Directory Masters will meet again this year…

As last year, Directory Experts from all over the world will meet again in the Grenoble Engineering Center, France, on April 1st – 2nd, 2009, and later in the Sun facilities in Somerset, NJ, USA, on April 29th – 30th, 2009.

The Directory Masters Event brings together a highly technical community of experts in the Directory space to share product knowledge and best practices, enabling sales and deployments of the Sun Directory Server Enterprise Edition and Sun OpenDS Standard Edition products. This event is open to Sun employees and Sun partners, more specifically to those in Pre-Sales, Sales and Service Delivery who are involved in the design, architecture and deployment of large or mission-critical Directory services solutions.

During the two-day event, experts will present and discuss the Sun Directory Services roadmap, the new features of DSEE 7.0, the present and future of OpenDS, best practices, experience reports and much more.

The event is free of charge but seating is limited. So if you’re interested, eligible and not registered yet, do it now!

Send an email to dirMasters09 at sun dot com indicating your name, title, company and/or organization and, of course, which event you would like to participate in.

Location Details

  • Event Date: April 1-2, 2009
    Location: Grenoble, France
    Address: Sun Microsystems, Grenoble Engineering Center, 180 Avenue de l’Europe, Inovallee, 38334 Montbonnot cedex

  • Event Date: April 29-30, 2009
    Location: Somerset, NJ, USA
    Address: Sun Microsystems Inc., 400 Atrium Drive, Somerset, NJ 08873



Introducing Matthew Swift, Lead developer for OpenDS Core

Matthew Swift, the lead developer for the core server of the OpenDS project, has started a blog, and his first post is already hitting a home run.

With illustrations and details, he explains the work he and his teammate Bo Li have done in the past couple of months, committed to the trunk of the project last Thursday, resulting in an impressive gain in both performance and reliability for the OpenDS server.

You can find even more details in the email he posted to the OpenDS developer mailing list.

Nice work Matt, keep posting on your blog but, most importantly, keep bringing incredible features to the OpenDS project.


OpenDS 1.2.0 has been released

The OpenDS development team is very pleased to announce the release of OpenDS 1.2.0, a new important milestone for the OpenDS project.

OpenDS 1.2.0 is a minor release of the OpenDS project, but it contains several new features and many enhancements.

You can find on the OpenDS 1.2 documentation site a detailed summary of features, enhancements and fixes since the OpenDS 1.0 release, but here are some highlights:

  • A graphical control panel that enables basic server and data administration is available and replaces the OpenDS 1.0 status panel
  • An administration connector manages all administration-related traffic to the server. By separating user operations from administration operations, the administration connector ensures a better quality of service and simplifies logging and monitoring
  • Connections can be secured and encrypted with SASL mechanisms
  • The access control mechanism has been enhanced to control access based on the security level of the connection
  • The ;binary transfer option is now supported
  • Standard schema files related to the Solaris and OpenSolaris LDAP naming services are provided by default
  • Setup and tools provide enhanced support for the JCEKS keystore and alternate security providers

OpenDS 1.2.0 will be available in the OpenSolaris IPS package repository shortly, with extensive support for SMF and RBAC.

The documentation for OpenDS 1.2.0 is located on

For more information about OpenDS 1.2.0, please check the release notes.

And don’t forget to join the OpenDS project and its mailing lists for more information and more interaction with its community.


LDAP Referential Integrity

A thread of discussion on the subject of LDAP and referential integrity has surfaced this week. It started with James McGovern:

I also asked the question on how come there is no innovation in LDAP and was curious why no one is working towards standards that will allow for integration with XACML and SPML. I would be happy if the OpenDS or OpenLDAP communities figured out more basic things like incorporating referential integrity.

Pat Patterson pointed out that OpenDS and OpenLDAP have support for referential integrity, and so has Sun Directory Server for the last decade:

For some reason, James has a bee in his bonnet over referential integrity and LDAP. I’m really not sure where he’s coming from here – both OpenDS and OpenLDAP offer referential integrity (OpenDS ref int doc, OpenLDAP ref int doc), and Sun Directory Server has offered it for years (Sun Directory Server ref int doc). Does this answer your question, James, or am I missing something?

Bavo De Ridder thinks that the so-called referential integrity is not integrity:

So it seems that Sun Directory Service lets you delete a user but it promises to make sure that it will do its very best to delete any references to this user within an “update interval”.

This is partially true. Sun Directory Server can be configured to run the referential integrity processing immediately, in the same thread as the original delete operation. Even then it runs as a post-operation plug-in, i.e. after the result has been returned to the client application.

Bavo continues:

It does not mention what a read after the deletion but before the plug-in kicks in will see. Will it still see the user as a member in a group although the user is deleted? I am pretty sure it does. This is of course, at least for me, enough proof that this functionality does not offer referential integrity. At best it offers some kind of deferred cascading deletes (or updates) with no semantics for reads done during the time interval between the original operation and these cascaded deletes and updates.

True. It does.

And I think we can argue about the notion of "referential integrity". It is true that this kind of server does not offer "transactional referential integrity", but it does the self-tidying that removes dangling references, which helps and simplifies applications. It is also worth mentioning that if an LDAP application had to maintain referential integrity itself (i.e. remove dangling references), it could not do so in a single transaction, as there is no transaction mechanism in the LDAP protocol.
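The read-after-delete window Bavo describes is easy to see in a toy model. The following Python is an added illustration, not code from Sun Directory Server or OpenDS: it keeps a directory as a dict of entries, runs reference clean-up as a post-operation step that fires either immediately or after a deferred "update interval", and shows that a read landing between the delete result and the clean-up still lists the deleted DN as a group member. The DNs, the group and the uniqueMember attribute are constructed sample data.

```python
"""Toy model of referential integrity as an LDAP post-operation plug-in.

Added illustration, not code from Sun Directory Server or OpenDS. The
directory is a dict of DN -> {attribute: set(values)}; the DNs, the group and
the "uniqueMember" attribute are constructed sample data. It demonstrates
that because reference clean-up runs after the delete result is committed,
a read between the delete and the clean-up still sees the deleted DN as a
member: deferred cascading deletes, not transactional referential integrity.
"""
from dataclasses import dataclass, field

USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"    # constructed sample DN
GROUP_DN = "cn=admins,ou=groups,dc=example,dc=com"  # constructed sample DN
MEMBER_ATTR = "uniqueMember"


@dataclass
class ToyDirectory:
    entries: dict = field(default_factory=dict)
    # Deleted DNs waiting for the referential-integrity post-op plug-in.
    pending: list = field(default_factory=list)

    def add(self, dn, attrs):
        self.entries[dn] = {name: set(values) for name, values in attrs.items()}

    def search(self, dn, attr):
        """What a client reading the entry sees at this instant."""
        return set(self.entries.get(dn, {}).get(attr, ()))

    def delete(self, dn, immediate=False):
        """The LDAP delete operation.

        The result is committed first; the plug-in then either runs in the
        same thread (immediate=True) or waits for the next update interval
        (immediate=False). Either way the clean-up is post-operation.
        """
        del self.entries[dn]
        result = "success"          # this is what the client receives
        self.pending.append(dn)
        if immediate:
            self.run_referential_integrity()
        return result

    def run_referential_integrity(self):
        """Strip every MEMBER_ATTR value that names a deleted DN."""
        while self.pending:
            gone = self.pending.pop(0)
            for entry in self.entries.values():
                entry.get(MEMBER_ATTR, set()).discard(gone)

    def dangling_references(self):
        """Audit check: member values naming DNs that no longer exist."""
        return sorted(
            (dn, value)
            for dn, entry in self.entries.items()
            for value in entry.get(MEMBER_ATTR, ())
            if value not in self.entries
        )


def build_sample():
    d = ToyDirectory()
    d.add(USER_DN, {"uid": ["jdoe"]})
    d.add(GROUP_DN, {"cn": ["admins"], MEMBER_ATTR: [USER_DN]})
    return d


def read_after_delete(immediate):
    """Delete the user, then read the group before and after the plug-in runs.

    Returns (member_seen_before_cleanup, member_seen_after_cleanup,
    dangling_references_before_cleanup).
    """
    d = build_sample()
    d.delete(USER_DN, immediate=immediate)
    before = USER_DN in d.search(GROUP_DN, MEMBER_ATTR)
    dangling = d.dangling_references()
    d.run_referential_integrity()   # the update interval elapses
    after = USER_DN in d.search(GROUP_DN, MEMBER_ATTR)
    return before, after, dangling


if __name__ == "__main__":
    print("deferred :", read_after_delete(immediate=False))
    print("immediate:", read_after_delete(immediate=True))
```

In the deferred mode the group still lists the deleted user until the plug-in runs, and `dangling_references()` is the kind of audit a directory administrator can schedule to catch references that survived a failed or delayed clean-up. The single-threaded toy cannot show the narrower window of the immediate mode (between the result leaving the server and the plug-in finishing), which is why the post above still calls that mode post-operation.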

And he asks for an answer:

To Sun (and any other LDAP implementor): what would the impact be on read/write performance in LDAP if they were to implement full referential integrity?

Maintaining fully consistent referential integrity would definitely have some read/write performance impact, as a single delete could cause updates to thousands of entries, possibly in other branches of the Directory Information Tree. LDAP operations usually apply to a single entry, and all servers respect the ACID properties for those. There are very few LDAP operations that apply to multiple entries: the ModDN operation, the SubTree Delete Control… Those operations have not been implemented in all servers and, where they are, they all come with constraints and limitations because of the performance impact they can have on the server.

It’s worth noting that Directory Services are by nature distributed services, and most servers also support a loosely consistent replication model. So supporting full referential integrity would first require support for a full distributed transaction mechanism, both in the LDAP protocol and in the directory servers. As of today, no directory server has support for transactions, but it’s on the roadmap for the OpenDS project, and investigation has already started.

We can expect to have full referential integrity in a future release of OpenDS, and then we will really be able to measure the performance cost.

Meanwhile, Sun customers are quite happy with the current referential integrity service, which matches their expectations.


OpenDS Tips: Control the controls…

LDAP controls are a way to change the default behavior of LDAP operations and thus enhance the service. Several controls have been defined and standardized at the IETF. Because some of those controls extend the service beyond the basic operations, you might want to restrict their use to specific users, such as the Directory Administrators.

The OpenDS LDAP directory server controls who can make use of the various LDAP controls through access control rules (ACIs).

The default global ACIs contain a rule that lists the controls that can be used by all users:

ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || || || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)

This list allows the use of the Manage DSA IT Control (RFC 3296), the Real Attributes Only Control, the Virtual Attributes Only Control, the Password Policy Control (draft-behera-ldap-password-policy), the LDAP No-Op Control (draft-zeilenga-ldap-noop) and the Authorization Identity Control (RFC 3829).

If an application makes use of a control that is not allowed, the server returns an error like this one:

[LDAP: error code 50 - The request control with Object Identifier (OID) "1.2.840.113556.1.4.805" cannot be used due to insufficient access rights]

The control here is the SubTree Delete Control, which extends the delete operation to operate over a complete subtree of entries.

To allow specific users to make use of the SubTree Delete Control, you need to add a global ACI:

$ dsconfig -h localhost -p 4444 -D cn="Directory Manager" -X -n \
    set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=\"1.2.840.113556.1.4.805\") \
    (version 3.0; acl \"Data Administrator SubTree delete control access\"; allow(read) \
    userdn=\"ldap:///cn=Data Administrator,dc=example,dc=com\";)"
Password for user 'cn=Directory Manager': *********

The above ACI grants the use of the SubTree Delete Control to a single user whose DN is "cn=Data Administrator,dc=example,dc=com".

Note that even if the user has permission to use the control, the other access controls are still enforced to verify that the user has permission to delete all the entries targeted by the operation.
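To make the targetcontrol evaluation concrete, here is an added Python example (not OpenDS code) that parses the ACI subset used in this post, a targetcontrol list of OIDs joined by "||", allow(read), and a userdn of either ldap:///anyone or one ldap:///<dn>, and answers whether a bound user may attach a given control, producing the error code 50 diagnostic shown above when it may not. The two sample ACIs are constructed from the ones in the post (the anonymous rule is reduced to the four OIDs the post lists); root-DN privileges that bypass ACIs on a real server are not modelled.

```python
"""Toy evaluator for OpenDS-style targetcontrol ACIs.

Added illustration, not OpenDS code. Handles only the ACI subset used in the
post: a targetcontrol list of OIDs joined by "||", allow(read), and a userdn
of either ldap:///anyone or a single ldap:///<dn>. Root-DN privileges that
bypass ACIs on a real server are not modelled.
"""
import re

ACI_RE = re.compile(
    r'\(targetcontrol="(?P<controls>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'allow\((?P<rights>[^)]*)\)\s*userdn="ldap:///(?P<userdn>[^"]*)";\)'
)

MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"     # Manage DSA IT Control (RFC 3296)
SUBTREE_DELETE = "1.2.840.113556.1.4.805"     # SubTree Delete Control

# Constructed sample ACIs, modelled on the two shown in the post.
ANONYMOUS_ACI = (
    '(targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || '
    '2.16.840.1.113730.3.4.19 || 2.16.840.1.113730.3.4.16") '
    '(version 3.0; acl "Anonymous control access"; allow(read) '
    'userdn="ldap:///anyone";)'
)
DATA_ADMIN_ACI = (
    '(targetcontrol="1.2.840.113556.1.4.805") '
    '(version 3.0; acl "Data Administrator SubTree delete control access"; '
    'allow(read) userdn="ldap:///cn=Data Administrator,dc=example,dc=com";)'
)


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison key.
    (Escaped commas inside attribute values are not handled in this toy.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text):
    """Parse one ACI string into its controls, rights and userdn."""
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported ACI syntax: %r" % text)
    controls = {c.strip() for c in m["controls"].split("||") if c.strip()}
    rights = {r.strip() for r in m["rights"].split(",")}
    return {"name": m["name"], "controls": controls,
            "rights": rights, "userdn": m["userdn"]}


def control_allowed(acis, bind_dn, control_oid):
    """True if some ACI grants read on the OID to the bound user.
    bind_dn None stands for an anonymous connection."""
    for aci in acis:
        if control_oid not in aci["controls"] or "read" not in aci["rights"]:
            continue
        if aci["userdn"] == "anyone":
            return True
        if bind_dn is not None and normalize_dn(aci["userdn"]) == normalize_dn(bind_dn):
            return True
    return False


def check_request(acis, bind_dn, control_oid):
    """Return the (result code, diagnostic) the server would send back."""
    if control_allowed(acis, bind_dn, control_oid):
        return 0, "success"
    return 50, ('The request control with Object Identifier (OID) "%s" '
                'cannot be used due to insufficient access rights' % control_oid)


SAMPLE_ACIS = [parse_aci(ANONYMOUS_ACI), parse_aci(DATA_ADMIN_ACI)]

if __name__ == "__main__":
    for who in (None, "cn=Data Administrator,dc=example,dc=com"):
        for oid in (MANAGE_DSA_IT, SUBTREE_DELETE):
            print(who or "anonymous", oid, check_request(SAMPLE_ACIS, who, oid))
```

Running it shows the anonymous rule letting any connection use Manage DSA IT while only the Data Administrator DN gets the SubTree Delete Control; every other bound user, and an anonymous connection, receives the error code 50 message quoted in the post. The DN comparison is normalized because the same distinguished name can be written with different case and spacing, and an exact string match would silently deny a legitimate administrator.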

You can find more information on the OpenDS Documentation Wiki about the controls supported by OpenDS and about managing global ACIs.


OpenDS Tips: More on preferences for OpenDS tools

In the previous tip for OpenDS, the LDAP directory server in Java, I explained how to set default properties for the OpenDS client tools such as dsconfig, backup, restore…

One of the developers on the OpenDS project reminded me of two additional options related to those preferences:

When working with multiple instances of OpenDS, it’s convenient to store the specific properties for each instance in a file, and then use the --propertiesFilePath option.

$ dsconfig --propertiesFilePath ./opends-Master2 set-server-prop …

Alternatively, it is possible to skip the default properties file and use the OpenDS tools against a different, remote instance with the --noPropertiesFile option.

$ dsconfig set-backend-prop --backend-name userRoot --add base-dn:dc=MyCompany,dc=com \
    --hostname localhost --port 4444 --bindDN cn=Directory\ Manager --bindPassword ****** \
    --trustAll --noPropertiesFile --no-prompt

You can find more details on the properties file on the OpenDS documentation wiki.

Note: If you have OpenDS tips of your own, please share them with us. Send me an email or leave a comment on this blog.
