opensource

OpenAM – The Book

Ludo2 Comments

For many years, I’ve been working in collaboration with the Sun access management product team,  as it started working on the Directory Server Access Management Edition (DSAME) product that years later became Sun Access Manager and OpenSSO. And now that I’m at ForgeRock, I have the pleasure to keep working with some members of that team, on OpenAM, the continuation of the OpenSSO open source project.

My knowledge of the product is rather shallow as I’ve worked on several case studies or issues related to customers and LDAP directory servers, but I never had a chance to deploy a service for production use or even extensive testing.

So when I learnt that Packt Publishing was releasing a book on “OpenAM”, writen by Indira Thangasamy, an ex-colleague of mine and manager of the Quality Assurance team, I asked if I could get a copy for review, which Packt kindly agreed to.

I haven’t finished the book yet, as it’s over 250 pages of content, covering all aspects of the OpenAM software, from its history, its components and services, to its integration with Google Apps or SalesForce… But from what I’ve read (about 2/3 of the book), I can say that the book is easy to read and well organized. It helps a beginner to grasp the concepts and starts using the product, thanks to the detailed explanations and diagrams. As the chapters advance and dive into specific technical areas, Indira uses real-world examples and simple code or commands, followed by detailed description to illustrate what OpenAM does or does not, giving a comprehensive picture of the fully featured product.

Some of the features of OpenAM are not covered in the book, like Federation or the most recent Entitlement Services or Secure Token Services. I hope they will be covered in a revised edition or may be another book, as these features are becoming more used and important to enterprise security and access management.

In summary, if you’re about to, or have just started to engage on a project with OpenAM, this book will help you understand the technology and ease your ramping up. But even for the more experienced users of OpenAM, the book contains full of details, tips and example that will save you time and make you more efficient.

You can find the book on Pack-Publishing web site or Amazon.

New releases of OpenAM and OpenDJ !

Ludo7 Comments

It’s the happy hour, with a double release day at ForgeRock.

OpenAM 9.5.2 has just been released, along with the J2EE Agents 3.0.3 and are now available for downloads from ForgeRock. You can find the release details in the Release Notes.

OpenDJ 2.4.1 has also been released today. The patch release can be found on the Downloads page in various forms: Java WebStart Installer, Zip package or SVR4 package. The Release Notes have been posted on the Documentation wiki.

Happy birthday IzPack

LudoLeave a comment

IzPack, the open source, Java based, cross-platform packager installer project is celebrating its 10th birthday with 2 releases and an impressive list of companies using the technology.

In OpenDJ, we have our own Java based (Java WebStart based) installer, but if I had to redo it, I would definitely pick IzPack to build it, for its easiness, cross-platform support and great look and feel.

Long live to IzPack !

Quality Matters

Ludo2 Comments

As we’re working towards releasing a micro-release of OpenDJ 2.4, fixing a few issues that have been raised by our customers and adopters, we’ve made another important move towards increasing the quality of ForgeRock products :

Gary Williams has started at ForgeRock today, growing the forces at the ForgeRock Grenoble Engineering Center, and will lead our quality assurance engineering efforts. Gary comes from Sun (Oracle) where he was Principal Quality Assurance Engineer, driving the testing efforts for OpenDS and previously for Sun Directory Server Enterprise Edition. He brings almost 20 years of experience in QA and testing software applications and servers.

Welcome to ForgeRock, Gary !

Upgrading from OpenDS to OpenDJ

LudoLeave a comment

OpenDJ 2.4.0 was released a couple of months ago, and we’re seeing a lot of interest for it, especially from people who’ve already been evaluating OpenDS.

It is possible, and very easy, to upgrade from OpenDS 2.x to the latest version of OpenDJ. Here’s the easiest and more error-proof way.

