cn=Directory Manager

cn=Directory Manager
All about Directory Server

All | Personal | Sun

« Previous page | Main | Next page »

Tuesday December 05, 2006

OpenDS Access Control Requirements

Question: What is the best way to make sure that OpenDS meets your needs?
Answer: Tell us what your needs are so we can take them into account when designing it.

One of the biggest components that OpenDS currently lacks is the access control subsystem. Access control is a critical part of a directory environment, and we want to make sure that we get it right. To help with this, we've put together an access control requirements document that lists all of the features that we believe need to be included in our implementation. We'll be starting work on actually implementing the access control mechanism in the near future, but we are also very interested in any feedback that anyone might have on these requirements. You can find this list of requirements on our documentation page available in either OpenDocument or PDF form.

If you have any interest in the access control features that OpenDS will provide, I would encourage you to look through this set of requirements and provide your comments on them. If you do have any feedback on anything in this document (or on anything that isn't in this document but should be), then please feel free to join the design-discuss@opends.dev.java.net mailing list and post your comments there. You can join this mailing list by going to https://opends.dev.java.net/servlets/ProjectMailingListList and clicking the "Subscribe" button for that list (currently, the design-discuss@opends.dev.java.net list is the last one listed on the page).

Any feedback that you can provide will be greatly appreciated. We want to make sure that OpenDS meets the needs of those who might want to use it, and we will likely be starting other discussions on other components in the future.

Posted by cn_equals_directory_manager ( Dec 05 2006, 06:39:50 PM CST ) Permalink

Monday November 20, 2006

Installing OpenDS Made Easier

I may be a bit biased, but I've never considered OpenDS all that hard to install or configure. Since the end of July, it's been possible to download and unpack a weekly build or check out and build the code for yourself, and for the last couple of weeks we've made our daily builds available. Today, we're debuting a new installation and setup mechanism that takes it one step further.

It's still possible to download our latest weekly build (you can get build 017 here), unzip it and run the setup program. However, if you do that, you'll probably notice that it's a graphical program rather than text-mode (unless you're running without a GUI available, or unless you provide the "--cli" argument). It will display a panel that asks you for the listen port and root DN and password. It will then ask what you want to use as the base DN for the database and how you want to populate it. You can leave the database entry, only add the base entry, import data from an LDIF, or generate any number of sample entries. It will then configure and optionally start the server.

But what's even better is that it's no longer necessary to download and unzip the build. Instead, we have a new installer based on Java Web Start technology that allows you to install the server by clicking a link in your browser. To give it a shot, follow this link. For a detailed description of what you'll see, check out the new QuickSetup guide that gives you a blow-by-blow description of the process with screen shots.

If you're reading the documentation, you might also come across our new Quick Reference Guide that gives you a basic summary of how to do a lot of common tasks in the server, complete with a number of sample usages for the command-line tools. We've also got a Command Line Usage Guide that provides complete usage information for all of the utilities that we provide with the server. It still needs some work, but it's a lot better than the nothing that we had before in this area before.

A big thanks and congratulations should go out to Brian Ehret and Josu Vergara-Lecue for putting the new graphical tools together and for putting up with all my complaining while it was under construction, and for the rest of the team for helping out with suggestions and testing.

Posted by cn_equals_directory_manager ( Nov 20 2006, 11:30:39 PM CST ) Permalink

Monday November 06, 2006

Exploring OpenDS Made Easier

Over the weekend, we made a couple of changes that make exploring the OpenDS codebase even easier, and should hopefully help make it easier to use, understand, and extend the server. While the infrastructure that java.net provides offers a number of features, it doesn't allow us to run our own daemons and perform arbitrary processing (for obvious security reasons). As such, for anything that might require capabilities beyond what java.net provides, we need to handle on our own servers. We were already doing that for content that is available only on Sun's internal network, but we are now using an external system to make some of this content publicly available.

The first of these elements is our daily builds mechanism. As you may already know, we already make weekly builds available on java.net, but we have also been performing automated daily builds on an internal server. Now, our daily builds are available externally as well at http://builds.opends.org/daily-builds/, with the latest build always reachable through http://builds.opends.org/daily-builds/latest/. If you want to try the latest build of OpenDS but don't want to check out and compile it yourself then you can get it here. You can also browse the latest Javadoc documentation and see our code coverage reports. The daily builds will be kicked off at around 11:30 pm Central Time and should be complete within about ten minutes, but if you want to be notified whenever the latest build is available you can go to https://opends.dev.java.net/servlets/ProjectMailingListList and subscribe to the daily-builds@opends.dev.java.net mailing list.

The second element that we have made publicly available is a source code browser, at http://builds.opends.org/source/. This site uses the OpenGrok source code search engine, which is also used to provide access to the OpenSolaris source code. The code is updated every 30 minutes, and the source code elements are all cross-referenced, so clicking on a variable name in the code will take you to the location at which that variable is declared, and clicking on a class name will allow you to search for all usages of that class throughout the source code. It's much more feature-rich than the bare-bones source browser provided by java.net, although the java.net version does have historical information that we haven't yet gotten working in OpenGrok.

In the future, we may make additional services available on this system, but we're currently using this as a trial to see how it works. Any feedback or suggestions that you might have are welcome.

Posted by cn_equals_directory_manager ( Nov 06 2006, 02:49:23 PM CST ) Permalink

Friday October 13, 2006

Contributing to OpenDS

Yesterday, we accepted our first contribution to OpenDS from a non-Sun employee. Benjamin Damm from Brighton Consulting provided a fix for Issue #616, in which the MakeLDIF tool displayed the wrong line number if an error was found in a template file. This was one of the issues that we had specifically identified as relatively straightforward and self-contained, and would be a good starting point for someone wanting to get involved. We borrowed an idea from OpenSolaris and have designated several such issues as bite-sized bugs. The list of all bite-sized bugs in the OpenDS project can be found at https://opends.dev.java.net/issues/buglist.cgi?keywords=bite_size.

If you'd like to get involved in the OpenDS project by writing code, then we think that issues like these are a great way to get your feet wet. There are a combination of bugs, features, and enhancements in this list. Many of them would require Java code, but others involve things like creating or editing shell scripts/batch files, SMF profiles, or helping integrate with external monitoring frameworks, and some of these issues don't require any previous directory experience. Of course, there are many other areas in which people can contribute but for someone first starting out with OpenDS it's probably easiest to pick something simple in order to get used to the way that we've laid out the project and the processes that we have in place.

