Upgrading from OpenDS to OpenDJ

OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.

It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and more error-proof way.

First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.

Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.

Go in the directory of the instance to upgrade:

cd /local/OpenDS2.2/

From that place, run the OpenDS 2.2 upgrade command :


The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key

The provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip

And then continue with the Upgrade program.

Should some customization of the schema or the configuration failing to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.

If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.

And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency.  To do so, stop the upgraded server and run the rebuild-index command :

bin/rebuild-index <some options> -i dn2id -b "<suffix>"

If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.

Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.


Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.

Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.

Sun directory products documentation

Last week-end all Sun products documentation got moved from docs.sun.com to Oracle.com domain, with new IDs. So all URLs and bookmarks have been “lost in translation” !

On this blog, I had numerous references to Sun directory product documentations, pointing to specific commands or chapters for configuring and managing the service… All are now redirecting to the main Oracle’s documentation page. 😦

But I managed to find the place where the Sun Directory Server documentation is listed, from iPlanet Directory Server 4.11 to the latest Oracle Directory Server Enterprise Edition 11g : the Legacy Sun Identity Management Documentation. There are link for both the online and the PDF versions.

Here, you will also find access to the OpenSSO enterprise 8.0 documentation as well as Sun OpenDS one.

Pfew! I was afraid everything disappeared.

On a side note, classifying the so called “strategicOracle Directory Server Enterprise Edition 11g in the legacy products seems to say a lot about its future !

OpenDS and Sun JVM 1.6.0_21

Sun^H^H^HOracle released an update to the Java Platform Standard Edition last month : JDK 6 Update 21.

Last week, both on #opends IRC channel and the users mailing list, we started to get questions on how to enable replication between 2 instances of OpenDS, because dsreplication was producing the following error message : “There are no base DNs available to enable replication between the two servers”.

This was affecting the latest stable release of OpenDS (2.2.0) as well as the latest promoted-build and daily-builds.

After several exchanges and attempts to reproduce the problem, we found that the root cause was some changes in JDK 6 update 21, and more specifically in the parsing of the LDAP filters in JNDI. The new code has a stricter parsing and will mess with LDAP filters not surrounded by parentheses. ” cn=Foo” is according to RFC 4515 not a valid filter whereas “(cn=Foo)” is.

There was one occurrence of an invalid filter in OpenDS internals, exercised when enabling replication for the first time. We fixed the issue (#4575) yesterday and starting with today’s daily-build, you can use the latest version of the Java run-time with OpenDS.

We’re looking at providing an updated version of the 2.2 version to solve this issue as well as a few other important corrections. No ETA for this though.

OpenDJ, a fork of OpenDS, has a complete resolution for this issue. You can find more about OpenDJ on ForgeRock web site : http://forgerock.com/opendj.html

OpenDS 2.3.0-build003 is now available…

Opends Logo TagWe have just uploaded OpenDS 2.3.0-build003, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build003 is built from revision 6502 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build003/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build003, including the detailed change log

Major changes since OpenDS 2.3.0 build002 include :

  • Provides support for the MS Permissive Modify control (#4238)
  • Adds support for multiple superior objectclasses in schema (#615)
  • Updated Berkeley DB Java Edition to version 4.0.103
  • Several enhancements and fixes in the External Changelog: Reliability in special cases like disabling replication domains, naming entries by ChangeNumber (Issue #4537), performance of searches with bounded filters (#4507), supporting operational attributes…
  • Resolves an issue (#4546) during shutdown that could cause deadlock in replication
  • Resolves an issue (#4554) on Windows with the Windows services
  • Some enhancements in the GUI look and feel and in 508 compliance
  • Resolves some issues (#4529, #3891, #3404, #3402) with specific replication conflict resolution
  • Improves the startup time of the server and detection of services tags
  • Resolves an issue (#4553) with the referential integrity plugin when several attributes are configured but only one is in a user entry
  • Fixes an issue (#4386) when adding an entry with duplicate values, resulting in a NPE
  • Fixes an issue (#4468) with the way values in filters and indexes are normalized
  • Resolves some performance issue (#4384) in replication monitoring
  • Improves reliability of replication initialization protocol (Issues #3395 #3998)
  • Resolves several issues (#3966, #4406, #4536 with clients tools and control panel when the server disconnect on error
  • Fixes some issues with MakeLDIF utility
  • Resolves a few issues (#4520) within Import
  • Improves the SSHA password storage scheme to be compatible with hashes from other servers (#4558)
  • Resolves an issue (#4232) with Windows specific LDIF files during Import
  • Adds an option to log replications CSNs in the Access Logs, like Sun Directory Server does
  • Resolves an issue (#4556) with the Password Modify extended operation when some validation must be skipped for administrators
  • Resolves an issue (#2748)with the order of message logged in the access logs
  • Resolves an issue where password policies subentries are not applied after replicated

