directory

OpenDJ: Quick Replication setup

Ludo48 Comments

OpenDJ Servers Replication

As we develop OpenDJ, we spend a lot of time testing, whether it’s a new feature or a correction to an existing one. We usually write some unit tests to validate the code and then some functional tests to check the feature from a “user” point of view. While the unit tests are typically run with a single server, the functional or integration tests are run with configurations that match our customers deployment. And one of the given fact for any directory service deployment with OpenDJ that I’m aware of, is that the service is made of two or more OpenDJ directory servers with Multi-Master Replication enabled between them.

Setting up Multi-Master Replication with OpenDJ is quite easy and I’m going to demonstrate it here:

Lets assume we want to install 2 OpenDJ servers on the following hosts : ldap1.example.com and ldap2.example.com. For simplicity and because for test we avoid running tests with root privileges, we will configure the server to use port 1389 and 1636 for LDAP and LDAPS respectively.

On ldap1.example.com

$ unzip OpenDJ-2.4.2.zip
$ cd OpenDJ-2.4.2
$ ./setup -i -n -b "dc=example,dc=com" -d 20 -h ldap1.example.com -p 1389 \
  --adminConnectorPort 4444 -D "cn=Directory Manager" -w "secret12" -q -Z 1636 \
  --generateSelfSignedCertificate

Do the same on ldap2.example.com, the parameters being the same except for the -h option that should be ldap2.example.com

Now, you have 2 instances of OpenDJ configured and running with 20 sample entries in the suffix “dc=example,dc=com”. Let’s enable replication:

$ bin/dsreplication enable --host1 ldap1.example.com --port1 4444\
  --bindDN1 "cn=directory manager" \
  --bindPassword1 secret12 --replicationPort1 8989 \
  --host2 ldap2.example.com --port2 4444 --bindDN2 "cn=directory manager" \
  --bindPassword2 secret12 --replicationPort2 8989 \
  --adminUID admin --adminPassword password --baseDN "dc=example,dc=com" -X -n

And now make sure they both have the same data:

$ bin/dsreplication initialize --baseDN "dc=example,dc=com" \
  --adminUID admin --adminPassword password \
  --hostSource ldap1.example.com --portSource 4444 \
  --hostDestination ldap2.example.com --portDestination 4444 -X -n

For my daily tests I’ve put the commands in a script that I can run and will deploy 2 servers, enable replication between them and initialize them, all on a single machine (using different ports for LDAP and LDAPS).

Now if you want to add a 3rd server in the replication topology, install and configure it like the first 2 ones. And join it to the replication topology by repeating the last 2 commands above, replacing ldap2.example.com with the hostname of the 3rd server. Need a 4th one ? Repeat again, keeping ldap1.example.com as the server of reference.

LDAP Advanced Administration for Enterprises…

Ludo12 Comments

OpenDJ directory server has one default administrator that can manage all aspects of the server.

In an earlier post, I’ve described how to create multiple administrative accounts in OpenDJ, and in another one, I’ve talked about the Privilege system and how it can be used to tailor the administrative roles of each account.

In most enterprises, administrators are usually employees and therefore have their own entries and password. For auditing purpose, security processes require that a change or an administrative task on the directory be done as the true person and not the administrative account. But often there are multiple administrators, and they can change role frequently. So what is the best practice for granting employees some administrative privileges ?

An efficient and manageable way  is to create an Administrators’ group and grant the privileges to all members of that group. When an employee, is no longer administrator, simply remove him from the group and he will loose all privileges associated. Likewise, adding a new administrator is just adding a member in the group.

With OpenDJ, this can be done with 2 simple entries : a group and a privilege collective attribute subentry.

The Group :

dn: cn=Administrators,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
description: LDAP Administrators Group
cn: Administrators
member: uid=ludo,ou=People,dc=example,dc=com
member: uid=Matt,ou=people,dc=example,dc=com

The Collective Attribute Subentry :

dn: cn=Administrators Privilege,dc=example,dc=com
objectClass: extensibleObject
objectClass: collectiveAttributeSubentry
objectClass: top
objectClass: subentry
cn: Administrators Privilege
ds-privilege-name;collective: config-read
ds-privilege-name;collective: config-write
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: modify-acl
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter
  "(isMemberOf=cn=Administrators,ou=groups,dc=example,dc=com)" }

How does it work ?

