If you are using the NetBeans IDE, you can check out OpenDS code from the SVN repository and create immediately a free form project. Debugging OpenDS or Profiling it is then immediately available in a single click as all the necessary hooks are provided in the OpenDS build.xml file.

Simply click on the Debug Project icon in the NetBeans IDE toolbar to start a debugging session of the OpenDS server, or click on the “Profile Project ICon” for a profiling session.

If you want more advanced integration of OpenDS with the NetBeans IDE, you can download the sample nbproject.zip fiile from the OpenDS Documentation wiki and follow the instructions from this page.

Technorati Tags: developer, directory-server, ide, java, ldap, netbeans, opends, opensource, tip

Have you deployed OpenDS, for proof of concept, pilot or production use ? If so, read on !

We’re adding OpenDS to the “Stories” blog, highlighting real-world use of OpenDS. If you have deployed OpenDS and are using it, please take a look at our standard questionnaire (we now have a standard form to gather data) , and if possible fill it out and mail it to the following email address: stories@sun.com

Alternately, write down and publish on a blog, or create a video bout your implementation and send us the link. We want to show our appreciation for sharing, so for the top 30 stories we receive we will send you a free t-shirt (please include an address in your submission).

Thank for your continued participation in OpenDS !

OpenDS 1.2 was released last month and the goal of this release was to make it available as part of OpenSolaris.

And I’m happy to announce that starting with OpenSolaris build 107, you can now get and install OpenDS with the pkg(5) command from http://pkg.opensolaris.org/dev/

Technorati Tags: directory-server, java, ldap, opends, opensolaris, opensource

One of the things we are very proud of with the OpenDS project, is its ease of use, and this is very well illustrated with the QuickSetup installer.

Based on our past experience, we’ve made sure that OpenDS server has no use of absolute paths.

For the developer, this is really handy. It allows you to move an installed OpenDS instance from one directory to another very easily: you just stop the server, move the instance to a larger or faster disk, and restart it.

Similarly, you can also create a new instance of the server by copying the installed server to a new location (instead of moving it). If you do this to run both instance, don’t forget to edit the dse.ldif file to change the port numbers (LDAP, LDAPS and Admin), and possibly the replication configuration if replication was enabled on the initial server.

In our daily tests with OpenDS, we use this capability a lot, especially when we run benchmarks. After having installed, configured and tuned the OpenDS instance, we make a copy that we start and run the tests against. When finished, we capture the desired results, and delete the instance. And we repeat the steps, making sure we have consistent results.

As all of our tests are done with multi-master replication enabled, we do tests with 2 instances on separated machines. So, we need to restore 2 instances to their initial state to reproduce a test. The ability to do “cp -r RefInstance/ TestInstance/” on both machine, is definitely a key advantage for us.

Note that if you install OpenDS 1.2 on OpenSolaris from the IPS package repository, there is a separation between the installation path (where the binaries and default configuration is stored) and the instance path (where the data and live configuration is stored). The instance path is stored in a file named instance.loc which is under /etc/opends/. Moving instances can be done, as long as the instance.loc file gets updated (manually).

Technorati Tags: directory-server, java, ldap, opends, opensource, tip

One of the things we are very proud of with the OpenDS project, is its ease of use, and this is very well illustrated with the QuickSetup installer.

Based on our past experience, we’ve made sure that OpenDS server has no use of absolute paths.

For the developer, this is really handy. It allows you to move an installed OpenDS instance from one directory to another very easily: you just stop the server, move the instance to a larger or faster disk, and restart it.

Similarly, you can also create a new instance of the server by copying the installed server to a new location (instead of moving it). If you do this to run both instance, don’t forget to edit the dse.ldif file to change the port numbers (LDAP, LDAPS and Admin), and possibly the replication configuration if replication was enabled on the initial server.

In our daily tests with OpenDS, we use this capability a lot, especially when we run benchmarks. After having installed, configured and tuned the OpenDS instance, we make a copy that we start and run the tests against. When finished, we capture the desired results, and delete the instance. And we repeat the steps, making sure we have consistent results.

