Wednesday Sep 30, 2009

OpenDS 2.1.0-build002 is now available

Opends Logo TagWe have just uploaded OpenDS 2.1.0-build002, built from revision 5868 of our source tree, to our promoted builds folder.

The direct link to download the core server is: http://www.opends.org/promoted-builds/2.1.0-build002/OpenDS-2.1.0-build002.zip

The direct link to download the DSML gateway is: http://www.opends.org/promoted-builds/2.1.0-build002/OpenDS-2.1.0-build002-DSML.war

We have also updated the archive that may be used to install OpenDS via Java Web Start. You may launch that using the URL http://www.opends.org/promoted-builds/2.1.0-build002/install/QuickSetup.jnlp, or visit https://www.opends.org/wiki/page/OverviewOfTheQuickSetupTool for more information.

Detailed information about this build is available at http://www.opends.org/promoted-builds/2.1.0-build002, including the detailed change log

Major changes incorporated since OpenDS 2.1.0-build001 include:

  • Multiple fixes to the new Import code and new Public ChangeLog feature.
  • Revision 5783 (Issue #4171) - Fixes a hang in replica initialization when the replication servers are unreachable.
  • Revision 5804 - Performance and scalability improvements with monitoring.
  • Revision 5842 (Issue #4194) - Resolves an issue where objectclasses would disappear when modified.
  • Revision 5843 - Upgrade the underlying Berkeley DB JE to version 3.3.87.
  • Revision 5847 (Issue #4164) - Fixes a decoding problem .
  • Revision 5848 (Issue #4229) - Resolves an issue where the connection handler thread hangs and cause potential DoS attack.
  • Revision 5849 (Issue #4226) - Improves the PartialDateOrTime matching rule to match on time as well as date.
  • Revision 5854 (Issue #4240) - Resolves an issue in the Control-Panel when displaying attributes with a syntax that has no name.
  • Revision 5863 & 5867 (Issue #4117) - Resolves an issue with MODDN operation that could impact ability to export and reimport from LDIF.
  • Revision 5865 (Issue #4060) - Prevents a new server process to start while OpenDS server is shutting down. Also preserves the server.pid when in-core restart is performed.

Technorati Tags: , , , , ,

Tuesday Sep 29, 2009

LDAPCon 2009 summary

On Sunday September 20th and Monday 21st, I attended the 2nd LDAP International Conference, aka LDAPCon 2009, in Portland OR, USA.
The attendance was lower than expected initially but included most of the LDAP open source projects (Apache Directory, LSC Project, OpenDS, OpenLDAP) as well as directory server vendors (Apple, Isode, Sun, Symas, UnboundID) and some users of the technology.

All the slides for the presentations are now available, as well as the articles submitted for participation.

LP0_1859On Sunday, the conference was inaugurated by Mike Schwartz from GLUU, a Texas based start-up. GLUU intends to provide identity federation and single sign-on as a service and makes an intensive use of LDAP technologies : directory servers, directory proxy servers, virtual directories and DSML gateways for provisioning.

LP0_1860Stefan Seelman described the Apache Directory project and its toolchain, from the excellent Apache Directory Studio (you don't know the Studio yet, go get it !) to its embedded directory server. Stefan demonstrated how to use Studio to create a staged directory server, and then role out the changes into the production one.

LP0_1865Later in the day, Emmanuel Lecharny explained how Apache Directory Server is supporting RFC 4533 to allow synchronization between an OpenLDAP server and the Apache Directory Server. As of today, Apache Directory Server is only supporting the consumer side of the protocol so it can act as a replica of an OpenLDAP master. Building the supplier side is next on their roadmap but it's more complex, and then trying to do multi-master replication will require to implement conflict resolution procedures that have to be exactly identical to OpenLDAP ones. Based on our experience with Sun Directory Server and OpenDS, this will be the trickiest part. I got questioned on when OpenDS or Sun Directory Server will support this RFC. Honestly, this is not on our roadmap and we would be happy to add it if the community needs it and is willing to contribute. But today we already have a working multi-master replication feature that is much more scalable and powerful than what RFC 4533 allows to build.

LP0_1862Jonathan Clarke talked about LDAP Synchronization Connector, an open source project building synchronization tools between LDAP and other data sources such as RDBMs, flat files or alternate directories. LSC is written in Java and is already in production in a few french companies.

Terry Neely then presented how to do physical access control with LDAP. An interesting story about how to design schema, leverage replication to distribute access control information related to door and buildings. The OpenLDAP server running on an embedded hardware, with a 4GB compact flash !

Howard Chu, Chief Architect for OpenLDAP, and I did a joint presentation on how to store LDAP data in MySQL Cluster and we described the architecture of our respective implementations: OpenLDAP back-ndb and OpenDS ndb backends. Andrew Morgan from the MySQL Cluster team helped us describing MySQL Cluster. The question of having an in-memory distributed backend for LDAP server still raises a lot of questions and eyeballs, but people are starting to understand the value of scaling and getting simultaneous access to the data via LDAP, SQL or direct APIs.

LP0_1870Kurt Zeilenga presented his work in Isode directory to provide security label-based authorization. Security label based authorization is another flavor of authorization, in addition to identity based and role based authorization. The idea is to grant permission to access data based on the label presented by the authenticated user and the label of the data to be accessed. Which a lot of users in the directory, and many security levels (there can be up to 256 levels), this kind of authorization system scales better than Access controls. The Isode implementation has security labels at the entry level (not attribute). Clearance for a user is derived from an attribute in the user entry, from the user certificate in the directory or directly from the authentication level. While the presentation was mostly an overview of security labels and how they could be used in the context of a directory service, I found the presentation quite interesting as I've been asked a couple of time to add security label awareness to Sun Directory Server, especially in the context of Solaris Trusted Extensions.

We ended day one with a panel open discussion with the various directory projects and vendors. After briefly discussing areas where progress is to be made (see Mathias summary for details), we looked at the LDAP community and try to find ideas to increase it or make it more active. One area we (Sun) have been active is education. For the last couple of years, we've been involved in giving LDAP trainings in Universities, or helping teachers with projects involving LDAP instead of RDBMs. Another area is client APIs and code examples. The work that we're doing with the Apache Directory team is a good step. It was also quite interesting that Howard Chu came to me in the after hours and discussed about Java for servers. Obviously, getting fresh blood in projects in getting harder with C based projects than Java based projects, as most of students are no longer learning C programming but Java programming (and other modern languages).

LP0_1867On Monday September 21st, the day started with an analyst view on the LDAP directory landscape. Felix Gaehtgens, analyst and partner at Kuppinger Cole, talked about the various market segments of the directory markets and the third generation of LDAP directory products that have emerged in the last couple of years.

Kurt Zeilenga gave a status of LDAP standardization efforts, occurring at IETF and at ISO/IEC. The hottest topic is the password policy which is evolving in both standard bodies. Howard Chu and I have published an update on the Password Policy for LDAP internet-draft. We intend to post additional changes and get it through to RFC status in the coming months.
Other topics being worked on through IETF are LDAP Transaction draft, currently under editors' review, the LDAP schema for NIS (rfc 2307-bis), schema for VCard, schema for Kerberos and for NFS v4.
Kurt suggested that there is still some work to be done at IETF on the LDAP front, but it would be better conducted through a working group. He also encouraged people to join the standardization effort and bring some new blood to it, recognizing that he would be happy to participate but not lead a new working group. He suggested a list of topics that could be covered by the working group :

  • Chaining Operations
  • Access Controls based on X.500 model
  • LDIF update
  • Complex Transactions
  • Schema versioning and management
  • Password Policies
  • ...

The next 3 presentations were about APIs for LDAP Java developers. Emmanuel Lecharny and I described the work we've done in the last few months collaborating on a common LDAP API for the Java platform, and we discussed what is required to move this work to standardization. Our presentation was mostly areas of work and a call for participation on that effort. We've moved our discussion to the Apache Directory API public mailing list (api (a) directory (dot) apache (dot) org).
LP0_1871Right after, Neil Wilson, chief architect at UnboundID, showed some slick slides about UnboundID's products, focusing mainly on their new LDAP client Java SDK, demonstrating it's use on the Android platform. UnboundID SDK is already available as opposed to Apache Directory or OpenDS ones. But it would definitely need to be polished and cleaned so that it could be used by our project for our needs, i.e. use the same SDK for both the server and client tools.
Following these 2 SDK presentations, Stefan Seelman demonstrated how to leverage the DataNucleus project and more specifically its support of LDAP to the standard JDO interface.

