<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet title="XSL formatting" type="text/xsl" href="http://cgrosjean.ldaptools.com/feed/rss2/xslt" ?><rss version="2.0"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
  <title>Cyril's Identity Management Blog</title>
  <link>http://cgrosjean.ldaptools.com/</link>
  <atom:link href="http://cgrosjean.ldaptools.com:82/feed/rss2" rel="self" type="application/rss+xml"/>
  <description></description>
  <language>fr</language>
  <pubDate>Fri, 17 Feb 2012 19:51:12 +0100</pubDate>
  <copyright></copyright>
  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
  <generator>Dotclear</generator>
  
    
  <item>
    <title>OpenDJ TIP</title>
    <link>http://cgrosjean.ldaptools.com/post/2012/02/08/OpenDJ-TIP</link>
    <guid isPermaLink="false">urn:md5:9e2755127e2b934ea326fb5816752f60</guid>
    <pubDate>Wed, 08 Feb 2012 11:17:00 +0100</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;It's been a while since my previous post! Did you know OpenDJ has a nice
feature to help debug index problems? Not a lot of people seem to know
that trick, so here's your chance to catch it. Just request &amp;quot;debugsearchindex&amp;quot; as
the attribute to retrieve in a search, and OpenDJ will return a
detailed description of how the indexes were used to process the filter:&lt;/p&gt;
&lt;pre&gt;
ldapsearch -b &amp;quot;ou=people,dc=example,dc=com&amp;quot; -w secret
&amp;quot;(|(objectclass=inetorgperson)(uid=login_2*))&amp;quot; debugsearchindex

dn: cn=debugsearch
debugsearchindex: filter=(|(objectClass=inetorgperson)[INDEX:objectClass.equality][LIMIT-EXCEEDED])[LIMIT-EXCEEDED]
scope=wholeSubtree[LIMIT-EXCEEDED:83315] final=[LIMIT-EXCEEDED:83315]
&lt;/pre&gt;
&lt;p&gt;In this output, [LIMIT-EXCEEDED] means that the number of entries behind that
index key went over the index entry limit, so that part of the filter could not
be used to narrow down the candidate entries: this is exactly the kind of search
that ends up being processed as unindexed.&lt;/p&gt;
&lt;p&gt;Nice feature, isn't it?&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2012/02/08/OpenDJ-TIP#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2012/02/08/OpenDJ-TIP#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/665321</wfw:commentRss>
      </item>
    
  <item>
    <title>OATH, Google authenticator and Authentic 2</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/12/26/OATH-and-Google-authenticator</link>
    <guid isPermaLink="false">urn:md5:c17191efb171b827795c18b85f050e50</guid>
    <pubDate>Mon, 26 Dec 2011 17:23:00 +0100</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>Authentic 2</category><category>OATH SSO Google</category>    
    <description>    &lt;p&gt;&lt;a href=&quot;http://www.openauthentication.org/&quot;&gt;OATH&lt;/a&gt; and &lt;a href=&quot;http://support.google.com/a/bin/answer.py?hl=en&amp;amp;answer=1037451&quot;&gt;Google
Authenticator&lt;/a&gt; are relatively new components of the IAM/IDM world that
could change our lives some day: OATH promotes the wide adoption of OTP-based
and two-factor authentication frameworks, making exchanges between web actors more
secure, easier to implement and easier to integrate, thanks to well-known
authentication standards like HOTP.&lt;br /&gt;
&lt;br /&gt;
OATH also features simplified authentication through federation (a
kind of virtually unlimited web SSO). The really new thing here is that OATH
proposes a standard framework at the user, device and network levels,
potentially making adoption faster.&lt;br /&gt;
&lt;br /&gt;
Google Authenticator, on its side, is one of Google's user-friendly answers to
the authentication and identity theft issues: if your application or
authentication server supports Google Authenticator, your users can
benefit from strong authentication (one-time-password-based
authentication) just by installing the Google Authenticator Android
application on their smartphone. Interesting, at least, for businesses requiring
more security in the cloud.&lt;br /&gt;
&lt;br /&gt;
And so, if you noticed the title of this article, you may wonder what
&lt;a href=&quot;http://dev.entrouvert.org/projects/authentic&quot;&gt;Authentic 2&lt;/a&gt; has to do
with OATH and Google Authenticator. Well, it's the new version of an
authentication server that supports both of them, and also offers
many other identity-related features like a federation gateway and PAM
support.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/12/26/OATH-and-Google-authenticator#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/12/26/OATH-and-Google-authenticator#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/657021</wfw:commentRss>
      </item>
    
