Four questions

Next week begins the time of year when, for eight days, I will be passing over many activities that I typically do the other 51 weeks of the year; eating bread or pasta is an example of just one. I will also dine at two extraordinarily long repasts on weekday nights. Fortunately, I won’t have to work the following day.

I have four questions for you. I will provide my answers but welcome yours as well. (Drinking four cups of wine while reading and answering these questions is optional, but encouraged).

  1. Why is the Sun Identity Suite different from other vendor offerings?

  2. Why is your deployment of other vendor Identity offerings likely to be a bitter experience, akin to wandering in the desert for 40 years?

  3. Why do Sun Professional Services employees judiciously revise their work at least twice, whereas some other vendors not even once?

  4. Why can you relax and recline after deploying a Sun Identity Suite offering, but not after deploying other vendor offerings?

The answers that four sons might offer are:

  1. I am wise and know the difference.

  2. I am too wicked to tell you why.

  3. I am too simple to know the difference.

  4. I have no idea how to even answer the questions.

My answers to the four questions are simply this: don’t slave over another vendor’s offering, like your predecessors did. Deploy Sun Identity solutions using Sun Professional Services’ strong outstretched arm. Thus you can relax and recline since you are now free! Free from complex manual provisioning and compliance responsibilities.
Celebrate your freedom with a meal and relate the story to your children and their children for generations.

In closing, here are four riddles... Here are the answers



Identity and HR-XML

Last week I had the distinct pleasure of dining with Sara Moss, a joint partner at The Code Works Inc, an up and coming consulting firm. She writes a lot on the staffing and hiring industry. We shared a delicious Mediterranean repast and discussed our experiences in, and potential synergies between, The Code Works Inc and Sun.

  • The Code Works helps staffing firms with technology decisions, implementation and integration and has a lot of knowledge of on-boarding employees and using HR-XML technology.
  • Sun’s Identity solution automatically provisions users to applications once they are entered (on-boarded) into a corporation’s HR system.

Stay tuned to this blog for further insights into how The Code Works and Sun can develop joint solutions.


Sun Directory Server 6.0 replication

I read with interest Pete Browley’s blog posting on replication with OpenLDAP. A uidUniqueness plugin exists in Sun Directory Server 5.2 and 6.0. Of course uidUniqueness replication will be available in OpenDS, and if Pete would like to port his replication code to OpenDS it would be most welcome. The issue tracker item for a uidUniqueness plugin in OpenDS is #258.

Now onto Directory Server 6.0 replication which introduces:

  • Unlimited multi-master replication. (Directory Server 5.2 sp4 restricted a deployment to four masters).
  • Prioritized replication
  • Replication authentication methods
  • ...and more, all in the official documentation

My esteemed peer, Neil Wilson, makes the case for an all-master (no read-write) deployment of Directory Server 6.0. Gentle reader, please do imbibe of Neil’s wisdom.

Directory Server 6.0 replication can be managed in the GUI or from the CLI using /opt/SUNWdsee/ds6/bin/dsconf.

Here is a basic synopsis of the CLI steps:

Create server instance(s)

#/opt/SUNWdsee/ds6/bin/dsadm create -p 1389 -P 16363 /var/opt/SUNWdsee/dsins10
Choose the Directory Manager password:
Confirm the Directory Manager password:
Use ‘dsadm start /var/opt/SUNWdsee/dsins10’ to start the instance

Start the instance

#/opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dsins10
Waiting for server to start…
Waiting for server to start…
Waiting for server to start…
Server started: pid=1039

Create suffix

#/opt/SUNWdsee/ds6/bin/dsconf create-suffix -h sol10vmware -p 1389 dc=sun,dc=com
Certificate “CN=sol10vmware, CN=1636, CN=Directory Server, O=Sun Microsystems” presented by the server is not trusted.
Type “Y” to accept, “y” to accept just once, “n” to refuse, “d” for more details
: Y
Enter “cn=Directory Manager” password:

Enable replication – consumer

#/opt/SUNWdsee/ds6/bin/dsconf enable-repl -h sol10vmware -p 2389 consumer dc=sun,dc=com
Enter “cn=Directory Manager” password:

Enable replication – master

#/opt/SUNWdsee/ds6/bin/dsconf enable-repl -v -d 1 -h sol10vmware -p 1389 master dc=sun,dc=com
Enter “cn=Directory Manager” password:
Enter “cn=Directory Manager” password:
Enabling suffix “dc=sun,dc=com” for replication by assigning the role “master” to it…
Use “dsconf create-repl-agmt” to create replication agreements on “dc=sun,dc=com”.
The “enable-repl” operation succeeded on “sol10vmware:1389”.

Create a replication agreement

#/opt/SUNWdsee/ds6/bin/dsconf create-repl-agmt -h sol10vmware -p 1389 dc=sun,dc=com sol10vmware:1389
Enter “cn=Directory Manager” password:
Use “dsconf init-repl-dest dc=sun,dc=com sol10vmware:1389” to start replication
of “dc=sun,dc=com” data.

Start replication

#/opt/SUNWdsee/ds6/bin/dsconf init-repl-dest dc=sun,dc=com sol10vmware:1389
Enter “cn=Directory Manager” password:
Started initialization of “sol10vmware:1389”; Feb 8, 2007 1:49:50 AM

Sent 407 entries…
Sent 807 entries…
Sent 1228 entries…
Sent 1633 entries…
Sent 2098 entries…
Sent 2497 entries…
Sent 3008 entries…
Sent 3511 entries…
Sent 3888 entries.
Completed initialization of “sol10vmware:1389”; Feb 8, 2007 1:54:03 AM

The replication manager password is generated automatically, encrypted and synchronized on the new hosts.
The replication identity is created here by default:

cn=Replication Manager,cn=replication,cn=config

Prioritized replication
Prioritized replication allows you to replicate certain attributes ahead of others. For example, you may want to push password changes ahead of name changes.

#/opt/SUNWdsee/ds6/bin/dsconf create-repl-priority -h localhost -p 3389 dc=sun,dc=com pw-rule attr:userPassword
Enter “cn=Directory Manager” password:
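The CLI steps above (create, start, create-suffix, enable-repl, create-repl-agmt, init-repl-dest) and the userPassword priority rule combined into one non-interactive script, as an added example; it is not code from the original post nor a Sun-supplied tool. It assumes the master is the dsins10 instance on port 1389 shown above, that a consumer instance lives on port 2389 at an assumed path /var/opt/SUNWdsee/dsins20, that the cn=Directory Manager password is kept in an assumed root-only file /var/opt/SUNWdsee/dm-pwd handed to dsadm and dsconf with -w, and that the server certificate was already accepted once (the “Y” prompt above) so dsconf does not stop to ask. The agreement is created on the master and names the consumer (host:2389) as its destination.

```shell
#!/bin/sh
# Added example, not code from the original post. Master on 1389 (dsins10 above),
# consumer on 2389 at an assumed second instance path; the password file path is
# also an assumption (create it with mode 0600, owned by root).
DSADM="${DSADM:-/opt/SUNWdsee/ds6/bin/dsadm}"
DSCONF="${DSCONF:-/opt/SUNWdsee/ds6/bin/dsconf}"
DS_HOST="${DS_HOST:-sol10vmware}"
DS_SUFFIX="dc=sun,dc=com"
PWD_FILE="${PWD_FILE:-/var/opt/SUNWdsee/dm-pwd}"   # cn=Directory Manager password
MASTER_PORT=1389;   MASTER_SSL_PORT=1636;   MASTER_DIR=/var/opt/SUNWdsee/dsins10
CONSUMER_PORT=2389; CONSUMER_SSL_PORT=2636; CONSUMER_DIR=/var/opt/SUNWdsee/dsins20

# conf PORT SUBCOMMAND ARGS...: run dsconf against one instance, password read
# from the file so it never appears on a command line or in shell history.
conf() { _port=$1; shift; "$DSCONF" -h "$DS_HOST" -p "$_port" -w "$PWD_FILE" "$@"; }

create_instances() {
    "$DSADM" create -p "$MASTER_PORT"   -P "$MASTER_SSL_PORT"   -w "$PWD_FILE" "$MASTER_DIR"
    "$DSADM" create -p "$CONSUMER_PORT" -P "$CONSUMER_SSL_PORT" -w "$PWD_FILE" "$CONSUMER_DIR"
    "$DSADM" start "$MASTER_DIR"
    "$DSADM" start "$CONSUMER_DIR"
}

setup_replication() {
    # the suffix must exist on both sides before a replication role is assigned
    conf "$MASTER_PORT"   create-suffix "$DS_SUFFIX"
    conf "$CONSUMER_PORT" create-suffix "$DS_SUFFIX"
    # roles: the consumer (read-only replica) first, then the master with replica id 1
    conf "$CONSUMER_PORT" enable-repl consumer "$DS_SUFFIX"
    conf "$MASTER_PORT"   enable-repl -d 1 master "$DS_SUFFIX"
    # the agreement is configured on the master and names the consumer as destination
    conf "$MASTER_PORT"   create-repl-agmt "$DS_SUFFIX" "$DS_HOST:$CONSUMER_PORT"
    # total update: push the master's current data to the consumer
    conf "$MASTER_PORT"   init-repl-dest "$DS_SUFFIX" "$DS_HOST:$CONSUMER_PORT"
    # prioritized replication: userPassword changes are sent ahead of other updates
    conf "$MASTER_PORT"   create-repl-priority "$DS_SUFFIX" pw-rule attr:userPassword
}

# Run the whole procedure only when invoked as: sh repl-setup.sh run
if [ "${1:-}" = "run" ]; then
    create_instances && setup_replication
fi
```

A bare invocation only defines the functions; pass `run` to execute them in order. Keeping the consumer role assignment before the agreement matters because the agreement's destination must already be a replica of the suffix when init-repl-dest pushes the data.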

In the Sun Directory Server 6.0 GUI you can

  • see servers which have prioritized replication enabled.
  • view the replication topology. Here is a screenshot of six masters and one consumer in a replication topology.


Directory Server 6.0 backups

It goes without saying that backups are critical; Karena puts it quite succinctly.

Sun Java Directory Server 6.0 offers new backup features. (Read the official documentation here)

Frozen mode
Frozen mode disallows updates to the data, enabling you to take a backup. You can see a screenshot of how to set frozen mode, or use the CLI as follows:

/opt/SUNWdsee/ds6/bin/dsconf set-server-prop read-write-mode:frozen

This will take the database offline, process all pending operations and flush the database environment. Remember that the data isn’t accessible until you turn frozen mode off as follows:

#/opt/SUNWdsee/ds6/bin/dsconf set-server-prop read-write-mode:read-write

Of course if you are using the new ZFS file system (read what Adam writes about it), then you can take a pretty quick snapshot (see my entry last year) of the data. Otherwise follow the guidelines below for using the CLI.

Backups using the CLI

  • dsadm requires that the server be stopped first.
  • dsconf does not require that the server be stopped first. The dsconf utility writes a temporary entry to the cn=backup,cn=task,cn=config branch of the directory, the task runs, and the temporary entry is removed.

Backup in LDIF/text format

/opt/SUNWdsee/ds6/bin/dsadm export

/opt/SUNWdsee/ds6/bin/dsconf export

dsadm and dsconf will export a single directory database to LDIF. Both bypass the LDAP protocol and read directly from the database. 

The dsconf and dsadm export commands can also be used with the --no-repl option to specify that no replication information is to be exported. The default is that the replicated suffix is exported to an LDIF file with replication information. The resulting LDIF will contain attributes that are used by the replication mechanism.
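A backup wrapper that puts the frozen-mode commands and the dsconf export above together, as an added example that is not from the original post or from Sun: it freezes the server, exports the suffix with dsconf export --no-repl, and then leaves frozen mode again even when the export fails, which is the step that is easy to forget and that leaves the directory refusing writes until someone notices. The host, port, suffix and the root-only password file /var/opt/SUNWdsee/dm-pwd (passed to dsconf with -w) are assumptions; the server certificate is assumed to have been accepted already so dsconf runs without prompting.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes DSEE 6.0 dsconf and an
# assumed root-only file holding the cn=Directory Manager password (chmod 600).
DSCONF="${DSCONF:-/opt/SUNWdsee/ds6/bin/dsconf}"
DS_HOST="${DS_HOST:-sol10vmware}"
DS_PORT="${DS_PORT:-1389}"
DS_SUFFIX="${DS_SUFFIX:-dc=sun,dc=com}"
PWD_FILE="${PWD_FILE:-/var/opt/SUNWdsee/dm-pwd}"

# dsconf with the connection options filled in; -w reads the password from the
# file so it is never echoed or placed on a command line.
ds() { "$DSCONF" -h "$DS_HOST" -p "$DS_PORT" -w "$PWD_FILE" "$@"; }

freeze() { ds set-server-prop read-write-mode:frozen; }
thaw()   { ds set-server-prop read-write-mode:read-write; }

# frozen_backup LDIF_FILE [export options, e.g. --no-repl]
# Exit status is the export's status, but the server is thawed in every case:
# a backup that fails must not leave the directory read-only.
frozen_backup() {
    ldif="$1"; shift
    freeze || { echo "could not enter frozen mode, nothing exported" >&2; return 1; }
    rc=0
    ds export "$@" "$DS_SUFFIX" "$ldif" || rc=$?
    if ! thaw; then
        echo "WARNING: server still frozen; run: dsconf set-server-prop read-write-mode:read-write" >&2
        return 2
    fi
    [ "$rc" -eq 0 ] || echo "export failed with status $rc" >&2
    return "$rc"
}

# Example invocation, only when run as: sh backup.sh run
if [ "${1:-}" = "run" ]; then
    frozen_backup "/var/backups/ds-$(date +%Y%m%d).ldif" --no-repl
fi
```

Run it as `sh backup.sh run` to take a dated LDIF without replication metadata; without the argument the script only defines the functions. The exit status of frozen_backup is the export's own status, so a scheduler or monitoring job can distinguish a failed export from a server that is stuck in frozen mode (status 2).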

Backups of the logs and configuration information

The server creates backups of the configuration located in /pathto/instance/config.

dse.ldif.startOK is created upon successful server startup; this way you are fairly certain that the configuration is

dse.ldif.bak is up-to-date with latest changes as well.