Collective Attributes is a standard based LDAP functionality that allows to define attributes and value that are defined once and appear in all entries that match the subtreeSpecification. Collective Attributes are defined in RFC 3671. For those who are familiar with Sun Directory Server’s Class Of Service, Collective Attributes provide a similar function, but based on industry approved standard.

OpenDJ collective attributes feature supports a few extensions to facilitate their use.

First, the standard way to define a collective attribute is to define it in the schema with a “c–” prefix. With OpenDJ, any existing attribute can be defined as collective with the ;collective attribute option.

Second, the scope of a Collective Attribute subentry as defined by the standard is a subtree, but the only filter possible is to specify the object class it applies to. We’ve extended the specificationFilter to accept an arbitrary LDAP filter, allowing a finer grained control of which entries are targeted.

In the example above, the filter is used to restrict the Privilege Collective Attribute subentry to apply only to entries that have the isMemberOf attribute with the value “cn=Administrators,ou=Groups,dc=example,dc=com”.

IsMemberOf is an operational read-only attribute (virtual) that is a back-link to the groups a user belongs to. OpenDJ does support the isMemberOf attribute for static groups, nested static groups and dynamic groups.

The subtreeSpecification also contains a base “ou=people” to restrict the targeted entries to the ou=people subtree. There are additional field allowed in the subtreeSpecification to indicate a depth in the tree for example.

As a result, collective attribute subentries, combined with groups, provide a flexible way to “inject” attributes and values to a specified set of entries, either to grant them specific privileges like in our example, or to decorate entries based on some common properties.

This said, remember that privileges are set in addition to the Access Controls. So giving a user the password-reset privilege for example, will be useless if there is no ACI allowing him or her to modify the userPassword attribute of other users. Granting access through an ACI to a group is as simple as using groupdn=”ldap:///cn=Administrators,dc=example,dc=com”;  to designate the authorized identities.

A new release of OpenDJ : 2.4.2

Ludo1 Comment

We’ve just pushed another consolidation release of OpenDJ, the open source Directory services in Java, resolving a number of issues around the External Changelog and multi-master Replication, resulting in a more efficient and more reliable service, especially after network outages.

The full details about the release have been posted in the OpenDJ 2.4.2 Release Notes.

As usual, you can find every thing on the OpenDJ Downloads page:

Enjoy !

The 3rd international LDAP Conference is coming this year

LudoLeave a comment

The conference is happening once every other year, so with the plethora of conferences here and there, it’s quite easy to forget about it. But LDAPCon 2011, the 3rd international Conference on LDAP has been announced and will take place in October 10-11 2011 in Heidelberg, Germany.

LDAPCon brings together vendors, developers, active LDAP practitioners, system administrators to share their experiences about service operations, interoperability, application development and discuss LDAP at large, in a friendly and passionated athmosphere. It’s a unique occasion to discuss with the developers of most LDAP related projects, seed them with new ideas, learn the under-documented tips and tricks about your favorite server or library, or exchange with other users and system administrators about the best practices around LDAP directory services and applications.

A Call for Papers have been raised. You have up to July 8th 2011 to submit your talk. You can find all details, important dates or topic ideas on the LDAPCon CFP page.

Don’t miss the conference, it’s only happening every 2 years. I hope I’ll see you in Heidelberg.

Ubuntu 10.04 LDAP naming service with OpenDJ

LudoLeave a comment

Ubuntu documentation with regards to LDAP client authentication has been available for a while but is limited to a few directory servers. As more and more companies are looking for a replacement of their legacy Sun Directory Server, I’m happy to relay that Dave Koelmeyer has just posted a very detailed and step by step guide on how to do LDAP authentication with Ubuntu 10.04 and OpenDJ 2.4.1. A nice complement to the official docs. And a nice contribution to the OpenDJ community.

Enjoy !

Quality Matters

Ludo2 Comments

As we’re working towards releasing a micro-release of OpenDJ 2.4, fixing a few issues that have been raised by our customers and adopters, we’ve made another important move towards increasing the quality of ForgeRock products :

Gary Williams has started at ForgeRock today, growing the forces at the ForgeRock Grenoble Engineering Center, and will lead our quality assurance engineering efforts. Gary comes from Sun (Oracle) where he was Principal Quality Assurance Engineer, driving the testing efforts for OpenDS and previously for Sun Directory Server Enterprise Edition. He brings almost 20 years of experience in QA and testing software applications and servers.

