This week I stumbled upon this presentation given by Pieter Baele, about the integration of Linux, Microsoft AD and OpenDJ, to build a secure, efficient enterprise naming and security service.
The presentation covers the different solutions for providing integrated authentication and naming services for Linux and Windows, and describes in more depth one built with OpenDJ. Overall, it has very good information for system administrators who need to address this kind of integration between the Linux and the Windows worlds.
In addition to our presence in the coworking space during the 2 days, Lasse Andresen, CTO of ForgeRock, will lead a workshop with ARM and Schneider on the place of Identity in the Internet of Things, on Wednesday the 8th at 1:30 pm.
Don’t hesitate to come and visit us in the coworking space.
Meet the Security and Identity rockstars and thought leaders at The Identity Summit, May 27-29th 2015 !
In addition to the two full days of sessions, this year at The Identity Summit, all ForgeRock customers are invited to participate in a pre-event community day where you will be able to interact with ForgeRock product development and other customers.
The event will take place at the Ritz in Half Moon Bay, California.
Register today. Sign-up for the customer user group is part of The Identity Summit registration process. Make sure to add the Customer User Group as an “Additional Item” before submitting your information.
The call for speakers is open until April 13th.
At ForgeRock, I have multiple reasons to enjoy what I do. I have the responsibility for two products: OpenDJ, the LDAP directory services, and OpenIG, the Identity Gateway, and I also manage the French subsidiary. But what really gets me excited in the morning is that I get to work with very smart and passionate people!
Jean-Noël, one of the engineers of the OpenDJ development team, has a passion for beautiful code and he loves refactoring and cleaning up existing code. In his personal time, he started to automate his process in Eclipse, then turned it into an Eclipse plugin, and finally made the code available as an open source project: AutoRefactor. Now, in the office, most of the engineers using Eclipse are also using the AutoRefactor plugin.
So when Jean-Noël got to present his work at our local Java User Group (the AlpesJUG), the rest of the team went along and supported him. As one of the other engineers has a passion for photography (which I share), the result is this amazing picture gallery and set of souvenirs for everyone:
PS: It also helps that we are working in a great environment where we can afford to do this (from time to time) during our lunch break!
Many years ago, when I started working on LDAP directory services, we needed to have some auditing of the operations occurring on the server. So, the server had an “Access” log which contained a message when an operation was received, and one when it was returned to the client, which included the processing time on the server side (the etime parameter). On Netscape and Sun directory servers, the etime was measured in seconds. This format allowed us to detect requests that were taking a long time, or were started but not finished.
In OpenDJ, we switched the etime resolution to milliseconds, but there’s an option to set it to nanoseconds. Yet, with millisecond resolution, there are still a number of log entries with an etime value of 0. The truth is that the server is faster, but so are the machines and processors.
At a rate of 50 000 operations per second (which can easily be sustained on my laptop), having two messages per operation does generate a lot of data to write to disk. That’s why we have introduced a new audit log format, not well advertised I must say, in OpenDJ 2.6.0. To enable the new format, use the following dsconfig command:
dsconfig set-log-publisher-prop -h localhost -p 4444 -X -n \
  -D "cn=directory manager" -w password \
  --publisher-name File-Based\ Access\ Logger --set log-format:combined
And now, instead of having 2 lines per operation, there is a single one. Before:
[23/Feb/2015:08:56:31 +0100] SEARCH REQ conn=0 op=4 msgID=5 base="cn=File-Based Access Logger,cn=Loggers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="1.1"
[23/Feb/2015:08:56:31 +0100] SEARCH RES conn=0 op=4 msgID=5 result=0 nentries=1 etime=0
[23/Feb/2015:08:56:31 +0100] SEARCH REQ conn=0 op=5 msgID=6 base="cn=File-Based Access Logger,cn=Loggers,cn=config" scope=baseObject filter="(objectClass=*)" attrs="objectclass"
[23/Feb/2015:08:56:31 +0100] SEARCH RES conn=0 op=5 msgID=6 result=0 nentries=1 etime=0
After, in combined mode:
[23/Feb/2015:13:00:28 +0100] SEARCH conn=48 op=8215 msgID=8216 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=user.1)" attrs="ALL" result=0 nentries=1 etime=0
[23/Feb/2015:13:00:28 +0100] SEARCH conn=60 op=10096 msgID=10097 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=user.6)" attrs="ALL" result=0 nentries=1 etime=0
The benefits of enabling the combined log format are multiple. Less data is written to disk for each operation and fewer I/O operations are involved, resulting in overall better throughput for the server. And it allows keeping a longer history of operations with the same volume of log files.
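For auditing, both formats can be read by one parser. The following is an added example, not code from OpenDJ or from the original post: it parses REQ/RES and combined records, pairs REQ with RES on (conn, op), and reports slow and unfinished operations. The sample lines are constructed, and the 1000 ms threshold and function names are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: two-line (REQ/RES) and combined records modelled on the
# excerpts above. op=5 has no RES line; the last record has a large etime.
SAMPLE = """\
[23/Feb/2015:08:56:31 +0100] SEARCH REQ conn=0 op=4 msgID=5 base="cn=config" scope=baseObject filter="(objectClass=*)" attrs="1.1"
[23/Feb/2015:08:56:31 +0100] SEARCH RES conn=0 op=4 msgID=5 result=0 nentries=1 etime=0
[23/Feb/2015:08:56:32 +0100] SEARCH REQ conn=0 op=5 msgID=6 base="dc=example,dc=com" scope=wholeSubtree filter="(cn=*a b*)" attrs="ALL"
[23/Feb/2015:13:00:28 +0100] SEARCH conn=48 op=8215 msgID=8216 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=user.1)" attrs="ALL" result=0 nentries=1 etime=1200
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+)(?: (?P<phase>REQ|RES))? (?P<rest>.*)$')
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
Record = namedtuple("Record", "ts op phase fields")


def parse_line(line):
    """Parse one access log line in either format; None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in PAIR.findall(m["rest"])}
    return Record(m["ts"], m["op"], m["phase"], fields)


def audit(lines, slow_ms=1000):
    """Return (completed, slow, unfinished) for mixed-format log lines.

    etime is assumed to be in milliseconds (the default resolution).
    """
    pending, completed = {}, []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec.fields.get("conn"), rec.fields.get("op"))
        if rec.phase == "REQ":
            pending[key] = rec
        elif rec.phase == "RES":
            req = pending.pop(key, None)
            merged = dict(req.fields if req else {}, **rec.fields)
            completed.append(Record(rec.ts, rec.op, None, merged))
        elif "etime" in rec.fields:
            # Combined record: carries result and etime, so already complete.
            completed.append(rec)
    slow = [r for r in completed if int(r.fields.get("etime", 0)) >= slow_ms]
    return completed, slow, list(pending.values())
```

Because a combined record already contains result and etime, an operation that was started but has not finished only shows up as an unmatched REQ in the two-line format.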
Do you think that OpenDJ 3.0 access log files should use the combined format by default ?
Today marks the 5-year anniversary of ForgeRock !
5 years and the company counts over 250 employees, over 500 customers, and more than half a billion identities protected by our ForgeRock Identity Stack ! By the way, this is just the beginning… Feeling like you want to be part of it ? We’re growing and hiring !
I do remember celebrating the 1st anniversary, with less than 20 people and a cake, in a small hotel south of Portugal…
What an amazing journey ! Thanks Hermann, Jonathan, Lasse, Steve and Victor for bootstrapping the company and giving us the opportunity to join, work hard and have fun ! Happy anniversary to the 5 of you !
OpenDJ, the LDAP directory services in Java, is supported on multiple platforms and has been for many years. We’re testing on Linux, Windows, Solaris, Mac OS X, but also different JVMs: Oracle JRE, OpenJDK, Azul Zulu, IBM JVM…
With OpenDJ 2.6, we’ve made it easier for people to install it on Linux machines by providing RPM and Debian packages.
We are now also providing an MSI package to ease the installation and removal on Windows machines. The MSI package is available for nightly builds here.