If you want to contribute to OpenDS, then the following checklist may be helpful:

If you're not already, become a member of the OpenDS project. You can do that by going to https://opends.dev.java.net/servlets/ProjectMembershipRequest and request the User role. There are other roles that appear on this page, but unfortunately we don't have much control over what shows up in the list. We don't use the Observer, Developer, or Content Developer roles in our project, so please don't request them, and you'll find it's pretty unlikely that we will give out the Project Owner role so please don't request it either.
You can subscribe to one or more of our e-mail mailing lists at https://opends.dev.java.net/servlets/ProjectMailingListList. If you're interested in helping develop OpenDS, then the lists you might find most useful include dev (general discussion among OpenDS developers), commits (notifications of commits made into our repository), and precommit-notification (requests to review and comment on code before it gets committed).
Check out and build OpenDS from our repository. You can find basic instructions for checking out the code and building it in HTML form in our documentation depot. This page also contains links to the OpenDS Source Guide in OpenDocument and PDF forms, which contains a lot more detailed information.
Read our Contribute to OpenDS page and our Governance Model to understand the processes that we have in place.
Sign and submit the Sun Contributor Agreement document, which is necessary before we will accept any contributed changes. Once you have completed this, then you can send a message to contribution-request@opends.dev.java.net to request the Contributor role in the project.

Of course, there are other ways of getting involved in the project that don't involve writing code, and many of them are explained on this page.

Posted by cn_equals_directory_manager ( Oct 13 2006, 09:29:35 AM CDT ) Permalink Comments [1]

Congratulations to the Apache Directory Project

Congratulations to the Apache Directory Project on their recent 1.0 release, and also on their LDAPv3 certification. Both are significant milestones in their project. Of course, we want OpenDS to be the best directory server available (and we are improving quickly), but we certainly welcome the friendly competition. And in this case, it is particularly friendly. The ApacheCon conference happened to be in Austin, TX (where I and several other OpenDS developers live and work) this week and there were several Apache Directory contributors there. They invited us to a birds of a feather session with them Wednesday night. It was great to meet them, and we hope to work together with them in the future. There are a lot of areas in which we can collaborate, and I think that everyone can benefit from it.

Posted by cn_equals_directory_manager ( Oct 13 2006, 09:09:05 AM CDT ) Permalink Comments [1]

Friday September 22, 2006

Improving Test Coverage in OpenDS

For the last few weeks (and still for the next couple of weeks), we're in a push to improve our test coverage for the OpenDS project. This means that we're not adding lots of new features at the same rate we had been before this push (although there are still some that are sneaking through), but it will help us to ensure that when we get back to developing new features that we've got a good test framework in place to help us catch any problems that might come up.

Two of the main tools that we're using to help us with our testing are TestNG and EMMA. TestNG is similar to JUnit, but offers additional features like the ability to define test groups, and the ability to use annotations to mark your classes and methods accordingly (I do know that JUnit has recently released a new version with some of these features, but I haven't evaluated them to see how the two stack up now). I really like the @DataProvider annotation, which makes it possible to separate your test data from the test logic, but since it treats each run with a different data element as a separate test case it does seem to inflate the number of test cases (for example, TestNG reports that we're running over 10,700 test cases, but we only have about 950 test methods). Probably my biggest complaint with TestNG at the moment is that it doesn't have an assertNotEquals method (which is easy to work around but annoying nonetheless), so I guess that says something about the framework. I also hate like the use of JavaScript in the HTML-formatted reports that it generates and on the TestNG website, but that's another matter altogether.

EMMA is a tool that makes it possible to provide code coverage analysis for Java applications. It will allow you to see what code is being called, and is especially useful in testing because it helps you see what still needs to be tested. It allows you to browse all of your source code so that you can see lines in green, yellow, and red (covered, partially covered, and not covered, respectively). It's annoying that the source code display uses a variable-width font rather than one that is fixed-width, but again that's a pretty minor grievance. I also don't really care for the way that it generates the report layout using filenames that change between runs (e.g., clicking refresh after re-running coverage tests might show me a different class), but that's also easy to work around.

We're currently up to about 41% code coverage, which I will grant you isn't as high as it should be (writing test cases was a step that we skipped early on in the project to help us get the basic framework up and running as quickly as possible), but it is rising pretty quickly since we were at only 12% a month ago. There are still big chunks of code (especially corner cases) that aren't covered, but in general things are looking pretty good. I am, however, very much looking forward to getting back to adding features once our coverage gets up where it needs to be, and in the future we will be ensuring that we provide adequate test coverage as we write the code so we don't fall behind again.

Posted by cn_equals_directory_manager ( Sep 22 2006, 05:52:34 PM CDT ) Permalink

Friday September 08, 2006

Why Run the Directory Server on Solaris?

Yesterday, someone asked why Solaris was the best platform on which to run Directory Server. While I may be a bit biased, I do believe this to be the case and feel that there is plenty of evidence to support it. This is true across the board. I'll try to list many of those benefits here, and also to avoid bashing or picking on any of the other operating systems that are available for use. Many of the other operating systems are quite capable and in some areas are able to meet or even exceed the corresponding offering from Solaris, but I don't think that any of them come close to providing the complete package.

General Platform Benefits

Solaris runs on lots of different systems, on the SPARC, x86, and x64 processors. Sun makes excellent hardware and our systems are frequently setting new world records in performance, but Solaris is certified on systems from lots of other hardware vendors and our hardware compatibility list contains more systems than most other UNIX or Linux vendors.
Compatibility and stability is taken very seriously. If you develop your applications based on public interfaces (and we have tools to help you do that) in current versions of Solaris, then they will continue to work in future versions. This is not necessarily the case on other platforms.
Solaris is available for use at no cost whatsoever if you don't need support. If you do need support, then the pricing plans are frequently less expensive than the offerings from other vendors.
Solaris is continually and rapidly improving. Solaris 10 has many significant improvements over previous releases, and it is continuing to get better.

