Wednesday Oct 29, 2008

OpenDS, IPS packages and Update Center 2

The Update Center 2 project has just released a new version of the IPS packaging toolkit.

One of the nice new features of the toolkit is the set of custom Ant tasks for pkg(5), which provide an easy way to produce IPS packages, package repositories and installation images from an Ant-based build environment.

Christopher Kampmaier has updated the example use of the pkg(5) toolkit for OpenDS, demonstrating the power of these Ant tasks.

No doubt that we will be integrating the IPS factory in the OpenDS Project in the near future.

Wednesday Jul 09, 2008

Running Directory Server Console with WebLogic 10.

The Sun Directory Service Control Center is a web application that allows administrators to configure and administer all of their Sun Directory 6.x servers and Directory Proxy 6.x servers from a single place.
The Console is supported on Tomcat 5.5 and Sun Java System Application Server 8.2. In a previous blog post, I demonstrated how to deploy DSCC in GlassFish v2.

Thanks to Eric Le Ponner, architect of DSEE and lead developer for the Administration part, we can now deploy DSCC in WebLogic 10 Application Server.

This will be fully supported with Sun Directory Server Enterprise Edition 7, but here's the workaround to get it to work with Sun Java System Directory Server Enterprise Edition 6.3.

First deploy the DSCC war file on WebLogic.
Then just add the following weblogic.xml file in the WEB-INF directory, next to the web.xml file of the DSCC web application:

<?xml version="1.0" encoding="utf-8"?>
<weblogic-web-app
xmlns="http://www.bea.com/ns/weblogic/90"
xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">

<container-descriptor>
<filter-dispatched-requests-enabled>false</filter-dispatched-requests-enabled>
</container-descriptor>

</weblogic-web-app>

There you are.

For those who like the gory details: DSCC is a servlet 2.3 web application and implements a servlet filter to manage security. WebLogic 10 Application Server supports the servlet 2.4 specification by default and processes filtered requests differently. The trick is then to instruct WebLogic to do the filtering as in the servlet 2.3 specification.

Tuesday Sep 18, 2007

Directory Server 6.1 and Unix Crypt...

Sun Java System Directory Server has for many years supported hashing the userPassword attribute with the crypt(3C) algorithm.
But the crypt function has evolved from the basic standard Unix crypt algorithm (which truncates passwords to 8 characters) to support MD5, Blowfish and other stronger algorithms.
Until Directory Server 6.1, support for those algorithms was very limited: a password hashed with MD5 crypt outside DS could be used for authentication, but the server itself would never hash a password this way.

Starting with Directory Server 6.1, there is now a way to tune the CRYPT password storage plugin to specify which crypt algorithm to use, and on Solaris only, it is even possible to delegate the choice of algorithm to the OS via /etc/security/policy.conf (and its CRYPT_DEFAULT directive).

The way to configure which algorithm is used by the crypt library when hashing a userPassword to store in Directory Server is to add an argument to the "CRYPT password storage" plugin configuration entry:

# dsconf set-plugin-prop CRYPT argument:<Pattern>

where <Pattern> is one of (but not limited to):

%.2s          - Default Unix crypt algorithm (and the default when no argument is defined)
$1$%.8s       - BSD MD5
$2a$04$%.22s  - Blowfish
$md5$%.8s$    - Sun MD5

If <Pattern> maps to an algorithm that is not supported by the OS (for example $2$, an old variant of Blowfish), then a warning message is logged and the hash is computed with the default Unix algorithm.
This guarantees that the password is always hashed, even if the configured salt does not match an existing algorithm.

On Solaris only, a special value of "auto" is allowed to specify that CRYPT will use the system's default mechanism, as configured in /etc/security/policy.conf.

Notes:

  • Changing the plugin configuration requires a restart of Directory Server to be taken into account.
  • You should use this new capability carefully, especially in a heterogeneous and replicated environment where some algorithms might not be present or enabled.
  • Make sure that CRYPT is the password storage mechanism defined in the Password Policy configuration (the default is SSHA).

Example:
> dsconf set-plugin-prop -p 1389 CRYPT 'argument=$md5$%.8s$'
Enter "cn=Directory Manager" password:
Directory Server must be restarted for changes to take effect.
> dsadm restart /local/demo/ds
> dsconf get-plugin-prop -p 1389 CRYPT
Enter "cn=Directory Manager" password:
argument : $md5$%.8s$
depends-on-named :
depends-on-type :
desc : Unix crypt algorithm (CRYPT)
enabled : on
feature : crypt-password-storage-scheme
init-func : crypt_pwd_storage_scheme_init
lib-path : /opt/SUNWdsee/ds6/lib/pwdstorage-plugin.so
type : pwdstoragescheme
vendor : Sun Microsystems, Inc.
version : 6.2
>
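As an added example (not the Directory Server plugin's code), here is a small Python model of the pattern semantics above: how %.Ns fields expand into salt characters, the fallback to the default Unix algorithm for an unsupported prefix, and an audit of which storage schemes an LDIF export contains, which is the check to run before changing the pattern in a replicated, heterogeneous topology. The scheme names, the set of OS-supported schemes and the sample LDIF values are constructed for the example.

```python
# Added example, not Directory Server code: model of the CRYPT plugin "argument" pattern.
import base64
import re
import secrets
import string
import warnings

SALT_ALPHABET = string.ascii_letters + string.digits + "./"
DEFAULT_PATTERN = "%.2s"   # traditional Unix crypt, used when no argument is defined

# Salt prefixes from the patterns listed in the post, mapped to a scheme name.
SCHEMES = {"$1$": "bsd-md5", "$2a$": "blowfish", "$md5$": "sun-md5"}

_FIELD = re.compile(r"%\.(\d+)s")


def expand_pattern(pattern, salt_chars=None):
    """Replace each %.Ns field of the pattern with N salt characters.

    salt_chars is an optional fixed supply of characters (for reproducible
    tests); without it, characters are drawn with secrets.choice.
    """
    pos = 0

    def pick(match):
        nonlocal pos
        n = int(match.group(1))
        if salt_chars is None:
            return "".join(secrets.choice(SALT_ALPHABET) for _ in range(n))
        chunk = salt_chars[pos:pos + n]
        if len(chunk) < n:
            raise ValueError("not enough salt characters supplied")
        pos += n
        return chunk

    return _FIELD.sub(pick, pattern)


def scheme_of(value):
    """Name the crypt scheme of a salt or stored hash: 'traditional' for a DES
    salt without $id$ prefix, a SCHEMES name for a known prefix, or None for
    an unknown one (e.g. '$2$', an old Blowfish variant)."""
    if not value.startswith("$"):
        return "traditional"
    for prefix, name in SCHEMES.items():
        if value.startswith(prefix):
            return name
    return None


def choose_salt(pattern, os_supported, salt_chars=None):
    """Build the salt handed to crypt(3C), with the fallback the post describes:
    an unsupported scheme logs a warning and the default Unix algorithm is used,
    so the password is always hashed."""
    salt = expand_pattern(pattern, salt_chars)
    scheme = scheme_of(salt)
    if scheme is None or scheme not in os_supported:
        warnings.warn(f"crypt scheme for pattern {pattern!r} not supported by the OS; "
                      "falling back to the default Unix algorithm")
        return expand_pattern(DEFAULT_PATTERN, salt_chars), "traditional"
    return salt, scheme


def audit_userpasswords(ldif_text):
    """Count the password storage schemes in an LDIF export; every replica in a
    topology must be able to verify every scheme that shows up here."""
    counts = {}
    for line in ldif_text.splitlines():
        if line.startswith("userPassword:: "):          # base64-encoded value
            value = base64.b64decode(line[len("userPassword:: "):]).decode()
        elif line.startswith("userPassword: "):
            value = line[len("userPassword: "):]
        else:
            continue
        m = re.match(r"\{([^}]+)\}(.*)", value, re.S)
        if m is None:
            key = "cleartext"
        elif m.group(1).upper() == "CRYPT":
            key = "CRYPT/" + (scheme_of(m.group(2)) or "unknown")
        else:
            key = m.group(1).upper()
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample export; the hash values are placeholders, not real digests.
SAMPLE_LDIF = """\
dn: uid=alice,dc=example,dc=com
userPassword: {CRYPT}abPLACEHOLDER

dn: uid=bob,dc=example,dc=com
userPassword: {CRYPT}$1$abcdefgh$PLACEHOLDERHASHVALUE00

dn: uid=carol,dc=example,dc=com
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=

dn: uid=dave,dc=example,dc=com
userPassword: {CRYPT}$2$PLACEHOLDEROLDBLOWFISH
"""
```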

Thursday Sep 06, 2007

Directory Server Enterprise Edition 6.2...

DSEE 6.2 is out.
It has been released as part of Java Enterprise System 5 Update 1.

The patches are in the process of being made available through SunSolve.

Here's a quick overview of the patch numbers:

126748-02 Solaris9-sparc, Solaris10-sparc
126749-02 Solaris9-x86
126750-02 Solaris10-x86, Solaris10-AMD64
126751-02 Red Hat Enterprise Linux AS 3 UP4, Red Hat Enterprise Linux AS 4 UP2, SuSE 9UP3
126753-02 Windows 2000 AS SP4, Windows 2003 EE/SE SP2 (32&64-bits), Windows XP

The full download will soon be available from the DSEE Download page.

As Deepak already mentioned, the Documentation has been published.

DSEE 6.2 is mostly a bug-fix release that aligns with the other Java ES products and components, but it also contains one specific performance improvement.

Enjoy!

Friday Jul 20, 2007

A long awaited feature...

Directory Server Enterprise Edition 6.x is built on SleepyCat Berkeley DB for the storage of the LDAP entries and indexes...

For many years, customers have requested that we provide a way to shrink the database files, reclaiming unused pages. Well, the version of the SleepyCat BDB that we are using with DS 6.1 now has a public API that offers this capability, and we've added the feature in DSEE 6.1. There is now a new subcommand for dsadm, the offline DS management CLI: repack.
The usage is the following:

ludo:dsee63 > ds6/bin/dsadm repack --help

Usage: dsadm repack [ -b ] INSTANCE_PATH SUFFIX_DN [SUFFIX_DN ...]

Repacks existing suffix

The accepted value for OPTIONS is:

-b, --backend
                Enables to specify backend name instead of SUFFIX_DN

For global options, use dsadm --help.

INSTANCE_PATH  Path of the Directory Server instance
SUFFIX_DN      Suffix DN (Distinguished Name) to repack

For more information, see dsadm(1M).

It operates on a suffix, and all DB files for this suffix are compacted. This includes the main data file (id2entry) and all index files, but also the replication changelog file if the suffix is replicated and configured as a master or hub replica. The compaction processes up to 8 files in parallel, each in its own thread.

Because database compaction is very IO intensive and requires exclusive access to the database, the Directory Server must be stopped to run this.

The time to do the compaction varies a lot depending on the overall size of the database, the number of updates done on the data since the creation of the suffix or the last compaction, and mostly the performance of the disk subsystem. Of course, the larger the DB and the more changes, the longer it takes, but the more disk space it regains. In our experience with a database of approximately 10 million entries and many changes done since creation, the compaction process took approximately a couple of hours (on a V20z).

Definitely, database compaction is not something that you want to run in your weekly maintenance routine: the downtime of Directory Server may be too long. But if the available disk space is getting close to the low watermark, it is worth stopping the server and reclaiming some of the space before thinking of expanding the disk partition.

Below is an example of the dc=example,dc=com DB files before and after compaction, and the commands used to do the compaction: stop the server, compact, start the server.

ludo:dsee63 > ll instances/ds1/db/example/
total 3640
drwx------   2 lpoitou  icnc        1536 Jul  3 10:45 .
drwxr-xr-x   3 lpoitou  icnc         512 Jul  9 17:39 ..
-rw-------   1 lpoitou  icnc          38 Jul  3 10:45 DBVERSION
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_aci.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 17:39 example_ancestorid.db3
-rw-------   1 lpoitou  icnc      147456 Jul  9 17:39 example_cn.db3
-rw-------   1 lpoitou  icnc      122880 Jul  9 17:39 example_entrydn.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_givenName.db3
-rw-------   1 lpoitou  icnc      835584 Jul  9 17:39 example_id2entry.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_mail.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_mailAlternateAddress.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_mailHost.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_member.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_nsCalXItemId.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_nscpEntryDN.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_nsds5ReplConflict.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_nsLIProfileName.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_nsRoleDN.db3
-rw-------   1 lpoitou  icnc      131072 Jul  9 17:39 example_nsuniqueid.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_nswcalCALID.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_numsubordinates.db3
-rw-------   1 lpoitou  icnc       32768 Jul  9 17:39 example_objectclass.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_owner.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 17:39 example_parentid.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_pipstatus.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_pipuid.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_pwdaccountlockedtime.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_pwdfailuretime.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_pwdgraceusetime.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_seeAlso.db3
-rw-------   1 lpoitou  icnc      139264 Jul  9 17:39 example_sn.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_telephoneNumber.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_uid.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_uniquemember.db3

ludo:dsee63 > ds6/bin/dsadm stop /local/demo/dsee63/instances/ds1
Server stopped

ludo:dsee63 > ds6/bin/dsadm repack /local/demo/dsee63/instances/ds1 dc=example,dc=com
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example'
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', LDAP entries, size 827392 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index aci, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index ancestorid, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index ancestorid finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index aci finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index cn, size 139264 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', LDAP entries finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index cn finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index mailHost, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index mailHost finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index member, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index member finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsCalXItemId, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsCalXItemId finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nscpEntryDN, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nscpEntryDN finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsds5ReplConflict, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsds5ReplConflict finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsLIProfileName, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsLIProfileName finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsRoleDN, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsRoleDN finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsuniqueid, size 122880 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nswcalCALID, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nswcalCALID finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index nsuniqueid finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index entrydn, size 122880 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index numsubordinates, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index numsubordinates finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index entrydn finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index givenName, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index givenName finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index parentid, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index parentid finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pipstatus, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pipstatus finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pipuid, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pipuid finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pwdaccountlockedtime, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pwdaccountlockedtime finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pwdfailuretime, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pwdfailuretime finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pwdgraceusetime, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index pwdgraceusetime finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index seeAlso, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index seeAlso finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index sn, size 131072 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index uid, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index uid finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index sn finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index owner, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index owner finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index telephoneNumber, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index telephoneNumber finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index uniquemember, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index uniquemember finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index mail, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index mail finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index mailAlternateAddress, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index mailAlternateAddress finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index objectclass, size 32768 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index objectclass finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example' ended.
[10/Jul/2007:14:11:46 +0200] - Repack finished.
[10/Jul/2007:14:11:46 +0200] - Waiting for 6 database threads to stop
[10/Jul/2007:14:11:47 +0200] - All database threads now stopped

ludo:dsee63 > ll instances/ds1/db/example/
total 1000
drwx------   2 lpoitou  icnc        1536 Jul  3 10:45 .
drwxr-xr-x   3 lpoitou  icnc         512 Jul 10 14:11 ..
-rw-------   1 lpoitou  icnc          38 Jul  3 10:45 DBVERSION
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_aci.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_ancestorid.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_cn.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_entrydn.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_givenName.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_id2entry.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_mail.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_mailAlternateAddress.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_mailHost.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_member.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nsCalXItemId.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nscpEntryDN.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nsds5ReplConflict.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nsLIProfileName.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nsRoleDN.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nsuniqueid.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_nswcalCALID.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_numsubordinates.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_objectclass.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_owner.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_parentid.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_pipstatus.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_pipuid.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_pwdaccountlockedtime.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_pwdfailuretime.db3
-rw-------   1 lpoitou  icnc       16384 Jul  9 16:38 example_pwdgraceusetime.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_seeAlso.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_sn.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_telephoneNumber.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_uid.db3
-rw-------   1 lpoitou  icnc       16384 Jul 10 14:11 example_uniquemember.db3

ludo:dsee63 > ds6/bin/dsadm start /local/demo/dsee63/instances/ds1
Server started: pid=15983

ludo:dsee63 >
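As an added example (not part of dsadm), a Python parser for the log lines that dsadm repack prints, reporting how much space the compaction reclaimed per file and which files did not shrink. Start and finish lines are interleaved because files are compacted in parallel, so they are matched by backend and file name rather than by order. The embedded log is an excerpt of the output shown above.

```python
# Added example, not dsadm code: summarise "dsadm repack" output.
import re

START = re.compile(r"Repacking backend '(?P<backend>[^']+)', (?P<file>.+?), size (?P<size>\d+) bytes\.$")
END = re.compile(r"Repacking backend '(?P<backend>[^']+)', (?P<file>.+?) finished, size now (?P<size>\d+) bytes\.$")


def parse_repack_log(text):
    """Return {backend: {file: (size_before, size_after)}}.

    Repack compacts up to 8 files in parallel, so a finish line is matched to
    its start line by (backend, file), not by position in the log.
    """
    pending, result = {}, {}
    for line in text.splitlines():
        m = START.search(line)
        if m:
            pending[(m["backend"], m["file"])] = int(m["size"])
            continue
        m = END.search(line)
        if m:
            key = (m["backend"], m["file"])
            if key not in pending:
                raise ValueError(f"finish line without start line for {key}")
            result.setdefault(key[0], {})[key[1]] = (pending.pop(key), int(m["size"]))
    if pending:
        # A file that started but never finished means the repack was interrupted.
        raise ValueError(f"repack did not finish for {sorted(pending)}")
    return result


def reclaimed(result):
    """Total bytes reclaimed and the files that did not shrink (already compact)."""
    total, unchanged = 0, []
    for backend, files in result.items():
        for name, (before, after) in files.items():
            total += before - after
            if after >= before:
                unchanged.append(f"{backend}/{name}")
    return total, sorted(unchanged)


# Excerpt of the repack output shown above (timestamps and sizes as printed there).
REPACK_LOG = """\
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example'
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', LDAP entries, size 827392 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index aci, size 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index cn, size 139264 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index aci finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', LDAP entries finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index cn finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index objectclass, size 32768 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example', index objectclass finished, size now 16384 bytes.
[10/Jul/2007:14:11:46 +0200] - Repacking backend 'example' ended.
[10/Jul/2007:14:11:46 +0200] - Repack finished.
"""
```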

Friday Apr 13, 2007

Directory Server 6 and ldappasswd

Sun Java System Directory Server 6.0 now supports RFC 3062, the LDAP Password Modify Extended Operation, and a new tool is delivered as part of Directory Server Enterprise Edition 6.0 to take advantage of it: ldappasswd.

ldappasswd allows a user or an administrator to change the password of any account. Of course, by default a set of restrictions is configured to prevent malicious use of this feature.

In order to be usable by users other than administrators, the Password Modify Extended Operation requires adding a specific ACI under cn=config.

An example of ACI for the Password Modify Extended Operation is presented in the Directory Server Enterprise Edition Administration Manual.

But to allow any authenticated user to change their own password with this tool, the Directory Administrator must add the following entry and ACI, in addition to the usual ACI that allows self write on the userPassword attribute:

dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
cn: Password Modify Extended Op Access Control
aci: (targetattr != "aci";)(version 3.0; acl "Allow Password Change
Extended Op to all auth users"; allow( read , search, compare, proxy )
(userdn = "ldap:///all" and authmethod = "SSL";);)

Note that this ACI requires that ldappasswd be used with SSL (which is a good thing if you want to avoid passwords being transferred in cleartext on the network).

Now I can change my own password in LDAP with the tool:

ldappasswd -h <host> -p <port> -D "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=Com" -A -S -Z \
-P /home/ludo/security -N "LudoCert" -W keypasswd "cn=Ludo,ou=Smart Engineers,dc=Sun,dc=com"
Old Password: myOldPasswd
New Password: aNewOne
Re-enter new Password: aNewOne
ldappasswd: password successfully changed
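What the tool actually puts on the wire is the RFC 3062 PasswdModifyRequestValue, a BER SEQUENCE with the optional user identity, old and new password, carried in an LDAP ExtendedRequest whose requestName is the OID of the cn=features entry above. The following Python encoder and decoder is an added example, not ldappasswd's code; the decoder also rejects truncated input, unknown tags and trailing bytes, which is what a server-side parser of this value has to do.

```python
# Added example, not ldappasswd code: BER encoding of the RFC 3062 request value.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # same OID as the cn=features entry above

TAG_USER_IDENTITY = 0x80   # [0] context-specific, primitive
TAG_OLD_PASSWD = 0x81      # [1]
TAG_NEW_PASSWD = 0x82      # [2]
TAG_SEQUENCE = 0x30
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23] constructed


def ber_length(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None):
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }"""
    content = b""
    for tag, value in ((TAG_USER_IDENTITY, user_identity),
                       (TAG_OLD_PASSWD, old_passwd),
                       (TAG_NEW_PASSWD, new_passwd)):
        if value is not None:
            content += ber_tlv(tag, value.encode("utf-8"))
    return ber_tlv(TAG_SEQUENCE, content)


def encode_extended_request(oid, value):
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
         requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }
    (the LDAPMessage envelope with the message ID is left to the client library)."""
    return ber_tlv(TAG_EXTENDED_REQUEST,
                   ber_tlv(0x80, oid.encode("ascii")) + ber_tlv(0x81, value))


def _read_tlv(data, pos):
    """Read one tag-length-value element starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated BER element")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:end], end


def decode_passwd_modify(data):
    """Inverse of encode_passwd_modify; returns a dict of the fields present."""
    tag, content, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected a single SEQUENCE with no trailing bytes")
    names = {TAG_USER_IDENTITY: "userIdentity",
             TAG_OLD_PASSWD: "oldPasswd",
             TAG_NEW_PASSWD: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag not in names or names[tag] in fields:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        fields[names[tag]] = value.decode("utf-8")
    return fields
```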

Thursday Mar 15, 2007

Directory Server and advanced certificate management

Directory Server 6.0 introduced many changes in its administration tools: a new GUI, new CLIs such as dsconf and dsadm.

dsadm has a set of commands to do certificate management for directory server instances, such as requesting new certificates, listing certificates and adding certificates. This feature has been added in Directory Server 6 because certutil, the utility available with the NSS library, is not officially supported.

The dsadm utility does the work in most cases, but there are some known limitations, such as no support for the subjectAltName extension. For those advanced use cases, the workaround is to use certutil (at your own risk).

One big difference between dsadm and certutil is the certificate store password. By default, the password is unknown to the administrators, and managed through a file. Certutil does require the password to be known.

To change the default password and be able to use certutil, you need to launch the following command as root or the owner of the directory server instance:

>  /opt/SUNWdsee/ds6/bin/dsadm set-flags /local/demo/dstest cert-pwd-prompt=on
Choose the new certificate database password:
Confirm the new certificate database password:
Certificate database password successfully updated.

From then on, you will be able to run "certutil -d /local/demo/dstest/alias -P slapd- ..." with the appropriate options.

When you're done, you can store the password again in a text file for use by dsadm or Directory Server at restart with the following command:

>  /opt/SUNWdsee/ds6/bin/dsadm set-flags /local/demo/dstest cert-pwd-prompt=off
Enter the certificate database password:
Certificate database password has been successfully stored.

Wednesday Mar 14, 2007

Directory bigots in a lively conversation...

My boss Steve Shoaff, Director of Engineering for Directory, and Don Bowen, Distinguished Marketing Director, discuss the new release of Directory Server Enterprise Edition in a lively and passionate Identity Management Buzz podcast.

Listen to this episode of the podcast.

You will understand why I really enjoy working with these two bright guys and the rest of the team.


Tuesday Mar 13, 2007

DSEE 6.0 CLI made easier for /bin/bash users

Mark has published several posts on the new Directory Server Enterprise Edition CLI: dsadm, dsconf for Directory Server and dpadm, dpconf for Directory Proxy Server [1][2][3][4][5].

Here's a little trick to facilitate the use of the command line utilities, at least when using /bin/bash.

dsconf --help lists all available sub-commands, plus a few messages. The first command extracts the list of sub-commands and stores it in a variable (the first grep drops the option lines, which start with a dash; the second keeps only the hyphenated sub-command names).

ludo:bin > DSC=`dsconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`

Then we define the list of words to use for completion for the dsconf tool.

ludo:bin > complete -W "`echo $DSC`" dsconf

And we check that we have a proper completion wordlist for the command.

ludo:bin > complete -p dsconf
complete -W 'accord-repl-agmt change-repl-dest create-encrypted-attr
create-index create-plugin create-repl-agmt create-repl-priority
create-suffix delete-encrypted-attr delete-index delete-plugin
delete-repl-agmt delete-repl-priority delete-suffix demote-repl
disable-plugin disable-repl disable-repl-agmt enable-plugin enable-repl
enable-repl-agmt get-index-prop get-log-prop get-plugin-prop
get-repl-agmt-prop get-server-prop get-suffix-prop help-properties
init-repl-dest list-encrypted-attrs list-indexes list-plugins
list-repl-agmts list-repl-priorities list-suffixes promote-repl
pwd-compat rotate-log-now set-index-prop set-log-prop set-plugin-prop
set-repl-agmt-prop set-server-prop set-suffix-prop
show-repl-agmt-status show-task-status update-repl-dest-now' dsconf

Use is very simple: type a few characters, hit the [TAB] key, and the command will complete if possible. Hitting [TAB][TAB] will show all available possibilities.

ludo:bin > dsconf create-[TAB][TAB]
create-encrypted-attr  create-plugin          create-repl-priority
create-index           create-repl-agmt       create-suffix
ludo:bin > dsconf create-

The same commands can also work for Directory Proxy Server's tool: dpconf.

ludo:bin > DPC=`dpconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`
ludo:bin > complete -W "`echo $DPC`" dpconf
ludo:bin > complete -p dpconf
complete -W 'add-jdbc-attr add-virtual-transformation
attach-jdbc-data-source attach-ldap-data-source
create-connection-handler create-custom-search-size-limit
create-jdbc-data-source create-jdbc-data-source-pool
create-jdbc-data-view create-jdbc-object-class create-jdbc-table
create-join-data-view create-ldap-data-source
create-ldap-data-source-pool create-ldap-data-view
create-ldif-data-view create-request-filtering-policy
create-resource-limits-policy create-search-data-hiding-rule
create-user-mapping delete-connection-handler
delete-custom-search-size-limit delete-jdbc-data-source
delete-jdbc-data-source-pool delete-jdbc-data-view
delete-jdbc-object-class delete-jdbc-table delete-join-data-view
delete-ldap-data-source delete-ldap-data-source-pool
delete-ldap-data-view delete-ldif-data-view
delete-request-filtering-policy delete-resource-limits-policy
delete-search-data-hiding-rule delete-user-mapping
detach-jdbc-data-source detach-ldap-data-source get-access-log-prop
get-attached-ldap-data-source-prop get-connection-handler-prop
get-custom-search-size-limit-prop get-error-log-prop get-jdbc-attr-prop
get-jdbc-data-source-pool-prop get-jdbc-data-source-prop
get-jdbc-data-view-prop get-jdbc-object-class-prop get-jdbc-table-prop
get-join-data-view-prop get-ldap-data-source-pool-prop
get-ldap-data-source-prop get-ldap-data-view-prop
get-ldap-listener-prop get-ldaps-listener-prop get-ldif-data-view-prop
get-request-filtering-policy-prop get-resource-limits-policy-prop
get-search-data-hiding-rule-prop get-server-prop get-user-mapping-prop
get-virtual-aci-prop get-virtual-transformation-prop help-properties
list-attached-jdbc-data-sources list-attached-ldap-data-sources
list-connection-handlers list-custom-search-size-limits list-jdbc-attrs
list-jdbc-data-source-pools list-jdbc-data-sources list-jdbc-data-views
list-jdbc-object-classes list-jdbc-tables list-join-data-views
list-ldap-data-source-pools list-ldap-data-sources list-ldap-data-views
list-ldif-data-views list-request-filtering-policies
list-resource-limits-policies list-search-data-hiding-rules
list-user-mappings list-virtual-transformations remove-jdbc-attr
remove-virtual-transformation rotate-log-now set-access-log-prop
set-attached-ldap-data-source-prop set-connection-handler-prop
set-custom-search-size-limit-prop set-error-log-prop set-jdbc-attr-prop
set-jdbc-data-source-pool-prop set-jdbc-data-source-prop
set-jdbc-data-view-prop set-jdbc-object-class-prop set-jdbc-table-prop
set-join-data-view-prop set-ldap-data-source-pool-prop
set-ldap-data-source-prop set-ldap-data-view-prop
set-ldap-listener-prop set-ldaps-listener-prop set-ldif-data-view-prop
set-request-filtering-policy-prop set-resource-limits-policy-prop
set-search-data-hiding-rule-prop set-server-prop set-user-mapping-prop
set-virtual-aci-prop set-virtual-transformation-prop' dpconf
ludo:bin > dpconf set-ldap[TAB][TAB]
set-ldap-data-source-pool-prop  set-ldap-listener-prop
set-ldap-data-source-prop       set-ldaps-listener-prop
set-ldap-data-view-prop
ludo:bin > dpconf set-ldap 

Add the 4 lines below to your .bashrc to have the completion available in your shells and terminals:

DSC=`dsconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`
complete -W "`echo $DSC`" dsconf
DPC=`dpconf --help | cut -d' ' -f1 | grep -v '^-' | grep -- '-'`
complete -W "`echo $DPC`" dpconf

Of course, similar commands could be used for dsadm and dpadm as well.

Tuesday Mar 06, 2007

Directory Server 6 HA with Sun Cluster

This cookbook describes how to install Directory Server as a data service for Sun Cluster 3.1 on Solaris 9 or 10 systems, for SPARC, x86, and x64 platforms.

Monday Mar 05, 2007

DSCC - customizing and troubleshooting

Directory Service Control Center (DSCC) is the new graphical user interface to manage a complete directory service deployment. Below is a screenshot of the main panel when starting DSCC.

[Screenshot: DSCC main panel]

DSCC relies on the Solaris Web Console, which is available by default on Solaris and has been ported to the other supported platforms (HP-UX, Linux, Windows).

If you want to get a better understanding of the Web Console, want to change its default configuration or need to troubleshoot it, please refer to this document: http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5ke?a=view.

Thursday Mar 01, 2007

It's time to upgrade your Directory Service...

Sun Java System Directory Server Enterprise Edition 6.0 (DSEE) was released today along with Sun Java Enterprise System 5.

They are available for download immediately.

The DSEE 6.0 Evaluation Guide (one of the new guides in the complete documentation set) contains a quick overview of the new features, help on how to get started and much more.

You may also want to check Mark's, Jonathan's and Neil's blogs in the coming days and weeks for more information about Directory Server Enterprise Edition 6.0.

Go get our product, play with it and have fun!

[Update on March 6th] For smaller downloads than the complete Java ES 5, DSEE 6.0 and the Identity Management Suite can be downloaded from http://www.sun.com/software/swportfolio/get.jsp. Select the Identity Management Suite, and click the Get Downloads and Media button at the bottom.

Wednesday Feb 28, 2007

Directory Server Enterprise Edition 6.0 docs are live...

As Mark pointed out yesterday, the Directory Server Enterprise Edition 6.0 documentation set went live at http://docs.sun.com/coll/1224.1.

The product should be available for download very soon.

Wednesday Dec 20, 2006

Directory Services in the Telco world

Last week I was invited to a meeting with one of our customers, a wireless telecom operator and happy user of Sun Directory Server 5.2 (patch 3) with a few tens of millions of entries.

With the convergence of voice and data, the telcos are looking for ways to reduce the number of databases they have and consolidate the data in a single repository such as an LDAP-based directory service.
The discussion turned to the subject of data models, the differences between the LDAP model and the relational model, drifting to which model would be the most appropriate with regard to the Generic User Profile recommendation from the IMS specifications. Clearly the discussion was reaching the limits of my expertise (while I'm quite confident in the LDAP area, IMS is not something that I've followed), but it was very informative.

The one thing that I really found interesting in this discussion: at no time was performance mentioned. It seemed obvious to all parties that LDAP directory services (and probably more specifically our Directory Server) are capable of keeping up with the high-throughput and low-response-time requirements of network equipment.

And in fact, they really do. We will have some evidence of this with Directory Server Enterprise Edition 6.0 very soon.

Tuesday Dec 05, 2006

Is this the biggest Directory Server in production ?

Another great Sun customer story has just been published on www.sun.com.

This time it's about Sina, one of the largest Web portals and a leading online media and value-added information service provider in China, who redeployed its Sun Java System Directory Server on 12 Sun Fire T1000 servers, powered by CoolThreads.

But with over 230 million users in Sun Java System Directory Server, I believe that this is the largest Directory Server in production.

I'm amazed with what our customers are doing with our product, and I'm sure that this "record" (if it is one) will not stand long with Directory Server Enterprise Edition 6.0 coming soon, enabling new kinds of highly scalable and manageable directory services.

Addendum on Dec 20, 2006:

It seems that the current number of entries in the Directory is more around 120 million than the 230 million the article suggested. But according to one of the engineers involved in the project, the plan is to move to 600 million soon. I'm still waiting for the deployment details: size of data, partitioning and performance numbers. Maybe early next year ;-)

About

This is the blog of a senior software engineer, specialized in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photos.
