I’m sure most of you have seen this already… I’m posting it here for posterity !
ForgeRock secures $7M in a series A funding from Accel Partners
Let’s pop up the volume now !!!
I’m happy to announce that a new revision of OpenDJ, the open source LDAP directory server in Java, has just been released. OpenDJ 2.4.5 is an update release of the OpenDJ project and improves reliability with SSL connections, replication meta-data indexes and Java 7. The full details about the release have been posted in the OpenDJ 2.4.5 Release Notes. Note that if you upgrade from a previous version, the ds-sync-hist index must be rebuilt prior to restarting the server.
The release is built out of revision 7743 of the b2.4 branch of the code repository.
As usual, you can find everything on the OpenDJ Downloads page:
The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on track for an accurate, reviewed version for OpenDJ 2.5.
Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.
Enjoy !
I’ve been traveling a little bit last week, visiting a major customer in the UK (helping with their OpenDJ based directory service that has grown from 13 million entries to 17 million in about 6 months).
Last week was also a busy week in terms of news for ForgeRock. First, we’ve announced the release of OpenIDM 2.0, a major version of our real-time identity life-cycle management, provisioning and synchronization software product. OpenIDM 2.0 is a new release, but is already running in production at a few happy customers.
ForgeRock and Qubera Solutions have announced a partnership for the delivery of standards-based Identity Services built on the ForgeRock I3 Open Platform. Qubera Solutions offers workshops and migration tools to help former Sun Microsystems customers move away from legacy software solutions.
I’ve also come across a blog post from Martin Sandren that positions ForgeRock as one of the challengers on the Identity and Access Management market. It’s an interesting read, and it looks like the previous announcement does start to address some of his concerns.
Martin was not the only one to talk about ForgeRock. Scott McNealy has been nicely advertising us on Twitter.
And finally, we’re expanding and therefore we’ve published a few job postings on our web site. I’m pretty confident that these are just a few to start with and we will have more, including some in our Grenoble Engineering Center.
Enabling replication between multiple instances of the OpenDJ LDAP directory server is pretty simple and straightforward. You can check for yourself in the Replication chapter of the Administration Guide.
But fully disabling replication can be tricky with OpenDJ 2.4, mostly because of a known issue with the dsreplication disable --disableAll command: OPENDJ-249: dsreplication disable --disableAll throws a javax.naming.CommunicationException when removing the contents of “cn=admin data”.
We are fixing this issue in OpenDJ 2.5, but for those who have deployed OpenDJ 2.4 and want to know how to fully remove all references to a replica from the topology, here are the steps to manually disable replication:
Note: all these steps should be done using ldapmodify, or an LDAP browser such as OpenDJ Control-Panel’s Manage Entry or Apache Directory Studio.
As I posted last week, we are organizing a training on OpenDJ in Paris from Jan 24 to 27, 2012.
I’ve been told that there is a special one-time offer on this training. If you book the training by Friday January 13th, there is a 20 % discount on the course fee, which brings the price of the 4-day course down to 2350€.
Don’t wait and register today at training@forgerock.com.
And if you still hesitate, here are a couple of quotes from the people involved in the review of the materials:
“Firstly, I’m pretty blown away by the quantity and quality of the material. It is extremely impressive, well done! :-)”
“Hell, this is going to be a GREAT directory server course!”
The OpenDJ Administration, Maintenance and Tuning (FR-462) training is taking place in Paris from Tuesday January 24th to Friday January 27th 2012.
The course is a mix of lecture and labs and is designed for system administrators, integrators, consultants, architects and developers who will be installing, configuring, administering and maintaining the ForgeRock OpenDJ LDAP directory server. I’ve been reviewing the course materials, and I must say I’m really excited by it. The amount of information available in the materials is huge, and the hands-on exercises are very detailed and practical.
The training is definitely a must for anyone who is or will be deploying and managing OpenDJ. And as this is the first training for OpenDJ in Europe, I will be attending it as an observer, gathering feedback on both product and course, also possibly as an assistant to the trainer Bill Nelson.
The session will be hosted in Astec training facilities, right in the heart of Paris, close to Gare Saint Lazare and Boulevard Haussmann.
There are still some slots available, so enroll quickly by email to training@forgerock.com.
A few months ago, we worked with Ziggo in the Netherlands to help them transition their legacy environment to the ForgeRock I3 Open Platform. As part of the transition, they’ve replaced Sun Directory Server Enterprise Edition (DSEE) with OpenDJ, running in 3 data-centers (on different sites) with over 2.5 million entries, in a very smooth and well controlled migration process.
They’ve now been running OpenDJ and OpenAM in production for a few months and we’re really happy to be able to share the details of the story with you. Get the Ziggo Case Study (PDF).
You can find more details about OpenDJ on ForgeRock web site.
Months go by, but the pace of releases remains. Today, I’m happy to announce that a new revision of OpenDJ, the open source LDAP directory server in Java, has just been released. OpenDJ 2.4.4 is an update release of the OpenDJ project and improves reliability by resolving issues found around the External Change Log, Replication, Password Policy and GSSAPI. It also resolves a memory leak that occurred with specific LDAP extended operations, such as the Password Modify Extended Operation. The full details about the release have been posted in the OpenDJ 2.4.4 Release Notes.
The release is built out of revision 7357 of the b2.4 branch of the code repository.
As usual, you can find everything on the OpenDJ Downloads page:
The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on track for an accurate, reviewed version for OpenDJ 2.5.
Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.
Enjoy !
I’ve been pretty busy at ForgeRock and haven’t found much time to post here. I’ll try to improve in the coming weeks. Meanwhile, I’d like to share a number of events in which I’m participating:
October 10, 11. LDAPCon in Heidelberg, Germany. I have a couple of presentations on the first day, and will be around until the end of the conference. If you want to meet and discuss, drop me a note.
October 26, 27, 28. fOSSa in Lyon, France. I will be attending the 3 days of the conference, presenting on Thursday 27th in the Development track. fOSSa is a free conference that focuses on open source communities and projects, without any marketing spin. Register now.
November 8th, OpenIDM Summit in Darmstadt, Germany. I won’t be able to attend that summit, but it’s a great opportunity to learn more about ForgeRock open source Identity Management solutions. Registration is already open, don’t wait !
We’re also working on a one-day, broader ForgeRock I3 Open Platform event, sometime in late November. I’ll let you know when it’s finalized, but I will be presenting OpenDJ along with the other ForgeRock product managers.
Last month, just before the French national day, I was in Strasbourg to participate in the RMLL.

On the occasion, I did a presentation in the security track about OpenAM Universal Gateway, another piece in the complex puzzle of Web Single Sign-On. The Universal Gateway solves an important problem in Access Management: allowing single sign-on for applications that are usually left out because they are based on legacy or non-standard technology.
The Universal Gateway comes from ApexIdentity, an acquisition that ForgeRock did in the spring. It’s been released in open source as part of the OpenAM source code repository.
The presentation I did was in French, and so are the slides.
You can find more about the Universal Gateway on ApexIdentity web site, and soon on OpenAM documentation.
Another revision of OpenDJ has just been released. OpenDJ 2.4.3 is an update release of the OpenDJ project and resolves several issues found around the External Change Log and the bundled database version. The version is built out of revision 7007 of the b2.4 branch of the code repository.
The full details about the release have been posted in the OpenDJ 2.4.3 Release Notes.
As usual, you can find everything on the OpenDJ Downloads page:
In addition, some draft documentation for OpenDJ, and more specifically the Administration Guide, is now published (and regularly updated) on the OpenDJ project site.
Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.
Enjoy !

As we develop OpenDJ, we spend a lot of time testing, whether it’s a new feature or a correction to an existing one. We usually write some unit tests to validate the code and then some functional tests to check the feature from a “user” point of view. While the unit tests are typically run with a single server, the functional or integration tests are run with configurations that match our customers’ deployments. And one given for any OpenDJ directory service deployment that I’m aware of is that the service is made of two or more OpenDJ directory servers with Multi-Master Replication enabled between them.
Setting up Multi-Master Replication with OpenDJ is quite easy and I’m going to demonstrate it here:
Let’s assume we want to install 2 OpenDJ servers on the following hosts: ldap1.example.com and ldap2.example.com. For simplicity, and because we avoid running tests with root privileges, we will configure the servers to use ports 1389 and 1636 for LDAP and LDAPS respectively.
On ldap1.example.com
$ unzip OpenDJ-2.4.2.zip
$ cd OpenDJ-2.4.2
$ ./setup -i -n -b "dc=example,dc=com" -d 20 -h ldap1.example.com -p 1389 \
    --adminConnectorPort 4444 -D "cn=Directory Manager" -w "secret12" -q -Z 1636 \
    --generateSelfSignedCertificate
Do the same on ldap2.example.com, the parameters being the same except for the -h option, which should be ldap2.example.com.
Now, you have 2 instances of OpenDJ configured and running with 20 sample entries in the suffix “dc=example,dc=com”. Let’s enable replication:
$ bin/dsreplication enable --host1 ldap1.example.com --port1 4444 \
    --bindDN1 "cn=directory manager" \
    --bindPassword1 secret12 --replicationPort1 8989 \
    --host2 ldap2.example.com --port2 4444 --bindDN2 "cn=directory manager" \
    --bindPassword2 secret12 --replicationPort2 8989 \
    --adminUID admin --adminPassword password --baseDN "dc=example,dc=com" -X -n
And now make sure they both have the same data:
$ bin/dsreplication initialize --baseDN "dc=example,dc=com" \
    --adminUID admin --adminPassword password \
    --hostSource ldap1.example.com --portSource 4444 \
    --hostDestination ldap2.example.com --portDestination 4444 -X -n
For my daily tests I’ve put the commands in a script that deploys 2 servers, enables replication between them and initializes them, all on a single machine (using different ports for LDAP and LDAPS).
Now if you want to add a 3rd server to the replication topology, install and configure it like the first 2. Then join it to the replication topology by repeating the last 2 commands above, replacing ldap2.example.com with the hostname of the 3rd server. Need a 4th one? Repeat again, keeping ldap1.example.com as the server of reference.
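The single-machine script mentioned above, written here as an added example (it is not the script from the post nor anything shipped by the OpenDJ project). It generalizes the procedure to N instances: each instance gets its own ports derived from its index, instance 1 is always the reference, and every other instance is enabled against it and initialized from it. It assumes OpenDJ-2.4.2.zip in the current directory, all instances bound to localhost, and the same credentials as in the post; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenDJ project: deploy N
# OpenDJ 2.4 instances on one machine, enable replication between instance 1
# and each of the others, then initialize each of them from instance 1.
# Assumptions: OpenDJ-2.4.2.zip in the current directory, everything on
# localhost, per-instance ports derived from the instance index so that nothing
# collides. Set DRY_RUN=1 to print the commands instead of running them.
ZIP=${ZIP:-OpenDJ-2.4.2.zip}
HOST=${HOST:-localhost}
BASE_DN="dc=example,dc=com"
DM_DN="cn=Directory Manager"
DM_PW=${DM_PW:-secret12}
ADMIN_PW=${ADMIN_PW:-password}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Port layout for instance $1 (1-based): 1389/1636/4444/8989 for instance 1,
# then +100 per instance (1489/1736/4544/9089 for instance 2, and so on).
ldap_port()  { echo $((1389 + ($1 - 1) * 100)); }
ldaps_port() { echo $((1636 + ($1 - 1) * 100)); }
admin_port() { echo $((4444 + ($1 - 1) * 100)); }
repl_port()  { echo $((8989 + ($1 - 1) * 100)); }
inst_dir()   { echo "opendj$1"; }

# Unpack a fresh copy into its own directory and run the same non-interactive
# setup as in the post, with 20 generated sample entries under the base DN.
install_instance() {   # $1 = instance index
  dir=$(inst_dir "$1")
  run rm -rf "$dir"
  run unzip -q "$ZIP"
  run mv OpenDJ-2.4.2 "$dir"
  run "$dir/setup" -i -n -b "$BASE_DN" -d 20 -h "$HOST" -p "$(ldap_port "$1")" \
      --adminConnectorPort "$(admin_port "$1")" -D "$DM_DN" -w "$DM_PW" \
      -q -Z "$(ldaps_port "$1")" --generateSelfSignedCertificate
}

# Instance 1 is the reference: every later instance is paired with it. This is
# the "repeat the last 2 commands, keeping ldap1 as reference" rule made explicit.
enable_replication() {   # $1 = index of the instance joining the topology
  run "$(inst_dir 1)/bin/dsreplication" enable \
      --host1 "$HOST" --port1 "$(admin_port 1)" --bindDN1 "$DM_DN" \
      --bindPassword1 "$DM_PW" --replicationPort1 "$(repl_port 1)" \
      --host2 "$HOST" --port2 "$(admin_port "$1")" --bindDN2 "$DM_DN" \
      --bindPassword2 "$DM_PW" --replicationPort2 "$(repl_port "$1")" \
      --adminUID admin --adminPassword "$ADMIN_PW" --baseDN "$BASE_DN" -X -n
}

initialize_replica() {   # $1 = index of the instance to load from instance 1
  run "$(inst_dir 1)/bin/dsreplication" initialize --baseDN "$BASE_DN" \
      --adminUID admin --adminPassword "$ADMIN_PW" \
      --hostSource "$HOST" --portSource "$(admin_port 1)" \
      --hostDestination "$HOST" --portDestination "$(admin_port "$1")" -X -n
}

deploy() {   # $1 = number of instances (default 2)
  n=${1:-2}; i=1
  while [ "$i" -le "$n" ]; do install_instance "$i"; i=$((i + 1)); done
  i=2
  while [ "$i" -le "$n" ]; do enable_replication "$i"; initialize_replica "$i"; i=$((i + 1)); done
}

# Usage: ./deploy-opendj.sh deploy 3    (prefix with DRY_RUN=1 to preview)
case "${1:-}" in deploy) deploy "${2:-2}" ;; esac
```

Run it with DRY_RUN=1 first to see the exact commands for each instance; with 3 instances you get three setup runs, then two enable/initialize pairs, both against instance 1 on admin port 4444.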
I’ve already mentioned that Mark Craig has joined ForgeRock and started to blog about OpenDJ.
Here are a few tips he’s recently posted about OpenDJ:
I’m sure there are more to come.
If you’re not following Mark’s blog feed yet, you should !
OpenDJ directory server has one default administrator that can manage all aspects of the server.
In an earlier post, I’ve described how to create multiple administrative accounts in OpenDJ, and in another one, I’ve talked about the Privilege system and how it can be used to tailor the administrative roles of each account.
In most enterprises, administrators are usually employees and therefore have their own entries and passwords. For auditing purposes, security processes require that a change or an administrative task on the directory be done as the actual person and not as a shared administrative account. But often there are multiple administrators, and they can change role frequently. So what is the best practice for granting employees some administrative privileges?
An efficient and manageable way is to create an Administrators group and grant the privileges to all members of that group. When an employee is no longer an administrator, simply remove them from the group and they lose all the associated privileges. Likewise, adding a new administrator is just adding a member to the group.
With OpenDJ, this can be done with 2 simple entries : a group and a privilege collective attribute subentry.
The Group :
dn: cn=Administrators,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
description: LDAP Administrators Group
cn: Administrators
member: uid=ludo,ou=People,dc=example,dc=com
member: uid=Matt,ou=people,dc=example,dc=com
The Collective Attribute Subentry :
dn: cn=Administrators Privilege,dc=example,dc=com
objectClass: extensibleObject
objectClass: collectiveAttributeSubentry
objectClass: top
objectClass: subentry
cn: Administrators Privilege
ds-privilege-name;collective: config-read
ds-privilege-name;collective: config-write
ds-privilege-name;collective: ldif-export
ds-privilege-name;collective: modify-acl
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Administrators,ou=groups,dc=example,dc=com)" }
How does it work ?
Collective attributes are a standards-based LDAP feature: attributes and values are defined once, in a subentry, and appear in all entries that match the subentry’s subtreeSpecification. Collective attributes are defined in RFC 3671. For those who are familiar with Sun Directory Server’s Class Of Service, collective attributes provide a similar function, but based on an industry-approved standard.
OpenDJ’s collective attributes feature supports a few extensions that make it easier to use.
First, the standard way to define a collective attribute is to define it in the schema with a “c-” prefix. With OpenDJ, any existing attribute can be made collective with the ;collective attribute option.
Second, the scope of a collective attribute subentry as defined by the standard is a subtree, and the only filter possible is to specify the object classes it applies to. We’ve extended the specificationFilter to accept an arbitrary LDAP filter, allowing finer-grained control of which entries are targeted.
In the example above, the filter is used to restrict the Privilege Collective Attribute subentry to apply only to entries that have the isMemberOf attribute with the value “cn=Administrators,ou=Groups,dc=example,dc=com”.
isMemberOf is a read-only operational (virtual) attribute that is a back-link to the groups a user belongs to. OpenDJ supports the isMemberOf attribute for static groups, nested static groups and dynamic groups.
The subtreeSpecification also contains a base “ou=people” (relative to the subentry’s parent, dc=example,dc=com) to restrict the targeted entries to the ou=people subtree. Additional fields are allowed in the subtreeSpecification, for example to limit the depth in the tree.
As a result, collective attribute subentries, combined with groups, provide a flexible way to “inject” attributes and values to a specified set of entries, either to grant them specific privileges like in our example, or to decorate entries based on some common properties.
This said, remember that privileges are checked in addition to the access controls. Giving a user the password-reset privilege, for example, is useless if there is no ACI allowing him or her to modify the userPassword attribute of other users. Granting access through an ACI to a group is as simple as using groupdn="ldap:///cn=Administrators,ou=Groups,dc=example,dc=com" to designate the authorized identities.
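As an added example (not from the original post nor from the OpenDJ project), here is the missing half of the setup above and the check a practitioner would run: the ACI that gives the Administrators group write access to userPassword, a search showing what a member’s entry actually carries, and a password reset performed as a member. It assumes a server on localhost:1389 holding the group and subentry from the post, a member uid=ludo with password ludopw and a target user uid=Matt; those names and passwords are assumptions. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenDJ project: grant the
# Administrators group the ACI that the password-reset privilege needs, then
# check, as one of its members, that the collective privilege and the access
# right both took effect. Assumptions: a server on localhost:1389 holding the
# group and subentry from the post, a member uid=ludo with password "ludopw",
# and a target user uid=Matt. Set DRY_RUN=1 to print the commands instead.
PORT=${PORT:-1389}
BASE_DN="dc=example,dc=com"
GROUP_DN="cn=Administrators,ou=Groups,$BASE_DN"
DM_DN="cn=Directory Manager"
DM_PW=${DM_PW:-secret12}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The privilege says "may reset passwords"; this ACI says "on which entries".
# It is added to ou=People so it covers every user below it, and it names the
# group rather than individual users, so membership changes need no ACI edit.
admin_aci_ldif() {
  cat <<EOF
dn: ou=People,$BASE_DN
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Administrators reset passwords"; allow (write) groupdn="ldap:///$GROUP_DN";)
EOF
}

apply_aci() { admin_aci_ldif | run ldapmodify -p "$PORT" -D "$DM_DN" -w "$DM_PW"; }

# isMemberOf and ds-privilege-name are operational attributes: they are not
# returned unless requested by name. Both should appear on a member's entry,
# ds-privilege-name coming from the collective attribute subentry.
show_effective() {   # $1 = DN of a group member
  run ldapsearch -p "$PORT" -D "$DM_DN" -w "$DM_PW" -b "$1" -s base \
      "(objectclass=*)" isMemberOf ds-privilege-name
}

# The end-to-end check: bind as the member and reset someone else's password.
# Remove the member from the group and the same call must be rejected with
# insufficient access rights, since both the privilege and the ACI go away.
reset_as_member() {   # $1 admin DN, $2 admin password, $3 target DN, $4 new password
  run ldappasswordmodify -p "$PORT" -D "$1" -w "$2" --authzID "dn:$3" --newPassword "$4"
}

LUDO="uid=ludo,ou=People,$BASE_DN"
MATT="uid=Matt,ou=People,$BASE_DN"
# Usage: ./admin-group-check.sh apply | show | reset <new password>
case "${1:-}" in
  apply) apply_aci ;;
  show)  show_effective "$LUDO" ;;
  reset) reset_as_member "$LUDO" ludopw "$MATT" "${2:?new password}" ;;
esac
```

The order matters for the negative test: the search (show) tells you whether the subentry matched at all, while the reset tells you whether privilege and ACI line up; a reset that fails while show lists password-reset points at the ACI, not at the group or the subentry.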
We’ve just pushed another consolidation release of OpenDJ, the open source directory server in Java, resolving a number of issues around the External Changelog and Multi-Master Replication, resulting in a more efficient and more reliable service, especially after network outages.
The full details about the release have been posted in the OpenDJ 2.4.2 Release Notes.
As usual, you can find everything on the OpenDJ Downloads page: