OpenDS 2.1.0-build002 is now available

Opends Logo TagWe have just uploaded OpenDS 2.1.0-build002, built from revision 5868 of our source tree, to our promoted builds folder.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.1.0-build002/OpenDS-2.1.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.1.0-build002/OpenDS-2.1.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.1.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.1.0-build002, including the detailed change log

Major changes incorporated since OpenDS 2.1.0-build001 include:

  • Multiple fixes to the new Import code and new Public ChangeLog feature.
  • Revision 5783 (Issue #4171) – Fixes a hang in replica initialization when the replication servers are unreachable.
  • Revision 5804 – Performance and scalability improvements with monitoring.
  • Revision 5842 (Issue #4194) – Resolves an issue where objectclasses would disappear when modified.
  • Revision 5843 – Upgrade the underlying Berkeley DB JE to version 3.3.87.
  • Revision 5847 (Issue #4164) – Fixes a decoding problem .
  • Revision 5848 (Issue #4229) – Resolves an issue where the connection handler thread hangs and cause potential DoS attack.
  • Revision 5849 (Issue #4226) – Improves the PartialDateOrTime matching rule to match on time as well as date.
  • Revision 5854 (Issue #4240) – Resolves an issue in the Control-Panel when displaying attributes with a syntax that has no name.
  • Revision 5863 & 5867 (Issue #4117) – Resolves an issue with MODDN operation that could impact ability to export and reimport from LDIF.
  • Revision 5865 (Issue #4060) – Prevents a new server process to start while OpenDS server is shutting down. Also preserves the server.pid when in-core restart is performed.

Technorati Tags: , , , , ,

LDAPCon 2009 summary

On Sunday September 20th and Monday 21st, I attended the 2nd LDAP International Conference, aka LDAPCon 2009, in Portland OR, USA.

The attendance was lower than expected initially but included most of the LDAP open source projects (Apache Directory, LSC Project, OpenDS, OpenLDAP) as well as directory server vendors (Apple, Isode, Sun, Symas, UnboundID) and some users of the technology.

All the slides for the presentations are now available, as well as the articles submitted for participation.

LP0_1859On Sunday, the conference was inaugurated by Mike Schwartz from GLUU, a Texas based start-up. GLUU intends to provide identity federation and single sign-on as a service and makes an intensive use of LDAP technologies : directory servers, directory proxy servers, virtual directories and DSML gateways for provisioning.

LP0_1860Stefan Seelman described the Apache Directory project and its toolchain, from the excellent Apache Directory Studio (you don’t know the Studio yet, go get it !) to its embedded directory server. Stefan demonstrated how to use Studio to create a staged directory server, and then role out the changes into the production one.

LP0_1865Later in the day, Emmanuel Lecharny explained how Apache Directory Server is supporting RFC 4533 to allow synchronization between an OpenLDAP server and the Apache Directory Server. As of today, Apache Directory Server is only supporting the consumer side of the protocol so it can act as a replica of an OpenLDAP master. Building the supplier side is next on their roadmap but it’s more complex, and then trying to do multi-master replication will require to implement conflict resolution procedures that have to be exactly identical to OpenLDAP ones. Based on our experience with Sun Directory Server and OpenDS, this will be the trickiest part. I got questioned on when OpenDS or Sun Directory Server will support this RFC. Honestly, this is not on our roadmap and we would be happy to add it if the community needs it and is willing to contribute. But today we already have a working multi-master replication feature that is much more scalable and powerful than what RFC 4533 allows to build.

LP0_1862Jonathan Clarke talked about LDAP Synchronization Connector, an open source project building synchronization tools between LDAP and other data sources such as RDBMs, flat files or alternate directories. LSC is written in Java and is already in production in a few french companies.

Terry Neely then presented how to do physical access control with LDAP. An interesting story about how to design schema, leverage replication to distribute access control information related to door and buildings. The OpenLDAP server running on an embedded hardware, with a 4GB compact flash !

