The OpenDS LDAP directory service has been designed to work well for hosted services. A single directory server can be used to store information for multiple companies either sharing the same database backend, or in separated database backends. The OpenDS tools such as dsconfig or dsreplication focus on the user visible aspect: the Naming Context, also known as the “Base DN”, the starting point of the directory information tree for a given company.

But the backends are not exposed by default, and several users have asked the question “How do I know the backend name for my suffix ?”.

The list-backends command line tool is a handy tool that you can find in the bin directory that can list the backends and suffixes of a Directory Server instance.

Below are a couple of example of use of the list-backends tool:

$ bin/list-backends

Backend ID : Base DN

—————:——————–

adminRoot : cn=admin data

ads-truststore : cn=ads-truststore

backup : cn=backups

config : cn=config

monitor : cn=monitor

schema : cn=schema

tasks : cn=tasks

userRoot : “dc=example,dc=com”

$ bin/list-backends -b “dc=example,dc=com”

The provided DN ‘dc=example,dc=com’ is a base DN for backend ‘userRoot’

You can find more details and examples on the OpenDS documentation wiki’s list-backends reference page.

Technorati Tags: directory-server, ldap, opends, opensource, tip

In the previous tips for OpenDS, the LDAP directory server in Java, I’ve shown the long and exhaustive dsconfig commands. As you may have noticed, there are many properties to specify to reference the server: the hostname, the port number, the authentication DN… Those properties are used by most OpenDS command line tools and repeating them all the time can be tedious.

Fortunately, it is possible to set the default values for the OpenDS command line tools in a property file, stored either in a .opends directory in your home, or in the instance config directory.

Here’s a sample file :

$ cat ~/.opends/tools.properties

port=1389

dsconfig.port=4444

stop-ds.port=4444

hostname=localhost

bindDN=cn=Directory Manager

bindPassword=secret12

If you’re storing passwords in the file, make sure you’re not allowing other users to read the file.

You can find more details on the tools.properties file on OpenDS documentation wiki.

Technorati Tags: directory-server, ldap, opends, opensource, tip

When you install OpenDS LDAP directory server, the server is configured to verify that newly-written or added entries conform to the directory server’s schema (and therefore conform to the LDAP standards).

If you intend to run a reliable service with OpenDS, and provide interoperability between multiple LDAP clients, you should not change this setting. But sometime, developers need to quickly test LDAP with existing data and don’t have the complete definition of the schema, or don’t have time to deal with loading the proper schema. Then, the quick option is to disable schema checking.

This can be done using the dsconfig advanced mode, and the global configuration option check-schema.

dsconfig set-global-configuration-prop \

–set check-schema:false \

–hostname localhost \

–trustAll \

–port 4444 \

–bindDN cn=Directory\ Manager \

–bindPassword ****** \

–no-prompt

There are 2 other properties that can be tuned for a finer grain control of schema checking:

• invalid-attribute-syntax-behavior: controls whether the syntax of the attribute values are checked when adding, modifying entries.
• single-structural-objectclass-behavior: controls how the server should behave if an attempt is made to add or modify an entry with more than one structural objectclass.

You can find more details on schema checking on the OpenDS documentation wiki and more specifically at https://www.opends.org/wiki/page/HowToExtendTheLDAPSchema#section-HowToExtendTheLDAPSchema-ConfiguringSchemaChecking

Technorati Tags: directory-server, ldap, opends, tip

The article published by Gary Williams, QA lead for the OpenDS project, and Marina Sum, technical writer for Sun Developers Network, has been picked by Java.net and promoted on the front page.

Nice work Gary and Marina !

Technorati Tags: developer, directory-server, java, ldap, opends, opensource, QA, quality

When installing OpenDS, you’re asked to define a Base DN (aka Suffix, aka Naming Context) for your directory instance. A default is proposed : dc=example,dc=com.

OpenDS supports multiple suffixes per backend and multiple backends.

The Control Panel allows you to easily add suffixes to the current backend or to a new backend.

You can also do it through the dsconfig command line tool.

$ dsconfig set-backend-prop --backend-name userRoot --add base-dn:dc=MyCompany,dc=com
--hostname localhost --port 4444 --bindDN cn=Directory\ Manager --bindPassword ********
--trustAll --noPropertiesFile --no-prompt

Technorati Tags: directory-server, ldap, opends, tip

 In a previous OpenDS Tip, I talked about dsconfig interactive mode saying that it’s the default mode. When starting with OpenDS and dsconfig, my guess is that the first command tried is dsconfig –help (or -?), and then a more complete command such as dsconfig -h localhost -p 4444 …

But the easiest way to start with dsconfig is just dsconfig with no option… The interactive mode will start querying all parameters to connect to the server before proposing a menu of configuration areas.

$ dsconfig

>>>> Specify OpenDS LDAP connection parameters

Directory server hostname or IP address [dhcp-egnb07-211-104.France.Sun.COM]:

How do you want to trust the server certificate?

1) Automatically trust
2) Use a truststore
3) Manually validate
Enter choice [3]: 1

Directory server administration port number [4444]:

Administrator user bind DN [cn=Directory Manager]:

Password for user 'cn=Directory Manager':

>>>> OpenDS configuration console main menu

What do you want to configure?

1) Access Control Handler      24) Monitor Provider
2) Account Status Notification 25) Network Group Handler
3) Administration Connector    26) Network Group Criteria
4) Alert Handler               27) Network Group Request Filtering Policy
5) Attribute Syntax            28) Network Group Resource Limits
6) Backend                     29) Password Generator
7) Certificate Mapper          30) Password Policy
8) Connection Handler          31) Password Storage Scheme
9) Crypto Manager              32) Password Validator
10) Debug Target               33) Plugin
11) Entry Cache                34) Plugin Root
12) Extended Operation Handler 35) Replication Domain
13) Extension                  36) Replication Server
14) Global Configuration       37) Root DN
15) Group Implementation       38) Root DSE Backend
16) Identity Mapper            39) SASL Mechanism Handler
17) Key Manager Provider       40) Synchronization Provider
18) Local DB Index             41) Trust Manager Provider
19) Local DB VLV Index         42) Virtual Attribute
20) Log Publisher              43) Work Queue
21) Log Retention Policy       44) Workflow
22) Log Rotation Policy        45) Workflow Element
23) Matching Rule
q) quit
Enter choice:

Also, if one of your goal is to be able to script configuration of OpenDS, use the –displayCommand option with the interactive mode: when an configuration setting is done to the server, dsconfig will display the command to use in a script to execute exactly the same configuration setting.

...
 
Enter choice: 14

>>>> Global Configuration management menu
What would you like to do?
1) View and edit the Global Configuration
b) back
q) quit
Enter choice [b]: 1

>>>> Configure the properties of the Global Configuration

Property Value(s)
----------------------------------------------------------------------
1) bind-with-dn-requires-password true
2) default-password-policy Default Password Policy
3) disabled-privilege If no values are defined, then
   the server enforces all privileges.
4) entry-cache-preload false
5) etime-resolution milliseconds
6) idle-time-limit 0 ms
7) lookthrough-limit 5000
8) max-allowed-client-connections 0
9) proxied-authorization-identity-mapper Exact Match
10) reject-unauthenticated-requests false
11) return-bind-error-messages false
12) save-config-on-successful-startup true
13) size-limit 1000
14) smtp-server If no values are defined, then the server cannot
    send email via SMTP.
15) time-limit 1 m
16) workflow-configuration-mode auto
17) writability-mode enabled

?) help
f) finish - apply any changes to the Global Configuration
c) cancel
q) quit
Enter choice [f]: 13

>>>> Configuring the "size-limit" property

Specifies the maximum number of entries that the Directory Server should
return to the client during a search operation.

A value of 0 indicates that no size limit is enforced. Note that this is
the default server-wide limit, but it may be overridden on a per-user
basis using the ds-rlim-size-limit operational attribute.
Syntax: 0 <= INTEGER

Do you want to modify the "size-limit" property?

1) Keep the default value: 1000
2) Change the value
?) help
q) quit

Enter choice [1]: 2

Enter a value for the "size-limit" property [continue]: 2000
Press RETURN to continue

>>>> Configure the properties of the Global Configuration
Property Value(s)
----------------------------------------------------------------------
1) bind-with-dn-requires-password true
2) default-password-policy Default Password Policy
3) disabled-privilege If no values are defined, then
   the server enforces all privileges.
4) entry-cache-preload false
5) etime-resolution milliseconds
6) idle-time-limit 0 ms
7) lookthrough-limit 5000
8) max-allowed-client-connections 0
9) proxied-authorization-identity-mapper Exact Match
10) reject-unauthenticated-requests false
11) return-bind-error-messages false
12) save-config-on-successful-startup true
13) size-limit 2000
14) smtp-server If no values are defined, then the server cannot
    send email via SMTP.
15) time-limit 1 m
16) workflow-configuration-mode auto
17) writability-mode enabled

?) help
f) finish - apply any changes to the Global Configuration
c) cancel
q) quit
Enter choice [f]:

The Global Configuration was modified successfully
The equivalent non-interactive command-line is:

dsconfig set-global-configuration-prop \
 --set size-limit:2000 \
 --hostname dhcp-egnb07-211-104.France.Sun.COM \
 --trustAll \
 --port 4444 \
 --bindDN cn=Directory\ Manager \ 
 --bindPassword ****** \ 
 --no-prompt

Press RETURN to continue

Technorati Tags: directory-server, ldap, opends, tip

OpenDS LDAP directory service comes with a command-line user interface to manage every configuration parameter of the server: dsconfig.

The dsconfig tool can be run in interactive mode (and this is the default) or non interactive mode for use in scripts. Because there are many properties, and most of them would not be changed, some properties are hidden by default.They can still be managed through dsconfig, but with the Advanced mode :

$ dsconfig –advanced

The list-properties command displays the properties sorted by category. You can filter out all properties for a given category with the –category option (-c). And have the advanced properties displayed with the –advanced option.

$ dsconfig list-properties –category global

or with the advanced properties:

$dsconfig list-properties –category global –advanced

Technorati Tags: ldap, opends, tip

This week the spotlights are turned on Gary Williams, the lead test engineer for the OpenDS project. He published a great article with Marina Sum on the topic the OpenDS open source project and Quality Assurance: Perspectives on Quality Assurance for OpenDS.

Gary and the quality assurance team develops tests, ran them on regular basis (over 30.000 unit tests and 2000 functional tests are run daily) and they are key in the reputation and the success of the OpenDS project:

"Our main goal is to deliver a quality product on schedule. As widely acclaimed as OpenDS is for its robust capabilities, we constantly strive for a better-performing product with more user-oriented features."

All tests are part of the project code repository or project documentation. You too can join the project and participate.

You can find more information about OpenDS quality assurance and the "Spirit of Testing" on OpenDS Wiki.

And to paraphrase the conclusion of the article : I feel fortunate and proud to be associated with Gary and his quality team, and look forward to the continued success of OpenDS as a superior global directory service.

Technorati Tags: developer, directory-server, java, opends, opensource, QA, quality

The OpenDS development team is very pleased to announce the immediate availability of OpenDS 1.2.0-RC1 which is the first release candidate for OpenDS 1.2.0. The main goal of the OpenDS 1.2.0 version is to be integrated in the coming release of OpenSolaris.

The purpose of the Release Candidate is to solicit one last round of testing before the final release.

So please test the OpenDS release with your client applications, in your environment or on your favorite platform.

If you do find a bug, please report it with Issue Tracker.

We welcome feedback. Please report you experience with OpenDS on our mailing lists, or on #opends IRC channel on Freenode.

OpenDS 1.2.0-RC1 is built from revision 4762 of the b1.2 branch of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.2.0-RC1/OpenDS-1.2.0-RC1.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.2.0-RC1/OpenDS-1.2.0-RC1-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.2.0-RC1/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.2.0-RC1.

Major changes incorporated since OpenDS 1.1.0-build003 include:

• Revision 4726 (Issue 3646) – Fixes the configure script to properly retrieve user and group information for the OpenDS instance (Applies to SVR4 package only).
• Revision 4730 (Issue 3642) – Fixes an issue where extensions would be loaded twice.
• Revision 4731 (Issue 3639) – Fixes an issue where two separated backends could not be backed-up in the same folder.
• Revision 4736 (Issues 3650 – 3651) – Add the ldap tools and an unconfigure command to the SVR4 package.
• Revision 4740 (Issue 3658) – Delivers Man Pages for OpenDS and a few commands (Applies to SVR4 package only).
• Revision 4754 (Issue 3663) – Fixes an issue where OpenDS could not be started if the user had no home directory (Applies to SVR4 package only).
• Revision 4756 (Issue 3641) – Fixes an issue where the ServiceTag for OpenDS would not be registered at installation time (Applies to SVR4 package only).
• Revision 4758 (Issue 3665) – Defines Solaris specific authorizations to start/stop OpenDS with SMF (Applies to SVR4 package only).