  <item>
    <title>OpenAM: session expiration at login time and security best practices</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/12/09/OpenAM%3A-session-expiration-at-login-time-and-security-best-practices</link>
    <guid isPermaLink="false">urn:md5:f16a3a778c7e6f9885eb6fc47226c1a1</guid>
    <pubDate>Fri, 09 Dec 2011 11:44:00 +0100</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;I recently had to deal with the OpenAM authentication framework, and
in particular to find a way to prevent the expiration of HTTP sessions for
unauthenticated users. For those interested in this topic, &lt;a href=&quot;https://wikis.forgerock.org/confluence/display/openam/How+to+prevent+expiration+of+invalid+%28ie.+unauthenticated%29+sessions&quot;&gt;
follow this link&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I also added my two cents with some security best practices to follow when deploying
OpenAM: &lt;a href=&quot;https://wikis.forgerock.org/confluence/display/openam/Security+Best+Practices+when+deploying+OpenAM&quot;&gt;
let's read it&lt;/a&gt;.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/12/09/OpenAM%3A-session-expiration-at-login-time-and-security-best-practices#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/12/09/OpenAM%3A-session-expiration-at-login-time-and-security-best-practices#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/654373</wfw:commentRss>
      </item>
    
  <item>
    <title>OpenDJ powerful logging interface</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/11/25/OpenDJ-powerful-logging-interface</link>
    <guid isPermaLink="false">urn:md5:2bafd59a5de789e49c7ea5c72bba6305</guid>
    <pubDate>Fri, 25 Nov 2011 15:50:00 +0100</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>OpenDJ Logs dsconfig</category>    
    <description>    &lt;p&gt;Did you know that OpenDJ, one of the major open source directory servers,
features a powerful logging interface? For each need and use case, the OpenDJ
logging system brings a solution to debug, finely tune and optimize, or just
filter out what you want or don't want to see in your logs.&lt;/p&gt;
&lt;p&gt;For example, let's have a look at a few commands below...&lt;/p&gt;
&lt;p&gt;Use this one to enable nanosecond accuracy for the LDAP operation execution
time (etime) recorded in the access log:&lt;/p&gt;
&lt;pre&gt;
dsconfig -j mypasswordfile -Xn set-global-configuration-prop --set etime-resolution:nanoseconds
&lt;/pre&gt;
&lt;p&gt;Use this one to enable the debug log with a somewhat talkative log
level (the publisher name contains spaces, so it must be quoted):&lt;/p&gt;
&lt;pre&gt;
dsconfig -j mypasswordfile -Xn set-log-publisher-prop --publisher-name &amp;quot;File-Based Debug Logger&amp;quot; --set default-debug-level:verbose --set enabled:true
&lt;/pre&gt;
&lt;p&gt;The last one below is a bit more complicated:&lt;/p&gt;
&lt;pre&gt;
dsconfig -j mypasswordfile -Xn set-log-publisher-prop --publisher-name &amp;quot;File-Based Access Logger&amp;quot; --set connection-client-address-not-equal-to:10.0.0.1 --set log-record-type:extended --set response-etime-less-than:500 --set log-format:combined --set log-control-oids:true --set suppress-internal-operations:true --set buffer-size:512kb --set filtering-policy:exclusive --set queue-size:100000
&lt;/pre&gt;
&lt;p&gt;It would have the following effects:&lt;/p&gt;
&lt;p&gt;- it would exclude (from the access log) access requests issued from the
10.0.0.1 IP address, which is very useful, for example, to prevent load
balancer health-check requests from being logged, since they make the access log grow
needlessly large if not excluded.&lt;br /&gt;
- it would also exclude LDAP extended operations, like the replication traffic
for example&lt;br /&gt;
- it would also exclude requests that took less than half a millisecond (500
ns) to be served. In such a case, it's recommended to log both the request and
the result on the same line, for the same operation. That's exactly what the
&amp;quot;log-format:combined&amp;quot; parameter does.&lt;br /&gt;
- it would log LDAP control OIDs, as well as the server's internal LDAP
operations like the ones executed by some enabled plugins&lt;br /&gt;
- finally, to limit disk I/O and improve the overall throughput, it would
increase the default asynchronous access logger queue size as well as the log
buffer size.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/11/25/OpenDJ-powerful-logging-interface#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/11/25/OpenDJ-powerful-logging-interface#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/651680</wfw:commentRss>
      </item>
    
