gateway still accepts "primaryLdapServers" and "secondaryLdapServers" settings for compatibility.

    • A connection timeout.

    For details regarding these new settings, see LDAP Connection Factories.

  • Internally, REST to LDAP now simplifies search filters when possible. This can improve search performance in some cases.

    REST to LDAP removes redundant objectClass assertions from search filters, retaining specific classes, but removing the superclasses they inherit from. For example:



  • REST to LDAP now updates single-valued LDAP attributes by replacing the value, which reduces the network bandwidth and historical change data needed to replicate the update.


  • The schema definitions in the db/schema/04-rfc2307bis.ldif file now align with those of the latest RFC 2307bis Internet-Draft, An Approach for Using LDAP as a Network Information Service.

    The change does not affect directory data, but when upgrading you may need to rebuild degraded indexes. For details, see When adding new servers and Update LDAP schema.


  • The PKCS#11 hardware security module documentation now explains how to use an HSM for all asymmetric keys, including the shared master key, for data that is not (yet) encrypted.

    If you plan to use an HSM for the shared master key, read the documentation carefully before you install DS. When you set up the server, you must avoid accidentally encrypting data while using the wrong shared master key.

    For details, see Store the shared master key.


  • A new DS bash-completion command generates a completion script for the Bash shell that makes it easier to write other DS commands.

    The completion script depends on support for bash-completion, which is not included by default on macOS.

    To set up Bash completion for DS commands, source the output of the script:

    • Bash 4:

      source <(/path/to/opendj/bin/bash-completion)

    • Bash 3.2 macOS:

      # First, install bash-completion support.
      # Next:
      eval "$( /path/to/opendj/bin/bash-completion )"

    You can make completion available in any new interactive shell by adding it to your ~/.bash_profile file, or ~/.bashrc file if it is loaded by the new shell.

  • The new dskeymgr show-deployment-id command displays key information about a given deployment ID (formerly known as a deployment key), such as the expiration date for the derived CA certificate.

    For details, see Show deployment ID information.

  • The dsrepl status --showReplicas command now displays an Entry count column.

    The entry counts in each row reflect the number of entries in the specified replica under the specified base DN.

  • The supportextract command now collects additional system information, including data to indicate whether the system is running in a virtual machine.

  • When collecting environment variable values, the supportextract command now excludes environment variables whose names contain PASS, PWD, or _PW.
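
    A pre-flight check for the exclusion rule above, as an added example that is not part of DS or the supportextract command: it lists variable names that look secret-bearing but contain none of PASS, PWD, or _PW, so you can unset them before collecting. It assumes the rule is a case-sensitive substring match; the extra name patterns (TOKEN, SECRET, KEY, CREDENTIAL) and the sample environment are constructed for illustration.

```bash
# Added example; not part of DS or supportextract. Values are never printed.

# True if NAME contains one of the substrings named in the release note.
# Assumption: the match is a plain, case-sensitive substring test.
is_excluded_by_rule() {
  case "$1" in
    *PASS*|*PWD*|*_PW*) return 0 ;;
    *) return 1 ;;
  esac
}

# True if NAME looks secret-bearing. The pattern list is this example's own
# heuristic, not DS behaviour.
looks_secret() {
  upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  case "$upper" in
    *PASS*|*PWD*|*_PW*|*TOKEN*|*SECRET*|*KEY*|*CREDENTIAL*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read NAME=value lines on stdin and print each name that looks secret
# but that the stated rule would not exclude.
audit_env_names() {
  while IFS= read -r line; do
    case "$line" in *=*) ;; *) continue ;; esac       # skip continuation lines
    name=${line%%=*}
    case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac  # not a variable name
    if looks_secret "$name" && ! is_excluded_by_rule "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# Constructed sample environment (no real values).
sample_env() {
  cat <<'EOF'
AWS_SESSION_TOKEN=constructed-token
AWS_SECRET_ACCESS_KEY=constructed-secret
KEYSTORE_PASSWORD=constructed
DB_PWD=constructed
ldap_bind_password=constructed
JAVA_HOME=/usr/lib/jvm/java-17
OLDPWD=/tmp
EOF
}

# To audit the live shell instead, run: env | audit_env_names
sample_env | audit_env_names
```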

Virtual attributes

Copyright © 2010-2022 ForgeRock, all rights reserved.