Paris Identity Management User Group (March 21st 2007)

Last week a Sun Identity Management User Group meeting was held in Paris. The attendance was really good, and in fact exceeded the room capacity as several customers turned out without pre-registering. I was really impressed by the diversity of customers, and the fact that they were coming from all over Europe (Czech republic, Slovakia, Lithuania, Poland, Greece, Italy, Portugal, Germany, Netherlands, Belgium, UK, France, …).

The Identity Marketing team came in force with Andy Land, Don Bowen and Etienne Remillon (left to right).

Identity Management Marketing Team

Etienne, Directory Senior product manager, presented Directory Server Enterprise Edition 6.0 and demoed the new graphical console: Directory Service Control Center, and Virtual Directory Server.

Overall it was a good day of interaction with our customers, trying to understand their needs and their issues with our identity management products. If you’re a Sun customer, using Directory Server or other Sun Identity product, I would strongly encourage you to participate. Your feedback is important for us.

Question and Answers

Winter is still here at the Grenoble Engineering Center

Last week, flowers and trees were blossoming and we thought the spring had arrived. But the winter reminded us yesterday that it was not over yet. It snowed yesterday and today in Grenoble (even down in the valley for the first time this year).

This morning we woke up with a couple of inches of snow in the garden, but all the roads were cleared.

Here’s a picture of Grenoble Engineering Center as I arrived in the office this morning. No more snow on the ground, but the mountains around are covered. As the sun is supposed to reappear later this week, it might be a pretty good week-end of skiing 🙂

Grenoble Engineering Center March 20th 2007

Directory Server and advanced certificate management

Directory Server 6.0 introduced many changes in its administration tools: a new GUI, new CLIs such as dsconf and dsadm.

dsadm has a set of commands to do certificate management for directory server instances, such as requesting new certificates, listing certificates, and adding certificates. This feature was added in Directory Server 6 because certutil, the utility shipped with the NSS library, is not officially supported.

The dsadm utility does the job in most cases, but there are some known limitations, such as no support for the subjectAltName extension. For those advanced use cases, the workaround is to use certutil (at your own risk).

One big difference between dsadm and certutil is how the certificate store password is handled. By default, the password is unknown to the administrators and is managed through a file. certutil requires the password to be known.

To change the default password and be able to use certutil, run the following command as root or as the owner of the directory server instance:

>  /opt/SUNWdsee/ds6/bin/dsadm set-flags /local/demo/dstest cert-pwd-prompt=on
Choose the new certificate database password:
Confirm the new certificate database password:
Certificate database password successfully updated.

From then on, you will be able to run "certutil -d /local/demo/dstest/alias -P slapd- …" with the appropriate options.

When you’re done, you can store the password again in a text file for use by dsadm or Directory Server at restart with the following command:

>  /opt/SUNWdsee/ds6/bin/dsadm set-flags /local/demo/dstest cert-pwd-prompt=off
Enter the certificate database password:
Certificate database password has been successfully stored.

Directory bigots in a lively conversation…

My boss Steve Shoaff, Director of Engineering for Directory, and Don Bowen, Distinguished Marketing Director, are discussing the new release of Directory Server Enterprise Edition in a lively and passionate Identity Management Buzz podcast.

Listen to this episode of the podcast.

You will understand why I really enjoy working with these two bright guys and the rest of the team.

DSEE 6.0 CLI made easier for /bin/bash users

Mark has published several posts on the new Directory Server Enterprise Edition CLI: dsadm, dsconf for Directory Server and dpadm, dpconf for Directory Proxy Server [1][2][3][4][5].

Here’s a little trick to facilitate the use of the command line utilities, at least when using /bin/bash.

dsconf --help lists all available sub-commands, plus a few messages. The first command extracts the list of sub-commands and stores it in a variable.

ludo:bin > DSC=`dsconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`

Then we define the list of words to use for completion for the dsconf tool.

ludo:bin > complete -W "`echo $DSC`" dsconf

Then we check that the command now has a proper completion word list.

ludo:bin > complete -p dsconf
complete -W 'accord-repl-agmt change-repl-dest create-encrypted-attr
create-index create-plugin create-repl-agmt create-repl-priority
create-suffix delete-encrypted-attr delete-index delete-plugin
delete-repl-agmt delete-repl-priority delete-suffix demote-repl
disable-plugin disable-repl disable-repl-agmt enable-plugin enable-repl
enable-repl-agmt get-index-prop get-log-prop get-plugin-prop
get-repl-agmt-prop get-server-prop get-suffix-prop help-properties
init-repl-dest list-encrypted-attrs list-indexes list-plugins
list-repl-agmts list-repl-priorities list-suffixes promote-repl
pwd-compat rotate-log-now set-index-prop set-log-prop set-plugin-prop
set-repl-agmt-prop set-server-prop set-suffix-prop
show-repl-agmt-status show-task-status update-repl-dest-now' dsconf

Use is very simple: type a few characters, hit the [TAB] key, and the command will complete if possible. Hitting [TAB][TAB] will show all available possibilities.

ludo:bin > dsconf create-[TAB][TAB]
create-encrypted-attr  create-plugin          create-repl-priority
create-index           create-repl-agmt       create-suffix
ludo:bin > dsconf create-

The same commands can also work for Directory Proxy Server’s tool: dpconf.

ludo:bin > DPC=`dpconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`
ludo:bin > complete -W "`echo $DPC`" dpconf
ludo:bin > complete -p dpconf
complete -W 'add-jdbc-attr add-virtual-transformation
attach-jdbc-data-source attach-ldap-data-source
create-connection-handler create-custom-search-size-limit
create-jdbc-data-source create-jdbc-data-source-pool
create-jdbc-data-view create-jdbc-object-class create-jdbc-table
create-join-data-view create-ldap-data-source
create-ldap-data-source-pool create-ldap-data-view
create-ldif-data-view create-request-filtering-policy
create-resource-limits-policy create-search-data-hiding-rule
create-user-mapping delete-connection-handler
delete-custom-search-size-limit delete-jdbc-data-source
delete-jdbc-data-source-pool delete-jdbc-data-view
delete-jdbc-object-class delete-jdbc-table delete-join-data-view
delete-ldap-data-source delete-ldap-data-source-pool
delete-ldap-data-view delete-ldif-data-view
delete-request-filtering-policy delete-resource-limits-policy
delete-search-data-hiding-rule delete-user-mapping
detach-jdbc-data-source detach-ldap-data-source get-access-log-prop
get-attached-ldap-data-source-prop get-connection-handler-prop
get-custom-search-size-limit-prop get-error-log-prop get-jdbc-attr-prop
get-jdbc-data-source-pool-prop get-jdbc-data-source-prop
get-jdbc-data-view-prop get-jdbc-object-class-prop get-jdbc-table-prop
get-join-data-view-prop get-ldap-data-source-pool-prop
get-ldap-data-source-prop get-ldap-data-view-prop
get-ldap-listener-prop get-ldaps-listener-prop get-ldif-data-view-prop
get-request-filtering-policy-prop get-resource-limits-policy-prop
get-search-data-hiding-rule-prop get-server-prop get-user-mapping-prop
get-virtual-aci-prop get-virtual-transformation-prop help-properties
list-attached-jdbc-data-sources list-attached-ldap-data-sources
list-connection-handlers list-custom-search-size-limits list-jdbc-attrs
list-jdbc-data-source-pools list-jdbc-data-sources list-jdbc-data-views
list-jdbc-object-classes list-jdbc-tables list-join-data-views
list-ldap-data-source-pools list-ldap-data-sources list-ldap-data-views
list-ldif-data-views list-request-filtering-policies
list-resource-limits-policies list-search-data-hiding-rules
list-user-mappings list-virtual-transformations remove-jdbc-attr
remove-virtual-transformation rotate-log-now set-access-log-prop
set-attached-ldap-data-source-prop set-connection-handler-prop
set-custom-search-size-limit-prop set-error-log-prop set-jdbc-attr-prop
set-jdbc-data-source-pool-prop set-jdbc-data-source-prop
set-jdbc-data-view-prop set-jdbc-object-class-prop set-jdbc-table-prop
set-join-data-view-prop set-ldap-data-source-pool-prop
set-ldap-data-source-prop set-ldap-data-view-prop
set-ldap-listener-prop set-ldaps-listener-prop set-ldif-data-view-prop
set-request-filtering-policy-prop set-resource-limits-policy-prop
set-search-data-hiding-rule-prop set-server-prop set-user-mapping-prop
set-virtual-aci-prop set-virtual-transformation-prop' dpconf
ludo:bin > dpconf set-ldap[TAB][TAB]
set-ldap-data-source-pool-prop  set-ldap-listener-prop
set-ldap-data-source-prop       set-ldaps-listener-prop
set-ldap-data-view-prop
ludo:bin > dpconf set-ldap 

Add the 4 lines below to your .bashrc to have the completion available in your shells and terminals:

DSC=`dsconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`
complete -W "`echo $DSC`" dsconf
DPC=`dpconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`
complete -W "`echo $DPC`" dpconf

Of course, similar commands could be used for dsadm and dpadm as well.
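As an added example that is not part of the original post, here is the same trick packaged as a few portable shell functions covering all four tools, with the sub-command extraction split out so it can be checked on a saved copy of the help output and a prefix filter that mirrors what [TAB][TAB] lists; the function names are my own.

```shell
# Added example: helpers behind the completion trick above (not from the post).

# Read a DSEE CLI "--help" listing on stdin and print the sub-command names:
# the first token of each line, keeping tokens that contain a dash but do not
# start with one (this drops "Usage:" lines and options such as --help).
dsee_subcommands() {
    cut -d' ' -f1 | grep -v '^-' | grep -- '-'
}

# dsee_matches WORDS PREFIX prints the words in WORDS that start with PREFIX,
# which is what the shell shows after "dsconf create-[TAB][TAB]".
dsee_matches() {
    printf '%s\n' $1 | awk -v p="$2" 'index($0, p) == 1'
}

# Register bash completion for one tool. Returns 1 (and registers nothing)
# when the tool is not on PATH, so this is safe to source from any .bashrc.
dsee_register_completion() {
    command -v "$1" >/dev/null 2>&1 || return 1
    words=$("$1" --help 2>/dev/null | dsee_subcommands | tr '\n' ' ')
    complete -W "$words" "$1"
}

# Same treatment for the four DSEE 6.0 command line tools.
for tool in dsadm dsconf dpadm dpconf; do
    dsee_register_completion "$tool" || :
done
```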

Community events in Paris on Wednesday March 21st

Sun Tech Days are coming to Paris on March 19th, 20th and 21st. As part of this event, there will be a GlassFish Community User Group where we will be presenting OpenDS. Alexis has posted the complete agenda of the meeting as well as other ancillary events.

The same day, still in Paris but at the Sun Customer Briefing Center (Av de Iéna), there is an Identity Management User Group. It seems that pre-registration is very successful, but if you’re a Sun customer and are interested in participating, it is still time.

See you in Paris in about 2 weeks.

Directory Server 6 HA with Sun Cluster

Directory Server availability is usually obtained by setting up several instances in a Multi-Master Replication (MMR) topology, but we do also support deployments in a Sun Cluster environment. For the pros and cons of using MMR vs Cluster, you may want to read Neil’s post on the subject.

Before You Start

This cookbook describes how to install Directory Server as a data service for Sun Cluster 3.1 (or higher) on Solaris 9 or 10 systems, for SPARC, x86, and x64 platforms. You install Directory Server from native packages by using the Java ES installer.

You must be familiar with Sun Cluster and Directory Server technology in order to find this cookbook useful. A detailed How-to guide for setting up a 2 node cluster can be found here.

In following the instructions here, you create one resource group per Directory Server instance.

The example assumes that the machines are in the example.com domain. 

To Prepare Sun Cluster

Start by preparing the cluster. Directory Server requires an IP address and also disk space. Configure the disks in failover mode with affinity set to on.

Note: You execute cluster commands scrgadm and scswitch only on one node of the cluster.

  1. /etc/hosts and /etc/nsswitch.conf
    • Make sure the logical host name you intend to use is in /etc/hosts (in this example: sun-ldap).
    • Make sure you have "files" before "nis" or "dns" in /etc/nsswitch.conf:
      hosts:      cluster files nis [NOTFOUND=return]
  2. Disks
    • Make sure the shared disks that are used for the Directory Server instance do not have the global option set. Use the "no logging" option, rather than "yes global,logging", in /etc/vfstab:
      /dev/md/sc1/dsk/d50 /dev/md/sc1/rdsk/d50 /clusteredfs/sunds ufs 2 no logging
  3. umount the disks:
    • umount /clusterdisks/sunds
  4. Create the resource group, and the logical hostname:
    • scrgadm -a -g ds-ldap1
    • scrgadm -a -L -g ds-ldap1 -l sun-ldap
  5. Create and configure the disks (HAStoragePlus in failover mode)
    • scrgadm -a -t SUNW.HAStoragePlus
    • scrgadm -a -j disks -g ds-ldap1 -t SUNW.HAStoragePlus -x FilesystemMountPoints=/clusteredfs/sunds -x AffinityOn=TRUE
  6. Enable the resource group
    • scswitch -Z -g ds-ldap1
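As an added example that is not part of the cookbook, here are shell checks for the /etc/hosts, /etc/nsswitch.conf and /etc/vfstab conditions from steps 1 and 2 above; the function names are my own, and each takes the file to inspect as an argument so it can be run against a constructed sample as well as the real files on a node.

```shell
# Added example (not from the cookbook): pre-flight checks for the
# "To Prepare Sun Cluster" steps. Each function exits 0 when the check passes.

# Step 1: the logical host name (e.g. sun-ldap) must be listed in the hosts file.
check_logical_host() {   # check_logical_host HOSTS_FILE NAME
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit (found ? 0 : 1) }' "$1"
}

# Step 1: "files" must come before "nis" or "dns" on the hosts: line, so the
# logical host name still resolves locally when the name service is unreachable
# during a failover.
check_nsswitch_hosts() {   # check_nsswitch_hosts NSSWITCH_FILE
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files") f = i
                 if (($i == "nis" || $i == "dns") && !n) n = i
             }
             ok = (f && (!n || f < n))
         }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Step 2: the failover file system entry in vfstab must be "no logging"
# (mount-at-boot field "no", options without "global"), not "yes global,logging".
check_vfstab_not_global() {   # check_vfstab_not_global VFSTAB_FILE MOUNTPOINT
    awk -v mp="$2" '$1 !~ /^#/ && $3 == mp {
             seen = 1
             if ($6 == "no" && $7 !~ /global/) ok = 1
         }
         END { exit ((seen && ok) ? 0 : 1) }' "$1"
}
```

On a cluster node the real files are /etc/hosts, /etc/nsswitch.conf and /etc/vfstab; run all three checks on every node before creating the resource group.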

To Install Directory Server With the Java ES Installer

Install Directory Server packages on all nodes of the cluster in their default locations (using the default BASEDIR). Do not use the Java ES installer to create or to configure a Directory Server instance. Instead, use dsadm as described in the section "To Create a Directory Server Instance" of this cookbook.

  1. Install Directory Server on all nodes of the cluster:
    • Use JES installer
    • Install all Directory Server software, including the configuration tools.
    • Do not create an instance. Do not configure anything ("configure later" in the Java ES installer).
    • Install Cluster Agents. (This is a specific checkbox in the installer).

To Create a Directory Server Instance

Create the Directory Server instance on the failover file system. Once created, manage the instance using Sun Cluster commands. Perform this procedure on only one node of the cluster.

  1. Make sure the failover filesystem is mounted on the local node:
    • scswitch -z -g ds-ldap1 -h `uname -n`
  2. Create the Directory Server instance:
    • echo secret12 > /tmp/me/password.txt
    • chmod 700 /tmp/me/password.txt
    • dsadm create -w /tmp/me/password.txt -h sun-ldap.example.com /clusteredfs/sunds/myds
      Notes:
    • The logical hostname must be specified when creating the instance, otherwise the server will use the node name. This name is used for referrals, mostly by the replication feature.
    • If you install DS as a non-root user, you need to specify port numbers higher than 1024 and make sure you have write permissions in /global/sc1/sunds/:
      dsadm create -p 1389 -P 1636 -w /tmp/me/password.txt -h sun-ldap.example.com /clusteredfs/sunds/myds
  3. Make sure the Directory Server instance is properly working:
    • Start the Directory Server instance manually on the node1:
      dsadm start /clusteredfs/sunds/myds
    • Test with an LDAP client to connect to the Directory Server instance:
      ldapsearch -h sun-ldap.example.com -b "" -s base '(objectclass=*)'
    • Stop the Directory Server instance:
      dsadm stop /clusteredfs/sunds/myds
    • Switch the Cluster to the other node:
      scswitch -z -g ds-ldap1 -h node2
    • Start the Directory Server instance manually on the other node:
      dsadm start /clusteredfs/sunds/myds
    • Test with an LDAP client:
      ldapsearch -h sun-ldap.example.com -b "" -s base '(objectclass=*)'
    • Stop the Directory Server instance:
      dsadm stop /clusteredfs/sunds/myds
  4. Enable the newly created Directory Server instance as a Cluster resource:
    • (as root) scrgadm -a -t SUNW.ds6ldap
    • (as root) dsadm enable-service --type CLUSTER /clusteredfs/sunds/myds ds-ldap1
    • Note: The previous command names the resource with a predefined format which is later used to retrieve the DS instance. As a result, any attempt to change the resource name will cause the start and stop commands to fail. Also, dashes and spaces should be avoided in the installation path of the Directory Server instances. These limitations may be removed in future versions of DS 6 and its cluster agent.

  5. Work-around bug 6478568 – Missing dependency on disks in dsadm enable-service --type CLUSTER:
    • scrgadm -c -j ds--clusteredfs-sunds-myds -y Resource_dependencies=disks

To Manage a Directory Server Instance

At this point, only root can stop and start the Directory Server instance, either with the cluster commands (scswitch -e|-n|-z) on any node of the cluster, or with the dsadm command:

  • scswitch -e -j ds--clusteredfs-sunds-myds
  • dsadm start /clusteredfs/sunds/myds