  <item>
    <title>Some words for developers about the IETF LDAP API</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/11/15/some-words-for-developers-about-the-IETF-LDAP-API</link>
    <guid isPermaLink="false">urn:md5:6eaa9882bc51bd5668bb0188e1522796</guid>
    <pubDate>Tue, 15 Nov 2011 09:25:00 +0100</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>LDAP API</category>    
    <description>    &lt;p&gt;If you use the IETF LDAP API to develop your application, maybe you haven't
noticed that some operations work in asynchronous mode by default. For example,
let's consider the following piece of code, which generates a simple LDAP
search request for entries matching a given email address:&lt;/p&gt;
&lt;pre&gt;
LDAPSearchResults res = conn.search(ldapUserBase, LDAPConnection.SCOPE_SUB,
    &amp;quot;(mail=&amp;quot; + aEmailAddress + &amp;quot;)&amp;quot;, attrs, false);
&lt;/pre&gt;
&lt;p&gt;Written this way, the API may return partial results, since the request will
be considered asynchronous. To prevent such &amp;quot;headache-prone&amp;quot; behaviour, the
proper way to make such requests consists in adding an LDAP search constraint
to the request, with a batch size of 0, as shown below:&lt;/p&gt;
&lt;pre&gt;
LDAPSearchConstraints cons = new LDAPSearchConstraints();
cons.setBatchSize(0);
LDAPSearchResults res = conn.search(ldapUserBase, LDAPConnection.SCOPE_SUB,
    &amp;quot;(mail=&amp;quot; + aEmailAddress + &amp;quot;)&amp;quot;, attrs, false, &lt;strong&gt;cons&lt;/strong&gt;);
&lt;/pre&gt;
&lt;p&gt;Note also that both snippets build the filter by concatenating aEmailAddress
straight into it: when that value comes from user input, it must be escaped
according to the LDAP filter syntax (RFC 4515) before being inserted, otherwise
the filter can be altered by the caller.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/11/15/some-words-for-developers-about-the-IETF-LDAP-API#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/11/15/some-words-for-developers-about-the-IETF-LDAP-API#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/649598</wfw:commentRss>
      </item>
    
  <item>
    <title>Some other OpenDJ features</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/09/13/Some-other-OpenDJ-features</link>
    <guid isPermaLink="false">urn:md5:19fce9719c89c351942750f6a91d2653</guid>
    <pubDate>Tue, 13 Sep 2011 16:24:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>OpenDJ aci LDAP</category>    
    <description>    &lt;p&gt;It's been a while since my previous post, so let's push two articles today.
OpenDJ brings some nice features in comparison with Sun DSEE, but may also give
you some headaches if you don't closely read the documentation (I did!).&lt;/p&gt;
&lt;p&gt;Among the good things, it's possible to have very fine-grained directory
administration with OpenDJ, thanks to privileges. Privileges define
administrative rights one must be granted in order to perform some specific
operations. These can be administrative operations, but also operations on data.
For example, in order to be able to modify the access control rules (stored as
aci attributes in the LDAP entries), defining the right acis is not enough: one
also needs the modify-acl privilege. Among other privileges, a user can be
assigned the right to bypass all acis, thanks to the bypass-acl
privilege, or to execute unindexed searches, which is forbidden by default.&lt;/p&gt;
&lt;p&gt;Among the other features that require special care, OpenDJ now
distinguishes between user and operational attributes in acis, in such a way
that specifying &amp;quot;all&amp;quot; in an aci means all user attributes, implicitly
excluding the operational attributes. To target them in acis, they now have to
be explicitly mentioned, or you can alternatively use the special keyword &amp;quot;+&amp;quot;
to target all operational attributes. So, beware!&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/09/13/Some-other-OpenDJ-features#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/09/13/Some-other-OpenDJ-features#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/636616</wfw:commentRss>
      </item>
    