First start by downloading the latest version of OpenDJ from ForgeRock web site. Currently the most recent release is OpenDJ 2.4.0, but nightly builds of coming OpenDJ 2.5.0 are also available. While you can run the upgrade through the Java web start installer, I recommend that you download the Zip package and run the upgrade from the command line.

Download and/or copy the OpenDJ zip package on the machine which has the instance to upgrade. Do not unzip it.

Go in the directory of the instance to upgrade:

cd /local/OpenDS2.2/

From that place, run the OpenDS 2.2 upgrade command :

./upgrade

The first question you’re asked is to confirm you plan to do an upgrade, so press the <Enter> key

The provide the full absolute path to the OpenDJ zip package, for example : /tmp/OpenDJ-2.4.0.zip

And then continue with the Upgrade program.

Should some customization of the schema or the configuration failing to be upgraded, the Upgrade program will stop and ask you what you want to do. You can review the details and decide to abort or continue the upgrade.

If you’re not sure about what to do, please consider continuing the upgrade. All files and customizations are preserved under the history directory and you can review them and decide if you want to try to reconfigure or not the upgraded server.

And do not forget to rebuild the dn2id index after the upgrade, as there’s been a change of format in this system index, to correct a defect and improve space efficiency.  To do so, stop the upgraded server and run the rebuild-index command :

bin/rebuild-index <some options> -i dn2id -b "<suffix>"

If you have a replicated environment, you can upgrade all the servers, one after the other, without interrupting the service nor changing anything in the replication configuration. The upgrade of a single server should take less than 5 minutes.

Prior to running an upgrade, we recommend you take a full backup of the server. A quick way to do this with small databases, is to stop the server and just fully copy it to another location. You can run the upgrade and then move back the copy in place if something didn’t run as expected.

Enjoy.

Update on Feb 27: Mention the need to rebuild the dn2id index. This was described in the 2.4.0 release notes, but was missing here.

Update on June 3: When upgrading to OpenDJ 2.4.2 or later, it is necessary to run a simple script against the OpenDS or OpenDJ instances before running the upgrade command. This script is patching a file used for the upgrade to detect schema changes. More details are available in the OpenDJ 2.4.2 Installation Guide.

1 Year Old and 1 New Architect

Ludo1 Comment

ForgeRock is exactly ONE year old today. As we’re a distributed and quite global company, we’re not going to blow the candle on the cake today. But I’m sure next time we meet, we’ll have one as nice as the one we had during our last company meeting in Faro, Portugal.

Also today is the first day at ForgeRock of Matthew Swift, as Architect for the OpenDJ project, growing the forces at the ForgeRock Grenoble Engineering Center. Matthew comes from Sun (Oracle) where he was leading the development of the core of OpenDS, as well as the LDAP Client API. He has been doing interesting work with regards to performances with the OpenDS server (he’s the one who provided me with nice numbers to present), and its reliability. Matthew has several years of experience building LDAP and Directory related products as well as Java development, for Sun, Bloomberg and Isode. He’s bringing his talent and energy back to the open source project and will help make OpenDJ an even stronger and better product.

I’m really delighted to work with Matthew again.

And what a great day today !

OpenDJ LDAP server for Snow Leopard Server and Unix

Ludo1 Comment

One of the things that I appreciate with Mac OS X is that it’s based on Unix, the family of operating systems I’ve been using since my years at university.

And what’s more natural to integrate a  Unix system with other Unix systems ? Well, one point of integration for identities and services is an LDAP directory server, like OpenDJ, the Open source LDAPv3 Directory service in Java.

Phillip Steinbachs has been working on a pet project of his: providing Mac OS X desktop environment via SunRay thin-clients. For this, he needed to have his Apple Xserver boxes, running Snow Leopart Server, to be integrated within the current LDAP and NFS environment, based on OpenDS (from which OpenDJ derives). Having successfully done it, Phillip just posted a summary of the changes needed to have its integrated, including the proper schema files. A good reference post for whoever wants to integrate its Mac OS based machines with LDAP!