As all of our tests are done with multi-master replication enabled, we do tests with 2 instances on separated machines. So, we need to restore 2 instances to their initial state to reproduce a test. The ability to do “cp -r RefInstance/ TestInstance/” on both machine, is definitely a key advantage for us.

Note that if you install OpenDS 1.2 on OpenSolaris from the IPS package repository, there is a separation between the installation path (where the binaries and default configuration is stored) and the instance path (where the data and live configuration is stored). The instance path is stored in a file named instance.loc which is under /etc/opends/. Moving instances can be done, as long as the instance.loc file gets updated (manually).

Technorati Tags: directory-server, java, ldap, opends, opensource, tip

As last year, Directory Experts from all over the world will meet again in the Grenoble Engineering Center, France, on April 1st – 2nd, 2009 and later in Sun facilities in Somerset, NJ, USA on April 29th – 30th, 2009.

The Directory Masters Event brings together a highly technical community of experts in the Directory space, to share the product knowledge and best practices, enabling sales and deployments of the Sun Directory Server Enterprise Edition and Sun OpenDS Standard Edition products. This event is opened to Sun employees and Sun partners, more specifically to those in Pre-Sales, Sales and Service Delivery who are involved in the design, the architecture and the deployment of large or mission critical Directory services solutions.

During the 2 days event, experts will be presented and discussing the Sun Directory Services roadmap, DSEE 7.0 new features, OpenDS present and future, best practices, experience reports and much more.

The event is free of charge but sitting is limited. So if you’re interested, eligible and not registered yet, do it now !

Send an email at dirMasters09 at sun dot com indicating your name, title, company and/or organization, and of course which event you would like to participate in.

Location Details

• Event Date: April 1-2, 2009

Location: Grenoble, France

Address: Sun Microsystems

Grenoble Engineering Center
180 Avenue de l’europe, Inovallee

38334 Montbonnot cedex.

France.

• Event Date : April 29-30, 2009.

Location: Somerset, NJ, USA

Address: Sun Microsystems Inc.
400 Atrium Drive

Somerset, NJ 08873

U.S.A

Technorati Tags: directory-proxy-server, directory-server, ldap, training

Matthew Swift, the lead developer for the core server of the OpenDS project has started a blog and his first post is already hitting a home run.

With illustrations and details, he explains the work he and his teammate Bo Li have done in the past couple of month, committed on the trunk of the project last Thursday and resulting in an impressive gain both in performance and reliability for the OpenDS server.

You can find even more details on the email he posted to the OpenDS developer mailing list.

Nice work Matt, keep posting on your blog but most importantly, keep bringing incredible features to the OpenDS project.

Technorati Tags: blog, developer, directory-server, java, ldap, opends

The OpenDS development team is very please to announce the release of OpenDS 1.2.0, a new important milestone for the OpenDS project.

OpenDS 1.2.0 is a minor release of the OpenDS project but contains several new features and many enhancements.

You can find on OpenDS 1.2 documentation site a detailed Summary of Features, Enhancements and Fixes since the OpenDS 1.0 release, but here are some highlights:

• A graphical control panel that enables basic server and data administration is available and replaces the OpenDS 1.0 status-panel
• An administration connector manages all administration related traffic to the server. By separating user operations and administration operations, the administration connector ensure a better quality of service and simplify logging and monitotring
• Connections can be secured and encrypted with SASL mechanisms
• Access Control mechanism has been enhanced to control access based on the level of security of the connection
• The ;binary transfert option is now supported
• Standard schema files related to Solaris and OpenSolaris LDAP naming services are provided by default
• Setup and tools provide an enhanced support for the JCEKS keystore and alternate security providers

OpenDS 1.2.0 will be available in OpenSolaris IPS package repository shortly, with an extensive support of SMF and RBAC.

The documentation for OpenDS 1.2.0 is located on https://docs.opends.org/1.2/

For the more information about OpenDS 1.2.0 please check the release notes.