  <item>
    <title>OpenDJ groups management</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/09/13/OpenDJ-groups-management</link>
    <guid isPermaLink="false">urn:md5:80673a3a8fcf07a1e07ece2bde770382</guid>
    <pubDate>Tue, 13 Sep 2011 13:37:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>OpenDJ groups LDAP</category>    
    <description>    &lt;p&gt;Did you know that OpenDJ adds nice features to optimize user group
management? For example, one can define virtual static groups, to present
dynamic groups as if they were static.&lt;/p&gt;
&lt;p&gt;Also, you can finely tune the directory entry cache to speed up search or
modify requests targeting a group: multiple caches can be defined, with
different priority levels, different cached entries (selected by an LDAP filter),
different sizes and purge trigger thresholds, as well as different cache
strategies (FIFO, LRU).&lt;/p&gt;
&lt;p&gt;Not many directory servers, if any, offer such flexibility.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/09/13/OpenDJ-groups-management#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/09/13/OpenDJ-groups-management#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/636561</wfw:commentRss>
      </item>
    
  <item>
    <title>Sun directory to OpenLDAP Migration</title>
    <link>http://cgrosjean.ldaptools.com/post/2011/06/16/Sun-directory-to-OpenLDAP-Migration</link>
    <guid isPermaLink="false">urn:md5:df012f505e47bf84d6f7e1099bf44395</guid>
    <pubDate>Thu, 16 Jun 2011 18:50:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>OpenLDAP directory migration Sun</category>    
    <description>    &lt;p&gt;If you plan to migrate from Sun Directory Server (Sun DS v5 to Sun DSEE v7,
including ODSEE 11gR1) to OpenLDAP 2.4 or later, here are a few non-exhaustive
tips to keep in mind:&lt;/p&gt;
&lt;p&gt;- Sun Directory Server versions up to 6.x don't enforce any attribute value
checking, as opposed to OpenLDAP. So, expect some work on your data before
being able to import them into OpenLDAP. Typically, if you had mail attribute
values containing forbidden characters (like &amp;quot;ç&amp;quot; for example) in Sun DS, you'll
have to modify your Sun DS LDIF export file and replace &amp;quot;ç&amp;quot; by &amp;quot;c&amp;quot; in each mail
attribute value before being able to import it into OpenLDAP. In the same
manner, if you have illegal DN values for attributes like &amp;quot;manager&amp;quot; or
&amp;quot;uniquemember&amp;quot;, OpenLDAP will refuse them, and they must be fixed before you try
to import your data into OpenLDAP.&lt;/p&gt;
&lt;p&gt;- Sun legacy attributes such as nsaccountlock don't exist in a standard
OpenLDAP schema. When nsaccountlock is FALSE, it just means the account is not
locked out, so you can safely remove such attributes from the corresponding
LDIF entries before loading them into the OpenLDAP database. On the contrary, Sun Directory Server
locked accounts have a value of TRUE for the nsaccountlock attribute. In such a
case, if you want to keep the account locked in OpenLDAP, this should be
replaced by: &amp;quot;pwdAccountLockedTime;pwd-userpassword: 000001010000Z&amp;quot;&lt;/p&gt;
&lt;p&gt;And of course, you first need to include the password policy overlay and
schema in OpenLDAP to be able to use that kind of feature.&lt;/p&gt;
&lt;p&gt;- Empty-valued attributes are forbidden in OpenLDAP, and thus the
corresponding attributes must be removed before being imported into OpenLDAP.&lt;/p&gt;
&lt;p&gt;- &amp;quot;passwordexpirationtime: 19700101000000Z&amp;quot; should be replaced by
&amp;quot;pwdChangedTime: 19700101000000Z&amp;quot;&lt;/p&gt;
&lt;p&gt;- If passwordexpirationtime is different from 19700101000000Z, the
corresponding value for pwdChangedTime must be set according to your
password policy. Those attribute names are self-explanatory enough to understand how
the value must be computed for each LDIF entry.&lt;/p&gt;
&lt;p&gt;- The real nightmare comes with ACIs, since there's no standard
implementation of LDAP access rights. Each directory vendor uses its own
syntax, its own implementation, and its own evaluation algorithm. So, there may
be different ways to translate the access rights of a Sun Directory Server
to OpenLDAP. One could simply try to reproduce the same rules, which limits the
risks but may not be optimal, since OpenLDAP works differently. Another way
would be to rethink the access rights globally: understand what was done and
how OpenLDAP works, to achieve the same result in a possibly more efficient
way. At least, I would recommend using (and including in the main OpenLDAP
config file) several files to clarify the access rights and ease their
management. Also, I would think of using the OpenLDAP &amp;quot;break&amp;quot; directive, which
can help to mimic the Sun DS ACI evaluation process.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2011/06/16/Sun-directory-to-OpenLDAP-Migration#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2011/06/16/Sun-directory-to-OpenLDAP-Migration#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/614199</wfw:commentRss>
      </item>
    
