The default directory superuser (Directory Manager) DN is now uid=admin for new servers.
The upgrade process does not change the directory superuser DN for existing servers.
This change makes it easier to manage the server configuration over REST, because the default identity mapper configuration maps the HTTP admin username to the LDAP DN uid=admin.
The replication service discovery mechanism now obtains some information by reading the cn=monitor LDAP entry. As a result, the bind-dn account must now have the monitor-read privilege.
This affects accounts used by DS directory proxy servers to bind to DS replication servers. For an example showing the account with the monitor-read privilege, see "Try DS Directory Proxy".
DS backups taken with this release are not compatible with backups from earlier releases.
Scheduled backup tasks continue after upgrade.
Tasks created with the restore command in earlier releases are removed during upgrade.
The default backend ID for application data depends on the setup profiles.
The upgrade process does not change the backend ID for existing servers.
The server-side (plugin) Java API continues to evolve. See Interface Stability.
Server plugins written against this API must be adapted and recompiled to work with this version. For Java API reference documentation, see the Javadoc.
When matching strings in attributes with telephone number syntax, DS servers now behave as follows:
As in previous versions, a search for "(telephoneNumber=1555123456)" matches entries with the telephone number values +1 555 123 456 and 1 555 123456. Plus signs (+) are ignored. In other words, + is no longer significant when matching a telephone number syntax attribute.
A search for "(telephoneNumber=*Flower*)" returns only entries with telephone numbers containing Flower.
A search for "(telephoneNumber=15550102)" no longer matches entries with telephone numbers like +15550102 - Home.
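The matching rules above, modelled as an added example (this is illustrative code, not DS server code; the entries, DNs and filters are constructed sample data, and the normalization drops whitespace, hyphens and, as this release does, the plus sign):

```python
import re

# Added illustration, not DS code: models the telephoneNumber matching rules
# described above. Entries and filters below are constructed sample data.
IGNORED = re.compile(r"[\s\-+]")   # characters that carry no meaning for matching

def normalize(value: str) -> str:
    """Canonical form: whitespace, hyphens and (new in this release) '+' are dropped."""
    return IGNORED.sub("", value)

def matches(filter_str: str, value: str) -> bool:
    """Evaluate an equality or substring telephoneNumber filter against one value."""
    m = re.fullmatch(r"\(telephoneNumber=(.*)\)", filter_str)
    if not m:
        raise ValueError("only (telephoneNumber=...) filters are modelled")
    assertion, norm = m.group(1), normalize(value)
    if "*" not in assertion:                      # equality: the whole value must match
        return normalize(assertion) == norm
    parts = [normalize(p) for p in assertion.split("*")]
    initial, final, middle = parts[0], parts[-1], parts[1:-1]
    if len(norm) < len(initial) + len(final):
        return False
    if not norm.startswith(initial) or not norm.endswith(final):
        return False
    pos, end = len(initial), len(norm) - len(final)
    for part in middle:                           # each "any" piece must appear, in order
        i = norm.find(part, pos, end)
        if i < 0:
            return False
        pos = i + len(part)
    return True

# Constructed directory entries: DN -> telephoneNumber values
ENTRIES = {
    "uid=bjensen,ou=People,dc=example,dc=com": ["+1 555 123 456"],
    "uid=kvaughan,ou=People,dc=example,dc=com": ["1 555 123456"],
    "uid=scarter,ou=People,dc=example,dc=com": ["+15550102 - Home"],
    "uid=tmorris,ou=People,dc=example,dc=com": ["+1 555 Flower"],
}

def search(filter_str: str, entries=ENTRIES):
    """Return the DNs whose telephoneNumber values satisfy the filter."""
    return [dn for dn, values in entries.items()
            if any(matches(filter_str, v) for v in values)]
```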
The batch configuration for the JMS common audit handler for access logs has changed to support reconnection if the broker becomes unavailable.
This change adds a batch.writeInterval setting. It removes the following settings:
For details on the JMS handler configuration, see "JMS".
The example JDBC audit handler configuration for logging to MySQL has changed.
The old configuration is not compatible with MySQL 8, supported in this release.
For details on the JDBC handler configuration, see "JDBC".
The global property smtp-server has been replaced with a configuration object, "Mail Server".
Replication domain and replication server configurations no longer let you set
The following replication domain configuration properties have moved to the replication synchronization provider:
The following replication server properties have moved to the replication synchronization provider:
In addition to the property changes, the replication synchronization provider has changed:
A new property, bootstrap-replication-server, takes the addresses of one or more replication servers that this server should contact to discover the rest of the topology.
The replication-purge-delay property has replaced the replication domain property,
In this release, the replication-purge-delay setting alone governs how long the replica retains changelog data and the historical metadata needed to resolve conflicts in directory entries.
The resourceTypeProperty field is no longer used in REST to LDAP configurations. The resource type is now inferred from the property with
Default security settings have been hardened.
For details, see "Default Security Settings".
The following configuration changes impact TLS-related settings:
The "Crypto Manager" no longer has the following properties:
The "Replication Synchronization Provider" configuration object now has the following properties:
The following configuration objects now have
The default fingerprint algorithm for the fingerprint certificate mapper is now SHA-256.
The setup command has changed:
The --productionMode option has been removed.
Default settings are now secure. For details, see "Default Security Settings".
The evaluation setup profile is compatible with other setup profiles. However, if you apply the evaluation setup profile last, it sets unauthenticated-requests-policy:allow, granting global permission to perform operations over insecure connections.
Subcommands have been replaced by setup profiles.
The setup command no longer starts the server by default.
Before starting your new DS server, finish configuration. For details, see the examples in the Installation Guide.
If no further configuration is required, use the setup --start option.
For new servers, key pairs with self-signed certificates are no longer used. Instead, the setup process generates keys used for secure connections, and derives a shared master key to protect secret keys for data encryption. These keys depend on a deployment key and deployment key password. For details, see "Key Management".
The deployment key and deployment key password are required as part of the setup process:
If you do not provide your own keys, and do not provide a deployment key, the setup command generates one for you. After it generates the key, the setup displays it in the command output.
If you do not provide your own keys, the generated keys and the signing CA certificate are stored in a PKCS#12 keystore file, config/keystore. The password is stored in a PIN file, config/keystore.pin. You can use the CA certificate as the root of trust for an entire deployment.
By default, replication now relies on the same key pairs as all other connection handlers to secure network communications.
The Replication Key Manager and Replication Trust Manager providers now point to the providers chosen during the setup process.
The Default Key Manager is now named after its keystore format, such as
For details, see "Key Management".
The following setup command options have been removed:
Add your initial data before starting the server by creating a backend database, configuring indexes, and importing from LDIF. For details, see Data Storage.
The -d, --sampleData option has moved. It is now provided as the generatedUsers parameter of the evaluation setup profile.
For examples using the command, see Installation Guide.
DS command line tools no longer support the "-w -" and "--bindPassword -" options to prompt interactively for a password.
Instead, provide the bind DN and omit the "-w -" or "--bindPassword -" option. The tools then prompt for a password unless you specify the
You can upgrade DS 3.0 and later servers directly to this release.
When starting from 2.6, first upgrade all servers to DS 6.5 before upgrading further. Direct upgrade from 2.6 is no longer supported.
For details, see "Supported Upgrades".
Default Security Settings
When you set up new DS servers, they are now configured with tighter security settings by default. These changes do not affect DS servers that you upgrade from earlier versions. If you require more lenient settings for compatibility, you must configure them after setting up the server:
All operations except bind requests and StartTLS requests, and base object searches on the root DSE, require secure connections.
This behavior is governed by the global configuration property unauthenticated-requests-policy, which is now set to allow-discovery instead of allow, unless the last setup profile applied is the evaluation setup profile.
The password storage scheme for the Default Password Policy and Root Password Policy is now PBKDF2-HMAC-SHA256 with 10 iterations. For stronger security, raise the number of iterations as shown in "Configure a NIST-Inspired Subentry Policy", and require users to change their passwords.
PBKDF2-HMAC-SHA256 is a computationally intensive one-way hashing scheme. When used with a high number of iterations, it is intentionally orders of magnitude slower than the previous default for user passwords, which was
PBKDF2-HMAC-SHA256 and similar computationally intensive password storage schemes lower throughput and raise response times for some operations, including the following:
Importing plaintext passwords from LDIF; for example, during evaluation and testing with generated data.
Authenticating with passwords.
Plan your deployment accordingly. For additional details, see "Password Storage".
To migrate user passwords to a new storage scheme, see "Deprecate a Password Storage Scheme".
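As an added illustration of the two points above (PBKDF2-HMAC-SHA256 with a tunable iteration count, and migrating stored passwords off a deprecated scheme), the following is constructed example code, not DS code: the "{SCHEME}..." encoding is invented for the example, and a salted SHA-512 scheme stands in for whatever older scheme is being retired. Re-hashing happens at the only moment the plaintext is available, a successful bind.

```python
import base64
import hashlib
import hmac
import os

# Added illustration, not DS code: the "{SCHEME}..." storage encoding below is
# constructed for this example and is not the server's on-disk format.
NEW_SCHEME = "PBKDF2-HMAC-SHA256"
DEPRECATED = {"SSHA512"}          # an older salted-but-not-iterated scheme, as example
DEFAULT_ITERATIONS = 10           # this release's default; raise it in production

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def pbkdf2_hash(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    return "{%s}%d$%s$%s" % (NEW_SCHEME, iterations, b64(salt), b64(dk))

def ssha512_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    return "{SSHA512}" + b64(hashlib.sha512(password.encode() + salt).digest() + salt)

def scheme_of(stored: str) -> str:
    return stored[1:stored.index("}")]

def iterations_of(stored: str) -> int:
    """PBKDF2 iteration count of a stored value, 0 for non-iterated schemes."""
    if scheme_of(stored) != NEW_SCHEME:
        return 0
    return int(stored[stored.index("}") + 1:].split("$")[0])

def verify(stored: str, password: str) -> bool:
    scheme, rest = scheme_of(stored), stored[stored.index("}") + 1:]
    if scheme == NEW_SCHEME:
        iters, salt, dk = rest.split("$")
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt), int(iters), 32)
        return hmac.compare_digest(cand, base64.b64decode(dk))
    if scheme == "SSHA512":
        raw = base64.b64decode(rest)
        digest, salt = raw[:64], raw[64:]
        return hmac.compare_digest(hashlib.sha512(password.encode() + salt).digest(), digest)
    raise ValueError("unsupported scheme " + scheme)

def bind_and_migrate(stored: str, password: str, target_iterations: int):
    """Simulate a bind. On success, re-hash values stored with a deprecated
    scheme or with fewer iterations than the target. Returns (bind_ok, value_to_keep)."""
    if not verify(stored, password):
        return False, stored
    if scheme_of(stored) in DEPRECATED or iterations_of(stored) < target_iterations:
        return True, pbkdf2_hash(password, target_iterations)
    return True, stored
```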
SASL mechanism handler configurations for DIGEST-MD5 are no longer present in the default configuration.
Password storage scheme configurations for Salted MD5 are no longer present in the default configuration.
Less secure and reversible password storage schemes are disabled in the default configuration. If you intend to use any of these schemes, you must enable them explicitly.
The defaults for the following settings have changed:
Crypto Manager digest-algorithm
Crypto Manager key-wrapping-transformation
Crypto Manager mac-algorithm
Global setting unauthenticated-requests-policy
Password storage scheme: 3DES enabled
Password storage scheme: AES enabled
Password storage scheme: Base64 enabled
Password storage scheme: Blowfish enabled
Password storage scheme: Clear enabled
Password storage scheme: CRYPT enabled
Password storage scheme: PBKDF2 enabled
Password storage scheme: PKCS5S2 enabled
Password storage scheme: Salted SHA-1 enabled
Password storage scheme: Salted SHA-256 enabled
Password storage scheme: Salted SHA-384 enabled
Password storage scheme: Salted SHA-512 enabled
Password storage scheme: SHA-1 enabled
Pluggable (JE) backend cipher-transformation
Replication server cipher-transformation