Performance and Scalability Benefits

Solaris runs on systems with anywhere from 1 to 144 CPU cores, and anywhere from hundreds of megabytes to over a terabyte of memory. These constraints are primarily based on hardware that is currently available and not necessarily limitations in the operating system.
Solaris understands subtle but important differences between different types of hardware concurrency models (SMP, CMT, NUMA, dual/multi-core, HyperThreading, etc.) and can optimize its behavior accordingly.
Solaris has excellent resource management capabilities that make it possible to control how computing resources are allocated between processes. This can be done through fixed-size processor sets, variable-size resource pools, and through various scheduler models like the fair-share scheduler, the fixed-priority scheduler, and the real-time scheduler. An upcoming CPU cap implementation may also provide another mechanism for achieving fine-grained control.
Networking performance was significantly improved in the Solaris 10 release, and work is still ongoing to make it even faster and more scalable.
In many areas, the libumem memory manager provides dramatically improved performance (especially when compared with previous alternatives like mtmalloc), in addition to providing many features that can help identify memory leaks and other related problems. Upcoming enhancements to the virtual memory subsystem should even further improve performance, especially when working with very large caches.
UFS filesystem performance was dramatically improved in Solaris 9 updates and has been carried through to Solaris 10. In many cases (and particularly for the kinds of workloads that Directory Server has), ZFS is notably faster than UFS and offers many more attractive features like compression and snapshots that work well in a directory environment.
We do much more Directory Server testing on Solaris (both SPARC and x86/x64 systems) than on any other platform. If there is a performance problem with the server on Solaris, we are more likely to find it and fix it before it is released than on other platforms.

Security Benefits

The introduction of process rights management (also called least privilege) in Solaris 10 makes it very easy to provide the Directory Server with exactly the privileges that it needs to operate, and even to take away capabilities that it doesn't need. Even if an exploitable security hole were found in the Directory Server, least privilege can be used to severely constrain what a potential attacker could do. For older Solaris systems, role-based access control (RBAC) can be used to limit the need to have root access when starting the server, although it is not as flexible as process rights management.
Solaris containers (also called zones) can provide tightly-constrained environments for applications like Directory Server to operate in a manner that isolates it from anything else that might be running on the system. When used in conjunction with features like resource pools, containers can help limit the impact of denial-of-service attacks or other forms of resource exhaustion.
The Solaris cryptographic framework provides a centralized mechanism for encryption and message digest operations, particularly those using the PKCS#11 framework. Although the Directory Server is currently unlikely to benefit from hardware SSL acceleration in most cases, it can still use this mechanism for secure key storage using FIPS 140-2 compliant devices. In addition, future developments in hardware (e.g., the "free encryption" capabilities of the Niagara 2 processor) may provide performance benefits. Note that you will not be able to take full advantage of the Solaris cryptographic framework with the Directory Server until our upcoming 6.0 release.
Solaris BSM provides fine-grained auditing capabilities for keeping track of what happens on the system.
Additional security-related enhancements that will be available in the near future include Trusted Extensions (which adds labeling capabilities to Solaris 10), ZFS encryption, and a key management framework.
Solaris 9 has been evaluated at EAL4 for the CAPP and RBACPP protection profiles. Solaris 10 is currently under EAL4+ evaluation for the same profiles, and Solaris 10 with Trusted Extensions is also being evaluated with the LSPP protection profile.

Debugging Benefits

DTrace provides complete observability into virtually all aspects of the system in a way that is unmatched by any competing offerings. Even for external users without access to the Directory Server source code, it is very useful to be able to collect information about the underlying system and the way that the Directory Server interacts with it. For cases in which there is a problem with the Directory Server, engineering may be able to provide custom DTrace scripts for more detailed analysis of a problem without a significant impact on the running server.
All of the standard performance analysis tools are available (e.g., vmstat, iostat, mpstat, etc.), but a number of additional tools are also provided, including lockstat/plockstat, prstat, cpustat, and trapstat. These can help identify potential problems or bottlenecks that may be responsible for unnecessarily low performance.
The coreadm utility provides a mechanism for managing core file creation, and offers a way for allowing setuid/setgid processes like the Directory Server to dump core (which is not allowed by most UNIX-based operating systems).
The service management framework (SMF) provides a mechanism for ensuring that services are started appropriately when the system boots, and can also monitor processes and restart them if a failure is detected. SMF can also provide further integration with process rights management to offer greater control over what rights are granted to and removed from individual processes.
Much of the Solaris source code is available through OpenSolaris (and more code is being released all the time), which can make it easier to understand how the underlying system works. The new Solaris Internals books also go into great detail on the design and implementation of the operating system. In addition, OpenSolaris provides direct access to the engineers responsible for major components of Solaris.

Posted by cn_equals_directory_manager ( Sep 08 2006, 05:58:14 PM CDT ) Permalink

Friday September 01, 2006

OpenDS Weekly Builds

As a developer, I find OpenDS very easy to check out and build. However, the process of checking out the code does require you have some way of accessing our Subversion repository. The process for doing this is documented in the OpenDS Source Guide available at https://opends.dev.java.net/public/docs/index.html, but we do realize that not everyone wants to worry about checking out and building the code. To make it easy to get for people that just want to take a look at the current state of the server, we upload a pre-built version once a week (typically on Friday -- I just uploaded build 006 a few minutes ago) based on the latest version of the code. You can access our weekly builds here. To give it a spin, just follow these steps:

Download the latest weekly build and unzip the contents of the file to wherever you want to put it.
Go into the OpenDS-0.1-build006 directory (or whatever directory was created by the version you are using) and run ./setup.sh on UNIX-based systems, or setup.bat on Windows. Follow the prompts to create the initial configuration for the server (just pressing ENTER to accept all the defaults, other than setting the root user password, will usually result in a working configuration).
Run the bin/start-ds.sh script (or for testing purposes you may prefer "bin/start-ds.sh -nodetach", which will cause the server to run in the foreground without detaching from the console) on UNIX-based systems, or "bin\start-ds.bat" on Windows (which will automatically create a separate console output window).

At this point, the server should be running and you can try talking to it with a tool like bin/ldapsearch.sh or bin/ldapmodify.sh. Note that you need to have Java SE 5 or later (it works fine with recent Java SE 6 and Java SE 7 builds as well) installed on your system. On Windows (and potentially on UNIX-based systems if the java executable isn't in the PATH) then you may need to set the JAVA_HOME environment variable to point to the directory in which Java is installed.

When we upload a weekly build, we also send a message to the builds@opends.dev.java.net mailing list, and that message includes information about some of the biggest changes included in that build. If you want to keep up on these things, you can either join the mailing list or just look through the archive every once in a while. The message that we used for this week's build is provided below:

I have just uploaded OpenDS 0.1 Build 006, built from revision 262 of 
our source tree, to our weekly builds folder.  The direct link to 
download this file is:

https://opends.dev.java.net/files/documents/4926/39978/OpenDS-0.1-build006.zip

Notable changes that have been integrated since build 005 include:

Revision 211 (Issue #603) -- Add a mechanism that may be used to 
determine the operating system on which the server is running.  It 
includes code to try and identify the following operating systems:  AIX, 
FreeBSD, HP-UX, Linux, Mac OS X, Solaris, Windows, and z/OS.  We may be 
able to use this information to tailor the operation of the server to 
the underlying platform in certain cases.


Revision 227 (Issue #601) -- Provide a mechanism for setting file 
permissions.  On UNIX-based systems, we will attempt to use the chmod 
command if possible, which will work properly on both Java 5 and Java 6 
and will also provide the greatest flexibility.  On other systems, if 
the server is running with Java 6 then it will attempt to use the new 
methods added to the java.io.File class.


Revision 230 (Issue #588) -- Add initial MakeLDIF support, which can be 
used to generate entries based on a template.  This is similar to the 
MakeLDIF tool provided with SLAMD (although it is not yet completely 
implemented, and there may be cases in which the two will not be 100% 
compatible), although this version includes better validation of the 
template before generating entries.  Further, this capability has been 
directly integrated into the import utility so that it is possible to 
import data that is being generated on the fly rather than from an 
existing LDIF file.


Revision 242 (Issue #614) -- Update the client-side tools to help 
eliminate a potential race condition that could result from the reuse of 
LDAP message IDs.  On some systems, using the StartTLS extended 
operation could cause the client to reuse a message ID of an operation 
that was still being processed by the server, which would cause the 
server to reject the new request.


Revision 655 (Issue #604) -- Update the synchronization code to provide 
initial detection and resolution for conflicts that can occur when 
making updates on multiple servers at the same time.  Some of these 
conflicts include concurrent replacement of the same attribute in the 
same entry, modifying an entry on one server while deleting or renaming 
it on another, and concurrent creation of two entries with the same DN.


Revision 261 (Issue #618) -- Fix a bug that could impact indexed subtree 
searches using subInitial filters.

Posted by cn_equals_directory_manager ( Sep 01 2006, 05:48:47 PM CDT ) Permalink

Friday August 25, 2006

LDAP/Directory Server Standards and Specifications

One of the great things about LDAP is that it's a very standards-based protocol. All LDAP clients and servers speak the same language, and as long as they stick to the published standards then it doesn't matter what API the client is using or which server it's talking to. Compare that with relational databases and SQL. Every vendor has their own flavor of SQL and uses a different mechanism for talking to the database. You can't swap out one relational database for another and expect all of your applications to continue working as if nothing had happened. This is much more possible with LDAP.

Virtually everything that you need to know about LDAP (especially LDAPv3) is publicly available in the form of either RFCs or Internet Drafts. However, this information is not always as easy to find as it should be. There are thousands of RFCs covering all kinds of technologies, and it's not all that simple to figure out which ones are related to LDAP or directory technologies. It's even harder with Internet Drafts because they are in flux, and drafts are designed to expire within six months of being published. When they expire, the IETF deletes them from their site so they can be really hard to find. Each revision of a draft is numbered, so in some cases you can just try incrementing the number to see if there is a newer version, but if a draft has stalled and no new revision is available then you can be out of luck.

Since it's obviously pretty important to keep up to date on all of these specifications when you're developing a directory server, we have compiled our own collection of the various RFCs and Internet Drafts that are related to directory technologies. Since OpenDS is now public, we have all of these specifications in the documentation section of the project site at https://opends.dev.java.net/public/standards/index.html. What's also handy about this list is that it indicates whether we intend to support each of these specifications in OpenDS at some point, as well as whether it is already in place.

I should point out that the specifications we currently have marked "No" doesn't mean that's the final word on the matter. We're open to suggestion, and if you can provide a convincing argument as to why you think that we should support something that's currently marked "no", then we can reconsider it. The best way to voice your opinion on things like this is by sending a message to one of our mailing lists. The users@opends.dev.java.net list is a good one for these kinds of topics. Note that if you do intend to post to the lists, then it's easiest if you subscribe first, since posts from non-subscribers will be subject to moderation, and you may not necessarily see all of the replies since the reply-to address will automatically be set to the address of the mailing list.

This list of specifications is an ongoing work, as we try to keep it up to date as new documents are published (or new revisions of existing drafts). If you know of any specifications that aren't included on this list then please let us know.

Posted by cn_equals_directory_manager ( Aug 25 2006, 03:41:01 PM CDT ) Permalink

Thursday August 17, 2006

The truth about nsslapd-search-tune

The Directory Server has a configuration attribute named nsslapd-search-tune that isn't really addressed in our documentation, and it's not really all that well understood by a lot of the people that know about it. It can certainly be useful under the right circumstances, but it's not a panacea and probably shouldn't be used if it isn't needed. I'll try to clear things up here to help people better understand what this configuration attribute actually does and under what conditions it should (or should not) be used.

For the purposes of this discussion, two of the most important things that happen during the course of search processing in the Directory Server are:

The server will use the indexes to put together a candidate list containing the IDs of all the entries that could match the filter. This phase was discussed in an earlier post.
The server will retrieve each entry in the candidate list, check to see if it actually matches the search criteria, and if so return it to the client.

An astute observer might ask why we need the second of these steps if we have confidence in our indexing mechanism. The main reason is that the candidate list has the potential to contain entry IDs for entries that don't actually match the search filter. This could happen if the search filter contained at least one component that wasn't indexed and therefore we can't be sure that all of the entries identified in the candidate list match the criteria associated with that filter component. It could also occur if an optimization in our search filter processing caused the server to short-circuit out of the index processing portion before we had evaluated all of the filter components. There are also a few other special cases that can cause this to happen, but it ultimately all boils down to the fact that we can be sure that the candidate list contains all of the possible matches, but we can't necessarily be sure that all of the entries in the candidate list actually match the provided search criteria.