Howard Chu, Chief Architect for OpenLDAP, and I did a joint presentation on how to store LDAP data in MySQL Cluster and we described the architecture of our respective implementations: OpenLDAP back-ndb and OpenDS ndb backends. Andrew Morgan from the MySQL Cluster team helped us describing MySQL Cluster. The question of having an in-memory distributed backend for LDAP server still raises a lot of questions and eyeballs, but people are starting to understand the value of scaling and getting simultaneous access to the data via LDAP, SQL or direct APIs.

LP0_1870Kurt Zeilenga presented his work in Isode directory to provide security label-based authorization. Security label based authorization is another flavor of authorization, in addition to identity based and role based authorization. The idea is to grant permission to access data based on the label presented by the authenticated user and the label of the data to be accessed. Which a lot of users in the directory, and many security levels (there can be up to 256 levels), this kind of authorization system scales better than Access controls. The Isode implementation has security labels at the entry level (not attribute). Clearance for a user is derived from an attribute in the user entry, from the user certificate in the directory or directly from the authentication level. While the presentation was mostly an overview of security labels and how they could be used in the context of a directory service, I found the presentation quite interesting as I’ve been asked a couple of time to add security label awareness to Sun Directory Server, especially in the context of Solaris Trusted Extensions.

We ended day one with a panel open discussion with the various directory projects and vendors. After briefly discussing areas where progress is to be made (see Mathias summary for details), we looked at the LDAP community and try to find ideas to increase it or make it more active. One area we (Sun) have been active is education. For the last couple of years, we’ve been involved in giving LDAP trainings in Universities, or helping teachers with projects involving LDAP instead of RDBMs. Another area is client APIs and code examples. The work that we’re doing with the Apache Directory team is a good step. It was also quite interesting that Howard Chu came to me in the after hours and discussed about Java for servers. Obviously, getting fresh blood in projects in getting harder with C based projects than Java based projects, as most of students are no longer learning C programming but Java programming (and other modern languages).

LP0_1867On Monday September 21st, the day started with an analyst view on the LDAP directory landscape. Felix Gaehtgens, analyst and partner at Kuppinger Cole, talked about the various market segments of the directory markets and the third generation of LDAP directory products that have emerged in the last couple of years.

Kurt Zeilenga gave a status of LDAP standardization efforts, occurring at IETF and at ISO/IEC. The hottest topic is the password policy which is evolving in both standard bodies. Howard Chu and I have published an update on the Password Policy for LDAP internet-draft. We intend to post additional changes and get it through to RFC status in the coming months.

Other topics being worked on through IETF are LDAP Transaction draft, currently under editors’ review, the LDAP schema for NIS (rfc 2307-bis), schema for VCard, schema for Kerberos and for NFS v4.

Kurt suggested that there is still some work to be done at IETF on the LDAP front, but it would be better conducted through a working group. He also encouraged people to join the standardization effort and bring some new blood to it, recognizing that he would be happy to participate but not lead a new working group. He suggested a list of topics that could be covered by the working group :

  • Chaining Operations
  • Access Controls based on X.500 model
  • LDIF update
  • Complex Transactions
  • Schema versioning and management
  • Password Policies

The next 3 presentations were about APIs for LDAP Java developers. Emmanuel Lecharny and I described the work we’ve done in the last few months collaborating on a common LDAP API for the Java platform, and we discussed what is required to move this work to standardization. Our presentation was mostly areas of work and a call for participation on that effort. We’ve moved our discussion to the Apache Directory API public mailing list (api (a) directory (dot) apache (dot) org).
LP0_1871Right after, Neil Wilson, chief architect at UnboundID, showed some slick slides about UnboundID’s products, focusing mainly on their new LDAP client Java SDK, demonstrating it’s use on the Android platform. UnboundID SDK is already available as opposed to Apache Directory or OpenDS ones. But it would definitely need to be polished and cleaned so that it could be used by our project for our needs, i.e. use the same SDK for both the server and client tools.

