Notes covering OpenDJ hardware & software requirements, fixes, known issues. The OpenDJ project offers open source LDAP directory services in Java.

About OpenDJ

Important

In July 2018, OpenDJ 2.6 reached End of Service Life (EOSL).

ForgeRock customers must upgrade in order to receive continued support.

OpenDJ is an LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage. OpenDJ directory server comes with plenty of tools and a full-featured LDAP SDK for Java. OpenDJ directory server also offers REST access to directory data over HTTP.

OpenDJ is free to download, evaluate, and use in developing your applications and solutions. You can also check out and modify the source code to build your own version if you prefer. ForgeRock offers training and support subscriptions to help you get the most out of your deployment.

These release notes are written for everyone working with OpenDJ 2.6. Read these notes before you install or upgrade OpenDJ software. These notes cover hardware and software prerequisites for installing and upgrading OpenDJ software. These notes list key features added and changed in this release. They also cover compatibility with previous releases and alert you to potential changes coming up that could affect your scripts and applications. Finally, these notes list both issues fixed since the previous release and known issues open at the time of release.

See the Installation Guide for more after you read these release notes. The installation guide covers installation and upgrade for OpenDJ directory server, OpenDJ REST LDAP gateway, and OpenDJ DSML gateway.

Chapter 1. What's New in OpenDJ 2.6

Before you install OpenDJ or update your existing OpenDJ installation, read these release notes. Then update or install OpenDJ.

1.1. What's New in OpenDJ 2.6.4

OpenDJ 2.6.4 is a maintenance release that resolves a number of issues, including security issues in OpenDJ directory server. It is strongly recommended that you update to this release to make your deployment more secure, and to take advantage of important functional fixes. ForgeRock customers can contact support for help and further information.

The following improvements are new in OpenDJ 2.6.4:

Better log messages for "Server Error" client disconnections (OPENDJ-2327).
Performance improvements for the PBKDF2 password storage algorithm (OPENDJ-2151).
Performance improvements for looking up membership in large static groups that are updated frequently (OPENDJ-1906).

1.2. What's New in OpenDJ 2.6.3

OpenDJ 2.6.3 is a maintenance release that resolves a number of issues, including security issues in OpenDJ directory server. It is strongly recommended that you update to this release to make your deployment more secure, and to take advantage of important functional fixes. ForgeRock customers can contact support for help and further information.

OpenDJ 2.6.3 includes no new enhancements beyond those included in OpenDJ 2.6.2.

1.3. What's New in OpenDJ 2.6.2

OpenDJ 2.6.2 is a maintenance release that resolves a number of issues, including security issues in OpenDJ directory server. It is strongly recommended that you update to this release to make your deployment more secure, and to take advantage of important functional fixes. ForgeRock customers can contact support for help and further information.

The following improvement is new in OpenDJ 2.6.2:

OpenDJ server can now bind to a local address when making outgoing connections (OPENDJ-1565).

This improvement introduces a new configuration attribute, source-address, that you can set for Replication Domains, Replication Servers, and LDAP Pass Through Authentication Policies. If the source-address property is set to an IP address, OpenDJ binds to the address before connecting to the remote server. The address must be one assigned to an existing network interface.

1.4. What's New in OpenDJ 2.6.1

OpenDJ 2.6.1 is a maintenance release that resolves a number of issues, including security issues in OpenDJ directory server. It is strongly recommended that you update to this release to make your deployment more secure, and to take advantage of important functional fixes. ForgeRock customers can contact support for help and further information.

