PingDirectory

Release notes

Unless otherwise noted, all of the following enhancements, known issues, and resolved issues apply to the PingDirectory server, the PingDirectoryProxy server, and the PingDataSync server.

Subscribe to get automatic updates: PingDirectory Release Notes RSS feed

PingDirectory suite of products 11.0.0.0 (December 2025)

Converted the admin console to React

New DS-44421 PingDirectory, PingDirectoryProxy, PingDataSync

We replaced the AngularJS admin console with a restyled, redesigned front end that uses a React framework.

The React-based admin console only supports servers running version 11.0 or later.

Server administrators can now benefit from the following improvements:

  • Read-only access and monitoring: You can deploy the admin console in read-only mode to provide console access for sensitive environments.

  • Expert-level configuration: The admin console configuration.complexity property now defaults to expert, allowing you to view and create expert-level configuration objects.

  • Status page: This page is now more comprehensive, reflecting everything you would learn when running bin/status except for the server PID, license details, and the list of admin users.

Learn more in Signing on to and configuring the admin console.

Added distributed tracing using OpenTelemetry

New DS-50750 PingDirectory

We added the ability to perform distributed tracing for inbound LDAP requests to the PingDirectory server. This advancement simplifies troubleshooting by giving you better observability of server processing across request workflows.

This feature is provided as a Preview, which means that it isn’t supported and should not be used in production environments. Learn more in Feature status.

With distributed tracing, you can:

  • Reduce downtime and improve reliability: Quickly diagnose and resolve complex issues by visualizing the inbound server request flow, identifying bottlenecks and points of failure.

  • Streamline troubleshooting: Reduce the time, effort, and expertise required for troubleshooting, freeing up your teams to focus on important initiatives.

  • Optimize performance: Understand how your servers interact and identify areas for performance improvement to provide a more efficient user experience.

This implementation of distributed tracing uses the OpenTelemetry framework. Requests must include the W3C trace context LDAP control. Learn more in Distributed tracing.

Added the reference attribute mapping type

New DS-46581 PingDataSync

The server now supports reference attribute mapping, which significantly enhances the synchronization of entries with attributes that reference other entries.

This feature is provided as a Preview, which means that it isn’t supported and should not be used in production environments. Learn more in Feature status.

This capability reduces the need for custom configurations in some synchronization workflows, including the following:

  • Targeting PingOne and other SCIM destinations, which often requires the final attribute value to be a constructed JSON object

  • Synchronizing from a source where a group entry contains a list of members to a destination where a user entry contains a list of groups

  • Extracting manager data from a destination entry to populate the employee’s synchronized destination entry

Reference attribute mapping uses a key-value configuration pipeline to correlate entries and extract data from the destination referenced entry to construct the final attribute value. The feature allows the use of different types for the key-value properties, offering administrators powerful flexibility for complex synchronization use cases.

Learn more in Reference attribute mapping.

Added composite index backing for improved performance

Improved DS-50072, DS-50111 PingDirectory

We updated the server so that most newly created attribute indexes get backed by composite indexes. This offers better performance and scalability for index keys that match a large number of entries, especially in cases where portions of the index would be exploded.

To enable composite index backing for existing attribute indexes, export the backend to LDIF and reimport it.

As a result of this change:

  • There might be a slight reduction in cache capacity due to increased memory usage.

  • The index entry limit default value is higher.

  • Running an online dsreplication initialize to servers running older versions won’t work.

  • Low-level and monitor data include any backing composite indexes.

Optimized index selection for server-side sorting

Improved DS-50416, DS-50614 PingDirectory

We updated the server to prefer using an applicable VLV index over an applicable composite index for search requests including the server-side sort control. Although composite indexes can be used for sorting search results under limited circumstances, a matching VLV index is faster than a corresponding composite index.

Improved dsreplication initialize speed

Improved DS-48416 PingDirectory

To increase dsreplication initialize speed for high-latency connections, the operating system now automatically sets the optimal receive buffer size, allowing a larger TCP window for initialization.

To set the receive buffer manually, configure the following Java property to the desired size:

com.unboundid.directory.server.replication.protocol.SessionFactory.RECEIVE_BUFFER_SIZE

Supply a value of 1000000 to revert to the default buffer size before this change.

Improved concurrent bind request performance

Improved DS-50622 PingDirectory, PingDirectoryProxy

We improved concurrent bind request throughput for heavy authentication workloads passing through PingDirectoryProxy.

Optimized setup behavior for modern JVMs

Improved DS-50603 PingDirectory, PingDirectoryProxy, PingDataSync

For new installations, setup no longer sets the JVM option ConcGCThreads because modern JVMs can choose an optimal value.

Added server.out files to CSD archives

Improved SUPP-441 PingDirectory, PingDirectoryProxy, PingDataSync

To add details about the server state before shutdown, the collect-support-data tool now includes up to five of the latest timestamped server.out files in the CSD archive.

Enriched logging for sync errors to LDAP destinations

Improved DS-50764 PingDataSync

We improved the logged messages for certain types of errors encountered at LDAP sync destinations. Previously these errors would simply display as connection errors, but now contain more information if it’s available.

Expanded support for escaping special characters in email templates

Improved DS-50964 PingDirectory

Multipart email account status notification handlers can now use Velocity’s Escape Tool for special characters in variable values inserted in a template.

We also updated the HTML bodies of the template files so that they escape any HTML special characters in variables that are likely to contain them.

Fixed a critical LDAP request issue

Fixed DS-50632 PingDirectory

We fixed a critical server issue where some LDAP requests failed with a ConcurrentModificationException in the AuthenticationInfo module.

This issue was introduced in version 10.1.0.0. Update affected servers.