A year after sunset…

Ludo1 Comment

My ex-colleague Eduardo Pelegri has been collecting and posting interesting data about the ex-Sun people and the Sun initiated open source projects, a year after the Sun-set. I find interesting to see how the Sun heritage is disseminating and creating a larger ecosystem of new companies.

 

The First OpenAM Book

Ludo1 Comment

OpenAM Book CoverThe first book on OpenAM, the open source web single sign-on and federation project, will be released very soon (it should be Jan 21st 2011), and it’s been written by one of my former and well esteemed colleague Indira Thangasamy.

I haven’t reviewed the book yet, but I’m expecting to have a review copy in my hands pretty soon (thanks again Indira and Packt Publishing).

However, if you want to get a feel of the book content, Indira has posted a very detailed table of content of the book, and some background information about it. I’m really looking forward reading the book and discovering some hidden gems of OpenAM. Also, this will help me to rethink the way the Configuration Store and User Store are considered and help improving the integration with OpenDJ, the Open source LDAP Directory services in Java, currently used as the embedded configuration store.

The book is already available for Pre-Order.

Directory Administrative Accounts – cont.

Ludo2 Comments

In a previous post, I’ve explained how to create multiple administrative accounts in the OpenDJ directory service. Today we’re going to look at restricting what applications can do with these administrative accounts.

In the OpenDJ directory service, there are 2 types of authorization systems :

  • Privileges control who can perform which administrative tasks : backup, restore, stop and restart of the server, managing acl…
  • Access Controls Lists govern the access to the data through LDAP operations.

Most operations involving sensitive or administrative data require that the user has both the privilege and authorization. This allows finer-grain authorization for specific data related action such as managing acl or reseting passwords.

The Privilege SubSystem

Privileges are assigned to users and apply globally to the directory service. Any user can be granted or denied any privilege and by default only the RootDN users are assigned a default set of privileges.

That set of privileges assigned to RootDN users is defined by the “default-root-privilege-name” property, which can be listed or modified using the dsconfig command.

To list the current default privileges assigned to all RootDN users :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n get-root-dn-prop

Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : bypass-lockdown, cancel-request, config-read,
                            : config-write, disconnect-client, ldif-export,
                            : ldif-import, modify-acl, password-reset,
                            : privilege-change, server-lockdown,
                            : server-restart, server-shutdown, subentry-write,
                            : unindexed-search, update-schema

To make sure that all searches are done with proper indexes, you may want to remove the privilege to all Administrative Accounts to perform unindexed searches :

bin/dsconfig -h localhost -p 4444 -X -D “cn=directory manager” -j /var/tmp/dmpassfile -n set-root-dn-prop –remove default-root-privilege-name:unindexed-search

Note: Removing this privilege to all Administrative accounts including the default “cn=Directory Manager” may have side effects for certain internal operations such as group membership, referential integrity…

Whenever adding a new Administrative Account under the “cn=Root DNs,cn=config” container, it automatically inherits from those privileges. But each administrative account can then be denied or added specific privileges by adding values of the “ds-privilege-name” attribute directly in the user entry, in the form of the privilege name or a Minus sign followed by the privilege name.

For example, I can make sure that my newly added Administrative Account is subject to access controls and cannot modify access controls lists, I modify the entry as followed :

Create a temporary file modAdminPrivileges.ldif with the following LDIF modification statement:

dn: cn=Second Admin,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: -bypass-acl
ds-privilege-name: -modify-acl

And then apply it to the directory service with the following command :

bin/ldapmodify -h localhost -p 4444 -X -Z -D “cn=directory manager” -j /var/tmp/dmpassfile -f modAdminPrivileges.ldif

Using similar commands and different privileges, one could completely separate the administrative tasks and restrict each Administrative Account to its specific tasks.

But the great thing about privileges is that they can also be granted to regular users part of the Directory Information Tree, allowing them to become administrators for very specific tasks.

