Showing posts from 2013

Experimenting with OpenDJ in CoreOS / Docker

CoreOS is new minimal Linux based OS designed to run applications in containers.  The design concept is similar to Joyent's SmartOS (aside: I would love to see the CoreOS team adopt ZFS. It has so many compelling features for hosting containers. But I digress...)

CoreOS uses Docker lightweight containers, which are in turn based on Linux LXC containers. You will want to check out the excellent getting started guide, but the readers digest summary is that Docker containers are built up incrementally and inherit from their parent containers.  Each new container contains only the deltas from the parent - making it possible to distribute a small incremental feature set.

When you run a Docker container, you are running only the processes that are needed for your service (for example, OpenDJ). You are not running an entire copy of the OS, making these containers super lightweight (OpenSolaris fans have had this feature for years in the form of zones).

For my OpenDJ experiments, I starte…

A Sample OpenIG configuration showing Tomcat Login

ForgeRock's  Open Identity Gateway (OpenIG) is a "smart" reverse proxy interacts with the HTTP session to modify headers, cookies, and the body.

A common OpenIG  use case is to SSO enable legacy applications that can not be modified to use a policy agent.

The way this works is described in the gateway guide but the readers digest version is:
OpenIG itself is protected with an OpenAM policy agentOpenAM's password capture post authentication handler is configured to capture the user's password on login, and provide it (encrypted) to OpenIG. OpenIG is configured to watch for an HTTP request to the legacy application's login pageWhen OpenIG sees the login page it injects the users credentials into the login flow.  The guide has a few examples for Wordpress login - but I wanted to demonstrate login to Tomcat. 
This OpenIG config.json file is configured to SSO into the sample form login demo that included with tomcat (/examples/jsp/security/protected).

This config.js…

OpenIDM Custom Endpoints

Let's talk about a very cool OpenIDM feature called custom endpoints.

If you have used OpenIDM you know that objects in the system (be they repository, provisioner, or configuration objects) are available at  RESTful endpoints that accept and return JSON representations. This makes OpenIDM super easy to integrate with and script.

For example, if you add an LDAP adapter called "ldap", a REST endpoint becomes available at /openidm/system/ldap/ that allows you to query, read, write, update and delete LDAP entries. 

As an aside, most OpenIDM configuration objects are dynamically reloaded when they are modified. This makes development a joy as you do not need to bounce the Felix OSGI container every time you make a change.  The container starts very fast (30 seconds or so on my laptop) - but every second counts!
What you might not know is that you can easily add your own custom endpoints. A custom endpoint is an OpenIDM script that accepts a REST request and uses the under…

Enabling pass through LDAP authentication for OpenIDM

Out of the box OpenIDM uses a local "openidm-admin" account to perform RESTful authentication. This is fine for testing, but for production you probably want to maintain control over the admin accounts in your directory.

This wiki entry will show you how to configure pass through authentication to LDAP.

This will allow you to maintain the OpenIDM administrative accounts used for RESTful access in your directory.  You simply add these accounts to the LDAP group specified in the configuration. Check out the wiki for the full story.

Spin up the ForgeRock Open Identity Stack (OIS) using Ansible and Vagrant

Tl;DR: Want to install the complete ForgeRockOpen Identity Stack in 20 minutes? This is for you.

You already know that the ForgeRock OIS stack (OpenAM, OpenIDM and OpenDJ) is super easy to install.  Using Ansible and Vagrant we can make the process even faster!

From start to finish takes approx. 20 minutes (automated, hands off) to install a Centos image running  the following:
haproxy to route ports 80/443 to various backend servicesapache instance running on port 1080 OpenIDM running on port 9090 (available at running on port 389. This is the user store for OpenAM.OpenAM running on port 8080 (available at tomcat "application" instance on port 18080 (For future sample application hosting)./etc/init.d scripts to start OpenAM, OpenDJ, Apache etc.
This project includes everything you need to get started.

Next steps:  Provision to Amazon AWS and Google GCE environme…

Automatically generate LDAP entries with OpenDJ make-ldif

Do you need to generate a large number of LDAP entries for benchmark testing?   I was all set to write a utility to do this - when a colleague pointed me to make-ldif that comes with OpenDJ.

In a nut-shell, make-ldif uses template files to create sample LDIF data, which can then be imported into your ldap server.  make-ldif can generate random data, and/or use various patterns (for example - selecting from a list of cities, phone numbers, etc.).

Check out the documentation

ForgeRock OpenAM and Google Authenticator: Will it blend?

OpenAM provides built in support for OATH authentication (not to be confused with OAuth, which is a different kettle of fish altogether).

OATH defines an open standard for One Time Password (OTP) generators.  These can be HMAC Hash based (HOTP), or time based (TOTP).

Google Authenticator is a free application that you can download for your Android or iOS device that provides an implementation of the OATH TOTP standard.   It turns out to be surprisingly easy to configure Google Authenticator to work with OpenAM.

Let's walk through the steps.

We will configure this in a realm called "test". Realm's are a kick butt feature of OpenAM that allows us to create isolated administration, data store and policy domains.  A common use would be to configure separate environments for customers and employees, but realms are also great for creating test environments.

Navigate to your test realm, click on the "Authentication Tab". Under "Modules" edit the OATH mod…

sqlplus substr formating and column width

Doing a little connection pool troubleshooting (OAAM, I am looking at you!)  I found a great sqlplus script on stackoverflow.

The script uses the substr function to format the width of each column. As in:

       substr(a.spid,1,9) pid,
       substr(b.sid,1,5) sid,
       substr(b.serial#,1,5) ser#,

The problem: The column widths are all too wide. The values specified in the substr function seem to be ignored.

The solution:  If your database is using a multi-byte character encoding (and why wouldn't you?) you need to use the substrb function. Like this:

       substrb(a.spid,1,9) pid,
       substrb(b.sid,1,5) sid,
       substrb(b.serial#,1,5) ser#,

OAM 11g - webgate redirect loop

Have you ever run into a problem where you have an infinite redirect loop between the OAM server and a webgate?

If so, the first thing to do is CHECK THE TIME on both the webgate and oam hosts!

If the time is out of sync the webgate will think the OAM token has expired - redirecting you back again to the OAM server, who will happily generate another "new" (but expired) token and send you back to the webgate. Rinse and repeat....

scp no worky?

I ran into a weird problem where the scp command would refuse to copy a file to a remote host.

The command would complete OK (exit status of 0), but nothing would ever get copied. Head scratcher, and nothing obvious on stackoverflow.

The culprit:

 sftp/scp fails at connection, but ssh is OK. sftp and/or scp may fail at connection time if you have shell initialization (.profile, .bashrc, .cshrc, etc) which produces output for non-interactive sessions. This output confuses the sftp/scp client. You can verify if your shell is doing this by executing:
ssh yourhost /usr/bin/true If the above command produces any output, then you need to modify your shell initialization.