Mark Craig used to work as lead writer on Sun’s Directory Server documentation, then he managed Sun’s Identity Documentation teams. After that at Sun and at Oracle, he managed the Directory Integration Team, part of the Directory Services engineering group.

While at Sun, Mark’s blog was called Margin Notes. This blog is both a continuation and also a new version of Margin Notes, hence the 2.0.

Mark now works at ForgeRock. He lives near Grenoble, France, with his wife and three children.

5 thoughts on “About”

  1. Csaba Dobo

    Nice blog,
    may I ask a few questions?

    In my company we are thinking about using forgerock but have been unable to find answers to help decide on if it is for us or not.

    Also set up previously an openldap server with sudo ldap and nss for my purposes but forgerock seems more streamlined. Not sure if it has all the tools ready for what we want.

    I managed to set up openidm and opendj under linux.
    What I need to know to evaluate the product is:
    Would this system work for us in setting up a centralized directory to manage users in a unix-linux server environment? We also want to set what user can access what host and who can be a system admin on what host.
    This is what we would like to use this system for.

    Do you have any case studies and docs on this? Perhaps a step-by-step doc?

    I would also like to know if this can provide a simple web gui to manage users and hosts?

    1. Thanks Csaba,

      Great questions, and I know that some of the people on the OpenDJ mailing list, https://lists.forgerock.org/pipermail/opendj/, are using OpenDJ as a network directory. Some additional features like the Samba Password Sync plugin help to make OpenDJ a good fit, http://docs.forgerock.org/en/opendj/2.6.0/admin-guide/index/chap-samba.html

      OpenIDM can give you REST and GUI access to manage users, and can handle the provisioning, for example to integrate with existing systems. I’m not sure that it would be something out of the box specific to UNIX-Linux system administration, though. The default UI is going to be something like what you see in the Integrators Guide, http://docs.forgerock.org/en/openidm/3.0.0/integrators-guide/#ui-overview
      The OpenIDM mailing list is also very active, https://lists.forgerock.org/pipermail/openidm/


  2. kiefermd

    Hello Mark!
    I have hit a road block with what I assumed would be a simple demo setup using OpenDJ 7. This demo has the simple “dc=example,dc=com” DIT, with each being a backend, like so:

    Backend : Type : enabled : base-dn
    ExmpRoot : je : true : dc=example,dc=com
    userData : je : true : dc=com

    The userData (dc=com) backend is created via the setup script, and we do NOT want this to replicate. Next the ExmpRoot backend (dc=example) is created with dsconfig, and we DO want this one to replicate.

    The goal is to support site specific ACIs stored at the dc=com level, and shared data under dc=example. The config guide says you can not replicate both of these from the same server, but is it possible to only replicate the level that is “deeper” in the DIT?

    Any suggestions would be appreciated.

    1. The setup profiles expect that you’ll want to replicate the data. So I don’t think they even give you an option for that. If you want *not* to replicate the data, then you must change the configuration to stop replicating the domain.

      In DS 7, to stop replicating the domain dc=com, disable replication for the domain *on each replica*. For example, the following command sets enabled:false for the replication domain dc=com:

      dsconfig set-replication-domain-prop \
      --provider-name Multimaster\ Synchronization \
      --domain-name dc=com \
      --set enabled:false \
      --hostname localhost \
      --port 4444 \
      --bindDn uid=admin \
      --bindPassword password \
      --trustAll

      If dc=com doesn’t really hold any data, just ACIs, then another alternative is not to create a dc=com backend at all, but to use global ACIs instead. Global ACIs are the same as regular ACIs, except that they reside in the server configuration, not in the data. So they cannot be replicated.

      You can list global-acis, dsconfig get-access-control-handler-prop --property global-aci, but I’d recommend editing them interactively at least to get started. Run dsconfig without any subcommand to start it in interactive mode. Once you’ve made the change interactively, the dsconfig command will display the equivalent command-line in case you want to script the operation afterwards.