Technorati Tags: , , , , , , ,

OpenDS 2.3.0-build002 is now available…

Opends Logo TagWe have just uploaded OpenDS 2.3.0-build002, a new snapshot from the development branch of the OpenDS project, to the promoted-build repository.

OpenDS 2.3.0-build002 is built from revision 6400 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.3.0-build002/OpenDS-2.3.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.3.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.3.0-build002, including the detailed change log

Major changes since OpenDS 2.3.0 build001 include :

  • Multiple improvements on the Control Panel and the Setup
  • Multiple incremental improvements with the External Changelog, including reliability and performance (Issue #4478)
  • Upgraded the version of the Berkeley DB Java Edition to 4.0.95
  • Final fix for issue #4367, removing the need for BDB logging configuration via properties
  • Fixes some memory leaks with lots of connects and disconnects (Issue #4491)
  • Resolves a NPE when using Extensible Matching filters without matching rule OID (Issue #4385)
  • Fixes an issue (#4539) with the DSML gateway with JAXB and some Application Servers
  • Fixes an issue (#4492) in ACI where an NPE would occur when the base entry contains a single RDN component
  • Improves the reliability of the OpenDS Windows Services (Issues #4084 and #4381)
  • Resolves issue #4523 where ACI and sub-entry caches were not updated on replicas
  • Resolves issue #4538 where Virtual attributes would not be retrieved when the entry cache is configured
  • Fixes an issue with access controls that would give different results for cn=Directory Manager and plain user (Issue #4547)
  • Enhances the support and compliance of LDAP subentry, Collective attributes and Password Policy
  • Resolves several issues with Replication including Issues #4514, #4533 and #4534, and enhance the way Replication servers are electing servers they connect to (Issue #4343)
  • Renamed the extensions directory to “experimental”. The only experimental extension is the ArisID privacy control
  • Fixes several issues related to building OpenDS, especially on Windows.

Technorati Tags: , , , , , , ,

Subversion authorization through LDAP with OpenDS

If you building a centralized development environment for a team or large group of users, the question of centralizing user identities, authentication and authorization is always popping up and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source project like GlassFish, Apache Tomcat, SugarCRM… But not yet for Subversion. Thankfully, Wooter van Reeven, Senior Consultant at Yenlo has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.

Update on March 18th.

Wooter has also posted a copy of the article on OpenDS documentation wiki.

I’ve also been aware of an older article on the subject of Subversion with Apache and LDAP by Jeremy Whitlock, engineer in the CollabNet Subversion team. This article contains more details on the Apache configuration parameters and snippets for both Apache 2.0 and Apache 2.2.

Technorati Tags: , , , , , ,

OpenDS Tab Sweep

It’s been a while since I last posted an OpenDS tab sweep. So here’s a list of news and pointers related to our open source LDAP directory server.

PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.

The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.

IconcurldapintegrationiConcur Software delivers new Axiom a Requirements management tool integrates by default with OpenDS.

Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !

Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.

Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.

Sopera, a german company building open source SOA is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource)

SOPERA ASF ToolSuite partial screenshot

Also in the recent days a couple of new LDAP browsers appeared.

Finally, in a introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggest that Java based OpenDS directory Server as a good alternative for running your own LDAP service on MS infrastructure.

Technorati Tags: , , , , ,