opendj

Quality Matters

Ludo2 Comments

As we’re working towards releasing a micro-release of OpenDJ 2.4, fixing a few issues that have been raised by our customers and adopters, we’ve made another important move towards increasing the quality of ForgeRock products :

Gary Williams has started at ForgeRock today, growing the forces at the ForgeRock Grenoble Engineering Center, and will lead our quality assurance engineering efforts. Gary comes from Sun (Oracle) where he was Principal Quality Assurance Engineer, driving the testing efforts for OpenDS and previously for Sun Directory Server Enterprise Edition. He brings almost 20 years of experience in QA and testing software applications and servers.

Welcome to ForgeRock, Gary !

Upgrading from OpenDS to OpenDJ

LudoLeave a comment

OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.

It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and more error-proof way.

First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.

Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.

Go in the directory of the instance to upgrade:

cd /local/OpenDS2.2/

From that place, run the OpenDS 2.2 upgrade command :

./upgrade

The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key

The provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip

And then continue with the Upgrade program.

Should some customization of the schema or the configuration failing to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.

If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.

And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency.  To do so, stop the upgraded server and run the rebuild-index command :

bin/rebuild-index <some options> -i dn2id -b "<suffix>"

If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.

Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.

Enjoy.

Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.

Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.

1 Year Old and 1 New Architect

Ludo1 Comment

ForgeRock is exactly ONE year old today. As we’re a distributed and quite global company, we’re not going to blow the candle on the cake today. But I’m sure next time we meet, we’ll have one as nice as the one we had during our last company meeting in Faro, Portugal.

Also today is the first day at ForgeRock of Matthew Swift, as Architect for the OpenDJ project, growing the forces at the ForgeRock Grenoble Engineering Center. Matthew comes from Sun (Oracle) where he was leading the development of the core of OpenDS, as well as the LDAP Client API. He has been doing interesting work with regards to performances with the OpenDS server (he’s the one who provided me with nice numbers to present), and its reliability. Matthew has several years of experience building LDAP and Directory related products as well as Java development, for Sun, Bloomberg and Isode. He’s bringing his talent and energy back to the open source project and will help make OpenDJ an even stronger and better product.

I’m really delighted to work with Matthew again.

And what a great day today !

OpenDJ LDAP server for Snow Leopard Server and Unix

Ludo1 Comment

One of the things that I appreciate with Mac OS X is that it’s based on Unix, the family of operating systems I’ve been using since my years at university.

And what’s more natural to integrate a  Unix system with other Unix systems ? Well, one point of integration for identities and services is an LDAP directory server, like OpenDJ, the Open source LDAPv3 Directory service in Java.

Phillip Steinbachs has been working on a pet project of his: providing Mac OS X desktop environment via SunRay thin-clients. For this, he needed to have his Apple Xserver boxes, running Snow Leopart Server, to be integrated within the current LDAP and NFS environment, based on OpenDS (from which OpenDJ derives). Having successfully done it, Phillip just posted a summary of the changes needed to have its integrated, including the proper schema files. A good reference post for whoever wants to integrate its Mac OS based machines with LDAP!

The First OpenAM Book

Ludo1 Comment

OpenAM Book CoverThe first book on OpenAM, the open source web single sign-on and federation project, will be released very soon (it should be Jan 21st 2011), and it’s been written by one of my former and well esteemed colleague Indira Thangasamy.

I haven’t reviewed the book yet, but I’m expecting to have a review copy in my hands pretty soon (thanks again Indira and Packt Publishing).

However, if you want to get a feel of the book content, Indira has posted a very detailed table of content of the book, and some background information about it. I’m really looking forward reading the book and discovering some hidden gems of OpenAM. Also, this will help me to rethink the way the Configuration Store and User Store are considered and help improving the integration with OpenDJ, the Open source LDAP Directory services in Java, currently used as the embedded configuration store.

The book is already available for Pre-Order.

Directory Administrative Accounts – cont.

Ludo2 Comments

In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.

In the OpenDJ directory service, there are 2 types of authorization systems :

  • Privileges control who can perform which administrative tasks : backup, restore, stop and restart of the server, managing acl…
  • Access Controls Lists govern the access to the data through LDAP operations.

Most operations involving sensitive or administrative data require that the user has both the privilege and authorization. This allows finer-grain authorization for specific data related action such as managing acl or reseting passwords.

The Privilege SubSystem

Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.

That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.

