“Parlez vous Français ?” @ JavaOne 2012 !

JavaOne, like most conferences, serves two purposes. First, it is the place to learn about the theme of the conference, in the case of JavaOne the Java platform, language and environment. There are presentations, demos and keynotes for all of that. But more importantly, it is the place to socialize, meet friends and acquaintances, and strengthen your network(s).

And so, on Tuesday evening, right after the ForgeRock party, we had a “French dinner”. More specifically, a dinner with French-speaking people who are quite active, one way or another, in the Java community. We French do love food and spending hours over a meal discussing, joking, laughing and sipping wine in good company. This year was no different, as the few photos illustrate.

Thanks to Guillaume Laforge, leader of the Groovy community, for organizing it this year.


Another nice ForgeRock event

Yesterday, on the side of the JavaOne and OOW conferences, we had an executive round table with selected partners, customers and future customers. The event started with a 30-minute speech by Scott McNealy, Sun founder and former CEO, and an active supporter of ForgeRock.

Scott touched on the values and benefits of open source software, gave a top 12 reasons why you know your Identity and Access Management solution is not open source and talked briefly about his new company Wayin.

Mike Wilson, VP and CISO at McKesson, presented how McKesson has started to use ForgeRock Open Identity Stack for several projects and the benefits of our solution.

Thanks Scott, Mike and all for your participation.

Meeting ForgeRock during JavaOne / OOW

If you want to meet ForgeRock and you’re in the San Francisco Bay Area during JavaOne and Oracle Open World, there will be several opportunities to meet some of us: our CEO, our Sales team, some of our developers or myself.

Sunday September 30th:

I will be participating in the JUG Leaders meetings and discussions as well as the GlassFish ones (when schedule allows). Later, you can find me at the GlassFish and Friends Party from 8pm to 10pm at The Thirsty Bear.

Monday October 1st:

JavaOne attendees should be able to see me during the conference. I will be part of a panel discussion on Open Source Identity and Access Management solutions, from 5:30pm to 6:15pm.

Following that, some ForgeRock employees and I will be at the 2nd Annual Solaris Family reunion from 7:00pm to 11:00pm. The event, part of the ZFS Day, is free, but please register here.


Tuesday October 2nd:

Come and meet the developers and other members of the open source projects supported by ForgeRock. We’re having a Beer Burst party from 5:00pm until 8:30pm at The House of Shields. Please register through Eventbrite so that we know how many to expect.

Rest of the week…

Otherwise, throughout the week, I will be most of the time at the JavaOne conference or in the ForgeRock San Francisco offices with the local team. Please send me an email or message me on Twitter (@LudoMP) to arrange a meeting.  I will be leaving California for New York on Monday, October 8th.

I hope to see a large number of people from the OpenDJ, OpenAM or OpenIDM community, other open source projects, ex-coworkers, future customers, and friends during my stay.

OpenDJ 2.4.6 is now available

A few days after an important milestone for OpenDJ, the open source LDAP directory server in Java, I’m happy to announce that a new bug fix release of the 2.4 series has just been made available. OpenDJ 2.4.6 is an update release of the OpenDJ project and improves reliability and performance with large groups and entries, as well as very large databases. The full details about the release have been posted in the OpenDJ 2.4.6 Release Notes. Upgrading to this release is recommended for everyone running earlier versions. For additional features and bug fixes, please use OpenDJ 2.5.0-Xpress1.

The release is built out of revision 8102 of the b2.4 branch of the code repository.

As usual, you can find everything on the OpenDJ Downloads page.

The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on the track for an accurate, reviewed version for OpenDJ 2.5.

Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.

Enjoy !

Tab Sweep Summer Edition

Closing tabs and removing bookmarks in my browser before going on vacation, I ought to post a few links before :

ForgeRock is growing and I’m happy to count Chris Ridd as a new member of the OpenDJ team. Chris’ main focus will be support and sustaining, but he’s already started building knowledge information and posted an article on our wiki about using Eclipse for OpenDJ development; and has a new feature enhancement in progress.

Open source projects like other open source projects. For the last few months, Silverpeas has been running demos and tests with the OpenDJ LDAP directory service. They’ve moved one step closer by integrating OpenDJ in their unit test framework, posted the JUnit module on GitHub, and documented the process. A French version of the article is also available.

Bill Nelson keeps on publishing snippets of the OpenDJ Administration, Maintenance and Tuning class, and this week posted an Architecture overview of the OpenDJ directory server.

Version 2.0 of the LDAP Synchronization Connector (LSC-Project) has been released. I need to give the new version a try, as LSC has proven helpful for migrating directory services.

Dave Koelmeyer wrote a simple article, yet very useful, describing how to enable LDAP secondary group memberships with Ubuntu 12.04 and OpenDJ.

Phil Lembo, alias ELDAPO, posted a short article to describe how to update the JVM version used by OpenDJ. There are some good reasons for enforcing some stickiness with the version of the JVM, but controlling the runtime environment for a service that can be critical is the major one.

Have I already mentioned that we’re hiring? If you’re a developer, have some good object-oriented programming experience with Java, and want to live close to the Alps, enjoying cycling, hiking or hang-gliding in summer and skiing or snowboarding in winter, then you should apply now.

At Pipay, 15 km from ForgeRock Grenoble Engineering Center

OpenDJ 2.5.0-Xpress1 is now available

I’m happy to announce that a new revision of OpenDJ, the open source LDAP directory server in Java has just been released. OpenDJ 2.5.0-Xpress1 is a new stable release of the main development branch of the OpenDJ project.

OpenDJ 2.5.0-Xpress1 brings you the latest features such as:

  • Capability to delegate authentication to Microsoft Active Directory (pass-through authentication)
  • Improved enforcement of referential integrity for groups, whereby OpenDJ can now ensure both that members’ entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted
  • Access log filtering, with additional output configuration to combine request and response messages, log control OIDs, and specify timestamp formats
  • Optimistic concurrency control through ETag attributes
  • Synchronization of Samba and OpenDJ passwords

You can find more details about the OpenDJ 2.5.0-Xpress1 release in the OpenDJ Release Notes.

The release is built out of revision 8087 of the trunk of the code repository.

As usual, you can find everything on the OpenDJ Downloads page.

The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on the track for an accurate, reviewed version for the final release of OpenDJ 2.5.0, due by the end of this year.

Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.

Enjoy !

What a week !

It’s been one of those weeks where you’re so busy that you hardly have the time to tweet, let alone blog. The week started on Sunday morning with an early flight to London (after a very short night thanks to my daughter’s end-of-year party). On Monday, I was driven to Bristol to see our new office, meet with Steve Ferris, head of ForgeRock UK, and meet with Chris Ridd, who has just joined our company as a Support engineer, focusing mostly on OpenDJ, our open source LDAP directory service in Java.

After Oslo, this was the second stage of my tour of worldwide offices (*). The Bristol office opened a couple of weeks ago, and it’s really nice, located on Queen’s Square, in an old house spread over 3 storeys and a cellar.


On Tuesday, we left the Bristol office around noon to come back to London for 2 meetings with customers, both using OpenDJ. On Wednesday morning I flew back to France to prepare our Grenoble office warming party, planned for Thursday at 5:30pm.

On Thursday I went and picked up Lasse Andresen, our CEO, at the airport. He was just back from San Francisco and making a detour on his way home for the party. We had a little time to talk about the business, hiring, and a few other things, and already our first guests started to show up for the official opening of the new office of the ForgeRock Grenoble Engineering Center. Over an hour and a half, we had visits from some of our office neighbors, some ex-colleagues from Sun, the Chief Service Officer of BonitaSoft (another great startup from Grenoble, built on open source software), our external accountants, a few leaders of the AlpesJUG (the local Java User Group), guests from other software or services companies around, and even the future new hire who signed his contract yesterday. I was so busy welcoming everyone and making sure glasses were not empty that I realized afterwards I had not taken a single photo of the event, despite having my camera ready on my desk.

This morning, Lasse and I had another session of work before he started to head towards the airport to fly back home, and since then, I’ve been trying to catch up on emails, documents and all… This is my last action before I call it a week and go in the living room to sip a very fresh beer and relax !

The coming weeks should allow me more time for blogging and tweeting. Until then, enjoy the week-end !

(*) I don’t plan to continue my tour until September, and should see the San Francisco office when I’m coming to speak at JavaOne.

More secure passwords !

I received an intriguing request from a customer last week: he wanted to know if we had benchmarked the password storage schemes available in OpenDJ, our LDAP directory service. Their fear was that with stronger schemes, they could not sustain a high authentication rate.

In light of the LinkedIn leak of several millions of passwords, hashed with a simple unsalted SHA1, I decided to run a quick and simple test.

Salted SHA-1 ({SSHA}) is the default password storage scheme in OpenDJ. The salt is an 8-byte (64-bit) random octet string, appended to the password before hashing to produce the 20-byte message digest; the stored value is the base64 encoding of digest followed by salt. OpenDJ supports a wide range of password storage schemes, and Salted SHA-512 ({SSHA512}) is currently the strongest hashing algorithm we ship (the salt there is also an 8-byte random octet string, and the digest is 64 bytes).

So for the test, I generated a sample directory data set with 10 000 users, and imported it in the OpenDJ directory (a 2.5 development build) with the default settings, on my laptop (MacBook Pro, 2.2 GHz intel Core i7).

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "dc=example,dc=com" 'uid=user.10' dn userPassword
dn: uid=user.10,ou=People,dc=example,dc=com
userPassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

I then ran authrate, a small benchmark tool that lets you stress an LDAP server with a high rate of authentications (LDAP Bind requests), and let it run for 5 minutes.

authrate -h localhost -p 1389 -g 'rand(0,10000)' -D "uid=user.%d,ou=people,dc=example,dc=com" -w password -c 32 -f
-----------------------------------------------------------------
 Throughput     Response Time
 (ops/second)   (milliseconds)
 recent average recent average 99.9% 99.99% 99.999% err/sec
 -----------------------------------------------------------------
 ...
 26558.0  26148.9   1.179    1.195  10.168  19.431  156.421      0.0

I then stopped the server, changed the import default password encryption scheme to Salted SHA512, and reimported the data.

$ ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -b "dc=example,dc=com" 'uid=user.10' dn userPassword
 dn: uid=user.10,ou=People,dc=example,dc=com
 userPassword: {SSHA512}eTGiwtTM4niUKNkEBy/9t03UdbsyYTL1ZXhy6uFnw4X0T6Y9Zf5/dS7hDIdx3/UTlUQ/9JjNV9fOg2BkmVgBhWWu5WpWKPog

And then re-run the “authrate”

$ authrate -h localhost -p 1389 -g 'rand(0,10000)' -D "uid=user.%d,ou=people,dc=example,dc=com" -w password -c 32 -f
-----------------------------------------------------------------
 Throughput     Response Time
 (ops/second)   (milliseconds)
 recent average recent average 99.9% 99.99% 99.999% err/sec
 -----------------------------------------------------------------
 ...
 25481.7  25377.6   1.222    1.227  10.470  15.473  158.234      0.0

As you can see, there is very little difference in throughput or response time when using the strongest scheme to hash user passwords: the hash computation is a negligible part of a bind, which is dominated by the network round trip and the entry lookup. So do not hesitate to change the default settings and make use of the strongest password storage scheme OpenDJ offers. It could save you the embarrassment of one day contacting each of your users or customers to ask them to change their compromised password. Keep in mind what this test measures, though: the online bind rate, not the cost of an offline attack against a leaked hash. A salted SHA-512 value rules out precomputed tables and lets an attacker reuse no work across users, but one SHA-512 per guess is still cheap, and the salt adds no per-guess cost.

The default password storage scheme is set in two places:

  • The default password policy, used for all passwords that are set or changed online:
dn: cn=Default Password Policy,cn=Password Policies,cn=config
ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config
  • The Password Policy Import plugin, used for passwords loaded with import-ldif:
dn: cn=Password Policy Import,cn=Plugins,cn=config
ds-cfg-default-user-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Schemes,cn=config

Both properties can be changed with dsconfig while the OpenDJ server is running, and the new scheme is used for all subsequent operations. Note that changing the scheme does not rehash values already stored: a user’s hash is re-encoded only when the password is next modified, when the data is re-imported, or, if the old scheme is listed in the policy’s deprecated-password-storage-scheme property, on the user’s next successful bind.
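As an added example, not code from the original post or from OpenDJ itself, the Python below reproduces the storage layout of the two userPassword values shown above: base64(digest(password || salt) || salt) with an 8-byte random salt, tagged {SSHA} or {SSHA512}. It verifies a password against such a value the way a bind does, and then runs the offline dictionary loop that the authrate numbers say nothing about. The sample passwords and the wordlist are constructed for the illustration; the guess-rate loop is a rough single-thread measurement, not a benchmark.

```python
"""Salted SHA-1 / SHA-512 userPassword values in the OpenDJ layout:
   {SCHEME}base64( digest(password || salt) || salt ), 8-byte salt.
Example code written for this post; the layout follows the post's
description, everything else (sample passwords, wordlist) is constructed."""
import base64
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

SALT_LEN = 8  # 64-bit random salt, as described for both schemes

# scheme tag -> (hashlib constructor, digest length in bytes)
SCHEMES = {
    "SSHA": (hashlib.sha1, 20),
    "SSHA512": (hashlib.sha512, 64),
}


def encode(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a tagged value such as '{SSHA512}...' for a cleartext password."""
    digest_fn, _ = SCHEMES[scheme]
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split(value: str) -> Tuple[str, bytes, bytes]:
    """Parse '{SCHEME}base64' into (scheme, digest, salt); the salt is
    whatever follows the fixed-length digest."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a tagged userPassword value")
    scheme, b64 = value[1:].split("}", 1)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    raw = base64.b64decode(b64)
    digest_len = SCHEMES[scheme][1]
    if len(raw) <= digest_len:
        raise ValueError("value too short to hold digest and salt")
    return scheme, raw[:digest_len], raw[digest_len:]


def verify(password: str, value: str) -> bool:
    """What a bind does: rehash the candidate with the stored salt and
    compare in constant time."""
    scheme, stored, salt = split(value)
    digest_fn, _ = SCHEMES[scheme]
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored)


def crack(value: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one leaked value. The salt defeats
    precomputed tables, but every guess costs only one fast hash."""
    for guess in wordlist:
        if verify(guess, value):
            return guess
    return None


def guesses_per_second(scheme: str, rounds: int = 20000) -> float:
    """Rough single-thread guess rate against one value of this scheme."""
    value = encode("not-the-guess", scheme)
    start = time.perf_counter()
    for i in range(rounds):
        verify("guess%d" % i, value)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    wordlist = ["123456", "letmein", "password"]  # constructed sample wordlist
    for scheme in SCHEMES:
        # "password" is what the authrate runs above bind with
        stored = encode("password", scheme)
        print(stored)
        print("  verify ok:", verify("password", stored), "wrong:", verify("Password", stored))
        print("  cracked:", crack(stored, wordlist))
        print("  ~%.0f guesses/s" % guesses_per_second(scheme))
```

Running it prints two freshly salted values, shows that verification succeeds only for the exact password, and recovers “password” from a three-word list for both schemes at a rate of well over a hundred thousand guesses per second in plain Python, which is the point: the server-side cost difference between the two schemes is negligible, and so is the per-guess cost for an attacker holding the hashes.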

An Optimized solution for directory services ?

I was recently pointed to a white paper published by Oracle called : Oracle Optimized Solution for Oracle Unified Directory — Implementation Guide.

Because Oracle Unified Directory and OpenDJ have a common root (both derive from the Sun-initiated OpenDS project), I was curious about that optimized solution, and whether anything in it might be applicable to our customers. After reading the 45-page white paper, honestly, the Oracle Optimized Solution is not something I would recommend to any of our customers (*).

The white paper describes the hardware used for the solution: 3 SPARC T4-1 systems with 128GB of RAM and 6 300GB internal disks each. A SPARC T4-1 is an 8-core machine, each core supporting up to 8 threads. Each T4-1 has a 10GbE add-on network card, and each is attached through two Fibre Channel cards to a Sun Storage 2500-M2 array (with 2540 controllers) holding 12 disks.

Let’s estimate the price of this solution: the SPARC T4-1 with 128GB of RAM has an estimated public price of $24,344, but with only 2 internal disks, so add another $1,660 for the 4 additional disks. The lowest price for a 10GbE card for that system is $2,000, and the cheapest storage array with the same number of disks is roughly $27,000. That is a total cost per system of over $55,000, not including the operating system, and a total for the “Optimized Solution” of approximately $165,000 (estimated public price).

So what do we get in performance for this price? Well, the white paper will not tell you what the solution is optimized for. The only number that appears is the time it took to import 15 million entries on one of the systems:

[07/Jan/2012:12:19:29 +0000] category=JEB severity=NOTICE msgID=8847569 msg=Total import time was 3790 seconds. Phase one processing completed in 2868 seconds, phase two processing completed in 922 seconds
[07/Jan/2012:12:19:29 +0000] category=JEB severity=NOTICE msgID=8847454 msg=Processed 15000001 entries, imported 15000001, skipped 0, rejected 0 and migrated 0 in 3790 seconds (average rate 3957.0/sec)
[07/Jan/2012:12:19:29 +0000] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds

Last week, I was in Mexico with a partner of ours, demonstrating the capabilities of OpenDJ with the customer’s data (exported a week earlier, and containing several hundred very large static groups). We used x86-based machines with 96GB of memory, although we only used 16GB for the OpenDJ instance.

And here’s the output of the import command :

[25/Apr/2012:20:10:44 +0200] category=JEB severity=NOTICE msgID=8847538 msg=DN phase two processing completed. Processed 21654508 DNs
[25/Apr/2012:20:10:45 +0200] category=JEB severity=NOTICE msgID=8847569 msg=Total import time was 2002 seconds. Phase one processing completed in 1137 seconds, phase two processing completed in 865 seconds
[25/Apr/2012:20:10:45 +0200] category=JEB severity=NOTICE msgID=8847454 msg=Processed 21654508 entries, imported 21654508, skipped 0, rejected 0 and migrated 0 in 2002 seconds (average rate 10815.3/sec)
[25/Apr/2012:20:10:45 +0200] category=JEB severity=NOTICE msgID=8847536 msg=Import LDIF environment close took 0 seconds

I don’t have the price of the servers we used (but our partner can get in touch with you if you’re interested in the solution), but I doubt it reaches half the price of the Oracle optimized solution!

So before you drink the Oracle Kool-Aid, think twice about what an optimized solution should be, and how much it should cost. Oh, by the way, there is no license cost for OpenDJ: it’s open source, it’s available now and you can try it free of charge. Of course, we do appreciate it if you subscribe to one of our support offerings to protect your investment and get a Service Level Agreement.

(*) I would not recommend a directory solution on SPARC T-series machines, ever. While the machines have good capacity for load, the performance of any write activity is really bad, especially as soon as access controls are in use. Most of our partners who have deployed directory services on these machines will agree with me. As a matter of fact, I don’t recall any recent customer mentioning SPARC or Solaris when renewing their directory service infrastructure.

Devoxx France, 1st Edition

I was in Paris at the end of last week, attending the first edition of Devoxx France, a Java developers’ conference.

Devoxx is a well-known and highly attended Java developers’ conference that takes place in late fall in Antwerp. The French version was initiated by the Paris Java User Group and has a similar structure, but with 75% of the talks in French.
For a first edition, Devoxx France 2012 was a real success. Sold out 2 weeks before the event, over 1,200 people attended the three-day conference. Yet the conference felt human.

I was there only for the second and third days, as an attendee and as a co-speaker in the BOF session about Open Source Software in France. It was also an opportunity to meet and talk with other developers, open source project leaders and potential customers.

photo by Pierre-Antoine Gregoire, alias @zepag

Of the talks I attended, I preferred the ones that were quite low level. Among them were two about hacking the JVM and the bytecode:

I also enjoyed two presentations by Alex Snaps, one about concurrency and the compare-and-set operation, the other about SizeOf and the difficulty of computing the exact size of Java objects in order to improve the efficiency and management of large caches. I shall look at the Ehcache project code to see if we can leverage some of it for the OpenDJ caches.

Also worth mentioning are the two great keynotes on Friday morning by Pat Chanezon and Neal Ford.

I’ve taken a few photos during Devoxx France 2012, feel free to use or share them (under Creative Commons). And if you want to see more photos of the event, you can check Arnaud Heritier’s collections : Day 1, Day 2, Day 3.

See you next year at Devoxx France 2013, and maybe in Antwerp in November for Devoxx (worldwide).

OpenAM 10.0.0 is now available…

This is a big milestone for ForgeRock and the OpenAM project, an open source Web SSO, authentication, authorization, federation and entitlements solution. After months of development (a few more than we anticipated), we’ve finally released OpenAM 10.0.0, a major version of the product.

OpenAM 10 brings a set of new features, including support for OAuth 2.0 client authentication, the ForgeRock Identity Gateway (built out of the OpenIG project), enhanced SAML 2 identity provider capabilities, a new Risk Based Authentication module, and more. It now relies on OpenDJ 2.4.5, the latest stable release of OpenDJ, the open source LDAP directory server, and supports the Internet-Draft based LDAP password policy. You can find more details in the press announcement or the product release notes. The documentation of the OpenAM 10 release can be read at http://docs.forgerock.org/en/index.html?product=openam&version=10.0.0.

The OpenAM 10 release owes a lot to the OpenAM community, for the issues raised (a total of 41 issues fixed in OpenAM 10 were raised by 26 different people) and for the generous patches offered to fix over a dozen of them.
To each and every contributor : THANK YOU !

Tab Sweep for Friday April 13th

Another week goes by, and it’s time for another tab sweep.

Syntegrity Networks, one of our major partners in the US, has launched a campaign to encourage their customers to migrate from Sun Directory Server to OpenDJ.

Silverpeas, a collaborative platform built as open source under the GNU Affero license by the eponymous company, has supported LDAP for authentication and authorization for some time. The documentation for setting up the LDAP domain has been updated using OpenDJ as the recommended server.

ForgeRock OpenIDM capabilities are growing. After getting OpenIDM to work with Activiti to provide workflows, the team posted an experimental tutorial on integrating Jasper with OpenIDM to produce nice reports. You can find more of these tutorials in the OpenIDM How To Collection.

Tips: resource limits in OpenDJ

Photo by Scallop Holden http://www.flickr.com/photos/scallop_holden/

OpenDJ, the open source LDAP directory service in Java, defines a few global resource limits to prevent client connections or operations from abusing the server’s resources (a single unindexed or overly broad search, or thousands of idle connections, should not be able to starve everyone else). These limits are

  • the maximum number of entries returned to a search request (size-limit, default is 1000),
  • the maximum amount of time to spend returning results to a client (time-limit, default is 60 seconds),
  • the maximum number of entries to look through while processing a search request (lookthrough-limit, default is 5000),
  • the maximum amount of time a connection can sit idle before the server disconnects it (idle-time-limit, default is unlimited).

There are default values for all of these limits in the global configuration, but they can also be set on a per-user basis. The global limits are read or set using dsconfig:

$ bin/dsconfig get-global-configuration-prop -p 4444 -X -n -h localhost \
 -D cn=directory\ manager -w secret12
Property : Value(s)
--------------------------------------:------------------------
bind-with-dn-requires-password : true
default-password-policy : Default Password Policy
disabled-privilege : -
entry-cache-preload : false
etime-resolution : milliseconds
idle-time-limit : 0
lookthrough-limit : 5000
max-allowed-client-connections : 0
max-psearches : unlimited
proxied-authorization-identity-mapper : Exact Match
reject-unauthenticated-requests : false
return-bind-error-messages : false
save-config-on-successful-startup : true
size-limit : 1000
smtp-server : -
time-limit : 60 s
writability-mode : enabled

The per-user limits use different LDAP attribute names (ds-rlim-*) and can be read or set directly in a user’s entry, or through Collective Attributes. A value of 0 means unlimited. The Directory Manager entry has such specific limits set, so that everything is unlimited for it:

$ bin/ldapsearch -D "cn=directory manager" -w secret12 -p 1389 -X -b "cn=config" \
  '(objectClass=inetOrgPerson)' ds-rlim-time-limit ds-rlim-size-limit \
  ds-rlim-lookthrough-limit ds-rlim-idle-time-limit
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-size-limit: 0

If you decide to change the default global settings, for example the idle-time-limit, to force idle connections to be closed by the server after some time (usually a shorter time than the setting of the load balancer sitting between your applications and the OpenDJ servers), remember that you might also want to change the limit for “cn=Directory Manager”, since its own ds-rlim-idle-time-limit of 0 overrides the global value. This matters especially if your client applications connect with Directory Manager credentials, which is one more reason to give applications their own accounts.

Tab sweep, Easter edition, and upcoming events

cc by http://www.flickr.com/photos/noukorama/

Articles and links

Action Identity has posted a couple of articles about ForgeRock products:

Our friends at ProfiQ have posted an article describing how to use OpenDJ with Red Hat Certificate System.

While on the subject of using OpenDJ with LDAP-enabled applications, we try to maintain a page on the OpenDJ documentation wiki with tutorials on how to configure various OpenDJ client applications.

Upcoming Events

ForgeRock will be present at the European Identity and Cloud Conference (EIC), April 17-20 in Munich.

We will also be participating in Devoxx France, April 18 to 20 in Paris. I will be co-speaking on Thursday 19 at 7pm about Open Source in France, and will be available for individual meetings from Thursday morning to Friday late afternoon. So, if you want to discuss ForgeRock products or job opportunities, send me a mail or leave a comment.

IBM Cognos and OpenDJ LDAP directory server

BrightStar Partners, a consulting company specialized in the IBM Cognos business intelligence product suite, has published an illustrated, detailed yet simple tutorial on using the OpenDJ LDAP directory server with IBM Cognos.

Yet another product that nicely works with OpenDJ.