LP0_1872Howard Chu gave an overview of the new overlays developed in OpenLDAP related to user authentication and authorization. Based on the work from nss-ldapd the nssov overlay provides integration with the nss and the pam stacks. Another interesting module is an integrated certification authority overlay where user certificates and keys are generated magically based on the query filters. While this looks smart, it raises a lot of questions with regards to the security levels associated with generating and using certificates over LDAP, and it's current implementation (only search parameters are used to generate the certificate) is messing a lot with the semantics of searches. Both Kurt and I think it should be implemented as an extended operation or at least a search control.

Finally but not least, I closed the LDAPCon with my presentation on the innovations that have been done in the OpenDS project. My presentation was articulated in 2 parts, innovations that directory administrators benefit from like the Assured Multi-Master replication model and the scheduled and recurrent tasks. And the innovations for the developers, basically new LDAP syntaxes and matching rules to ease application developments. You can find the details in the slides or the paper that I wrote for the conference.

Overall, this conference was really good for us and for meeting with some of the OpenDS community members, but as well for raising the awareness on what we've been doing in the last couple of years. I really enjoyed the discussions with all attendees, the beers in the evening and the fun of trying to connect the iPhone LDAP clients to the OpenLDAP server running on Howard's G1 phone.

LP0_1874 LP0_1876 LP0_1878

All photos that I took during the conference are publicly available, and free of use for non commercial purpose.

Technorati Tags: , , , , , , ,

Monday Sep 14, 2009

Jack and Pat on OpenSSO and OpenDS...

Pat Patterson reminded me of a conversation he had at OSCON 2009 with Jack Adams about OpenSSO. Luckily, the discussion was captured in video.
During the conversation, they talk about OpenDS as well. Thanks for the plug, Pat !

 

 

Technorati Tags: , , , , , ,

Wednesday Sep 09, 2009

Another new feature in OpenDS Control Panel

Opends Logo TagOpenDS 2.0 has been out for a couple of months now but the development team kept on the pace of development.

Beside its ability to manage remote OpenDS servers, the Control Panel has been enhanced to support the Recurrent Tasks introduced in the OpenDS 2.0 server, and both Export LDIF and Backup can be scheduled to happen at a later time or on a regular basis.

OpenDS control panel Backup screen

Notice the "Change" button in the Backup Options.

OpenDS Control Panel, Choice for scheduling a backup

You can then choose the proper kind of scheduling and tune it very simply as illustrated below.

OpenDS Control Panel, scheduling a weekly backupOpenDS Control Panel, Scheduling a backup with Cron like notation

Technorati Tags: , , , ,

Tuesday Sep 08, 2009

Managing multiple OpenDS servers

Opends Logo Tag
Up until now, to manage an OpenDS server, one would need to log onto the machine and starts the Control Panel.

In the next release of OpenDS (OpenDS 2.2), the Control Panel can now connect to remote servers, allowing an administrator to remotely monitor and tune any running instance of OpenDS.

Let's see what has changed in the Control Panel for the remote access, and what are the limitations.

The first thing you will notice when starting the Control Panel is a new dialog which allows you to choose between the local server or a remote server.
OpenDS Control Panel, connection dialogOpenDS Control Panel new connection dialog

Once you've selected the server to administer, you will see the usual Control Panel window with its left action bar and information on the right.
OpenDS Control Panel remote server view

You can change server while the Control Panel is running. It's in the File menu, when you are on the Main window of the Control Panel.
OpenDS Control Panel, Changing Server to Administer
OpenDS Control Panel,  Changing Server to Administer

There is very little difference between managing a local server and managing a remote server.
One thing you will notice when administering a remote server is that you can't stop or restart it. Also, you cannot use the Control Panel to configure the Java properties of a remote server. That's it.

The Control Panel cannot be installed as a standalone tool, it's a part of the OpenDS server installation, and it can only manage one server at a time, local or remote. But the ability to manage remote servers will reduce the need to logon to each host and run the Control Panel on each instance either physically or using a remote display, simplifying the task of the directory administrators.

If you want to check this capability, you can download and install one of the recent OpenDS daily builds, or wait for next promoted build (2.1.0-build001).

Technorati Tags: , , , ,

Wednesday Sep 02, 2009

Everything has an end...

And so do vacations, and blog silence.

I've been back in the office for over a week now but I was trying to catch up with emails, irc, blogs and news, too busy to find the time to blog again.
There's a lot to say on the LDAP and OpenDS front.

While I was happily riding the Mont Ventoux and around with friends and family, the project kept on moving on the path to OpenDS 2.2 and several new features have been committed by the team in the code repository:

  • The Control Panel can now be used to manage remote server instances.
  • OpenDS now publishes all changes in a public ChangeLog accessible (subject to access control) under the cn=changelog naming context.
  • Replication now supports a Fractional mode allowing to exclude or include only specific attributes of all replicated entries.
  • dsreplication utility has been improved to allow separating the replication service from the replicated OpenDS instance.
  • The import feature has been rewritten and optimized, reducing the time and memory required to import very large set of data.
  • The server now supports 2 new MatchingRules to better deal with Time and Dates (GeneralizedTime syntax).
  • The server now supports the ability to declare a new syntax but default it's implementation to an existing one.
  • The server now supports the ability to declare new Regular Expression based syntaxes and attributes.
  • The server now supports the ability to declare new Enumeration based syntaxes and attributes.

Most of the new features are already documented as part of the User Documentation of the OpenDS documentation wiki. You can test these features in recent daily builds, or you can wait for the next promoted build (2.1.0-build001) that should come pretty soon.
I will be starting a series of articles to describe with illustrations and details those new features, in the coming days and weeks.

Also in a separated branch, Matt and Bo have been working on an LDAP Client API, which is getting in a good shape to be released for beta testing soon (probably along with OpenDS 2.2).

LDAPCon 2009
The 2nd. International conference on LDAP, LDAPCon 2009 will be held on September 20th and 21st at Waterfront Marriot Hotel , Portland OR, USA. If you haven't registered yet, please register now ! The registration fee includes access to the LinuxCon 2009 (Sep 21 - 23), and if you still need to be convinced that it's worth attending, you can check the agenda. I hope to see you there.

Also noticed in the blogosphere and the websphere :

Finally I know the title of this post may have alarmed some of you. I don't know what's going to happen in the coming days, but I just hope I won't have to write another post with the same title on the subject of OpenDS or myself.

Technorati Tags: , , , , , ,

Tuesday Jul 28, 2009

OpenDS turns 3 today...

OpenDS open source project is 3 years oldAnother year has passed and we already end of July. Today is the anniversary day for the OpenDS project which is turning 3 this year.

As usual, this is also time to look back in the mirror and consider what we've achieved.

A little more than 10 days ago, we announced the availability of OpenDS 2.0, the new and stable release of our LDAPv3 directory server. OpenDS 2.0 came just about one year after OpenDS 1.0 and 6 months after OpenDS 1.2.
You can read about OpenDS 2.0 features in the Release Notes, but also in the various articles that have relayed our own announcement such as:

Sun OpenDS Standard Edition 2.0 CD
Yesterday, Sun publicly announced the general availability of Sun OpenDS Standard Edition 2.0, a Sun supported version of the OpenDS project, as well as the release of OpenSSO Express Build 8 (due in a couple of weeks).

Sun OpenDS Standard Edition 2.0 has the same features as OpenDS 2.0. Differences are in the branding, the license, the documentation that is available from docs.sun.com in HTML and PDF and of course the support services offered by Sun.
Mark Craig has already posted an illustrated article describing how easy it was to install Sun OpenDS Standard Edition 2.0 on Windows XP.

OpenSSO Express builds are supported snapshots of OpenSSO development. As Pat Patterson, Community Manager for OpenSSO and covering all Identity Products at Sun, detailed on his blog, OpenSSO Express Build 8 includes a new Mobile One Time Password Feature, the Fedlet for .Net and a new task flow enabling single sign-on to Salesforce.com.

As OpenDS is getting mature, we're seeing public endorsement and use of it. In the last couple of weeks, we had 2 success stories including the use of OpenDS :

Finaly within a year, the OpenDS Community has more than doubled, in term of members in the community, but as well in the number of active contributors and participants in the #opends IRC channel, and in term of unique visitors on the www.OpenDS.org.

OpenDS.org Monthly visits

I'm proud of what we've accomplished in 3 years and even more of the past year. We still have a lot of ideas and customers requirements to build in the OpenDS project. Overall we know where we want to go and we hope our new executives will agree that it's a nice and viable path to follow...

Technorati Tags: , , , , , , , ,

Monday Jul 27, 2009

OpenDS 2.0 on Mac OS X with the latest JVM...

Opends2 PictoMacOSX 10.5.7There is an issue in the start and stop scripts that is preventing OpenDS 2.0 to be installed via Java Web Start on Mac OS X 10.5 with the latest version of the JVM (Update 4 a.k.a 1.6.0_13). I've discovered the problem at the same time we were releasing OpenDS 2.0.0 release candidate 4 which was planned to be the last release candidate. So the fix is not the release but has been committed to the trunk.

The issue is that the new JVM does use a larger default minimal heap size and reject any calls with -Xmx if the maximum heap size is smaller than its internal default (around 30MB).

Still OpenDS 2.0 can be installed on Mac OS X and used with the latest JVM, by downloading the Zip file, unzipping it and doing minor edition in the start-ds and stop-ds scripts.

$ unzip ~/Desktop/OpenDS-2.0.0.zip
Archive: /Users/ludo/Desktop/OpenDS-2.0.0.zip
creating: OpenDS-2.0.0/
...
inflating: OpenDS-2.0.0/upgrade
$ cd OpenDS-2.0.0/bin

In the start-ds and the stop-ds scripts, replace all occurences of the string "-Xms8M -Xmx8M" with "-client"

$ cp start-ds start-ds.orig
$ sed -e "s/-Xms8M -Xmx8M/-client/g" < start-ds.orig > start-ds
$ cp stop-ds stop-ds.orig
$ sed -e "s/-Xms8M -Xmx8M/-client/g" < stop-ds.orig > stop-ds

OpenDS QuickSetup App IconYou can now run the setup program (or launch the QuickSetup application) to install and configure the OpenDS directory server.

Technorati Tags: , , , , , ,

Thursday Jul 23, 2009

Assured Replication: A New Feature of OpenDS 2.0

OpenDS 2.0 has just been released and there are several new and exciting features in it.

To me, the biggest innovation in this release is "Assured Replication", an extension to the loose consistency multi-master replication feature that brings tighter consistency of data between replica. "Assured Replication" is not to be taken for a full synchronous and transactional replication mechanism. A change is not transactionally applied to a set of or all replicas of a topology. With "Assured Replication", the response to an LDAP modification is delayed until the change has been received or applied by other servers, in a best effort mode. It provides a greater assurance that a change is not lost even if the server receiving it crashes.

Opends Assured Replication with Safe Data level 2

Assured Replication can function in 2 modes :

  • Safe Data Mode: an update must be propagated to a defined number of Replication Servers before returning a response to the client. So if the server or the replication server is stopped, the data is still available to all other replicas.
  • Safe Read Mode: an update must be propagated to all directory servers in the domain before the client is returned a response for the update.

Of course, for both modes, it's possible to configure a timeout interval to prevent LDAP clients to be waiting indefinitely if some servers are not available.

Configuring Assured Replication is pretty straightforward but cannot be done when setting up replication itself. So the first step is to configure Multi-Master Replication for a domain with dsreplication.

$ bin/dsreplication enable --host1 localhost --port1 5444 --bindDN1 'cn=directory manager' --bindPassword1 secret12 --replicationPort1 8989 --host2 localhost --port2 6444 --bindDN2 'cn=directory manager' --bindPassword2 secret12 --replicationPort2 8990 --adminUID admin --adminPassword secret12 --baseDN "dc=example,dc=com" -X -n

Establishing connections ..... Done.
Checking Registration information ..... Done.
Configuring Replication port on server localhost:5444 ..... Done.
Configuring Replication port on server localhost:6444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com on server localhost:5444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com on server localhost:6444 ..... Done.
Updating Registration configuration on server localhost:5444 ..... Done.
Updating Registration configuration on server localhost:6444 ..... Done.
Updating replication configuration for baseDN cn=schema on server localhost:5444 ..... Done.
Updating replication configuration for baseDN cn=schema on server localhost:6444 ..... Done.
Initializing Registration information on server localhost:6444 with the contents of server localhost:5444 ..... Done.
Initializing schema on server localhost:6444 with the contents of server localhost:5444 ..... Done.

Replication has been successfully enabled. Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so).

$ bin/dsreplication initialize --baseDN "dc=example,dc=com" --adminUID admin --adminPassword secret12 --hostSource localhost --portSource 5444 --hostDestination localhost --portDestination 6444 -X -n

Initializing base DN dc=example,dc=com with the contents from localhost:5444:
23 entries processed (100 % complete).
Base DN initialized successfully.

See
/var/folders/SH/SHFsRjymHtqiZ4GxPNZERU++Fwk/-Tmp-/opends-replication-737929812662715818.log
for a detailed log of this operation.

$ bin/dsreplication status -h localhost -p 5444 --adminUID admin --adminPassword secret12 -X

dc=example,dc=com - Replication Enabled
=======================================
Server : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
---------------:---------:----------:--------------:----------:-------------
localhost:5444 : 23 : 0 : N/A : 8989 : Disabled
localhost:6444 : 23 : 0 : N/A : 8990 : Disabled

Now that replication is setup, we can enable the Assured Replication mode, using the dsconfig utility. For this, on each of the OpenDS direcotry servers, we first need to retrieve the full name of the replication domain.

$ bin/dsconfig -D cn=directory\\ manager -w secret12 -n -s list-replication-domains --provider-name "Multimaster Synchronization"

cn=admin data (domain 29167)
cn=schema (domain 9674)
dc=example,dc=com (domain 14741)

$ bin/dsconfig -D cn=directory\\ manager -w secret12 -n set-replication-domain-prop --provider-name "Multimaster Synchronization" --domain-name "dc=example,dc=com (domain 14741)" --advanced --set assured-type:safe-data --set assured-sd-level:2

Note that the Replication Domain has a different value on each server, so you have to repeat these 2 commands on each instance.
Setting the assured level for Safe Data to 2 means that the server will make sure the data has been received by at least 2 replication services before returning to the LDAP client the response to the update request.

From a client point of view, there should be no difference, except that the server might take a little longer to return the response to an update request. In our measures, we found that the response time increased by 25% for Safe Data Level 2, which seems a lot, but honestly, when the response time is in the order of 2ms, it's hard to notice !

You can find more information about Assured Replication on OpenDS 2.0 documentation wiki, both in the overview of OpenDS Replication Architecture and the Replication Administration Guide, and more specifically Assured Replication Administration Guide

Technorati Tags: , , , , ,

Monday Jul 20, 2009

New in OpenDS 2.0: Recurrent and Scheduled Tasks

Opends2 PictoOpenDS 2.0 has just been released and there are several new and exciting features on it.

Today we will focus on one simple feature that greatly reduce cost of administration: scheduled tasks.

Being a Directory Server administrator often implies that you have to perform some administrative tasks on a regular basis. One of those tasks for example that an administrator has to do is a backup of the database. With most Directory Servers, the administrator would write a script to be run on a specific time of the day (or rather the night) that would proceed with the backup.
With OpenDS and the Recurrent Tasks, we've simplified this to the extreme: Just instruct OpenDS to do a backup on a weekly or daily basis, and as long as the server is running, it will execute the backup procedure at the desired time.

Here's how to schedule an hourly, compressed backup for the main back-end :

$ bin/backup -p 5444 -D cn=directory\\ manager -w secret12 -n userRoot \\
-d ./backups -c --recurringTask '0 \* \* \* \*'
Recurring Backup task BackupTask-dc89d98e-4ade-410e-ad19-325279af8f67
scheduled successfully

Now, just wait for the hour to pass, and check if the backup has been taken ;-)

The string passed as a parameter following the --recurringTask option has the same format as for the crontab(5) time/date: a 5 integer pattern field, separated by blank spaces: Minute (0-59), Hour (0-23), Day Of Month (1-31) Month Of Year (1-12) Day Of The Week (0-6 with 0 being Sunday).

The recurrent tasks are not limited to backups. They can be applied to all tasks, although some may not be that useful to everyone. Although I do see some use of a daily import of an LDIF file from a well know location, as a way to synchronize with external sources.

And of course, you can list the scheduled and recurrent tasks with dsconfig and cancel them if needed.

In the next release of OpenDS, you will be able to configure the recurrent tasks with the Control Panel. If you can't wait, you can try with the latest daily build.

You can find more information on recurrent tasks on the OpenDS Documentation Wiki.

Technorati Tags: , , , , ,

Friday Jul 17, 2009

OpenDS 2.0 is here !

The OpenDS development team is very please to announce the availability of OpenDS 2.0.0 and it's supported companion Sun OpenDS Standard Edition 2.0.