  <item>
    <title>Great news: First OpenDJ release</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/12/22/Great-news%3A-First-OpenDJ-release</link>
    <guid isPermaLink="false">urn:md5:e01d8cc289780ccefd365266c6ed6e13</guid>
    <pubDate>Wed, 22 Dec 2010 11:51:00 +0100</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;ForgeRock has just announced the first OpenDJ release. It's like a new birth
in the LDAP directory world, and I just wanted to relay it to everyone. Some
new features, like the support for (standard, RFC-based) collective attributes,
are definitely of interest, for example to simplify LDAP data management.&lt;/p&gt;
&lt;p&gt;Just check the &lt;a href=&quot;https://wikis.forgerock.org/confluence/display/OPENDJ/OpenDJ+2.4.0+Release+Notes&quot;&gt;
release notes&lt;/a&gt; for more details!&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/12/22/Great-news%3A-First-OpenDJ-release#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/12/22/Great-news%3A-First-OpenDJ-release#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/572829</wfw:commentRss>
      </item>
    
  <item>
    <title>Password synchronization between Sun DS and Active Directory</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/10/13/Password-synchronization-between-Sun-DS-and-Active-Directory</link>
    <guid isPermaLink="false">urn:md5:3d22b299869a7df5824dd854d3394632</guid>
    <pubDate>Wed, 13 Oct 2010 11:30:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>password synchronization</category>    
    <description>    &lt;p&gt;The former Sun Identity Synchronization for Windows (IDSync) can help you
migrate your users' passwords from Sun DS 5.2 to Windows AD, and also has some
nice features. It's a simple solution to a common problem, in comparison
with IDM software (from any vendor), which would also do the job but which you
probably don't want to deploy just for AD to/from Sun DS synchronization, since
the ROI would be discouraging.&lt;/p&gt;
&lt;p&gt;So, basically, if you don't want to upgrade or migrate your Sun DS 5.2
directory, you can safely choose IDSync: it will often be one of the
cheapest Sun DS 5.2 to/from AD password synchronization solutions (including
services and license costs), and also probably one of the best in terms of ROI. But beware
of:&lt;/p&gt;
&lt;p&gt;- the vendor-proposed support, if any (probably quite expensive now that Sun
belongs to Oracle)&lt;/p&gt;
&lt;p&gt;- high availability: IDSync is designed for high availability in some use
cases at least, so carefully check your requirements and what IDSync can or
cannot do from that perspective.&lt;/p&gt;
&lt;p&gt;IDSync has also been bundled with Sun DS since v6 (Sun DSEE 6) and still exists
in DSEE v7.0. As far as I know, Oracle Directory Server Enterprise Edition 11g
Release 1 (11.1.1), which corresponds to DSEE 7.0 update 1, is still bundled
with that synchronization solution.&lt;/p&gt;
&lt;p&gt;Please note that ODSEE 11gR1 is different from Oracle's virtual directory,
which probably also contains a synchronization solution from/to AD, but which is of
course designed to synchronize with Oracle's directory solution.&lt;/p&gt;
&lt;p&gt;To answer the primary question of initial password synchronization from Sun
DS 5.2 to AD without a password reset: IDSync won't do the job without resetting
those passwords, or without forcing users to change them. Basically, with IDSync,
your passwords can be synchronized on the fly once they've been synchronized
a first time, but IDSync won't help you with that first time. As described above, you
need to capture your users' passwords (so you need them to type them in a web
interface, for example) and then you can push them to AD through LDAPS. For
example, if you've got a webmail interface that authenticates your users against Sun
DS, you can possibly modify the webmail system to do the job. Careful planning
is also needed for the transition between the initial password synchronization and the real-time
synchronization solution that then takes over.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/10/13/Password-synchronization-between-Sun-DS-and-Active-Directory#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/10/13/Password-synchronization-between-Sun-DS-and-Active-Directory#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/554186</wfw:commentRss>
      </item>
    