Welcome to ForgeRock, Gary !

Upgrading from OpenDS to OpenDJ

LudoLeave a comment

OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.

It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and more error-proof way.

First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.

Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.

Go in the directory of the instance to upgrade:

cd /local/OpenDS2.2/

From that place, run the OpenDS 2.2 upgrade command :

./upgrade

The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key

The provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip

And then continue with the Upgrade program.

Should some customization of the schema or the configuration failing to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.

If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.

And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency.  To do so, stop the upgraded server and run the rebuild-index command :

bin/rebuild-index <some options> -i dn2id -b "<suffix>"

If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.

Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.

Enjoy.

Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.

Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.

1 Year Old and 1 New Architect

Ludo1 Comment

ForgeRock is exactly ONE year old today. As we’re a distributed and quite global company, we’re not going to blow the candle on the cake today. But I’m sure next time we meet, we’ll have one as nice as the one we had during our last company meeting in Faro, Portugal.

Also today is the first day at ForgeRock of Matthew Swift, as Architect for the OpenDJ project, growing the forces at the ForgeRock Grenoble Engineering Center. Matthew comes from Sun (Oracle) where he was leading the development of the core of OpenDS, as well as the LDAP Client API. He has been doing interesting work with regards to performances with the OpenDS server (he’s the one who provided me with nice numbers to present), and its reliability. Matthew has several years of experience building LDAP and Directory related products as well as Java development, for Sun, Bloomberg and Isode. He’s bringing his talent and energy back to the open source project and will help make OpenDJ an even stronger and better product.

I’m really delighted to work with Matthew again.

And what a great day today !

Directory Administrative Accounts – cont.

Ludo2 Comments

In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.

In the OpenDJ directory service, there are 2 types of authorization systems :

  • Privileges control who can perform which administrative tasks : backup, restore, stop and restart of the server, managing acl…
  • Access Controls Lists govern the access to the data through LDAP operations.

Most operations involving sensitive or administrative data require that the user has both the privilege and authorization. This allows finer-grain authorization for specific data related action such as managing acl or reseting passwords.

The Privilege SubSystem

Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.

That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.

To list the current default privileges assigned to all RootDN users :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n get-root-dn-prop

Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema

To make sure that all searches are done with proper indexes, you may want to remove the privilege to all Administrative Accounts to perform unindexed searches :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n set-root-dn-prop –remove default-root-privilege-name:unindexed-search

Note: Removing this privilege to all Administrative accounts including the default “cn=Directory Manager” may have side effects for certain internal operations such as group membership, referential integrity…

Whenever adding a new Administrative Account under the “cn=Root DNs,cn=config” container, it automatically inherits from those privileges. But each administrative account can then be denied or added specific privileges by adding values of the “ds-privilege-name” attribute directly in the user entry, in the form of the privilege name or a Minus sign followed by the privilege name.

For example, I can make sure that my newly added Administrative Account is subject to access controls and cannot modify access controls lists, I modify the entry as followed :

Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:

dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

And then apply it to the directory service with the following command :

bin/ldapmodify -h localhost -p 4444 -X -Z -D “cn=directory manager” -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif

Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.

But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.

The complete list of privileges supported in OpenDJ 2.4 is below:

  • backend-restore: Ability to perform backend restore operations.
  • bypass-acl: Ability to bypass access control evaluation.
  • bypass-lockdown:Ability to bypass server lockdown mode.
  • cancel-request: Ability to cancel arbitrary client requests.
  • config-read: Ability to read the server configuration.
  • config-write: Ability to update the server configuration.
  • data-sync: Ability to participate in a data synchronization environment.
  • disconnect-client: Ability to terminate arbitrary client connections.
  • jmx-notify: Ability to subscribe to JMX notifications.
  • jmx-read: Ability to perform read operations via JMX.
  • jmx-write: Ability to perform write operations via JMX.
  • ldif-export: Ability to perform LDIF export operations.
  • ldif-import: Ability to perform LDIF import operations.
  • modify-acl: Ability to modify access control rules.
  • password-reset: Ability to reset user passwords.
  • privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
  • proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
  • server-lockdown: Ability to lockdown a server.
  • server-restart: Ability to request a server restart.
  • server-shutdown: Ability to request a server shutdown.
  • subentry-write: Ability to perform write operations on LDAP subentries.
  • unindexed-search: Ability to perform an unindexed search
  • update-schema: Ability to update the server schema.