The complete list of privileges supported in OpenDJ 2.4 is below:

  • backend-restore: Ability to perform backend restore operations.
  • bypass-acl: Ability to bypass access control evaluation.
  • bypass-lockdown:Ability to bypass server lockdown mode.
  • cancel-request: Ability to cancel arbitrary client requests.
  • config-read: Ability to read the server configuration.
  • config-write: Ability to update the server configuration.
  • data-sync: Ability to participate in a data synchronization environment.
  • disconnect-client: Ability to terminate arbitrary client connections.
  • jmx-notify: Ability to subscribe to JMX notifications.
  • jmx-read: Ability to perform read operations via JMX.
  • jmx-write: Ability to perform write operations via JMX.
  • ldif-export: Ability to perform LDIF export operations.
  • ldif-import: Ability to perform LDIF import operations.
  • modify-acl: Ability to modify access control rules.
  • password-reset: Ability to reset user passwords.
  • privilege-change: Ability to change the set of privileges for a user, or to change the set of privileges automatically assigned to a root user.
  • proxied-auth: Ability to perform proxied authorization or request an alternate authorization identity.
  • server-lockdown: Ability to lockdown a server.
  • server-restart: Ability to request a server restart.
  • server-shutdown: Ability to request a server shutdown.
  • subentry-write: Ability to perform write operations on LDAP subentries.
  • unindexed-search: Ability to perform an unindexed search
  • update-schema: Ability to update the server schema.

Multiple Directory Administrative Users

Ludo6 Comments

Most of LDAP directory servers configure a single well known directory administrative account (cn=Directory Manager [,dc=example,dc=com]) which has full access to everything. While there is a need to have one special user to bootstrap the server, we are too often seeing that special account being used by all applications that have specific administrative needs : the provisioning application, the email management application, …

OpenDJ has different mechanisms to define multiple administrative accounts, but today, I’m going to focus on the “Root DNs” i.e. defining multiple Directory Managers.

The default administrative account is “cn=Directory Manager”, and is stored in the configuration under the “cn=Root DNs,cn=config” container entry.

Adding another administrative account is as simple as adding another entry under that container, with one specific objectClass : ds-cfg-root-dn-user.

Create a file newAdmin.ldif

dn: cn=Second Admin,cn=Root DNs,cn=config
cn: Second Admin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: ds-cfg-root-dn-user
sn: Second Admin
ds-cfg-alternate-bind-dn: cn=Admin2,dc=example,dc=com
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password42

ldapmodify -a -D cn=Directory Manager -j /var/tmp/dmpassfile -f  newAdmin.ldif

Processing ADD request for cn=Second Admin,cn=Root DNs,cn=config
ADD operation successful for DN cn=Second Admin,cn=Root DNs,cn=config

If you prefer, you can choose not to set the password in the LDIF file, but set it in a secure way afterwards :

$ bin/ldappasswordmodify -p 1389 -D “cn=directory manager” -j /var/tmp/dmpassfile -a “”cn=Admin2,dc=example,dc=com” -N /var/tmp/newpw
The LDAP password modify operation was successful

Where /var/tmp/dmpassfile contains the password for “cn=directory manager” and /var/tmp/newpw the new password for Admin2.

Did you notice the “ds-cfg-alternate-bind-dn” attribute in the definition of the new administrative account ? This enables to authenticate to the directory server with the DN value specified in this attribute, while the entry still has a DN and is located under the “cn=config” suffix.

So now, don’t hesitate to create different administrative accounts for the various applications that need special access to the directory.

In a follow-up post, I will explain how to restrict what those administrative accounts can do in the OpenDJ directory service.

OpenDJ 2.4.0 has been released

Ludo6 Comments

I’m very pleased to announce the first full release of our Open source Directory services for the Java platform : OpenDJ 2.4.0.

