Tab Sweep Summer Edition

Closing tabs and removing bookmarks in my browser before going on vacation, I ought to post a few links first:

ForgeRock is growing and I’m happy to count Chris Ridd as a new member of the OpenDJ team. Chris’ main focus will be support and sustaining, but he has already started building up knowledge, posted an article on our wiki about using Eclipse for OpenDJ development, and has a new feature enhancement in progress.

Open source projects like other open source projects. For the last few months, Silverpeas has been running demos and tests with the OpenDJ LDAP directory service. They have moved one step closer by integrating OpenDJ in their unit test framework, posted the JUnit module on GitHub, and documented the process. A French version of the article is also available.

Bill Nelson keeps on publishing snippets of the OpenDJ Administration, Maintenance and Tuning class, and this week posted an Architecture overview of the OpenDJ directory server.

Version 2.0 of the LDAP Synchronization Connector (LSC-Project) has been released. I need to give the new version a try, as LSC has proved helpful for migrating directory services.

Dave Koelmeyer wrote a simple yet very useful article describing how to enable LDAP secondary group memberships with Ubuntu 12.04 and OpenDJ.

Phil Lembo, alias ELDAPO, posted a short article describing how to update the JVM version used by OpenDJ. There are some good reasons for enforcing some stickiness with the version of the JVM, but controlling the runtime environment for a service that can be critical is the major one.

Have I already mentioned that we’re hiring? If you’re a developer, have some good object-oriented programming experience with Java, and want to live close to the Alps, enjoying cycling, hiking or hang-gliding in summer and skiing or snowboarding in winter, then you should apply now.

At Pipay, 15 km from ForgeRock Grenoble Engineering Center

OpenDJ 2.5.0-Xpress1 is now available

I’m happy to announce that a new revision of OpenDJ, the open source LDAP directory server in Java has just been released. OpenDJ 2.5.0-Xpress1 is a new stable release of the main development branch of the OpenDJ project.

OpenDJ 2.5.0-Xpress1 brings you the latest features such as:

  • Capability to delegate authentication to Microsoft Active Directory (pass-through authentication)
  • Improved enforcement of referential integrity for groups, whereby OpenDJ can now ensure both that members’ entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted
  • Access log filtering, with additional output configuration to combine request and response messages, log control OIDs, and specify timestamp formats
  • Optimistic concurrency control through ETag attributes
  • Synchronization of Samba and OpenDJ passwords

You can find more details about the OpenDJ 2.5.0-Xpress1 release in the OpenDJ Release Notes.

The release is built out of revision 8087 of the trunk of the code repository.

As usual, you can find everything on the OpenDJ Downloads page.

The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on track for an accurate, reviewed version for the final release of OpenDJ 2.5.0, due by the end of this year.

Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.

Enjoy!

What a week!

Big Ben

It’s been one of those weeks where you’re so busy that you hardly have the time to tweet, let alone blog. The week started on Sunday morning with an early flight to London (after a very short night thanks to my daughter’s end-of-year party). On Monday, I was driven to Bristol to see our new office, meet with Steve Ferris, head of ForgeRock UK, and meet with Chris Ridd, who has just joined our company as a Support engineer, focusing mostly on OpenDJ, our open source LDAP directory service in Java.

After Oslo, this was the second stage of my tour of world-wide offices (*). The Bristol office opened a couple of weeks ago, and it’s really nice, located on Queen’s Square, in an old house spread over 3 storeys and a cellar.

Photos: Bristol office, Bristol wall, Bristol break room, Bristol meeting room

On Tuesday, we left the Bristol office around noon to come back to London for 2 meetings with customers, both using OpenDJ. On Wednesday morning I flew back to France to prepare our Grenoble office warming party, planned for Thursday at 5:30pm.

On Thursday I went and picked up Lasse Andresen, our CEO, at the airport. He was just back from San Francisco and making a detour on his way home for the party. We had a little time to talk about the business, hiring, and a few other things, and already our first guests started to show up for the official opening of the new office of the ForgeRock Grenoble Engineering Center. Over an hour and a half, we had visits from some of our office neighbors, some ex-colleagues from Sun, the Chief Service Officer of BonitaSoft (another great startup from Grenoble, built on open source software), our external accountants, a few leaders from the AlpesJUG (the local Java User Group), guests from other software or services companies around, and even the future new hire who signed his contract yesterday. I was so busy welcoming everyone and making sure glasses were not empty that I realized afterwards I had not taken a single photo of the event, despite having my camera ready on my desk.

This morning, Lasse and I had another work session before he headed towards the airport to fly back home, and since then I’ve been trying to catch up on emails, documents and all… This is my last action before I call it a week and go to the living room to sip a very fresh beer and relax!

The coming weeks should allow me more time for blogging and tweeting. Until then, enjoy the weekend!

(*) I don’t plan to continue my tour until September, and should see the San Francisco office when I come to speak at JavaOne.

A visit to the new Oslo offices

Entrance of ForgeRock Oslo office

I’m just leaving Oslo after a short visit to our new Oslo offices and meetings with my colleagues from Sales and Business Development.

It was nice to finally meet many of the ForgeRock employees I’ve been working with through Skype, phone and email, and also to meet some visitors from other ForgeRock locations. Working in the Oslo office feels very similar to working in the Grenoble one: there is a friendly and relaxed atmosphere, although with deep concentration and intense work going on.

I’ll be coming back to Oslo at a more regular pace starting from September, but as I’m leaving, I wish I could come back with my whole family during the summer, as it’s probably the best season to come to Norway: the light is incredible, the weather great and it feels so relaxing. Hmmm, this sounds like a plan for next year’s family vacation!?

Assigning a Custom Password Policy to a Subtree

OpenDJ supports defining password policies that are quite complete in terms of security measures to reduce the risks associated with textual passwords. It also defines 2 default policies, one for the administrators such as “cn=Directory Manager”, and one for all other users: the “Default Password Policy”. But it is possible to define additional password policies and assign them to individual users or groups of users. Today, we are considering how to assign a password policy to all users under a specific subtree. In the article below, I first define a new custom password policy and then demonstrate 2 ways of assigning that password policy to all persons under the ou=people,dc=example,dc=com subtree.

Defining a custom password policy using dsconfig:

$ dsconfig create-password-policy \
 --set default-password-storage-scheme:Salted\ SHA-256 \
 --set password-attribute:userpassword \
 --type generic \
 --policy-name Custom\ PP \
 --hostname lpmac.local \
 --port 4444 \
 --bindDN cn=Directory\ Manager \
 --bindPassword ****** \
 -X -n

1 – Assigning the password policy through a virtual attribute:

$ dsconfig create-virtual-attribute \
 --set attribute-type:ds-pwp-password-policy-dn \
 --set enabled:true \
 --set value:cn=Custom\ PP,cn=Password\ Policies,cn=config \
 --set base-dn:ou=people,dc=example,dc=com \
 --set filter:\(objectClass=person\) \
 --type user-defined \
 --name Custom\ PP\ Assignment \
 --hostname lpmac.local \
 --port 4444 \
 --bindDN cn=Directory\ Manager \
 --bindPassword ****** \
 -X -n

Check that the password policy is assigned properly:

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' '+' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA}u+52Ld6iaTvFoNlQvqTHrn1BBW9IjjT2/I25hg==
numSubordinates: 0
ds-pwp-password-policy-dn: cn=Custom PP,cn=Password Policies,cn=config
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Custom PP,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=user.1,ou=people,dc=example,dc=com
entryUUID: 4e9b7847-edcb-3791-b11b-7505f4a55af4

Change the user’s password; the new password should be encoded with the scheme specified in the policy (Salted SHA-256, tagged {SSHA256}):

$ ldappasswordmodify -p 1389 -D uid=user.1,ou=People,dc=example,dc=com -w password -A -n newPassword
The LDAP password modify operation was successful

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA256}vjIdZEtF1AIiM0EgY9unZUXXublwQwlOCoe4RYEIHtpzumW1hYyvNg==

2 – Assigning the password policy using collective attributes:

$ ldapmodify -D cn=directory\ manager -w secret12 -p 1389
dn: cn=Pwp for Users,dc=example,dc=com
changetype: add
objectclass: collectiveAttributeSubEntry
objectclass: extensibleObject
objectclass: subentry
objectclass: top
ds-pwp-password-policy-dn;collective: cn=Custom PP,cn=Password Policies,cn=config
subtreeSpecification: { base "ou=people", specificationFilter "(objectclass=person)"}

Processing ADD request for cn=Pwp for Users,dc=example,dc=com
ADD operation successful for DN cn=Pwp for Users,dc=example,dc=com

Now we can check that the password policy is assigned correctly, and that it is used when changing the password, for example.

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' '+' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA}6tHBLHh2C25UpAsKX0eq0d6LEXYGX+Jcm4dh7g==
numSubordinates: 0
ds-pwp-password-policy-dn: cn=Custom PP,cn=Password Policies,cn=config
structuralObjectClass: inetOrgPerson
etag: 000000008211ac6a
pwdPolicySubentry: cn=Custom PP,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
collectiveAttributeSubentries: cn=Pwp for Users,dc=example,dc=com
entryDN: uid=user.1,ou=people,dc=example,dc=com
entryUUID: 4e9b7847-edcb-3791-b11b-7505f4a55af4

$ ldappasswordmodify -p 1389 -D uid=user.1,ou=People,dc=example,dc=com -w password -A -n newPassword
The LDAP password modify operation was successful

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "" 'uid=user.1' userPassword
dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA256}WswyH9ANoKcxQWlSn/eL8h/dNk532K/e5zGlJcwiwMLsCQqw+cAX0Q==

So which method of assigning a password policy to specific users is best?

The first method should be preferred when the password policy is defined in the configuration (as we’ve done in the example). Both configuration entries, the password policy and its assignment, are under the “cn=config” tree, which is not replicated, so they need to be defined on every replica.

The second method defines the assignment of a policy to users as a subentry collocated with the data, and it will be replicated along with that data. It should be preferred if the password policy is also defined as a subentry, along with its assignment. This way of configuring a password policy is documented in the Administration Guide, Configuring Password Policies section, procedure 10.3 – To Create a Subentry Based Password Policy.
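To check the assignment across a whole subtree rather than one user at a time, here is an added Python audit (my own example, not part of the original post or of OpenDJ): it parses saved ldapsearch LDIF output and reports every person under the base DN whose effective policy (pwdPolicySubentry) or userPassword scheme tag differs from what the custom policy should produce. The LDIF below is constructed sample data with placeholder hash values.

```python
import base64
from typing import Dict, List

# Constructed sample ldapsearch output (LDIF). The userPassword values are
# placeholders, not real digests; only the {SCHEME} tag matters to the audit.
SAMPLE_LDIF = """\
dn: uid=user.1,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SSHA256}cGxhY2Vob2xkZXItb25l
ds-pwp-password-policy-dn: cn=Custom PP,cn=Password Policies,cn=config
pwdPolicySubentry: cn=Custom PP,cn=Password Policies,cn=config

dn: uid=user.2,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SSHA}cGxhY2Vob2xkZXItdHdv
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: top
objectClass: person
userPassword: {SSHA512}cGxhY2Vob2xkZXItYWRtaW4=
pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    drops attribute options (e.g. ';collective') and lower-cases attribute names."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.split(";")[0].strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    return entries


def scheme_tag(userpassword: str) -> str:
    """Return the {SCHEME} tag of a stored password, or 'CLEAR' if there is none."""
    if userpassword.startswith("{") and "}" in userpassword:
        return userpassword[1:userpassword.index("}")].upper()
    return "CLEAR"


def audit(ldif: str, base_dn: str, policy_dn: str, scheme: str) -> List[str]:
    """List every person under base_dn whose effective policy or hash scheme is wrong."""
    findings: List[str] = []
    for entry in parse_ldif(ldif):
        dn = entry.get("dn", [""])[0]
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if "person" not in classes or not dn.lower().endswith("," + base_dn.lower()):
            continue  # the policy is only meant for persons under the subtree
        effective = entry.get("pwdpolicysubentry", [""])[0]
        if effective.lower() != policy_dn.lower():
            findings.append(f"{dn}: effective policy is {effective or 'none'!r}, expected {policy_dn!r}")
        for stored in entry.get("userpassword", []):
            tag = scheme_tag(stored)
            if tag != scheme.upper():
                findings.append(f"{dn}: userPassword uses {{{tag}}}, expected {{{scheme}}}"
                                " (re-hashed only when the password is next changed)")
    return findings
```

Run it on the output of the ldapsearch command above saved to a file; a password keeps its old scheme tag until the user changes it, which is why that case is reported as something to follow up rather than as a configuration error.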

More secure passwords!

I received an intriguing request from a customer last week: they wanted to know if we had benchmarked the password hashing schemes that are available in OpenDJ, our LDAP directory service. Their fear was that with stronger schemes, they could not sustain a high authentication rate.

In light of the LinkedIn leak of several million passwords, hashed with simple unsalted SHA-1, I decided to run a quick and simple test.

Salted SHA-1 (SSHA) is the default password hashing scheme in OpenDJ. The salt is an 8-byte (64-bit) random octet string, combined with the password to produce the 20-byte message digest. But OpenDJ directory server supports a wide range of password hashing schemes, and Salted SHA-512 is currently the most secure hashing algorithm we support (the salt here is also an 8-byte (64-bit) random octet string).
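As an added illustration of that storage format (my own Python, not OpenDJ code): the stored value is the {TAG} followed by base64(digest || salt), where the digest is SHA over password || salt, and verification repeats the hash with the salt recovered from the stored value. The values quoted on this page are used only to show the digest and salt lengths.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# OpenDJ salted SHA schemes: stored value is {TAG}base64(digest || salt),
# with digest = H(password || salt). OpenDJ generates an 8-byte random salt.
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}
SALT_LEN = 8


def encode(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the given OpenDJ salted SHA scheme."""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme " + scheme)
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh per-password salt, as the server does
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def split(stored: str) -> Tuple[str, bytes, bytes]:
    """Split a stored value into (scheme tag, digest, salt); raise on malformed input."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing storage scheme tag")
    tag, b64 = stored[1:].split("}", 1)
    tag = tag.upper()
    if tag not in SCHEMES:
        raise ValueError("unsupported scheme " + tag)
    raw = base64.b64decode(b64, validate=True)
    digest_len = hashlib.new(SCHEMES[tag]).digest_size  # 20 / 32 / 64 bytes
    if len(raw) <= digest_len:
        raise ValueError("value too short to contain a digest and a salt")
    return tag, raw[:digest_len], raw[digest_len:]   # salt is whatever follows


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored value (the bind-time comparison)."""
    tag, digest, salt = split(stored)
    candidate = hashlib.new(SCHEMES[tag], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def sizes(stored: str) -> Tuple[int, int]:
    """Return (digest length, salt length) in bytes, e.g. to audit existing values."""
    _, digest, salt = split(stored)
    return len(digest), len(salt)
```

The per-password salt is what defeats precomputed tables and makes two users with the same password store different values; it does not change how fast a single guess can be checked, which is exactly why the benchmark below shows so little cost.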

So for the test, I generated a sample directory data set with 10 000 users and imported it into OpenDJ (a 2.5 development build) with the default settings, on my laptop (MacBook Pro, 2.2 GHz Intel Core i7).

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "dc=example,dc=com" 'uid=user.10' dn userPassword
dn: uid=user.10,ou=People,dc=example,dc=com
userPassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

I then ran authrate, a small benchmark tool that stresses an LDAP server with a high number of authentications (LDAP Bind requests), and let it run for 5 minutes.

$ authrate -h localhost -p 1389 -g 'rand(0,10000)' -D "uid=user.%d,ou=people,dc=example,dc=com" -w password -c 32 -f
-----------------------------------------------------------------
     Throughput                 Response Time
    (ops/second)               (milliseconds)
 recent  average   recent  average   99.9%   99.99%  99.999%  err/sec
-----------------------------------------------------------------
 ...
 26558.0  26148.9   1.179    1.195  10.168  19.431  156.421      0.0

I then stopped the server, changed the default password storage scheme used at import to Salted SHA-512, and re-imported the data.

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "dc=example,dc=com" 'uid=user.10' dn userPassword
dn: uid=user.10,ou=People,dc=example,dc=com
userPassword: {SSHA512}eTGiwtTM4niUKNkEBy/9t03UdbsyYTL1ZXhy6uFnw4X0T6Y9Zf5/dS7hDIdx3/UTlUQ/9JjNV9fOg2BkmVgBhWWu5WpWKPog

Then I re-ran authrate:

$ authrate -h localhost -p 1389 -g 'rand(0,10000)' -D "uid=user.%d,ou=people,dc=example,dc=com" -w password -c 32 -f
-----------------------------------------------------------------
     Throughput                 Response Time
    (ops/second)               (milliseconds)
 recent  average   recent  average   99.9%   99.99%  99.999%  err/sec
-----------------------------------------------------------------
 ...
 25481.7  25377.6   1.222    1.227  10.470  15.473  158.234      0.0

As you can see, there is not much of a difference in throughput or response time when using the strongest algorithm to hash user passwords. So do not hesitate to change the default settings and make use of the strongest password hashing schemes with OpenDJ. It could save you from the embarrassment of, one day, contacting each of your users or customers to ask them to change their compromised password.

The default password hashing schemes are set in 2 locations:

  • The default password policy, for all passwords that are changed online:

    dn: cn=Default Password Policy,cn=Password Policies,cn=config
    ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config

  • The Password Policy Import plugin, for passwords loaded at LDIF import:

    dn: cn=Password Policy Import,cn=Plugins,cn=config
    ds-cfg-default-user-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config

Both properties can be changed with dsconfig while the OpenDJ server is running, and the new scheme will be used for all subsequent operations.

We’ve moved office !

As we’re growing the team in the Grenoble area, we’ve finally moved office to the “Silvaco” building in the Montbonnot tech area.

ForgeRock France new office building

We now have enough space for the whole team, interns and the coming new hires (and yes, we still have open positions). The facilities include a small cafeteria, showers for the cyclists, soccer players or runners, and a well air-conditioned machine room that we haven’t taken full advantage of yet. Here are a few photos:

Photos: ForgeRock France office building, inside the office, ForgeRock France office meeting room

We’re still in the process of decorating the office, adding a more relaxed and friendly atmosphere, with certainly some “Rock attitude”.

If you’re in the neighborhood or you plan to pay us a visit, here’s the Google map to find us:


Don’t hesitate to drop by; we have coffee and maybe more, especially if you are a developer with a passion for code and Java.

Finally, I’d like to say a special thank you to Mancala Networks and its CEO Marc Rozier for having hosted us over the last year, while we were building the team.

Mexico, Mexiiiiico !

I’m just back from a week-long business trip to Mexico City. This was my first time in Mexico and I had heard all the rumors of it being a very dangerous city. I must say that I saw a very, very big city, vibrant, busy, with a lot of car traffic, but at no point did I have any fear of being robbed or harassed.

Two things struck me during my stay. First, the city is very green. There are lots of trees, plants and flowers everywhere. All the main avenues are bordered by trees. It’s like mother nature is trying to tell us that she still exists despite the concrete and buildings.

Photos: Trees in avenues, Tree in flower

The other thing is that at any time of the day or night, there are people in the street trying to earn a little money, selling water, tissues or balloons.

Globero

The food was amazing. I enjoyed tacos, fresh fruits, some Argentinian bife, jalapeños… Spicy, but not “mucho picante”. As well as beers like Victoria, Bohemia, Dos Equis, Modelo… And tequila of course!

Other photos from my trip are on Google+

By the way, we did work this week in Mexico.

Below is a photo of the screen as we finished importing the customer’s data into OpenDJ (the data includes a few hundred groups, each averaging 40 000 members). I like this kind of performance number! And I will probably say more about the hardware and settings used to achieve that in a future post.

I must say a big thank you to our partner in Mexico and Latin America: NoLogin. They did everything to make my stay safe and comfortable, including with jalapeños and tequila!

I hope the few companies I visited will turn into customers. I’d like to come back to Mexico again. These 5 days have just gone by too fast. And I’ve just started to get into lucha libre 😉

Mexican Wrestler

A timeline of LDAP directory services…

Bill Nelson has published “The Most Complete History of Directory Services You Will Ever Find” (until the next one comes along), a detailed history of LDAP-based directory services and products. Expect a few updates as people find out about it and ask for new data points to be added. But this is the most complete summary I’m aware of. I had a timeline of Sun directory products a few years ago, but Bill’s has more details.

His post includes a visual timeline of the directory service products and their heritage, linked below for your convenience.

Click on the picture for a full size image.

Personally, I’ve been involved with the Sun and derived lines since 1996, and now drive the ForgeRock one: OpenDJ !

OpenAM 10.0.0 is now available…

This is a big milestone for ForgeRock and the OpenAM project, an open source WebSSO, Authentication, Authorization, Federation and Entitlements solution. After months of development (a few more than we anticipated), we’ve finally released OpenAM 10.0.0, a major version of the product.

OpenAM 10 brings a set of new features, including support for OAuth 2.0 client authentication, the ForgeRock Identity Gateway (built out of project OpenIG), enhanced SAML 2 identity provider capabilities, a new Risk Based Authentication module, … It also now relies on OpenDJ 2.4.5, the latest stable release of OpenDJ, the open source LDAP directory server, and supports the Internet-Draft based LDAP password policy. You can find more details in the press announcement or the product release notes. The documentation of the OpenAM 10 release can be read at http://docs.forgerock.org/en/index.html?product=openam&version=10.0.0.

The OpenAM 10 release owes a lot to the OpenAM community, both for the issues raised (a total of 41 issues fixed in OpenAM 10 were raised by 26 different people) and for the generous patches offered to fix over a dozen of these issues.
To each and every contributor: THANK YOU!

Tab Sweep for Friday April 13th

Another week goes by, and it’s time for another tab sweep.

Syntegrity Networks, one of our major partners in the US, has launched a campaign to encourage their customers to migrate from Sun Directory Server to OpenDJ.

Silverpeas, a collaborative platform built as open source under the GNU Affero license by the eponymous company, has been supporting LDAP for authentication and authorization for some time. The documentation for setting up the LDAP domain has been updated, using OpenDJ as the recommended server.

ForgeRock OpenIDM’s capabilities are growing. After getting OpenIDM to work with Activiti to provide workflows, the team posted an experimental tutorial on integrating Jasper with OpenIDM to produce nice reports. You can find more of these tutorials in the OpenIDM How To Collection.

Tab sweep, Easter edition, and upcoming events

cc by http://www.flickr.com/photos/noukorama/

Articles and links

Action Identity has posted a couple of articles about ForgeRock products:

Our friends at ProfiQ have posted an article describing how to use OpenDJ with Red Hat Certificate System.

Speaking of using OpenDJ with LDAP-enabled applications, we try to maintain a page on the OpenDJ documentation wiki with different tutorials on how to configure OpenDJ client applications.

Upcoming Events

ForgeRock will be present at the European Identity and Cloud Conference (EIC), April 17-20 in Munich.

We will also be participating in Devoxx France, April 18 to 20 in Paris. I will be co-speaking on Thursday 19 at 7pm about Open Source in France, and will be available for individual meetings from Thursday morning to Friday late afternoon. So, if you want to discuss ForgeRock products or job opportunities, send me a mail or leave a comment.

Cache strategy for OpenDJ LDAP directory server

System administrators familiar with legacy LDAP directory servers know that one of the keys to the best performance is caching the data. With Sun Directory Server or OpenLDAP, there are 3 levels of caching that can be done: the filesystem level, the database level and the entry level. The filesystem-level cache is managed by the OS and cannot be controlled by the application. Using the filesystem cache is good when the directory server is the only process on the machine, and/or for initial performance. The database-level cache allows faster read or write operations, and also includes the indexes. The entry-level cache is the highest-level cache, and usually the one that provides the best performance, as it requires the least processing from the server to return entries to the applications and has the least contention.

OpenDJ has a different design for its database and core server, and thus the caching strategy needs to be different.

By default, OpenDJ does have a database cache enabled, and 3 different kinds of entry caches, all disabled. The reason for the 3 entry caches is that they are implemented for different needs and access patterns. But all have in common a specific filter to select which entries to cache, and some settings for how much memory to use. During our stress and performance tests, we noticed that using an entry cache for all accessed entries added a lot of pressure on the garbage collector, and also caused more garbage collection of the old generation, often leading either to fragmentation of the memory or to more frequent full GCs (also known as “stop the world” GC). This resulted in less consistent average response times and lower throughput overall.

So, we recommend that you favor the database cache and do not set up an entry cache, except for specific needs (and do not try to activate all 3 entry caches; this may lead to some really strange behavior).

The default setting with OpenDJ 2.4 is that 10% of the JVM heap space is used for the database cache. With OpenDJ 2.5 (soon to be released), we have bumped the default to 50% of the heap space. If you’re tuning the heap size and make it larger than 2GB, we recommend that you keep that 50% ratio, or even increase it if the heap size exceeds 3GB.

If you do have a few very specific entries that are very often accessed, like large static groups that are constantly used for ACIs or group membership checks by applications, then the entry cache comes in handy, and you want to set a filter so that only these specific entries are cached.

For example, if you want to cache at most 5 entries that are groupOfNames, you can use the following dsconfig command:

bin/dsconfig set-entry-cache-prop --cache-name FIFO \
 --set include-filter:\(objectclass=GroupOfNames\) \
 --set max-entries:5 --set max-memory-percent:90 --set enabled:true \
 -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n

Otherwise, you’re better off running with no entry cache. OpenDJ read performance is such that the directory server can respond to tens of thousands, if not hundreds of thousands, of searches per second with an average response time in the order of a millisecond. This should be good enough for most applications!

Open positions at ForgeRock

In the Grenoble office

Do you want to work with open source projects, build highly scalable identity middleware products, enjoy an international environment in a fast growing company and have fun?

Check out our open positions.

We are seeking a number of highly motivated and skilled software professionals to grow our engineering team, in Development, Quality and Technical Writing. Our engineering teams are based in the Bay Area and Portland (USA), Bristol (UK) and Grenoble (France). We also have positions open in Support, Sales, Account Management and Business Development.


A view of Grenoble, France. (c) January 2012, Ludovic Poitou.

Rocking @ForgeRock !

I’m a great fan of @gapingvoid, and if you haven’t done it yet, I’d recommend you read his books.

Most of the time, his cartoons hit so close to home that you’d want to believe they were made specially for you. Like this one:

A @GapingVoid cartoon