Most of the time, the fact that we do this secondary evaluation on each candidate entry doesn't really cause any problems. Determining whether a particular entry matches a given filter is generally a very fast operation and the benefits that it provides far outweigh any added cost that might be incurred. Of course, there's always an exception to the rule and in this case one exception happens to be an indexed equality filter component that targets an attribute with a very large number of values. This most commonly manifests itself in the form of static groups with lots of members (e.g., getting into at least the tens or hundreds of thousands of members). In these kinds of entries, there can be a notable performance hit that results from that secondary evaluation, and it can be the case that skipping it can make things significantly faster. I should point out that it's especially evident for large static groups because not only are there large numbers of values, but processing them may require a lot of DN normalization which can become expensive.

This is where the nsslapd-search-tune configuration attribute comes into play. It can be used to change the way that the server processes search operations such that if it is possible to ensure that all of the filter components were indexed, and if we are confident that the candidate list doesn't contain any entries that don't actually match the criteria, then we can skip the potentially costly secondary evaluation. For example, consider the following very simple search filter:

(member=uid=john.doe,ou=People,dc=example,dc=com)

This is a very common type of search that might be used to identify the set of static groups in which the user uid=john.doe,ou=People,dc=example,dc=com is a member. In this type of filter (unless that user is or has been a member of more than ALLIDs groups), the candidate list should be exactly the set of entries that match that filter, and the process of actually checking each of those entries against the filter doesn't add any additional value.

Similarly, let's take this slightly more complicated filter:

(&(cn=My Group)(member=uid=john.doe,ou=People,dc=example,dc=com))

This is a fairly common way for clients to determine if the user john.doe,ou=People,dc=example,dc=com is a member of the group named "My Group". Even though it's a logical AND of multiple components, if we know that indexes were used to obtain the ID lists for each of those components, then their intersection should exactly equal the ID list for entries that match the entire filter. However, in this case there's more that could happen to make it infeasible to rely purely on the candidate list. One case is that one of the components could be unindexed or have hit the ALLIDs threshold, in which case the resulting candidate list would only take into account the other filter component (meaning that it could include IDs for entries that don't match the other component). Another could be an optimization in our filter processing code that causes the index evaluation to stop after the first component (meaning that the candidate list could include IDs for entries that don't match the second).

The nsslapd-search-tune configuration attribute can be used to allow the server to skip this secondary filter evaluation and just rely on the candidate list when it's possible to ensure that it doesn't contain any non-matching entries. If you do wish to use it, then it should go in the "cn=config,cn=ldbm database,cn=plugins,cn=config" entry. Its value is an integer that is interpreted as a bitmap, meaning that different bits are taken to mean different things. The most important bits are:

1 -- This controls whether the feature will actually be enabled. If it is not set, then there will always be a secondary check against the filter before returning each entry. If it is set, then this secondary check can be skipped under the right conditions.
8 -- This controls whether to allow skipping the secondary filter test even if an attribute used in the filter is also included in the values returned to the client. More on this later.
16 -- This controls whether to allow skipping the secondary filter test for compound filters (i.e., those containing AND or OR components). If it is not set, then only simple equality filters will be candidates for skipping the check.
32 -- This controls whether to ensure that index processing is always applied to all components in a compound AND filter. If it is set, then it can disable certain optimizations in the index processing code that could allow short-circuiting out of the index evaluation, which may degrade performance in some areas but will increase the conditions under which it is possible to bypass the secondary filter check.

As I mentioned above, the value is a bitmap, which means that you can just add the values of each of the components together to get what you want. For example, if you want to enable all of these options, you would use a value of 57 (1+8+16+32=57). In most deployments, however, it may be recommended to leave out the "8" option, leaving you with a value of 49 (1+16+32=49).

So what's the problem with the "8" option? It has to do with a very tiny race condition that can arise if the secondary filter test is skipped. As noted above, normal search processing is done by first building the candidate list, then retrieving each entry, checking it against the filter, and sending it to the client if it matches. It is possible that in the split-second between the time that the candidate list is constructed and an entry on that list is retrieved and returned to the client, that entry could be modified so that it no longer matches the filter criteria. With the secondary filter check in place, the server would see that the entry no longer matches and wouldn't send it to the client, but if that secondary test is skipped then it is possible that the server could return an entry that no longer matches. In most cases, this isn't a problem since the entry did match the filter at the time that the server started processing the search, but it does have the potential to cause a problem if the client does try to do some validation on the entries that it gets back and "freaks out" in some way if it finds one that doesn't match. The chances of the required conditions are extremely small, and the chance that the client will notice and care about it are even smaller. Nevertheless, if you're concerned about it and want to avoid that possibility, then you can just leave option "8" out of the bitmap.

It's important to note that the nsslapd-search-tune configuration attribute has been around in one form or another for quite some time (it was around in a more limited form in the 4.x server), but there were code changes required to make it "safer" to use (i.e., to reduce the chance of false positives). If you're running the 5.1 version of the server, then those fixes did not integrate until the 5.1SP4 release. If you're running the 5.2 version of the server, then they did not integrate until the 5.2patch2 release. If you're running something older than that, then you really should consider upgrading for a number of reasons, but until you do it's probably best to avoid using nsslapd-search-tune.

It's also important to note that this configuration attribute is not a panacea, and it can slow things down in some cases because of the search optimizations that it can disable. I would advise against using it unless you are seeing a performance problem in dealing with entries containing an attribute with a large number of values (like big static groups). If you're not sure if a particular use case might benefit from nsslapd-search-tune, then open a support case and we can help you figure that out, and we may be able to provide other tuning recommendations that may also help.

Posted by cn_equals_directory_manager ( Aug 17 2006, 09:01:32 AM CDT ) Permalink Comments [1]

Friday August 11, 2006

OpenDS, Java, and Performance

I've seen a few questions, comments, and concerns recently about how OpenDS will perform. In particular, many of them have focused on the fact that OpenDS is written in Java. I wanted to take this opportunity to address them here.

If you've heard anything about Sun's Directory Server in the last several years, it's hard to miss the fact that performance and scalability are very important to us. We've been continually working on improving this in our current Sun Java System Directory Server, and it is one of the main goals of OpenDS to be even faster and more scalable. If we really thought that Java was going to significantly hold us back, then the project probably wouldn't have even gotten off the ground.