  <item>
    <title>JSON2LDAP: Another gateway to the world of LDAP directories</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/08/31/JSON2LDAP%3A-Another-gateway-to-the-world-of-LDAP-directories</link>
    <guid isPermaLink="false">urn:md5:4587b076bc8a633a404753c35cddc9f9</guid>
    <pubDate>Tue, 31 Aug 2010 15:26:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>Cloud</category><category>JSON</category><category>web service</category>    
    <description>    &lt;p&gt;In the last ten years or so, directory services have flourished to address
identity management issues. Web applications, operating systems, authentication
servers and appliances are common examples of LDAP-enabled clients of those
services. Historical or organizational reasons (like acquisitions) are
often at the root of the multiplication of LDAP repositories. Without fail, this
sometimes led to complex architectures or synchronization processes, or even
to no synchronization at all. Also, the cost of ownership increased as IT departments
saw directories grow like mushrooms. That's why one of the next trends was to
design and build a single directory, where it made sense. To further leverage
its usage, some organizations developed at the same time a specific business
layer to offer business applications a single LDAP access layer. But this layer
doesn't necessarily cover all the needs: mobile devices or external (cloud)
applications like portals usually don't fit in this model. That's why deploying
a more modern access interface to the LDAP service makes sense, for some
businesses at least. And guess what? &lt;a href=&quot;http://software.dzhuvinov.com/json2ldap.html&quot;&gt;Json2LDAP&lt;/a&gt; proposes such a
solution. As a web application, it can rely on an underlying application server
for fault tolerance and load balancing, as well as for common operations
(monitoring, deployment, ...).&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/08/31/JSON2LDAP%3A-Another-gateway-to-the-world-of-LDAP-directories#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/08/31/JSON2LDAP%3A-Another-gateway-to-the-world-of-LDAP-directories#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/542951</wfw:commentRss>
      </item>
    
  <item>
    <title>Sun Directory Server Enterprise Edition 7.0: the following ...</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/08/17/Sun-Directory-Server-Enterprise-Edition-7.0%3A-the-following-...</link>
    <guid isPermaLink="false">urn:md5:bdc9aad242e86a8508677b668a1c83e4</guid>
    <pubDate>Tue, 17 Aug 2010 17:30:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>DSEE</category><category>ODSEE</category>    
    <description>    &lt;p&gt;Oracle recently published the first release of ODSEE, Oracle Directory
Server Enterprise Edition 11g Release 1 (11.1.1), formerly known as Sun
Directory Server Enterprise Edition 7.0 (DSEE 7). ODSEE 11.1.1 simply
corresponds to the first patch for DSEE 7, so one can see it as DSEE 7.0P1 or
DSEE 7.1, as you like!&lt;br /&gt;
This is only a &amp;quot;bug fix&amp;quot; release; there's no new feature.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://docs.sun.com/app/docs/doc/821-1501/whatsnew?l=en&amp;amp;a=view&quot;&gt;Read the
complete release notes here.&lt;/a&gt;&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/08/17/Sun-Directory-Server-Enterprise-Edition-7.0%3A-the-following-...#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/08/17/Sun-Directory-Server-Enterprise-Edition-7.0%3A-the-following-...#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/540135</wfw:commentRss>
      </item>
    
  <item>
    <title>Little focus on another solution on the SSO market</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/07/27/Little-focus-on-another-solution-on-the-SSO-market</link>
    <guid isPermaLink="false">urn:md5:2cb388c8fe767fdf8df3dd4372d29668</guid>
    <pubDate>Tue, 27 Jul 2010 17:34:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;&lt;a href=&quot;http://www.pingidentity.com/our-solutions/pingfederate.cfm&quot;&gt;Ping
Identity's &amp;quot;Ping Federate&amp;quot; software&lt;/a&gt; looks like an attractive solution for
businesses with identity federation issues, at least from a technical point of
view. I know neither the pricing model nor the license cost, and I haven't
had the opportunity to evaluate the software yet, but I noticed some strong and
not so common arguments, among others, that pushed me to add this article: rich
integration features with the most widely spread authentication and provisioning
solutions, and a time to deploy and TCO which seem to be significantly lower than those of the
challengers. This is especially important since federation solutions and
protocols tend to be complex, potentially making them long and difficult to
set up and debug.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/07/27/Little-focus-on-another-solution-on-the-SSO-market#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/07/27/Little-focus-on-another-solution-on-the-SSO-market#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/535525</wfw:commentRss>
      </item>
    