To list the current default privileges assigned to all RootDN users :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n get-root-dn-prop

Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema

To make sure that all searches are done with proper indexes, you may want to remove the privilege to all Administrative Accounts to perform unindexed searches :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n set-root-dn-prop –remove default-root-privilege-name:unindexed-search

Note: Removing this privilege to all Administrative accounts including the default “cn=Directory Manager” may have side effects for certain internal operations such as group membership, referential integrity…

Whenever adding a new Administrative Account under the “cn=Root DNs,cn=config” container, it automatically inherits from those privileges. But each administrative account can then be denied or added specific privileges by adding values of the “ds-privilege-name” attribute directly in the user entry, in the form of the privilege name or a Minus sign followed by the privilege name.

For example, I can make sure that my newly added Administrative Account is subject to access controls and cannot modify access controls lists, I modify the entry as followed :

Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:

dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

And then apply it to the directory service with the following command :

bin/ldapmodify -h localhost -p 4444 -X -Z -D “cn=directory manager” -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif

Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.

But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.

The complete list of privileges supported in OpenDJ 2.4 is below:

  • backend-restore: Ability to perform backend restore operations.
  • bypass-acl: Ability to bypass access control evaluation.
  • bypass-lockdown:Ability to bypass server lockdown mode.
  • cancel-request: Ability to cancel arbitrary client requests.
  • config-read: Ability to read the server configuration.
  • config-write: Ability to update the server configuration.
  • data-sync: Ability to participate in a data synchronization environment.
  • disconnect-client: Ability to terminate arbitrary client connections.
  • jmx-notify: Ability to subscribe to JMX notifications.
  • jmx-read: Ability to perform read operations via JMX.
  • jmx-write: Ability to perform write operations via JMX.
  • ldif-export: Ability to perform LDIF export operations.
  • ldif-import: Ability to perform LDIF import operations.
  • modify-acl: Ability to modify access control rules.
  • password-reset: Ability to reset user passwords.
  • privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
  • proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
  • server-lockdown: Ability to lockdown a server.
  • server-restart: Ability to request a server restart.
  • server-shutdown: Ability to request a server shutdown.
  • subentry-write: Ability to perform write operations on LDAP subentries.
  • unindexed-search: Ability to perform an unindexed search
  • update-schema: Ability to update the server schema.

Multiple Directory Administrative Users

Ludo6 Comments

Most of LDAP directory servers configure a single well known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we are too often seeing that special account being used by all applications that have specific administrative needs : the provisioning application, the email management application, …

OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.

The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.

Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.

Create a file newAdmin.ldif

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

ldapmodify -a -D cn=Directory Manager -j /var/tmp/dmpassfile -f  newAdmin.ldif

Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :

$ bin/ldappasswordmodify -p 1389 -D “cn=directory manager” -j /var/tmp/dmpassfile -a “”cn=Admin2,dc=example,dc=com” -N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.

Did you notice the “ds-cfg-alternate-bind-dn” attribute in the definition of the new administrative account ? This enables to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the “cn=config” suffix.

So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.

In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

OpenDJ 2.4.0 has been released

Ludo6 Comments

I’m very pleased to announce the first full release of our Open source Directory services for the Java platform : OpenDJ 2.4.0.

Based on open source and open standards, OpenDJ is a new LDAPv3 compliant directory service, providing a high performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform makes of OpenDJ the simplest and fastest directory server to deploy and manage.

Choosing OpenDJ as an enterprise directory service has the following benefits :

  • Lower the cost of ownership : Delivers more performance while consuming less resources (disks, memory and CPUs). Simplifies the administrative tasks by automating them.
  • Platform independence : Runs on any platform that supports Java 6, including virtualized environments.
  • High Availability : Supports deployment of multiple servers in a multi-master replication topology, providing failover and disaster recovery.
  • Secure data store : Supports different levels of authentication and authorization. Protects passwords through encryption and extensive policies.
  • Monitoring and Alerts : Can be monitored by 3rd party applications using SNMP and JMX. Supports custom alerts to inform of specific events in the service.
  • Interoperability : Supports all LDAPv3 standard specifications, most of LDAPv3 standard and experimental extensions as well as some vendor specific extensions, easing integration with applications.

After a little bit over 2 months of beta testing, OpenDJ is now ready for use into production. And with this release, the OpenDJ project delivers the features announced on OpenDS roadmap and plans to continue the development of the project in a true open and collaborative way.

OpenDJ 2.4.0 can be downloaded from our downloads page, or installed through Java WebStart by just clicking here. You can find more details about it in the Release Notes.

Enjoy !

And send us your feedback, on the OpenDJ mailing list (subscribe here) or on #opendj IRC channel.