Improved expired certificate handling for TLS negotiation

Fixed DS-49269, DS-49270 PingDirectory, PingDirectoryProxy, PingDataSync

We fixed an issue that could cause the server to select an expired certificate when performing TLS negotiation with an external server that has a key manager provider and requests a client certificate chain.

The server now presents an expired certificate only if the key store doesn’t include any certificate chains with currently valid certificates.

We also added the ssl-cert-nickname property to the external server configuration, which allows you to control which client certificate chain the server presents to that external server. If this property isn’t configured, the server attempts to automatically select an appropriate certificate chain.

Fixed an issue with unindexed searches

Fixed DS-50248 PingDirectory

We fixed an issue that could cause the server to incorrectly attempt an unindexed search if multiple indexes were applicable to the same set of filter components but the highest-priority index chosen couldn’t be used. The server now properly attempts to use an alternative index when possible.

Fixed an issue with internal connections in replicated topologies

Fixed DS-49563 PingDirectory

We fixed an issue in replicated topologies where internal connections between servers could be permanently lost if a client connection policy (such as maximum-connection-duration) was configured.

This could cause mirrored operations, like configuration changes, to fail indefinitely. We updated the server’s connection-handling logic to automatically detect and recover from this type of disconnection, re-establish the peer connection, and ensure the operation succeeds.

Fixed a Delegated Admin landing page error

Fixed DS-50473 PingDirectory

We fixed an issue that caused the Delegated Admin landing page to throw an error after server startup.

Fixed an issue with LDIF imports

Fixed DS-50286 PingDirectory

We fixed an issue with running an LDIF import as an administrative task. Previously, the import process didn’t verify that the source LDIF file existed before clearing the backend.

Fixed an issue with FIPS-compliant server upgrades

Fixed DS-50372 PingDirectory, PingDirectoryProxy, PingDataSync

We fixed an issue with server upgrades failing for FIPS-compliant servers running in a Linux environment with native FIPS mode enabled.

You can identify this upgrade failure by the following error message:

Error initializing update: Error determining build information for the server at /opt/PingDirectory: 1. Output from /opt/PingDirectory/bin/status -F was: .

Fixed an upgrade issue for servers without a userRoot backend

Fixed DS-50541 PingDirectory

We fixed an issue that caused upgrades for servers running version 10.0.0.x or later with no userRoot backend to fail.

During an upgrade, the update tool tried to delete some configuration entries for inverted static group support that didn’t exist.

Fixed an error type issue for locked accounts

Fixed DS-50994 PingDirectory

We fixed an issue where, under certain circumstances, a Password Policy Response Control value for a locked account would return an error type other than account locked.

Fixed an issue with the Changelog Password Encryption plugin

Fixed DS-50457 PingDirectory

We fixed an issue where the Changelog Password Encryption plugin didn’t add encrypted attributes to the changelog for entries created with the Generate Password request control.

Fixed an issue with invalid syntax for objectClass values

Fixed DS-50431 PingDirectory

We fixed an issue where replace operations for the objectClass attribute could allow values with invalid syntax.

Fixed an issue with work queue threads and old operations

Fixed DS-50432 PingDirectory, PingDirectoryProxy, PingDataSync

We fixed an issue where encountering certain unexpected errors could result in work queue thread names that would persist information about old operations.

Fixed an issue with invalid attribute names

Fixed DS-50253 PingDirectory

We fixed an issue where ldapmodify allowed invalid attribute names.

Fixed an issue with profile replacement in topologies

Fixed DS-50197 PingDirectoryProxy, PingDataSync

We fixed an issue where using the manage-profile tool to replace a profile would fail if the new profile and original profile each contained topology external servers with identical names.

Fixed a plugin issue with delete operations

Fixed DS-50377 PingDirectory

We fixed an issue where the Referential Integrity plugin rejected delete operations when the DN of the delete operation was out of scope.

Fixed an issue with SCIM attribute mappings

Fixed DS-50996 PingDirectory, PingDirectoryProxy

We fixed an issue where SCIM attribute mappings that map the type sub-attribute from the SCIM resource could cause the attribute to not map fully.

Fixed an issue with --performLocalCleanup in interactive mode

Fixed DS-48553 PingDirectory, PingDirectoryProxy, PingDataSync

Running remove-defunct-server --performLocalCleanup in interactive mode no longer attempts to establish a connection to another live server in the topology.

Fixed an issue with infinite retries for LDAP sync endpoints

Fixed DS-50255 PingDataSync

We fixed an issue where the server would infinitely retry operations that would never succeed. This issue specifically affected sync pipes syncing to or from LDAP endpoints and could have prevented the server from processing other operations.

Suppressed Kafka messages for some modify operations

Fixed DS-50763 PingDataSync

Kafka sync destinations no longer publish messages to Kafka endpoints if a modify operation doesn’t result in any attributes being modified.

Fixed issues for entries with DNs containing phone numbers

Fixed DS-50892 PingDataSync

For entries with phone numbers in their DNs, we fixed the following issues:

  • The synchronization process would unnecessarily attempt to rename these entries.

  • The resync tool would report different results for these entries when you provided or omitted the --dry-run argument.

HTTP requests to Velocity endpoints

Info DS-50301 PingDirectory, PingDirectoryProxy, PingDataSync

HTTP requests sent to endpoints handled by the Velocity servlet must now include an Accept header with a non-null value. For example:

Accept: */*

If this header is missing or has a null value, the servlet returns a 500 error code. This requirement affects /view/server-info and any other custom pages hosted by the Velocity servlet.

Removed the sync-pipe-view tool

Info DS-49737 PingDataSync

We removed the sync-pipe-view command-line tool, which was deprecated in a previous release.

Previous Releases

Learn more about enhancements and issues resolved in previous major and minor releases of PingDirectory products using the following links: