OpenDJ : Visualizing the Replication Topology

My coworker Chris Ridd has spent a little bit of spare time writing a small utility that parses the output of OpenDJ monitoring information to extract the details of the replication topology. Give the output to a graphing tool and here’s the result (based on anonymized data from one of our biggest customers):


This is a worldwide deployment with many directory services in 4 regions and 8 replication services, fully connected. Each directory service is connected to a single replication server, but can fail over in a matter of seconds, by priority, to another replication server in the same region.

If you want to give it a try on your own replication topology, it’s simple. The tool is open source and part of the OpenDJ utilities that Chris has pushed to GitHub. Just feed it the output of an ldapsearch on cn=monitor.

The 4th LDAP international conference will be in Paris…

LDAPCon, the LDAP international conference, takes place every other year. So, after 2007, 2009 and 2011, the 4th LDAP international conference has been announced and will take place on November 18-19, in Paris, France.

LDAPCon brings together vendors, developers, active LDAP practitioners and system administrators to share their experiences about service operations, interoperability and application development, and to discuss LDAP at large, in a friendly and passionate atmosphere. It’s a unique occasion to talk with the developers of most LDAP related projects, seed them with new ideas, learn the under-documented tips and tricks about your favorite server or library, or exchange with other users and system administrators about the best practices around LDAP directory services and applications.

The Call for Papers is open. You have until September 8th 2013 to submit your talk. You can find all details, important dates and topic ideas on the LDAPCon CFP page.

You can also track the event, the availability of tickets and the attendees, or indicate your participation, on the LDAPCon page on Lanyrd.

I hope to see you in Paris in November.


OpenDJ 2.6.0 is now available

I am really happy to announce the general availability of OpenDJ 2.6.0, a major update of ForgeRock’s directory service product, built from the tag 2.6.0 (revision 9086 in our SVN repository).

OpenDJ 2.6.0 brings a lot of added value, including:

– A REST to LDAP service, allowing easy access to directory data using HTTP/JSON. The service can be run either embedded in the server or as a standalone web application.

– A new upgrade process to ease transition from OpenDJ 2.4.5 or newer to 2.6.

– New Linux native packages (RPM and Debian) to facilitate the automatic deployment of OpenDJ in the private and public cloud.

– OpenDJ can be configured to delegate authentication to a Microsoft Active Directory service, providing tighter integration with Microsoft environments without the burden of synchronizing passwords.

– An optional extension to remove specific attributes from updates, making it more flexible and easier to deal with legacy applications and migration tasks.

– A way to synchronize SAMBA password attributes with the user’s password.

– Improvements to referential integrity, which is now enforced at creation or on update.

– More flexible and efficient audit logs.

– A Java based LDAP software development kit.

– An official stable documentation.

For the complete list of new features, enhancements and fixed defects, please read the release notes.

The binaries can be downloaded from ForgeRock Downloads.

Over the course of the development of OpenDJ, we’ve received many contributions, in the form of code, issues raised in our JIRA, documentation… We extend our deepest thanks to all the contributors and developers:

Aiman Tahboub, Alan Evans, Arturo V Sanchez, Auke Schrijnen, Bernhard Thalmayr, Brent Palmer, Bruno Vernay, Chris Dowey, Chris Ridd, Christophe Sovant, Dan Gardner, Danny Turner, Darin Perusich, Donal Duane, Elliot Kendall, Eswar Moorthy, Fred Voss, Gael Allioux, Gary Williams, German Parente, Göran Odmyr, Ian McGlothlin, Jamie Nelson, Jean-Noël Rouvignac, Jeff Blaine, Jeffrey Crawford, Jens Elkner, Lana Frost, Laurent Bristiel, Ludovic Poitou, Manuel Gaupp, Manuel Schallar, Mark Craig, Mark Gibson, Marko Harjula, Martin Sperle, Matthew Stevenson, Matthew Swift, Miroslav Fadrhonc, Mitch Silverstein, Nemanja Lukić, Nicholas Sushkin, Nikolay Belaevski, Per-Olov Sjoholm, Peter Major, Rauli Ikonen, Sachiko Wallace, Slavomir Katuscak, Tomas Forsman, Vanessa Richie, Violette Roche, Willi Burmeister

Happy 4th of July everyone!

Tips: Do not index virtual attributes in OpenDJ

OpenDJ, the open source LDAP directory service in Java, offers some interesting services to reduce and optimize the size and usage of data.

One of them is the Virtual Attribute feature, which allows certain attributes and values to be computed as needed, either from server internals or from other attributes. OpenDJ ships with a number of virtual attributes by default: entryDN, entryUUID, etag, governingStructureRule, hasSubordinates, isMemberOf, numSubordinates, password expiration time (ds-pwp-password-expiration-time), structuralObjectClass, subschemaSubentry, …

Since these attributes are virtual and thus not stored as part of the entries in the database backend, you must not define any index for them. When possible, the virtual attribute provider makes use of a default system index (for example, entryDN uses the DN index), but most of the time these attributes are only meant to be read and consumed.

If you do configure an index for one of the virtual attributes, the server will repeatedly report that the index is degraded, with an error message similar to the following:

[21/Jan/2013:09:16:07 +0000] category=JEB severity=NOTICE msgID=8847510 msg=Due to changes in the configuration, index dc_example_dc_com_entryDN is currently operating in a degraded state and must be rebuilt before it can be used

And then some searches may fail to return entries. So you must delete this index to let the server behave properly.
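Because the notice repeats on every configuration change, it is worth spotting the offending index from the error log rather than by eye. The script below is an added example, not part of the original tip or of OpenDJ: it matches the degraded-index notice shown above, takes the attribute name from the last component of the JE index name (the base DN mangled into an underscore-separated prefix), and separates indexes on virtual attributes, which must be deleted, from indexes on stored attributes, which only need rebuild-index. The function names and the sample log are my own constructions.

```python
import re

# Virtual attributes OpenDJ ships with by default, from the list in the tip above.
VIRTUAL_ATTRIBUTES = {name.lower() for name in (
    "entryDN", "entryUUID", "etag", "governingStructureRule",
    "hasSubordinates", "isMemberOf", "numSubordinates",
    "ds-pwp-password-expiration-time", "structuralObjectClass",
    "subschemaSubentry",
)}

# The degraded-index notice exactly as the error log prints it (msgID 8847510).
DEGRADED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] category=JEB severity=NOTICE msgID=8847510 "
    r"msg=Due to changes in the configuration, index (?P<index>\S+) "
    r"is currently operating in a degraded state"
)


def index_attribute(index_name):
    """Attribute part of a JE index name such as dc_example_dc_com_entryDN.

    The base DN is mangled into an underscore-separated prefix, so the
    attribute name is the last underscore-separated component.
    """
    return index_name.rsplit("_", 1)[-1]


def find_degraded_indexes(log_lines):
    """Return (timestamp, index name) pairs for every degraded-index notice."""
    hits = []
    for line in log_lines:
        match = DEGRADED_RE.match(line.strip())
        if match:
            hits.append((match.group("ts"), match.group("index")))
    return hits


def classify_degraded(log_lines):
    """Split degraded indexes by the fix they need.

    An index on a virtual attribute can never be rebuilt into a usable
    state and must be deleted; an index on a stored attribute just needs
    rebuild-index. Each index is reported once even if the notice repeats.
    """
    to_delete, to_rebuild = [], []
    for _, index in find_degraded_indexes(log_lines):
        if index in to_delete or index in to_rebuild:
            continue
        if index_attribute(index).lower() in VIRTUAL_ATTRIBUTES:
            to_delete.append(index)
        else:
            to_rebuild.append(index)
    return to_delete, to_rebuild


# Constructed sample error log: the notice from the tip, repeated as the
# server does, plus one index on a stored attribute and an unrelated line.
SAMPLE_LOG = """\
[21/Jan/2013:09:16:07 +0000] category=JEB severity=NOTICE msgID=8847510 msg=Due to changes in the configuration, index dc_example_dc_com_entryDN is currently operating in a degraded state and must be rebuilt before it can be used
[21/Jan/2013:09:16:07 +0000] category=JEB severity=NOTICE msgID=8847510 msg=Due to changes in the configuration, index dc_example_dc_com_isMemberOf is currently operating in a degraded state and must be rebuilt before it can be used
[21/Jan/2013:09:16:07 +0000] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds
[21/Jan/2013:09:16:08 +0000] category=JEB severity=NOTICE msgID=8847510 msg=Due to changes in the configuration, index dc_example_dc_com_mail is currently operating in a degraded state and must be rebuilt before it can be used
[21/Jan/2013:09:16:08 +0000] category=JEB severity=NOTICE msgID=8847510 msg=Due to changes in the configuration, index dc_example_dc_com_entryDN is currently operating in a degraded state and must be rebuilt before it can be used
"""

if __name__ == "__main__":
    delete, rebuild = classify_degraded(SAMPLE_LOG.splitlines())
    print("delete (indexes on virtual attributes):", delete)
    print("rebuild-index (indexes on stored attributes):", rebuild)
```

Run it against the server's logs/errors file instead of SAMPLE_LOG; anything in the first list is an index to remove with dsconfig delete-local-db-index, anything in the second a candidate for rebuild-index.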

Making OpenDJ easier for Linux, DevOps and the cloud…


I’ve recently made some changes to the OpenDJ nightly builds page and made 2 new deliveries available for OpenDJ: an RPM package and a Debian package.

The goal of providing native packages for OpenDJ is to make things much easier for the Linux system administrators and the DevOps who want to deploy OpenDJ automatically, as well as for whoever wants to run OpenDJ in a VM in the cloud.


There have been several other efforts to build native packages for OpenDJ, here and there, but due to the structure of OpenDJ deliveries, you could not properly upgrade between versions. The packages available with the nightly builds take advantage of the new upgrade mechanism that has been developed, allowing an easier and smoother migration from previous releases.

If you do use the packaged version, make sure you log any bugs you find in the OpenDJ issue tracker.

I’d like to thank Danny Turner for his great contributions to the OpenDJ native packaging.

OpenDJ Roadmap Update…

It took us some time to evaluate and refine the roadmap for OpenDJ, but it’s finally there. We’ve updated the Roadmap on the wiki, and set a date for the next release of OpenDJ.

The first decision is that the next release will be versioned 2.6. We got feedback that the versioning scheme, with Xpress releases and final releases sharing the same version number, is confusing. Going forward, we will try to keep to the following scheme: a stable release will have an even minor number and development releases will have an odd one.

We’ve also set the date for the release to end of Q2 of 2013 (end of June).

The REST to LDAP service has now been integrated into the OpenDJ server, although it is not fully featured yet. The team is working really hard to deliver the remaining features by June and to close the few remaining important defects. If you want to start evaluating the REST to LDAP service, just grab a recent nightly build. Mark is doing a great job of documenting the REST features as they become available.

We will soon make the RPM and Debian packages available for tests with the nightly builds, along with the new upgrade mechanism, and then enter a cycle of stabilization before the 2.6.0 release.

Feedback is important for us, so please download and test the nightly builds, and report success via email or file issues in our bug tracking tool.

Prehistory of LDAP by Colin Robbins

Colin Robbins has published on his blog a “Prehistory of LDAP”, which describes some of the origins of the standard.

All of this predates my involvement with LDAP, directory servers and even X.500, but I feel related to it, since the names, projects and people he mentions are familiar to me, and I had the chance to meet or even work with some of them.

Anyway, for the curious who want to understand the roots of LDAP, it’s definitely worth reading.

OpenDJ presented at the LavaJUG

As I mentioned last week, I was presenting OpenDJ and server performance in Java at the LavaJUG on Thursday.

The session was broadcast live on Google Hangout, unfortunately in 2 parts due to a nice blue screen. You can watch them here:

Part 1:

Part 2:

The slides are available on the LavaJUG Wiki.

Thanks for the great reception to the whole LavaJUG and more specifically to its leaders Olivier Coupelon, Pierre Colomb, Sylvain Desgrais and Thomas Maurel.

Upcoming events: LavaJUG & Devoxx France

I will be at the LavaJUG (Java User Group from Clermont-Ferrand, France) this Thursday from 19:00 to 21:00, presenting the OpenDJ project’s experience building a highly scalable and high performance server in Java. The presentation is based on what I’ve already presented at a few JUGs in France (AlpesJUG, MarsJUG, PoitouCharentesJUG, …) and Switzerland (JUG Lausanne), but has been updated with regard to the GarbageFirst GC and the most recent HotSpot JVM.


And next week, from Wednesday March 27th to Friday 29th, you will find ForgeRock at the Devoxx France conference.

Come to our conference session about “Enterprise Security in a Cloudy and Mobile World” (the session is in French). The session is on Friday 29th, from 11:45 to 12:35, in the Miles Davis room. Mark it on your calendar, and if you miss it, make sure you stop by our booth (B3) to say hello and talk with some of our engineers. We will also be present at the HackerGarten on Wednesday from 14:00 to 18:00, should you want to have fun with one of our open source projects: OpenAM, OpenDJ or OpenIDM.


OpenDJ scripts and utilities on github

Following the example of my colleague Chris, I’ve pushed to GitHub a set of OpenDJ scripts and utilities that I’ve written and used in the past.

You will find scripts for log statistics, converting schema, …

Feel free to use them, and if you have suggested enhancements or patches, I’ll be looking for pull requests!

OpenDJ 2.4.6 is now available

A few days after an important milestone for OpenDJ, the open source LDAP directory server in Java, I’m happy to announce that a new bug fix release of the 2.4 series has just been made available. OpenDJ 2.4.6 is an update release of the OpenDJ project and improves reliability and performance with large groups and entries, as well as very large databases. The full details about the release have been posted in the OpenDJ 2.4.6 Release Notes. Upgrading to this release is recommended for everyone running earlier versions. For additional features and bug fixes, please use OpenDJ 2.5.0-Xpress1.

The release is built out of revision 8102 of the b2.4 branch of the code repository.

As usual, you can find everything on the OpenDJ Downloads page.

The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on track for an accurate, reviewed version for OpenDJ 2.5.

Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.

Enjoy!

Tab Sweep Summer Edition

Closing tabs and removing bookmarks in my browser before going on vacation, I ought to post a few links first:

ForgeRock is growing and I’m happy to count Chris Ridd as a new member of the OpenDJ team. Chris’ main focus will be support and sustaining, but he’s already started building up knowledge and posted an article on our wiki about using Eclipse for OpenDJ development, and has a new feature enhancement in progress.

Open source projects like other open source projects. For the last few months, Silverpeas has been running demos and tests with the OpenDJ LDAP directory service. They’ve moved one step closer by integrating OpenDJ in their unit test framework, posting the JUnit module on GitHub, and documenting the process. A French version of the article is also available.

Bill Nelson keeps on publishing snippets of the OpenDJ Administration, Maintenance and Tuning class, and this week posted an Architecture overview of the OpenDJ directory server.

Version 2.0 of the LDAP Synchronization Connector (LSC-Project) has been released. I need to give the new version a try, as LSC has proved to be helpful for migrating directory services.

Dave Koelmeyer wrote a simple, yet very useful, article describing how to enable LDAP secondary group memberships with Ubuntu 12.04 and OpenDJ.

Phil Lembo, alias ELDAPO, posted a short article describing how to update the JVM version used by OpenDJ. There are some good reasons for enforcing some stickiness on the version of the JVM, but controlling the runtime environment of a service that can be critical is the major one.

Have I already mentioned that we’re hiring? If you’re a developer, have some good object oriented programming experience with Java, and want to live close to the Alps, enjoying cycling, hiking or hang-gliding during summer time and skiing or snowboarding in winter, then you should apply now.

At Pipay, 15 km from ForgeRock Grenoble Engineering Center

OpenDJ 2.5.0-Xpress1 is now available

I’m happy to announce that a new revision of OpenDJ, the open source LDAP directory server in Java has just been released. OpenDJ 2.5.0-Xpress1 is a new stable release of the main development branch of the OpenDJ project.

OpenDJ 2.5.0-Xpress1 brings you the latest features such as:

  • Capability to delegate authentication to Microsoft Active Directory (pass-through authentication)
  • Improved enforcement of referential integrity for groups, whereby OpenDJ can now ensure both that members’ entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted
  • Access log filtering, with additional output configuration to combine request and response messages, log control OIDs, and specify timestamp formats
  • Optimistic concurrency control through ETag attributes
  • Synchronization of Samba and OpenDJ passwords

You can find more details about the OpenDJ 2.5.0-Xpress1 release in the OpenDJ Release Notes.

The release is built out of revision 8087 of the trunk of the code repository.

As usual, you can find everything on the OpenDJ Downloads page.

The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on track for an accurate, reviewed version for the final release of OpenDJ 2.5.0, due by the end of this year.

Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.

Enjoy!

Assigning a Custom Password policy to a subTree

OpenDJ supports defining password policies that are quite complete in terms of security measures to reduce the risks associated with textual passwords. It also defines 2 default policies, one for the administrators such as “cn=Directory Manager”, and one for all other users: the “Default Password Policy”. But it is possible to define additional password policies and assign them to individual users or groups of users. Today, we consider how to assign a password policy to all users under a specific subtree. In the article below, I first define a new custom password policy and then demonstrate 2 ways of assigning that password policy to all persons under the ou=people,dc=example,dc=com subtree.

Defining a custom password policy using dsconfig:

$ dsconfig create-password-policy \
 --set default-password-storage-scheme:Salted\ SHA-256 \
 --set password-attribute:userpassword \
 --type generic \
 --policy-name Custom\ PP \
 --hostname lpmac.local \
 --port 4444 \
 --bindDN cn=Directory\ Manager \
 --bindPassword ****** \
 -X -n

1- Assigning the password policy through a Virtual Attribute.

$ dsconfig create-virtual-attribute \
 --set attribute-type:ds-pwp-password-policy-dn \
 --set enabled:true \
 --set value:cn=Custom\ PP,cn=Password\ Policies,cn=config \
 --set base-dn:ou=people,dc=example,dc=com \
 --set filter:\(objectClass=person\) \
 --type user-defined \
 --name Custom\ PP\ Assignment \
 --hostname lpmac.local \
 --port 4444 \
 --bindDN cn=Directory\ Manager \
 --bindPassword ****** \
 -X -n

Check that the password policy is assigned properly:

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' '+' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA}u+52Ld6iaTvFoNlQvqTHrn1BBW9IjjT2/I25hg==
numSubordinates: 0
ds-pwp-password-policy-dn: cn=Custom PP,cn=Password Policies,cn=config
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Custom PP,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=user.1,ou=people,dc=example,dc=com
entryUUID: 4e9b7847-edcb-3791-b11b-7505f4a55af4

Change the user’s password; the new password should be encoded with the storage scheme specified in the policy (Salted SHA-256):

$ ldappasswordmodify -p 1389 -D uid=user.1,ou=People,dc=example,dc=com -w password -A -n newPassword
 The LDAP password modify operation was successful

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA256}vjIdZEtF1AIiM0EgY9unZUXXublwQwlOCoe4RYEIHtpzumW1hYyvNg==

2- Assigning the password policy using Collective Attributes:

$ ldapmodify -D cn=directory\ manager -w secret12 -p 1389
dn: cn=Pwp for Users,dc=example,dc=com
changetype: add
objectclass: collectiveAttributeSubEntry
objectclass: extensibleObject
objectclass: subentry
objectclass: top
ds-pwp-password-policy-dn;collective: cn=Custom PP,cn=Password Policies,cn=config
subtreeSpecification: { base "ou=people", specificationFilter "(objectclass=person)"}

Processing ADD request for cn=Pwp for Users,dc=example,dc=com
ADD operation successful for DN cn=Pwp for Users,dc=example,dc=com

Now we can check that the password policy is correctly assigned, and that it is used when changing the password, for example.

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' '+' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA}6tHBLHh2C25UpAsKX0eq0d6LEXYGX+Jcm4dh7g==
numSubordinates: 0
ds-pwp-password-policy-dn: cn=Custom PP,cn=Password Policies,cn=config
structuralObjectClass: inetOrgPerson
etag: 000000008211ac6a
pwdPolicySubentry: cn=Custom PP,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
collectiveAttributeSubentries: cn=Pwp for Users,dc=example,dc=com
entryDN: uid=user.1,ou=people,dc=example,dc=com
entryUUID: 4e9b7847-edcb-3791-b11b-7505f4a55af4

$ ldappasswordmodify -p 1389 -D uid=user.1,ou=People,dc=example,dc=com -w password -A -n newPassword
 The LDAP password modify operation was successful

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA256}WswyH9ANoKcxQWlSn/eL8h/dNk532K/e5zGlJcwiwMLsCQqw+cAX0Q==
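Both methods end with the same manual check: read the entry back, confirm ds-pwp-password-policy-dn points at the custom policy, and confirm the userPassword value carries the scheme tag the policy prescribes. The script below automates that check; it is an added example, not code from the original post or from OpenDJ. It parses the ldapsearch output shown above, inspects the scheme tag, and decodes the value as base64(digest || 8-byte salt), a layout assumed from the decoded lengths of the values above (28 bytes for {SSHA}, 40 for {SSHA256}); the function names and the BEFORE/AFTER samples are my own constructions.

```python
import base64
import hashlib
import os

# Salted schemes as OpenDJ stores them: {SCHEME}base64(digest || salt). The 8-byte
# salt is assumed from the decoded lengths of the values above (28 and 40 bytes).
SALTED_SCHEMES = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32)}
SALT_LEN = 8

def parse_ldif_entries(text):
    """ldapsearch output -> list of {attribute (lower-cased): [values]}; no line folding."""
    entries, current = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr.lower(), []).append(value)
    return entries + [current] if current else entries

def split_stored_password(value):
    """Return (scheme, digest, salt) for a {SSHA} or {SSHA256} userPassword value."""
    scheme, sep, encoded = value[1:].partition("}")
    scheme = scheme.upper()
    if not value.startswith("{") or not sep or scheme not in SALTED_SCHEMES:
        raise ValueError("not a supported scheme-tagged value: " + value[:12])
    _, digest_len = SALTED_SCHEMES[scheme]
    blob = base64.b64decode(encoded)
    if len(blob) != digest_len + SALT_LEN:
        raise ValueError("unexpected length %d for %s" % (len(blob), scheme))
    return scheme, blob[:digest_len], blob[digest_len:]

def encode_password(plaintext, scheme="SSHA256", salt=None):
    """Encode a password as the salted scheme stores it (random salt unless given)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.new(SALTED_SCHEMES[scheme][0], plaintext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def verify_password(stored, plaintext):
    """Recompute the digest with the stored salt and compare it to the stored digest."""
    scheme, digest, salt = split_stored_password(stored)
    return hashlib.new(SALTED_SCHEMES[scheme][0], plaintext.encode("utf-8") + salt).digest() == digest

def check_policy_assignment(ldif_text, expected_policy_dn, expected_scheme="SSHA256"):
    """List the problems found in the entries; an empty list means the policy is applied."""
    problems = []
    for entry in parse_ldif_entries(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        policy = entry.get("ds-pwp-password-policy-dn", [])
        if policy != [expected_policy_dn]:
            problems.append("%s: policy is %s" % (dn, policy or "missing"))
        for stored in entry.get("userpassword", []):
            try:
                scheme = split_stored_password(stored)[0]
            except ValueError as err:
                problems.append("%s: %s" % (dn, err))
                continue
            if scheme != expected_scheme:
                problems.append("%s: stored with %s, expected %s" % (dn, scheme, expected_scheme))
    return problems

CUSTOM_PP = "cn=Custom PP,cn=Password Policies,cn=config"

# Constructed from the search results above: the old {SSHA} value before the
# password change, and the {SSHA256} value written under the new policy.
BEFORE = """\
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA}u+52Ld6iaTvFoNlQvqTHrn1BBW9IjjT2/I25hg==
ds-pwp-password-policy-dn: cn=Custom PP,cn=Password Policies,cn=config
"""
AFTER = BEFORE.replace(
    "{SSHA}u+52Ld6iaTvFoNlQvqTHrn1BBW9IjjT2/I25hg==",
    "{SSHA256}vjIdZEtF1AIiM0EgY9unZUXXublwQwlOCoe4RYEIHtpzumW1hYyvNg==",
)
```

Feeding the output of the ldapsearch with '+' userPassword to check_policy_assignment over a whole subtree reveals users whose policy did not take (for example an entry that does not match the objectClass=person filter) or whose password has not been re-encoded since the policy was assigned.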

So which method of assigning a password policy to specific users is best?

The first method should be preferred when the password policy is defined in the configuration (as we’ve done in the example). Both configuration entries, the password policy and its assignment, live under the “cn=config” tree, which is not replicated, so they need to be defined on all replicas.

The second method defines the assignment of a policy to users as a subentry co-located with the data, and it is therefore replicated. It should be preferred if the password policy is also defined as a subentry, along with its assignment. This way of configuring a password policy is documented in the Administration Guide, Configuring Password Policies section, procedure 10.3 – To Create a Subentry Based Password Policy.

An Optimized solution for directory services?

I was recently pointed to a white paper published by Oracle called: Oracle Optimized Solution for Oracle Unified Directory — Implementation Guide.

Because Oracle Unified Directory and OpenDJ have a common root (both derive from the OpenDS project initiated by Sun), I was curious about that optimized solution, and whether there was anything that might be applicable for our customers. And after reading the 45-page white paper, honestly, the Oracle Optimized Solution is not something I would recommend to any of our customers (*).

The white paper describes the hardware used for the solution: three SPARC T4-1 systems with 128GB of RAM and six 300GB internal disks each. A SPARC T4-1 machine is an 8-core machine with each core supporting up to 8 threads. Each T4-1 system has a 10GbE add-on network card. And each T4-1 machine is attached to a Sun Storage 2500-M2 array (with 2540 controllers) through two fibre channel cards, and each storage array has 12 disks.

Let’s look at the average price for this solution: the SPARC T4-1 with 128 GB of RAM has an estimated public price of $24,344, but with only 2 internal disks. So add another $1,660 for the 4 additional disks. The lowest price for a 10GbE card for that system is $2,000, and the cheapest storage array with the same number of disks is roughly $27,000. That is a total cost per system of over $55,000, not including the cost of the Operating System, and a total cost for the “Optimized Solution” of approximately $165,000 (estimated public price).

So what performance do we get for this price? Well, the white paper will not tell you what the solution is optimized for. The only number that appears is the time it took to import the 15 million entries on one of the systems:

[07/Jan/2012:12:19:29 +0000] category=JEB severity=NOTICE msgID=8847569 msg=Total import time was 3790 seconds. Phase one processing completed in 2868 seconds, phase two processing completed in 922 seconds
[07/Jan/2012:12:19:29 +0000] category=JEB severity=NOTICE msgID=8847454 msg=Processed 15000001 entries, imported 15000001, skipped 0, rejected 0 and migrated 0 in 3790 seconds (average rate 3957.0/sec)
[07/Jan/2012:12:19:29 +0000] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds

Last week, I was in Mexico with a partner of ours, demonstrating the capabilities of OpenDJ with the customer’s data (exported a week ago, and which also contains several hundred very large static groups). We used x86-based machines with 96GB of memory, although we only used 16GB for the OpenDJ instance.

And here’s the output of the import command:

[25/Apr/2012:20:10:44 +0200] category=JEB severity=NOTICE msgID=8847538 msg=DN phase two processing completed. Processed 21654508 DNs
[25/Apr/2012:20:10:45 +0200] category=JEB severity=NOTICE msgID=8847569 msg=Total import time was 2002 seconds. Phase one processing completed in 1137 seconds, phase two processing completed in 865 seconds
[25/Apr/2012:20:10:45 +0200] category=JEB severity=NOTICE msgID=8847454 msg=Processed 21654508 entries, imported 21654508, skipped 0, rejected 0 and migrated 0 in 2002 seconds (average rate 10815.3/sec)
[25/Apr/2012:20:10:45 +0200] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds

I don’t have the price of the servers we used (but our partner can get in touch with you if you’re interested in the solution), but I doubt it tops half the price of the Oracle optimized solution!

So before you drink the Oracle Kool-Aid, think twice about what an optimized solution should be, and how much it should cost. Oh, by the way, there is no license cost for OpenDJ: it’s open source, it’s available now, and you can try it free of charge. Of course, we do appreciate it if you subscribe to one of our support offerings to protect your investment and ensure a Service Level Agreement.

(*) I would never recommend a directory solution on SPARC Tx machines. While the machines have good capacity for load, the performance for any write activity is really bad, especially as soon as access controls are in use. Most of our partners who have been deploying directory services on these machines will agree with me. As a matter of fact, I don’t recall any recent customer mentioning SPARC or Solaris when renewing their directory service infrastructure.