Based on open source and open standards, OpenDJ is a new LDAPv3 compliant directory service, providing a high performance, highly available and secure store for the identities managed by enterprises. Its easy installation process, combined with the power of the Java platform makes of OpenDJ the simplest and fastest directory server to deploy and manage.

Choosing OpenDJ as an enterprise directory service has the following benefits :

  • Lower the cost of ownership : Delivers more performance while consuming less resources (disks, memory and CPUs). Simplifies the administrative tasks by automating them.
  • Platform independence : Runs on any platform that supports Java 6, including virtualized environments.
  • High Availability : Supports deployment of multiple servers in a multi-master replication topology, providing failover and disaster recovery.
  • Secure data store : Supports different levels of authentication and authorization. Protects passwords through encryption and extensive policies.
  • Monitoring and Alerts : Can be monitored by 3rd party applications using SNMP and JMX. Supports custom alerts to inform of specific events in the service.
  • Interoperability : Supports all LDAPv3 standard specifications, most of LDAPv3 standard and experimental extensions as well as some vendor specific extensions, easing integration with applications.

After a little bit over 2 months of beta testing, OpenDJ is now ready for use into production. And with this release, the OpenDJ project delivers the features announced on OpenDS roadmap and plans to continue the development of the project in a true open and collaborative way.

OpenDJ 2.4.0 can be downloaded from our downloads page, or installed through Java WebStart by just clicking here. You can find more details about it in the Release Notes.

Enjoy !

And send us your feedback, on the OpenDJ mailing list (subscribe here) or on #opendj IRC channel.

Managing multiple OpenDS servers

Ludo1 Comment

Opends Logo Tag
Up until now, to manage an OpenDS server, one would need to log onto the machine and starts the Control Panel.

In the next release of OpenDS (OpenDS 2.2), the Control Panel can now connect to remote servers, allowing an administrator to remotely monitor and tune any running instance of OpenDS.

Let’s see what has changed in the Control Panel for the remote access, and what are the limitations.

The first thing you will notice when starting the Control Panel is a new dialog which allows you to choose between the local server or a remote server.

OpenDS Control Panel, connection dialogOpenDS Control Panel new connection dialog

Once you’ve selected the server to administer, you will see the usual Control Panel window with its left action bar and information on the right.

OpenDS Control Panel remote server view

You can change server while the Control Panel is running. It’s in the File menu, when you are on the Main window of the Control Panel.

OpenDS Control Panel, Changing Server to Administer
OpenDS Control Panel, Changing Server to Administer

There is very little difference between managing a local server and managing a remote server.

One thing you will notice when administering a remote server is that you can’t stop or restart it. Also, you cannot use the Control Panel to configure the Java properties of a remote server. That’s it.

The Control Panel cannot be installed as a standalone tool, it’s a part of the OpenDS server installation, and it can only manage one server at a time, local or remote. But the ability to manage remote servers will reduce the need to logon to each host and run the Control Panel on each instance either physically or using a remote display, simplifying the task of the directory administrators.

If you want to check this capability, you can download and install one of the recent OpenDS daily builds, or wait for next promoted build (2.1.0-build001).

Technorati Tags: , , , ,

OpenDS 2.0 on Mac OS X with the latest JVM…

LudoLeave a comment

Opends2 PictoMacOSX 10.5.7There is an issue in the start and stop scripts that is preventing OpenDS 2.0 to be installed via Java Web Start on Mac OS X 10.5 with the latest version of the JVM (Update 4 a.k.a 1.6.0_13). I’ve discovered the problem at the same time we were releasing OpenDS 2.0.0 release candidate 4 which was planned to be the last release candidate. So the fix is not the release but has been committed to the trunk.

The issue is that the new JVM does use a larger default minimal heap size and reject any calls with -Xmx if the maximum heap size is smaller than its internal default (around 30MB).

Still OpenDS 2.0 can be installed on Mac OS X and used with the latest JVM, by downloading the Zip file, unzipping it and doing minor edition in the start-ds and stop-ds scripts.