Technorati Tags: directory-server, java, ldap, opends, opensolaris, opensource, Sun

We have just uploaded OpenDS 1.1.0-build003, built from revision 4709 of our source tree, to our promoted builds folder.

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.1.0-build003/OpenDS-1.1.0-build003.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.1.0-build003/OpenDS-1.1.0-build003-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.1.0-build003/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more i

nformation.

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.1.0-build003.

Major changes incorporated since OpenDS 1.1.0-build002 include:

• Revision 4591 (Issue #3571) – Adjust the Control Panel to reflect changes to the windows service configuration.
• Revision 4592 (Issue #3566) – Increase the timeout of the windows service and make it configurable.
• Revision 4593 (Issue #3564) – Fix a problem that caused make-ldif to fail with a “Permission denied” message.
• Revision 4594 (Issue #3569) – Amend the dsconfig command to handle multi-valued properties correctly.
• Revision 4595 (Issue #3567) – Various fixes to the persistent search mechanism.
• Revision 4598 (Issue #3580) – Fix a Java exception in the control panel when accessing cn=backup.
• Revision 4601 (Issue #3572) – Fix an issue where adding a local backend with dsconfig resulted in a number of erroneous messages printed to the error log.
• Revision 4602 (Issue #3582) – Fix a failure in the –revert option of the upgrade.
• Revision 4605 (Issue #3585) – Change the network group time/size limits to have no default value.
• Revision 4616 (Issue #3567) – Additional fixes to the persistent search mechanism.
• Revision 4621 (Issue #3587) – Refresh the index tab of the control panel after rebuilding indexes.
• Revision 4622 (Issue #3588) – Control Panel : make all Base DNs available for VLV index creation.
• Revision 4623 (Issue #3589) – Control Panel : fix an error raised at new vlv index creation.
• Revision 4632 (Issue #3596) – Control Panel : reset data fields when opening the New Base DN window.
• Revision 4633 (Issue #3599) – Control Panel : new schema object panels were not refreshed.
• Revision 4634 (Issue #3603) – Control Panel : the manage schema function included other files.
• Revision 4637 (Issue #3611) – Control Panel : fix an exception raised when refreshing the backups directory.
• Revision 4638 (Issue #3612) – Control Panel : fix the value of the “Java Home” variable in the “Java Settings” panel.
• Revision 4639 (Issue #3613) – Control Panel : fix incorrect output messages when deleting a subtree.
• Revision 4641 (Issue #3614) – Control Panel : fix restore failure when the available backup was a directory.
• Revision 4643 (Issue #3616) – Control Panel : add the missing –useSSL option.
• Revision 4645 (Issue #3620) – Control Panel : add the missing –noPropertiesFile option to the command-line equivalents.
• Revision 4647 – Add the standard schema files necessary for OpenSolaris LDAP naming services.
• Revision 4648 (Issue #3622) – Control Panel : change the object class sort to be case insensitive
• Revision 4649 (Issue #3622) – Control Panel : sort all the elements in the schema panels without taking case into account.
• Revision 4650 (Issue #3623) – Control Panel : refresh the Matching Rules used by the attributes panel.
• Revision 4652 (Issue #3618) – Control panel : View All Base DS’s generated SEVERE ERRORS.
• Revision 4659 (Issue #3547) – Fix an issue that prevented persistent searches from being abandoned.
• Revision 4682 (Issue #3481) – Change the permissions on the password file generated by setup/quicksetup.
• Revision 4697 – Implement a new ACI bind rule keyword “ssf” that allows users to control the level of access based on the security level of the connection.
• Revision 4703 – Provide suppport for SMF for SVR4 packages.

Technorati Tags: directory-server, java, ldap, opends, opensource, Sun

We have just uploaded OpenDS 1.1.0-build002, built from revision 4590 of our source tree, to our promoted builds folder.

The direct link to download the core server is: http://www.opends.org/promoted-builds/1.1.0-build002/OpenDS-1.1.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/1.1.0-build002/OpenDS-1.1.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/1.1.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more i

nformation.

