Ubuntu 10.04 LDAP naming service with OpenDJ

Ubuntu documentation with regards to LDAP client authentication has been available for a while but is limited to a few directory servers. As more and more companies are looking for a replacement of their legacy Sun Directory Server, I’m happy to relay that Dave Koelmeyer has just posted a very detailed and step by step guide on how to do LDAP authentication with Ubuntu 10.04 and OpenDJ 2.4.1. A nice complement to the official docs. And a nice contribution to the OpenDJ community.

Enjoy !

What’s up ? Doc !

It’s been a few very busy weeks and I haven’t found the time to properly introduce a new member of the ForgeRock Grenoble Engineering Center : Mark Craig.

After Matthew who joined us as Architect for OpenDJ, Gary who is covering Quality Assurance for our products, Mark Craig has joined us on the 1st day of April to cover a very important part of any real Product : the documentation.

Mark comes from Sun Microsystems (and a few months at Oracle) where he has played different roles, from technical writer, to manager for all technical writers in the Identity Management BU, to managing the Directory Integration Team responsible for customer interactions and audits, performance benchmarks and assisting POCs. At ForgeRock, Mark goes back to his roots and things he enjoys and excels in: writing.

You can read Mark’s prose on his new blog (Margin Notes 2.0), OpenDJ blog or already on ForgeRock documentation wiki.

OpenAM – The Book

For many years, I’ve been working in collaboration with the Sun access management product team,  as it started working on the Directory Server Access Management Edition (DSAME) product that years later became Sun Access Manager and OpenSSO. And now that I’m at ForgeRock, I have the pleasure to keep working with some members of that team, on OpenAM, the continuation of the OpenSSO open source project.

My knowledge of the product is rather shallow as I’ve worked on several case studies or issues related to customers and LDAP directory servers, but I never had a chance to deploy a service for production use or even extensive testing.

So when I learnt that Packt Publishing was releasing a book on “OpenAM”, written by Indira Thangasamy, an ex-colleague of mine and manager of the Quality Assurance team, I asked if I could get a copy for review, which Packt kindly agreed to.

I haven’t finished the book yet, as it’s over 250 pages of content, covering all aspects of the OpenAM software, from its history, its components and services, to its integration with Google Apps or SalesForce… But from what I’ve read (about 2/3 of the book), I can say that the book is easy to read and well organized. It helps a beginner to grasp the concepts and start using the product, thanks to the detailed explanations and diagrams. As the chapters advance and dive into specific technical areas, Indira uses real-world examples and simple code or commands, followed by a detailed description to illustrate what OpenAM does or does not do, giving a comprehensive picture of the fully featured product.

Some of the features of OpenAM are not covered in the book, like Federation or the most recent Entitlement Services or Secure Token Services. I hope they will be covered in a revised edition or maybe another book, as these features are becoming more used and important to enterprise security and access management.

In summary, if you’re about to, or have just started to engage on a project with OpenAM, this book will help you understand the technology and ease your ramping up. But even for the more experienced users of OpenAM, the book is full of details, tips and examples that will save you time and make you more efficient.

You can find the book on the Packt Publishing web site or Amazon.

New releases of OpenAM and OpenDJ !

It’s the happy hour, with a double release day at ForgeRock.

OpenAM 9.5.2 has just been released, along with the J2EE Agents 3.0.3, and both are now available for download from ForgeRock. You can find the release details in the Release Notes.

OpenDJ 2.4.1 has also been released today. The patch release can be found on the Downloads page in various forms: Java WebStart Installer, Zip package or SVR4 package. The Release Notes have been posted on the Documentation wiki.

Happy birthday IzPack

IzPack, the open source, Java based, cross-platform packager installer project is celebrating its 10th birthday with 2 releases and an impressive list of companies using the technology.

In OpenDJ, we have our own Java based (Java WebStart based) installer, but if I had to redo it, I would definitely pick IzPack to build it, for its easiness, cross-platform support and great look and feel.

Long live to IzPack !

A couple of News feeds for OpenDJ and ForgeRock

The OpenDJ development team has its own blog now. You will find news, tips and other information about the Open source LDAPv3 Directory services in Java.

On the same topic, an aggregator of news feeds related to ForgeRock has now been set up, and you can read all the news from a single place : http://blogs.forgerock.org/aggregator/

Quality Matters

As we’re working towards releasing a micro-release of OpenDJ 2.4, fixing a few issues that have been raised by our customers and adopters, we’ve made another important move towards increasing the quality of ForgeRock products :

Gary Williams has started at ForgeRock today, growing the forces at the ForgeRock Grenoble Engineering Center, and will lead our quality assurance engineering efforts. Gary comes from Sun (Oracle) where he was Principal Quality Assurance Engineer, driving the testing efforts for OpenDS and previously for Sun Directory Server Enterprise Edition. He brings almost 20 years of experience in QA and testing software applications and servers.

Welcome to ForgeRock, Gary !

Upgrading from OpenDS to OpenDJ

OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.

It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and most error-proof way.

First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.

Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.

Go in the directory of the instance to upgrade:

cd /local/OpenDS2.2/

From that place, run the OpenDS 2.2 upgrade command :

./upgrade

The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key

Then provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip

And then continue with the Upgrade program.

Should some customization of the schema or the configuration fail to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.

If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.

And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency.  To do so, stop the upgraded server and run the rebuild-index command :

bin/rebuild-index <some options> -i dn2id -b "<suffix>"

If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.

Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.
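The stop-and-copy backup and the "move the copy back" rollback described above, as an added example that is not part of the original post or of OpenDJ: it refuses to copy a running server and records a checksum manifest so the copy can be verified before it is used for a rollback. The function names, the backup paths and the logs/server.pid check are assumptions.

```sh
#!/bin/sh
# Added example: stop-and-copy backup of an instance before ./upgrade,
# with a checksum manifest so a rollback copy can be verified first.
# Function names and paths are hypothetical.

# Assumption: a running instance keeps its PID in logs/server.pid.
server_running() {
    [ -f "$1/logs/server.pid" ] && kill -0 "$(cat "$1/logs/server.pid")" 2>/dev/null
}

# Print "crc size ./relative/path" for every file under $1, sorted by path.
# cksum catches copy errors and truncation; it is not tamper-proof.
manifest() {
    (cd "$1" && find . -type f -exec cksum {} + | sort -k3)
}

# Succeeds only if the backup in $1 still matches $1.manifest.
verify_backup() {
    manifest "$1" | cmp -s - "$1.manifest"
}

# $1 = instance directory, $2 = backup directory (must not exist yet).
backup_instance() {
    src=$1; dst=$2
    if [ ! -d "$src" ]; then echo "no such instance: $src" >&2; return 2; fi
    if [ -e "$dst" ]; then echo "backup target exists: $dst" >&2; return 2; fi
    if server_running "$src"; then
        echo "server is running; stop it first (bin/stop-ds)" >&2
        return 3
    fi
    cp -Rp "$src" "$dst" || return 1
    manifest "$src" > "$dst.manifest"
    verify_backup "$dst"
}

# $1 = backup directory, $2 = instance directory to roll back.
restore_instance() {
    if ! verify_backup "$1"; then
        echo "backup no longer matches its manifest" >&2; return 1
    fi
    mv "$2" "$2.failed-upgrade" && cp -Rp "$1" "$2"
}

# Usage (paths are examples):
#   backup_instance /local/OpenDS2.2 /local/OpenDS2.2.pre-upgrade
#   restore_instance /local/OpenDS2.2.pre-upgrade /local/OpenDS2.2  # on failure only
```

The failed instance is kept beside the restored one with a .failed-upgrade suffix, so the history directory written by the Upgrade program stays available for review.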

Enjoy.

Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.

Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.

1 Year Old and 1 New Architect

ForgeRock is exactly ONE year old today. As we’re a distributed and quite global company, we’re not going to blow the candle on the cake today. But I’m sure next time we meet, we’ll have one as nice as the one we had during our last company meeting in Faro, Portugal.

Also today is the first day at ForgeRock of Matthew Swift, as Architect for the OpenDJ project, growing the forces at the ForgeRock Grenoble Engineering Center. Matthew comes from Sun (Oracle) where he was leading the development of the core of OpenDS, as well as the LDAP Client API. He has been doing interesting work with regards to performances with the OpenDS server (he’s the one who provided me with nice numbers to present), and its reliability. Matthew has several years of experience building LDAP and Directory related products as well as Java development, for Sun, Bloomberg and Isode. He’s bringing his talent and energy back to the open source project and will help make OpenDJ an even stronger and better product.

I’m really delighted to work with Matthew again.

And what a great day today !

OpenDJ LDAP server for Snow Leopard Server and Unix

One of the things that I appreciate with Mac OS X is that it’s based on Unix, the family of operating systems I’ve been using since my years at university.

And what’s more natural than to integrate a Unix system with other Unix systems ? Well, one point of integration for identities and services is an LDAP directory server, like OpenDJ, the Open source LDAPv3 Directory service in Java.

Phillip Steinbachs has been working on a pet project of his: providing Mac OS X desktop environment via SunRay thin-clients. For this, he needed to have his Apple Xserver boxes, running Snow Leopard Server, integrated within the current LDAP and NFS environment, based on OpenDS (from which OpenDJ derives). Having successfully done it, Phillip just posted a summary of the changes needed to have it integrated, including the proper schema files. A good reference post for whoever wants to integrate their Mac OS based machines with LDAP!

Sun directory products documentation

Last week-end all Sun products documentation got moved from docs.sun.com to Oracle.com domain, with new IDs. So all URLs and bookmarks have been “lost in translation” !

On this blog, I had numerous references to Sun directory product documentations, pointing to specific commands or chapters for configuring and managing the service… All are now redirecting to the main Oracle’s documentation page. 😦

But I managed to find the place where the Sun Directory Server documentation is listed, from iPlanet Directory Server 4.11 to the latest Oracle Directory Server Enterprise Edition 11g : the Legacy Sun Identity Management Documentation. There are links for both the online and the PDF versions.

Here, you will also find access to the OpenSSO enterprise 8.0 documentation as well as Sun OpenDS one.

Pfew! I was afraid everything disappeared.

On a side note, classifying the so called “strategic” Oracle Directory Server Enterprise Edition 11g in the legacy products seems to say a lot about its future !

A year after sunset…

My ex-colleague Eduardo Pelegri has been collecting and posting interesting data about the ex-Sun people and the Sun initiated open source projects, a year after the Sun-set. I find it interesting to see how the Sun heritage is disseminating and creating a larger ecosystem of new companies.

 

Week-end photos : BMX

Where is the winter ? Today was bright sunny, clear blue sky and unusually warm for winter. It would have been a great day for skiing, although the snow would have been complete slush. So, with a friend and kids, we walked to the skate park, and we ended up spending most of the afternoon taking pictures. Here are a couple of them. The remaining ones are on the Picasa web album.

An unexpected gift!

Yesterday, there was a package in my mailbox, the size of a letter, thick with a bump protruding.

Nearly 4 months after my last day at Oracle, I’ve received my 15 Years @ Sun pin and plate (the anniversary date was July 17th). Somehow, receiving this feels weird. First because technically Sun was no more (in France) on July 17th. Then the plate holds the signature of Jonathan Schwartz who was long gone by then. Finally, the date was almost 6 months ago; since I’ve packed and moved on ! But I’m thankful to Oracle for following up and sending them to me, instead of trashing them.

I still haven’t received the gift I ordered before I left, though: a silver made Caran D’Ache ballpen. Maybe it’s also on its way ! I’d hoped to receive it in time to sign in ForgeRock France new employees’ contract !

The First OpenAM Book

The first book on OpenAM, the open source web single sign-on and federation project, will be released very soon (it should be Jan 21st 2011), and it’s been written by one of my former and well esteemed colleagues, Indira Thangasamy.

I haven’t reviewed the book yet, but I’m expecting to have a review copy in my hands pretty soon (thanks again Indira and Packt Publishing).

However, if you want to get a feel of the book content, Indira has posted a very detailed table of contents of the book, and some background information about it. I’m really looking forward to reading the book and discovering some hidden gems of OpenAM. Also, this will help me to rethink the way the Configuration Store and User Store are considered and help improve the integration with OpenDJ, the Open source LDAP Directory services in Java, currently used as the embedded configuration store.

The book is already available for Pre-Order.