OpenDJ LDAP server for Snow Leopard Server and Unix

One of the things that I appreciate with Mac OS X is that it’s based on Unix, the family of operating systems I’ve been using since my years at university.

And what’s more natural to integrate a ¬†Unix system with other Unix systems ? Well, one point of integration for identities and services is an LDAP directory server, like OpenDJ, the Open source LDAPv3 Directory service in Java.

Phillip Steinbachs has been working on a pet project of his: providing Mac OS X desktop environment via SunRay thin-clients. For this, he needed to have his Apple Xserver boxes, running Snow Leopart Server, to be integrated within the current LDAP and NFS environment, based on OpenDS (from which OpenDJ derives). Having successfully done it, Phillip just posted a summary of the changes needed to have its integrated, including the proper schema files. A good reference post for whoever wants to integrate its Mac OS based machines with LDAP!

Sun directory products documentation

Last week-end all Sun products documentation got moved from docs.sun.com to Oracle.com domain, with new IDs. So all URLs and bookmarks have been “lost in translation” !

On this blog, I had numerous references to Sun directory product documentations, pointing to specific commands or chapters for configuring and managing the service… All are now redirecting to the main Oracle’s documentation page. ūüė¶

But I managed to find the place where the Sun Directory Server documentation is listed, from iPlanet Directory Server 4.11 to the latest Oracle Directory Server Enterprise Edition 11g : the Legacy Sun Identity Management Documentation. There are link for both the online and the PDF versions.

Here, you will also find access to the OpenSSO enterprise 8.0 documentation as well as Sun OpenDS one.

Pfew! I was afraid everything disappeared.

On a side note, classifying the so called “strategicOracle Directory Server Enterprise Edition 11g in the legacy products seems to say a lot about its future !

A year after sunset…

My ex-colleague Eduardo Pelegri has been collecting and posting interesting data about the ex-Sun people and the Sun initiated open source projects, a year after the Sun-set. I find interesting to see how the Sun heritage is disseminating and creating a larger ecosystem of new companies.

 

Week-end photos : BMX

Where is the winter ? Today was bright sunny, clear blue sky and unusually warm for winter. It would have been a great day for skiing, although the snow would have been complete slush. So, with a friend and kids, we walked to the skate park, and we ended up spending most of the afternoon taking pictures. Here a couple of them. The remaining are on the Picasa web album.

An unexpected gift!

Yesterday, there was a package in my mailbox, the size of letter, thick with a bump protuding.

Nearly 4 months after my last day at Oracle, I’ve received my 15 Years @ Sun pin and plate (the anniversary date was July 17th). Somehow, receiving this feels weird. First because technically Sun was no more (in France) on July 17th. Then the plate holds the signature of Jonathan Schwartz who was long gone by then. Finally, the date was almost 6 months ago; since I’ve packed and moved on ! But I’m thankful to Oracle for following up and sending them to me, instead of trashing them.

I still haven’t received the gift I ordered before I left, though: a silver made Caran D’Ache ballpen. May be it’s also on its way ! I’d hoped to receive it in time to sign in ForgeRock France new employees’ contract !

The First OpenAM Book

OpenAM Book CoverThe first book on OpenAM, the open source web single sign-on and federation project, will be released very soon (it should be Jan 21st 2011), and it’s been written by one of my former and well esteemed colleague Indira Thangasamy.

I haven’t reviewed the book yet, but I’m expecting to have a review copy in my hands pretty soon (thanks again Indira and Packt Publishing).

However, if you want to get a feel of the book content, Indira has posted a very detailed table of content of the book, and some background information about it. I’m really looking forward reading the book and discovering some hidden gems of OpenAM. Also, this will help me to rethink the way the Configuration Store and User Store are considered and help improving the integration with OpenDJ, the Open source LDAP Directory services in Java, currently used as the embedded configuration store.

The book is already available for Pre-Order.

Directory Administrative Accounts – cont.

In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.

In the OpenDJ directory service, there are 2 types of authorization systems :

  • Privileges control who can perform which administrative tasks : backup, restore, stop and restart of the server, managing acl…
  • Access Controls Lists govern the access to the data through LDAP operations.

Most operations involving sensitive or administrative data require that the user has both the privilege and authorization. This allows finer-grain authorization for specific data related action such as managing acl or reseting passwords.

The Privilege SubSystem

Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.

That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.