Compared to the OpenDJ 2.6.0 release, OpenDJ 2.6.1 provides these important enhancements:

OpenDJ directory server ships with updated Commons REST, OpenDJ LDAP SDK, and Berkeley DB Java Edition components (OPENDJ-1323).
OpenDJ directory server now makes it possible to specify password validators in subentry based password policies (OPENDJ-1295).
To configure password validators for a subentry password policy, add the auxiliary object class pwdValidatorPolicy and setting the multi-valued attribute, ds-cfg-password-validator, to the DNs of the password validator configuration entries.
OpenDJ directory server now orders attributes according to search request attribute list order (OPENDJ-1082).
OpenDJ directory server logs information to help you more effectively determine why a directory server replica switches its connection to a different replication server (OPENDJ-1053).
The REST LDAP Gateway now supports LDAPS connections and StartTLS (OPENDJ-1033).
For information on configuring the gateway to use LDAPS or StartTLS, see the comments in the configuration file, opendj-rest2ldap-servlet.json. Find the settings to change in the configuration for "ldapConnectionFactories".

1.5. What's New in OpenDJ 2.6.0

Compared to the OpenDJ 2.4.6 release, OpenDJ 2.6.0 provides the following new features:

OpenDJ now provides native RESTful access over HTTP to directory data (OPENDJ-808). See the procedure, To Set Up REST Access to OpenDJ Directory Server in the Administration Guide, to activate this feature.
OpenDJ REST LDAP gateway lets clients access directory data in remote LDAP servers over HTTP (OPENDJ-757). See the procedure, To Install OpenDJ REST LDAP Gateway in the Installation Guide, to get started.
OpenDJ now lets you delegate authentication to another LDAP directory service, such as Active Directory. The feature is called pass through authentication (PTA) (OPENDJ-262). With PTA, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.
For PTA to work, OpenDJ must be able to match its OpenDJ entry for the user with the user's entry on the remote directory service. The two entries must correspond in one of the following ways.
- Both the OpenDJ entry and the remote entry have the same DN.
- The OpenDJ entry has an attribute that holds the DN of the entry on the remote directory service.
- The OpenDJ entry and the remote entry share an attribute that has exactly the same value.
If user entries do not match originally, you can no doubt add an attribute to users' OpenDJ entries when configuring them to use pass through authentication.
To configure PTA, you set up an LDAP pass through authentication policy in OpenDJ's configuration, and then assign the policy to users in the same way you would assign a password policy. See the Administration Guide in the Administration Guide for details.
OpenDJ now provides Debian and RPM packages (OPENDJ-408).
The OpenDJ upgrade process and upgrade command have changed to facilitate native packaging on more platforms and to make upgrade easier to handle over time (OPENDJ-455).
Also, you can now force OpenDJ upgrade to complete if errors occur in non-interactive mode (OPENDJ-522).
See Upgrading to OpenDJ 2.6.0 in the Installation Guide for instructions.
OpenDJ now lets you filter access and audit logs to focus on messages that interest you. OpenDJ supports many criteria for flexible log filtering (OPENDJ-308).
OpenDJ now includes an ETag attribute for optimistic concurrency control (OPENDJ-409).
OpenDJ now supports the PBKDF2 password storage scheme (OPENDJ-510).
OpenDJ now lets you use more TLS cipher suites in SSFs, including those provided by Bouncy Castle and IBM (OPENDJ-826).
OpenDJ can now synchronize Samba password attribute values with the userPassword attribute value, ensuring that when users change their LDAP passwords in OpenDJ or change their LanMan or NT passwords in Samba, their password attribute values all stay in sync (OPENDJ-233, OPENDJ-511). To activate this feature, configure the OpenDJ Samba Password plugin by using the dsconfig command.
The OpenDJ dictionary password validator can now check whether a password value contains dictionary words as substrings (OPENDJ-295).
The character set password validator now supports optional character sets (OPENDJ-168). Also, The character set password validator now understands classes like "All non-Latin characters" (OPENDJ-620)