Following these 2 SDK presentations, Stefan Seelman demonstrated how to leverage the DataNucleus project and more specifically its support of LDAP to the standard JDO interface.

LP0_1872Howard Chu gave an overview of the new overlays developed in OpenLDAP related to user authentication and authorization. Based on the work from nss-ldapd the nssov overlay provides integration with the nss and the pam stacks. Another interesting module is an integrated certification authority overlay where user certificates and keys are generated magically based on the query filters. While this looks smart, it raises a lot of questions with regards to the security levels associated with generating and using certificates over LDAP, and it’s current implementation (only search parameters are used to generate the certificate) is messing a lot with the semantics of searches. Both Kurt and I think it should be implemented as an extended operation or at least a search control.

Finally but not least, I closed the LDAPCon with my presentation on the innovations that have been done in the OpenDS project. My presentation was articulated in 2 parts, innovations that directory administrators benefit from like the Assured Multi-Master replication model and the scheduled and recurrent tasks. And the innovations for the developers, basically new LDAP syntaxes and matching rules to ease application developments. You can find the details in the slides or the paper that I wrote for the conference.

Overall, this conference was really good for us and for meeting with some of the OpenDS community members, but as well for raising the awareness on what we’ve been doing in the last couple of years. I really enjoyed the discussions with all attendees, the beers in the evening and the fun of trying to connect the iPhone LDAP clients to the OpenLDAP server running on Howard’s G1 phone.

LP0_1874 LP0_1876 LP0_1878

All photos that I took during the conference are publicly available, and free of use for non commercial purpose.

Technorati Tags: , , , , , , ,

Jack and Pat on OpenSSO and OpenDS…

Pat Patterson reminded me of a conversation he had at OSCON 2009 with Jack Adams about OpenSSO. Luckily, the discussion was captured in video.



During the conversation, they talk about OpenDS as well. Thanks for the plug, Pat !

 

 

Technorati Tags: , , , , , ,

OpenDS 2.1.0-build001 is now available

Opends Logo TagWe have just uploaded OpenDS 2.1.0-build001, built from revision 5775 of our source tree, to our promoted builds folder. This is the first development build past 2.0, on the path to the 2.2 release planned for October 2009.

In addition to many corrections, the build includes the following new features:

  • Scalable import
  • External changelog compliant with the Internet-Draft “Definition of an Object Class to Hold LDAP Change Records”, draft-good-ldap-changelog-04.txt
  • Fractional replication
  • Extensible matching rules for time base attributes
  • Support for custom syntaxes based on substitution, regular expressions or enumeration
  • Remote server management in control panel
  • Recurrent tasks in control Panel
  • Default automatic Backup in the control panel
  • Separation of LDAP Servers and Replication Servers for replication
  • Ability to merge disjoint replication topologies
  • Dsconfig script friendly mode

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.1.0-build001/OpenDS-2.1.0-build001.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.1.0-build001/OpenDS-2.1.0-build001-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.1.0-build001/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.1.0-build001, including the detailed change log

Technorati Tags: , , , , ,

Another new feature in OpenDS Control Panel

Opends Logo TagOpenDS 2.0 has been out for a couple of months now but the development team kept on the pace of development.

Beside its ability to manage remote OpenDS servers, the Control Panel has been enhanced to support the Recurrent Tasks introduced in the OpenDS 2.0 server, and both Export LDIF and Backup can be scheduled to happen at a later time or on a regular basis.

OpenDS control panel Backup screen

Notice the "Change" button in the Backup Options.

OpenDS Control Panel, Choice for scheduling a backup

You can then choose the proper kind of scheduling and tune it very simply as illustrated below.