OpenDS is an LDAPv3 compliant Directory Service written entirely in Java. The 2.0 release has many new features since OpenDS 1.0 that was released a year ago:
• A graphical control panel that enables basic server and data administration is available and replaces the OpenDS 1.0 status-panel
• An administration connector manages all administration related traffic to the server. By separating user operations and administration operations, the administration connector ensure a better quality of service and simplify logging and monitotring
• Connections can be secured and encrypted with SASL mechanisms
• Access Control mechanism has been enhanced to control access based on the level of security of the connection
• The ;binary transfert option is now supported
• Standard schema files related to Solaris and OpenSolaris LDAP naming services are provided by default
• Setup and tools provide an enhanced support for the JCEKS keystore and alternate security providers
• A new mode for Multi-Master Replication providing greater consistency and availability of data: Assured Replication
• Recurring tasks allow an administrator to schedule repeated tasks such as backups
• New extensible matching rules and indexing allowing comparing, ordering of data according to specific locales and languages
• Better monitoring information for the server and for Replication
• Full compliance with RFC 4518 and matching of UTF-8 in attributes with a DirectoryString syntax
• VLV indexes are now built during the Import
• Works with IBM JVM (Java 6 SR4 required)
• Works by default with JConsole and VisualVM when JMX Connection Handler is enabled
• Default settings and ergonomics have been improved reducing the need for tuning parts of the server
• Greatly improved performances and stability over time of those performances
• Resolved a possible security issue when Pre-ReadEntry, Post-ReadEntry and Assertion Controls were enabled

OpenDS 2.0.0 is a promotion of OpenDS 2.0.0 Release Candidate 4, built with revision 5492, to the stable and finalized version.
It can be installed with the Java WebStart QuickSetup or downloaded as a Zip file.
A DSML-to-LDAP Gateway is available as a War file.

Like for previous OpenDS releases, a snapshot of the documentation wiki has been setup. The documentation is still being verified and a few links might not be functional yet. We expect it to be finalized by the end of next week.

You can find more information about OpenDS 2.0 in the release notes.
For a supported version of OpenDS, please check the Sun OpenDS Standard Edition 2.0 home page or get it directly from Sun Download Center.

I'd like to address a special thank to our external contributors who have helped making this release a better release, especially Christian Brennsteiner for the German translation of messages, Tosiki Iga for the Japanese translation, D.J Hagberg for the performance enhancements, Andy Wang for the IBM JVM Support.
Thanks also to all users who have raised issues during the development phase, helping us with testing the server in ways we can't.

This is a major milestone for the OpenDS project, but there is more to come... Make sure you check the Roadmap and you participate to it.

Technorati Tags: , , , ,

Friday Jul 10, 2009

A nice gesture from FISL organizers

I've just received a "certificate of attendance as a Speaker" from the FISL organizers. This is a very nice gesture and adds to the amazing experience that is FISL. Big thanks to the organizers and more specifically Fernanda Weiden who had to cope with the egos of over 320 speakers.

FISL Certificate

Technorati Tags: , , , ,

Thursday Jul 09, 2009

Lowering the bar for OpenDS Translation...

Opends Logo TagPavel Heimlich, also known as Hajma on in the OpenDS project and lead for many Translation projects, has gone through all of the OpenDS messages to figure out the ones that were still in use and important to translate. There is now a "simplified" OpenDS project in the Community Translation Interface that contains a 5th of the initial messages, making it easier and faster for the volunteers to translate OpenDS to their preferred language. There are currently on-going translation for chinese, french, german, japanese, korean, polish, portuguese, serbian and spanish, but new language projects can be initiated on demand.
If you're interested, check the How To Guide.

Technorati Tags: , , , , ,

Monday Jun 29, 2009

FISL 10 Trip report

I've just spent a wonderful week in Porto Alegre, Brazil where I've landed to talk about OpenDS at the FISL 10 conference.
This is my first visit in Brazil and I must say that I didn't get any good impression of the country in the first two days. As a matter of fact, I didn't get any impression at all. I arrived on Monday evening around 9pm, it was all dark. After more than 16 hours of traveling, I just wanted to hit a bed.
On the Tuesday morning, thanks to the jet lag, I got up quite early, checked email and went for breakfast by 7am, noticing a rainy day and still pretty dark. I was just done with the breakfast when Bruno Souza arrived and took me to the location of the Javali meeting, an ancillary event of FISL, sponsored by Sun and organized by SOU Java and RS JUG.
We spent the whole day in the conference room, watching from time to time through the windows the heavy rain and wind. The Javali talks ended with pizzas and guarana and by then the night was already dark.
While I didn't get to see how Porto Alegre looks like in the first days of my visit, I did enjoyed the friendliness of Brazilians. At Javali, trying to follow the presentations in Portuguese was though but I think I got probably 50% of the technical parts thanks to the mix of english words and to my understanding of Spanish. And when it was necessary, Bruno or Mauricio Leal would do some translation for us.
I didn't get to talk at Javali, the agenda was pretty full and I hadn't told Bruno I would be coming as I wasn't sure I could make it. But Pat Patterson presented Securing RESTful Web Services with OpenSSO (and OAuth) and mentioned a few times OpenDS.