OpenDJ now provides a read-only, non-searchable operational attribute, ds-pwd-password-expiration-time, to make it easier to read the password expiration time for an account (OPENDJ-441).
OpenDJ now computes last login time as UTC time when the value is expressed in GeneralizedTime syntax (OPENDJ-418).
OpenDJ now lets you escape characters in make-ldif templates (OPENDJ-800).
Country String syntax now validates ISO 3166 codes (OPENDJ-562).
OpenDJ now sets isMemberOf on groups as well as user entries (OPENDJ-513).
Performance has been significantly improved for searches with a virtual attribute in the filter (OPENDJ-508).
OpenDJ now better supports more, and larger static groups (OPENDJ-197).
OpenDJ now supports checking that entries of new group members exist (OPENDJ-221). OpenDJ can now ensure both that members' entries exist when they are added to groups, and also that members are removed from groups when their entries are deleted.
OpenDJ now includes attribute syntax validation for X.509 certificate values (OPENDJ-482).
OpenDJ now runs more reliably as a Windows Service (OPENDJ-617).
OpenDJ now provides the rebuild-index --rebuildDegraded command for rebuilding degraded indexes (OPENDJ-406).
The OpenDJ rebuild-index command now provides an option, --clearDegradedState, to forcefully clear the state of an unused index for a newly created attribute (OPENDJ-473).
Import now performs better when handling LDIF entries with attributes that have many values, such as large static group entries (OPENDJ-469).
Persistent connections can now be identified when querying cn=monitor for the LDAP client connection handler. (OPENDJ-677).
OpenDJ now lets you configure the access log to display LDAP controls (OPENDJ-60).
OpenDJ now adds Unindexed to access log response messages for unindexed searches, making it easier to identify searches rejected by default (OPENDJ-246).
OpenDJ now logs use of the proxied authorization V1 control with obsoleteProxiedAuthzV1Control (OPENDJ-283).
OpenDJ now logs only fatal errors, severe errors, warnings, and notices at startup time (OPENDJ-438).
The mechanism to determine during setup whether the configuration has been modified runs a more effective check (OPENDJ-446).
OpenDJ now lets you setup the server in command-line mode without creating a default backend (OPENDJ-435).
OpenDJ schema for configuration attributes has been cleaned up (OPENDJ-393).
OpenDJ now uses Berkeley JE 5, which brings many performance improvements (OPENDJ-371, OPENDJ-662).
With the new version, explicitly use the Java setting -XX:+UseCompressedOops to improve performance, even if the setting is enabled by default in recent versions of the Java runtime environment. To apply JVM settings for your server, edit config/java.properties, and apply the changes with the dsjavaproperties command.
OpenDJ now exposes the je.log.fileCacheSize property through the ds-cfg-db-log-filecache-size configuration attribute (OPENDJ-383).
OpenDJ verify and rebuild index commands now use JE 5 disk ordered cursoring (OPENDJ-372).
More OpenDJ tools now prompt for a bind password when none is provided (OPENDJ-358).
OpenDJ DSML gateway now allows authentication using an ID rather than a DN (OPENDJ-352).
OpenDJ DSML gateway can now connect over SSL to the LDAP server (OPENDJ-269).
OpenDJ now lets you configure attributes to be removed or renamed on update (OPENDJ-258).
Subordinate indexes id2children and id2subtree can now be disabled on OpenDJ JE backends to improve performance when repeated adds and deletes are performed beneath the same entry (OPENDJ-250).
OpenDJ now calls Account Status Notification Handlers when an account in enabled or disabled by the manage-account (OPENDJ-248).
Change log content and configuration has been improved in this release (OPENDJ-194).
Default database cache size, request handler counts, and replication purge delay are now set more sensibly for default installations (OPENDJ-116, OPENDJ-186).
Collective attributes can now be applied based on the values of virtual attributes (OPENDJ-76).
OpenDJ now lets you execute control-panel as any user, not only the user who installed OpenDJ (OPENDJ-19).

1.6. What's New in OpenDJ LDAP Toolkit

The following new features and enhancements have been introduced since 2.6.0.