And don’t forget to Join the OpenDS project and its mailing lists for more information and more interaction with its community

Technorati Tags: directory-server, java, ldap, opends, opensolaris, opensource, Sun

A thread of discussion on the subject of LDAP and referential integrity has surfaced this week. It started with James McGovern :

I also asked the question on How come there is no innovation in LDAP and was curious why no one is working towards standards that will allow for integration with XACML and SPML. I would be happy if OpenDS or OpenLDAP communitities figured out more basic things like incorporating referential integrity.

Pat Patterson pointed out that OpenDS and OpenLDAP have support for referential integrity and so has Sun Directory Server for the last decade:

For some reason, James has a bee in his bonnet over referential integrity and LDAP. I’m really not sure where he’s coming from here – both OpenDS and OpenLDAP offer referential integrity (OpenDS ref int doc, OpenLDAP ref int doc), and Sun Directory Server has offered it for years (Sun Directory Server ref int doc). Does this answer your question, James, or am I missing something?

Bavo De Ridder thinks that the so-called referential integrity is not integrity <>:

So it seems that Sun Directory Service let’s you delete a user but it promises to make sure that it will do it’s very best to delete any references to this user within a “update interval”.

This is partially true. Sun Directory Server can be configured to run the referential integrity processing immediately, in the same thread as the original delete operation. This still occurs as a post-operation plug-in, i.e. after the result was returned to the client application.

Bavo continues:

It does not mention what a read after the deletion but before the plug-in kicks in will see. Will it still see the user as a member in a group although the user is deleted? I am pretty sure it does. This is of course, at least for me, enough prove that this functionality does not offer referential integrity. At best it offers some kind of deferred cascading deletes (or updates) with no semantics for reads done during the time interval between the original operation and this cascaded deletes and updates.

True. It does.

And I think we can argue on the notion of "referential integrity". It is true that this kind of server does not offer "transactional referential integrity" but it does the self tidying that removes dangling references and it helps and simplifies applications. Also, it is worth mentioning that if an LDAP application had to do the referential integrity itself (i.e. removing dangling references), it could not do it in a single transaction as there is no transaction mechanism in the LDAP protocol.

and he ask for an answer :

To Sun (and any other LDAP implementator): what would the impact be on read/write performance in LDAP if they would implement full referential integrity?

Maintaining full consistent referential integrity would definitely have some read/write performance impact, as a single delete could cause updates to thousands of entries, possibly in other branches of the Directory Information Tree. The LDAP operations usually apply on a single entry and all servers respect the ACID properties for those. There are very few LDAP operations that are applicable to multiple entries : the ModDN operation, the SubTree Delete Control… Those operations have not been implemented in all servers and if they are, they all contain some constraints and limitations because of the possible performance impact they can have on the server.

It’s worth noting that Directory Services are by nature distributed services and most of servers also support a loose consistency replication model. So supporting a full referential integrity would first require to support a full distributed transaction mechanism both in the LDAP protocol and the directory servers. As of today, no directory server has support for transactions, but it’s on the roadmap for the OpenDS project, and investigation has already been started.

We can expect to have the full referential integrity future release of OpenDS, and then we will really be able to measure the performance cost.

Meanwhile, Sun customers are quite happy with the current referential integrity service that matches their expectations.

Technorati Tags: blog, ldap, opends, performance

LDAP Controls are a way to change the default behavior of LDAP operations and thus enhance the service. Several controls have been defined and standardized at IETF. Because some of those controls are extending the service beyond the basic operations, you might want to restrict their use to specific users like the Directory Administrators.

The OpenDS LDAP directory server controls who can make use of the various LDAP controls through access control rules.

The default global ACIs contain a rule that list the controls that can be used by all users:

ds-cfg-global-aci: (targetcontrol=”2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16″) (version 3.0; acl “Anonymous control access”; allow(read) userdn=”ldap:///anyone”;)

This list allows the use of the Manage DSA IT Control (RFC 3296), the Real Attributes Only Control, the Virtual Attributes Only Control, the Password Policy Control (draft-behera-ldap-password-policy),the LDAP No-Op Control (draft-zeilenga-ldap-noop), and the Authorization dentity Control (RFC 3829).

