Migrating from SunDSEE to OpenDJ

Sun DSEE 7.0 DVDAs the legacy Sun product has reached its end of life, many companies are looking at migrating from Sun Directory Server Enterprise Edition [SunDSEE] to ForgeRock Directory Services, built on the OpenDJ project.

Several of our existing customers have already done this migration, whether in house or with the help of partners. Some even did the migration in 2 weeks. In every case, the migration was smooth and easy. Regularly, I’m asked if we have a detailed migration guide and if we can recommend tools to keep the 2 services running side by side, synchronized, until all apps are moved to the ForgeRock Directory Services deployment.

My colleague Wajih, long time directory expert, has just published an article on ForgeRock.org wikis that described in details how to do DSEE to OpenDJ system to system synchronization using ForgeRock Identity Management product.

If you are planning a migration, check it out. It is that simple !



  • Update on June 8th to add link to A Global Bank case study.

Another nice ForgeRock event

Yesterday, on the side of the JavaOne and OOW conferences, we had an executive round table with selected partners, customers and future customers. The event started with a 30 minutes speech by Scott McNealy, Sun founder and former CEO, also active supporter of ForgeRock.

Scott touched on the values and benefits of open source software, gave a top 12 reasons why you know your Identity and Access Management solution is not open source and talked briefly about his new company Wayin.

Mike Wilson, VP and CISO at McKesson, presented how McKesson has started to use ForgeRock Open Identity Stack for several projects and the benefits of our solution.

Thanks Scott, Mike and all for your participation.

Meeting ForgeRock during JavaOne / OOW

If you want to meet ForgeRock and you’re in the San Francisco bay during JavaOne and Oracle Open World, there will be several opportunities to meet some of us: our CEO, our Sales team, some of our developers or myself.

Sunday September 30th:

I will be participating in the JUG Leaders meetings and discussions as well as the GlassFish ones (when schedule allows). Later, you can find me at the GlassFish and Friends Party from 8pm to 10pm at The Thirsty Bear.

Monday October 1st:

JavaOne attendees should be able to see me during the conference. I will be part of a panel discussion on Open Source Identity and Access Management solutions, from 5:30pm to 6:15pm.

Following that, some ForgeRock employees and I will be at the 2nd Annual Solaris Family reunion from 7:00pm to 11:00pm. The event, part of the ZFS Day, is free, but please register here.


Tuesday October 2nd:

ForgeRock logoCome and meet the developers and other members of the open source projects supported by ForgeRock. We’re having a Beer Burst party from 5:00pm until 8:30pm at The House of Shields. Please register through eventbrite so that we know how many to expect.

Rest of the week…

Otherwise, throughout the week, I will be most of the time at the JavaOne conference or in the ForgeRock San Francisco offices with the local team. Please send me an email or message me on Twitter (@LudoMP) to arrange a meeting.  I will be leaving California for New York on Monday, October 8th.

I hope to see a large number of people from the OpenDJ, OpenAM or OpenIDM community, other open source projects, ex-coworkers, future customers, and friends during my stay.

About OpenDJ and Hotspot JVM G1

Duke on a bike
curtesy of Charly Hunt

Understanding and tuning the JVM is quite important to get the best performances out of OpenDJ. We do provide some high level guidance in our documentation and I’ve been talking about Java performances in the last few years at various Java User Groups in France and Switzerland (you can find presentations in French here or here) as well as at a major conference in Brazil : FISL in 2009. On this later occasion, I was asked to cover the presentation for 2 prestigious names in the Sun Hotspot JVM team : Charly Hunt and Tony Printezis. I’ve spent a few hours with them and have learnt a great deal about the internals of the Hotspot JVM and memory management, and all magic parameters, in order to deliver that presentation. At that time, our directory team was interacting a lot with the Hotspot team as we were testing a new and promising garbage collector: Garbage First aka G1. OpenDS was even wrapped and used in one of the largest collection of tests for the Sun JVM.

During the acquisition of Sun by Oracle, the future of G1 and the Hotspot JVM were unsure and our interactions with the Hotspot team diminished seriously.

At ForgeRock, we continued to pay attention to Garbage First and for a long time, we noticed that it wasn’t moving along. Most of the issues that were raised after tests with OpenDS and that were addressed in some development version of the JVM were not integrated in official JVM releases. It only with the Oracle JVM 1.7 update 2 that we noticed the large list of issues fixed with G1. We’ve then resumed testing OpenDJ with G1 to see that while the promise of no full GC seems to be addressed, the performance impact of G1 is still significantly high. With our limited tests of JVM under 4GB of heap size, we noticed a 10% performance degradation over CMS, corresponding with an approximate 10% increase of CPU load (on a quad core machine with hyperthreading on), but with better overall response times for OpenDJ as the maximum response time decreased from 200ms to 80ms, as illustrated below.

LDAP Modrate with Garbage First
 Throughput     Response Time 
 (ops/second)   (milliseconds) 
recent average  recent average 99.9% 99.99% 99.999% err/sec Entries/Srch
16196.7 16374.1  1.972 1.951  18.886 28.129 66.933  0.0
16468.8 16374.9  1.941 1.951  18.883 28.087 66.521  0.0

LDAP Modrate with CMS
 Throughput     Response Time 
 (ops/second)   (milliseconds) 
recent average  recent average 99.9% 99.99% 99.999% err/sec Entries/Srch
17937.1 17487.7  1.780 1.827  18.175 30.521 116.990 0.0
17783.7 17494.3  1.796 1.826  18.145 30.320 117.017 0.0

We need to run more tests with OpenDJ and G1, especially with very large heaps (from 4 to 32GB), but we’re not sure whether G1 will be able to deliver the performances it promised.

And today I noticed on LinkedIn that both Charly Hunt and Tony Printezis, the 2 main engineers behind the HotSpot JVM and Garbage First, had left Oracle for new adventures. Charly’s gone to  SalesForce and Tony to Adobe. This is certainly a good move for both of them, but it leaves me worried about the future of the Hotspot JVM and its ability to deliver innovation in GCs.

[Update on May 6th]

It appears that more engineers of the Sun JVM team have actually left in the last couple of months : John Pampuch, Igor Veresov, Paul Hohensee..

A timeline of LDAP directory services…

Bill Nelson,  has published the “The Most Complete History of Directory Services You Will Ever Find” (until the next one comes along), a detailed history of LDAP based directory services and products. Expect a few updates as people find about this and ask for adding new data points. But this is the most complete summary I’m aware of. I had a timeline of Sun directory products a few years ago, but Bill’s has more details.

His post includes a visual timeline of the directory service products and their heritage, linked here under, for your convenience.

Click on the picture for a full size image.

Personally, I’ve been involved with the Sun and derived lines since 1996, and now drive the ForgeRock one: OpenDJ !

blogs.sun.com/Ludo : 404 !

It looks like Oracle has put another dent in Sun blogging platform. First, when they moved blogs.sun.com content to Oracle’s platform, they got rid of my blog design, breaking some of the layout, but more importantly removing the Creative Common license notice that I had explicitly used.

A few days ago, someone asked me if Oracle thought that my 6 years of blogging at Sun were not worth the storage, as he hit a 404 while trying to access my blog at blogs.sun.com/Ludo/. I checked, and it appears Oracle has made some changes and the redirection is broken. The blog and posts are still on Oracle platform, and you may search for them.

But when I moved out of Oracle, I had archived and restored all of my posts here at ludpoitou.wordpress.com. You can search through it, or use the Calendar to go back in time and retrieve those old posts (some of which still have value for anyone who has some interest in LDAP).

Time to update the old bookmarks ?!