Learning LDAP in Universities and Engineering Schools…

In the last few weeks, I’ve been involved with giving lectures on LDAP to French students (in French).

On February 24th, I was at INSA Lyon for a two-hour lecture introducing LDAP and Directory Services to an audience of approximately 120 students. The next day, Sylvain and 4 other engineers from the Sun Grenoble Engineering Center ran four sessions of a two-hour workshop on LDAP and Directory Services with OpenDS. Slides in French are available (and the English version as well).

On March 5th, invited by Julien Ponge, I was at ISIMA, the Engineering School from Clermont-Ferrand for a conference about LDAP and OpenDS. The talk was attended by about 30 students. Slides in French are here.


OpenDS 1.3.0-Build001 is now available

We have just uploaded OpenDS 1.3.0-build001, built from revision 5050 of our source tree, to our promoted builds folder.

OpenDS 1.3.0-build001 is the first promoted build from the trunk past the 1.2.0 stable release, and the first of a series leading to OpenDS 2.0 sometime in June.

There are many updates in this build: some internal code refactoring (such as the ASN.1 library and its support classes), some performance improvements and some new features. Code for a new backend has been committed but is not built by default; it provides remote access to the NDB database used by MySQL Cluster.

Happy testing…

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.3.0-build001/OpenDS-1.3.0-build001.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.3.0-build001/OpenDS-1.3.0-build001-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.3.0-build001/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.3.0-build001.

Major changes incorporated since OpenDS 1.2.0 include:

  • Revision 4714 – L10n localization of generated files.
  • Revision 4715 – Fix double extension loading when instance and install are in the same directory.
  • Revision 4717 (Issue #3621) – Ensure that the import-ldif command uses the correct default port (4444).
  • Revision 4718 – Upgrade the je.jar to version 3.3.75.
  • Revision 4719 (Issue #3644) – Fix an issue that caused dsconfig to fail without an error message.
  • Revision 4722 – Change the TDES key size to use an effective key size of 112.
  • Revision 4723 & 4776 (Issues #3640 and 497) – Refactor the replication code to make it more generic and provide the assured replication feature.
  • Revision 4728 – Make the generic menu bar class public so that potential extensions of the control panel can use it.
  • Revision (Issue #3639) – Fix an issue that prevented a restore from being applied to the correct backend when more than one backend was defined.
  • Revision 4735 (Issue #3653) – Ensure that the status command displays the LDIF Connection Handler in its list of connection handlers.
  • Revision 4748 – Provide the ability to create a monitor provider with hierarchical naming, modify the Network Monitor provider names to include hierarchical naming, provide basic monitoring objects, add monitoring instrumentation for connection handlers, and add the ability to do a subtree search in the monitor backend.
  • Revision 4749 – Add two monitor objects.
  • Revision 4753 (Issue #3641) – Register service tags from SVR4 pkg installs.
  • Revision 4759 (Issue #274) – Provide support for recurring tasks.
  • Revision 4764 (Issue #3668) – Ensure that the Control Panel displays connection handler listen addresses correctly.
  • Revision 4765 – Improvements to the assured replication feature.
  • Revision 4768 (Issue #3657) – Correct a problem with the “Save” button in the “Manage Entries” panel.
  • Revision 4769 – Extend GenericDialog so that its extending classes can use a customized message for the title.
  • Revision 4770 (Issue #262) – Provide a plug-in for Collation/Internationalization.
  • Revision 4772 (Issue #3671) – Provide a configuration completed listener.
  • Revision 4773 (Issue #3645) – Generate aggregation constraints correctly.
  • Revision 4775 (Issue #3667) – Make dsconfig usage messages consistent.
  • Revision 4779 – Improvements to the assured replication feature.
  • Revision 4781 – Provide support for dynamic domain group id reconfiguration in replication servers.
  • Revision 4782 (Issue #3674) – Provide support for backup and export in the tasks back end.
  • Revision 4783 – Allow for removal of backups in the schema back end.
  • Revision 4788 – Replace Latin1 characters with valid escaped UTF-8 characters in DNs/RDNs.
  • Revision 4791 – Implement support for click-through license approval in quicksetup.
  • Revision 4792 (Issue #3676) – Fix a problem that prevented ldapmodify from processing the ;binary transfer option.
  • Revision 4795 – Provide support for NULL back ends.
  • Revision 4800 (Issue #3694) – Fix the BER encoding/decoding for negative integers.
  • Revision 4803 (Issue #3689) – Fix an issue in which the Control Panel displayed the incorrect hostname.
  • Revision 4804 (Issue #3688) – Remove unexpected html tags in the output of the status command and provide support for connection handlers with multiple listen addresses.
  • Revision 4805 – Allow the extension of dsreplication userdata objects, extend the server descriptor used by the internal administrator, allow back ends to be disabled if the server is configured in manual mode.
  • Revision 4807 (Issue #3685) – Correct a Swing repainting problem in the control panel.
  • Revision 4808 (Issue #3695) – Improve the way in which the example plugin ant file handles message creation on Windows.
  • Revision 4809 (Issue #3640) – Improvements to the generic replication service.
  • Revisions 4810, 4811, 4817, 4818, 4819 & 4843 – Add support for client connection affinity.
  • Revision 4814 – Improve the license acceptance mechanism.
  • Revision 4815 – Enable OpenDS servers to load data from Directory Server Enterprise Edition servers.
  • Revision 4820 (Issue #3700) – Correct the handling of failure of a workflow element creation.
  • Revision 4822, 4842 – Fixes to the assured replication mechanism.
  • Revision 4823 (Issue #3699) – Correct the way in which the server handled the password Expired Control during a BIND operation, if the password had been reset.
  • Revision 4827 (Issue #3698) – Fix a problem that prevented changing the Directory Manager password with the Control Panel.
  • Revision 4829 – Allow import-ldif to load VLV indexes.
  • Revision 4830 (Issue #3701) – Correct the way in which setup manages back ends when replication involves multiple base-dns.
  • Revision 4831 (Issue #3709) – In the Control Panel, change the value of the “Backup Path” to the instance path (rather than the installation path)
  • Revision 4833 (Issue #2829) – Fix problems that occurred when configuring and unconfiguring replication servers.
  • Revision 4835 (Issue #3710) – Fix a Control Panel error that occurred when creating a new base DN with automatically generated data.
  • Revision 4840 (Issue #3711) – Allow remote server debugging.
  • Revision 4844 – Reduce replication overhead.
  • Revision 4855 (Issue #3579) – Ensure that import-ldif countRejects works as expected.
  • Revision 4856 (Issue #3640) – Refactor replication code to make it more generic.
  • Revision 4858 & 4859 (Issue #3683) – Fix a problem that caused the replication conflict resolution code to assume a conflict when replication replayed a DELETE on an entry with child entries.
  • Revision 4861 – Enable assured replication monitoring.
  • Revision 4862 (Issue #3716) – Fix a problem that caused start-ds.bat to use the wrong environment variable for passing arguments.
  • Revision 4863 (Issue #3717) – Allow command line output and error stream to be changed.
  • Revision 4870 & 4902 (Issue #3724) – Instead of using a hardcoded trust manager provider and algorithm, use the default algorithm of the JVM.
  • Revision 4872 (Issue #3723) – Fix the ACI SSF bind rule != operator.
  • Revision 4874 (Issue #3718) – Correct a problem that caused the -A, –typesOnly option to be ignored by ldapsearch.
  • Revision 4887 (Issue #3131) – Fix a problem that caused upgrades using the webinstaller to hang on Windows.
  • Revision 4896 (Issue #3731) – Remove the status-panel command (which has been replaced by control-panel).
  • Revision 4898 (Issue #3733) – When performing a search on the root DSE to retrieve the list of namingContexts, display only the public naming contexts visible through the current network group.
  • Revision 4905 (Issue #3736) – Correct a problem that prevented replication dynamic purge delay changes from being taken into account.
  • Revision 4909 (Issue #3750) – Improve the behaviour when forcing a password change after admin reset.
  • Revision 4912 – Extend the directory server so that other tools launching it can impose their own usage message.
  • Revision 4921 – Allow overwriting classes to specify whether the schema should be read.
  • Revision 4922 (Issue #3726) – Fix a problem that prevented the RealAttributesOnly Control from working when the types-only search option was enabled.
  • Revision 4923 – Add 508 compliance to the Browse Schema panels on the Control Panel.
  • Revision 4925 – Update the ServiceTag data configuration with an optional configuration directory.
  • Revision 4926 & 4928 (Issue #3760 & 3761) – Fix a problem that caused dsconfig to exit abruptly when creating a component with a missing parent or when creating a component with the same name.
  • Revision 4931 (Issues #3446 & 3726) – Introduce comprehensive unit tests for checking attribute filtering in search operations, add improvements to the virtual attribute provider API, add improvements to virtual attribute processing during Entry duplication.
  • Revision 4932 (Issues #3682 & 3643) – Addition of localized resource files with new translations.
  • Revision 4937 (Issue #3561) – Fix an issue that prevented aliased attributes from being returned properly.
  • Revision 4941 (Issue #3763) – Provide a dsconfig error message if a type of object does not exist.
  • Revision 4942 – Fix a problem that prevented entry locks from being released.
  • Revision 4944 – Update the SVR4 factory to avoid conflict with the IPS factory.
  • Revision 4946 – Provide support for collation indexing.
  • Revision 4949 – Fix a problem with IPv4 wild card pattern matching that prevented address masks of the form “*.*.*.*” from ever matching an IPv4 address.
  • Revision 4950 (Issue #3734) – Make network group policies extensible.
  • Revision 4956, 4957 & 4961 – ASN1 refactoring.
  • Revision 4958 – Make it possible for users to configure the Control Panel refresh period.
  • Revision 4962 (Issue #3391) – Fix a problem that prevented custom DIT Structure Rules from being added to 99-user.ldif.
  • Revision 4963 (Issue #3606) – Fix a problem that prevented the isMemberOf attribute from working for dynamic groups.
  • Revision 4964 – Add a user interface to display global monitoring information and connection handler monitoring information.
  • Revision 4969 (Issue #3775) – Fix an intermittent unit test failure in the NetworkGroupTest and add support for finalizing the NetworkGroupConfigManager.
  • Revision 4972 – Add the displayCommand and commandFilePath options to the dsreplication command. Also, fix an issue that prevented some passwords passed in the command-line as file arguments from being taken into account in interactive mode.
  • Revision 4981 – Add a check for a null SASL Context and fix an error message in the EXTERNAL Digest Handler.
  • Revision 4986 – First phase of support for an NDB backend.
  • Revision 4991 (Issue #3795) – Fix a problem that caused TLS to fail when adding or modifying a large attribute.
  • Revision 4993 (Issue #3797) – Ensure that the directory server logs its instance path at startup.
  • Revision 4998 (Issue #3774) – Fix a problem that prevented the sort control from working with collation matching rules.
  • Revision 4999 (Issue #3801) – If a connection handler has no address defined in its configuration, only show the port of the connection handler, rather than a fictitious address.
  • Revision 5004 (Issue #3805) – Support for SASL Connection Security (Phase2).
  • Revision 5006 (Issue #3806) – Fix a problem that caused an ldapsearch operation on the rootDSE to return error 255 if no back end was defined.
  • Revision 5008 (Issue #3800) – Redesign the Monitoring General Information panel to handle the display of a large number of operations.
  • Revision 5009 (Issue #3806) – Prevent schema elements in 06-compat.ldif from being deleted by a user.
  • Revision 5010 (Issue #3803) – Correct ASN.1 encoding of VLVResponseControl so it sends the result code as a BER Enumerated instead of Integer.
  • Revision 5011 (Issue #3809) – Add a flush() call to the ASN1Writer to make sure that all bytes are sent out.
  • Revision 5017 (Issue #3812) – Display a warning if the user provides the wrong replication port for an existing replication server.
  • Revision 5018 (Issue #3804) – Improve replication monitoring.
  • Revision 5023 (Issue #3815) – Declare the Netscape password expired and password expiring controls in the supportedControl attribute of the root DSE.
  • Revision 5024 (Issue #3820) – Fix an issue that prevented the removal of spaces at the end of string with Non-ASCII characters.
  • Revision 5025 (Issues #3687 & 3690) – Fix a problem that caused incorrect SNMP values to be displayed.
  • Revision 5027 (Issue #3817) – Fix a problem that caused the configuration to break when a second workflow was defined with cn=config as its base DN.
  • Revision 5029 & 5030 (Issue #3802) – Fix incorrect script launcher return codes.
  • Revision 5031 & 5035 (Issue #3826) – Fix a problem that prevented ldapsearch from prompting for a bind password if the -w option was not provided.
  • Revision 5032 (Issue #3798) – Fix a problem that prevented the server from using more than 50% of machine memory.
  • Revision 5033 (Issues #3808 & 3810) – Fix the hasSubordinates attribute under cn=monitor and prevent a Parent DN entry from being returned when using a child entry as the search base DN.
  • Revision 5036 (Issue #3765) – Correct the way in which export-ldif handles relative paths.
  • Revision 5038 (Issue #3834) – Fix a problem that caused an exception when dsconfig was used to configure a Network Group QOS Policy in interactive mode.
  • Revision 5040 (Issue #3840) – Fix a problem in the license file that broke the Java Web Start installer.
  • Revision 5042 (Issue #3849) – Allow read-only properties to be modified at component creation time.
  • Revision 5043 (Issue #3846) – Provide routines in the WorkflowElement class to retrieve child workflow elements.
  • Revision 5044 (Issue #3841) – Fix performance degradations observed when using LDAPWriter.
  • Revision 5045 (Issue #3852) – Fix a problem that caused dsconfig to exit when parent component did not exist, if run in interactive mode.
  • Revision 5046 (Issue #3844) – Ensure that replication changes are not lost when ReplicationDomain.publish is called by several threads.
  • Revision 5050 (Issue #3845) – Fix an IllegalStateException that occurred during Schema Backend initialization.


OpenDS tips for the developer: One click debug and profiling with NetBeans

If you are using the NetBeans IDE, you can check out the OpenDS code from the SVN repository and immediately create a free-form project. Debugging or profiling OpenDS is then a single click away, as all the necessary hooks are provided in the OpenDS build.xml file.

Simply click the Debug Project icon in the NetBeans IDE toolbar to start a debugging session of the OpenDS server, or click the Profile Project icon for a profiling session.

If you want more advanced integration of OpenDS with the NetBeans IDE, you can download the sample nbproject.zip file from the OpenDS Documentation wiki and follow the instructions on this page.


OpenDS Tips: Adding schema from OpenLDAP

The OpenDS schema format is slightly different from the OpenLDAP one, but it is quite simple to convert schema files from one format to the other.

OpenDS, like Sun Directory Server Enterprise Edition and Fedora DS, stores its schema as RFC 4512 definitions in LDIF files, and is strict about that format.

In OpenLDAP, the text of each schema definition is essentially the same RFC 4512 notation, but the file uses the printer-friendly layout of the RFC documents themselves rather than LDIF.

So when converting schema files from OpenLDAP for use in OpenDS, there are mainly four differences to take care of:

  • In OpenLDAP, an attribute definition begins with “attributetype”, while in OpenDS it begins with “attributetypes: ”
  • Similarly, in OpenLDAP an object class definition has an “objectclass” prefix, while in OpenDS it is “objectclasses: ”
  • OpenDS follows the LDIF conventions: a continuation line begins with a single space character, and an empty line is an entry separator
  • Finally, OpenDS schema files have a .ldif extension, and only files with that extension are loaded from the config/schema directory.

The following Python script converts an OpenLDAP schema file to a format usable by OpenDS (and by Sun Directory Server Enterprise Edition). The script also recursively expands the OID macros (objectIdentifier definitions) used in OpenLDAP schema files.

Syntax definitions are currently ignored: OpenDS cannot load them from a schema file, since a syntax requires associated code.

Usage is quite simple: schema-convert.py -o result.ldif openldap-schema-file

Enjoy, and don’t hesitate to send feedback and suggestions for improvement.

Update on March 15: I’ve added support for name prefixed OIDs substitution as suggested by Martin Gwerder.

Update on April 9: OpenDS schema files use the .ldif extension, and only files with this extension are loaded by the server from the config/schema directory.

Update on July 31: Now checking for and removing quotes around SUP or SYNTAX values.

#!/usr/bin/env python3
# encoding: utf-8
"""
schema-convert.py
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#      Copyright 2009 Sun Microsystems, Inc.
Created by Ludovic Poitou on 2009-01-28.
This program converts an OpenLDAP schema file to the OpenDS schema file format.
"""
import sys
import getopt
import re

help_message = '''
Usage: schema-convert.py [options] <openldap-schema-file>
options:
\t -o output : specifies the output file, otherwise stdout is used
\t -v : verbose mode
'''


class Usage(Exception):
    def __init__(self, msg):
        self.msg = msg


def expand_oid(token, IDs):
    """Resolve an OpenLDAP OID macro reference against the objectIdentifier
    definitions seen so far. A numeric OID is returned unchanged, "name:suffix"
    becomes "<OID of name>.suffix", and a bare "name" becomes its OID."""
    if re.match(r"[0-9.]+$", token):
        return token
    if ":" in token:
        # The OID is a name-prefixed OID. Replace the prefix with its OID.
        prefix, suffix = token.split(":", 1)
        return IDs[prefix] + "." + suffix
    # The OID is a macro name. Replace it with its OID.
    return IDs[token]


def main(argv=None):
    output = ""
    seclineoid = 0      # 1 when the OID is expected on the next line
    IDs = {}            # OID macro name -> numeric OID
    verbose = False
    if argv is None:
        argv = sys.argv
    try:
        try:
            opts, args = getopt.getopt(argv[1:], "ho:v", ["help", "output="])
        except getopt.error as msg:
            raise Usage(msg)
        # option processing
        for option, value in opts:
            if option == "-v":
                verbose = True
            if option in ("-h", "--help"):
                raise Usage(help_message)
            if option in ("-o", "--output"):
                output = value
        if not args:
            raise Usage("missing OpenLDAP schema file")
    except Usage as err:
        print(sys.argv[0].split("/")[-1] + ": " + str(err.msg), file=sys.stderr)
        print("\t for help use --help", file=sys.stderr)
        return 2
    try:
        infile = open(args[0], "r")
    except IOError as err:
        print("Can't open file: " + str(err), file=sys.stderr)
        return 1
    if output != "":
        try:
            outfile = open(output, "w")
        except IOError as err:
            print("Can't open output file: " + str(err), file=sys.stderr)
            return 1
    else:
        outfile = sys.stdout
    # LDIF entry header expected by OpenDS for a schema file
    outfile.write("dn: cn=schema\n")
    outfile.write("objectclass: top\n")
    for i in infile:
        newline = ""
        if not i.strip():
            continue
        #if i.startswith("#"):
        #    continue
        if re.match("objectidentifier", i, re.IGNORECASE):
            # Record the OID macro: "objectIdentifier name OID-or-macro:suffix"
            oid = i.split()
            IDs[oid[1]] = expand_oid(oid[2], IDs)
            continue
        if seclineoid == 1:
            # The previous line was a bare "attributetype (" or "objectclass (":
            # this line starts with the OID, so expand it if it is a macro.
            subattr = i.split()
            if not re.match("[0-9.]+", subattr[0]):
                newline = i.replace(subattr[0], expand_oid(subattr[0], IDs), 1)
            seclineoid = 0
        if re.match("attributetype ", i, re.IGNORECASE):
            newline = re.sub("attributetype", "attributeTypes:", i, count=1, flags=re.IGNORECASE)
            # replace OID string with real OID if necessary
            subattr = newline.split()
            if len(subattr) < 3:
                seclineoid = 1
            elif not re.match("[0-9.]+", subattr[2]):
                newline = newline.replace(subattr[2], expand_oid(subattr[2], IDs), 1)
        if re.match("objectclass ", i, re.IGNORECASE):
            newline = re.sub("objectclass", "objectClasses:", i, count=1, flags=re.IGNORECASE)
            # replace OID string with real OID if necessary
            subattr = newline.split()
            if len(subattr) < 3:
                seclineoid = 1
            elif not re.match("[0-9.]+", subattr[2]):
                newline = newline.replace(subattr[2], expand_oid(subattr[2], IDs), 1)
        # Remove quotes around SYNTAX and SUP values, working on the already
        # updated line if there is one, otherwise on the original line.
        work = newline if newline != "" else i
        if re.search(r"SYNTAX\s'[\d.]+'", work):
            newline = re.sub(r"SYNTAX '([\d.]+)'", r"SYNTAX \g<1>", work)
            work = newline
        if re.search(r"SUP\s'[\w\-]+'", work):
            newline = re.sub(r"SUP '([\w\-]+)'", r"SUP \g<1>", work)
        # transform continuation lines (OpenLDAP indents with spaces or a tab)
        # into LDIF continuation lines, which must start with a space
        if re.match("  +|\t", i):
            if newline != "":
                newline = "  " + newline.strip() + "\n"
            else:
                newline = "  " + i.strip() + "\n"
        if newline != "":
            outfile.write(newline)
        else:
            outfile.write(i)
    infile.close()
    if outfile is not sys.stdout:
        outfile.close()
    return 0


if __name__ == "__main__":
    sys.exit(main())
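The four differences listed above, and the OID macro expansion the script performs, are easy to get subtly wrong when a file is converted or touched up by hand. As an added example (not part of the original post and not part of schema-convert.py), here is a small checker to run on the converted file before copying it into config/schema: it unfolds the LDIF continuation lines, parses each attributeTypes:/objectClasses: definition as RFC 4512 text, and reports unconverted OpenLDAP keywords, tab-indented continuation lines, non-numeric OIDs (an unexpanded macro), OpenLDAP-style quotes around SUP or SYNTAX values, and a file name without the .ldif extension. The two schema fragments embedded below are constructed for the example; the OIDs in them are not real.

```python
#!/usr/bin/env python3
"""Sanity-check a converted schema file before copying it into config/schema."""
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")                       # numeric dotted OID
NAME_RE = re.compile(r"\bNAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')")
SUP_RE = re.compile(r"\bSUP\s+('?[\w.\-]+'?)")              # single SUP, not SUP ( a $ b )
SYNTAX_RE = re.compile(r"\bSYNTAX\s+('?[\d.]+'?)")

# Constructed sample: what a correct conversion of a two-element OpenLDAP
# schema looks like (made up for this example, not a real schema).
GOOD = """dn: cn=schema
objectclass: top
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadge'
  DESC 'Badge number' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP inetOrgPerson
  STRUCTURAL MAY ( exampleBadge ) )
"""

# Constructed sample of the mistakes the checker is meant to catch: an
# unconverted OpenLDAP line with a tab continuation, then a converted line
# whose OID macro was never expanded and whose SUP/SYNTAX are still quoted.
BAD = """attributetype ( exampleAttrs:1 NAME 'exampleBadge'
\tSYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributeTypes: ( exampleAttrs:2 NAME 'exampleFloor'
  SUP 'name' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the line before."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_definition(body):
    """Extract OID, NAME list, SUP and SYNTAX from one RFC 4512 definition body."""
    m = re.match(r"\(\s*(\S+)\s+(.*)\)\s*$", body.strip(), re.S)
    if not m:
        return None
    oid, rest = m.group(1), m.group(2)
    name_m, sup_m, syn_m = NAME_RE.search(rest), SUP_RE.search(rest), SYNTAX_RE.search(rest)
    return {
        "oid": oid,
        "names": re.findall(r"'([^']+)'", name_m.group(1)) if name_m else [],
        "sup": sup_m.group(1) if sup_m else None,
        "syntax": syn_m.group(1) if syn_m else None,
    }


def check_schema(text, filename="99-user.ldif"):
    """Return a list of problems; an empty list means the file looks loadable."""
    problems = []
    if not filename.endswith(".ldif"):
        problems.append("%s: only *.ldif files are read from config/schema" % filename)
    for line in unfold_ldif(text):
        low = line.lower()
        if line.startswith("\t"):
            problems.append("tab-indented continuation is not LDIF folding: %r" % line[:40])
        elif low.startswith(("attributetype ", "objectclass ", "objectidentifier ")):
            problems.append("OpenLDAP keyword left unconverted: %r" % line[:40])
        elif low.startswith(("attributetypes:", "objectclasses:")):
            d = parse_definition(line.split(":", 1)[1])
            if d is None:
                problems.append("unparseable definition: %r" % line[:40])
                continue
            if not OID_RE.match(d["oid"]):
                problems.append("non-numeric OID (unexpanded macro?): %s" % d["oid"])
            for key in ("sup", "syntax"):
                if d[key] and d[key].startswith("'"):
                    problems.append("quoted %s value (OpenLDAP style): %s" % (key.upper(), d[key]))
            if d["syntax"] and not OID_RE.match(d["syntax"].strip("'")):
                problems.append("SYNTAX is not an OID: %s" % d["syntax"])
    return problems


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            for p in check_schema(f.read(), filename=path):
                print("%s: %s" % (path, p))
```

SUP references to elements defined in other schema files (inetOrgPerson, name) are deliberately not resolved here; the server does that at startup and will refuse to load a file whose superior is unknown, so keep the file names sorted so that dependencies load first.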


What’s your OpenDS story ?

Have you deployed OpenDS, for a proof of concept, a pilot or production use? If so, read on!

We’re adding OpenDS to the “Stories” blog, highlighting real-world use of OpenDS. If you have deployed OpenDS and are using it, please take a look at our standard questionnaire (we now have a standard form to gather data), and if possible fill it out and mail it to the following email address: stories@sun.com

Alternatively, write up and publish a blog post, or create a video about your implementation, and send us the link. We want to show our appreciation for sharing, so for the top 30 stories we receive we will send you a free t-shirt (please include an address in your submission).

Thanks for your continued participation in OpenDS!

OpenDS 1.2 is now available to OpenSolaris users

OpenDS 1.2 was released last month, and one goal of this release was to make it available as part of OpenSolaris.

And I’m happy to announce that starting with OpenSolaris build 107, you can now get and install OpenDS with the pkg(5) command from http://pkg.opensolaris.org/dev/

OpenDS in OpenSolaris Pkg Repository


OpenDS Tips: Copying instances of OpenDS.

One of the things we are very proud of with the OpenDS project is its ease of use, and this is very well illustrated by the QuickSetup installer.

Based on our past experience, we’ve made sure that the OpenDS server makes no use of absolute paths.

For the developer, this is really handy. It allows you to move an installed OpenDS instance from one directory to another very easily: you just stop the server, move the instance to a larger or faster disk, and restart it.

Similarly, you can also create a new instance of the server by copying the installed server to a new location (instead of moving it). If you do this to run both instances at once, don’t forget to edit the configuration file (config/config.ldif) to change the port numbers (LDAP, LDAPS and Admin), and possibly the replication configuration if replication was enabled on the initial server.

In our daily tests with OpenDS, we use this capability a lot, especially when we run benchmarks. After having installed, configured and tuned the OpenDS instance, we make a copy that we start and run the tests against. When finished, we capture the desired results, and delete the instance. And we repeat the steps, making sure we have consistent results.

As all of our tests are done with multi-master replication enabled, we run them with 2 instances on separate machines. So we need to restore 2 instances to their initial state to reproduce a test. The ability to do “cp -r RefInstance/ TestInstance/” on both machines is definitely a key advantage for us.

Note that if you install OpenDS 1.2 on OpenSolaris from the IPS package repository, there is a separation between the installation path (where the binaries and default configuration is stored) and the instance path (where the data and live configuration is stored). The instance path is stored in a file named instance.loc which is under /etc/opends/. Moving instances can be done, as long as the instance.loc file gets updated (manually).
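The copy-then-edit step described above, as an added example that is not part of the original post or of OpenDS itself: it copies a stopped instance tree and rewrites ds-cfg-listen-port only inside the LDAP, LDAPS and administration connector entries of config/config.ldif, leaving any other listener (JMX, for instance) untouched, which a global search-and-replace on a port number would not guarantee. The entry DNs in PORT_ENTRIES and the sample configuration text are assumptions made for this example; replication settings still have to be reviewed by hand.

```python
#!/usr/bin/env python3
"""Clone a stopped OpenDS instance and give the copy its own listen ports."""
import os
import shutil
import tempfile

# Assumed DNs of the config.ldif entries that carry a listen port (example only).
PORT_ENTRIES = {
    "ldap": "cn=LDAP Connection Handler,cn=Connection Handlers,cn=config",
    "ldaps": "cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config",
    "admin": "cn=Administration Connector,cn=config",
}

# Constructed stand-in for config/config.ldif, reduced to the attributes that matter here.
SAMPLE_CONFIG = """dn: cn=config
objectClass: top

dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config
ds-cfg-enabled: true
ds-cfg-listen-port: 1389

dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
ds-cfg-listen-port: 1636

dn: cn=JMX Connection Handler,cn=Connection Handlers,cn=config
ds-cfg-listen-port: 1689

dn: cn=Administration Connector,cn=config
ds-cfg-listen-port: 4444
"""


def rewrite_ports(ldif_text, new_ports):
    """Change ds-cfg-listen-port only inside the entries selected by new_ports
    (keys ldap/ldaps/admin). Entries are delimited by their dn: line and the
    blank line that follows, so unrelated listeners keep their port."""
    wanted = {PORT_ENTRIES[k].lower(): int(v) for k, v in new_ports.items()}
    out, current = [], None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn: "):
            current = line[4:].strip().lower()      # entering a new entry
        elif not line.strip():
            current = None                          # blank line closes the entry
        elif current in wanted and line.lower().startswith("ds-cfg-listen-port:"):
            line = "ds-cfg-listen-port: %d" % wanted[current]
        out.append(line)
    return "\n".join(out) + "\n"


def clone_instance(src, dst, new_ports):
    """cp -r src dst, then patch the copy's config.ldif. Stop the server before
    calling this: copying a live instance copies an inconsistent database."""
    shutil.copytree(src, dst)
    cfg = os.path.join(dst, "config", "config.ldif")
    with open(cfg) as f:
        text = f.read()
    with open(cfg, "w") as f:
        f.write(rewrite_ports(text, new_ports))
    return cfg


def listen_ports(cfg_path):
    """Listen ports in file order, to verify the result."""
    with open(cfg_path) as f:
        return [l.split(":", 1)[1].strip() for l in f if l.startswith("ds-cfg-listen-port:")]


def demo():
    """Build a throw-away fake RefInstance, clone it, return the clone's ports."""
    root = tempfile.mkdtemp()
    try:
        src = os.path.join(root, "RefInstance")
        os.makedirs(os.path.join(src, "config"))
        with open(os.path.join(src, "config", "config.ldif"), "w") as f:
            f.write(SAMPLE_CONFIG)
        cfg = clone_instance(src, os.path.join(root, "TestInstance"),
                             {"ldap": 2389, "admin": 5444})
        return listen_ports(cfg)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

On a packaged install that separates installation and instance paths, the same rewrite applies to the copied instance directory, and instance.loc must point at it as the post notes.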


Come and meet OpenDS in New York…

On Tuesday March 17th, members of the OpenDS project will be participating in the OpenSSO Community Day, an unconference for the developers, deployers and users of the OpenSSO project. As mentioned on the event wiki, we plan on leading a discussion on using LDAP and OpenDS as the Identity repository. Look at the list of suggested topics and add your own if you have some in mind.

The OpenSSO Community Day is free and only requires you to sign up. There are only a few seats left, so you’d better hurry. Sign up here.



CommunityOne East 2009

Then on Wednesday March 18th, I will be at CommunityOne East, a free and open developer conference. If you plan to be there and want to talk about OpenDS or LDAP, drop me a note and we’ll figure out a way to meet there. I will definitely be in the “OpenSSO: Enterprise Security” session, from 11:10am to 12:00pm.

And again, if you have not registered for CommunityOne East yet, do it now. The main conference is free but space is limited. Register today: http://developers.sun.com/events/communityone/2009/east/


Directory Masters will meet again this year…

As last year, Directory experts from all over the world will meet again in the Grenoble Engineering Center, France, on April 1st – 2nd, 2009, and later in Sun’s facilities in Somerset, NJ, USA, on April 29th – 30th, 2009.

The Directory Masters Event brings together a highly technical community of experts in the Directory space to share product knowledge and best practices, enabling sales and deployments of the Sun Directory Server Enterprise Edition and Sun OpenDS Standard Edition products. The event is open to Sun employees and Sun partners, more specifically those in Pre-Sales, Sales and Service Delivery who are involved in the design, architecture and deployment of large or mission-critical Directory services solutions.

During the two-day event, experts will present and discuss the Sun Directory Services roadmap, DSEE 7.0 new features, OpenDS present and future, best practices, experience reports and much more.

The event is free of charge but seating is limited. So if you’re interested, eligible and not registered yet, do it now!

Send an email at dirMasters09 at sun dot com indicating your name, title, company and/or organization, and of course which event you would like to participate in.

Location Details

  • Event Date: April 1-2, 2009
    Location: Grenoble, France
    Address: Sun Microsystems, Grenoble Engineering Center, 180 Avenue de l’Europe, Inovallée, 38334 Montbonnot cedex, France.

  • Event Date: April 29-30, 2009
    Location: Somerset, NJ, USA
    Address: Sun Microsystems Inc., 400 Atrium Drive, Somerset, NJ 08873, U.S.A.


Introducing Matthew Swift, Lead developer for OpenDS Core

Matthew Swift, the lead developer for the core server of the OpenDS project, has started a blog, and his first post is already a home run.

With illustrations and details, he explains the work he and his teammate Bo Li have done over the past couple of months, committed to the trunk of the project last Thursday and resulting in an impressive gain in both performance and reliability for the OpenDS server.

You can find even more details in the email he posted to the OpenDS developer mailing list.

Nice work Matt, keep posting on your blog but most importantly, keep bringing incredible features to the OpenDS project.


OpenDS 1.2.0 has been released

The OpenDS development team is very pleased to announce the release of OpenDS 1.2.0, a new important milestone for the OpenDS project.

OpenDS 1.2.0 is a minor release of the OpenDS project but contains several new features and many enhancements.

You can find a detailed Summary of Features, Enhancements and Fixes since the OpenDS 1.0 release on the OpenDS 1.2 documentation site, but here are some highlights:

  • A graphical control panel that enables basic server and data administration is available and replaces the OpenDS 1.0 status-panel
  • An administration connector manages all administration related traffic to the server. By separating user operations and administration operations, the administration connector ensures a better quality of service and simplifies logging and monitoring
  • Connections can be secured and encrypted with SASL mechanisms
  • The Access Control mechanism has been enhanced to control access based on the level of security of the connection
  • The ;binary transfer option is now supported
  • Standard schema files related to Solaris and OpenSolaris LDAP naming services are provided by default
  • Setup and tools provide enhanced support for the JCEKS keystore and alternate security providers

OpenDS 1.2.0 will be available in the OpenSolaris IPS package repository shortly, with extensive support for SMF and RBAC.

The documentation for OpenDS 1.2.0 is located on https://docs.opends.org/1.2/

For more information about OpenDS 1.2.0 please check the release notes.

And don’t forget to join the OpenDS project and its mailing lists for more information and more interaction with its community.


LDAP Referential Integrity

A thread of discussion on the subject of LDAP and referential integrity has surfaced this week. It started with James McGovern:

I also asked the question on How come there is no innovation in LDAP and was curious why no one is working towards standards that will allow for integration with XACML and SPML. I would be happy if OpenDS or OpenLDAP communities figured out more basic things like incorporating referential integrity.

Pat Patterson pointed out that OpenDS and OpenLDAP have support for referential integrity and so has Sun Directory Server for the last decade:

For some reason, James has a bee in his bonnet over referential integrity and LDAP. I’m really not sure where he’s coming from here – both OpenDS and OpenLDAP offer referential integrity (OpenDS ref int doc, OpenLDAP ref int doc), and Sun Directory Server has offered it for years (Sun Directory Server ref int doc). Does this answer your question, James, or am I missing something?

Bavo De Ridder thinks that the so-called referential integrity is not integrity:

So it seems that Sun Directory Service lets you delete a user but it promises to make sure that it will do its very best to delete any references to this user within a “update interval”.

This is partially true. Sun Directory Server can be configured to run the referential integrity processing immediately, in the same thread as the original delete operation. This still occurs as a post-operation plug-in, i.e. after the result has been returned to the client application.

Bavo continues:

It does not mention what a read after the deletion but before the plug-in kicks in will see. Will it still see the user as a member in a group although the user is deleted? I am pretty sure it does. This is of course, at least for me, enough proof that this functionality does not offer referential integrity. At best it offers some kind of deferred cascading deletes (or updates) with no semantics for reads done during the time interval between the original operation and this cascaded deletes and updates.

True. It does.

And I think we can argue about the notion of "referential integrity". It is true that this kind of server does not offer "transactional referential integrity", but it does the tidying that removes dangling references, which helps and simplifies applications. It is also worth mentioning that if an LDAP application had to do the referential integrity itself (i.e. remove dangling references), it could not do it in a single transaction, as there is no transaction mechanism in the LDAP protocol.

and he asks for an answer:

To Sun (and any other LDAP implementer): what would the impact be on read/write performance in LDAP if they would implement full referential integrity?

Maintaining fully consistent referential integrity would definitely have some read/write performance impact, as a single delete could cause updates to thousands of entries, possibly in other branches of the Directory Information Tree. LDAP operations usually apply to a single entry, and all servers respect the ACID properties for those. There are very few LDAP operations that apply to multiple entries: the ModDN operation, the SubTree Delete Control… Those operations have not been implemented in all servers, and where they are, they all come with some constraints and limitations because of the performance impact they can have on the server.

It’s worth noting that Directory Services are by nature distributed services and most servers also support a loosely consistent replication model. So supporting full referential integrity would first require support for a full distributed transaction mechanism, both in the LDAP protocol and in the directory servers. As of today, no directory server has support for transactions, but it’s on the roadmap for the OpenDS project, and investigation has already started.

We can expect to have full referential integrity in a future release of OpenDS, and then we will really be able to measure the performance cost.

Meanwhile, Sun customers are quite happy with the current referential integrity service that matches their expectations.
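Since the plug-in tidies references only after the delete has completed, the practical check is to audit an export of the data for references that point at entries which no longer exist. The following is an added example, not part of the original post and not OpenDS code: it parses a plain LDIF export (line folding and base64 values included), normalises DNs just enough for comparison, and lists every DN-valued attribute whose target entry is missing. The LDIF sample and the list of DN-valued attributes are constructed for the example.

```python
"""Audit an LDIF export for dangling DN references.

Added example, not part of the original post and not OpenDS code. The post
argues that a referential-integrity plug-in only tidies dangling references
after the delete has completed, so an audit over an export is the practical
way to see what is left behind between, or after, those runs. The sample
LDIF and the attribute list below are constructed for this example.
"""
import base64
from typing import Dict, List, Set, Tuple

# DN-valued attributes to follow (assumption: the usual membership and
# pointer attributes; extend this for a schema of your own).
DN_ATTRIBUTES = ("member", "uniquemember", "owner", "seealso", "manager")

# Constructed export: uid=bob was deleted but cn=admins still lists him.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
description:: QWxpY2UsIGFkbWluIG9uIGNhbGw=

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=all,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: all
uniqueMember: UID=Alice, OU=People,
 DC=example, DC=com
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse an LDIF export into {dn: {attr_lowercase: [values]}}.

    Handles folded lines (continuation lines start with one space), base64
    values ("attr:: ...") and '#' comments. Change records (changetype:)
    are not handled; this expects a plain export.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: List[str] = []

    def flush() -> None:
        attrs: Dict[str, List[str]] = {}
        dn = None
        for line in current:
            if line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries[dn] = attrs
        current.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]  # unfold continuation line
        else:
            current.append(raw)
    flush()
    return entries


def normalize_dn(dn: str) -> str:
    """Cheap DN normalisation for comparison: case-fold, drop whitespace
    around separators. Not a full RFC 4514 parser (no escaped commas)."""
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in rdns).lower()


def find_dangling_references(ldif_text: str) -> List[Tuple[str, str, str]]:
    """Return (referring_dn, attribute, target_dn) for every DN-valued
    attribute whose target entry is absent from the export."""
    entries = parse_ldif(ldif_text)
    existing: Set[str] = {normalize_dn(dn) for dn in entries}
    dangling: List[Tuple[str, str, str]] = []
    for dn, attrs in entries.items():
        for attr in DN_ATTRIBUTES:
            for target in attrs.get(attr, []):
                if normalize_dn(target) not in existing:
                    dangling.append((dn, attr, target))
    return dangling


if __name__ == "__main__":
    for referrer, attr, target in find_dangling_references(SAMPLE_LDIF):
        print(f"{referrer}: {attr} -> {target} (no such entry)")
```

Run it against the output of an export-ldif of the whole suffix; a non-empty report taken while the referential-integrity plug-in is idle means the tidying never happened (for instance for references in a suffix the plug-in is not configured to scan), while a report taken right after a delete only shows the window the discussion above is about.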


OpenDS Tips: Control the controls…

LDAP Controls are a way to change the default behavior of LDAP operations and thus enhance the service. Several controls have been defined and standardized at the IETF. Because some of those controls extend the service beyond the basic operations, you might want to restrict their use to specific users like the Directory Administrators.

The OpenDS LDAP directory server controls who can make use of the various LDAP controls through access control rules.

The default global ACIs contain a rule that lists the controls that can be used by all users:

ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)

This list allows the use of the Manage DSA IT Control (RFC 3296), the Real Attributes Only Control, the Virtual Attributes Only Control, the LDAP No-Op Control (draft-zeilenga-ldap-noop), the Password Policy Control (draft-behera-ldap-password-policy) and the Authorization Identity Control (RFC 3829).

If an application makes use of a control that is not allowed, the server returns an error like this one:

[LDAP: error code 50 - The request control with Object Identifier (OID) "1.2.840.113556.1.4.805" cannot be used due to insufficient access rights]

The control here is the SubTree Delete Control which extends the delete operation to operate over a complete subtree of entries.

To allow specific users to make use of the SubTree Delete Control, you will need to add a global ACI:

$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -X -n \
    set-access-control-handler-prop \
    --add global-aci:"(targetcontrol=\"1.2.840.113556.1.4.805\") \
    (version 3.0; acl \"Data Administrator SubTree delete control access\"; allow(read) \
    userdn=\"ldap:///cn=Data Administrator,dc=example,dc=com\";)"
Password for user 'cn=Directory Manager': *********

The above ACI grants the use of the SubTree Delete control to a single user whose DN is “cn=Data Administrator,dc=example,dc=com“.

Note that even if the user has the permission to use the Control, other access controls are still enforced to verify that the user has the permission to delete all the entries targeted by the operation.

You can find more information about the controls OpenDS supports, and about managing global ACIs, on the OpenDS Documentation Wiki.
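When reviewing a server, the question is usually the reverse of the tip above: given the global ACIs as they stand, which controls can an anonymous client or a given user request? The following is an added example, not code from the OpenDS project: it reads ds-cfg-global-aci values (the default "Anonymous control access" rule and the "Data Administrator SubTree delete control access" rule from this tip, reproduced here as a constructed config fragment) and answers that question. It models only a narrow subset of the ACI syntax, the targetcontrol target keyword with allow(read) and userdn bind rules of the forms ldap:///anyone, ldap:///all and ldap:///<dn>; OpenDS's real evaluator handles many more keywords (targetattr, groupdn, ip, ssf, deny rules and so on), so treat this as an audit aid, not as the access control decision.

```python
"""Which LDAP controls may a given bind DN request, according to the
targetcontrol ACIs of an OpenDS configuration?

Added example, not code from the OpenDS project. Only the targetcontrol
target keyword, allow(read) and userdn bind rules (ldap:///anyone,
ldap:///all, ldap:///<dn>) are modelled; every other ACI keyword is
ignored, which is an assumption, not how the server evaluates ACIs.
"""
import re
from typing import Dict, List, Optional

# Constructed config fragment: the default rule quoted in the tip plus the
# rule the tip adds with dsconfig.
SAMPLE_GLOBAL_ACIS = [
    '(targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 '
    '|| 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 '
    '|| 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") '
    '(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)',
    '(targetcontrol="1.2.840.113556.1.4.805") (version 3.0; '
    'acl "Data Administrator SubTree delete control access"; allow(read) '
    'userdn="ldap:///cn=Data Administrator,dc=example,dc=com";)',
]

# Names for the OIDs mentioned in the tip, used for reporting only.
CONTROL_NAMES = {
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "2.16.840.1.113730.3.4.17": "Real Attributes Only",
    "2.16.840.1.113730.3.4.19": "Virtual Attributes Only",
    "1.3.6.1.4.1.4203.1.10.2": "LDAP No-Op",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy",
    "2.16.840.1.113730.3.4.16": "Authorization Identity (RFC 3829)",
    "1.2.840.113556.1.4.805": "Subtree Delete",
}

TARGETCONTROL_RE = re.compile(r'\(\s*targetcontrol\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
ALLOW_USERDN_RE = re.compile(
    r'allow\s*\(\s*read\s*\)\s*userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators (not RFC 4514)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_targetcontrol_aci(aci: str) -> Optional[dict]:
    """Extract name, OIDs, negation and allowed subjects from one ACI, or
    None when the ACI carries no targetcontrol target."""
    m = TARGETCONTROL_RE.search(aci)
    if not m:
        return None
    name = ACL_NAME_RE.search(aci)
    return {
        "name": name.group(1) if name else "",
        "oids": [o.strip() for o in m.group(2).split("||") if o.strip()],
        "negated": m.group(1) == "!=",        # targetcontrol!= means "all but these"
        "subjects": [s.strip() for s in ALLOW_USERDN_RE.findall(aci)],
    }


def control_allowed(acis: List[str], bind_dn: Optional[str], oid: str) -> bool:
    """True if a modelled ACI grants control `oid` to `bind_dn` (None means
    anonymous). Anonymous matches only ldap:///anyone; an authenticated user
    also matches ldap:///all and its own DN."""
    for aci in acis:
        parsed = parse_targetcontrol_aci(aci)
        if parsed is None:
            continue
        if (oid in parsed["oids"]) == parsed["negated"]:
            continue  # this ACI's target does not cover the control
        for subject in parsed["subjects"]:
            if subject.lower() == "anyone":
                return True
            if bind_dn is None:
                continue
            if subject.lower() == "all" or normalize_dn(subject) == normalize_dn(bind_dn):
                return True
    return False


def anonymous_controls(acis: List[str]) -> Dict[str, str]:
    """OID -> name for every explicitly listed control usable without
    binding. Anything powerful showing up here (Subtree Delete, for one)
    deserves a second look, even though the per-entry ACIs still apply."""
    granted: Dict[str, str] = {}
    for aci in acis:
        parsed = parse_targetcontrol_aci(aci)
        if parsed is None or parsed["negated"]:
            continue
        if any(s.lower() == "anyone" for s in parsed["subjects"]):
            for oid in parsed["oids"]:
                granted[oid] = CONTROL_NAMES.get(oid, "unknown control")
    return granted


if __name__ == "__main__":
    for oid, name in anonymous_controls(SAMPLE_GLOBAL_ACIS).items():
        print(f"anyone may use {oid} ({name})")
    admin = "cn=Data Administrator,dc=example,dc=com"
    print("admin may subtree-delete:", control_allowed(SAMPLE_GLOBAL_ACIS, admin, "1.2.840.113556.1.4.805"))
```

Feed it the ds-cfg-global-aci values from config.ldif, or the output of dsconfig get-access-control-handler-prop, and compare the result with the controls your applications actually send; an error code 50 from the server, as shown above, is what the gap looks like at run time.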


OpenDS Tips: More on preferences for OpenDS tools

In the previous tip for OpenDS, the LDAP directory server in Java, I explained how to set default properties for the OpenDS client tools such as dsconfig, backup, restore…

One of the developers on the OpenDS project reminded me of 2 additional options related to those preferences:

When working with multiple instances of OpenDS, it’s convenient to store the specific properties for each instance in a file, and then use the --propertiesFilePath option.

$ dsconfig --propertiesFilePath ./opends-Master2 set-server-prop …

Alternatively, it is possible to bypass the default properties file and use the OpenDS tools with a different, remote instance, with the --noPropertiesFile option.

$ dsconfig set-backend-prop --backend-name userRoot --add base-dn:dc=MyCompany,dc=com \
    --hostname localhost --port 4444 --bindDN cn=Directory\ Manager --bindPassword ****** \
    --trustAll --noPropertiesFile --no-prompt

You can find more details on the tools.properties file on the OpenDS documentation wiki.

Note: If you have OpenDS tips of your own, please share them with us. Send me a mail or leave a comment on this blog.