If an application makes use of a control that is not allowed, the server returns an error like this one:

[LDAP: error code 50 – The request control with Object Identifier (OID) “1.2.840.113556.1.4.805” cannot be used due to insufficient access rights]

The control here is the SubTree Delete Control which extends the delete operation to operate over a complete subtree of entries.

To allow specific users to make use of the SubTree Delete Control, you will need to add a global ACI:

$ dsconfig -h localhost -p 4444 -D cn=”Directory Manager” -X -n \

set-access-control-handler-prop \

–add global-aci:”(targetcontrol=\”1.2.840.113556.1.4.805\”) \

(version 3.0; acl \”Data Administrator SubTree delete control access\”; allow(read) \

userdn=\”ldap:///cn=Data Administrator,dc=example,dc=com\”;)”

Password for user ‘cn=Directory Manager’: *********

The above ACI grants the use of the SubTree Delete control to a single user whose DN is “cn=Data Administrator,dc=example,dc=com“.

Note that even if the user has the permission to use the Control, other access controls are still enforced to verify that the user has the permission to delete all the entries targeted by the operation.

You can find on the OpenDS Documentation Wiki more information about OpenDS supported controls, about Managing Global ACI…

Technorati Tags: directory-server, ldap, opends, tip

In the previous tip for OpenDS, the LDAP directory server in Java, I’ve explained how to set default properties for the OpenDS client tools such as dsconfig, backup, restore…

One of the developers on the OpenDS project reminded me with 2 additional options related to those preferences:

When working with multiple instances of OpenDS, it’s convenient to store the specific properties for each instance in a file, and then use the –propertiesFilePath option.

$ dsconfig –propertiesFilePath ./opends-Master2 set-server-prop …

Alternately, it is possible to avoid using the default properties’ file, and use the OpenDS tools with a different and remote instance, with the –noPropertiesFile option.

$ dsconfig set-backend-prop —backend-name userRoot —add base-dn:dc=MyCompany,dc=com

—hostname localhost —port 4444 —bindDN cn=Directory\ Manager —bindPassword ******

—trustAll —noPropertiesFile —no-prompt

You can find more details on the tools.properties file on OpenDS documentation wiki.

Note: If you have OpenDS tips of your own, please share them with us. Send me a mail or leave a comment on this blog.

Technorati Tags: directory-server, ldap, opends, opensource, tip

In a previous tip, I’ve talked about troubleshooting index problems with OpenDS. Sometimes, one might need to get a better understanding of the OpenDS databases to troubleshoot some data or performance issue.

Here comes the little known OpenDS feature : dbtest.

dbtest is a command line utility that can be used to inspect the content of an OpenDS JE backend (which relies on the Oracle Berkeley Database Java Edition).

The command can be used to list the root container, the entry container, the database containers, get statistics on their content, see the status of index files and possibly dump the content of the database. While dumping the database is hardly useful for most people the tool still has a couple of features of general interest.

It can be used to list all database containers for the userRoot backend, including the index containers, their names and their current entry count.

$ bin/dbtest list-database-containers -b “dc=example,dc=com” -n “userRoot”

