Directory Administrative Accounts – cont.

In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.

In the OpenDJ directory service, there are two types of authorization mechanisms:

  • Privileges control who can perform which administrative tasks: backup, restore, stop and restart of the server, managing ACLs…
  • Access Control Lists govern access to the data through LDAP operations.

Most operations involving sensitive or administrative data require that the user has both the privilege and the access control authorization. This allows finer-grained authorization for specific data-related actions such as managing ACLs or resetting passwords.

The Privilege SubSystem

Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.

That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.

To list the current default privileges assigned to all RootDN users :

bin/dsconfig -h localhost -p 4444 -X -D "cn=directory manager" -j /var/tmp/dmpassfile -n get-root-dn-prop

Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema

To make sure that all searches are done with proper indexes, you may want to remove the unindexed-search privilege from all Administrative Accounts:

bin/dsconfig -h localhost -p 4444 -X -D "cn=directory manager" -j /var/tmp/dmpassfile -n set-root-dn-prop --remove default-root-privilege-name:unindexed-search

Note: Removing this privilege from all Administrative accounts, including the default “cn=Directory Manager”, may have side effects on certain internal operations such as group membership or referential integrity…

Whenever a new Administrative Account is added under the “cn=Root DNs,cn=config” container, it automatically inherits those default privileges. Each administrative account can then be granted or denied specific privileges by adding values of the “ds-privilege-name” attribute directly to the user entry, either as the privilege name (grant) or as a minus sign followed by the privilege name (deny).

For example, to make sure that my newly added Administrative Account is subject to access controls and cannot modify access control lists, I modify the entry as follows:

Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:

dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

And then apply it to the directory service with the following command :

bin/ldapmodify -h localhost -p 4444 -X -Z -D "cn=directory manager" -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif

Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.

But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.
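To make the inheritance rule concrete, here is an added example (my own code, not part of the original post and not OpenDJ code) that computes the effective privilege set of each account from the dsconfig output above and the ds-privilege-name values in its entry, then flags which high-risk privileges each account still holds. The dsconfig output and the LDIF entries are constructed samples, and the HIGH_RISK set is an assumed audit policy.

```python
"""Effective privileges of OpenDJ accounts (added example, not OpenDJ code).
Rule modelled: an entry with objectclass ds-cfg-root-dn-user starts from the
global default-root-privilege-name set, any other entry starts empty, and each
ds-privilege-name value either grants ("name") or denies ("-name") a privilege."""

# Constructed copy of the `dsconfig get-root-dn-prop` output shown in the post.
DSCONFIG_OUTPUT = """\
Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema
"""

# Constructed LDIF: two Root DN entries and one regular user with a delegated privilege.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectclass: ds-cfg-root-dn-user

dn: cn=Second Admin,cn=Root DNs,cn=config
objectclass: ds-cfg-root-dn-user
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

dn: uid=pwadmin,ou=People,dc=example,dc=com
objectclass: inetOrgPerson
ds-privilege-name: password-reset
"""

# Assumed audit policy: privileges an application account should not keep.
HIGH_RISK = {"bypass-acl", "modify-acl", "privilege-change", "config-write"}


def parse_default_privileges(output):
    """Collect the comma-separated values of default-root-privilege-name."""
    values = []
    for line in output.splitlines():
        if line.startswith("default-root-privilege-name") or line.lstrip().startswith(": "):
            _, _, rhs = line.partition(":")
            values.extend(v.strip() for v in rhs.split(",") if v.strip())
    return set(values)


def parse_ldif(ldif):
    """Minimal LDIF reader (no folding/base64): DN -> {attr (lowercase): [values]}."""
    entries, dn, attrs = {}, None, {}
    for line in ldif.splitlines() + [""]:
        if not line.strip():             # a blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def effective_privileges(defaults, entry):
    """Start from the Root DN defaults (if applicable), then apply ds-privilege-name."""
    is_root_dn = "ds-cfg-root-dn-user" in [v.lower() for v in entry.get("objectclass", [])]
    effective = set(defaults) if is_root_dn else set()
    for value in entry.get("ds-privilege-name", []):
        if value.startswith("-"):
            effective.discard(value[1:])   # an explicit denial overrides the defaults
        else:
            effective.add(value)
    return effective


def audit_privileges(output, ldif):
    """Per entry, the HIGH_RISK privileges it still holds after all adjustments."""
    defaults = parse_default_privileges(output)
    return {dn: effective_privileges(defaults, e) & HIGH_RISK
            for dn, e in parse_ldif(ldif).items()}
```

Running audit_privileges against a real export of cn=Root DNs,cn=config shows at a glance which application accounts still bypass access controls.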

The complete list of privileges supported in OpenDJ 2.4 is below:

  • backend-backup: Ability to perform backend backup operations.
  • backend-restore: Ability to perform backend restore operations.
  • bypass-acl: Ability to bypass access control evaluation.
  • bypass-lockdown: Ability to bypass server lockdown mode.
  • cancel-request: Ability to cancel arbitrary client requests.
  • config-read: Ability to read the server configuration.
  • config-write: Ability to update the server configuration.
  • data-sync: Ability to participate in a data synchronization environment.
  • disconnect-client: Ability to terminate arbitrary client connections.
  • jmx-notify: Ability to subscribe to JMX notifications.
  • jmx-read: Ability to perform read operations via JMX.
  • jmx-write: Ability to perform write operations via JMX.
  • ldif-export: Ability to perform LDIF export operations.
  • ldif-import: Ability to perform LDIF import operations.
  • modify-acl: Ability to modify access control rules.
  • password-reset: Ability to reset user passwords.
  • privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
  • proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
  • server-lockdown: Ability to lockdown a server.
  • server-restart: Ability to request a server restart.
  • server-shutdown: Ability to request a server shutdown.
  • subentry-write: Ability to perform write operations on LDAP subentries.
  • unindexed-search: Ability to perform an unindexed search.
  • update-schema: Ability to update the server schema.

Multiple Directory Administrative Users

Most LDAP directory servers configure a single well-known administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need for one special user to bootstrap the server, we too often see that special account being used by all the applications that have specific administrative needs: the provisioning application, the email management application, …

OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.

The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.

Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.

Create a file newAdmin.ldif

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

ldapmodify -a -D "cn=Directory Manager" -j /var/tmp/dmpassfile -f newAdmin.ldif

Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :

$ bin/ldappasswordmodify -p 1389 -D "cn=directory manager" -j /var/tmp/dmpassfile -a "dn:cn=Admin2,dc=example,dc=com" -N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.

Did you notice the “ds-cfg-alternate-bind-dn” attribute in the definition of the new administrative account? It allows clients to authenticate to the directory server using the DN specified in this attribute, while the entry itself keeps its own DN and remains located under the “cn=config” suffix.

So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.

In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

Twitter 2.0 for Mac : good but not enough

With the arrival of the App Store for Mac OS X, the first application I installed and tried is Twitter 2.0.

Twitter is the client that I’m using on the iPhone, and I’ve heard good things about Tweetie, the Mac version, along with a lot of expectations for the 2.0 version.

Twitter 2.0 has a new user interface that is different from other OS X applications, but it’s very easy to get used to. It’s a single-column app, with an icon toolbar on the side giving access to the timeline, mentions, direct messages, lists, searches… It supports multiple accounts and fits really well on the side of the screen, with smooth scrolling when new tweets arrive or when changing view. It’s very lightweight in memory and on the CPU, which is a good thing for apps that stay open all day long on the desktop.

Twitter 2.0 Mac Application screenshot

But Twitter 2.0 lacks some of the features that I’m used to with my other Twitter client application: Nambu.

The biggest and most important missing feature for me is the lack of notifications on searches. I understand that this is probably a design choice to avoid overloading the Twitter service, but I have a set of predefined terms that I’m tracking and for which I want almost real-time notification.

The other missing features I noticed are notifications for lists, auto-completion of user names, the possibility to translate tweets written in a foreign language, and most importantly the indication of whether a tweet has been read or not, especially across restarts of the application.

For those reasons, Nambu remains my preferred application for reading and posting to Twitter. But I can see the Twitter application quickly taking over the desktop of the regular users.

Happy New Year 2011

Here we are, already in 2011 ! I can’t believe how fast time has flown since mid September. The last 3 months have been extremely busy, with the release of OpenDJ 2.4.0, the customers already working with our products and the setup of ForgeRock France SAS.

Things are in place and we’re ready to grow the team, in the ForgeRock Grenoble engineering center. I’ll talk more about that when it happens.

Meanwhile, on behalf of ForgeRock France and overall, let me wish you a very Happy New Year. May all your projects be successful, especially the open source ones 🙂

A photo of the Alpes, near Grenoble

OpenDJ 2.4.0 has been released

I’m very pleased to announce the first full release of our Open source Directory services for the Java platform : OpenDJ 2.4.0.

Based on open source and open standards, OpenDJ is a new LDAPv3-compliant directory service, providing a high-performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform, makes OpenDJ the simplest and fastest directory server to deploy and manage.

Choosing OpenDJ as an enterprise directory service has the following benefits :

  • Lower the cost of ownership: Delivers more performance while consuming fewer resources (disks, memory and CPUs). Simplifies administrative tasks by automating them.
  • Platform independence : Runs on any platform that supports Java 6, including virtualized environments.
  • High Availability : Supports deployment of multiple servers in a multi-master replication topology, providing failover and disaster recovery.
  • Secure data store : Supports different levels of authentication and authorization. Protects passwords through encryption and extensive policies.
  • Monitoring and Alerts : Can be monitored by 3rd party applications using SNMP and JMX. Supports custom alerts to inform of specific events in the service.
  • Interoperability : Supports all LDAPv3 standard specifications, most of LDAPv3 standard and experimental extensions as well as some vendor specific extensions, easing integration with applications.

After a little over 2 months of beta testing, OpenDJ is now ready for use in production. With this release, the OpenDJ project delivers the features announced on the OpenDS roadmap and plans to continue the development of the project in a truly open and collaborative way.

OpenDJ 2.4.0 can be downloaded from our downloads page, or installed through Java WebStart by just clicking here. You can find more details about it in the Release Notes.

Enjoy !

And send us your feedback, on the OpenDJ mailing list (subscribe here) or on #opendj IRC channel.

A view from the ForgeRock French office

View on "Les 7 Laux"

I know this is a temporary office, but this is one of the many reasons for ForgeRock France to be located near Grenoble.

Hello ForgeRock !

ForgeRock logo

In my last post I said that I was moving to other ventures. My future has a name and the people who are following me on LinkedIn or Twitter have seen it already. I’ve been invited to join ForgeRock and drive the directory services products, complementing the I3 Open Platform.

So on October 1st, we have publicly announced the latest addition to ForgeRock portfolio : OpenDJ, the Open source Directory services in Java. OpenDJ is based on OpenDS, an open source project initiated by Sun Microsystems on which I’ve worked for 4 years.

You can download OpenDJ 2.4 beta 1 from the download repository, or install it directly using Java Web Start.
The source code is available on our SVN repository and you can browse through it with FishEye.
Please report any issue or request for new features in our issue tracking tool (Jira)
And if you want to join the project and participate, you’re more than welcome.

I will remain in the Grenoble area, France where we will soon be opening an engineering center.

Moving on from Oracle

After 15 years at Sun, I’ve decided to leave the company and pursue other ventures. My last day will be September 15th, 2010.

Sun had offered me the opportunity to do what I really like: build great products for and with customers, in a truly diverse and international environment. I’ve been lucky to work with highly talented people, from all over the world. I’ve enjoyed (almost) every minute of it and I’m really thankful for that.

A huge “Thank you” to the many readers of this blog, for your comments and encouragements. I do intend to continue writing (more than the last few months), and for that I have relocated the content at https://ludopoitou.wordpress.com

You can also find me on LinkedIn or Twitter.

Thanks again and talk to you soon.

OpenDS and Sun JVM 1.6.0_21

Sun^H^H^HOracle released an update to the Java Platform Standard Edition last month : JDK 6 Update 21.

Last week, both on #opends IRC channel and the users mailing list, we started to get questions on how to enable replication between 2 instances of OpenDS, because dsreplication was producing the following error message : “There are no base DNs available to enable replication between the two servers”.

This was affecting the latest stable release of OpenDS (2.2.0) as well as the latest promoted-build and daily-builds.

After several exchanges and attempts to reproduce the problem, we found that the root cause was a change in JDK 6 update 21, more specifically in the parsing of LDAP filters in JNDI. The new code parses more strictly and rejects LDAP filters not surrounded by parentheses: “cn=Foo” is, according to RFC 4515, not a valid filter, whereas “(cn=Foo)” is.

There was one occurrence of an invalid filter in OpenDS internals, exercised when enabling replication for the first time. We fixed the issue (#4575) yesterday and starting with today’s daily-build, you can use the latest version of the Java run-time with OpenDS.
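As an added illustration (my own code, neither the OpenDS internals nor the JDK’s JNDI parser), the following checker applies the RFC 4515 grammar strictly and therefore rejects the unparenthesised form that the old, more lenient parser let through. Extensible matching (`:=`) is left out to keep it short.

```python
"""Strict RFC 4515 LDAP search filter syntax check (added example, not OpenDS code).
A filter is always parenthesised: "(cn=Foo)" is valid, "cn=Foo" is not, which is
exactly the distinction the stricter JNDI parser in JDK 6u21 started enforcing.
Covers and/or/not, equality, presence, substring, >=, <=, ~= and backslash-XX
escapes; extensible matching (:=) is intentionally not supported."""
import re

# Attribute description: short name or numeric OID, with optional ;options.
_ATTR = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def _check_value(value):
    """Values may not contain raw NUL, '(', ')', '*' or '\\'; escapes are \\XX."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if not _HEX2.fullmatch(value[i + 1:i + 3]):
                raise ValueError("bad escape in %r" % value)
            i += 3
        elif value[i] in "()*\0":
            raise ValueError("raw %r not allowed in value" % value[i])
        else:
            i += 1


def _check_item(item):
    """attr=value, attr=*, attr=ini*any*fin, attr>=v, attr<=v or attr~=v."""
    k = item.find("=")
    if k < 0:
        raise ValueError("no '=' in filter item %r" % item)
    two_char = k > 0 and item[k - 1] in "><~"
    attr = item[:k - 1] if two_char else item[:k]
    value = item[k + 1:]
    if not _ATTR.fullmatch(attr):
        raise ValueError("bad attribute description %r" % attr)
    if two_char or "*" not in value:
        _check_value(value)                 # ordering, approx or equality
    else:
        for piece in value.split("*"):      # presence ("*") or substring
            _check_value(piece)


def _parse(f, i):
    """Parse one parenthesised filter starting at f[i]; return the index after ')'."""
    if i >= len(f) or f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(f) and f[i] in "&|":
        i += 1
        while i < len(f) and f[i] == "(":   # zero or more nested components
            i = _parse(f, i)
    elif i < len(f) and f[i] == "!":
        i = _parse(f, i + 1)                 # exactly one nested component
    else:
        j = f.find(")", i)                   # a raw ')' cannot occur inside a value
        if j < 0:
            raise ValueError("unterminated filter item")
        _check_item(f[i:j])
        i = j
    if i >= len(f) or f[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def is_valid_filter(f):
    """True iff f is a syntactically valid RFC 4515 filter (whole string consumed)."""
    try:
        return _parse(f, 0) == len(f)
    except ValueError:
        return False


def explain(f):
    """None if valid, otherwise the parser's complaint (useful in logs)."""
    try:
        return None if _parse(f, 0) == len(f) else "trailing characters after filter"
    except ValueError as e:
        return str(e)
```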

We’re looking at providing an updated version of the 2.2 version to solve this issue as well as a few other important corrections. No ETA for this though.

Update:
OpenDJ, a fork of OpenDS, has a complete resolution for this issue. You can find more about OpenDJ on ForgeRock web site : http://forgerock.com/opendj.html

OpenDS 2.3.0-build003 is now available…

We have just uploaded OpenDS 2.3.0-build003, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build003 is built from revision 6502 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build003/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build003, including the detailed change log

Major changes since OpenDS 2.3.0 build002 include :

  • Provides support for the MS Permissive Modify control (#4238)
  • Adds support for multiple superior objectclasses in schema (#615)
  • Updated Berkeley DB Java Edition to version 4.0.103
  • Several enhancements and fixes in the External Changelog: Reliability in special cases like disabling replication domains, naming entries by ChangeNumber (Issue #4537), performance of searches with bounded filters (#4507), supporting operational attributes…
  • Resolves an issue (#4546) during shutdown that could cause deadlock in replication
  • Resolves an issue (#4554) on Windows with the Windows services
  • Some enhancements in the GUI look and feel and in 508 compliance
  • Resolves some issues (#4529, #3891, #3404, #3402) with specific replication conflict resolution
  • Improves the startup time of the server and detection of services tags
  • Resolves an issue (#4553) with the referential integrity plugin when several attributes are configured but only one is in a user entry
  • Fixes an issue (#4386) when adding an entry with duplicate values, resulting in a NPE
  • Fixes an issue (#4468) with the way values in filters and indexes are normalized
  • Resolves some performance issue (#4384) in replication monitoring
  • Improves reliability of replication initialization protocol (Issues #3395 #3998)
  • Resolves several issues (#3966, #4406, #4536) with client tools and the control panel when the server disconnects on error
  • Fixes some issues with MakeLDIF utility
  • Resolves a few issues (#4520) within Import
  • Improves the SSHA password storage scheme to be compatible with hashes from other servers (#4558)
  • Resolves an issue (#4232) with Windows specific LDIF files during Import
  • Adds an option to log replication CSNs in the Access Logs, like Sun Directory Server does
  • Resolves an issue (#4556) with the Password Modify extended operation when some validation must be skipped for administrators
  • Resolves an issue (#2748) with the order of messages logged in the access logs
  • Resolves an issue where password policy subentries were not applied after being replicated


OpenDS 2.3.0-build002 is now available…

We have just uploaded OpenDS 2.3.0-build002, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build002 is built from revision 6400 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build002, including the detailed change log

Major changes since OpenDS 2.3.0 build001 include :

  • Multiple improvements on the Control Panel and the Setup
  • Multiple incremental improvements with the External Changelog, including reliability and performance (Issue #4478)
  • Upgraded the version of the Berkeley DB Java Edition to 4.0.95
  • Final fix for issue #4367, removing the need for BDB logging configuration via properties
  • Fixes some memory leaks with lots of connects and disconnects (Issue #4491)
  • Resolves a NPE when using Extensible Matching filters without matching rule OID (Issue #4385)
  • Fixes an issue (#4539) with the DSML gateway with JAXB and some Application Servers
  • Fixes an issue (#4492) in ACI where an NPE would occur when the base entry contains a single RDN component
  • Improves the reliability of the OpenDS Windows Services (Issues #4084 and #4381)
  • Resolves issue #4523 where ACI and sub-entry caches were not updated on replicas
  • Resolves issue #4538 where Virtual attributes would not be retrieved when the entry cache is configured
  • Fixes an issue with access controls that would give different results for cn=Directory Manager and plain user (Issue #4547)
  • Enhances the support and compliance of LDAP subentry, Collective attributes and Password Policy
  • Resolves several issues with Replication including Issues #4514, #4533 and #4534, and enhances the way Replication servers elect the servers they connect to (Issue #4343)
  • Renamed the extensions directory to “experimental”. The only experimental extension is the ArisID privacy control
  • Fixes several issues related to building OpenDS, especially on Windows.


Subversion authorization through LDAP with OpenDS

If you are building a centralized development environment for a team or a large group of users, the question of centralizing user identities, authentication and authorization always pops up, and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source projects like GlassFish, Apache Tomcat, SugarCRM… But not yet for Subversion. Thankfully, Wooter van Reeven, Senior Consultant at Yenlo, has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.

Update on March 18th.

Wooter has also posted a copy of the article on OpenDS documentation wiki.

I’ve also been aware of an older article on the subject of Subversion with Apache and LDAP by Jeremy Whitlock, engineer in the CollabNet Subversion team. This article contains more details on the Apache configuration parameters and snippets for both Apache 2.0 and Apache 2.2.


OpenDS Tab Sweep

It’s been a while since I last posted an OpenDS tab sweep. So here’s a list of news and pointers related to our open source LDAP directory server.

PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.

The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.

iConcur Software delivers Axiom, a new requirements management tool that integrates with OpenDS by default.

Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !

Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.

Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.

Sopera, a German company building an open source SOA, is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource).

SOPERA ASF ToolSuite partial screenshot

Also, in recent days a couple of new LDAP browsers appeared.

Finally, in an introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggests the Java-based OpenDS directory server as a good alternative for running your own LDAP service on MS infrastructure.


Directory Service Performance Optimization Strategy: Data Priming

Directory servers usually run for long periods of time and have stable performance once all caches are warmed by the traffic. But how do you get optimum performance as fast as possible right after starting the server? Brad Diggs has published Directory Data Priming Strategies, another blog post added to the series of articles on Sun (now Oracle) Directory Server Enterprise Edition 7, ZFS and Flash technologies.


The basics of Flash Memory

These days, everybody gets excited about Solid State Disks, flash memory and the performance improvements they have over other mass storage solutions.

We’ve been running some benchmarks of Sun Oracle Directory Server 7.0 leveraging new Sun flash-based hardware modules. Before we go into detail about their benefits, my colleague Brad Diggs posted a very educational article on the basics of Flash Memory to set a common understanding of the technology.

Read on and get ready for more data points on how ZFS and Flash Memory can improve Directory Server performance and scalability.
