Showing posts from 2014

Dart's Async / Await is here. The Future starts now

The latest development release of the Dart Editor includes experimental support for Async / Await.  Check out Gilad's article for an introduction. In the Editor go into preferences -> experimental to enable this feature.

async / await is "syntactic sugar" for what can be accomplished using Futures, Completors and a whack of nested then() closures. But this sugar is ohh so sweet (and calorie free!).  Your code will be much easier to understand and debug.

Here is a little before and after example using async/await. In this example, we need to perform 3 async LDAP operations in sequence. Using Futures and nested then() closures, we get something like this:

// add mickey to directory ldap.add(dn, attrs).then( expectAsync((r) { expect( r.resultCode, equals(0)); // modify mickey's sn var m = new Modification.replace("sn", ["Sir Mickey"]); ldap.modify(dn, [m]).then( expectAsync((result) { expect(…

ForgeRock OpenIG 3.0- OIDC authentication example

My colleague, Simon Moffat has written a nice introductory article on some of the new features in OpenIG 3.0.

OpenIG is a Java based reverse proxy server with a focus on solving identity management challenges. The release adds support for scripting in Groovy and Javascript, and adds new authentication and authorization filters for OpenID Connect and OAuth 2.

I like to describe OpenIG as the Swiss Army knife of identity proxy servers. It can perform arbitrary transformations on HTTP requests and broker them to a number of backend services.

If you want a "ready to run" sample OpenIG project that demonstrates the new OpenID Connect filter  have a look at example1 in

Hopefully the cleary explains how this all works, but if not, drop me a note and I will improve the documentation.

If you have any OpenIG samples that you would like to share please feel free to send a pull request.

Systemd is the Cat's Pyjamas

I have been converting some of the startup scripts for my Open Identity Stack project to use systemd. Systemd is now available on Fedora, CentOS and Redhat - and is coming soon to Debian and Ubuntu (you can actually get it now in Debian testing).

What strikes me is how dead simple it is to create init services that just work.  Here is an example for openidm.service that leverages start/stop scripts that come with OpenIDM:

[Unit] Description=OpenIDM [Service] Type=simple ExecStart=/opt/ois/openidm/ ExecStop=/opt/ois/openidm/shutdown.shUser=fr SuccessExitStatus=143 [Install] * The only tricky thing above is the SuccessExitStatus. For reasons that I do not fully understand, many Java based programs started with shell scripts will use that system exit code.

Copy the above to /etc/systemd/system/openidm.service and you are good to go:

systemctl start openidm.service systemctl stop openidm.service systemctl sta…

Will it blend? Configure OpenAM to use Ping's OIDC RP module

OpenAM can be configured as an OpenID Connect provider.  Ping provides an open source relying party (RP) module for Apache that supports OIDC. This module is an an Apache filter that protects pages and requires the user to authenticate with an OIDC provider. The module asserts the user's identity to proxied applications by setting HTTP headers.
Prerequisites: A recent OpenAM 12 build. Subscription customers can contact ForgeRock to get the required functionality in OpenAM 11.xThe Ping OIDC module from here OpenAM as an OIDC providerCreate an Agent for the Ping module (Realm -> Agents -> OAuth2 -> new agent)
The Apache configuration details will depend on your O/S distribution. Create an Apache .conf file for the OIDC module and include it your configuration . Here is an example: From:
OIDCProviderIssuer OIDCProviderAuthorizati…

Ansible roles to install ForgeRock's OpenDJ LDAP server

Ansible is a really nice "dev-ops" automation tool in the spirit of Chef, Puppet, etc.  It's virtues are simplicity, an "agentless" installation model and a very active and growing community.

One of the neat features of Ansible is the concept of "roles". These are reusable chunks of dev-ops code that perform a specific task. Ansible "Playbooks" orchestrate a number of roles together to perform software installation and configuration.

Roles by themselves are not sufficient to drive reusability.  We need a way to collaborate and share roles.    Enter Ansible Galaxy, the central repository for Ansible roles.

If you have ever used apt or yum, galaxy will appear quite familiar. For example, to install and use the "opendj" role, you issue the following command:

$ ansible-galaxy install warren.strange.opendj

(Roles are prefixed with a contributor name to avoid name collisions).

If you want to install ForgeRock's OpenDJ server, here are…

Logstash configuration for collecting OpenAM and OpenIDM logs

Following on to my previous posting, here is a logstash configuration that collects logs from both OpenAM and OpenIDM, and feeds them into elastic search:

input { file { type => idmRecon start_position => beginning path => "/opt/openidm/audit/recon.csv" } file { type => idmActivity start_position => beginning path => "/opt/openidm/audit/activity.csv" } file { type => amAccess # start_position => beginning path => "/opt/openam/openam-config/openam/log/amAuthentication.*" } } filter { if [type] == "idmRecon" { csv { columns => [ "idX","action","actionId","ambiguousTargetObjectIds","entryType","message","reconciling","reconId", "rootActionId","situation","sourceObj…

Collecting OpenAM logs with logstash

Logstash is a general purpose log collector that can read, transform and collect various logs.

The following logstash configuration will collect OpenAM Access logs. The default target here is Elastic Search - which is document oriented no-sql database optimized for text search (perfect for log files).

In a future blog I will show you how you can use Kibana to makes some sexy charts of your access data.

file { type => amAccess start_position => beginning path => "/path_to_your_install/openam/openam/log/amAuthentication.access" } } filter { if [type] == "amAccess" { csv { columns => [time,Data,LoginID,ContextID, IPAddr, LogLevel, Domain, LoggedBy, MessageID, ModuleName, NameID, HostName] separator => " " } date { match => ["dateTime", "yyyy-MM-dd HH:mm:ss"] } geoip { databas…