$ unzip ~/Desktop/OpenDS-2.0.0.zip

Archive: /Users/ludo/Desktop/OpenDS-2.0.0.zip

creating: OpenDS-2.0.0/



inflating: OpenDS-2.0.0/upgrade

$ cd OpenDS-2.0.0/bin

In the start-ds and the stop-ds scripts, replace all occurences of the string "-Xms8M -Xmx8M" with "-client"

$ cp start-ds start-ds.orig

$ sed -e "s/-Xms8M -Xmx8M/-client/g" < start-ds.orig > start-ds

$ cp stop-ds stop-ds.orig

$ sed -e "s/-Xms8M -Xmx8M/-client/g" < stop-ds.orig > stop-ds

OpenDS QuickSetup App IconYou can now run the setup program (or launch the QuickSetup application) to install and configure the OpenDS directory server.

Technorati Tags: , , , , , ,

Configuring Replication Groups: A small but important new feature of OpenDS 2.0

Ludo1 Comment

Opends2.0

I’m mostly done with the series of post concerning the new features of the latest release of OpenDS, the opensource LDAPv3 directory service. Yesterday, Mathieu, the developer behind Assured Replication, reminded me of a small but important new feature of OpenDS, in the area of replication: the ability to configure Replication Groups.

A replication group is a simple way to relate replicated OpenDS directory servers together. It’s useful when there are more than 2 replicated servers, when the replicated servers are within different data-centers or to distinguished primary servers from secondary servers.

Replications groups are identified by a group ID which is a unique number assigned to a replication domain on a directory server and to replication servers. Group IDs determine how a directory server domain connects to an available replication server. From the list of configured replication servers, a directory server first tries to connect to a replication server that has the same group ID as that of the directory server. If no replication server with a compatible group ID is available, the directory server connects to a replication server with a different group ID.

In practice, it allows to prioritize how the replication traffic is done between the servers. In the case of multiple data-centers, it’s preferable that all directory servers in a data-center are connected to replication servers in the same data-center. Only in the case of absence of a local replication server, a directory server will connect to a remote replication server.



Note that when configuring replication with OpenDS 2.0 and the dsreplication utility, both the replication server and the directory server are configured in the same process and thus the same host. It will be very rare if the replication server is not working for its directory server.



The figure below is an illustration of 2 Replication Groups, one for each data center.

OpenDS 2.0 Replication Groups with multiple data-centers

Now to configure a replication group ?

A replication group is configured on each directory server and replication server that should be part of the same group.

On the directory server, the replication group is configured per replication domain (i.e. per replicated suffix).

First identify the replication domain

$ bin/dsconfig -D “cn=directory manager” -j /tmp/passwdfile -n -s list-replication-domains –provider-name “Multimaster Synchronization”

cn=admin data (domain 29167)

cn=schema (domain 9674)

dc=example,dc=com (domain 14741)

Then set the group ID for the domain

$ bin/dsconfig -D “cn=directory manager” -j /tmp/passwdfile -n set-replication-domain-prop –provider-name “Multimaster Synchronization” –domain-name “dc=example,dc=com (domain 14741)” –advanced –set group-id:5

For the replication server

$ bin/dsconfig -D “cn=directory manager” -j /tmp/passwdfile -n set-replication-server-prop –provider-name “Multimaster Synchronization” –advanced –set group-id:5

Repeat this to the other directory servers and replication servers that should be part of the same group.

Note that there is a group by default with the group ID 1.

Configuring replication groups have some impact when using Assured Replication, since Assured Replication only works within a single group. So groups can be used to limit the impact of network latency when using Assured Replication, or to constrain the changes to be more consistent in a single data-center.

You can find more information about replication groups in the Replication Architecture reference manual and in the Replication section of the Administration Guide.

Technorati Tags: , , , , ,