1.6.1. What's New in OpenDJ LDAP Toolkit 2.6.11

OpenDJ LDAP SDK 2.6.11 provides the following new features and enhancements:

The PersistentSearchChangeType enum now lets the developer get enum values from the int value representation. This lets you switch on values without redefining constants (OPENDJ-2023).
OpenDJ LDAP SDK now provides a TransactionIdControl to pass a transaction ID for audit logging in LDAP requests (OPENDJ-1926).

1.6.2. What's New in OpenDJ LDAP Toolkit 2.6.9

OpenDJ LDAP SDK 2.6.9 provides the following new features and enhancements:

OPENDJ-1508: Allow "=" in malformed attribute options
OPENDJ-1466: Improve initialization of InetSocketAddress in SDK to prevent cached DNS data.
OPENDJ-1152: Provide the ability to debug leaked pooled connections
OPENDJ-1124: Connection.search() return value not mockable
OPENDJ-1112: LoadBalancing connection factories need better diagnostic messages
OPENDJ-1091: Implement a cached connection pool
OPENDJ-1033: The Rest2LDAP servlet does not support SSL

1.7. Security Advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly. ForgeRock's security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Chapter 2. Before You Install OpenDJ Software

This chapter covers requirements to consider before you run OpenDJ, especially before you run OpenDJ in your production environment.

Note

OpenDJ 2.6.2 adds support for Java 8.

If you have a special request to support a combination not listed here, contact ForgeRock at info@forgerock.com.

2.1. Java Environment

OpenDJ software consists of pure Java applications. OpenDJ servers and clients therefore should run on any system with full Java support. OpenDJ is tested on a variety of operating systems, including Solaris SPARC and x86, various Linux distributions, Microsoft Windows, and Apple Mac OS X.

OpenDJ 2.6.1 and earlier requires Java 6 or 7, specifically at least the Java Standard Edition runtime environment. OpenDJ 2.6.2 and later requires Java 6, 7, or 8, ForgeRock has tested most with Oracle Java Platform, Standard Edition.

OpenDJ LDAP Toolkit requires Java 6 or 7. To build applications with the OpenDJ LDAP SDK, you need the corresponding Java SDK.

ForgeRock recommends that you keep your Java installation up to date with the latest security fixes.

2.2. Maximum Open Files

OpenDJ needs to be able to open many files, especially when handling many client connections. Linux systems in particular often set a limit of 1024 per user, which is too low for OpenDJ.

When setting up OpenDJ for production use, make sure OpenDJ can use at least use at least 64K (65536) file descriptors. For example when running OpenDJ as user opendj on a Linux system that uses /etc/security/limits.conf to set user level limits, you can set soft and hard limits by adding these lines to the file.

opendj soft nofile 65536
opendj hard nofile 131072

The example above assumes the system has enough file descriptors available overall. You can check the Linux system overall maximum as follows.

$ cat /proc/sys/fs/file-max
204252

2.3. Operating System

OpenDJ software depends on the Java environment more than it depends on the underlying operating system. That said, OpenDJ 2.6.0 has been validated on the following operating systems.

Apple Mac OS X 10.7, 10.8
Linux 2.6 and later
Microsoft Windows Server 2008 R2 and Windows Server 2012
Oracle Solaris 11 x86

In order to avoid directory database file corruption after crashes or power failures on Linux systems, enable file system write barriers and make sure that the file system journaling mode is ordered. For details on how to enable write barriers and how to set the journaling mode for data, see the options for your file system in the mount command manual page.

2.4. Virtualization

ForgeRock has tested OpenDJ software on systems running atop VMware vSphere Hypervisor (ESXi) 5.1.

2.5. Application Servers

OpenDJ directory server runs as a standalone Java service, and does not depend on an application server.

OpenDJ DSML gateway has been validated on Apache Tomcat 6 and 7.

OpenDJ REST LDAP gateway has been validated on Apache Tomcat 6 and Jetty 8. Using Jetty 8 is not supported with Java 8.