  <item>
    <title>Authentication in a mixed environment</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/07/27/Likewise-and-Ping-software</link>
    <guid isPermaLink="false">urn:md5:44e544272e6b7c08d2e3e28a9ee89129</guid>
    <pubDate>Tue, 27 Jul 2010 17:10:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>Active directory</category><category>Authentication</category><category>Likewise</category>    
    <description>    &lt;p&gt;Likewise solves the user management nightmare in heterogeneous environments
mixing Unix, Linux and Windows desktops or servers, making it possible for
administrators to manage their internal users from a single point: the
corporate Active Directory environment. Recently, the open source version,
&amp;quot;Likewise Open 6&amp;quot;, was released, as well as its &amp;quot;legacy&amp;quot; counterpart, Likewise
Enterprise.&lt;br /&gt;
So, I thought it was an opportunity for another article in this blog, since I
think it's a nice piece of software. The former, the open source version, may fit most
customers just interested in a simple solution to a simple problem. For those
requiring rich features like advanced reporting or group policy management, the
latter may be a better choice.&lt;br /&gt;
Shed some light on &lt;a href=&quot;http://www.likewise.com/news_events/press_releases/pr_070110.php&quot;&gt;the latest
improvements&lt;/a&gt;.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/07/27/Likewise-and-Ping-software#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/07/27/Likewise-and-Ping-software#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/535520</wfw:commentRss>
      </item>
    
  <item>
    <title>Restful web services, OAUth, OpenSSO and federation</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/07/20/Restful-web-services%2C-OAUth%2C-OpenSSO-and-federation</link>
    <guid isPermaLink="false">urn:md5:0437eacc587f9475c910695829efa08f</guid>
    <pubDate>Tue, 20 Jul 2010 16:30:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;The OpenSSO software, formerly Sun Access Manager, keeps riding the
wave of innovation and up-to-date open standards. Last September, support
for OpenID v2 was added, and a few months ago an OAuth extension was also made
available. Check &lt;a href=&quot;http://bug4free.wordpress.com/&quot;&gt;this&lt;/a&gt; out for some
more details.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/07/20/Restful-web-services%2C-OAUth%2C-OpenSSO-and-federation#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/07/20/Restful-web-services%2C-OAUth%2C-OpenSSO-and-federation#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/534253</wfw:commentRss>
      </item>
    
  <item>
    <title>OpenDS training</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/07/20/OpenDS-training</link>
    <guid isPermaLink="false">urn:md5:f153c553b7dbd24625783a67be22faea</guid>
    <pubDate>Tue, 20 Jul 2010 15:55:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>OpenDS</category><category>training</category>    
    <description>    &lt;p&gt;One of my team mates delivered our first OpenDS training last week.&lt;br /&gt;
Just &lt;a href=&quot;mailto:%20%69%6e%66%6f%73%40%6a%61%6e%75%61%2e%66%72&quot;&gt;contact
us&lt;/a&gt; if you're interested in it.&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Here's the agenda:&lt;br /&gt;
&lt;br /&gt;
Day 1&lt;br /&gt;
LDAP protocol overview&lt;br /&gt;
Introduction to OpenDS&lt;br /&gt;
OpenDS Prerequisites&lt;br /&gt;
Installing OpenDS&lt;br /&gt;
Starting with a fresh directory&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Day 2&lt;br /&gt;
OpenDS Concepts&lt;br /&gt;
OpenDS Tools&lt;br /&gt;
OpenDS monitoring&lt;br /&gt;
OpenDS backup&lt;br /&gt;
Java considerations&lt;br /&gt;
H/A considerations&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Day 3&lt;br /&gt;
OpenDS vs. DSEE&lt;br /&gt;
OpenDS fine tuning&lt;br /&gt;
Replication concepts&lt;br /&gt;
Data import and exchange&lt;br /&gt;
OpenDS security aspects&lt;br /&gt;
OpenDS performance testing with slamd (short overview, knowledge transfer)&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Day 4&lt;br /&gt;
OpenDS's Virtual Attributes&lt;br /&gt;
Using Virtual Attributes&lt;br /&gt;
Replacing COSes with Virtual Attributes&lt;br /&gt;
OpenDS plugins / extended features&lt;br /&gt;
Build instructions from OpenDS source code&lt;br /&gt;
Practical Exercises&lt;br /&gt;&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/07/20/OpenDS-training#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/07/20/OpenDS-training#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/534247</wfw:commentRss>
      </item>
    
