It’s the happy hour, with a double release day at ForgeRock.
OpenAM 9.5.2 has just been released, along with the J2EE Agents 3.0.3 and are now available for downloads from ForgeRock. You can find the release details in the Release Notes.
OpenDJ 2.4.1 has also been released today. The patch release can be found on the Downloads page in various forms: Java WebStart Installer, Zip package or SVR4 package. The Release Notes have been posted on the Documentation wiki.
The OpenDJ development team has its own blog now. You will find news, tips and other information about the Open source ldapv3 Directory services in Java.
On the same topic, there is now an aggregator of news feeds related to ForgeRock that has been set and you can read all the news from a single place : http://blogs.forgerock.org/aggregator/
As we’re working towards releasing a micro-release of OpenDJ 2.4, fixing a few issues that have been raised by our customers and adopters, we’ve made another important move towards increasing the quality of ForgeRock products :
Gary Williams has started at ForgeRock today, growing the forces at the ForgeRock Grenoble Engineering Center, and will lead our quality assurance engineering efforts. Gary comes from Sun (Oracle) where he was Principal Quality Assurance Engineer, driving the testing efforts for OpenDS and previously for Sun Directory Server Enterprise Edition. He brings almost 20 years of experience in QA and testing software applications and servers.
Welcome to ForgeRock, Gary !
OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.
It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and more error-proof way.
First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.
Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.
Go in the directory of the instance to upgrade:
cd /local/OpenDS2.2/
From that place, run the OpenDS 2.2 upgrade command :
./upgrade
The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key
The provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip
And then continue with the Upgrade program.
Should some customization of the schema or the configuration failing to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.
If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.
And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency. To do so, stop the upgraded server and run the rebuild-index command :
bin/rebuild-index <some options> -i dn2id -b "<suffix>"
If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.
Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.
Enjoy.
Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.
Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.
ForgeRock is exactly ONE year old today. As we’re a distributed and quite global company, we’re not going to blow the candle on the cake today. But I’m sure next time we meet, we’ll have one as nice as the one we had during our last company meeting in Faro, Portugal.
Also today is the first day at ForgeRock of Matthew Swift, as Architect for the OpenDJ project, growing the forces at the ForgeRock Grenoble Engineering Center. Matthew comes from Sun (Oracle) where he was leading the development of the core of OpenDS, as well as the LDAP Client API. He has been doing interesting work with regards to performances with the OpenDS server (he’s the one who provided me with nice numbers to present), and its reliability. Matthew has several years of experience building LDAP and Directory related products as well as Java development, for Sun, Bloomberg and Isode. He’s bringing his talent and energy back to the open source project and will help make OpenDJ an even stronger and better product.
I’m really delighted to work with Matthew again.
And what a great day today !
One of the things that I appreciate with Mac OS X is that it’s based on Unix, the family of operating systems I’ve been using since my years at university.
And what’s more natural to integrate a Unix system with other Unix systems ? Well, one point of integration for identities and services is an LDAP directory server, like OpenDJ, the Open source LDAPv3 Directory service in Java.
Phillip Steinbachs has been working on a pet project of his: providing Mac OS X desktop environment via SunRay thin-clients. For this, he needed to have his Apple Xserver boxes, running Snow Leopart Server, to be integrated within the current LDAP and NFS environment, based on OpenDS (from which OpenDJ derives). Having successfully done it, Phillip just posted a summary of the changes needed to have its integrated, including the proper schema files. A good reference post for whoever wants to integrate its Mac OS based machines with LDAP!
In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.
In the OpenDJ directory service, there are 2 types of authorization systems :
Most operations involving sensitive or administrative data require that the user has both the privilege and authorization. This allows finer-grain authorization for specific data related action such as managing acl or reseting passwords.
The Privilege SubSystem
Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.
That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.
To list the current default privileges assigned to all RootDN users :
bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n get-root-dn-prop
Property : Value(s) ----------------------------:-------------------------------------------------- default-root-privilege-name : backend-backup, backend-restore, bypass-acl, : bypass-lockdown, cancel-request, config-read, : config-write, disconnect-client, ldif-export, : ldif-import, modify-acl, password-reset, : privilege-change, server-lockdown, : server-restart, server-shutdown, subentry-write, : unindexed-search, update-schema
To make sure that all searches are done with proper indexes, you may want to remove the privilege to all Administrative Accounts to perform unindexed searches :
bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n set-root-dn-prop –remove default-root-privilege-name:unindexed-search
Note: Removing this privilege to all Administrative accounts including the default “cn=Directory Manager” may have side effects for certain internal operations such as group membership, referential integrity…
Whenever adding a new Administrative Account under the “cn=Root DNs,cn=config” container, it automatically inherits from those privileges. But each administrative account can then be denied or added specific privileges by adding values of the “ds-privilege-name” attribute directly in the user entry, in the form of the privilege name or a Minus sign followed by the privilege name.
For example, I can make sure that my newly added Administrative Account is subject to access controls and cannot modify access controls lists, I modify the entry as followed :
Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:
dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl
–
And then apply it to the directory service with the following command :
bin/ldapmodify -h localhost -p 4444 -X -Z -D “cn=directory manager” -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif
Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.
But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.
