Directory Server 5.2 patch 6…

As Mark already pointed out, Directory Server 5.2 patch 6 is now available either as a full partial download from the Directory Server Enterprise Edition Download page, or in the form of patches from SunSolve.

5.2patch6

115610-25 – AS Solaris Sparc Native

115614-28 – DS Solaris Sparc Native

115611-25 – AS Solaris X86 Native

115615-28 – DS Solaris X86 Native

118079-12 – AS Linux Native

118080-13 – DS Linux Native

121392-04 – DS MSI Windows

121529-03 – AS MSI Windows

121393-03 – DS HPUX Native

121515-03 – AS HPUX Native

117665-05 – Solaris SPARC ZIP

117666-05 – Solaris X86 ZIP

117667-05 – Windows ZIP

117668-05 – Linux ZIP

117669-05 – HPUX ZIP

117670-05 – AIX ZIP

Release notes :

Patch6 Release Notes

Update on October 1st 2007: I stand corrected, DS5.2patch6 is only available as a patch. On the download page, there is also a link to the most recent FULL package on which to apply the patches.


DSEE 6.2

Sun Java System Directory Server Enterprise Edition 6.2 was released with Sun Java Enterprise System 5 Update 1 about two weeks ago.

Now the full install and the Zip archives can be downloaded from the DSEE Download page.

On a side note, it has been reported a couple of times that Directory Server failed to restart after installing the 6.2 patch. It seems to be linked to a specific hot-fix having been applied to the Directory Server binaries prior to installing the 6.2 patch. If you have applied a hot-fix to DS 6 and want to install the DS 6.2 patches, make sure that in the /opt/SUNWdsee/ds6/lib and /opt/SUNWdsee/ds6/lib/sparcv9 directories, libslapd.so is a symbolic link to libslapd.so.1 (and that the latter is in fact the real dynamic library).
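The check described above can be scripted before applying the patch. This is an added example, not part of the original post or of the product; the function names are hypothetical, and `ls -ld` is parsed instead of calling readlink(1) so that it does not depend on that utility being installed.

```shell
#!/bin/sh
# check_libslapd DIR: succeed only if DIR/libslapd.so is a symbolic link to
# libslapd.so.1 and libslapd.so.1 is a regular file (the real library).
check_libslapd() {
    dir=$1
    link=$dir/libslapd.so
    real=$dir/libslapd.so.1
    if [ ! -h "$link" ]; then
        echo "$link: not a symbolic link"; return 1
    fi
    # Read the link target from the long listing ("name -> target").
    target=$(ls -ld "$link" | sed 's/.* -> //')
    case $target in
        libslapd.so.1|"$real") ;;
        *) echo "$link: points to $target"; return 1 ;;
    esac
    if [ -h "$real" ] || [ ! -f "$real" ]; then
        echo "$real: not a regular file"; return 1
    fi
    echo "$dir: ok"
}

# Check every directory given; return non-zero if any of them fails.
check_all() {
    rc=0
    for d in "$@"; do
        check_libslapd "$d" || rc=1
    done
    return $rc
}

# On an installed system, with the paths from the post:
#   check_all /opt/SUNWdsee/ds6/lib /opt/SUNWdsee/ds6/lib/sparcv9
```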

Enjoy !


Directory Server 6.1 and Unix Crypt…

Sun Java System Directory Server has supported for many years the ability to hash the userPassword attribute with the crypt(3C) algorithm.

But the crypt function has evolved from the basic standard Unix crypt algorithm (which truncates passwords to 8 characters) to support MD5, Blowfish and other stronger algorithms.

Until Directory Server 6.1, there was very limited support for those algorithms (it happened that a password hashed with MD5 – outside DS – could be used for authentication, but the server itself would never hash a password this way).

Starting with Directory Server 6.1, there is now a way to tune the CRYPT password storage plugin to specify which crypt algorithm to use, and on Solaris only, it is even possible to delegate the choice of algorithm to the OS via the /etc/security/policy.conf (and the CRYPT_DEFAULT directive).

The way to configure which algorithm is used by the crypt library when hashing a userPassword to store in Directory Server is to add an argument to the "CRYPT password storage" plugin configuration entry.

# dsconf set-plugin-prop CRYPT argument:<Pattern>



where <Pattern> is a choice of (but not limited to):



%.2s – Default unix crypt algorithm (and the default when no argument is defined)

$1$%.8s – bsd md5

$2a$04$%.22s – Blowfish

$md5$%.8s$ – Sun md5

If <Pattern> maps to an algorithm that is not supported by the OS (for example $2$, old variants of blowfish), then a warning message is logged and the hash will be done using the default Unix algorithm.

This guarantees that the password is always hashed even if the configured salt does not match an existing algorithm.

On Solaris only, a special value of "auto" is allowed to specify that CRYPT will use the system’s default mechanism, as configured in /etc/security/policy.conf.

Notes:

  • Changing the plugin configuration requires a restart of Directory Server to be taken into account.
  • You should use this new capability carefully, especially in a heterogeneous and replicated environment where some algorithms might not be present or enabled.
  • Make sure that CRYPT is the password Storage mechanism defined in the Password Policy configuration (the default is SSHA).

Example:

> dsconf set-plugin-prop -p 1389 CRYPT 'argument=$md5$%.8s$'

Enter "cn=Directory Manager" password:

Directory Server must be restarted for changes to take effect.

> dsadm restart /local/demo/ds

> dsconf get-plugin-prop -p 1389 CRYPT

Enter "cn=Directory Manager" password:

argument : $md5$%.8s$

depends-on-named :

depends-on-type :

desc : Unix crypt algorithm (CRYPT)

enabled : on

feature : crypt-password-storage-scheme

init-func : crypt_pwd_storage_scheme_init

lib-path : /opt/SUNWdsee/ds6/lib/pwdstorage-plugin.so

type : pwdstoragescheme

vendor : Sun Microsystems, Inc.

version : 6.2

>
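Because an unsupported pattern falls back to the default Unix algorithm, it is worth confirming which crypt variant the stored hashes actually use once passwords have been changed. The following is an added example, not from the original post or the product: it assumes userPassword values exported as clear-text LDIF with a {CRYPT} prefix, and that <Pattern> is a printf-style salt template; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Assumption: <Pattern> is a printf-style template filled with random salt
# characters, so '%.8s' keeps the first 8 of them.
salt_from_pattern() { printf "$1" "$2"; }

# Map a stored userPassword value to the crypt variant behind it, using the
# prefixes from the <Pattern> list in the post.
crypt_scheme() {
    case $1 in
        '{CRYPT}'*|'{crypt}'*) hash=${1#*\}} ;;
        *) echo not-crypt; return 0 ;;
    esac
    case $hash in
        '$md5$'*) echo sun-md5 ;;
        '$1$'*)   echo bsd-md5 ;;
        '$2a$'*)  echo blowfish ;;
        '$'*)     echo unknown ;;
        # Traditional crypt output: 2 salt characters + 11 hash characters.
        *) [ "${#hash}" -eq 13 ] && echo unix-crypt || echo unknown ;;
    esac
}

# Read LDIF on stdin; print "dn<TAB>scheme" for every entry whose hash was
# not produced by the expected scheme (for example a fallback to unix-crypt).
audit_ldif() {
    expected=$1 dn=
    while IFS= read -r line; do
        case $line in
            'dn: '*) dn=${line#dn: } ;;
            'userPassword: '*)
                scheme=$(crypt_scheme "${line#userPassword: }")
                [ "$scheme" = "$expected" ] || printf '%s\t%s\n' "$dn" "$scheme" ;;
        esac
    done
}

# Constructed sample export; the hash bodies are placeholders, not real hashes.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {CRYPT}$md5$abcdefgh$PLACEHOLDERHASHBODY000

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {CRYPT}abPLACEHOLDER

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {SSHA}PLACEHOLDER
EOF
}
```

Running `sample_ldif | audit_ldif sun-md5` lists bob (traditional crypt) and carol (not hashed with CRYPT at all), which are the two situations the notes above warn about.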


Glassfish v2 and Directory Services… with OpenDS

While on the same subject of the interaction between Glassfish and directory servers, Trey Drake posted a few months ago details on how to integrate OpenDS and Glassfish for authentication and authorization.

But there are other ways to leverage OpenDS and Glassfish. As OpenDS is a pure Java application, it can be embedded in other Java applications or web applications, running in the same JVM. And with its built-in multi-master replication, OpenDS can provide high availability for users and groups within a cluster of Sun Java System Application Servers.


Glassfish v2 and Directory Services…

Glassfish v2 and its companion Sun branded product Sun Java System Application Server 9.1 are being released today, delivering enterprise grade application servers.

Glassfish and Sun Directory Server Enterprise Edition have been playing well with each other for a long time now.

On one side, Glassfish v2 delivers by default an LDAP realm allowing centralization of Users and Groups into Sun Directory Server, integrating the application server with enterprises identity management solutions.

On the other side, Directory Server Enterprise Edition 6.x contains a couple of web applications (the Directory Service Control Center and Directory Editor) that can be easily deployed in Glassfish v2. The following blog posts are providing the details:


DSCC deployed as war file for a Java ES Install…

The main feature of Directory Server Enterprise Edition 6.1 is the ability to deploy the Console GUI from a WAR file in your favorite Application Server (a choice of Sun App Server or Tomcat 5.5).

In a previous post, I demonstrated how to do this with a Zip installation of DSEE. Here I explain how to obtain and install the DSCC WAR file for a Java Enterprise System installation (also known as the Native package installation: depending on the OS, either SVR4 packages, RPMs, Depot or MSI).

Because packages are providing a greater integration with Solaris system features, most of the commands must be run as "root" (or "Administrator" for Windows).

Once you have installed Directory Server Enterprise Edition 6.1 or 6.2, the console is probably already registered in Sun Web Console. You can leave it as is, or you can un-configure it using dsccsetup:

# pwd

/opt/SUNWdsee/dscc6/bin

# dsccsetup console-unreg

Unregistering DSCC Application from Sun Java(TM) Web Console…

This operation is going to stop Sun Java(TM) Web Console.

Do you want to continue ? [y,n] y

Stopping Sun Java(TM) Web Console…

Unregistration is on-going. Please wait…

/var/opt/SUNWdsee/dscc6/dcc has not been removed

DSCC Application has been unregistered from Sun Java(TM) Web Console

Restarting Sun Java(TM) Web Console

Please wait : this may take several seconds…

Sun Java(TM) Web Console restarted successfully

Now you can check the status, and it should look like this.

# dsccsetup status

***

DSCC Application is not registered in Sun Java (TM) Web Console

***

DSCC Agent is registered in Cacao

***

DSCC Registry has been created

Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads

Port of DSCC registry is 3998

***

To generate the DSCC war file, use the following command (note that this command is undocumented and unsupported for the time being. Still it works and produces the ).

# dsccsetup war-file-create /tmp/dscc.war

# ls -la /tmp/dscc.war

-rw-r--r-- 1 root root 7303074 Jul 9 14:33 /tmp/dscc.war

You can now deploy the WAR file in your favorite Application Server, and follow the instructions for the zip deployment. There is one pitfall though. Because DSEE and DSCC are installed as root, and so is the DSCC Registry, the WAR file should be deployed in an Application Server which has the ability to run commands with root privileges. Otherwise, DSCC will not be able to access its registry and thus will not start properly.


LDAPCon is over

The 1st International LDAP Conference ended on Friday afternoon. I had to leave a little early to catch my plane, and didn’t have the time to post the latest update. So here it is.

During the afternoon, Abdi Mohamadi (Sun) presented design and deployment considerations for scaling directories, Kostas Kalevras explained how the Greek School Network centralized all LDAP data creation and modification through Web services, and Felix Gaehtgens from Symlabs presented, in a fast and lively talk, some best practices for building LDAP-based applications.

Overall it was a great conference, with interesting presentations and numerous long passionate bar discussions.

A toast to LDAP

Above, members of 3 open-source Directory Server projects (OpenDS, OpenLDAP, Apache DS) raise their glasses in a toast to the LDAP community.

More photos


Apache Directory Server, Stored Procedures and Triggers for LDAP.

Ersin Er from the Apache Software Foundation presented his experiments with Stored Procedures in LDAP and how they are used with Triggers.

Stored Procedures are code (Java bytecode) stored in LDAP objects and executed through a generic LDAP Extended request that passes parameters and returns results and values.

Triggers specify an event, action, time and a scope in a single attribute definition, and leverage stored procedures for actions. Events are predefined, and triggers are run within an Administration domain (Subtree Specification). Pretty neat! I think this is not a new idea, but it looks like a simplification in the use of the plugins and tasks that exist in Sun Directory Server and OpenDS. There might be value in a common representation of such LDAP directory server extensions, but I’m afraid this will not lead to better interoperability as Stored Procedures will be very specific to each implementation.


LDAPCon – Day 2

I’ve noticed that Jan-Piet Mens is also blogging live from LDAPCon. And yet we had a good evening with lively and hilarious discussions between the OpenLDAP, OpenDS, Isode, ApacheDS developers.

Steven Legg (eB2Bcom.com) presented his work on XML enabled Directories, also known as XLDAP. Most of the work on the protocol and data model has been conducted through the IETF. So far Steven has been the only one to produce an implementation. It’s not really surprising: one needs to be an expert in both LDAP and XML processing to get an idea of what XLDAP is. But I recently got a question indirectly from a customer about XLDAP and whether we had any plan to implement it. Could it be that XLDAP is starting to raise interest?

Andre Posner from Sun showed the use cases and added value of Sun Directory Proxy Server 6.x for security, availability, integration of different Directory Servers, migration of services.


LDAPCon day 1, afternoon

It was a long afternoon at the LDAPCon with presentations until nearly 8pm. Thanks to the organizers it was followed by a social event with food and free drinks. A good occasion to relax, taste the local beer, recall the old LDAP stories and redo the world until exhaustion of fuel :-).

Frank Tröger presented his work on a Reference Schema for Identity Management, searching, sorting and linking all of the LDAP schema that have been defined in that area (with a focus on higher education).

Daniel Pluta from Munich University of Technology talked about Access controls for Group and Role management.

Giovanni Baruzzi from Syntlogo presented his thoughts on Designing a Directory Tree. In a nutshell, keep it simple:

"As flat as possible, as deep as needed"

Hilla Reynolds, Director of Development at CA revealed in a very animated and humorous presentation her secrets for a "Seamless Directory Backbone service": Standards, distribution, failover… Applications access front-ends that deal with the real sources of information.

Other sessions I did not attend (split sessions) included a presentation of the Apache Directory Studio (formerly known as LDAP studio). Impressive tool and progress since I last downloaded it. And a presentation on Spring LDAP.


Directory Server Enterprise Edition 6.2…

DSEE 6.2 is out.

It has been released as part of Java Enterprise System 5 Update 1.

The patches are in the process of being made available through SunSolve.

Here’s a quick overview of the patch numbers

126748-02 Solaris9-sparc, Solaris10-sparc

126749-02 Solaris9-x86

126750-02 Solaris10-x86, Solaris10-AMD64

126751-02 Red Hat Enterprise Linux AS 3 UP4, Red Hat Enterprise Linux AS 4 UP2, SuSE 9UP3

126753-02 Windows 2000 AS SP4, Windows 2003 EE/SE SP2 (32&64-bits), Windows XP

The full download will soon be available from the DSEE Download page.

As Deepak already mentioned, the Documentation has been published.

DSEE 6.2 is mostly a bug fix release that aligns with the other Java ES products and components, but it also contains one specific performance improvement.

Enjoy !


Live from LDAPCon (Cologne)

I’m now in Cologne Germany participating in the 1st International LDAP Conference.

This morning, Kurt Zeilenga (Isode) started the conference with a Directory Standards Report, presenting the history of Directory Standards, LDAPv3 status and the current on-going effort.

I then presented the OpenDS project, the rationale behind the project and its goals (I’ll make the preso available later).

After lunch, Howard Chu (Symas, Chief Architect for OpenLDAP) introduced his talk with his traditional fiddle play and then presented the OpenLDAP 2.4 server. I must say that I’ve been impressed by the list of enhancements introduced such as N-way MultiMaster Replication.

Alex Karasulu (Apache Directory Project) presented his view of the LDAP community and his vision for the Apache Directory Server: a playground for experimentation and bridging LDAP and RDBMs.

More after the break.

Update on Sep. 10 2007.

Kurt’s presentation was posted on Isode blog.


Back but busy…

I haven’t been updating this place since my return from vacation.

I’ve been quite busy, mostly preparing the presentation for the 1st International LDAPv3 Conference.

I’m about to head to the airport and will try to post some details of the conference from Cologne (Germany).

There are a few other news items in the pipe regarding Java ES 5 Update 1 availability, and thus Directory Server Enterprise Edition 6.2.

More in the coming days…