2.6. FQDNs For Replication

OpenDJ replication requires that you use fully qualified domain names, such as opendj.example.com.

Although you can use host names like my-laptop.local for evaluation, in production and even in your lab, you must either ensure DNS is set up correctly to provide fully qualified domain names, or set up /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) to provide fully qualified domain names.

2.7. Hardware

Thanks to the underlying Java platform, OpenDJ software runs well on a variety of processor architectures. Many directory service deployments meet their service-level agreements without the very latest or very fastest hardware.

For a server evaluation installation, you need 256 MB memory (32-bit) or 1 GB memory (64-bit) available to OpenDJ, with 100 MB free disk space for the software and a small set of sample data. For installation in production, read the rest of this section. You need at least 2 GB memory for OpenDJ and 4 times the disk space needed to house initial production data in LDIF format.^[1] To get a more accurate estimate of the disk space needed, import a known fraction of the initial LDIF with OpenDJ configured as for production, run tests based on the estimated rates of change and growth in directory data, and then use the actual space used in the test environment to estimate how much disk space you need in production.

OpenDJ directory servers almost always benefit from having enough system memory to cache all directory database files used. The reason is that reading from and writing to memory is typically much faster than reading from and writing to disk storage. For small data sets, you might not need extra memory. For large directories with millions of user directory entries, the system might not have enough slots to house sufficient memory to cache everything. To improve performance in such cases, one approach is to add solid state drives as an intermediate cache between memory and disk storage.

Processor architectures that provide fast single thread execution tend to help OpenDJ software deliver the lowest response times. For top end performance in terms both of sub-millisecond response times and also of throughput ranging from tens of thousands to hundreds of thousands of operations per second, the latest x86/x64 architecture chips tend to perform better than others tested. Chip multi-threading (CMT) processors can do very well on directory servers providing pure search throughput, even though response times can be higher. Yet, CMT processors can be slow to absorb hundreds or thousands of write operations per second. Their slower threads get blocked waiting on resources, and thus are not optimal for topologies with high write throughput requirements.

On systems with fast processors and enough memory to cache directory data completely, the network can become a bottleneck. Even if a single 1 Gbit Ethernet interface offers plenty of bandwidth to handle your average traffic load, it can be too small for peak traffic loads. Furthermore, you might choose to use separate interfaces for administrative traffic and application traffic. To estimate what network hardware you need, calculate the size of the data you return to applications during peak load. For example, if you expect to have a peak load of 100,000 searches per second, each returning a full 8 KB entry, you need a network that can handle 800 MB/sec (3.2 Gbit/sec) throughput, not counting any other operations such as writes that result in replication traffic.

The storage hardware you choose must allow you to house not only directory data including historical data for replication, but also logs. If you choose to retain access logs for auditing purposes on a heavily used directory, dedicate storage for the log archives as well. Furthermore, your storage must also keep pace with the write throughput. Write throughput can arise from modify, modify DN, add, and delete operations, but it can also result from bind operations. Such is the case when the last successful bind is recorded, and when account lockout is configured, for example. In a replicated topology, not only does a directory service write entries to disk when they are changed, but a directory service also writes changelog data and historical information in order to resolve potential replication conflicts. You base your network throughput needs on peak loads. Also base your storage throughput needs on peak loads.

Note

OpenDJ servers do not currently support network file systems such as NFS for database storage. Provide sufficient disk space on local storage such as internal disk or an attached disk array.

^[1]OpenDJ stores data in Berkeley DB Java Edition, which is implemented as a rolling log. Berkeley DB appends updates to the end of the last log file, and marks old pages as deleted. Berkeley DB cleaner threads monitor the log file occupancy ratio, moving the data to get rid of old log files. Yet, with the default occupancy ratio of 50%, log files are cleaned only when they have less than 50% valid pages. As a result, the database can reach twice its initial size in the worst case.