Multiple Directory Administrative Users

Ludo6 Comments

Most of LDAP directory servers configure a single well known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we are too often seeing that special account being used by all applications that have specific administrative needs : the provisioning application, the email management application, …

OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.

The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.

Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.

Create a file newAdmin.ldif

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

ldapmodify -a -D cn=Directory Manager -j /var/tmp/dmpassfile -f  newAdmin.ldif

Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :

$ bin/ldappasswordmodify -p 1389 -D “cn=directory manager” -j /var/tmp/dmpassfile -a “”cn=Admin2,dc=example,dc=com” -N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.

Did you notice the “ds-cfg-alternate-bind-dn” attribute in the definition of the new administrative account ? This enables to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the “cn=config” suffix.

So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.

In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

OpenDJ 2.4.0 has been released

Ludo6 Comments

I’m very pleased to announce the first full release of our Open source Directory services for the Java platform : OpenDJ 2.4.0.

Based on open source and open standards, OpenDJ is a new LDAPv3 compliant directory service, providing a high performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform makes of OpenDJ the simplest and fastest directory server to deploy and manage.

Choosing OpenDJ as an enterprise directory service has the following benefits :

  • Lower the cost of ownership : Delivers more performance while consuming less resources (disks, memory and CPUs). Simplifies the administrative tasks by automating them.
  • Platform independence : Runs on any platform that supports Java 6, including virtualized environments.
  • High Availability : Supports deployment of multiple servers in a multi-master replication topology, providing failover and disaster recovery.
  • Secure data store : Supports different levels of authentication and authorization. Protects passwords through encryption and extensive policies.
  • Monitoring and Alerts : Can be monitored by 3rd party applications using SNMP and JMX. Supports custom alerts to inform of specific events in the service.
  • Interoperability : Supports all LDAPv3 standard specifications, most of LDAPv3 standard and experimental extensions as well as some vendor specific extensions, easing integration with applications.

After a little bit over 2 months of beta testing, OpenDJ is now ready for use into production. And with this release, the OpenDJ project delivers the features announced on OpenDS roadmap and plans to continue the development of the project in a true open and collaborative way.

OpenDJ 2.4.0 can be downloaded from our downloads page, or installed through Java WebStart by just clicking here. You can find more details about it in the Release Notes.

Enjoy !

And send us your feedback, on the OpenDJ mailing list (subscribe here) or on #opendj IRC channel.

OpenDS 2.3.0-build002 is now available…

Ludo3 Comments

Opends Logo TagWe have just uploaded OpenDS 2.3.0-build002, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build002 is built from revision 6400 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build002, including the detailed change log

Major changes since OpenDS 2.3.0 build001 include :

  • Multiple improvements on the Control Panel and the Setup
  • Multiple incremental improvements with the External Changelog, including reliability and performance (Issue #4478)
  • Upgraded the version of the Berkeley DB Java Edition to 4.0.95
  • Final fix for issue #4367, removing the need for BDB logging configuration via properties
  • Fixes some memory leaks with lots of connects and disconnects (Issue #4491)
  • Resolves a NPE when using Extensible Matching filters without matching rule OID (Issue #4385)
  • Fixes an issue (#4539) with the DSML gateway with JAXB and some Application Servers
  • Fixes an issue (#4492) in ACI where an NPE would occur when the base entry contains a single RDN component
  • Improves the reliability of the OpenDS Windows Services (Issues #4084 and #4381)
  • Resolves issue #4523 where ACI and sub-entry caches were not updated on replicas
  • Resolves issue #4538 where Virtual attributes would not be retrieved when the entry cache is configured
  • Fixes an issue with access controls that would give different results for cn=Directory Manager and plain user (Issue #4547)
  • Enhances the support and compliance of LDAP subentry, Collective attributes and Password Policy
  • Resolves several issues with Replication including Issues #4514, #4533 and #4534, and enhance the way Replication servers are electing servers they connect to (Issue #4343)
  • Renamed the extensions directory to “experimental”. The only experimental extension is the ArisID privacy control
  • Fixes several issues related to building OpenDS, especially on Windows.

