DS release notes


The following limitations are inherent to the design, not bugs to be fixed.

Account lockout

When you configure account lockout as part of password policy, DS servers lock an account after the specified number of consecutive authentication failures.

Account lockout is not transactional across all replicas in a deployment. Global account lockout occurs as soon as the authentication failure times have been replicated.


  • When patching a json syntax attribute, you cannot patch individual fields of the JSON object. You must change the entire JSON object instead.

    As a workaround, perform an update of the entire object, changing only the desired fields in your copy.

  • For referrals, HDAP returns HTTP 404 Not Found. HDAP does not return the equivalent of LDAP continuation references.

  • HDAP does not support query filters for equality matching (eq) with address fields like postalAddress.


  • DS servers provide full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.

  • When the global server property invalid-attribute-syntax-behavior is set to accept or warn, a search on group membership using a value with invalid syntax returns nothing.


  • Directory servers store passwords prefixed with the storage scheme in braces, as in {scheme}.

    To prevent users from effectively attempting to choose their own password storage scheme, directory servers do not support passwords that strictly match this format.

    Specifically, directory servers do not support passwords that match {string.*.

    Requests to update userPassword values with such passwords fail with result code 19 (Constraint Violation), and an additional message that passwords may not be provided in pre-encoded form.

  • The Password Policy control (OID: is supported for add, bind, and modify operations.

    It is not supported for compare, delete, search, and modify DN operations.

Proxy services

  • Configuring a server with both local backends and proxy backends is not supported.

    Access control models for directory servers and proxy servers do not function at the same time in the same server.

  • The policy-based access control handler used in proxy servers:

    • Does not support the Get Effective Rights control.

    • Does not check the modify-acl privilege when global access control policies are changed.

      The config-write privilege is sufficient to change global access control policies.

    • Does not send alert notifications when global access control policies change.

  • When using ACIs or collective attributes with the proxy server data distribution feature, the ACI and entries having collective attribute values must be located at or above the partition-base-dn. When changing this data, make the change behind the proxy to one directory server replica in each shard. Your changes are not replicated outside the shard.

    The proxy server data distribution feature does not currently support the following:

    • Importing distributed data with the import-ldif command.

    • Changes to the number of partitions after data has been deployed.

    • Modify DN operations to distributed entries.

    • Updates to entries at or above the partition-base-dn.

    • Virtual static groups.

    • Data distribution does not support these virtual attributes:


      The isMemberOf virtual attribute works as expected as long as you replicate the group entries on every shard.

    • Data distribution does not support these LDAP controls:

      Server-Side Sort controls


      Simple Paged Results control


      Virtual List View controls



  • The dsrepl status command cannot read status information from DS 6.5 and earlier servers.

    During upgrade, use the dsreplication status command for 6.5 and earlier servers, and the dsrepl status command for 7.0 and later servers.

  • Pre-7.0 DS servers cannot create a new symmetric key in mixed version topologies.

    When a DS 6.5 or earlier server generates a new symmetric key, it displays an error, such as the following:

    Cannot encode entry for writing on storage:
     CryptoManager failed to encode symmetric key attribute value:
      InvalidKeyException(Wrong key usage) base dn : dc=com

    To work around this limitation, upgrade the pre-7.0 DS servers and use the new security model.


  • REST to LDAP on a DS proxy server does not support authentication as a remote user.

    Access REST to LDAP through the gateway or directly on a DS directory server.

  • REST to LDAP does not support modify RDN operations.

  • REST to LDAP query filters do not work with properties of subtypes.

    For example, the default example configuration describes a user type, and a POSIX user type. If your query filter is based on a POSIX user type property that is not a property of the user type, such as loginShell or gidNumber, the filter always evaluates to false, and the query returns nothing.

  • When applying a Common REST patch operation to a Json syntax attribute, you cannot patch individual fields of the JSON object. You must change the entire JSON object instead.

    As a workaround, perform an update of the entire object, changing only the desired fields in your copy.


Due to a Java issue on Windows systems (JDK-8057894), when configuring DS servers with data confidentiality enabled, DS might display an error message containing the following text:

Unexpected CryptoAPI failure generating seed

If this happens, try running the command again.

Copyright © 2010-2024 ForgeRock, all rights reserved.