Furthermore, when you import data from LDIF, OpenDJ stores not only the data, but also builds indexes for many of the attributes, resulting in some growth. Replication historical data and other operational attributes can also take up space.

Finally, it makes sense to leave space for growth in the database size as you modify and add entries over time.

Chapter 3. Compatibility

This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.

Note

No incompatible changes have been made to OpenDJ server software since 2.6.0. This chapter reflects changes made in version 2.6.0.

The current OpenDJ LDAP SDK versions are binary-compatible with SDK 2.6.1. These maintenance versions do not introduce major changes.

3.1. Important Changes to Existing Functionality

OpenDJ 2.6.0 improves on earlier releases introducing many new features. Also take the following into account.

The upgrade process and upgrade command have changed to facilitate native packaging on more platforms. See Upgrading to OpenDJ 2.6.0 in the Installation Guide for instructions.
The default DB cache size is now 50%, rather than 10%.
If you have multiple backends, configure cache sizes accordingly.
The number of LDAP request handlers now defaults to half the CPU count.
The replication purge delay default has increased from one day to three days.
Syntax checking has been added for certificate and country attribute values. This affects applications updating those attribute values. Applications updating country attribute values must now use Country String syntax for example, which uses two-character codes from ISO 3166 such as US instead of full names such as United States.
The following global ACI settings have changed.
- OpenDJ directory server now allows any client to use the LDAP Permissive Modify Request control, 1.2.840.113556.1.4.1413, by default for newly installed servers.
- The "Anonymous read access" global ACI has changed. The list of attributes that are not allowed has been changed to add includedAttributes and to remove targetUniqueID.
When you upgrade from earlier versions of OpenDJ, however, the previous global-aci settings are not updated. To apply the changes manually, change the relevant global-aci settings by using the dsconfig command. An example of how to change a global-aci property can be found in the Administration Guide, ACI: Disable Anonymous Access in the Administration Guide.
For the SNMP Connection Handler, the default security-agent-file has changed to opendj-snmp.security (OPENDJ-982), and the upgrade process changes the file name. The community has also changed to OpenDJ. If the SNMP Connection Handler fails to start after upgrade, use the dsconfig command to make sure that the security-agent-file property is correctly set for your installation.

3.2. Deprecated Functionality

OpenDJ 2.6.0 makes use of new environment variables aligned with the project name to use OPENDJ. Use of the old variables is Deprecated. The old variables are likely to be removed in a future release.

The dsframework command is Deprecated and likely to be removed in a future release.

The following OpenDJ LDAP SDK methods are Deprecated and likely to be removed in a future release.

org.forgerock.opendj.ldap.LDAPListenerOptions#getTCPNIOTransport
org.forgerock.opendj.ldap.LDAPListenerOptions#setTCPNIOTransport
org.forgerock.opendj.ldap.LDAPOptions#getTCPNIOTransport
org.forgerock.opendj.ldap.LDAPOptions#setTCPNIOTransport

3.3. Removed Functionality

Native packages in SVR4 format for Solaris are not provided at this time.

Chapter 4. OpenDJ Fixes, Limitations, & Known Issues

This chapter covers the status of key issues and limitations for OpenDJ 2.6. For details and information on other issues, see the OpenDJ issue tracker.

Note

OpenDJ 2.6 contains fixes that resolve security issues within OpenDJ. Older versions of OpenDJ contain these security issues. It is recommended that you upgrade to 2.6 to resolve these security issues. ForgeRock customers can contact support for details.

OpenDJ 2.6.0 also includes important improvements to replication. Replication remains fully compatible with earlier versions. However, some operations that work fine with OpenDJ 2.6.0, such as replicating large groups and replicating high volumes of adds and deletes, can cause issues for earlier versions. Make sure you upgrade all servers to 2.6.0 before allowing clients to take advantage of write operations that could cause trouble for older servers.