Incompatible Changes

  • The default directory superuser (Directory Manager) DN is now uid=admin for new servers.

    The upgrade process does not change the directory superuser DN for existing servers.

    This change makes it easier to manage the server configuration over REST, as the default identity mapper configuration maps the HTTP admin username to the LDAP DN uid=admin.

  • The replication service discovery mechanism now obtains some information by reading the cn=monitor LDAP entry. As a result, the bind-dn account must now have the monitor-read privilege.

    This affects accounts used by DS directory proxy servers to bind to DS replication servers. For an example showing the account with the monitor-read privilege, see "Try DS Directory Proxy".

  • DS backups taken with this release are not compatible with backups from earlier releases.

  • Scheduled backup tasks continue after upgrade.

  • Tasks created with the restore command in earlier releases are removed during upgrade.

The default backend ID for application data depends on the setup profiles.

The upgrade process does not change the backend ID for existing servers.

The server-side (plugin) Java API is continuing to evolve. See Interface Stability.

Server plugins written against this API must be adapted and recompiled to work with this version. For Java API reference documentation, see the Javadoc.

When matching strings in attributes with telephone number syntax, DS servers now behave as follows:

  • As in previous versions, a search for "(telephoneNumber=1555123456)" matches entries with telephone number values +1 555 123 456 and 1 555 123456.

  • All +s are ignored. In other words, + is no longer significant when matching a telephone number syntax attribute.

  • A search for "(telephoneNumber=*Flower*)" returns only entries with telephone numbers containing Flower (case-insensitive match).

  • A search for "(telephoneNumber=15550102)" no longer matches entries with telephone numbers like +15550102 - Home.

  • The batch configuration for the JMS common audit handler for access logs has changed to support reconnection if the broker becomes unavailable.

    This change adds a batch.writeInterval setting. It removes the following settings:

    • batch.batchEnabled

    • batch.insertTimeoutSec

    • batch.pollTimeoutSec

    • batch.shutdownTimeoutSec

    • batch.threadCount

    For details on the JMS handler configuration, see "JMS".

  • The example JDBC audit handler configuration for logging to MySQL has changed.

    The old configuration is not compatible with MySQL 8, supported in this release.

    For details on the JDBC handler configuration, see "JDBC".

The global property smtp-server has been replaced with a configuration object, "Mail Server".

The resourceTypeProperty field is no longer used in REST to LDAP configurations. The resource type is now inferred from the property with "type": "resourceType".

The setup command has changed:

  • The --productionMode option has been removed.

    Default settings are now secure. For details, see "Default Security Settings".

    The evaluation setup profile is compatible with other setup profiles. However, if you apply the evaluation setup profile last, it sets unauthenticated-requests-policy:allow, granting global permission to perform operations over insecure connections.

  • Subcommands have been replaced by setup profiles.

  • The setup command no longer starts the server by default.

    Before starting your new DS server, finish configuration. For details, see the examples in the Installation Guide.

    If no further configuration is required, use the setup --start option.

  • For new servers, key pairs with self-signed certificates are no longer used. Instead, the setup process generates keys used for secure connections, and derives a shared master key to protect secret keys for data encryption. These keys depend on a deployment key and deployment key password. For details, see "Key Management".

    The deployment key and deployment key password are required as part of the setup process:

    • If you do not provide your own keys, and do not provide a deployment key, the setup command generates one for you. After it generates the key, the setup displays it in the command output.

    • If you do not provide your own keys, the generated keys and the signing CA certificate are stored in a PKCS#12 keystore file, config/keystore. The password is stored in a PIN file, config/ You can use the CA certificate as the root of trust for an entire deployment.

    • By default, replication now relies on the same key pairs as all other connection handlers to secure network communications.

      The Replication Key Manager and Replication Trust Manager providers now point to the providers chosen during the setup process.

    • The Default Key Manager is now named after its keystore format, such as PKCS12.

    For details, see "Key Management".

  • The following setup command options have been removed:

    • -a, --addBaseEntry

    • -b, --baseDn

    • --useJvmTrustStore

    • -l, --ldifFile

    • -O, --doNotStart

    • --productionMode

    • -R, --rejectFile

    • --skipFile

    Add your initial data before starting the server by creating a backend database, configuring indexes, and importing from LDIF. For details, see Data Storage.

  • The -d, --sampleData option has moved. It is now provided as the generatedUsers parameter of the ds-evaluation setup profile.

For examples using the command, see Installation Guide.

DS command line tools no longer support the -w - and --bindPassword - options to prompt interactively for a password.

Instead, provide the bind DN and omit the -w - or --bindPassword - option. The tools then prompt for a password unless you specify the --no-prompt option.

You can upgrade DS 3.0 and later servers directly to this release.

When starting from 2.6, first upgrade all servers to DS 6.5 before upgrading further. Direct upgrade from 2.6 is no longer supported.

For details, see "Supported Upgrades".

Default Security Settings

When you set up new DS servers, they are now configured with tighter security settings by default. These changes do not affect DS servers that you upgrade from earlier versions. If you require more lenient settings for compatibility, you must configure them after setting up the server:

  • All operations except bind requests and StartTLS requests, and base object searches on the root DSE, require secure connections.

    This behavior is governed by the global configuration property, unauthenticated-requests-policy, which is now set to allow-discovery, instead of allow, unless the last setup profile applied is the ds-evaluation profile.

  • The password storage scheme for the Default Password Policy and Root Password Policy is now PBKDF2-HMAC-SHA256 with 10 iterations. For stronger security, raise the number of iterations as shown in "Configure a NIST-Inspired Subentry Policy", and require users to change their passwords.


    PBKDF2-HMAC-SHA256 is a computationally intensive one-way hashing scheme. When used with a high number of iterations, it is intentionally orders of magnitude slower than the previous default for user passwords, which was Salted SHA-512.

    PBKDF2-HMAC-SHA256 and similar computationally intensive password storage schemes lower throughput and raise response times for some operations, including the following:

    • Importing plaintext passwords from LDIF; for example, during evaluation and testing with generated data.

    • Updating passwords.

    • Authenticating with passwords.

    Plan your deployment accordingly. For additional details, see "Password Storage".

    To migrate user passwords to a new storage scheme, see "Deprecate a Password Storage Scheme".

  • SASL mechanism handler configurations for CRAM-MD5 and DIGEST-MD5 are no longer present in the default configuration.

  • Password storage scheme configurations for MD5, RC4, and Salted MD5 are no longer present in the default configuration.

    Less secure and reversible password storage schemes have been disabled in the default configuration. You must therefore enable these password storage schemes if you intend to use them.

SettingNew Default
Crypto Manager digest-algorithm SHA-256
Crypto Manager key-wrapping-transformation RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
Crypto Manager mac-algorithm HmacSHA256
Global setting unauthenticated-requests-policy allow-discovery
Password storage scheme: 3DES enabled false
Password storage scheme: AES enabled false
Password storage scheme: Base64 enabled false
Password storage scheme: Blowfish enabled false
Password storage scheme: Clear enabled false
Password storage scheme: CRYPT enabled false
Password storage scheme: PBKDF2 enabled false
Password storage scheme: PKCS5S2 enabled false
Password storage scheme: Salted SHA-1 enabled false
Password storage scheme: Salted SHA-256 enabled false
Password storage scheme: Salted SHA-384 enabled false
Password storage scheme: Salted SHA-512 enabled false
Password storage scheme: SHA-1 enabled false
Pluggable (JE) backend cipher-transformation AES/GCM/NoPadding
Replication server cipher-transformation AES/GCM/NoPadding
Read a different version of :