LP0_1036

LP0_1039Wednesday was the first day of FISL and all the Sun participants went quite early to help setting up the booth in the Exhibition Hall. Sun's booth was very well located and its main attraction was the thousands of small soccer balls that were given to attendees that registered to the OSUM program. I think that throughout the whole event, the Sun's booth was the most vibrant and busy one, with Roger Brinkley making demos with his toys, Angel Camacho, Brian Leonard, Kirthankar Das and others helping with installs of OpenSolaris on attendees' laptops.

LP0_1167LP0_1181

Arun Gupta fired the event on Wednesday morning with his presentation demonstrating the combined power of GlassFish, MySQL and NetBeans to build web applications.

Arun Gupta, inauguring FISL conf with the 1st talk

Friday was the busiest day for me as I was scheduled for 2 presentations. But before that, I was invited to participate in Simon Phipps talk show, describing in 5 minutes, what was OpenDS, what were the benefits for the Brazilian open source users and developers.

Fisl10 Simontalk

Immediately after, and in the same room, I did my presentation for OpenDS with the theme of "Scaling the Identity Store with OpenDS". The sessions talked about the 3 models we have in OpenDS for deployment :

  • Embedded in Java applications,
  • Standalone replicated servers,
  • LDAP Front-end access to MySQL Cluster's network DB.

While FISL is mostly attended by students, my session had a majority of System Administrators, interested by simplifying and reducing the cost of their data-centers.

4791_116007741662_583231662_2881035_1391095_n

Later in the afternoon, I was presenting again, repeating JavaOne's presentation from Tony Printezis and Charlie Hunt GC Tuning In the HotSpot Java Virtual Machine. Charlie was meant to attend the event, but the week before found out he could not make it. As they recalled I was in the room at JavaOne and I'm quite familiar with the subject as we're spending a lot of time trying the different options to tune the JVM to get the best performances out of OpenDS, they asked me to cover the talk. I think I've done a reasonable job, despite the density of information in the slides, and the simultaneous translation in Portuguese for the largest part of the crowd not so familiar with English.

Still on Friday, part of the exhibition floor was closed to the public as the Brazilian President, Lula Da Silva, was schedule to visit the event. Sun booth was very well positioned, on the border on the closed area and the crowd started to gather by the booth as President Lula arrived. The excitement was amazing. When the President reached by the OpenSolaris Brazil user group, he received an OpenSolaris cap and T-shirt from Vitorio Sassi, Sun employee and one of the leaders of the Brazilian OpenSolaris community.

Brazilian Presidente Lula with OpenSolaris community
Photo taken by Ludovic Poitou, June 26 2009.
Somerights20

.

On Saturday and last day of the FISL conference, I got to share a little bit more of the stage by answering a performance related question from the attendance on Bruno Souza's session about the future of Java,with the exceptional presence of Javali, the mascote for the Javali user group.

Bruno Souza with Duke and Javali

Overall FISL has been an amazing experience. It is definitely the biggest open source I've participated to. Over 8200 registered visitors, from 27 different countries, more than 320 speakers for 354 presentations and a presidential visit. More than that, Brazilians are extremely nice, generous and happy to live. They made our stay in Porto Alegre something that I'll remember for a long time. A special thanks to the main organizers: Bruno Souza and Eduardo Lima (here below with Simon Phipps)

LP0_1127

.

I'll definitely participate to the Call For Presentation next year, if evangelism of the OpenDS project is still one of my tasks for next year.

You can find all photos for the event in the FISL 10 picasa album.

Technorati Tags: , , , , , , , ,

Saturday Jun 27, 2009

To the FISL attendees...

FISL 10

Many of you have requested the slides.
Here they are :

Thanks for your presence...
A more detailed article is in the works.

Technorati Tags: , , , , ,

About

This is the blog of a senior software engineer, specialized in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photo

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today