Copyright © 2011 ForgeRock AS
Last updated: February 21, 2012
Notes covering OpenDJ hardware & software requirements, fixes, known issues. The OpenDJ project offers open source LDAP directory services in Java.
OpenDJ is an LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage.
You can download OpenDJ software from the OpenDJ download page. OpenDJ is free to download, evaluate, and use. You can even check out and modify the source code to build your own version if you prefer.
These release notes are written for everyone working with the OpenDJ 2.5.0 release. Read these notes before you install or upgrade OpenDJ software. These notes cover hardware and software prerequisites for installing and upgrading OpenDJ software. These notes list key features added and changed in this release. They also cover compatibility with previous releases and alert you to potential changes coming up that could affect your scripts and applications. Finally, these notes list both issues fixed since the previous release and known issues open at the time of release.
See the Installation Guide for more after you read these release notes. The installation guide covers installation and upgrade for OpenDJ directory server and OpenDJ DSML gateway.
Compared to OpenDJ 2.4.4, OpenDJ 2.5.0 fixes a number of issues. OpenDJ 2.5.0 provides the following new features.
OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes. (OPENDJ-406)
OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering. (OPENDJ-308)
OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283).
OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269).
OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass through authentication (PTA) (OPENDJ-262). With PTA, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.
For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways.
Both the OpenDJ entry and the remote entry have the same DN.
The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service.
The OpenDJ entry and the remote entry share an attribute that has exactly the same value.
If user entries do not match to begin with, you can add an attribute to users' OpenDJ entries when configuring them to use pass through authentication.
To configure PTA, you set up an LDAP pass through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide for details.
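As an added illustration (not OpenDJ code), the following Python sketch models the three entry correspondences described above and the replayed simple bind. The policy field names and the ds-pta-remote-dn attribute are invented for the example, and the sample entries are constructed.

```python
from hmac import compare_digest

# Constructed sample data: local OpenDJ entries and the remote directory
# (for example Active Directory) that actually holds the passwords.
# "ds-pta-remote-dn" is a made-up attribute name for this example.
LOCAL = {
    "uid=bjensen,ou=People,dc=example,dc=com": {
        "uid": "bjensen",
        "mail": "bjensen@example.com",
        "ds-pta-remote-dn": "cn=Babs Jensen,cn=Users,dc=corp,dc=example",
    },
    "cn=alice,ou=People,dc=example,dc=com": {"cn": "alice", "mail": "alice@example.com"},
}
REMOTE = {
    "cn=Babs Jensen,cn=Users,dc=corp,dc=example": {
        "userPrincipalName": "bjensen@example.com", "password": "hifalutin"},
    "cn=alice,ou=People,dc=example,dc=com": {"cn": "alice", "password": "s3cret"},
}

def map_entry(policy, local_dn, local_attrs, remote):
    """Find the remote entry for a local user using one of the three
    correspondences from the release notes; None means no unique match."""
    kind = policy["mapping"]
    if kind == "same-dn":
        return local_dn if local_dn in remote else None
    if kind == "dn-attribute":  # local entry stores the remote DN
        target = local_attrs.get(policy["attribute"])
        return target if target in remote else None
    if kind == "shared-value":  # both entries carry the same attribute value
        value = local_attrs.get(policy["local_attribute"])
        hits = [dn for dn, attrs in remote.items()
                if value is not None and attrs.get(policy["remote_attribute"]) == value]
        return hits[0] if len(hits) == 1 else None  # ambiguity fails closed
    raise ValueError(f"unknown mapping policy {kind!r}")

def pta_bind(policy, local_dn, password, local=LOCAL, remote=REMOTE):
    """Replay a simple bind against the remote directory. The user is
    authenticated only if the mapped remote entry accepts the password;
    the local entry's own userPassword (if any) is never consulted."""
    local_attrs = local.get(local_dn)
    if local_attrs is None:
        return False
    remote_dn = map_entry(policy, local_dn, local_attrs, remote)
    if remote_dn is None or not password:
        return False  # unmappable user, or an empty password (anonymous bind)
    return compare_digest(remote[remote_dn]["password"].encode(), password.encode())
```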
OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258).
OpenDJ now calls Account Status Notification Handlers when an account is enabled or disabled by the manage-account command (OPENDJ-248).
OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246).
OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command.
OpenDJ now supports checking that entries of new group members exist (OPENDJ-221).
OpenDJ now better supports more and larger static groups (OPENDJ-197).
Change log content and configuration have been improved in this release (OPENDJ-194).
Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186).
The character set password validator now supports optional character sets (OPENDJ-168).
Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76).
OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60).
OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).
This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.
The ldif-diff command has been renamed ldifdiff, and the --outputLDIF, --overwriteExisting, --sourceLDIF, and --targetLDIF options have been dropped in favor of a format closer to that of the diff command.
OpenDJ 2.5.0 makes use of new environment variables aligned with the project name. Use of the old variables is deprecated. The old variables are likely to be removed in a future release.
OpenDJ issues are tracked at https://bugster.forgerock.org/jira/browse/OPENDJ. This chapter covers the status of key issues at release 2.5.0.
Release 2.5.0 has the following limitations, none of which are new since 2.4.4.
OpenDJ directory server provides full LDAP v3 support, except for alias dereferencing, and limited support for LDAPv2.
When you configure account lockout as part of password policy, OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however.
OpenDJ is not fully integrated with Microsoft Windows, although OpenDJ directory server can be run as a service, and is thus displayed in the Windows Services Control Panel.
OpenDJ replication is designed to permit an unlimited number of replication servers in your topology. Project testing has, however, focused only on topologies of up to eight replication servers.
On Niagara systems such as T2000, hardware SSL crypto acceleration runs more slowly than software crypto acceleration. To work around this issue take the following actions.
Add more request handlers to LDAP (for TLS) and LDAPS (for SSL) connection handlers.
Disable hardware acceleration for the server's JVM by removing the SunPKCS11 security provider from jre/lib/security/java.security.
The following known issues remained open at the time release 2.5.0 became available.
TODO
Furthermore, when deploying for production, make sure that you follow the installation instructions on allowing OpenDJ to use at least 64K (65536) file descriptors, and on tuning the JVM appropriately.
For the latest status, query the OpenDJ bug database online at https://bugster.forgerock.org/jira/browse/OPENDJ.
OpenDJ software depends on the Java environment more than it depends on the underlying operating systems. OpenDJ directory server relies on Java 6, specifically at least the Java Standard Edition 6.0 (Sun version 1.6.0_10) runtime environment. For best server performance, use at least version 1.6.0_22, which also includes a major security fix for TLS. To build applications with the OpenDJ LDAP SDK, you need the Java SDK, as the runtime environment has no compiler.
That said, OpenDJ 2.5.0 has been validated on the following operating systems.
Apple Mac OS X 10.7
Linux 2.6
Microsoft Windows Server 2008
Oracle Solaris 10
OpenDJ 2.5.0 DSML gateway has been validated on Apache Tomcat 6.
If you have questions regarding OpenDJ that are not answered by the documentation, there is a mailing list at https://lists.forgerock.org/mailman/listinfo/opendj where you are likely to find an answer.
If you have found issues or reproducible bugs within OpenDJ 2.5.0, report them at https://bugster.forgerock.org.
When requesting help with a problem, please include the following information:
Description of the problem, including when the problem occurs and its impact on your operation
Machine type, operating system version, web container and version, Java version, and OpenDJ release version, including any patches or other software that might be affecting the problem
Steps to reproduce the problem
Any relevant access and error logs, stack traces, or core dumps
You can purchase OpenDJ support subscriptions and training courses from ForgeRock and from consulting partners around the world and in your area. To contact ForgeRock, send mail to info@forgerock.com. To find a partner in your area, see http://www.forgerock.com/partners.html.