Database Name Database Type JE Database Name Entry Count

————————————————————————————————–

dn2id DN2ID dc_example_dc_com_dn2id 102

id2entry ID2Entry dc_example_dc_com_id2entry 102

referral DN2URI dc_example_dc_com_referral 0

id2children Index dc_example_dc_com_id2children 2

id2subtree Index dc_example_dc_com_id2subtree 2

state State dc_example_dc_com_state 19

uniqueMember.equality Index dc_example_dc_com_uniqueMember.equality 0

sn.equality Index dc_example_dc_com_sn.equality 100

sn.substring Index dc_example_dc_com_sn.substring 541

objectClass.equality Index dc_example_dc_com_objectClass.equality 6

entryUUID.equality Index dc_example_dc_com_entryUUID.equality 102

ds-sync-hist.ordering Index dc_example_dc_com_ds-sync-hist.ordering 0

aci.presence Index dc_example_dc_com_aci.presence 0

cn.equality Index dc_example_dc_com_cn.equality 100

cn.substring Index dc_example_dc_com_cn.substring 1137

telephoneNumber.equality Index dc_example_dc_com_telephoneNumber.equality 100

telephoneNumber.substring Index dc_example_dc_com_telephoneNumber.substring 956

givenName.equality Index dc_example_dc_com_givenName.equality 100

givenName.substring Index dc_example_dc_com_givenName.substring 396

uid.equality Index dc_example_dc_com_uid.equality 100

mail.equality Index dc_example_dc_com_mail.equality 100

mail.substring Index dc_example_dc_com_mail.substring 525

member.equality Index dc_example_dc_com_member.equality 0

Total: 23

Or dbtest can be used to retrieve the system and user indexes and their status.

$ bin/dbtest list-index-status -b “dc=example,dc=com” -n “userRoot”

Index Name Index Type JE Database Name Index Status

————————————————————————————————

id2children Index dc_example_dc_com_id2children true

id2subtree Index dc_example_dc_com_id2subtree true

uniqueMember.equality Index dc_example_dc_com_uniqueMember.equality true

sn.equality Index dc_example_dc_com_sn.equality true

sn.substring Index dc_example_dc_com_sn.substring true

objectClass.equality Index dc_example_dc_com_objectClass.equality true

entryUUID.equality Index dc_example_dc_com_entryUUID.equality true

ds-sync-hist.ordering Index dc_example_dc_com_ds-sync-hist.ordering true

aci.presence Index dc_example_dc_com_aci.presence true

cn.equality Index dc_example_dc_com_cn.equality true

cn.substring Index dc_example_dc_com_cn.substring true

telephoneNumber.equality Index dc_example_dc_com_telephoneNumber.equality true

telephoneNumber.substring Index dc_example_dc_com_telephoneNumber.substring true

givenName.equality Index dc_example_dc_com_givenName.equality true

givenName.substring Index dc_example_dc_com_givenName.substring true

uid.equality Index dc_example_dc_com_uid.equality true

mail.equality Index dc_example_dc_com_mail.equality true

mail.substring Index dc_example_dc_com_mail.substring true

member.equality Index dc_example_dc_com_member.equality true

Total: 19

An index status of true means it’s a trusted index, a status of false means the index is no longer trusted and needs

rebuilding.

You can find more details on the dbtest tool on the OpenDS documentation wiki.

Technorati Tags: directory-server, ldap, opends, opensource, tip

The OpenDS development team is very pleased to announce the immediate availability of OpenDS 1.2.0-RC2 which is the second and probably last release candidate for OpenDS 1.2.0. The main goal of the OpenDS 1.2.0 version is to be integrated in the coming release of OpenSolaris.

The purpose of the Release Candidate is to solicit one last round of testing before the final release.

So please test the OpenDS release with your client applications, in your environment or on your favorite platform.

If you do find a bug, please report it with Issue Tracker.

We welcome feedback. Please report you experience with OpenDS on our mailing lists, or on #opends IRC channel on Freenode.

OpenDS 1.2.0-RC2 is built from revision 4920 of the b1.2 branch of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.2.0-RC2/OpenDS-1.2.0-RC2.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.2.0-RC2/OpenDS-1.2.0-RC2-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.2.0-RC2/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.2.0-RC2.

Major changes incorporated since OpenDS 1.2.0-RC1 include:

