Tab sweep, Easter edition, and upcoming events

Posted in conference, eic, Events, ForgeRock, General, Identity, opendj, opensource on April 6th, 2012 by Ludo

cc by http://www.flickr.com/photos/noukorama/

Articles and links

Action Identity has posted a couple of articles about ForgeRock products:

OpenDJ – Cost Effective Directory Solution
Stacking ForgeRock OpenIDM up to the competition

Our friends at ProfiQ have posted an article describing how to use OpenDJ with Red-Hat Certificate System.

On the subject of using OpenDJ with LDAP-enabled applications, we try to maintain a page on the OpenDJ documentation wiki with various tutorials on how to configure OpenDJ client applications.

Upcoming Events

ForgeRock will be present at the European Identity and Cloud Conference (EIC), April 17-20 in Munich.

We will also be participating in Devoxx France, April 18 to 20 in Paris. I will be co-speaking on Thursday 19 at 7pm about Open Source in France, and will be available for individual meetings from Thursday morning until late Friday afternoon. So, if you want to discuss ForgeRock products or job opportunities, send me a mail, or leave a comment.


Filed under: General Tagged: conference, eic, events, ForgeRock, identity, opendj, opensource

Certificate management with OpenDJ and Red-Hat Certificate System.

Posted in certificate, certificate-server, opendj, opensource, pki, security on April 6th, 2012 by Ludo

Our friends at ProfiQ have posted an article on how to use OpenDJ and Red-Hat Certificate System for user certificate management. Here’s a short extract:

 When you are running a Certificate Authority, the certificates have to be published typically in a LDAP directory which stores user information. The scenario would be:

the company has a corporate LDAP directory running on OpenDJ which stores the information about the employee and client identity (and has to associate its respective user accounts with their digital certificates);
RHCS is introduced to manage (and publish) digital certificates for the existing accounts.

Read more…

Cache strategy for OpenDJ LDAP directory server

Posted in directory, Directory Services, directory-server, ForgeRock, java, ldap, opendj, performance, Tips on April 5th, 2012 by Ludo

System administrators who are familiar with legacy LDAP directory servers know that one of the keys to the best performance is caching the data. With Sun Directory Server or OpenLDAP, there are 3 levels of caching that can be used: the filesystem level, the database level and the entry level. The filesystem-level cache is managed by the OS and cannot be controlled by the application. Using the filesystem cache is good when the directory server is the only process on the machine, and/or for initial performance. The database-level cache allows faster read or write operations, and also includes the indexes. The latter, the entry cache, is the highest-level cache, and usually the one that provides the best performance, as it requires the least processing from the server to return entries to the applications and has the least contention.

OpenDJ has a different design for its database and core server, and thus the caching strategy needs to be different.

By default, OpenDJ has a database cache enabled, and 3 different kinds of entry caches, all disabled. The reason for the 3 entry caches is that they are implemented for different needs and access patterns. But they all have in common a specific filter to select which entries to cache, and some settings for how much memory to use. During our stress and performance tests, we noticed that using an entry cache for all accessed entries added a lot of pressure on the garbage collector, and also caused more garbage collection from the old generation, often leading to either fragmentation of the memory, or more frequent full GC (also known as “Stop the world GC”). This resulted in less consistent, and overall worse, average response time and throughput.

So, we recommend that you favor the database cache, and do not set up an entry cache, except for specific needs (and do not try to activate all 3 entry caches, as this may lead to some really strange behavior).

The default setting in OpenDJ 2.4 is that 10% of the JVM heap space will be used for the database cache. With OpenDJ 2.5 (soon to be released), we have bumped the default to 50% of the heap space. If you’re tuning the heap size and make it larger than 2GB, we recommend that you keep that 50% ratio or even increase it if the heap size exceeds 3GB.

If you do have a few very specific entries that are accessed very often, like large static groups that are constantly used for ACI or group membership by applications, then the entry cache comes in handy, and you want to set a filter so that only these specific entries are cached.

For example, if you want to cache at most 5 entries, that are groupOfNames, you can use the following dsconfig command:

bin/dsconfig set-entry-cache-prop --cache-name FIFO --set include-filter:\(objectclass=GroupOfNames\) --set max-entries:5 --set max-memory-percent:90 --set enabled:true -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n

Otherwise, you’d be better off running with no entry cache. OpenDJ read performance is such that the directory server can respond to tens of thousands, if not hundreds of thousands, of searches per second with an average response time in the order of a millisecond. This should be good enough for most applications!
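A way to check a server configuration against the advice above (database cache at the 50% ratio, at most one entry cache enabled, and always with an include filter), as an added example that is not part of the original post or of OpenDJ. The sample LDIF is constructed, and the `ds-cfg-*` attribute names, the `userRoot` backend and the `audit` helper are assumptions made for illustration.

```python
# Added example, not OpenDJ code. SAMPLE_LDIF is constructed; the ds-cfg-*
# attribute names are assumed to mirror the dsconfig property names above.
# Folded and base64 ("::") LDIF lines are not handled.
SAMPLE_LDIF = """\
dn: ds-cfg-backend-id=userRoot,cn=Backends,cn=config
ds-cfg-db-cache-percent: 10

dn: cn=FIFO,cn=Entry Caches,cn=config
ds-cfg-enabled: true
ds-cfg-include-filter: (objectclass=GroupOfNames)
ds-cfg-max-entries: 5

dn: cn=Soft Reference,cn=Entry Caches,cn=config
ds-cfg-enabled: true

dn: cn=File System,cn=Entry Caches,cn=config
ds-cfg-enabled: false
"""

def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(text, min_db_cache_percent=50):
    """Check the config against the post's advice; return a list of findings."""
    findings, enabled = [], []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        is_cache = "cn=entry caches," in dn.lower()
        if is_cache and entry.get("ds-cfg-enabled", ["false"])[0].lower() == "true":
            enabled.append(dn)
            if not entry.get("ds-cfg-include-filter"):
                findings.append(f"{dn}: enabled with no include-filter")
        percent = entry.get("ds-cfg-db-cache-percent")
        if percent and int(percent[0]) < min_db_cache_percent:
            findings.append(f"{dn}: db-cache-percent {percent[0]} < {min_db_cache_percent}")
    if len(enabled) > 1:
        findings.append(f"{len(enabled)} entry caches enabled, expected at most one")
    return findings
```

Calling `audit(SAMPLE_LDIF)` reports the 10% database cache, the unfiltered Soft Reference cache, and the fact that two entry caches are enabled at once.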


Filed under: Directory Services Tagged: directory, directory-server, ForgeRock, java, ldap, opendj, performance, Tips

Open positions at ForgeRock

Posted in engineering, ForgeRock, General, grenoble, hiring, job, jobs on March 26th, 2012 by Ludo

In the Grenoble office

Do you want to work with open source projects, build highly scalable identity middleware products, enjoy an international environment in a fast growing company and have fun?

Check out our open positions.

We are seeking a number of highly motivated and skilled software professionals to grow our engineering team, in Development, Quality and Technical writing. Our engineering teams are based in the Bay Area and Portland (USA), Bristol (UK) and Grenoble (France). We also have positions open in Support, Sales, Account Management and Business Development.

View of Grenoble

A view of Grenoble, France. (c) January 2012, Ludovic Poitou.


Filed under: General Tagged: engineering, ForgeRock, grenoble, hiring, job, jobs

Rocking @ForgeRock !

Posted in cartoon, ForgeRock, gapingvoid, General, humour, rock on March 16th, 2012 by Ludo

I’m a great fan of @gapingvoid, and if you haven’t done it yet, I’d recommend you read his books.

Most of the time, his cartoons are hitting so right on that you’d want to believe they’ve been made specially for you. Like this one:

A @GapingVoid cartoon


Filed under: General Tagged: cartoon, ForgeRock, gapingvoid, humour, rock

Big news for ForgeRock today…

Posted in ForgeRock, funding, General, OnToBigThings!, opensource, products, startup, vc on March 2nd, 2012 by Ludo

I’m sure most of you have seen this already… I’m posting it here for posterity !

ForgeRock secures $7M in a series A funding from Accel Partners

Let’s pop up the volume now !!!

OpenDJ 2.4.5 is available

Posted in directory, directory-server, ForgeRock, java, ldap, opendj, opensource, release on February 28th, 2012 by Ludo

OpenDJ open source LDAP Directory services in Java

I’m happy to announce that a new revision of OpenDJ, the open source LDAP directory server in Java, has just been released. OpenDJ 2.4.5 is an update release of the OpenDJ project and improves reliability with SSL connections, replication meta-data indexes and Java 7. The full details about the release have been posted in the OpenDJ 2.4.5 Release Notes. Note that if you upgrade from a previous version, the ds-sync-hist index must be rebuilt prior to restarting the server.

The release is built out of revision 7743 of the b2.4 branch of the code repository.

As usual, you can find everything on the OpenDJ Downloads page:

The Java WebStart Installer
The Zip package (the SHA signature is here).
The SVR4 package for Solaris users.
The DSML gateway for those who want to provide a web service access to their LDAP directory server.

The draft documentation for OpenDJ, and more specifically the Administration Guide, has been updated on the OpenDJ project site, still on the track for an accurate, reviewed version for OpenDJ 2.5.

Feedback is important to us and you can participate on the IRC channel, the mailing lists or join our community.

Enjoy !

Cross posted from Ludo’s sketches.

In the news…

Posted in ForgeRock, Identity, news, OpenIDM, opensource, partners, release, Software on January 23rd, 2012 by Ludo

I’ve been traveling a little bit last week, visiting a major customer in the UK (helping with their OpenDJ based directory service that has grown from 13 million entries to 17 million in about 6 months).

Last week was also a busy week in terms of news for ForgeRock. First, we’ve announced the release of OpenIDM 2.0, a major version of our real-time identity life-cycle management, provisioning and synchronization software product. OpenIDM 2.0 is a new release, but is already running in production at a few happy customers.

ForgeRock and Qubera Solutions have announced a partnership for the delivery of Standard-based Identity Services based on ForgeRock I3 Open Platform. Qubera Solutions offers workshops and migration tools to help former Sun Microsystems customers to move away from legacy software solutions.

I also came across a blog post from Martin Sandren, that positions ForgeRock as one of the challengers on the Identity and Access Management market. It’s an interesting read and it looks like the previous announcement does start to address some of his concerns.

Martin was not the only one to talk about ForgeRock. Scott McNealy has been nicely advertising us on Twitter.

And finally, we’re expanding and therefore we’ve published a few job postings on our web site. I’m pretty confident that these are just a few to start with and we will have more, including some in our Grenoble Engineering Center.


Filed under: Identity Tagged: ForgeRock, identity, news, openidm, opensource, partners, release, software

☆ Wild Again

Posted in ForgeRock, Webmink on January 21st, 2012 by Simon Phipps

I am no longer associated in any way with ForgeRock AS. With my renewed independence, I’ve a new startup activity I’m exploring, and I’m open for consulting, speaking and writing engagements during those explorations. Do please get in touch if you have any need of open source policy, process and community consulting.