The complete list of privileges supported in OpenDJ 2.4 is below:
Most of LDAP directory servers configure a single well known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we are too often seeing that special account being used by all applications that have specific administrative needs : the provisioning application, the email management application, …
OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.
The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.
Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.
Create a file newAdmin.ldif
dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42ldapmodify -a -D cn=Directory Manager -j /var/tmp/dmpassfile -f newAdmin.ldif
Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config
If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :
$ bin/ldappasswordmodify -p 1389 -D “cn=directory manager” -j /var/tmp/dmpassfile -a “”cn=Admin2,dc=example,dc=com” -N /var/tmp/newpw
The LDAP password modify operation was successful
Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.
Did you notice the “ds-cfg-alternate-bind-dn” attribute in the definition of the new administrative account ? This enables to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the “cn=config” suffix.
So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.
In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.
I’m very pleased to announce the first full release of our Open source Directory services for the Java platform : OpenDJ 2.4.0.
Based on open source and open standards, OpenDJ is a new LDAPv3 compliant directory service, providing a high performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform makes of OpenDJ the simplest and fastest directory server to deploy and manage.
Choosing OpenDJ as an enterprise directory service has the following benefits :
After a little bit over 2 months of beta testing, OpenDJ is now ready for use into production. And with this release, the OpenDJ project delivers the features announced on OpenDS roadmap and plans to continue the development of the project in a true open and collaborative way.
OpenDJ 2.4.0 can be downloaded from our downloads page, or installed through Java WebStart by just clicking here. You can find more details about it in the Release Notes.
Enjoy !
And send us your feedback, on the OpenDJ mailing list (subscribe here) or on #opendj IRC channel.
Sun^H^H^HOracle released an update to the Java Platform Standard Edition last month : JDK 6 Update 21.
Last week, both on #opends IRC channel and the users mailing list, we started to get questions on how to enable replication between 2 instances of OpenDS, because dsreplication was producing the following error message : “There are no base DNs available to enable replication between the two servers”.
This was affecting the latest stable release of OpenDS (2.2.0) as well as the latest promoted-build and daily-builds.
After several exchanges and attempts to reproduce the problem, we found that the root cause was some changes in JDK 6 update 21, and more specifically in the parsing of the LDAP filters in JNDI. The new code has a stricter parsing and will mess with LDAP filters not surrounded by parentheses. ” cn=Foo” is according to RFC 4515 not a valid filter whereas “(cn=Foo)” is.
There was one occurrence of an invalid filter in OpenDS internals, exercised when enabling replication for the first time. We fixed the issue (#4575) yesterday and starting with today’s daily-build, you can use the latest version of the Java run-time with OpenDS.
We’re looking at providing an updated version of the 2.2 version to solve this issue as well as a few other important corrections. No ETA for this though.
Update:
OpenDJ, a fork of OpenDS, has a complete resolution for this issue. You can find more about OpenDJ on ForgeRock web site : http://forgerock.com/opendj.html
We have just uploaded OpenDS 2.3.0-build003, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.
OpenDS 2.3.0-build003 is built from revision 6502 of our source tree.
The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003.zip
The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003-DSML.war
We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build003/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.
Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build003, including the detailed change log
Major changes since OpenDS 2.3.0 build002 include :
Technorati Tags: build, directory-server, java, ldap, opends, opensource, performance, quality
We have just uploaded OpenDS 2.3.0-build002, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.
OpenDS 2.3.0-build002 is built from revision 6400 of our source tree.
The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002.zip
The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002-DSML.war
We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.
Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build002, including the detailed change log
Major changes since OpenDS 2.3.0 build001 include :
Technorati Tags: build, directory-server, java, ldap, opends, opensource, performance, quality
If you building a centralized development environment for a team or large group of users, the question of centralizing user identities, authentication and authorization is always popping up and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source project like GlassFish, Apache Tomcat, SugarCRM… But not yet for Subversion. Thankfully, Wooter van Reeven, Senior Consultant at Yenlo has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.
Update on March 18th.
Wooter has also posted a copy of the article on OpenDS documentation wiki.
I’ve also been aware of an older article on the subject of Subversion with Apache and LDAP by Jeremy Whitlock, engineer in the CollabNet Subversion team. This article contains more details on the Apache configuration parameters and snippets for both Apache 2.0 and Apache 2.2.
Technorati Tags: developer, directory-server, java, ldap, opends, opensource, tip
It’s been a while since I last posted an OpenDS tab sweep. So here’s a list of news and pointers related to our open source LDAP directory server.
PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.
The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.
iConcur Software delivers new Axiom a Requirements management tool integrates by default with OpenDS.
Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !
Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.
Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.
Sopera, a german company building open source SOA is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource)
Also in the recent days a couple of new LDAP browsers appeared.
Finally, in a introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggest that Java based OpenDS directory Server as a good alternative for running your own LDAP service on MS infrastructure.
Technorati Tags: directory-server, identity, ldap, opends, opensource, software
Directory servers usually run for long period of times and have stable performances as all caches are warmed by the traffic. But how to get optimum performances as fast as possible right after starting the server ? Brad Diggs has published Directory Data Priming Strategies, another blog post added to the series of articles on Sun (now Oracle) Directory Server Enterprise Edition 7, ZFS and Flash Technologies.
Technorati Tags: directory-server, dsee, ldap, performance, zfs
Ludo Sketches 