Friday Sep 14, 2007

OpenDS 1.0.0-build005 is now available

I have just uploaded OpenDS 1.0.0-build005, built from revision 3056 of our source tree, to our weekly builds folder. The direct link to download the core server is https://opends.dev.java.net/files/documents/4926/68459/OpenDS-1.0.0-build005.zip. The direct link to download the DSML gateway is https://opends.dev.java.net/files/documents/4926/68461/OpenDS-1.0.0-build005-DSML.war.

I have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://builds.opends.org/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

NOTE: Even though it is displayed as an option in the QuickSetup installer, we do not support upgrading from previous OpenDS builds to the 1.0.0-build005 release. There are some changes in this release that are not backward compatible with the configuration used by previous releases, and these changes may cause the upgrade process to fail.


Detailed information about this build is available at http://builds.opends.org/weekly-builds/1.0.0-build005/. Some of the changes that have been incorporated since OpenDS 1.0.0-build004 include:
  • Revision 2796 (Issue #2030) -- Update the filesystem entry cache to provide the ability to use a compact entry encoding.

  • Revision 2804 (Issues #2104, 2162) -- Update a number of the command-line utilities so that they operate in interactive mode rather than non-interactive mode by default.

  • Revision 2806 -- Update the account status notification handler API so that it is possible to provide additional properties along with the notification. This makes it possible to develop account status notification handlers that can act more intelligently and/or provide more useful information.

  • Revision 2811 (Issue #2097) -- Fix a problem in which total update initialization can fail to send a message to the replication cache.

  • Revision 2820 (Issues #43, 72) -- Implement support for the numSubordinates and hasSubordinates virtual attributes. Also, provide a new dbtest tool, which can be used to perform low-level debugging for the backends using the Berkeley DB Java Edition.

  • Revision 2824 (Issue #581) -- Provide an SMTP account status notification handler that can be used to send e-mail messages whenever an account status notification is generated. The notification message can be sent to the user that is the target of the notification and/or a specified set of administrators. The messages that will be sent are generated based on user-editable templates.

  • Revision 2843 (Issue #1831) -- Implement complete support for an interactive mode for dscfg. The tool now provides a menu-driven interface for examining and updating the server configuration.

  • Revision 2856 -- Update the CreateRCScript tool so that it provides the ability to specify the user that the server should run as, and also lets the user specify the JAVA_HOME and JAVA_ARGS settings that should be used. Also, update the start-ds and stop-ds commands to support a "--quiet" argument, which causes them to not generate any output. This mode will be used when starting and stopping the server through the generated RC script.

  • Revision 2877 -- Fix a memory leak that can occur when a backend based on the Berkeley DB Java Edition is disabled.

  • Revision 2879 (Issue #2180) -- Fix a problem in the JE backend in which contention on an index key might cause that key to contain an incomplete or incorrect value.

  • Revision 2882 (Issue #2205) -- Fix a problem that caused replication to behave incorrectly when a replicated change included an attribute type that was not defined in the schema of the target server.

  • Revision 2889 (Issue #2158) -- Add support for storing compressed schema representations in the JE backend and re-enable the compact entry encoding by default.

  • Revision 2894 -- Add a number of new configuration definitions for objects that were previously using "generic" definitions. This will help make it much easier for users to create new instances of these kinds of configuration objects.

  • Revision 2899 -- Add new directory environment properties that can be used to indicate whether the server should maintain a configuration archive, and if so the maximum number of archived configurations that should be maintained.

  • Revision 2900 (Issue #1945) -- Update the server so that it has the ability to save a copy of its current configuration into a ".startok" file whenever it starts successfully. Also, expose an option in the start-ds script and in the directory environment configuration that provides the ability to start the server using the "last known good" configuration rather than the current configuration.

  • Revision 2904 (Issues #1481, 2031) -- Add the ability to set any Berkeley DB JE property in the server configuration, for both backends based on the Berkeley DB Java Edition and the filesystem entry cache.

  • Revision 2913 (Issue #257) -- Implement support for a plugin that can be used to maintain referential integrity within the server. Whenever an entry is deleted or renamed, then any references to that entry in a specified set of attributes will be removed or renamed accordingly.

  • Revision 2921 -- Update the LDAP connection handler to explicitly close the selector when it is disabled or the server is shut down to prevent problems with being unable to re-bind to that port when the server is restarted.

  • Revision 2926 (Issue #139) -- Implement support for a maximum blocked write time limit in the LDAP connection handler. If an attempt to write data to the client is stalled for too long, then the client connection will be terminated.

  • Revision 2932 (Issue #261) -- Implement support for a 7-bit clean plugin, which can be used to ensure that the values of a specified set of attributes will only be allowed to contain ASCII characters.

  • Revision 2933 (Issue #2218) -- Update the LDIFPluginResult object to provide a mechanism that can be used to indicate why an entry should not be imported/exported.

  • Revision 2935 (Issue #1830) -- Implement support for secure communication in the dsconfig utility.

  • Revision 2950 (Issue #2216) -- Implement support for an LDIF connection handler, which may be configured to watch for new LDIF files to be created in a specified directory and have changes defined in those files automatically applied in the server through internal operations.

  • Revision 2955 (Issue #2181) -- Implement support for delete and modify operations in the task backend.

  • Revision 2961 -- Update a number of command-line tools that can be used to perform operations either directly against a backend or through the task backend so that if a port number and/or bind DN are provided, then the tool will default to using the tasks interface.

  • Revision 2966 -- Implement support for encryption and authentication when using replication.

  • Revision 2974 (Issue #2155) -- Update the server configuration so that a password storage scheme is referenced by its DN rather than the storage scheme name.

  • Revision 2986 -- Update the replication changelog database so that it implements the backend API. This provides the ability to backup and restore the changelog database, and provides a groundwork for future LDAP access to the changelog contents.

  • Revision 2998 (Issue #1594) -- Provide the ability to expose a monitor entry for the server entry cache.

  • Revision 2999 (Issue #2057) -- Update the server to provide a basic framework to control when plugins will be invoked. In particular, this adds the ability to indicate whether a plugin should be invoked for internal operations, and it also adds the ability to have plugins that are notified whenever changes are applied through synchronization. The unique attribute plugin has been updated so that it can detect uniqueness conflicts introduced through synchronization and generate an alert to notify administrators of the problem.

  • Revision 3006 -- Make a number of minor changes to improve server performance.

  • Revision 3008 -- Update the server configuration handler to fix a problem in which some change listeners may not be notified when the associated entry is updated.

  • Revision 3024 -- Make a number of additional changes to improve server performance.

  • Revision 3031 (Issues #1335, 1336, 1878, 2201, 2250) -- Provide new utilities that can be used to configure the server to participate in a replication environment.

  • Revision 3033 -- Upgrade the Berkeley DB Java Edition library to version 3.2.44.

  • Revision 3044 -- Make a couple of minor changes to improve server performance.

  • Revision 3048 -- Add a new tool that may be used to manage tasks defined in the server.

  • Revision 3051 (Issue #2059) -- Display SHA-1 and MD5 digests of a certificate fingerprint instead of the complete certificate when prompting the user about whether the certificate should be trusted in the status panel.

  • Revision 3054 -- Update the server so that it is possible to call EmbeddedUtils.startServer after having previously called EmbeddedUtils.stopServer. Previously, the server shutdown process did not leave the server in a sufficient state to allow it to be restarted in the same JVM.

Tuesday Sep 04, 2007

Configuring OpenDS with dsconfig -- part 2

Several weeks ago, I wrote about the dsconfig tool that can be used to help manage the OpenDS configuration. It provides a convenient way to view and edit the server configuration, and it can be very helpful in writing administrative scripts, much like the dscfg tool does in DSEE 6.

Honestly, though, I think that it's time to come clean about something: whenever I'm configuring DSEE 6, I rarely use the dscfg tool. I think the main reason for this is that I got so used to managing the server with ldapmodify over the years with the 3.x, 4.x, and 5.x versions that it's always been just as easy for me to use ldapmodify (since I know all of the configuration entry DNs and attribute names by heart) than to try to remember all of the command line arguments to make dscfg do what I want.

Until very recently, I had fallen into the same trap with the OpenDS dsconfig tool. However, last week Matt Swift updated the dsconfig tool to provide a new interactive mode that takes all the effort out of it. The interactive mode isn't suitable for use in writing scripts that automate config changes, but the non-interactive mode is still available for that. However, if you just want to make a configuration change to the server (or even if you just want to see what is available to be configured) then I think that you'll like the new interactive mode.

To start it up in interactive mode, simply invoke the dsconfig tool with no arguments. For example, on a UNIX-based system, you can just use:
bin/dsconfig
The tool will then prompt you for information about how to connect to the server, and then it will present you with a menu of options. You can use this interactive mode to view information about the current configuration, edit or remove existing configuration objects, or create new configuration objects (basically, all of the same things that you can do with the non-interactive mode, but without the need to remember any subcommand, argument, or property names).

As an example, here's the output from a session that I used to edit the default password policy in order to configure passwords to expire after 90 days. I've formatted the output so that the stuff I typed is bold and underlined and the output from the tool is in italics:
$ bin/dsconfig


>>>> Specify OpenDS LDAP connection parameters

Directory server hostname or IP address [localhost]: 127.0.0.1

Directory server port number [389]: 389

Administrator user bind DN [cn=directory manager]: cn=Directory Manager

Password for user 'cn=directory manager': password


>>>> OpenDS configuration console main menu

What do you want to configure?

    1)   Access Control Handler               20)  Matching Rule
    2)   Account Status Notification Handler  21)  Monitor Provider
    3)   Alert Handler                        22)  Multimaster Domain
    4)   Attribute Syntax                     23)  Password Generator
    5)   Backend                              24)  Password Policy
    6)   Certificate Mapper                   25)  Password Storage Scheme
    7)   Connection Handler                   26)  Password Validator
    8)   Crypto Manager                       27)  Plugin
    9)   Debug Target                         28)  Plugin Root
    10)  Entry Cache                          29)  Replication Server
    11)  Extended Operation Handler           30)  Root DN
    12)  Global Configuration                 31)  Root DSE Backend
    13)  Group Implementation                 32)  SASL Mechanism Handler
    14)  Identity Mapper                      33)  Synchronization Provider
    15)  JE Index                             34)  Trust Manager
    16)  Key Manager                          35)  Virtual Attribute
    17)  Log Publisher                        36)  VLV JE Index
    18)  Log Retention Policy                 37)  Work Queue
    19)  Log Rotation Policy

    q)   quit

Enter choice: 24


>>>> Password Policy management menu

What would you like to do?

    1)  List existing Password Policies
    2)  Create a new Password Policy
    3)  View and edit an existing Password Policy
    4)  Delete an existing Password Policy

    b)  back
    q)  quit

Enter choice [b]: 3


>>>> Select the Password Policy from the following list:

    1)  Default Password Policy
    2)  Root Password Policy

    c)  cancel
    q)  quit

Enter choice [c]: 1


>>>> Configure the properties of the Password Policy

         Property                                   Value(s)
    ---------------------------------------------------------------------------
    1)   account-status-notification-handler-dn     -
    2)   allow-expired-password-changes             false
    3)   allow-multiple-password-values             false
    4)   allow-pre-encoded-passwords                false
    5)   allow-user-password-changes                true
    6)   default-password-storage-scheme            SSHA
    7)   deprecated-password-storage-scheme         -
    8)   expire-passwords-without-warning           false
    9)   force-change-on-add                        false
    10)  force-change-on-reset                      false
    11)  grace-login-count                          0
    12)  idle-lockout-interval                      0 s
    13)  last-login-time-attribute                  -
    14)  last-login-time-format                     -
    15)  lockout-duration                           0 s
    16)  lockout-failure-count                      0
    17)  lockout-failure-expiration-interval        0 s
    18)  maximum-password-age                       0 s
    19)  maximum-password-reset-age                 0 s
    20)  minimum-password-age                       0 s
    21)  password-attribute                         userpassword
    22)  password-change-requires-current-password  false
    23)  password-expiration-warning-interval       5 d
    24)  password-generator-dn                      "cn=Random Password
                                                    Generator,cn=Password
                                                    Generators,cn=config"
    25)  password-history-count                     0
    26)  password-history-duration                  0 s
    27)  password-validator-dn                      -
    28)  previous-last-login-time-format            -
    29)  require-change-by-time                     -
    30)  require-secure-authentication              false
    31)  require-secure-password-changes            false
    32)  skip-validation-for-administrators         false
    33)  state-update-failure-policy                reactive

    ?)   help
    f)   finish - apply any changes to the Password Policy
    c)   cancel
    q)   quit

Enter choice [f]: 18


>>>> Configuring the "maximum-password-age" property

    Specifies the maximum length of time that a user may continue using the
    same password before it must be changed.

    Specifies the maximum length of time that a user may continue using the
    same password before it must be changed (i.e., the password expiration
    interval). The value of this attribute should be an integer followed by a
    unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds will
    disable password expiration. Changes to this configuration attribute will
    take effect immediately.

    Syntax: DURATION (s)

Do you want to modify the "maximum-password-age" property?

    1)  Keep the default value: 0 s
    2)  Change the value

    ?)  help
    q)  quit

Enter choice [1]: 2


Enter a value for the "maximum-password-age" property [continue]: 90 days

Press RETURN to continue


>>>> Configure the properties of the Password Policy

         Property                                   Value(s)
    ---------------------------------------------------------------------------
    1)   account-status-notification-handler-dn     -
    2)   allow-expired-password-changes             false
    3)   allow-multiple-password-values             false
    4)   allow-pre-encoded-passwords                false
    5)   allow-user-password-changes                true
    6)   default-password-storage-scheme            SSHA
    7)   deprecated-password-storage-scheme         -
    8)   expire-passwords-without-warning           false
    9)   force-change-on-add                        false
    10)  force-change-on-reset                      false
    11)  grace-login-count                          0
    12)  idle-lockout-interval                      0 s
    13)  last-login-time-attribute                  -
    14)  last-login-time-format                     -
    15)  lockout-duration                           0 s
    16)  lockout-failure-count                      0
    17)  lockout-failure-expiration-interval        0 s
    18)  maximum-password-age                       12 w 6 d
    19)  maximum-password-reset-age                 0 s
    20)  minimum-password-age                       0 s
    21)  password-attribute                         userpassword
    22)  password-change-requires-current-password  false
    23)  password-expiration-warning-interval       5 d
    24)  password-generator-dn                      "cn=Random Password
                                                    Generator,cn=Password
                                                    Generators,cn=config"
    25)  password-history-count                     0
    26)  password-history-duration                  0 s
    27)  password-validator-dn                      -
    28)  previous-last-login-time-format            -
    29)  require-change-by-time                     -
    30)  require-secure-authentication              false
    31)  require-secure-password-changes            false
    32)  skip-validation-for-administrators         false
    33)  state-update-failure-policy                reactive

    ?)   help
    f)   finish - apply any changes to the Password Policy
    c)   cancel
    q)   quit

Enter choice [f]: f
The Password Policy was modified successfully

Press RETURN to continue


>>>> Password Policy management menu

What would you like to do?

    1)  List existing Password Policies
    2)  Create a new Password Policy
    3)  View and edit an existing Password Policy
    4)  Delete an existing Password Policy

    b)  back
    q)  quit

Enter choice [b]: q
$

As I mentioned above, this was just integrated last week, so it will be in our next build (build005, which will hopefully be available at the end of this week). If you want to try it out before then, then feel free to check out and build the server for yourself.
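
As an added example (not part of the original post and not OpenDS code), this Python sketch parses the property table that dsconfig prints in the session above, rejoins wrapped values, converts a displayed duration such as "12 w 6 d" back to seconds, and lists settings worth a second look. The baseline in audit() and the m/h unit letters are assumptions; the sample rows are copied from the session.

```python
import re

# Constructed sample: rows copied from the property table shown after the
# change in the session above, including the wrapped password-generator-dn.
SAMPLE = """\
    16)  lockout-failure-count                      0
    18)  maximum-password-age                       12 w 6 d
    24)  password-generator-dn                      "cn=Random Password
                                                    Generator,cn=Password
                                                    Generators,cn=config"
    27)  password-validator-dn                      -
    30)  require-secure-authentication              false
    31)  require-secure-password-changes            false

    f)   finish - apply any changes to the Password Policy
"""

ROW = re.compile(r"^\s*\d+\)\s+([a-z][a-z0-9-]*)\s+(\S.*?)\s*$")
# s, d and w appear in the session; m and h are assumed from the help text.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_properties(text):
    """Map property name -> value; '-' (unset) becomes None."""
    props, last, name_col = {}, None, 0
    for line in text.splitlines():
        row = ROW.match(line)
        indent = len(line) - len(line.lstrip())
        if row:
            last, name_col = row.group(1), row.start(1)
            props[last] = row.group(2)
        elif last and line.strip() and indent > name_col:
            props[last] += " " + line.strip()  # wrapped value continues
        else:
            last = None  # menu line, table header or blank line
    return {k: None if v == "-" else v.strip('"') for k, v in props.items()}

def duration_seconds(value):
    """Convert a displayed duration such as '12 w 6 d' to seconds."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s*([smhdw])", value))

def audit(props):
    """Return findings against a hypothetical baseline (not an OpenDS default)."""
    findings = []
    if duration_seconds(props.get("maximum-password-age") or "0 s") == 0:
        findings.append("maximum-password-age: expiration disabled")
    if props.get("lockout-failure-count") == "0":
        findings.append("lockout-failure-count: 0")
    for flag in ("require-secure-authentication",
                 "require-secure-password-changes"):
        if props.get(flag) == "false":
            findings.append(flag + ": false")
    if props.get("password-validator-dn") is None:
        findings.append("password-validator-dn: unset")
    return findings

if __name__ == "__main__":
    policy = parse_properties(SAMPLE)
    print(duration_seconds(policy["maximum-password-age"]), audit(policy))
```

The value entered as "90 days" is displayed as "12 w 6 d"; both normalize to 7776000 seconds, which is what a script comparing policies across servers should compare.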

About

cn_equals_directory_manager