To list the current default privileges assigned to all RootDN users :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n get-root-dn-prop

Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema

To make sure that all searches are done with proper indexes, you may want to remove the privilege to all Administrative Accounts to perform unindexed searches :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n set-root-dn-prop –remove default-root-privilege-name:unindexed-search

Note: Removing this privilege to all Administrative accounts including the default “cn=Directory Manager” may have side effects for certain internal operations such as group membership, referential integrity…

Whenever adding a new Administrative Account under the “cn=Root DNs,cn=config” container, it automatically inherits from those privileges. But each administrative account can then be denied or added specific privileges by adding values of the “ds-privilege-name” attribute directly in the user entry, in the form of the privilege name or a Minus sign followed by the privilege name.

For example, I can make sure that my newly added Administrative Account is subject to access controls and cannot modify access controls lists, I modify the entry as followed :

Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:

dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

And then apply it to the directory service with the following command :

bin/ldapmodify -h localhost -p 4444 -X -Z -D “cn=directory manager” -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif

Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.

But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.

The complete list of privileges supported in OpenDJ 2.4 is below:

  • backend-restore: Ability to perform backend restore operations.
  • bypass-acl: Ability to bypass access control evaluation.
  • bypass-lockdown:Ability to bypass server lockdown mode.
  • cancel-request: Ability to cancel arbitrary client requests.
  • config-read: Ability to read the server configuration.
  • config-write: Ability to update the server configuration.
  • data-sync: Ability to participate in a data synchronization environment.
  • disconnect-client: Ability to terminate arbitrary client connections.
  • jmx-notify: Ability to subscribe to JMX notifications.
  • jmx-read: Ability to perform read operations via JMX.
  • jmx-write: Ability to perform write operations via JMX.
  • ldif-export: Ability to perform LDIF export operations.
  • ldif-import: Ability to perform LDIF import operations.
  • modify-acl: Ability to modify access control rules.
  • password-reset: Ability to reset user passwords.
  • privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
  • proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
  • server-lockdown: Ability to lockdown a server.
  • server-restart: Ability to request a server restart.
  • server-shutdown: Ability to request a server shutdown.
  • subentry-write: Ability to perform write operations on LDAP subentries.
  • unindexed-search: Ability to perform an unindexed search
  • update-schema: Ability to update the server schema.

Multiple Directory Administrative Users

Most of LDAP directory servers configure a single well known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we are too often seeing that special account being used by all applications that have specific administrative needs : the provisioning application, the email management application, …

OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.

The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.

Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.

Create a file newAdmin.ldif

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

ldapmodify -a -D cn=Directory Manager -j /var/tmp/dmpassfile -f  newAdmin.ldif

Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :

$ bin/ldappasswordmodify -p 1389 -D “cn=directory manager” -j /var/tmp/dmpassfile -a “”cn=Admin2,dc=example,dc=com”¬†-N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.

Did you notice the “ds-cfg-alternate-bind-dn” attribute¬†in the definition of the new administrative account ? This enables to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the “cn=config” suffix.

So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.

In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

Twitter 2.0 for Mac : good but not enough

With the arrival of the App Store for Mac OS X, the first application I installed and tried is Twitter 2.0.

Twitter is the client that I’m using on the iPhone and I’ve heard good things about the Tweetie, Mac version, and a lot of expectations for the 2.0 version.

Twitter 2.0 has an new user interface that is a different than other OS -X applications, but it’s very easy to get used to it. It’s a single column app, with an icon toolbar on the side giving access to the timeline, mentions, direct messages, lists, searches… It supports multiple accounts and fits really well on the side of the screen with smooth scrolling when new tweets arrive or when changing view. It’s very lightweight in memory and on the CPU, which is a good thing for apps that are opened all day long on the desktop.

Twitter 2.0 Mac Application screenshot

But Twitter 2.0 lacks some of the features that I’m used to with my other Twitter client application : ¬†Nambu.

The biggest and most important missing feature for me is the lack of notification on Searches. I understand that this is probably a design choice to prevent overloading twitter service, but I have a set of predefined terms that I’m tracking and for which I want almost real time notification.

The other missing features I noticed are notifications for lists, the auto-completion of user names, the possibility to translate tweets written in Foreign language, and most importantly the indication that a tweet has been read or not, especially between restart of the application.

For those reasons, Nambu remains my preferred application for reading and posting to Twitter. But I can see the Twitter application quickly taking over the desktop of the regular users.

Happy New Year 2011

Here we are, already in 2011 ! I can’t believe how fast time has flown since mid September. The last 3 months have been extremely busy, with the release of OpenDJ 2.4.0, the customers already working with our products and the setup of ForgeRock France SAS.

Things are in place and we’re ready to grow the team, in the ForgeRock Grenoble engineering center. I’ll talk more about that when it happens.

Meanwhile, on behalf of ForgeRock France and overall, let me wish you a very Happy New Year. May all your projects be successful, especially the open source ones ūüôā

A photo of the Alpes, near Grenoble