Technorati Tags: , , , , , , ,

Subversion authorization through LDAP with OpenDS

Ludo1 Comment

If you building a centralized development environment for a team or large group of users, the question of centralizing user identities, authentication and authorization is always popping up and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source project like GlassFish, Apache Tomcat, SugarCRM… But not yet for Subversion. Thankfully, Wooter van Reeven, Senior Consultant at Yenlo has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.

Update on March 18th.

Wooter has also posted a copy of the article on OpenDS documentation wiki.

I’ve also been aware of an older article on the subject of Subversion with Apache and LDAP by Jeremy Whitlock, engineer in the CollabNet Subversion team. This article contains more details on the Apache configuration parameters and snippets for both Apache 2.0 and Apache 2.2.

Technorati Tags: , , , , , ,

OpenDS Tab Sweep

LudoLeave a comment

It’s been a while since I last posted an OpenDS tab sweep. So here’s a list of news and pointers related to our open source LDAP directory server.

PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.

The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.

IconcurldapintegrationiConcur Software delivers new Axiom a Requirements management tool integrates by default with OpenDS.

Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !

Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.

Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.

Sopera, a german company building open source SOA is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource)

SOPERA ASF ToolSuite partial screenshot

Also in the recent days a couple of new LDAP browsers appeared.

Finally, in a introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggest that Java based OpenDS directory Server as a good alternative for running your own LDAP service on MS infrastructure.

Technorati Tags: , , , , ,

OpenDS 2.3.0-build001 is now available…

LudoLeave a comment

In December, the team had released OpenDS 2.2.0, a stable release of the LDAP directory server written for the Java platform. While the quality assurance team was testing and making sure the level of quality and reliability was there, the developers continued to add features on the trunk.

So today, I’m happy to announce the promotion of OpenDS 2.3.0-build001, the first development build on the path to OpenDS 2.4, a stable release currently planned for Summer 2010.

OpenDS 2.3.0-build001 is built from revision 6353 of our source tree and contains 2 major features :

  • The import code has been refined to improve performances, especially with very large data set. Tests have been run with 1,000,000,000 entries and the file imported in about 40 hours.
  • This version of OpenDS provides support for Subentries in LDAP [RFC 3672] and Collective Attributes for LDAP [RFC 3671]. In addition to the support of the Collective attribute standard, OpenDS supports a more user friendly notation, allowing to make use of Collective attribute definitions with standard attributes. More on this subject in a future article, although if you want to understand how to use it, Anton already wrote a description on the OpenDS Wiki.

These 2 features are just started to be seriously tested by the OpenDS team, so they cannot be considered as fully stable yet. There are already some issues being investigated, with the rebuild-index and verify-index commands. If you do find an issue with this OpenDS build, please report it in Issue Tracker.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build001/OpenDS-2.3.0-build001.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build001/OpenDS-2.3.0-build001-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build001/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build001, including the detailed change log

Major changes since OpenDS 2.2.0 include :

  • Multiple improvements on the Control Panel and the Setup including display of equivalent command-line commands, cosmetic aspects, messages, referral handling…
  • Multiple incremental improvements with the External Changelog, including reliability and performance
  • Revision 6190 – Upgraded the version of the Berkeley DB Java Edition to 4.0.73
  • Revision 6192 (Issue #4360) – Improves responsiveness of the OpenDS server when hammered with large searches and slow clients
  • Revisions 6198, 6209 (Issue #4371) – Solves an issue with PKCS12 certificates that do not have alias
  • Revision 6208 (Issue #4373) – Improves time to start the replication service
  • Revision 6292 (Issue #3601) – Adds the ability to update or delete schema attribute types and object classes definitions in the Control Panel
  • Revision 6332 (Issue #4472) – Fixes the way a Workflow element is checked to be a parent of another Workflow element
  • Revision 6334 (Issue #4464) – Solves an issue where reading the RootDSE could take too long when External Changelog is enabled
  • Revision 6336 (Issue #4477) – Increases the maximum size of DB log files from 10MB to 100MB
  • Revision 6351 – Support for localization in Catalan (ES_CA)
  • Revision 6353 (Issue #4489) – Resolve an issue where Java would not be detected even though JAVA_HOME variable was set

Technorati Tags: , , , , , , ,