Detailed information about this build is available at http://www.opends.org/promoted-builds/1.1.0-build002.

Major changes incorporated since OpenDS 1.1.0-build001 include:

• Revision 4513 (Issue #3501) – Fix the upgrade process from OpenDS 1.0 to OpenDS 1.1.
• Revision 4518 (Issue #3514) – Make the DSML server multi-thread safe.
• Revision 4524 (Issue #3527) – Fix the –log-file and –ldif-file options of all command-line utilities.
• Revision 4528 (Issue #3504) – Add support for JCEKS keystore in the setup.
• Revision 4530 – Upgrade the svnkit to version 1.2.0.
• Revision 4531 – Major code commit including the following new features:
  
  – An updated version of the underlying database. BDB JE 3.3 is now used.
  
  – Attribute API refactoring providing better abstraction and improved performance.
  
  – A new GUI called the Control-Panel to replace the Status-Panel.
  
  – Some changes in the replication protocol to implement “Assured Replication Mode”.
  
  – Support for Service Tags on the platforms where the functionality is available and enabled.
  
  – The new Administration Connector service, including updates to the various command line tools.
  
  – Some internal re-architecting of the server.
• Revision 4543 (Issue #3534) – Provide native Solaris packages.
• Revision 4544 – Implement a network group dedicated to the admin connector.
• Revision 4555 (Issue #3543) – Fix a replication protocol incompatibility between OpenDS 1.0 and OpenDS 1.1.
• Revision 4560 (Issue #3525) – Attribute modifications were not replicated for modDN operations.
• Revision 4564 (Issue #3553) – Enable the creation of multiple workflows with the same base DN.
• Revision 4575 (Issue #3563) – Fix an ldapdelete error that occurred when using a properties file.
• Revision 4580 – Add confidentiality/integrity to the SASL GSSAPI and DIGEST-MD5 mechanisms.
• Revision 4582 (Issue #3565) – Fix a problem that prevented setup from creating a baseDN if there was a tools.properties file in the user environment.
• Revsion 4588 – Implement statistics for network groups. The stats are available under cn=monitor.

Technorati Tags: directory-server, java, ldap, opends, opensource, Sun

Last week a major piece of code was committed in the OpenDS project. A new GUI named Control Panel is now part of the OpenDS daily-builds (or in the source code repository).

The OpenDS Control Panel makes it trivial for Administrators to manage the OpenDS server as well as manage the entries stored in the LDAP server. Our technical writers have been working intensively to make the documentation available on the OpenDS Documentation wiki… The ink is still wet and the content has not gone under quality review yet, but you can get a real feel of how easy it is to take control of OpenDS LDAP directory server.

Below are screenshots of the main windows and administrative tasks of the Control Panel. Click on an image for the full size display.

The Control Panel

Managing Entries

Managing the Schema

Managing Indexes

Give the tool a try and let us know what you think. You can join the OpenDS project and leave a message on the user mailing list, or on the Forum. You can get in touch with some of us on the #opends IRC channel on freenode.net. Or you can leave comments on this blog.

Technorati Tags: developer, directory-server, java, ldap, opends, opensource

Captured on Sun BigAdmin front page today :

A nice reminder for an article that was written some time ago. Using OpenDS with OpenSolaris will get even easier in a few months when the OpenDS server will be available in the OpenSolaris IPS package repository.

Technorati Tags: directory-server, ldap, naming, opends, opensolaris, opensource

A few tabs and URLs related to OpenDS that I need to share:

• Dominic Cleal from CDO2, a company based in UK, tried to raise a bit of attention on the OpenDS project. We noticed it, and the dicussion with Dominic turned into the first Adoption story for OpenDS published on the Stories blog.
• Do-under, a Geek Diva, is getting Ruby to talk LDAP and for that recommends ruby-net-ldap and OpenDS.
• Open ESB project provides an updated Binding Component for LDAP, which has been primarily developed and tested against OpenDS.
• Via Twitter, Pamela Dingle shared her first experience with OpenDS.

Last but not the least, if you haven’t checked the OpenDS new Control Panel GUI yet, grab a recent daily build and play with it… And tell us what you think about it.

Technorati Tags: directory-server, ldap, opends, opensource