First, though, I should say that we haven't yet spent a lot of time on performance optimization, primarily because it's too early in the process. Since there's still a lot more code to be written, anything that we do to optimize performance now might get negated by changes that we make later when adding other features. We'd rather get things working first and then we'll see what we need to do to make it as fast as possible. However, I will say that we're definitely writing the code with performance and scalability in mind, and we have run a few performance tests that do show that we're in pretty good shape. For example, our modify performance is about twice as fast as the best that I've seen out of Directory Server 6. Our LDIF import code is also faster and more scalable. Search performance right now can range from a little slower to a lot faster, but we also know of a few things that can be improved to give us some significant boosts. I do find it a little hard to resist the temptation to jump into performance analysis, but at least it does allow development to progress more quickly.

So how does Java fit into all of this? In many ways, it does play a very big role because the JVM is what is actually executing the code. The performance of the JVM has improved dramatically over time, and it keeps getting better. This works very much in our favor, since switching to a faster JVM can give OpenDS a notable performance boost without changing a line of code. Further, new releases of Java can introduce new features and capabilities that we may be able to use to our advantage. For example, the Java 5 release added a number of libraries for better concurrency that allows us to reduce locking and improve performance and scalability, and improved upon the NIO features added in the 1.4 release for fast and scalable network communication. Back in the Java 1.1 or 1.2 days, we probably would have been crazy to attempt something like this and expect decent performance, but things have come a long way since then. Note that I am talking primarily about Sun's JVM implementation, since I don't have a lot of experience with those from other vendors. It may or may not be the case that other JVMs share the same level of performance, but Sun's implementation certainly shows what's possible.

Other things to consider with regard to Java and performance include:

Java is not an interpreted language. The HotSpot JIT compiler translates the bytecode into native machine code and then executes that. It is true that when the JVM is just started and the program initially starts running that it may be interpreted for a period of time, but once it has been compiled then it is running natively.
It is true that garbage collection does run in the background. However, if it's done right then this has a negligible impact on performance. In fact, in many some ways the memory management approach that Java uses can be faster than most native applications because it's optimized for this kind of usage and allocating memory for small temporary objects is very efficient. Further, there are several different garbage collector models that you can choose from based on your requirements.
Java is an extremely observable language. It's easy to see what's going on inside the JVM, and there are a plethora of tools that can be used to help analyze the performance of Java applications. There are interfaces that profilers can plug into, and it is also possible to use DTrace on Solaris 10 that can be used to examine code running in production. Similarly, we've even built a simple profiler into OpenDS itself that you can use to collect data about what's going on while the server is running (and without the need to restart). All of this makes it very easy to identify the portions of the code that can benefit most from performance optimization to help us know where to spend our time.
There are a lot of configurable options available for use with the JVM, and some of them can have a significant impact on performance. This can include settings that impact memory usage, garbage collection, native compilation, lock behavior, etc. This can provide a number of benefits for different kinds of systems without the need for us to write any special code to take advantage of them.
Java can also help us write code more quickly, since there are a number of IDEs that can help with rapid development, and we also don't need to spend as much time worrying about things like memory management and cross-platform compatibility.

However, there are also a number of improvements in the area of performance and scalability that are not directly related to our use of Java. We have made a number of architectural changes based on our experiences with the current Directory Server that allow us to avoid problems that we've encountered in the past. We have focused heavily on avoiding the need to acquire locks wherever possible, and to minimize the scope of those locks that are necessary. We have changed the way in which we store entries in the backend database to make them much more efficient to encode and decode so that it is still possible to get very good performance even when not using an entry cache, and we've changed our approach to entry caching to allow for different implementations that may be suited for different kinds of use cases. The algorithms used for interacting with indexes in the backend can allow us to be more efficient and reduce the number of entries that we need to look at in several cases. We've increased the parallelization in several areas like connection handling and backend processing to be faster and more scalable. As development continues, we'll add other improvements throughout the code.

So to summarize, the performance today is pretty impressive and we know that there are ways to make it better. Java is not going to be a performance inhibitor, and it's only going to keep getting better. You can get it now to try it out for yourself, or watch our development to see how we progress in the future. If you still have concerns, or if you have ideas about how we can make it better, then feel free to participate on our mailing lists.

Posted by cn_equals_directory_manager ( Aug 11 2006, 02:29:21 PM CDT ) Permalink Comments [2]

Monday August 07, 2006

Interesting new features in OpenDS

As we've stated in the past, our intention is to make OpenDS better than any other directory server. This is true on multiple fronts, including performance, scalability, reliability, supportability, and feature set. All of the features that we want to include in OpenDS have been entered into the issue tracker, but I thought that I would highlight some of the more interesting new features here.

Configuration Features

Configuration Cloning (Issue #164) -- When creating a new instance of the server, it will be possible to clone the configuration of an existing instance.
Configuration Archiving (Issues #165, 166) -- The server will keep track of all of the configuration changes that are made over time and make it easy to determine who made what changes and when.

Backup/Restore and Import/Export Features

Incremental Backup and Restore (Issue #15) -- It will be possible to perform an incremental backup including only the database changes since the last incremental or full backup.
Compressed Backup and LDIF Export (Issues #16, 26) -- It will be possible to have the server compress database backups and LDIF exports, and to restore from the compressed archives.
Encrypted Backup and LDIF Export (Issues #17, 27) -- It will be possible to have the server encrypt database backups and LDIF exports, and to restore from the encrypted archives.
Hashed and/or Signed Backup and LDIF Export (Issues #18, 28) -- It will be possible to include a cryptographic digest and/or digital signature with a backup or LDIF export, and to verify that hash or signature upon performing a restore.

Backend Features

Index Verification Tool (Issue #42) -- We will include a tool with the server that will allow you to ensure that all of the indexes are in sync with the data.
Multiple Base DNs (Issue #48) -- It will be possible to include multiple base DNs in a single backend, which can help avoid the need to create a new backend for each suffix.
Better Database Portability (Issue #67) -- While the Sun Java System Directory Server allows for binary copy initialization in some limited cases, there will be fewer restrictions for OpenDS. In particular, there will no longer be requirements to keep the database stored in the same location on the filesystem, nor to use the same operating system or CPU architecture.
Database Preloading (Issue #60) -- There will be an option to allow the server to automatically preload portions of the database on startup so that the information will be read into caches for faster availability.
Better Debugging Options (Issues #69, 70) -- The server will make information available to clients about the processing performed as part of a search operation (e.g., how many potential candidate entries there are, and how candidate lists are merged).
NFS Support (Issue #566) -- The server will support the ability to store the database on an NFS volume (although it will not be supported to access the database from multiple systems concurrently).

