Blogging with Ecto…

I’ve heard so many good things about Ecto that I’ve decided to give it a try…

Still 20 days before the evaluation license expires.

Directory Server Enterprise Edition 6.1

Sun Java System Directory Server Enterprise Edition 6.1 is now publicly available, about 3 months after the release of DSEE 6.0.

In this update release, you will get 2 major enhancements over version 6.0.

  • DSCC (the Graphical User Interface) is now available as a WAR file that can be deployed either in Sun Application Server (8.2, i.e. the one available in Java ES R5) or Tomcat 5.5.
  • dsadm has a new command “repack” that allows an administrator to “compact” the database files and optimize the database disk utilization.

It also includes other small changes that improve the ease of use and reliability of both Directory Server and Directory Proxy Server.

You can get it from the Directory Server Enterprise Edition Download page.

Since DSEE 6.0 was delivered on many platforms (Solaris SPARC, Solaris x86, Solaris x64, Linux, HP-UX and Windows) and in 2 flavors of each (the native package version, also known as the Java ES 5 version, and the zip version), you need to make sure you get the right update version for your platform. The download wizard is a great help for this. One warning though, if you’re looking to update DSEE on a Solaris x86 system: we distinguish between Solaris 9 x86 (i.e. the 32-bit architecture, which is also supported on Solaris 10) and Solaris 10 x64 (the 64-bit version, only supported on Solaris 10 with AMD or Intel 64-bit processors).

Make sure you install the required system patches first (for native packages), and the localization patches before the DSEE patch. And if you are installing in Solaris 10 Containers (zones), the system patches must be applied in the global zone.

The next release of DSEE is already being worked on (and mostly done), and will be available with Java Enterprise System 5 Update 1.

Future updates are also already in the works… Stay tuned.


OpenDS introduction podcast

I’ve just located and listened again to the OpenDS project introduction talk that Trey Drake and Don Bowen gave as part of the JavaOne 2007 Community Corner Talks.

The MP3 is 21 minutes long and worth listening to.

I’m sure that Trey will post the reading materials for this talk on his blog soon!

Atom/OpenDS and some nice comments

Atom/OpenDS

Trey has released on Java.net the code of the Atom/APP service that he built for JavaOne and CommunityOne, bringing identity, authentication and authorization to the Atom Publishing Protocol.

It is now a sub-project of OpenDS and you can join it at https://atom.dev.java.net/

Trey has received very nice comments from James Governor of RedMonk as well as from other people… Sincerely, he deserves them.

http://openid.sun.com/Ludo

This is my OpenID as provided by Sun. A cool service leveraging OpenDS for the storage of identities and session tokens, as proven by the Universal ID (which is the DN of my entry in the LDAP Directory Server) in the picture below.

Sun Openid user panel

JavaOne is over, next is Jazoon

JavaOne is over and once again it has been so busy during the week that I did not have the time to turn on the laptop and post here.

On the OpenDS booth, we’ve been pretty busy, explaining the project, its goals and the two demos that we’ve built on top of the directory server: an OpenID Identity Provider and an Atom / APP server. Our 0.8 release got some interest as we’ve seen a serious increase in our downloads and page views.

The Atom / APP server will be released in open-source as a sub-project of OpenDS.

The OpenID identity provider specific code for OpenDS will be contributed back to openid.dev.java.net project.

I’ve been able to attend a few sessions:

  • "JMX : who does what ?" brilliantly presented by Eamonn McManus and Jean-Francois Denise.
  • "High-Performance Java Technology in a Multicore World"
  • "Garbage-Collection-Friendly Programming"
  • "Beyond blogging: feeds in action" by Dave Johnson.
  • "Identity 2.0 in Java"

The fun part of JavaOne is always James Gosling’s general session on toys and fun stuff, and Java Real Time got a good share of it with dancing robots, an industrial-strength robot arm and even a helicopter.

Gosling, Java Fun and Toys

I’m going to take a few days off to recover from the May madness but not too long as I have to finalize the presentation that I will be giving on OpenDS at Jazoon 2007.
Jazoon Logo

OpenDS 0.8 has been released…

It’s been a while since the 0.1 build of OpenDS was made available.

We’ve made so many improvements in the code that we jumped to 0.8, as we’re definitely aiming for a 1.0 release by the end of the year.

I can only encourage you to try it. It’s simple, it’s fast, it’s just a click away.

For the complete details of all the new features of build 0.8, read Neil’s post on the subject.

CommunityOne and now JavaOne

It was a busy day yesterday for the first CommunityOne.

The OpenDS, OpenSSO, OpenID booth drew a lot of attention yesterday, with demos of an OpenID identity provider and an Atom Publishing Protocol server, both leveraging OpenDS for storage, retrieval and authentication of users and blog posts.

We will be running the same demos every day of JavaOne in the Community Corner.

We also had a little bit of presence on stage as I did a presentation introducing OpenDS and Cool Stuff during the last session of the Glassfish track.

Starring at our booth yesterday:

Today is the real start of JavaOne with its set of announcements…

Heading to CommunityOne

I just arrived yesterday in San Francisco for a week full of events, starting with CommunityOne and the Glassfish Day and then JavaOne for the rest of the week.

I’m heading to the Moscone Center now; let the fun begin…


A view from my hotel room on my arrival.

Join me at CommunityOne and JavaOne 2007.

I’m going to be at JavaOne this year, to present with a few other colleagues what we’re doing with OpenDS and also on the Java LDAP API front. And I will be supporting my co-workers from the Grenoble Engineering Center who had the chance to get their presentation accepted: Eamonn and Jean-Francois, Luis-Miguel, Christophe and Frederic, Paul, Bertrand.

I will also be present at the CommunityOne as OpenDS is part of the Glassfish track.

See you there. And if you have not registered, it is not too late.

Join Me at the 2007 JavaOne Conference Event Connect Tool!


Directory Server 6 and ldappasswd

Sun Java System Directory Server 6.0 now supports RFC 3062: LDAP Password Modify Extended Operation, and a new tool is delivered as part of Directory Server Enterprise Edition 6.0 to take advantage of it: ldappasswd.

ldappasswd allows a user or an administrator to change the password of any account. Of course, by default a set of restrictions is configured to prevent malicious use of this feature.

In order to be usable by users other than administrators, the Password Modify Extended Operation requires adding a specific ACI under cn=config.

An example of ACI for the Password Modify Extended operation is presented in the Directory Server Enterprise Edition Administration Manual.

But to allow any authenticated user to change their own password with this tool, the Directory Administrator must add the following entry and ACI, in addition to the usual ACI that allows self write on the userPassword attribute:

dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
cn: Password Modify Extended Op Access Control
aci: (targetattr != "aci")(version 3.0; acl "Allow Password Change
  Extended Op to all auth users"; allow( read , search, compare, proxy )
  (userdn = "ldap:///all" and authmethod = "SSL");)

Note that this ACI requires that ldappasswd be used over SSL (which is a good thing if you want to avoid passwords being transferred in cleartext on the network). The aci value above is folded over three lines in LDIF style: each continuation line starts with a single space that is dropped when the value is reassembled.

Now I can change my own password in LDAP with the tool:

ldappasswd -h <host> -p <port> -D "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=Com" -A -S -Z \
-P /home/ludo/security -N "LudoCert" -W keypasswd "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=com"
Old Password: myOldPasswd
New Password: aNewOne
Re-enter new Password: aNewOne
ldappasswd: password successfully changed
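What ldappasswd actually sends for this operation is a BER-encoded LDAP ExtendedRequest whose requestName is the very OID used in the cn=features entry above, 1.3.6.1.4.1.4203.1.11.1, and whose requestValue is the PasswdModifyRequestValue defined in RFC 3062. The Python below is an added example, not part of the original post or of the DSEE tools: it encodes that value and the surrounding LDAPMessage frame, and decodes the value back with bounds checking on every length. It goes slightly beyond the session above in that every field is OPTIONAL, so the same encoder covers an administrator naming another user (userIdentity set) and a server-generated password (newPasswd omitted); the DN and passwords in it are constructed to mirror the session shown.

```python
"""RFC 3062 Password Modify Extended Operation on the wire.

Added example, not part of the original post or of the DSEE ldappasswd tool;
standard library only, sample DN and passwords are constructed.
"""
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # the OID named in the cn=features entry above

# BER tags (LDAP uses IMPLICIT tagging, so [n] replaces the universal tag)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
TAG_CTX = (0x80, 0x81, 0x82)   # context-specific [0], [1], [2], primitive


def ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER (messageID) in minimal two's-complement form."""
    if n < 0:
        raise ValueError("negative message IDs are not used by LDAP clients")
    # +8 rather than +7 adds the leading 0x00 byte that a set high bit requires
    return tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_passwd_modify_value(user_identity: Optional[bytes] = None,
                               old_passwd: Optional[bytes] = None,
                               new_passwd: Optional[bytes] = None) -> bytes:
    """SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }, every field OPTIONAL.

    No userIdentity means "the bound user"; no newPasswd asks the server to generate one.
    """
    content = b"".join(tlv(TAG_CTX[i], f)
                       for i, f in enumerate((user_identity, old_passwd, new_passwd))
                       if f is not None)
    return tlv(TAG_SEQUENCE, content)


def encode_extended_request(message_id: int, oid: str, value: Optional[bytes]) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0], requestValue [1] OPTIONAL } }."""
    op = tlv(TAG_CTX[0], oid.encode("ascii"))
    if value is not None:
        op += tlv(TAG_CTX[1], value)
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_EXTENDED_REQUEST, op))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse the element at buf[pos]; returns (tag, content, position after it)."""
    # Every length is checked against the buffer so a truncated or hostile
    # value raises ValueError instead of being read out of bounds.
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify_value(data: bytes) -> Dict[str, Optional[bytes]]:
    """Inverse of encode_passwd_modify_value; rejects unknown tags and trailing bytes."""
    tag, content, end = read_tlv(data)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    result: Dict[str, Optional[bytes]] = dict.fromkeys(names.values())
    pos = 0
    while pos < len(content):
        tag, field, pos = read_tlv(content, pos)
        if tag not in names:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswdModifyRequestValue")
        result[names[tag]] = field
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the ldappasswd session in the post
    value = encode_passwd_modify_value(b"cn=Ludo,ou=Smart Engineers,dc=Sun,dc=com",
                                       b"myOldPasswd", b"aNewOne")
    print(encode_extended_request(1, PASSWD_MODIFY_OID, value).hex())
    print(decode_passwd_modify_value(value))
```

The frame carries the old and new passwords as plain OCTET STRINGs, which is exactly why the ACI above conditions access on authmethod = "SSL": nothing in the operation itself protects them, only the transport does.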

Paris Identity Management User Group (March 21st 2007)

Last week a Sun Identity Management User Group meeting was held in Paris. The attendance was really good, and in fact exceeded the room capacity as several customers turned out without pre-registering. I was really impressed by the diversity of customers, and the fact that they were coming from all over Europe (Czech Republic, Slovakia, Lithuania, Poland, Greece, Italy, Portugal, Germany, Netherlands, Belgium, UK, France, …).

The Identity Marketing team came in force with Andy Land, Don Bowen and Etienne Remillon (left to right).

Identity Management Marketing Team

Etienne, Directory Senior Product Manager, presented Directory Server Enterprise Edition 6.0 and demoed the new graphical console, Directory Service Control Center, and Virtual Directory Server.

Overall it was a good day of interaction with our customers, trying to understand their needs and their issues with our identity management products. If you’re a Sun customer, using Directory Server or other Sun Identity product, I would strongly encourage you to participate. Your feedback is important for us.

Questions and Answers

Winter is still here at the Grenoble Engineering Center

Last week, flowers and trees were blossoming and we thought the spring had arrived. But the winter reminded us yesterday that it was not over yet. It snowed yesterday and today in Grenoble (even down in the valley for the first time this year).

This morning we woke up with a couple of inches of snow in the garden, but all the roads were cleared.

Here’s a picture of Grenoble Engineering Center as I arrived in the office this morning. No more snow on the ground, but the mountains around are covered. As the sun is supposed to reappear later this week, it might be a pretty good week-end of skiing 🙂

Grenoble Engineering Center March 20th 2007

Directory Server and advanced certificate management

Directory Server 6.0 introduced many changes in its administration tools: a new GUI, new CLIs such as dsconf and dsadm.

dsadm has a set of commands for certificate management on directory server instances, such as requesting new certificates, listing certificates and adding certificates. This feature was added in Directory Server 6 because certutil, the utility shipped with the NSS library, is not officially supported.

The dsadm utility does the job in most cases, but there are some known limitations, such as no support for the subjectAltName extension. For those advanced use cases, the workaround is to use certutil (at your own risk).

One big difference between dsadm and certutil is the certificate store password. By default, the password is unknown to the administrators, and managed through a file. Certutil does require the password to be known.

To change the default password and be able to use certutil, run the following command as root or as the owner of the directory server instance:

>  /opt/SUNWdsee/ds6/bin/dsadm set-flags /local/demo/dstest cert-pwd-prompt=on
Choose the new certificate database password:
Confirm the new certificate database password:
Certificate database password successfully updated.

From then on, you can run "certutil -d /local/demo/dstest/alias -P slapd- …" with the appropriate options.

When you’re done, you can store the password again in a text file for use by dsadm or Directory Server at restart with the following command:

>  /opt/SUNWdsee/ds6/bin/dsadm set-flags /local/demo/dstest cert-pwd-prompt=off
Enter the certificate database password:
Certificate database password has been successfully stored.
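The three steps above (switch the instance to cert-pwd-prompt=on, run certutil against the alias directory with the slapd- prefix, switch back to cert-pwd-prompt=off so the server can read the password from its file at restart) are easy to leave half done when certutil fails. The Python below is an added example, not part of the original post or of DSEE: it brackets any certutil run between the two dsadm set-flags calls and restores the flag in a finally block, and uses the post's subjectAltName case as the command to run. The dsadm path and instance layout follow the post; the `run` parameter is a hypothetical hook so the sequence can be exercised without a real dsadm, and -R, -s, -8, -a and -o are standard NSS certutil options that the post does not mention.

```python
"""Bracket a certutil run with dsadm set-flags cert-pwd-prompt=on / off.

Added example, not part of the original post or of DSEE. The `run` hook is
hypothetical and exists so the sequence can be tested without dsadm/certutil.
"""
import os
import subprocess
from typing import Callable, List, Sequence

DSADM = "/opt/SUNWdsee/ds6/bin/dsadm"  # path used in the post
CERTUTIL = "certutil"                  # NSS certutil, assumed to be on PATH


def set_cert_pwd_prompt(instance: str, on: bool, run: Callable) -> None:
    """Flip the flag; dsadm itself prompts for the certificate database password."""
    flag = "cert-pwd-prompt=" + ("on" if on else "off")
    run([DSADM, "set-flags", instance, flag], check=True)


def certutil_command(instance: str, args: Sequence[str]) -> List[str]:
    """certutil must target the instance alias directory with the slapd- prefix (see post)."""
    return [CERTUTIL, "-d", os.path.join(instance, "alias"), "-P", "slapd-", *args]


def with_cert_pwd_prompt(instance: str, command: Sequence[str],
                         run: Callable = subprocess.run) -> int:
    """Run `command` with the cert DB password promptable, then always switch back.

    Switching back matters: in stored-password mode the server reads the password
    from its file at restart. Returns the command's exit status; an exception from
    the command propagates only after the flag has been restored.
    """
    set_cert_pwd_prompt(instance, True, run)
    try:
        return run(list(command)).returncode
    finally:
        set_cert_pwd_prompt(instance, False, run)


def request_cert_with_san(instance: str, subject: str, dns_names: Sequence[str],
                          out_file: str, run: Callable = subprocess.run) -> int:
    """Generate a CSR with dNSName subjectAltNames, the case the post says dsadm cannot do.

    -R (request), -s (subject), -8 (DNS SANs), -a (ASCII) and -o (output file)
    are standard NSS certutil options, not taken from the post.
    """
    cmd = certutil_command(instance, ["-R", "-s", subject, "-8", ",".join(dns_names),
                                      "-a", "-o", out_file])
    return with_cert_pwd_prompt(instance, cmd, run)


if __name__ == "__main__":
    # Constructed values; needs a real DSEE instance and certutil to do anything
    rc = request_cert_with_san("/local/demo/dstest", "CN=ldap.example.test,O=Example",
                               ["ldap.example.test", "ldap-alt.example.test"], "/tmp/ldap.csr")
    raise SystemExit(rc)
```

Run it as the instance owner, exactly as the post requires for dsadm set-flags; both dsadm and certutil will prompt on the terminal for the certificate database password you chose.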