OpenDS Control Panel, scheduling a weekly backupOpenDS Control Panel, Scheduling a backup with Cron like notation

Technorati Tags: , , , ,

Managing multiple OpenDS servers

Opends Logo Tag
Up until now, to manage an OpenDS server, one would need to log onto the machine and starts the Control Panel.

In the next release of OpenDS (OpenDS 2.2), the Control Panel can now connect to remote servers, allowing an administrator to remotely monitor and tune any running instance of OpenDS.

Let’s see what has changed in the Control Panel for the remote access, and what are the limitations.

The first thing you will notice when starting the Control Panel is a new dialog which allows you to choose between the local server or a remote server.

OpenDS Control Panel, connection dialogOpenDS Control Panel new connection dialog

Once you’ve selected the server to administer, you will see the usual Control Panel window with its left action bar and information on the right.

OpenDS Control Panel remote server view

You can change server while the Control Panel is running. It’s in the File menu, when you are on the Main window of the Control Panel.

OpenDS Control Panel, Changing Server to Administer
OpenDS Control Panel,  Changing Server to Administer

There is very little difference between managing a local server and managing a remote server.

One thing you will notice when administering a remote server is that you can’t stop or restart it. Also, you cannot use the Control Panel to configure the Java properties of a remote server. That’s it.

The Control Panel cannot be installed as a standalone tool, it’s a part of the OpenDS server installation, and it can only manage one server at a time, local or remote. But the ability to manage remote servers will reduce the need to logon to each host and run the Control Panel on each instance either physically or using a remote display, simplifying the task of the directory administrators.

If you want to check this capability, you can download and install one of the recent OpenDS daily builds, or wait for next promoted build (2.1.0-build001).

Technorati Tags: , , , ,

Everything has an end…

And so do vacations, and blog silence.

I’ve been back in the office for over a week now but I was trying to catch up with emails, irc, blogs and news, too busy to find the time to blog again.

There’s a lot to say on the LDAP and OpenDS front.

While I was happily riding the Mont Ventoux and around with friends and family, the project kept on moving on the path to OpenDS 2.2 and several new features have been committed by the team in the code repository:

  • The Control Panel can now be used to manage remote server instances.
  • OpenDS now publishes all changes in a public ChangeLog accessible (subject to access control) under the cn=changelog naming context.
  • Replication now supports a Fractional mode allowing to exclude or include only specific attributes of all replicated entries.
  • dsreplication utility has been improved to allow separating the replication service from the replicated OpenDS instance.
  • The import feature has been rewritten and optimized, reducing the time and memory required to import very large set of data.
  • The server now supports 2 new MatchingRules to better deal with Time and Dates (GeneralizedTime syntax).
  • The server now supports the ability to declare a new syntax but default it’s implementation to an existing one.
  • The server now supports the ability to declare new Regular Expression based syntaxes and attributes.
  • The server now supports the ability to declare new Enumeration based syntaxes and attributes.

Most of the new features are already documented as part of the User Documentation of the OpenDS documentation wiki. You can test these features in recent daily builds, or you can wait for the next promoted build (2.1.0-build001) that should come pretty soon.

I will be starting a series of articles to describe with illustrations and details those new features, in the coming days and weeks.

Also in a separated branch, Matt and Bo have been working on an LDAP Client API, which is getting in a good shape to be released for beta testing soon (probably along with OpenDS 2.2).

LDAPCon 2009
The 2nd. International conference on LDAP, LDAPCon 2009 will be held on September 20th and 21st at Waterfront Marriot Hotel , Portland OR, USA. If you haven’t registered yet, please register now ! The registration fee includes access to the LinuxCon 2009 (Sep 21 – 23), and if you still need to be convinced that it’s worth attending, you can check the agenda. I hope to see you there.

Also noticed in the blogosphere and the websphere :

Finally I know the title of this post may have alarmed some of you. I don’t know what’s going to happen in the coming days, but I just hope I won’t have to write another post with the same title on the subject of OpenDS or myself.

Technorati Tags: , , , , , ,