  <item>
    <title>An open source PKI</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/06/28/An-open-source-PKI</link>
    <guid isPermaLink="false">urn:md5:e37a932792a9f5b954bfe391ad274ddc</guid>
    <pubDate>Mon, 28 Jun 2010 19:16:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;&lt;a href=&quot;http://ejbca.org/&quot;&gt;EJBCA&lt;/a&gt; is a full PKI solution, featuring a
dynamic community, some strong customer references and broad conformance to
standards and recent technologies. It looks like an attractive solution that's
worth evaluating if you're looking for a cost-effective solution.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/06/28/An-open-source-PKI#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/06/28/An-open-source-PKI#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/530172</wfw:commentRss>
      </item>
    
  <item>
    <title>The Kantara initiative prepares the future ...</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/06/28/The-Kantara-initiative-prepares-the-future-...</link>
    <guid isPermaLink="false">urn:md5:5d57439b0709c16608887de81515c76a</guid>
    <pubDate>Mon, 28 Jun 2010 19:16:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;The Kantara initiative workgroup recently unveiled its plans and laid the
foundations for a more secure and wider adoption of federation technologies: &lt;a href=&quot;http://kantarainitiative.org/confluence/download/attachments/41649275/Kantara+IAF-1000-Overview.pdf&quot;&gt;
Check this !&lt;/a&gt;&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/06/28/The-Kantara-initiative-prepares-the-future-...#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/06/28/The-Kantara-initiative-prepares-the-future-...#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/530170</wfw:commentRss>
      </item>
    
  <item>
    <title>XLDAP versus DSML</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/06/28/XLDAP-versus-DSML</link>
    <guid isPermaLink="false">urn:md5:98b89f74965dc5654a64276ba9c74f88</guid>
    <pubDate>Mon, 28 Jun 2010 18:54:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
        <category>directory</category><category>DSML</category><category>XLDAP</category>    
    <description>    &lt;p&gt;For those interested in offering developers a convenient and easy way to
connect to their LDAP directory, I would suggest keeping an eye on XLDAP. While
not widely accepted yet, this protocol could make the difference, especially in
the rapidly growing mobile world. You can of course google to find more about
XLDAP, or just follow this &lt;a href=&quot;http://www.networkworld.com/newsletters/dir/2010/060710id1.html?source=nww_rss&quot;&gt;
link&lt;/a&gt;.&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/06/28/XLDAP-versus-DSML#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/06/28/XLDAP-versus-DSML#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/530162</wfw:commentRss>
      </item>
    
  <item>
    <title>Open IDM / Open IAM</title>
    <link>http://cgrosjean.ldaptools.com/post/2010/05/14/Open-IDM-/-Open-IAM2</link>
    <guid isPermaLink="false">urn:md5:0cbdfe6f2aae8caa92dbabeae4e92e61</guid>
    <pubDate>Fri, 14 May 2010 16:50:00 +0200</pubDate>
    <dc:creator>cyril</dc:creator>
            
    <description>    &lt;p&gt;Back from some beautiful scenery, it looks like things are moving and happening
at Forgerock's: &lt;a href=&quot;http://www.eweek.com/c/a/Linux-and-Open-Source/Former-Sun-Execs-Land-at-ForgeRock-OpenSource-Software-Provider-850793/&quot;&gt;
former Sun execs join and intend to keep the IDM/IAM suite alive, and open
source !&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://cgrosjean.ldaptools.com/public/Teotihuacan.jpg&quot; alt=&quot;Teotihuacan&quot; title=&quot;Teotihuacan, May 2010&quot; /&gt;&lt;/p&gt;</description>
    
    
    
          <comments>http://cgrosjean.ldaptools.com/post/2010/05/14/Open-IDM-/-Open-IAM2#comment-form</comments>
      <wfw:comment>http://cgrosjean.ldaptools.com/post/2010/05/14/Open-IDM-/-Open-IAM2#comment-form</wfw:comment>
      <wfw:commentRss>http://cgrosjean.ldaptools.com/feed/atom/comments/516970</wfw:commentRss>
      </item>
    
</channel>
</rss>
