Monday Mar 15, 2010

Subversion authorization through LDAP with OpenDS

If you are building a centralized development environment for a team or a large group of users, the question of centralizing user identities, authentication and authorization always comes up, and the answer is often to use an LDAP directory server. The developer section of the OpenDS documentation wiki has a set of tutorials for using the OpenDS LDAP directory server with various web servers and open source projects like GlassFish, Apache Tomcat, SugarCRM... But not yet for Subversion. Thankfully, Wooter van Reeven, Senior Consultant at Yenlo, has just published a long and detailed tutorial for setting up Subversion authentication and authorization through LDAP, with OpenDS and Apache2.

Update on March 18th.

Wooter has also posted a copy of the article on OpenDS documentation wiki.

I've also been aware of an older article on the subject of Subversion with Apache and LDAP by Jeremy Whitlock, engineer in the CollabNet Subversion team. This article contains more details on the Apache configuration parameters and snippets for both Apache 2.0 and Apache 2.2.


Wednesday Mar 10, 2010

OpenDS Tab Sweep

It's been a while since I last posted an OpenDS tab sweep. So here's a list of news and pointers related to our open source LDAP directory server.

PCQuest Top Story this month is about the Top 10 Enterprise Open Source Apps, which include OpenDS and an article on Managing Identities with OpenDS.

The OpenDS project is starting to demonstrate its maturity. Several startups and software companies are now officially supporting OpenDS.

iConcur Software delivers the new Axiom, a requirements management tool that integrates by default with OpenDS.

Bonitasoft, the leader in open source Business Process Management (BPM) and a Grenoble based company, uses OpenDS for testing its support of LDAP repositories and praises it to its own customers, for its ease of use. Ask @rodrigue !

Symeos, another high profile French startup is building its Symeos Appliance Framework on open source projects including GlassFish, OpenSSO and OpenDS.

Janua, a French IT services company specialized in identity projects has included OpenDS in its product offering and has just launched a new site for its LDAPTools.

Sopera, a German company building open source SOA, is integrating OpenDS in its development tools and offering, as shown on the screenshot below (courtesy of SpringSource).

SOPERA ASF ToolSuite partial screenshot

Also in the recent days a couple of new LDAP browsers appeared.

Finally, in an introductory article titled Microsoft Azure for the Dummies, Ernest regrets the lack of flexibility in the PaaS plans from Microsoft and suggests the Java-based OpenDS directory server as a good alternative for running your own LDAP service on MS infrastructure.


Monday Feb 15, 2010

Directory Service Performance Optimization Strategy: Data Priming

Directory servers usually run for long periods of time and have stable performance once all caches are warmed by the traffic. But how do you get optimum performance as fast as possible right after starting the server? Brad Diggs has published Directory Data Priming Strategies, another blog post added to the series of articles on Sun (now Oracle) Directory Server Enterprise Edition 7, ZFS and Flash Technologies.


Monday Feb 08, 2010

The basics of Flash Memory

These days, everybody gets excited about Solid State Disks, flash memory and the performance improvements they have over other mass storage solutions.

We've been running some benchmarks of Sun Oracle Directory Server 7.0 leveraging new Sun flash based hardware modules. Before we go into details about their benefits, my colleague Brad Diggs posted a very educational article on the basics of Flash Memory to set a common understanding of the technology.

Read on and get ready for more data points on how ZFS and Flash Memory can improve Directory Server performances and scalability.


Friday Feb 05, 2010

Oracle and Sun Directory Services...

Mark Wilcox, principal product manager for Oracle Virtual Directory has posted an initial update with regards to Oracle and Sun directory services.
Nothing really detailed so far, but it's a good place to post your comments on the Oracle + Sun Identity Management Strategy and more specifically regarding directory services.

To me and my coworkers, the most important messages are :

We are going to continue to offer both Oracle Internet Directory AND Sun Directory Server Enterprise Edition

OpenDS will remain an open-source project

Details are still being discussed and ironed out, but I hope to be able to share them soon. Stay tuned !


Friday Jan 22, 2010

Sun Directory compresses data for better performance !

Sun Directory Server Enterprise Edition 7.0 was released last November, and in the December timeframe Brad Diggs and Wajih Ahmed, both Principal Field Technologists and big experts in Directory Services, backed by engineers from the Directory engineering team and Mr Benchmark, put the product on the test bench to evaluate its performance and scalability with Sun's new hardware and especially the new F-20 PCIe flash drives (see also what Mr Benchmark says about the F-20).

Brad's first article describes how much Directory Server 7 entry compression rocks, "extending search performance by more than 50% through increased caching potential". Brad provides details of his findings and gives the commands to run to get the benefits of DSEE 7 in your deployment.

The entry compression feature is also available in the technology that will power future versions of Sun Directory Enterprise Edition: the OpenDS project. In OpenDS, there are 2 options to reduce the size of entries stored in the database. The first one is called entry compaction, and it's enabled by default. The entry compaction feature removes all references to attribute names and replaces them with small identifiers. The second option is actual entry compression, which uses the popular ZLib algorithm. This option is not activated by default, but it's just a command away:

<OPENDS_HOME>/bin/dsconfig -X -p 4444 -h localhost -D cn=Directory\ manager \
 -w password -n set-backend-prop \
 --backend-name userRoot --set entries-compressed:true

Below is the dsconfig usage for disabling entry compaction with OpenDS:

<OPENDS_HOME>/bin/dsconfig -X -p 4444 -h localhost -D cn=directory\ manager \
 -w password -n set-backend-prop \
 --backend-name backend --set compact-encoding:false

Here's a table that compares the size of the databases of OpenDS 2.2.0 with no compact encoding, with it (default settings) and with compression enabled. The table compares the size of the entry record within the database as well as the overall size of the database, which also includes indexes (default OpenDS settings).

| Entry Count | LDIF Entry Size | Uncompacted Entry Size | Compacted Entry Size | Compressed Entry Size | Uncompacted DB Size | Compacted DB Size | Compressed DB Size |
|---|---|---|---|---|---|---|---|
| 100K | 599 b | 645 b | 481 b | 361 b | 178.8 MB | 163.20 MB | 151.65 MB |
| | | -34% | - | 25% | -9.6% | - | 7.1% |
| 1M | 603 b | 649 b | 485 b | 364 b | 1,515 MB | 1,358 MB | 1,243 MB |
| | | -34% | - | 25% | -11.5% | - | 8.5% |
| 10M | 607 b | 653 b | 490 b | 363 b | 13,973 MB | 12,416 MB | 11,188 MB |
| | | -33% | - | 26% | -12.5% | - | 9.9% |

The percentages are computed from the reference value which is the default i.e. compacted. A negative value means an increased size, a positive one means a reduced size.

The second table compares the import times for the 3 different modes for storing entries, for the 3 sample data files.

| Entry Count | Uncompacted | Compacted | Compressed |
|---|---|---|---|
| 100K | 21 s | 21 s | 22 s |
| | 1.1% | - | -3.5% |
| 1M | 106 s | 107 s | 112 s |
| | 0.5% | - | -4.9% |
| 10M | 1006 s | 1009 s | 1101 s |
| | 0.2% | - | -8.9% |

Note: in this table, negative numbers represent increase in time required to import compared to the default settings.

Enabling compression does result in smaller disk use with that sample data (fully random values), but it comes with a performance penalty, at least at import time: less than 10%, but the penalty increases with the number of entries. If you've read Brad's article on DSEE entry compression, you understand that the smaller the entries in the database, the more of them can potentially be cached in the Database Cache and the better the overall performance is. So if your entries are quite large and contain values that are strings, you should consider enabling entry compression with OpenDS.

Changing from the default mode (compacted) to uncompacted mode does not give any real advantage in performance, but does increase the disk space usage, so I do not see the value of changing these settings in OpenDS.

Anyway, the benefits of having compact entries in the database are available today with Sun Directory Server Enterprise Edition 7 and Sun OpenDS Standard Edition 2.2, and are helping customers to reduce the overall cost of ownership of the directory services.


Thursday Jan 14, 2010

Happy New Year !

Hello again after this too long break. Well, I wasn't on vacation the whole time, but I find it hard to go back into writing mood. I also got distracted by the amount of snow that we received in Grenoble's valley: yesterday there was still 30 cm of snow everywhere around my house.

Anyway, I'm back to this blogosphere, with the same hope that I will be posting more regularly than last year.

Looking back at 2009, it's been an amazing year for the OpenDS project team.

In a year, we've released 3 important versions of OpenDS, with many features and innovations:

  • In January, OpenDS 1.2 added the Control Panel, SASL security, Support for JCEKS, enhancements in Access Controls and several Solaris / OpenSolaris specific features such as IPS packages, support for SMF and RBAC, ...
  • In July, OpenDS 2.0 brought many performance improvements, several new features including Assured Replication, Recurring Tasks, Locale specific matching rules, and enhancements of the monitoring, the indexing, the ease of use, ...
  • In December, OpenDS 2.2 added support for Fractional Replication, External Changelog, some date and time based matching rules, syntaxes extensions for Enumerations and Regular Expressions, up to 8 Masters in Replication, ...

During the same period, the OpenDS Community has more than doubled, and so has the number of downloads of the OpenDS builds.

The OpenDS development continues. We have planned the release of OpenDS 2.4 in the middle of 2010. You can check the OpenDS RoadMap to see the features that are being worked on. If you're using OpenDS in production, or if you're building solutions that use the OpenDS LDAP directory server, please share your experience with the community. Send us details of your experiences or deployments. We will post them on the OpenDS wiki or Sun Adoption Stories blog.

While we're still in January, let me wish all of you a happy and prosperous New Year 2010, and a long life to the OpenDS project.


Tuesday Dec 22, 2009

OpenDS helps load testing in the cloud.

Jason Shao explains on his blog how they do load testing of their web-based portal application on Amazon EC2.

What raised my interest was that they've added the OpenDS LDAP directory server in the image, as it was faster and easier than dealing with their usual infrastructure.
This is not the first time we see customers deploying OpenDS in the cloud. As a matter of fact, I think the first in production deployment of OpenDS was on More recently, Arnaud posted an article and performance numbers on running OpenDS on Amazon EC2.

If you are building services in the cloud and need authentication, authorization or profile storage for your users, OpenDS provides a standards-based solution (LDAP) that is very easy and fast to deploy. Give it a try!


Tuesday Dec 15, 2009

OpenDS 2.2 has been released !

The OpenDS development team is very happy to announce the immediate availability of OpenDS 2.2.0.
The Sun team is also announcing the release of Sun OpenDS Standard Edition 2.2, a commercial offering based on OpenDS 2.2.0.

OpenDS is an LDAPv3 compliant directory service written entirely in Java. With less than 5 months since the availability of OpenDS 2.0, the new release brings several new features and enhancements :

  • New scalable Import and Indexing feature allows importing 10 M entries in less than half an hour
  • External Changelog is activated with Replication to search and retrieve data updates
  • Fractional Replication, to specify which attributes to include or exclude in replication
  • Extensible matching rules for date and time based attributes to define time based access control rules
  • Support for custom syntaxes based on substitutions, regular expressions or enumerations
  • Remote server management in the Control Panel
  • Improved replication management and grouping, tested with up to 8 masters
  • Recurrent Tasks in the Control Panel to automate backups
  • Dsconfig script friendly mode

OpenDS 2.2.0 is the promotion of OpenDS 2.2.0-RC4, built with revision 6181 of the b2.2 branch, to stable status.
You can download it as a Zip file or install it now with the Java WebStart Installer.

As with previous stable releases, we've taken a snapshot of the documentation wiki. Links are still being verified and some screenshots might be updated in the coming days, but the content is complete.

You can find more information about OpenDS 2.2 in the release notes. And if you're considering deploying in production and you're looking for support options, please check Sun OpenDS Standard Edition 2.2, built on the same code.

I'd like to thank all the members of the community who have helped us to make OpenDS 2.2 a better release, and especially those who helped with translations : Marek Roszkowski and Bartłomiej Pelc for the Polish translation, Christian Brennsteiner for the German one, and all those who have created issues in the Issue Tracker : crstop, robdale, ajangity, swtet2003, soonleong, stroeder, ogr. My thanks are also going to the chatters on the IRC channel that are providing enormous feedback.

New features and enhancements have already been committed on the trunk and are available for testing in daily builds. Please check the OpenDS roadmap for more details on coming features, and possibly contribute to it.


Monday Dec 07, 2009

Securing JBoss JMX console with OpenDS

Steve Millidge, founder of C2B2, has just published a nice, illustrated, step-by-step tutorial for securing the JBoss JMX console with LDAP and more specifically the OpenDS directory server. Similar steps could be used to secure all the different subsystems in JBoss, as illustrated in this already 2 years old tutorial about JBoss Portal, OpenSSO and OpenDS.


Monday Nov 30, 2009

OpenDS 2.2.0 Release Candidate 4 is now available

Last week, OpenDS 2.2.0 Release Candidate 4 was made available on our website. This new release candidate was mostly done to accommodate some late changes to messages being localized, and to give more time for testing OpenDS 2.2 and the Sun branded product based on it.

OpenDS 2.2.0-RC4 is built from revision 6147 of the b2.2 branch of the source tree.

The direct link to download the core server is:

The direct link to download the DSML gateway is:

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL, or visit for more information.

Detailed information about this build is available at, including the detailed change log

Major changes incorporated since OpenDS 2.2.0-RC3 include:

  • Revision 6150 (Issue #4355) - Fixes a caching issue with the Control Panel when aborting a search
  • Revisions 6156, 6160, 6172 (Issue #4358, #4329, #4340) - Resolve several issues with the External Change Log at initialization or shutdown
  • Revision 6181 (Issue #4325) - Resolves an issue with values of Enumeration Syntax not being case insensitive in Add or Modify operations


Tuesday Nov 17, 2009

OpenDS 2.2.0 Release Candidate 3 is now available

The OpenDS development team is very pleased to announce the immediate availability of OpenDS 2.2.0-RC3.

OpenDS 2.2 offers the following new features from OpenDS 2.0 :

  • Scalable import and indexing
  • External changelog compliant with the Internet-Draft "Definition of an Object Class to Hold LDAP Change Records", draft-good-ldap-changelog-04.txt
  • Fractional replication
  • Extensible matching rules for time-based attributes
  • Support for custom syntaxes based on substitution, regular expressions or enumeration
  • Remote server management in control panel
  • Recurrent tasks in control Panel
  • Default automatic Backup in the control panel
  • Separation of LDAP Servers and Replication Servers for replication
  • Ability to merge disjoint replication topologies
  • Dsconfig script friendly mode

The purpose of the Release Candidate is to solicit one last round of testing before the final release. So please test the OpenDS release with your client applications, in your environment or on your favorite platform.

If you do find a bug, please report it with Issue Tracker.

We welcome feedback. Please report your experience with OpenDS on our mailing lists, or on the #opends IRC channel on Freenode.

OpenDS 2.2.0-RC3 is built from revision 6147 of the b2.2 branch of the source tree.

The direct link to download the core server is:

The direct link to download the DSML gateway is:

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL, or visit for more information.

Detailed information about this build is available at, including the detailed change log

Major changes incorporated since OpenDS 2.2.0-RC2 include:

  • Revision 6100 (Issue #4337) - Resolves an issue in which importing large LDIF files would consume a lot of disk space
  • Revision 6102 (Issue #4298) - Fixes a problem with Replication changelog that could grow out of bound
  • Revisions 6108, 6123 (Issue #4283) - Resolves an issue in the Control Panel when adding operational attributes to an entry
  • Revision 6109 (Issue #4292) - Changes the Control Panel to abandon the systematic use of the ManageDSAIT Control
  • Revision 6111 (Issue #4264) - Fixes an issue in the Control Panel when doing multiple modifications on a single entry
  • Revision 6113 (Issue #4302) - Fixes unexpected errors in the Control Panel Manage Entries screen with concurrent searches
  • Revision 6117 (Issue #4322) - Provides a way in the Control Panel to rebuild all indexes
  • Revision 6118 (Issue #4328) - Resolves an issue where the Control Panel would freeze on Ubuntu
  • Revision 6119 (Issue #4332) - Resolves an issue on Windows with installation path names containing spaces
  • Revision 6120 (Issue #4269) - Fixes a problem with the External Changelog changenumber not being reset when the database was re-initialized
  • Revision 6122 (Issue #4296) - Publishes External Changelog base DN in the root DSE entry
  • Revision 6126 (Issue #4350) - Changes the way replication domain names are created with the dsreplication utility
  • Revision 6129, 6147 (Issue #4336) - Changes the Control Panel to provide the ability to refresh the suffix and entries in the Manage Entries window
  • Revision 6131 (Issue #4335) - Fixes the way scrolling works in the Control Panel
  • Revision 6134 (Issue #4293) - Resolves issues when verifying newly created indexes
  • Revision 6138 (Issue #4338) - Changes the default Global Access Controls to provide better secure by default permissions for users to update their own entry


Friday Nov 13, 2009

OpenDS in Polish

Pavel Heimlich just announced today, on the project users mailing list, that the OpenDS project is now (partly) localized in Polish. Translation of the messages for the command line tools has been contributed by 2 members of the Polish OpenDS Community: Bartłomiej Pelc and Marek Roszkowski. Many thanks from the development team to both of you.

This is the 6th localization of OpenDS that is shipping. Other languages are still work in progress: Italian, Serb, Portuguese, Korean... If you want to contribute, it's easy: join the project as a Contributor, and create your account on the Community Translation Interface. The project is currently named OpenDS 2.3easy (it's a subset of the whole OpenDS messages, leaving out the server error messages).

The Polish translation files are available in the latest daily build. If you want to turn off Polish localization or try some other language, check the tip for enabling / disabling a specific language. If you find any problem with the translations, please let us know. You can either file an issue in the Issue Tracker, or send an email on the localization and internationalization mailing list : g11n (at)


Tuesday Nov 10, 2009

OpenDS Silent install

One of the things we're the most proud of in the OpenDS project is the simplicity of installation and initial configuration, thanks to the Java Web Start QuickSetup installer. We say that you can download, install and configure OpenDS to run on your machine in less than 3 minutes and 6 clicks.
But OpenDS can also be downloaded as a Zip and installed with the setup program, which can be either graphical or command line, and can even be used in silent mode.
The OpenDS community is often full of resources, and Lucas Rockwell pointed to his script for downloading and installing OpenDS automatically. I've taken the liberty to improve his idea and show it here:


# This is the OpenDS version number to install
# (set it to the release you want to install)
VER="<version>"

# Download with curl or wget, uncomment the preferred download method
curl -O "<download-url>/${VER}/OpenDS-${VER}.zip"
# wget -nd "<download-url>/${VER}/OpenDS-${VER}.zip"

unzip OpenDS-${VER}.zip

cd OpenDS-${VER}/

# Some possible option changes:
# Replace -d 20 (generate sample data with 20 entries) with -a (create
# top entry) or -l <ldifFile> (load data from the LDIF file)
# Change -w "secret12" with -j /tmp/me/passwordfile to avoid hardcoded
# cleartext password
# Add -O to avoid starting the server after install
# Add -Q for a quiet install
# ./setup --help for more information on options
./setup --cli -n -b "dc=example,dc=com" -d 20 -p 1389 \
--adminConnectorPort 4444 -D "cn=Directory Manager" \
-w "secret12" -q -Z 1636 --generateSelfSignedCertificate

As you can see, it's really trivial, and it does the work in a few seconds to a few minutes depending on the speed of your internet connection.
The script can be downloaded here.
Have fun !
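
The script's comments suggest replacing -w with -j and a password file. The following is an added example, not part of the original script, of preparing that file so the password never appears on the command line: it is written with owner-only permissions inside a private temporary directory and checked before setup is called. The function names and the OPENDS_SETUP override are assumptions made for illustration; the setup options are the ones used in the script above.

```shell
#!/bin/sh
# Added example: silent OpenDS install using -j <passwordfile> instead of -w.

# Read one line (the password) from stdin, store it in a new file that only
# the current user can read, and print the path of that file.
make_password_file() {
    # mktemp -d creates a mode 0700 directory with an unpredictable name
    pw_dir=$(mktemp -d "${TMPDIR:-/tmp}/opends-pw.XXXXXX") || return 1
    if (
        umask 077                       # file is created as rw-------
        IFS= read -r pw || true         # accept input without trailing newline
        [ -n "$pw" ] || exit 1          # refuse an empty password
        printf '%s\n' "$pw" > "$pw_dir/pwd"
    ); then
        printf '%s\n' "$pw_dir/pwd"
    else
        rm -rf "$pw_dir"
        return 1
    fi
}

# Succeed only for a regular file (not a symlink) with no group/other bits.
password_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run setup with the same options as the script above, passing the password
# through -j. OPENDS_SETUP (hypothetical) overrides the setup path.
install_opends() {
    pw_file=$1
    if ! password_file_is_private "$pw_file"; then
        echo "refusing to use $pw_file: readable by group or others" >&2
        return 1
    fi
    "${OPENDS_SETUP:-./setup}" --cli -n -b "dc=example,dc=com" -d 20 -p 1389 \
        --adminConnectorPort 4444 -D "cn=Directory Manager" \
        -j "$pw_file" -q -Z 1636 --generateSelfSignedCertificate
}

# Only acts when called as: sh install-opends.sh --install
# (run from the unzipped OpenDS-${VER}/ directory)
if [ "${1:-}" = "--install" ]; then
    printf 'Directory Manager password: ' >&2
    stty -echo 2>/dev/null || true      # no echo when typed at a terminal
    pw_file=$(make_password_file); rc=$?
    stty echo 2>/dev/null || true
    echo >&2
    [ "$rc" -eq 0 ] || { echo "no password given" >&2; exit 1; }
    # Remove the password file whether setup succeeds or fails
    trap 'rm -rf "$(dirname "$pw_file")"' EXIT
    install_opends "$pw_file"
fi
```

The password can also be piped in from a secrets store instead of being typed, since make_password_file only reads standard input.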


Friday Oct 23, 2009

What's new in Sun Directory Server Enterprise Edition 7 ?

Did you attend the event I talked about last week ? Remember, it was a webinar about Sun DSEE 7 and Role Manager 5.
Well, if you could not attend the webinar, you can watch it now, or download the video. The slides are also available.



This is the blog of a senior software engineer, specialized in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photo

