Tuesday Nov 17, 2009

OpenDS 2.2.0 Release Candidate 3 is now available

The OpenDS development team is very pleased to announce the immediate availability of OpenDS 2.2.0-RC3.

OpenDS 2.2 offers the following new features from OpenDS 2.0 :

  • Scalable import and indexing
  • External changelog compliant with the Internet-Draft "Definition of an Object Class to Hold LDAP Change Records", draft-good-ldap-changelog-04.txt
  • Fractional replication
  • Extensible matching rules for time-based attributes
  • Support for custom syntaxes based on substitution, regular expressions or enumeration
  • Remote server management in control panel
  • Recurrent tasks in control Panel
  • Default automatic Backup in the control panel
  • Separation of LDAP Servers and Replication Servers for replication
  • Ability to merge disjoint replication topologies
  • Dsconfig script friendly mode

The purpose of the Release Candidate is to solicit one last round of testing before the final release. So please test the OpenDS release with your client applications, in your environment or on your favorite platform.

If you do find a bug, please report it with Issue Tracker.

We welcome feedback. Please report your experience with OpenDS on our mailing lists, or on the #opends IRC channel on Freenode.

OpenDS 2.2.0-RC3 is built from revision 6147 of the b2.2 branch of the source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.2.0-RC3/OpenDS-2.2.0-RC3.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.2.0-RC3/OpenDS-2.2.0-RC3-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.2.0-RC3/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.2.0-RC3, including the detailed change log.

Major changes incorporated since OpenDS 2.2.0-RC2 include:

  • Revision 6100 (Issue #4337) - Resolves an issue in which importing large LDIF files would consume a lot of disk space
  • Revision 6102 (Issue #4298) - Fixes a problem with Replication changelog that could grow out of bound
  • Revisions 6108, 6123 (Issue #4283) - Resolves an issue in the Control Panel when adding operational attributes to an entry
  • Revision 6109 (Issue #4292) - Changes the Control Panel to abandon the systematic use of the ManageDSAIT Control
  • Revision 6111 (Issue #4264) - Fixes an issue in the Control Panel when doing multiple modifications on a single entry
  • Revision 6113 (Issue #4302) - Fixes unexpected errors in the Control Panel Manage Entries screen with concurrent searches
  • Revision 6117 (Issue #4322) - Provides a way in the Control Panel to rebuild all indexes
  • Revision 6118 (Issue #4328) - Resolves an issue where the Control Panel would freeze on Ubuntu
  • Revision 6119 (Issue #4332) - Resolves an issue on Windows with installation path names containing spaces
  • Revision 6120 (Issue #4269) - Fixes a problem with the External Changelog changenumber not being reset when the database was re-initialized
  • Revision 6122 (Issue #4296) - Publishes External Changelog base DN in the root DSE entry
  • Revision 6126 (Issue #4350) - Changes the way replication domain names are created with the dsreplication utility
  • Revision 6129, 6147 (Issue #4336) - Changes the Control Panel to provide the ability to refresh the suffix and entries in the Manage Entries window
  • Revision 6131 (Issue #4335) - Fixes the way scrolling works in the Control Panel
  • Revision 6134 (Issue #4293) - Resolves issues when verifying newly created indexes
  • Revision 6138 (Issue #4338) - Changes the default Global Access Controls to provide better secure-by-default permissions for users to update their own entry


Friday Nov 13, 2009

OpenDS in Polish

Pavel Heimlich just announced today, on the project users mailing list, that the OpenDS project is now (partly) localized in Polish. The translation of the messages for the command line tools has been contributed by 2 members of the Polish OpenDS community: Bartłomiej Pelc and Marek Roszkowski. Many thanks from the development team to both of you.

This is the 6th localization of OpenDS to ship. Other languages are still work in progress: Italian, Serbian, Portuguese, Korean... If you want to contribute, it's easy: join the project as a Contributor, and create your account on the Community Translation Interface. The project is currently named OpenDS 2.3easy (it's a subset of the whole set of OpenDS messages, leaving out the server error messages).

The Polish translation files are available in the latest daily build. If you want to turn off the Polish localization or try some other language, check the tip for enabling / disabling a specific language. If you find any problem with the translations, please let us know. You can either file an issue in the Issue Tracker, or send an email to the localization and internationalization mailing list: g11n (at) opends.dev.java.net.


Tuesday Nov 10, 2009

OpenDS Silent install

One of the things we're the most proud of in the OpenDS project is the simplicity of installation and initial configuration, thanks to the Java Web Start QuickSetup installer. We say that you can download, install and configure OpenDS to run on your machine in less than 3 minutes and 6 clicks.
But OpenDS can also be downloaded as a Zip and installed with the setup program, which can be run either graphically or from the command line, and even in silent mode.
The OpenDS community is often full of resources, and Lucas Rockwell pointed me to his script for downloading and installing OpenDS automatically. I've taken the liberty to improve his idea and show it here:

#!/bin/sh
# Stop at the first failing step, so a failed download or unzip does not
# leave a half-installed server behind
set -e

# This is the OpenDS version number to install
VER=2.2.0-RC2

# Download with curl or wget, uncomment the preferred download method
curl -O http://www.opends.org/promoted-builds/${VER}/OpenDS-${VER}.zip
# wget -nd http://www.opends.org/promoted-builds/${VER}/OpenDS-${VER}.zip

unzip OpenDS-${VER}.zip

cd OpenDS-${VER}/

# Some possible option changes:
# Replace -d 20 (generate sample data with 20 entries) with -a (create
# top entry) or -l <ldifFile> (load data from the LDIF file)
# Change -w "secret12" to -j /tmp/me/passwordfile to avoid a hardcoded
# cleartext password
# Add -O to avoid starting the server after install
# Add -Q for a quiet install
# ./setup --help for more information on options
./setup --cli -n -b "dc=example,dc=com" -d 20 -p 1389 \
--adminConnectorPort 4444 -D "cn=Directory Manager" \
-w "secret12" -q -Z 1636 --generateSelfSignedCertificate

As you can see, it's really trivial, and it does the work in anywhere from a few seconds to a few minutes depending on the speed of your internet connection.
The script can be downloaded here.
Have fun !


Friday Oct 23, 2009

What's new in Sun Directory Server Enterprise Edition 7 ?

Did you attend the event I talked about last week ? Remember, it was a webinar about Sun DSEE 7 and Role Manager 5.
Well, if you could not attend the webinar, you can watch it now, or download the video. The slides are also available.
Enjoy.


Tuesday Oct 20, 2009

Enumeration based attributes in LDAP

Yesterday I explained how to restrict LDAP attribute values using regular expression based syntaxes with the OpenDS directory server. There is another use case for restricting attribute values: when there is an enumerated list of possible values. It's possible to define a finite list of values as a regular expression, but as we wanted to be able to provide additional capabilities, we added to OpenDS the ability to define enumeration based syntaxes, and we implemented it as a syntax definition extension as well.

Here's an example using an enumeration syntax for the day of the week. Let's first define and load the syntax in the OpenDS directory server's schema:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=schema
changetype: modify
add: ldapsyntaxes
ldapSyntaxes: ( 1.3.6.1.4.1.32473.4 DESC 'Day Of The Week'
  X-ENUM ( 'monday' 'tuesday' 'wednesday' 'thursday'
  'friday' 'saturday' 'sunday' ) )

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

Let's use the syntax in an attribute, itself used in an object class:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.32473.5 NAME 'test-attr-enum'
  SYNTAX 1.3.6.1.4.1.32473.4 )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.32473.6 NAME 'testOCenum' SUP top
  AUXILIARY MUST test-attr-enum)
-

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

Let's create a test entry :

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=TestEntry,dc=example,dc=com
changetype: add
sn: TestEntry
cn: TestEntry
objectclass: Person

Processing ADD request for cn=TestEntry,dc=example,dc=com
ADD operation successful for DN cn=TestEntry,dc=example,dc=com
^D

And now, let's make use of the newly created schema objects with that test entry :

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=TestEntry,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: testOCenum
-
add: test-attr-enum
test-attr-enum: monday

Processing MODIFY request for cn=TestEntry,dc=example,dc=com
MODIFY operation successful for DN cn=TestEntry,dc=example,dc=com
^D

But if the value isn't part of the enumeration, it gets rejected :

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':

dn: cn=TestEntry,dc=example,dc=com
changetype: modify
replace: test-attr-enum
test-attr-enum: Lundi

Processing MODIFY request for cn=TestEntry,dc=example,dc=com
MODIFY operation failed
Result Code: 21 (Invalid Attribute Syntax)
Additional Information: When attempting to modify entry cn=TestEntry,dc=example,dc=com to replace the set of values for attribute test-attr-enum, value "Lundi" was found to be invalid according to the associated syntax: The provided value "Lundi" cannot be parsed because it is not allowed by enumeration syntax with OID "1.3.6.1.4.1.32473.4"
$

The enumeration syntaxes, like the regular expression ones, match like a DirectoryString, that is, equality matching uses the CaseIgnoreMatch rule:

$ bin/ldapsearch -p 1389 -D cn=directory\ manager -w secret12 \
-b "dc=example,dc=com" '(test-attr-enum=Monday)'

dn: cn=TestEntry,dc=example,dc=com
objectClass: Person
objectClass: top
objectClass: testOCenum
test-attr-enum: monday
cn: TestEntry
sn: TestEntry

But the biggest advantage of the enumeration syntax is the ability to use an ordering match, which is not based on string comparison but on the position of the enumerated values in the syntax definition. So "Monday" is lower than "Tuesday", which is lower than "Wednesday"...

$ bin/ldapsearch -p 1389 -D cn=directory\ manager -w secret12 \
-b "dc=example,dc=com" '(test-attr-enum<=Thursday)'

dn: cn=TestEntry,dc=example,dc=com
objectClass: Person
objectClass: top
objectClass: testOCenum
test-attr-enum: monday
cn: TestEntry
sn: TestEntry

I hope you will find this useful and make use of these syntaxes. To do so, you need to download and install OpenDS 2.2 Release Candidate 1 (or higher).
And if you have additional requirements with syntaxes, I'd be happy to hear about them.


Monday Oct 19, 2009

Regular Expression based attributes in LDAP

One of the questions I get asked frequently when discussing custom schema and attributes with customers or coworkers is how to restrict the values that can be set on an attribute. From a pure LDAP standard point of view, you would need to define a new syntax and describe the valid values. Then you would need to check with the directory server's vendor, or discuss with the open source developers, to get the syntax implemented in the server, either in the core product or as a plug-in extension. In the end, the easy choice is to use a standard syntax (like DirectoryString) and let all client applications validate the values.

In OpenDS, we've chosen another option. We have added support for regular expression based syntaxes, and implemented this as a syntax definition extension.

So in order to define, for example, an attribute whose values must be in the form of host:port, you simply need to define a new syntax for it with the regular expression pattern and load it in the server's schema:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=schema
changetype: modify
add: ldapsyntaxes
ldapSyntaxes: ( 1.3.6.1.4.1.32473.1
  DESC 'Host and Port in the format of HOST:PORT'
  X-PATTERN '^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$' )

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

And then you can make use of the newly defined syntax in attributes.

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.32473.2 NAME 'test-attr-regex' SYNTAX 1.3.6.1.4.1.32473.1 )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.32473.3 NAME 'testOCregex' SUP top AUXILIARY MUST test-attr-regex)
-

Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
^D

Let's create a test entry:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=TestEntry,dc=example,dc=com
changetype: add
sn: TestEntry
cn: TestEntry
objectclass: Person

Processing ADD request for cn=TestEntry,dc=example,dc=com
ADD operation successful for DN cn=TestEntry,dc=example,dc=com
^D

And now make use of this new attribute and object class. A value that matches the pattern is accepted, while one that does not is rejected by the server:

$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':

dn: cn=TestEntry,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: testOCregex
-
add: test-attr-regex
test-attr-regex: localhost:1389
-

Processing MODIFY request for cn=TestEntry,dc=example,dc=com
MODIFY operation successful for DN cn=TestEntry,dc=example,dc=com
^D
$ bin/ldapmodify -D cn=directory\ manager -p 1389
Password for user 'cn=directory manager':
dn: cn=testentry,dc=example,dc=com
changetype: modify
replace: test-attr-regex
test-attr-regex: foobar.com

Processing MODIFY request for cn=testentry,dc=example,dc=com
MODIFY operation failed
Result Code: 21 (Invalid Attribute Syntax)
Additional Information: When attempting to modify entry cn=testentry,dc=example,dc=com to replace the set of values for attribute test-attr-regex, value "foobar.com" was found to be invalid according to the associated syntax: The provided value "foobar.com" cannot be parsed as a valid regex syntax because it does not match the pattern "^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$"

It's simple and efficient. But wait there's more to come, tomorrow.
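As an added illustration that is not part of the original posts and not OpenDS code, the following Python models both kinds of custom syntax: the X-PATTERN syntax from this post and the X-ENUM syntax from the "Enumeration based attributes in LDAP" post above. It parses the two ldapSyntaxes definitions exactly as they were loaded into cn=schema, accepts and rejects the same values the server did (localhost:1389 and monday accepted, foobar.com and Lundi rejected with result code 21), and shows why the ordering match on an enumeration uses list position rather than string comparison, so that (test-attr-enum<=Thursday) matches a stored "monday". The sample entries, the check_value and evaluate_filter helpers, the single-component filter parser and the case-insensitive acceptance of enumeration values are assumptions of this model, not documented OpenDS behaviour.

```python
import re
from typing import Dict, List, Optional

# The two syntax definitions exactly as the posts load them into cn=schema
# (copied from the page; X-PATTERN and X-ENUM are OpenDS's syntax extensions).
SYNTAX_DEFS = [
    "( 1.3.6.1.4.1.32473.1 DESC 'Host and Port in the format of HOST:PORT' "
    "X-PATTERN '^[a-zA-Z][.a-zA-Z0-9-]+:[0-9]+$' )",
    "( 1.3.6.1.4.1.32473.4 DESC 'Day Of The Week' "
    "X-ENUM ( 'monday' 'tuesday' 'wednesday' 'thursday' 'friday' 'saturday' 'sunday' ) )",
]
# Attribute -> syntax OID, as declared by the posts' attributetypes definitions.
ATTR_SYNTAX = {"test-attr-regex": "1.3.6.1.4.1.32473.1",
               "test-attr-enum": "1.3.6.1.4.1.32473.4"}


class LdapSyntax:
    """One custom syntax: a regular expression (X-PATTERN) or an enumeration (X-ENUM)."""

    def __init__(self, oid: str, desc: str, pattern: Optional[str], enum: Optional[List[str]]):
        self.oid, self.desc = oid, desc
        self.pattern = re.compile(pattern) if pattern else None
        # List order is significant: the ordering match compares positions, not strings.
        self.enum = [v.lower() for v in enum] if enum else None

    def is_valid(self, value: str) -> bool:
        """Server-side value check on ADD/MODIFY; False is what yields result code 21."""
        if self.pattern is not None:
            return self.pattern.search(value) is not None
        if self.enum is not None:
            # Assumption of this model: enumeration values are accepted regardless of case,
            # in line with the CaseIgnoreMatch equality behaviour the enumeration post describes.
            return value.lower() in self.enum
        return True

    def compare(self, a: str, b: str) -> Optional[int]:
        """Ordering match for enumerations: -1, 0 or 1 by list position; None when the
        syntax has no ordering or one of the values is outside the enumeration."""
        if self.enum is None:
            return None
        try:
            ia, ib = self.enum.index(a.lower()), self.enum.index(b.lower())
        except ValueError:
            return None
        return (ia > ib) - (ia < ib)


def parse_syntax(definition: str) -> LdapSyntax:
    """Parse '( OID DESC '...' X-PATTERN '...' )' or '( OID DESC '...' X-ENUM ( ... ) )'."""
    m = re.match(r"^\(\s*([\d.]+)\s+(.*)\)\s*$", definition.strip(), re.S)
    if not m:
        raise ValueError("not a syntax definition: " + definition)
    oid, body = m.groups()
    desc = re.search(r"DESC\s+'([^']*)'", body)
    pat = re.search(r"X-PATTERN\s+'([^']*)'", body)
    enum = re.search(r"X-ENUM\s+\(([^)]*)\)", body)
    return LdapSyntax(oid, desc.group(1) if desc else "",
                      pat.group(1) if pat else None,
                      re.findall(r"'([^']*)'", enum.group(1)) if enum else None)


SCHEMA: Dict[str, LdapSyntax] = {s.oid: s for s in map(parse_syntax, SYNTAX_DEFS)}


def check_value(attr: str, value: str) -> bool:
    """Accept or reject a value for an attribute according to the attribute's syntax."""
    return SCHEMA[ATTR_SYNTAX[attr]].is_valid(value)


def evaluate_filter(entries: List[Dict[str, str]], ldap_filter: str) -> List[str]:
    """Apply one (attr=v), (attr<=v) or (attr>=v) filter and return the matching DNs.
    Equality ignores case; ordering uses enumeration position for X-ENUM syntaxes."""
    m = re.match(r"^\(([^<>=]+)(<=|>=|=)(.*)\)$", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, op, assertion = m.groups()
    syntax = SCHEMA[ATTR_SYNTAX[attr]]
    hits = []
    for entry in entries:
        stored = entry.get(attr)
        if stored is None:
            continue
        if op == "=":
            match = stored.lower() == assertion.lower()
        else:
            cmp = syntax.compare(stored, assertion)
            match = cmp is not None and (cmp <= 0 if op == "<=" else cmp >= 0)
        if match:
            hits.append(entry["dn"])
    return hits


# Constructed sample entries: the posts' TestEntry plus a second entry for contrast.
ENTRIES = [
    {"dn": "cn=TestEntry,dc=example,dc=com", "test-attr-enum": "monday",
     "test-attr-regex": "localhost:1389"},
    {"dn": "cn=Other,dc=example,dc=com", "test-attr-enum": "friday"},
]

if __name__ == "__main__":
    for attr, value in [("test-attr-regex", "localhost:1389"), ("test-attr-regex", "foobar.com"),
                        ("test-attr-enum", "monday"), ("test-attr-enum", "Lundi")]:
        print(attr, repr(value), "accepted" if check_value(attr, value) else "rejected (21)")
    print(evaluate_filter(ENTRIES, "(test-attr-enum=Monday)"))
    print(evaluate_filter(ENTRIES, "(test-attr-enum<=Thursday)"))
```

The point worth keeping from the model is the one the two posts make: once the syntax lives in the schema, the server is the single place where the value check happens, so every client (ldapmodify, the Control Panel, an application) gets the same result code 21 for a bad value, and the ordering filter on an enumeration behaves the same way regardless of how each client would have sorted the strings.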


Friday Oct 16, 2009

A Must Event : "What's new in DSEE 7 and Role Manager 5" webinar !

On Wednesday October 21, 2009 at 8:00am PST, Nick Wooler, product manager for Directory Services, and Neil Ghandi, Role Manager Technical Product Manager will be giving an overview of some of the great features that exist in the new releases of Sun Directory Server Enterprise Edition and Sun Role Manager.
Here are a few highlights:

What's New with Directory Server EE 7.0

  • Boosts speed and performance: DSEE 7.0 has been optimized to improve performance of some operations by more than 3x the current version. In addition, this release provides hardware optimization with up to 60% improvement in authentications and modifications.
  • Reduces Total Cost of Ownership – Reduce cost by using the only solution in the market that provides customers with a directory server, virtual directory, proxy server, web console and Active Directory synchronization tool-kit under a single license.
  • Hassle Free Upgrade – DSEE 7.0 provides a simple upgrade path and provides 5x performance improvement in data import times, thereby reducing migration costs.

What's New with Role Manager 5.0

  • 360 Degree View of Assigned Access – A unified view of data related to user access that empowers reviewers to make more intelligent decisions concerning users access.
  • Closed-loop Remediation – A complete end-to-end solution for reviewing user access and removing inappropriately assigned access.
  • Rule Life-cycle Management – The first solution for managing the complete life-cycle of role assignment and SoD audit rules.

Register now for the webinar and you will learn more about the releases and what business problems they solve in your enterprise.


Webinar
Improve Compliance, Access Controls, and Performance with Sun's Latest Releases of Role Manager and DSEE
Wednesday October 21, 2009
10:00am PDT / 1:00pm EDT / 19:00 CET
One Hour


Thursday Oct 15, 2009

Tip on OpenDS localization and error messages...

The OpenDS LDAP directory server is localized by default in many different languages, thanks to our community.
All messages (well, we try) from the client tools, command line or graphical, are translated into Chinese (Simplified and Traditional), German, French, Japanese, Korean and Spanish (and soon Polish). But the server error messages are also localized, and the OpenDS directory server picks up the current locale of the process owner to decide which language to print them in.
Not everyone wants the server error messages in their own language, especially in distributed or international teams. There is a way to make sure the server always uses English for its messages, regardless of who starts it, and it's very simple (thanks to Josu for reminding me how to do it ;) ):

Edit the java.properties file (from the config/ directory) and append the following to the start-ds.java-args line:

-Duser.language=en -Duser.country=US

Example:

start-ds.java-args=-server -Xms128m -Xmx256m -Duser.language=en -Duser.country=US

Now run the dsjavaproperties command and restart the server.

Et voila ! All in English.


Tuesday Oct 13, 2009

OpenDS 2.2.0 Release Candidate 1 is now available

The OpenDS development team is very pleased to announce the immediate availability of OpenDS 2.2.0-RC1, which is the first release candidate for OpenDS 2.2.

OpenDS 2.2 offers the following new features from OpenDS 2.0 :

  • Scalable import and indexing
  • External changelog compliant with the Internet-Draft "Definition of an Object Class to Hold LDAP Change Records", draft-good-ldap-changelog-04.txt
  • Fractional replication
  • Extensible matching rules for time-based attributes
  • Support for custom syntaxes based on substitution, regular expressions or enumeration
  • Remote server management in control panel
  • Recurrent tasks in control Panel
  • Default automatic Backup in the control panel
  • Separation of LDAP Servers and Replication Servers for replication
  • Ability to merge disjoint replication topologies
  • Dsconfig script friendly mode

We've also captured a first snapshot of the OpenDS 2.2 documentation and hosted it on its own wiki: https://docs.opends.org/2.2/. The documentation is not complete yet, but should be by about the time we do the final release of OpenDS 2.2.

The purpose of the Release Candidate is to solicit one last round of testing before the final release. So please test the OpenDS release with your client applications, in your environment or on your favorite platform.

If you do find a bug, please report it with Issue Tracker.

We welcome feedback. Please report your experience with OpenDS on our mailing lists, or on the #opends IRC channel on Freenode.

OpenDS 2.2.0-RC1 is built from revision 5941 of our source tree.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.2.0-RC1/OpenDS-2.2.0-RC1.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.2.0-RC1/OpenDS-2.2.0-RC1-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.2.0-RC1/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.2.0-RC1, including the detailed change log.

Major changes incorporated since OpenDS 2.1.0-build002 include:

  • Revisions 5870, 5888 (Issue #4181) - Resolves a Null pointer exception in DSML Gateway with specific substring search filters
  • Revision 5871 (Issue #4217) - Fixes an issue with ACI containing parenthesis in the description field
  • Revision 5874 - Improves the rebuild-index processing for performances
  • Revision 5880 (Issue #4252) - Fixes a replication issue between OpenDS 2.1/2.2 and OpenDS 2.0
  • Revision 5883 (Issue #4203) - Fixes an issue where restore -l (list the available backups) would exit with return code 1
  • Revision 5926 (Issue #4257) - Fixes an error raised when deleting recurrent tasks


Monday Oct 05, 2009

Directory "Engineering"

Arnaud, a co-worker from the Sun directory engineering team, has taken the term "Directory Engineering" to a new level. Arnaud has always been a doer, someone who starts playing with things, investigates, tests, benchmarks... Recently, he's been deploying OpenDS on the Amazon cloud, configuring a Sun workstation running OpenSolaris with 4 displays in Xinerama mode, and much more...

But in the past few weeks, Arnaud started to play with hardware devices like the USB Bit Whacker, a few lines of code, his favorite server product, and finally built this:

OpenDS Weather Station

The OpenDS Weather Station provides a dashboard of the important metrics from an OpenDS server, showing at a glance how loaded the server is.
Arnaud already has 3 Stations on order (I and other members of our team want one for demo purposes), but I'm not sure he's ready to accept orders from other people and turn this into another business :)
Anyway, this is a nice little engineering project!


Wednesday Sep 30, 2009

OpenDS 2.1.0-build002 is now available

We have just uploaded OpenDS 2.1.0-build002, built from revision 5868 of our source tree, to our promoted builds folder.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.1.0-build002/OpenDS-2.1.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.1.0-build002/OpenDS-2.1.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.1.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.1.0-build002, including the detailed change log.

Major changes incorporated since OpenDS 2.1.0-build001 include:

  • Multiple fixes to the new Import code and new Public ChangeLog feature.
  • Revision 5783 (Issue #4171) - Fixes a hang in replica initialization when the replication servers are unreachable.
  • Revision 5804 - Performance and scalability improvements with monitoring.
  • Revision 5842 (Issue #4194) - Resolves an issue where objectclasses would disappear when modified.
  • Revision 5843 - Upgrade the underlying Berkeley DB JE to version 3.3.87.
  • Revision 5847 (Issue #4164) - Fixes a decoding problem.
  • Revision 5848 (Issue #4229) - Resolves an issue where the connection handler thread hangs, creating a potential DoS condition.
  • Revision 5849 (Issue #4226) - Improves the PartialDateOrTime matching rule to match on time as well as date.
  • Revision 5854 (Issue #4240) - Resolves an issue in the Control-Panel when displaying attributes with a syntax that has no name.
  • Revisions 5863, 5867 (Issue #4117) - Resolves an issue with the MODDN operation that could impact the ability to export and reimport from LDIF.
  • Revision 5865 (Issue #4060) - Prevents a new server process from starting while the OpenDS server is shutting down. Also preserves the server.pid when an in-core restart is performed.


Tuesday Sep 29, 2009

LDAPCon 2009 summary

On Sunday September 20th and Monday 21st, I attended the 2nd LDAP International Conference, aka LDAPCon 2009, in Portland OR, USA.
The attendance was lower than expected initially but included most of the LDAP open source projects (Apache Directory, LSC Project, OpenDS, OpenLDAP) as well as directory server vendors (Apple, Isode, Sun, Symas, UnboundID) and some users of the technology.

All the slides for the presentations are now available, as well as the articles submitted for participation.

On Sunday, the conference was inaugurated by Mike Schwartz from GLUU, a Texas based start-up. GLUU intends to provide identity federation and single sign-on as a service and makes intensive use of LDAP technologies: directory servers, directory proxy servers, virtual directories and DSML gateways for provisioning.

Stefan Seelman described the Apache Directory project and its toolchain, from the excellent Apache Directory Studio (if you don't know the Studio yet, go get it!) to its embedded directory server. Stefan demonstrated how to use Studio to create a staged directory server, and then roll out the changes into the production one.

Later in the day, Emmanuel Lecharny explained how Apache Directory Server supports RFC 4533 to allow synchronization between an OpenLDAP server and the Apache Directory Server. As of today, Apache Directory Server only supports the consumer side of the protocol, so it can act as a replica of an OpenLDAP master. Building the supplier side is next on their roadmap, but it's more complex, and then trying to do multi-master replication will require implementing conflict resolution procedures that have to be exactly identical to the OpenLDAP ones. Based on our experience with Sun Directory Server and OpenDS, this will be the trickiest part. I got questioned on when OpenDS or Sun Directory Server will support this RFC. Honestly, this is not on our roadmap, and we would be happy to add it if the community needs it and is willing to contribute. But today we already have a working multi-master replication feature that is much more scalable and powerful than what RFC 4533 allows to build.

Jonathan Clarke talked about the LDAP Synchronization Connector, an open source project building synchronization tools between LDAP and other data sources such as RDBMSs, flat files or other directories. LSC is written in Java and is already in production in a few French companies.

Terry Neely then presented how to do physical access control with LDAP: an interesting story about how to design the schema and leverage replication to distribute access control information related to doors and buildings, with the OpenLDAP server running on embedded hardware with a 4GB compact flash!

Howard Chu, Chief Architect for OpenLDAP, and I did a joint presentation on how to store LDAP data in MySQL Cluster, and we described the architecture of our respective implementations: the OpenLDAP back-ndb and OpenDS ndb backends. Andrew Morgan from the MySQL Cluster team helped us describe MySQL Cluster. The question of having an in-memory distributed backend for an LDAP server still raises a lot of questions and eyeballs, but people are starting to understand the value of scaling and getting simultaneous access to the data via LDAP, SQL or direct APIs.

Kurt Zeilenga presented his work in the Isode directory to provide security label based authorization. Security label based authorization is another flavor of authorization, in addition to identity based and role based authorization. The idea is to grant permission to access data based on the label presented by the authenticated user and the label of the data to be accessed. With a lot of users in the directory and many security levels (there can be up to 256 levels), this kind of authorization system scales better than access controls. The Isode implementation has security labels at the entry level (not attribute level). Clearance for a user is derived from an attribute in the user entry, from the user certificate in the directory, or directly from the authentication level. While the presentation was mostly an overview of security labels and how they could be used in the context of a directory service, I found the presentation quite interesting, as I've been asked a couple of times to add security label awareness to Sun Directory Server, especially in the context of Solaris Trusted Extensions.

We ended day one with an open panel discussion with the various directory projects and vendors. After briefly discussing areas where progress is to be made (see Mathias' summary for details), we looked at the LDAP community and tried to find ideas to increase it or make it more active. One area we (Sun) have been active in is education. For the last couple of years, we've been involved in giving LDAP trainings in universities, or helping teachers with projects involving LDAP instead of RDBMSs. Another area is client APIs and code examples. The work that we're doing with the Apache Directory team is a good step. It was also quite interesting that Howard Chu came to me in the after hours and discussed Java for servers. Obviously, getting fresh blood into projects is getting harder with C based projects than Java based projects, as most students are no longer learning C programming but Java programming (and other modern languages).

On Monday September 21st, the day started with an analyst's view of the LDAP directory landscape. Felix Gaehtgens, analyst and partner at Kuppinger Cole, talked about the various segments of the directory market and the third generation of LDAP directory products that have emerged in the last couple of years.

Kurt Zeilenga gave a status update on LDAP standardization efforts, occurring at the IETF and at ISO/IEC. The hottest topic is the password policy, which is evolving in both standards bodies. Howard Chu and I have published an update to the Password Policy for LDAP internet-draft. We intend to post additional changes and get it through to RFC status in the coming months.
Other topics being worked on through the IETF are the LDAP Transaction draft, currently under editors' review, the LDAP schema for NIS (RFC 2307bis), the schema for vCard, and schemas for Kerberos and for NFS v4.
Kurt suggested that there is still some work to be done at the IETF on the LDAP front, but that it would be better conducted through a working group. He also encouraged people to join the standardization effort and bring some new blood to it, saying that he would be happy to participate in, but not lead, a new working group. He suggested a list of topics that could be covered by the working group:

  • Chaining Operations
  • Access Controls based on X.500 model
  • LDIF update
  • Complex Transactions
  • Schema versioning and management
  • Password Policies
  • ...

The next 3 presentations were about APIs for LDAP Java developers. Emmanuel Lecharny and I described the work we've done in the last few months collaborating on a common LDAP API for the Java platform, and we discussed what is required to move this work to standardization. Our presentation was mostly a list of areas of work and a call for participation in that effort. We've moved our discussion to the Apache Directory API public mailing list (api (a) directory (dot) apache (dot) org).
Right after, Neil Wilson, chief architect at UnboundID, showed some slick slides about UnboundID's products, focusing mainly on their new LDAP client Java SDK and demonstrating its use on the Android platform. The UnboundID SDK is already available, as opposed to the Apache Directory or OpenDS ones. But it would definitely need to be polished and cleaned up so that it could be used by our project for our needs, i.e. using the same SDK for both the server and the client tools.
Following these 2 SDK presentations, Stefan Seelman demonstrated how to leverage the DataNucleus project, and more specifically its LDAP support, through the standard JDO interface.

Howard Chu gave an overview of the new overlays developed in OpenLDAP related to user authentication and authorization. Based on the work from nss-ldapd, the nssov overlay provides integration with the NSS and PAM stacks. Another interesting module is an integrated certification authority overlay, where user certificates and keys are generated magically based on the query filters. While this looks smart, it raises a lot of questions with regard to the security levels associated with generating and using certificates over LDAP, and its current implementation (only search parameters are used to generate the certificate) messes a lot with the semantics of searches. Both Kurt and I think it should be implemented as an extended operation, or at least as a search control.

Last but not least, I closed LDAPCon with my presentation on the innovations that have been made in the OpenDS project. My presentation was organized in two parts: innovations that directory administrators benefit from, like the Assured Multi-Master replication model and the scheduled and recurrent tasks, and innovations for developers, basically new LDAP syntaxes and matching rules to ease application development. You can find the details in the slides or in the paper that I wrote for the conference.

Overall, this conference was really good for us, for meeting some of the OpenDS community members as well as for raising awareness of what we've been doing in the last couple of years. I really enjoyed the discussions with all attendees, the beers in the evening and the fun of trying to connect the iPhone LDAP clients to the OpenLDAP server running on Howard's G1 phone.


All photos that I took during the conference are publicly available, and free to use for non-commercial purposes.


Monday Sep 14, 2009

Jack and Pat on OpenSSO and OpenDS...

Pat Patterson reminded me of a conversation he had at OSCON 2009 with Jack Adams about OpenSSO. Luckily, the discussion was captured on video.
During the conversation, they talk about OpenDS as well. Thanks for the plug, Pat!

Friday Sep 11, 2009

OpenDS 2.1.0-build001 is now available

We have just uploaded OpenDS 2.1.0-build001, built from revision 5775 of our source tree, to our promoted builds folder. This is the first development build past 2.0, on the path to the 2.2 release planned for October 2009.

In addition to many corrections, the build includes the following new features:

  • Scalable import
  • External changelog compliant with the Internet-Draft "Definition of an Object Class to Hold LDAP Change Records", draft-good-ldap-changelog-04.txt
  • Fractional replication
  • Extensible matching rules for time-based attributes
  • Support for custom syntaxes based on substitution, regular expressions or enumeration
  • Remote server management in the Control Panel
  • Recurrent tasks in the Control Panel
  • Default automatic backup in the Control Panel
  • Separation of LDAP servers and replication servers for replication
  • Ability to merge disjoint replication topologies
  • dsconfig script-friendly mode
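The external changelog in the list above publishes every change as a changeLogEntry (the Internet-Draft places them under cn=changelog) carrying changeNumber, targetDN, changeType and a changes attribute that holds the LDIF of the modification itself. Since that LDIF contains full attribute values, password hashes included, the changelog is both a useful audit feed and a sensitive one. The following Python script is an added example, not code from OpenDS or from this blog: it parses such records from LDIF output and flags password changes and membership changes on privileged groups. The sample records, the privileged-group DN and the attribute lists are constructed assumptions for the example, and ds-privilege-name is an OpenDS-specific attribute.

```python
"""Audit LDAP changelog entries for security-sensitive changes. Added example,
not OpenDS code: it parses changeLogEntry records (draft-good-ldap-changelog:
changeNumber, targetDN, changeType, changes) read from cn=changelog as LDIF."""
import base64

# Assumptions for this example: privileged group DNs, membership attributes,
# and sensitive attributes (ds-privilege-name is OpenDS-specific).
PRIVILEGED_GROUPS = {"cn=directory administrators,ou=groups,dc=example,dc=com"}
MEMBERSHIP_ATTRS = {"member", "uniquemember"}
SENSITIVE_ATTRS = {"userpassword", "ds-privilege-name"}

def _entry(number, target, change_type, changes_ldif):
    """Render one constructed changeLogEntry; 'changes' is base64 ('::') as emitted."""
    b64 = base64.b64encode(changes_ldif.encode()).decode()
    return (f"dn: changeNumber={number},cn=changelog\nobjectClass: top\n"
            f"objectClass: changeLogEntry\nchangeNumber: {number}\n"
            f"targetDN: {target}\nchangeType: {change_type}\nchanges:: {b64}\n")

# Constructed sample (not captured from a real server).
SAMPLE_CHANGELOG = "\n".join([
    _entry(1, "uid=jdoe,ou=People,dc=example,dc=com", "add",
           "objectClass: inetOrgPerson\nuid: jdoe\ncn: John Doe\nsn: Doe\n"),
    _entry(2, "uid=jdoe,ou=People,dc=example,dc=com", "modify",
           "replace: userPassword\nuserPassword: {SSHA}c29tZS1oYXNo\n-\n"),
    _entry(3, "cn=Directory Administrators,ou=Groups,dc=example,dc=com", "modify",
           "add: uniqueMember\nuniqueMember: uid=jdoe,ou=People,dc=example,dc=com\n-\n"),
])

def _split_attr(line):
    """Split 'name: value' or 'name:: base64' into (name, decoded value)."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if value.startswith(":"):
        return name, base64.b64decode(value[1:].strip()).decode()
    return name, value.strip()

def parse_ldif(text):
    """Parse LDIF records into dicts {lowercased attribute: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:     # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:                 # sentinel flushes the last record
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
        elif not line.startswith("#"):
            name, value = _split_attr(line)
            entry.setdefault(name.lower(), []).append(value)
    return entries

def parse_modify_changes(changes):
    """Parse a modify record's 'changes' value into (op, attr, values) tuples."""
    mods, op, attr, values = [], None, None, []
    for line in changes.splitlines():
        if line == "-":                          # separates modifications
            if op is not None:
                mods.append((op, attr, values))
            op, attr, values = None, None, []
        elif op is None:
            op, attr = _split_attr(line)         # e.g. 'replace: userPassword'
        else:
            values.append(_split_attr(line)[1])
    if op is not None:                           # tolerate a missing trailing '-'
        mods.append((op, attr, values))
    return mods

def audit(entries):
    """Return (changeNumber, targetDN, reason) for each sensitive change."""
    alerts = []
    for e in entries:
        if "changelogentry" not in {o.lower() for o in e.get("objectclass", [])}:
            continue
        number, target = int(e["changenumber"][0]), e["targetdn"][0]
        kind = e["changetype"][0].lower()
        if kind == "delete" and target.lower() in PRIVILEGED_GROUPS:
            alerts.append((number, target, "privileged group deleted"))
        if kind != "modify" or "changes" not in e:
            continue
        for op, attr, values in parse_modify_changes(e["changes"][0]):
            if attr.lower() in SENSITIVE_ATTRS:
                # Report the attribute only: the changelog carries the new
                # password hash, which must not be copied into alerts.
                alerts.append((number, target, f"{op} {attr}"))
            elif attr.lower() in MEMBERSHIP_ATTRS and target.lower() in PRIVILEGED_GROUPS:
                alerts.append((number, target, f"{op} {attr}: {', '.join(values)}"))
    return alerts

if __name__ == "__main__":
    for number, target, reason in audit(parse_ldif(SAMPLE_CHANGELOG)):
        print(f"changeNumber={number} {target}: {reason}")
```

Run as-is, it reports the password reset (change 2) and the addition to the administrators group (change 3) from the sample; fed the LDIF output of a search under the server's changelog base, it gives a basic detection feed. Whatever consumes the changelog should be the only identity allowed to read it: anyone who can search cn=changelog can read every userPassword value that was ever set through it.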

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.1.0-build001/OpenDS-2.1.0-build001.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.1.0-build001/OpenDS-2.1.0-build001-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.1.0-build001/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.1.0-build001, including the detailed change log.


Wednesday Sep 09, 2009

Another new feature in OpenDS Control Panel

OpenDS 2.0 has been out for a couple of months now, but the development team has kept up the pace of development.

Besides its ability to manage remote OpenDS servers, the Control Panel has been enhanced to support the Recurrent Tasks introduced in the OpenDS 2.0 server, and both Export LDIF and Backup can be scheduled to happen at a later time or on a regular basis.

OpenDS control panel Backup screen

Notice the "Change" button in the Backup Options.

OpenDS Control Panel, Choice for scheduling a backup

You can then choose the proper kind of scheduling and tune it very simply as illustrated below.

OpenDS Control Panel, scheduling a weekly backup
OpenDS Control Panel, scheduling a backup with cron-like notation


About

This is the blog of a senior software engineer specializing in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photos.