Entry Cache Features

Run Without an Entry Cache (Issue #562) -- The server will provide the ability to run without any kind of entry cache (in fact, this is the default configuration).
Cache Filtering (Issue #563) -- The server will provide the ability to define include and exclude filters that can be used to control the kinds of entries that may be stored in the entry cache.
Better Memory Management Options (Issues #564,565) -- Entry cache sizing should be relatively simple and should not require much interaction from the administrator.

Connection Handler Features

Multiple Request Handlers (Issue #149) -- The server will provide the ability to have multiple threads used to read requests from clients, which can provide for better performance and scalability.
Ability to Disconnect Clients (Issue #429) -- The server will provide the ability for administrators to terminate client connections if it is deemed necessary (e.g., a particular client is sending a large number of inefficient requests to the server).
On-the-Fly Management (Issue #568) -- The server will provide the ability to enable, disable, create, and destroy connection handlers on the fly without the need to restart.
Stop Accepting without Disconnecting (Issue #150) -- The server will provide the ability to configure a connection handler so that it can stop accepting new connections without terminating existing connections, which can be used as a kind of graceful shutdown mechanism.

Security Features

Pluggable Keystores (Issue #412-415, 569) -- The server will provide the ability to obtain its SSL certificates from a variety of locations, including JSSE and NSS keystores, PKCS#12 files, and PKCS#11 devices. An API will also be provided to allow further extending this capability.
Multiple Root DNs (Issue #419) -- The server will provide the ability to have multiple root DNs in the server. This will allow for the use of different passwords (and potentially different password policies) for each root user, and will provide a better audit trail for operations performed by root users.
Strong Authentication for Root DNs (Issue #420) -- Root user accounts will be represented as entries, which will allow them to contain the information necessary to be used to perform SASL authentication.
Access Controls for Bind Operations (Issue #421, 440) -- The server will provide the ability to enforce access controls for bind operations, including binds by root users.
Hashed/Encrypted Compare-Only Attributes (Issue #467) -- The server will provide the ability to create attributes whose values are hashed or encrypted, and will not allow general searches against values for those attributes.
Scoped Privileges (Issues #468, 469) -- The server will provide a privileges capability, which can be used to assign capabilities to normal users that would normally only be available to root users. Further, those privileges may be scoped to constrain their effects in some way (e.g., a user may be exempted from access control evaluation, but only for a particular branch of the directory tree).

Password Policy Features

Pass-Through Authentication (Issues #294-300) -- The server will provide the ability to allow user passwords to be stored in other repositories (e.g., other directory servers, IMAP/POP3, Access Manager, Kerberos servers, etc.) and have authentication interact with that external repository to verify the user's password.
New Password Storage Schemes (Issues #310,312,314-318) -- The server will support a number of new password storage schemes, including the SHA-2 algorithms, as well as reversible schemes like 3DES and AES.
Storage Scheme Deprecation/Migration (Issue #323) -- The server will support the ability to automatically deprecate certain storage schemes so that if a user authenticates to the server and has a password encoded in one or more deprecated schemes it will be automatically re-encoded using the default schemes.
Idle Account Lockout (Issue #307) -- The server will provide the ability to automatically lock accounts that have not been used for longer than a specified length of time.
Account Expiration (Issue #543) -- The server will provide the ability to define an expiration time for accounts, so that they cannot be used after that time. This could be useful for temporary accounts like those used by contractors.
Pluggable Password Validators (Issues #334-341) -- The server will provide an API for defining password validators and will include a number of default implementations, including those based on the length of the password, the types of characters in the password, whether the password is in the user's password history, whether the password is contained in a given dictionary, and whether the password matches the value of any attribute in the user's entry.
Account Status Change Notification (Issue #483) -- The server will provide a mechanism for notifying users of significant changes to their account, including warning about an upcoming expiration, a password change or administrative reset, or a lockout due to failed attempts.

Logging Features

Multiple Concurrent Loggers (Issue #178) -- The server will allow administrators to configure multiple loggers of each type. For example, it will be possible to have multiple access loggers, with one capturing all information, another only logging failed operations, a third only logging write operations, etc.
Log Filtering (Issue #183) -- The server will make it possible to define log filters, which can be used to control which operations get written to a log.
Centralized Logging (Issues #180-182) -- The server will provide the ability for muultiple server instances to log to a centralized repository (e.g., to a central database, or to a shared filesystem).
Compressed Logging (Issue #185) -- The server will provide the ability to write log information in compressed form.
Encrypted Logging (Issue #186) -- The server will provide the ability to write log information in encrypted form.
Signed/Hashed Logging (Issue #187) -- The server will provide the ability to hash and/or sign log records as a means of tamper detection.
Rotation Actions (Issues #193-196) -- The server will provide the ability to perform various operations when a log file is rotated (e.g., compress on rotate, encrypt on rotate, sign on rotate, etc.).
Unique Message IDs (Issue #203) -- Every message that may be written to the server's error log or that may be included in a response sent to the client will be assigned a unique integer ID.

Monitoring/Alerting Features

Better Monitor Coverage (Issues #206-216) -- The server will provide the ability to publish more monitor information, so that it is easier to understand its performance and health state.
Integrating with External Systems (Issues #226-232) -- We will provide instructions that can be used to allow the server to integrate with external monitoring frameworks like Big Brother, HP OpenView, Nagios, BMC PATROL, and Tivoli Monitoring.
Pluggable Notification Mechanisms (Issues #219-224) -- The server will provide a notification mechanism so that administrators can be made aware of any significant problems or notable events that are encountered during processing.

Note that these aren't all of the new features that we're planning. We've got some other gems that we're thinking about as well. As I mentioned above, you can check our issue tracker for what should be a pretty complete list. If you have other ideas for features that you don't see in the list, then feel free to add them to the issue tracker yourself (anyone with the User role or higher in the project can file new issues), and if you're so inclined then you could even help us implement them.

I should point out that not everything listed in the issue tracker will necessarily be actually implemented in OpenDS, and if it is included then it might not be in the initial release. We're certainly working hard to make the server as feature-rich as possible, but we're not yet at the point at which we can make any guarantees about what will be available and when.