• Revision 4771 (Issue #3668) – Fix a problem that prevented the Control Panel from correctly displaying a connection handler’s listen addresses.
• Revision 4785 – Fix broken unit tests when attempting to port OpenDS to IBM JVM.
• Revision 4793 (Issue #3676) – Fix an issue in ldapmodify when processing the ;binary option.
• Revision 4806 (Issue #3694) – Fix an error that prevented the ASN.1 package from correctly BER encoding/decoding negative integers.
• Revision 4813 (Issue #3685) – Fix a Swing repainting problem in the control panel.
• Revision 4821 (Issue #3699) – Fix an issue that prevented OpenDS from sending the password Expired Control during a bind operation, if the password had been reset.
• Revision 4828 (Issue #3417) – Allow the import-ldif command to load VLV indexes.
• Revision 4834 (Issue #3710) – Fix a Control Panel error that occurred when creating a new base DN with automatically generated data.
• Revision 4836 (Issue #3705) – Fix a Control Panel problem with the “Save” button in the “Manage Entries” panel.
• Revision 4837 (Issue #3704) – Include the LDIF Connection Handler in the list of connection handlers displayed by the status command.
• Revision 4838 (Issue #3709) – In the Control Panel, change the value of the “Backup Path” field to the instance path rather than the installation path in the Backup/Restore panels.
• Revision 4839 (Issue #3672) – Make it possible to remotely debug the server.
• Revision 4852 (Issue #3511) – Allow password encoding using the schemes 3DES, BLOWFISH, AES, and RC4.
• Revision 4854 (Issue #3579) – Fix an issue that caused the import-ldif countRejects option not to work as expected.
• Revision 4865 (Issue #3683) – Fix an issue with replication conflict resolution for the DELETE operations for entries that have children entries.
• Revision 4866 (Issue #3716) – Fix an issue where start-ds.bat was using the wrong environment variable for passing arguments.
• Revision 4869 (Issue #3707) – Check the validity of all parameters passed to the unconfigure script before starting the unconfiguration.
• Revision 4875 (Issue #3718) – Fix an issue that caused the -A, –typesOnly option to be ignored by the ldapsearch command.
• Revision 4879 (Issue #3723) – Fix an issue that caused the ACI SSF bind rule “!=” operator not to work as expected.
• Revision 4883 (Issue #3725) – Fx an issue with HTML tags incorrectly displayed in the output of the status command.
• Revision 4904 (Issue #3735) – Fix an issue where OpenDS failed to start if the build number contained a version qualifier.
• Revision 4913 (Issue #3750) – Fix an issue in which forcing a password change after an administration reset caused unexpected behavior.
• Revision 4919 (Issue #3621) -Fix an issue that caused the import-ldif, backup and other commands to use the wrong default port.
• Revision 4920 (Issue #3751) – Fix a problem that caused dsreplication initialize-all to fail.

Technorati Tags: directory-server, java, ldap, opends, opensolaris, opensource, Sun

LDAP Directory servers are designed to process search queries at the speed of light (almost).

But sometimes, the search queries issued by a client application are not as fast as expected. This often comes from an indexing misconfiguration or problem, but finding the root cause is not easy. I should say WAS not easy.

The OpenDS LDAP directory server supports a “magic” operational attribute that allows an administrator to get from the server information about the processing of indexes for a specific search query: debugsearchindex.

If the attribute is set in the requested attributes in a search operation, the server will not return all entries as expected, but a single result entry with a fixed distinguished name and a single valued attribute debugsearchindex that contains the information related to the index processing, including the number of candidate entries per filter component, the overall number of candidate, and whether any or all of the search is indexed.

$ bin/ldapsearch -h localhost -p 1389 -D “cn=Directory Manager” -b “dc=example,dc=com” “(&(uid=user*)(mail=joe*))” debugsearchindex

Password for user ‘cn=Directory Manager’: *********

dn: cn=debugsearch

debugsearchindex: filter=(&(uid=user*)[COUNT:100](mail=joe*)[INDEX:mail.equality][COUNT:0])[COUNT:0] final=[COUNT:0]

$ bin/ldapsearch -h localhost -p 1389 -D “cn=Directory Manager” -b “dc=example,dc=com” “objectclass=*” debugsearchindex

Password for user ‘cn=Directory Manager’: *********

dn: cn=debugsearch

debugsearchindex: filter=(objectClass=*)[NOT-INDEXED] scope=wholeSubtree[COUNT:102] final=[COUNT:102]

./ldapsearch -h localhost -p 1389 -D “cn=Directory Manager” -b “dc=example,dc=com” “mail=user.1*” debugsearchindex

Password for user ‘cn=Directory Manager’: *********

dn: cn=debugsearch

debugsearchindex: filter=(mail=user.1*)[INDEX:mail.substring][COUNT:11] scope=wholeSubtree[COUNT:102] final=[COUNT:11]

Technorati Tags: directory-server, ldap, opends, opensource, tip