Posted by cn_equals_directory_manager ( Aug 07 2006, 01:45:13 PM CDT ) Permalink

Tuesday August 01, 2006

Introducing the OpenDS Directory Service

The Sun Java System Directory Server has a distinguished heritage and a proven track record, with thousands of customers and billions of entries deployed. However the codebase is over ten years old and its origins are from a time when performance, scalability, and feature set requirements then were very different from what we're seeing today and expect to see in the future. It has also grown quite complex, and making a change to one area of the code may require an in-depth understanding of several other components. We're still working on improving this code, and the upcoming Directory Server 6.0 release will be the best we've had yet, but we are also preparing for the future and we think that an open development model needs to be a big part of that.

Last year, we decided to start from scratch, designing a new server from the ground up. Drawing from our years of experience, customer feedback, and some of our own ideas, we began working on what we hope will become even more enduring and successful than our current Directory Server. We're calling the new codebase OpenDS, and last Friday we rather quietly pushed the code out to https://opends.dev.java.net/.

OpenDS is an open source Directory Service written entirely in Java. I say "Directory Service" because we will include more than just the core LDAP-accessible database. Much like our current Directory Server Enterprise Edition, we'll also include directory proxy functionality (including virtual directory and data distribution capabilities), the ability to synchronize with Active Directory and potentially other sources, and various client-side tools.

To date, our development has primarily focused on the Directory Server itself, and we have basic support for all core LDAPv3 operations, and several extensions like controls, extended operations, and SASL mechanisms. However there are still a number of components to be added, like the access control subsystem, virtual attribute capabilities, and administrative interfaces, and there is significant work to be done in other areas like password policy and logging. We very much wish to have an open development process, and we welcome community participation. You can provide comments and feedback, file bugs and enhancement requests, participate in mailing lists, or even write code.

I'm sure that there will be a lot of questions about OpenDS, and our FAQ (I suppose in this case, that's "Frequently Anticipated Questions") at https://opends.dev.java.net/public/docs/OpenDS-FAQ.html aims to address many of them. If you still have other questions, then check out other parts of the site like our Documentation Depot or join our mailing lists. We'd love to have you help us achieve our goal of making OpenDS better than any other directory product out there.

Posted by cn_equals_directory_manager ( Aug 01 2006, 03:33:21 PM CDT ) Permalink Comments [12]

Monday July 31, 2006

Posts now mirrored at www.directorymanager.org

I've felt for a long time that the information here is too hard to find once it gets pushed off the front page, and a few others have confirmed that for me. I've been meaning to mirror this content somewhere else for a long time, but it wasn't until this weekend that the time to get it done and the ambition to do so.

Now you can go to http://www.directorymanager.org/blogs/ to see a list of all of the posts that I've made here in the past. As I add more content in the future, I'll try to keep them in sync.

There's not much point to trying to look around the rest of the site, since there's nothing else there yet. I may get around to adding more stuff in the future, but for now the mirror of this content is all that there is.

Posted by cn_equals_directory_manager ( Jul 31 2006, 08:30:09 AM CDT ) Permalink Comments [2]

Friday July 28, 2006

Understanding the Backend Monitor Entries

Earlier, I wrote about the cn=monitor entry and the kinds of information that it provides. I mentioned in passing that the backendMonitorDN attribute specifies the DNs of the monitor entries for the backends defined in the server, but I didn't go into any detail on what data they provided. There is a lot of useful information in the backend monitor entries, and they deserve their own post to describe their content.

The backend monitor entries have a DN of "cn=monitor,cn={backendID},cn=ldbm database,cn=plugins,cn=config", where "{backendID}" is the name of the backend you're interested in monitoring (e.g., "userRoot" is the name for the default backend when a new instance is created). The monitor entry provides information specific to that backend, including cache and database statistics. The attributes in these entries include:

currentEntryCacheCount -- This specifies the number of entries that are currently held in the entry cache for the backend.
currentEntryCacheSize -- This specifies the amount of memory (in bytes) that the server believes the backend's entry cache is consuming. This number may be somewhat inaccurate (see my earlier post on cache sizing for why this is the case), although the accuracy should be improved in the upcoming Directory Server 6 release.
database -- This specifies the type of database that is in use for the backend. This should always be "ldbm database".
dbEntryCount -- This specifies the number of entries in the backend database (i.e., the number of unique keys in the id2entry database file).
dbFileCacheHit-# -- This specifies the number of times the server requested an entry from the associated database file and the data was already contained in the database cache.
dbFileCacheMiss-# -- This specifies the number of times the server requested an entry from the associated database file and the data was not contained in the database cache.
dbFileName-# -- This specifies the path to a database file for the backend. Note that the "-#" part of this and other dbFile* attribute names actually indicates an integer value. Each database file accessed by the server will be given a different number, and the same number will be used for the DB file name, hit and miss count, and page in and out count so that those statistics can be associated with the appropriate database file.
dbFilePageIn-# -- This specifies the number of times that content from the associated database file had to be paged into the cache.
dbFilePageOut-# -- This specifies the number of times that content from the associated database file was paged out of the cache (presumably to make room in the cache for another database page that needed to be paged in).
entryCacheHitRatio -- This specifies the percentage of the time that a request to retrieve an entry from the entry cache actually finds that entry in the cache. It will be equal to 100 * entryCacheHits / entryCacheTries.
entryCacheHits -- This specifies the total number of times that a request to retrieve an entry from the entry cache actually finds that entry in the cache.
entryCacheTries -- This specifies the total number of times that a request was made to retrieve an entry from the entry cache, regardless of whether or not the target entry was in the cache.
ldapEntryCount -- This specifies the number of LDAP entries in the backend database. The difference between this and the dbEntryCount attribute is that the ldapEntryCount does not include special entries like tombstones that are not generally accessible over LDAP.
maxEntryCacheCount -- This specifies the maximum number of entries that may be held in the entry cache, or -1 if there is no upper limit to the number of entries to store.
maxEntryCacheSize -- This specifies the maximum amount of memory in bytes that the server will try to use for the entry cache. Again, this may be a little inaccurate, but Directory Server 6 should be better than 5.2 in this area.
nextID -- This specifies the entry ID that will be used for the next entry that is added to the backend database. This is generally not that useful for monitoring, but may be helpful for some corner cases when debugging problems.
readOnly -- This indicates whether the backend is configured to be read-only. Note that even if the backend itself is not configured in read-only mode, the server-wide read-only configuration may be enabled which has the same effect but across all backends.

Posted by cn_equals_directory_manager ( Jul 28 2006, 05:29:08 PM CDT ) Permalink