Both the one-pager and FOSS checklist are attached below.  Timeout is Nov 19, 2008.
-tdc


Template Version: @(#)onepager.txt 1.31 07/08/08 SMI

This information is Copyright 2007 Sun Microsystems

1. Introduction
1.1. Project/Component Working Name:
     OpenDS Integration in OpenSolaris

1.2. Name of Document Author/Supplier:
     Gilles Bellaton

1.3. Date of This Document:
     27/10/2008

1.4. Name of Major Document Customer(s)/Consumer(s):
     1.4.1. OpenSolaris
     1.4.2. LSARC

1.5. Email Aliases:
     1.5.2. Responsible Engineer: Gilles.Bellaton at sun.com
     1.5.4. Interest List: opends-opensolaris at sun.com

2. Project Summary
2.1. Project Description:

     OpenDS is an open source project led by Sun Microsystems,
     building a comprehensive and complete LDAPv3 based
     Directory Service. The project web site is www.opends.org
     and the developer's section hosted on opends.dev.java.net.

     The goal of this project is to integrate the current OpenDS
     technology in the OpenSolaris repository for Unbundled product.
     OpenDS will be integrated as a Binary product. The sources
     will not be bundled as they are already maintained by a
     separate community.
     The goal of this integration is to provide to OpenSolaris
     users the possibility to easily install and run OpenDS.
     This should increase adoption of both OpenDS and OpenSolaris.
     The current plan is to integrate OpenDS 1.2 in OpenSolaris.

2.2. Risks and Assumptions:
     No known risks at this point.

3. Business Summary
3.1. Problem Area:
     OpenSolaris needs a high performance, easy to use
     Directory Server for Naming Services and other applications.
     OpenSolaris users have to go to OpenDS pages and manually
     install OpenDS zip packages in order to benefit from
     OpenDS technology.
     This project will help users desiring to use both OpenSolaris
     and OpenDS by providing a coherent packaging and a common
     repository.

3.2. Market/Requester:
     All users using both OpenSolaris and a Directory Server.

3.3. Business Justification:
     Increase adoption of both OpenDS and OpenSolaris

3.4. Competitive Analysis:
     OpenLDAP is already integrated in OpenSolaris.
     OpenDS will provide an alternate LDAPv3 compliant directory server,
     that is easier to use and manage and will offer smooth migration
     for those familiar with the Sun Directory Server Enterprise Edition.
     OpenDS will also integrate in other Operating Systems.

3.5. Opportunity Window/Exposure:
     OpenDS is ready to be integrated.

3.6. How will you know when you are done?:
     When SVR4/IPS packages for OpenSolaris are available.

4. Technical Description:
4.1. Details:
         Develop SVR4/IPS packages for OpenSolaris

4.2. Bug/RFE Number(s):
      None.

4.3. In Scope:
      This project will only integrate OpenDS server side.

4.4. Out of Scope:
      Since OpenSolaris already has a number of LDAP libraries
      and command lines, OpenDS LDAP commands and libraries will
      not be provided in the OpenSolaris

4.5. Interfaces:

      OpenDS main interface is LDAPv3 and is defined by a set of
      well known RFCs in the LDAP community.

      OpenDS also provides a set of admin interfaces that will
      not be changed by this project :
     /opt/opends                                  Volatile
     /opt/opends/upgrade                          Uncommitted
     /opt/opends/bin                              Uncommitted
     /opt/opends/bin/dsreplication                Uncommitted
     /opt/opends/bin/control-panel                Uncommitted
     /opt/opends/bin/dsconfig                     Uncommitted
     /opt/opends/bin/ldif-diff                    Uncommitted
     /opt/opends/bin/verify-index                 Uncommitted
     /opt/opends/bin/dbtest                       Uncommitted
     /opt/opends/bin/encode-password              Uncommitted
     /opt/opends/bin/base64                       Uncommitted
     /opt/opends/bin/rebuild-index                Uncommitted
     /opt/opends/bin/restore                      Uncommitted
     /opt/opends/bin/ldifmodify                   Uncommitted
     /opt/opends/bin/ldappasswordmodify           Uncommitted
     /opt/opends/bin/start-ds                     Uncommitted
     /opt/opends/bin/dsframework                  Uncommitted
     /opt/opends/bin/list-backends                Uncommitted
     /opt/opends/bin/manage-account               Uncommitted
     /opt/opends/bin/manage-tasks                 Uncommitted
     /opt/opends/bin/dsjavaproperties             Uncommitted
     /opt/opends/bin/export-ldif                  Uncommitted
     /opt/opends/bin/make-ldif                    Uncommitted
     /opt/opends/bin/create-rc-script             Uncommitted
     /opt/opends/bin/status                       Uncommitted
     /opt/opends/bin/ldifsearch                   Uncommitted
     /opt/opends/bin/status-panel                 Uncommitted
     /opt/opends/bin/import-ldif                  Uncommitted
     /opt/opends/bin/backup                       Uncommitted
     /opt/opends/bin/stop-ds                      Uncommitted
     /opt/opends/setup                            Uncommitted
     /opt/opends/configure                        Uncommitted
     /opt/opends/config                           Uncommitted
     /opt/opends/config/schema                    Uncommitted
     /opt/opends/config/schema/03-rfc3712.ldif    Uncommitted
     /opt/opends/config/schema/03-rfc2713.ldif    Uncommitted
     /opt/opends/config/schema/01-pwpolicy.ldif   Uncommitted
     /opt/opends/config/schema/03-uddiv3.ldif     Uncommitted
     /opt/opends/config/schema/03-rfc3112.ldif    Uncommitted
     /opt/opends/config/schema/04-rfc2307bis.ldif Uncommitted
     /opt/opends/config/schema/02-config.ldif     Uncommitted
     /opt/opends/config/schema/03-rfc2739.ldif    Uncommitted
     /opt/opends/config/schema/00-core.ldif       Uncommitted
     /opt/opends/config/schema/03-rfc2714.ldif    Uncommitted
     /opt/opends/config/schema/03-changelog.ldif  Uncommitted
     /opt/opends/config/schema/03-rfc2926.ldif    Uncommitted
     /opt/opends/config/schema/04-rfc4876.ldif    Uncommitted
     /opt/opends/config/schema/04-solaris.ldif    Uncommitted
     /var/opt/opends                              Volatile
     /var/opt/opends/bak                          Uncommitted
     /var/opt/opends/changelogDb                  Uncommitted
     /var/opt/opends/classes                      Uncommitted
     /var/opt/opends/config                       Uncommitted
     /var/opt/opends/config/MakeLDIF              Uncommitted
     /var/opt/opends/config/messages              Uncommitted
     /var/opt/opends/config/schema                Uncommitted
     /var/opt/opends/config/servicetag            Uncommitted
     /var/opt/opends/config/snmp                  Uncommitted
     /var/opt/opends/config/snmp/security         Uncommitted
     /var/opt/opends/config/upgrade               Uncommitted
     /var/opt/opends/db                           Uncommitted
     /var/opt/opends/import-tmp                   Uncommitted
     /var/opt/opends/ldif                         Uncommitted
     /var/opt/opends/lib                          Uncommitted
     /var/opt/opends/lib/extensions               Uncommitted
     /var/opt/opends/locks                        Uncommitted
     /var/opt/opends/logs                         Uncommitted
     /var/opt/opends/config/buildinfo             Uncommitted
     /var/opt/opends/config/config.ldif           Uncommitted
     /var/opt/opends/config/java.properties       Uncommitted
     /var/opt/opends/config/MakeLDIF/cities                              Uncommitted
     /var/opt/opends/config/MakeLDIF/example.template                    Uncommitted
     /var/opt/opends/config/MakeLDIF/first.names                         Uncommitted
     /var/opt/opends/config/MakeLDIF/last.names                          Uncommitted
     /var/opt/opends/config/MakeLDIF/states                              Uncommitted
     /var/opt/opends/config/MakeLDIF/streets                             Uncommitted
     /var/opt/opends/config/messages/account-disabled.template           Uncommitted
     /var/opt/opends/config/messages/account-enabled.template            Uncommitted
     /var/opt/opends/config/messages/account-expired.template            Uncommitted
     /var/opt/opends/config/messages/account-idle-locked.template        Uncommitted
     /var/opt/opends/config/messages/account-permanently-locked.template Uncommitted
     /var/opt/opends/config/messages/account-reset-locked.template       Uncommitted
     /var/opt/opends/config/messages/account-temporarily-locked.template Uncommitted
     /var/opt/opends/config/messages/account-unlocked.template           Uncommitted
     /var/opt/opends/config/messages/password-changed.template           Uncommitted
     /var/opt/opends/config/messages/password-expired.template           Uncommitted
     /var/opt/opends/config/messages/password-expiring.template          Uncommitted
     /var/opt/opends/config/messages/password-reset.template             Uncommitted
     /var/opt/opends/config/servicetag/opends.uuids.properties           Uncommitted
     /var/opt/opends/config/tools.properties                             Uncommitted
     /var/opt/opends/config/upgrade/config.ldif.4535                     Uncommitted
     /var/opt/opends/config/upgrade/schema.ldif.4535                     Uncommitted
     /var/opt/opends/config/wordlist.txt                                 Uncommitted

     All the files and directories in /var/opt/ are created by the
     /opt/opends/configure command. /var/opt is only the default path;
     this can be changed by the user at installation time.

4.6. Doc Impact:
      OpenDS documentation is currently delivered on a wiki.
      man pages will be delivered for the main administrative interfaces
      - opends (5) overview
      - dsconfig
      - control-panel
      - dsreplication
      - configure

4.7. Admin/Config Impact:
      A new command is being developed to create the OpenDS instance
      after the packages have been added on the OS.

4.8. HA Impact:
      None.

4.9. I18N/L10N Impact:
      None.
      OpenDS is already internationalized and localized in several languages.

4.10. Packaging & Delivery:
      This project will deliver a new package called OpenDS whose content
      is described below.

      opends package content:
      basedir: /opt
      layout:
      d none opends 0755 root sys
      d none opends/bin 0755 root sys
      d none opends/config 0755 root sys
      d none opends/config/schema 0755 root sys
      d none opends/legal-notices 0755 root sys
      d none opends/lib 0755 root sys
      d none opends/lib/extensions 0755 root sys
      d none opends/tmpl_instance 0755 root sys
      d none opends/tmpl_instance/bak 0755 root sys
      d none opends/tmpl_instance/changelogDb 0755 root sys
      d none opends/tmpl_instance/classes 0755 root sys
      d none opends/tmpl_instance/config 0755 root sys
      d none opends/tmpl_instance/config/MakeLDIF 0755 root sys
      d none opends/tmpl_instance/config/messages 0755 root sys
      d none opends/tmpl_instance/config/schema 0755 root sys
      d none opends/tmpl_instance/config/servicetag 0755 root sys
      d none opends/tmpl_instance/config/snmp 0755 root sys
      d none opends/tmpl_instance/config/snmp/security 0755 root sys
      d none opends/tmpl_instance/config/upgrade 0755 root sys
      d none opends/tmpl_instance/db 0755 root sys
      d none opends/tmpl_instance/import-tmp 0755 root sys
      d none opends/tmpl_instance/ldif 0755 root sys
      d none opends/tmpl_instance/lib 0755 root sys
      d none opends/tmpl_instance/lib/extensions 0755 root sys
      d none opends/tmpl_instance/locks 0755 root sys
      d none opends/tmpl_instance/logs 0755 root sys
      f none opends/bin/backup 0755 root sys
      f none opends/bin/base64 0755 root sys
      f none opends/bin/control-panel 0755 root sys
      f none opends/bin/create-rc-script 0755 root sys
      f none opends/bin/dbtest 0755 root sys
      f none opends/bin/dsconfig 0755 root sys
      f none opends/bin/dsframework 0755 root sys
      f none opends/bin/dsjavaproperties 0755 root sys
      f none opends/bin/dsreplication 0755 root sys
      f none opends/bin/encode-password 0755 root sys
      f none opends/bin/export-ldif 0755 root sys
      f none opends/bin/import-ldif 0755 root sys
      f none opends/bin/ldappasswordmodify 0755 root sys
      f none opends/bin/ldif-diff 0755 root sys
      f none opends/bin/ldifmodify 0755 root sys
      f none opends/bin/ldifsearch 0755 root sys
      f none opends/bin/list-backends 0755 root sys
      f none opends/bin/make-ldif 0755 root sys
      f none opends/bin/manage-account 0755 root sys
      f none opends/bin/manage-tasks 0755 root sys
      f none opends/bin/rebuild-index 0755 root sys
      f none opends/bin/restore 0755 root sys
      f none opends/bin/start-ds 0755 root sys
      f none opends/bin/status 0755 root sys
      f none opends/bin/status-panel 0755 root sys
      f none opends/bin/stop-ds 0755 root sys
      f none opends/bin/verify-index 0755 root sys
      f none opends/config/schema/00-core.ldif 0644 root sys
      f none opends/config/schema/01-pwpolicy.ldif 0644 root sys
      f none opends/config/schema/02-config.ldif 0644 root sys
      f none opends/config/schema/03-changelog.ldif 0644 root sys
      f none opends/config/schema/03-rfc2713.ldif 0644 root sys
      f none opends/config/schema/03-rfc2714.ldif 0644 root sys
      f none opends/config/schema/03-rfc2739.ldif 0644 root sys
      f none opends/config/schema/03-rfc2926.ldif 0644 root sys
      f none opends/config/schema/03-rfc3112.ldif 0644 root sys
      f none opends/config/schema/03-rfc3712.ldif 0644 root sys
      f none opends/config/schema/03-uddiv3.ldif 0644 root sys
      f none opends/config/schema/04-rfc2307bis.ldif 0644 root sys
      f none opends/config/schema/04-rfc4876.ldif 0644 root sys
      f none opends/config/schema/04-solaris.ldif 0644 root sys
      f none opends/configure 0744 root sys
      f none opends/example-plugin.zip 0644 root sys
      f none opends/install.html 0644 root sys
      f none opends/install.txt 0644 root sys
      f none opends/legal-notices/BerkeleyDB-JE.LICENSE 0644 root sys
      f none opends/legal-notices/jaf.LICENSE 0644 root sys
      f none opends/legal-notices/javamail.LICENSE 0644 root sys
      f none opends/legal-notices/OpenDS.LICENSE 0644 root sys
      f none opends/lib/_client-script.sh 0755 root sys
      f none opends/lib/_mixed-script.sh 0755 root sys
      f none opends/lib/_script-util.sh 0755 root sys
      f none opends/lib/_server-script.sh 0755 root sys
      f none opends/lib/activation.jar 0644 root sys
      f none opends/lib/je.jar 0644 root sys
      f none opends/lib/mail.jar 0644 root sys
      f none opends/lib/OpenDS.jar 0644 root sys
      f none opends/lib/quicksetup.jar 0644 root sys
      f none opends/opends_logo.png 0644 root sys
      f none opends/README 0644 root sys
      f none opends/setup 0755 root sys
      f none opends/tmpl_instance/config/admin-backend.ldif 0644 root sys
      f none opends/tmpl_instance/config/buildinfo 0644 root sys
      f none opends/tmpl_instance/config/config.ldif 0644 root sys
      f none opends/tmpl_instance/config/java.properties 0644 root sys
      f none opends/tmpl_instance/config/MakeLDIF/cities 0644 root sys
      f none opends/tmpl_instance/config/MakeLDIF/example.template 0644 root sys
      f none opends/tmpl_instance/config/MakeLDIF/first.names 0644 root sys
      f none opends/tmpl_instance/config/MakeLDIF/last.names 0644 root sys
      f none opends/tmpl_instance/config/MakeLDIF/states 0644 root sys
      f none opends/tmpl_instance/config/MakeLDIF/streets 0644 root sys
      f none opends/tmpl_instance/config/messages/account-disabled.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-enabled.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-expired.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-idle-locked.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-permanently-locked.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-reset-locked.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-temporarily-locked.template 0644 root sys
      f none opends/tmpl_instance/config/messages/account-unlocked.template 0644 root sys
      f none opends/tmpl_instance/config/messages/password-changed.template 0644 root sys
      f none opends/tmpl_instance/config/messages/password-expired.template 0644 root sys
      f none opends/tmpl_instance/config/messages/password-expiring.template 0644 root sys
      f none opends/tmpl_instance/config/messages/password-reset.template 0644 root sys
      f none opends/tmpl_instance/config/servicetag/opends.uuids.properties 0644 root sys
      f none opends/tmpl_instance/config/tools.properties 0644 root sys
      f none opends/tmpl_instance/config/upgrade/config.ldif.4535 0644 root sys
      f none opends/tmpl_instance/config/upgrade/schema.ldif.4535 0644 root sys
      f none opends/tmpl_instance/config/wordlist.txt 0644 root sys
      f none opends/upgrade 0755 root sys
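
      A layout in this form can be checked mechanically for setuid/setgid bits and
      writable modes before review. The following is an added example, not part of
      the proposal or of OpenDS: the function names are hypothetical, and the last
      two sample entries are constructed to show what a finding looks like.

```python
"""Audit prototype(4)-style layout entries for risky modes (added example)."""
import stat

# The first seven entries are copied from the layout above. The last two are
# CONSTRUCTED for illustration only and do not appear in the package.
SAMPLE = """\
d none opends 0755 root sys
d none opends/bin 0755 root sys
f none opends/bin/start-ds 0755 root sys
f none opends/bin/encode-password 0755 root sys
f none opends/configure 0744 root sys
f none opends/lib/OpenDS.jar 0644 root sys
f none opends/tmpl_instance/config/config.ldif 0644 root sys
f none opends/bin/constructed-helper 4755 root sys
d none opends/constructed-spool 0777 root sys
"""

# File types that carry "mode owner group" in a six-field entry.
CHECKED_TYPES = {"d", "f", "e", "v", "x"}


def parse_prototype(text):
    """Return (ftype, path, mode, owner, group) for each auditable entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments (#) and prototype commands (!).
        if not line or line[0] in "#!":
            continue
        fields = line.split()
        # Info files ("i pkginfo") and other short forms have no mode to audit.
        if len(fields) != 6 or fields[0] not in CHECKED_TYPES:
            continue
        ftype, _pclass, path, mode, owner, group = fields
        if mode == "?":  # "?" means: leave the existing mode unchanged
            continue
        # "path=source" entries: only the installed path matters here.
        entries.append((ftype, path.split("=", 1)[0], int(mode, 8), owner, group))
    return entries


def audit(text):
    """Return a list of (path, finding) tuples, in layout order."""
    findings = []
    for ftype, path, mode, owner, _group in parse_prototype(text):
        if mode & stat.S_ISUID:
            findings.append((path, "setuid"))
        if mode & stat.S_ISGID:
            findings.append((path, "setgid"))
        if mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        if mode & stat.S_IWOTH:
            sticky = ftype == "d" and mode & stat.S_ISVTX
            findings.append((path, "world-writable" + (" (sticky)" if sticky else "")))
        if owner != "root":
            findings.append((path, "owner " + owner))
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{finding:>16}  {path}")
```

      Only the two constructed entries are reported; the entries copied from the
      layout produce no findings.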

4.11. Security Impact:
       The OpenDS component listens on the LDAP port and a port used
       for replication.
       The LDAP port is secured using the standard LDAP mechanisms (SASL,
       TLS and Kerberos).
       The replication port is only accessible using SSL.
       The LDAP data are protected using the same access control model as
       the DSEE LDAP server.

4.12. Dependencies:
       OpenDS requires a 1.5 Java Virtual Machine.

5. Reference Documents:
       https://www.opends.org

6. Resources and Schedule:
6.1. Projected Availability:
     Dec 2008

6.2. Cost of Effort:
     A few months of work.

6.4. Product Approval Committee requested information:
     6.4.1. Consolidation or Component Name: DSEE
     6.4.7. Target RTI Date/Release:
             This project needs to be ready by Jan 2009 in order to
             integrate Open Solaris 2009.04

6.5. ARC review type: FastTrack
6.6. ARC Exposure: open
    6.6.1. Rationale: Part of OpenSolaris

7. Prototype Availability:
7.1. Prototype Availability:
     Nov 2008

7.2. Prototype Cost:
     A few weeks.






FCL--FOSS Check List
0.  Introduction
0.1 Document History
    Version   Author             Changes                                        Date
    0.1       John Fischer       Initial Draft                                  01/11/2008
    0.2       John Fischer       Modified based upon feedback from ARC members  01/29/2008
    0.3       John Fischer       Modified based upon feedback during committee  02/12/2008
                                 review
    0.4       John Fischer       Modified based upon SAC review feedback        04/01/2008
    0.5       John Fischer       Modified based upon LSARC business meeting     06/10/2008
                                 adding familiarity question and mod dates.
    0.6       John Fischer       Modified based upon user feedback about        06/20/2008
                                 sections that were unanswerable.

0.2 Purpose
    Architecture review at Sun has allowed the company to evolve our projects
    within multiple disjoint groups while still maintaining a cohesive product
    line.  Each architecture review was conducted within Sun's control.  With
    the advent of Free Open Source Software processes the control that Sun as
    a company can wield has been diminished.  Now that Sun is moving to a more
    fluid delivery mechanism with project Indiana we need to evolve the
    architecture review process.  This document is meant to aid in the
    architecture review process.  Each new project must complete this check list
    to help ensure that the overall resulting product conforms to Sun product
    standards.  If the project deviates from these standards further review
    would be necessary by an architecture review committee.

    After the check list is completed the project team should be able to
    determine if a project can be automatically approved.  This will occur
    if all checks result in no "ARC review required" answers.  A committee
    member will assist the project team in filing the automatically approved
    fast track.  An automatically approved fast track is still required in order
    to record the interfaces for future reference.  If the project needs to
    have further review then follow the regular process for getting projects
    reviewed.

1.0 Project Information
1.1 Name of project/component
Sun OpenDS

1.2 Author of document
Gilles Bellaton

2.0 Project Summary
  2.1 Project Description

OpenDS is an open source community project building a free and
comprehensive next generation directory service.
OpenDS is designed to address large deployments,
to provide high performance, to be highly extensible,
and to be easy to deploy, manage and monitor.

The Directory Server is a network-accessible database that is able to
store information in a hierarchical form.
Clients may communicate with it using
standard network protocols (at present LDAP and DSML are supported)
to retrieve and update information in a variety of ways.

Initial development of OpenDS was done by Sun Microsystems, but it
is now available under the open source
Common Development and Distribution License (CDDL).

  2.2 Release binding
      What is the release binding?
      (see http://opensolaris.org/os/community/arc/policies/release-taxonomy/)
      [ ] Major
      [X] Minor
      [ ] Patch or Micro
      [ ] Unknown -- ARC review required

  2.3 Type of project
      Is this case a Linux Familiarity project?
      [ ] Yes
      [X] No

  2.4 Originating Community
    2.4.1 Community Name
OpenDS

    2.4.2 Community Involvement
      Indicate Sun's involvement in the community
      [X] Maintainer
      [ ] Contributor
      [ ] Monitoring

      Will the project team work with the upstream community to resolve
      architectural issues of interest to Sun?
      [X] Yes
      [ ] No - briefly explain

      Will we or are we forking from the community?
      [ ] Yes - ARC review required prior to forking
      [X] No

3.0 Technical Description
  3.1 Installation & Sharable
    3.1.1S Solaris Installation - section only required for Solaris Software
      (see http://opensolaris.org/os/community/arc/policies/install-locations/ for details)
      Does this project follow the Install Locations best practice?
      [X] Yes
      [ ] No - ARC review required

      Does this project install into /usr under [sbin|bin|lib|include|man|share]?
      [ ] Yes
      [X] No or N/A

      Does this project install into /opt?
      [X] Yes - explain below
      [ ] No or N/A

      Does this project install into a different directory structure?
      [ ] Yes - ARC review required
      [X] No or N/A

      Do any of the components of this project conflict with anything under /usr?
      (see http://opensolaris.org/os/community/arc/caselog/2007/047/ for details)
      [ ] Yes - explain below
      [X] No

      If conflicts exist then will this project install under /usr/gnu?
      [ ] Yes
      [ ] No - ARC review required
      [X] N/A

      Is this project installing into /usr/sfw?
      [ ] Yes - ARC review required
      [X] No


    3.1.2 Share and Sharable
      Does the module include any components that are used or shared by
      other projects?
      [ ] Yes
      [X] No

      If yes are these components packaged to be shared with the other FOSS?
      [ ] Yes
      [ ] No - ARC review required
      [X] N/A

      Are these components already in the Solaris WOS?
      [ ] Yes
      [X] No - continue with next section (section 3.2)

      If yes are these newer versions being delivered?
      [ ] Yes
      [ ] No - ARC review required

      If yes are the newer versions replacing the existing versions?
      [ ] Yes
      [ ] No - ARC review required

  3.2 Exported Libraries
      Are libraries being delivered by this project?
      [ ] Yes
      [X] No - continue with next section (section 3.3)

      Are 64-bit versions of the libraries being delivered?
      [ ] Yes
      [ ] No - ARC review required

      Are static versions of the libraries being delivered?
      [ ] Yes - ARC review required
      [ ] No

  3.3 Services and the /etc Directory
      (see http://opensolaris.org/os/community/arc/policies/SMF-policy/)
      Does the project integrate anything into /etc/init.d or /etc/rc?.d?
      [ ] Yes - ARC review required
      [X] No

      Does the project integrate any new entries into /etc/inittab or
      /etc/inetd.conf?
      [ ] Yes - ARC review required
      [X] No

      Does the project integrate any private non-public files into /etc/default
      or /etc/ configuration files?
      [ ] Yes - ARC review required
      [X] No

      Does the service manifest's method context grant rights above that
      of the noaccess user and basic privilege set?
      [ ] Yes - ARC review required
      [X] No

  3.4 Security
    3.4.1 Secure By Default
      (see http://opensolaris.org/os/community/arc/policies/secure-by-default/ for details)
      (see http://www.opensolaris.org/os/community/arc/policies/NITS-policy/ for details)
      (see parts of http://opensolaris.org/os/community/arc/policies/SMF-policy/ for
       additional details)
      Are there any network services provided by this project?
      [X] Yes
      [ ] No - continue with the next section (section 3.4.2)

      Are network services enabled by default?
      [ ] Yes - ARC review required
      [X] No
      [ ] N/A

      Are network services automatically enabled by the project during installation?
      [ ] Yes - ARC review required
      [X] No
      [ ] N/A

      Are inbound network communications denied by default?
      [ ] Yes
      [ ] No - ARC review required
      [X] N/A

      Is inbound data checked to prevent content-based attacks?
      [X] Yes
      [ ] No - ARC review required
      [ ] N/A

      Is the outbound receiver authenticated?
      [X] Yes
      [ ] No - ARC review required
      [ ] N/A

      Is the receiver authenticated prior to receiving any sensitive outbound communication?
      [X] Yes
      [ ] No - ARC review required
      [ ] N/A

    3.4.2 Authorization
      (see http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ and
           http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
           for details)
      Are there any setuid/setgid privileged binaries in the project?
      [ ] Yes - ARC review required
      [X] No - continue with next section (section 3.4.3)

      If yes then are the setuid/setgid privileges handled by the use of roles?
      [ ] Yes
      [ ] No - ARC review required

    3.4.3 Auditing
      (see http://opensolaris.org/os/community/arc/policies/audit-policy/ for details)
      (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details)
      Does this component contain administrative or security enforcing software?
      [ ] Yes - ARC review required
      [X] No - continue to next section (section 3.4.4)

      (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details)
      Do the components create audit logs detailing what took place including what event
      took place, who was involved, when the event took place?
      [ ] Yes - ARC contract and Audit project team review required
      [ ] No - ARC review required


    3.4.4 Authentication
      (see http://opensolaris.org/os/community/arc/policies/PAM/)
      Do the components contain any authentication code?
      [X] Yes
      [ ] No - continue to next section (section 3.4.5)

      If yes do the components use PAM (pluggable authentication modules) for authentication?
      [ ] Yes
      [X] No - ARC review required

      If yes is a single PAM session maintained during authentication?
      [ ] Yes
      [ ] No - ARC review required

      If yes are the components sufficiently privileged to allow the requested
      operations (authentication, password change, process credential manipulation,
      audit state initialization)?
      [ ] Yes - briefly describe below
      [ ] No - ARC review required

    3.4.5 Passwords
      (see http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ and
           http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ for details)
      Do any of the components for the project deal with passwords?
      [X] Yes
      [ ] No - continue to next section (section 3.4.6)

      If yes are these passwords entered via the CLI or environment?
      [X] Yes - ARC review required
      [ ] No

      Are passwords stored within the file system for the component?
      [X] Yes
      [ ] No - continue to next section (section 3.4.6)

      If yes are the permissions on the file such to protect exposing the password(s)?
      [X] Yes
      [ ] No - ARC review required

    3.4.6 General Security Questions
      (see http://opensolaris.org/os/community/arc/bestpractices/security-questions/ for details)
      Are there any network protocols used by this project?
      [X] Yes
      [ ] No - continue with the next section (section 3.5)

      Do the components use standard network protocols?
      [X] Yes
      [ ] No - ARC review required

      Do network services for the project make decisions based upon user, host or
      service identities?
      [X] Yes - explain below
      Access control information can make decisions based on host identity

      [ ] No
      [ ] N/A

      Do the components make use of secret information during authentication and/or
      authorization?
      [X] Yes - explain below
      LDAP protocol includes BIND operation that can use a password.
      [ ] No
      [ ] N/A

  3.5 Networking
      Do the components access the network?
      [X] Yes
      [ ] No - continue with the next section (section 3.6)

      If yes do the components support IPv6?
      [X] Yes
      [ ] No - ARC review required

  3.6 Core Solaris Components
      Do the components of this project compete with or duplicate core
      Solaris components?
      [ ] Yes - ARC review required
      [X] No

      Examples of Core Solaris Components include but are not limited to:

        Secure By Default
        Authorizations
        PAM -- Pluggable Authentication Module
        Privilege
        PRM -- Process Rights Management -- Privilege
        Audit
        xVm -- Virtualization
        zones / Solaris Containers
        PRM -- Process Rights Management
        RBAC -- Role Based Access Control
        TX / Trusted Extensions
        ZFS
        SMF -- Service Management Facility
        FMA -- Fault Management Architecture
        SCF -- Smart Card Facility
        IPsec

4.0 Interfaces
  (see http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/ for details)
  4.1 Exported Interfaces

    Interface Name              Classification      Comments
    --------------------------- ------------------- ---------------------------
    LDAP                        Committed           LDAP is defined by a set of RFCs,
                                                    most of them supported by Sun OpenDS
    DSML                        Committed
    SNMP                        Committed
    JMX                         Uncommitted         Sun OpenDS monitoring is possible
                                                    using JMX. While the JMX protocol is
                                                    stable, the monitored objects are
                                                    still evolving.
    dsconfig CLI                Uncommitted         dsconfig is the command line used
                                                    for configuration
    administration scripts      Uncommitted         Sun OpenDS uses a set of shell scripts
                                                    for administrative purposes
                                                    (start/stop, backup, ...)

  4.2 Imported Interfaces

    Interface Name   Classification  Comments
    ---------------- --------------- ------------------------------------------
    Java SE 1.5                      I'm not sure about the Classification of
                                     Java SE 1.5


  Brief Interface Classifications - See Appendix C for definitions
    Volatile - interfaces are fluid and will follow a rapidly changing community
    Uncommitted - interfaces are still evolving in the community and might follow
                  the community
    Committed - interfaces are stable in the community
    Project Private - no review required, just document in table
    Contracted (interface modifier) - further review required

Appendix A - References
  1.  Solaris Installation Locations Policy
      http://opensolaris.org/os/community/arc/policies/install-locations/
  2.  /usr/gnu Installation ARC case
      http://opensolaris.org/os/community/arc/caselog/2007/047/
  3.  Secure By Default Policy
      http://opensolaris.org/os/community/arc/policies/secure-by-default/
  4.  Network Install Time Security Policy
      http://www.opensolaris.org/os/community/arc/policies/NITS-policy/
  5.  Adding RBAC Authorizations Policy
      http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/
  6.  When to use setuid -vs- RBAC roles and profiles
      http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ and
  7.  Building RBAC Rights Profiles
      http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
  8.  Solaris Audit Policy
      http://opensolaris.org/os/community/arc/policies/audit-policy/
  9.  Security questionnaire
      http://opensolaris.org/os/community/arc/bestpractices/security-questions/
  10. Interface Taxonomy
      http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/
  11. Pluggable Authentication Modules -- PAM
      http://opensolaris.org/os/community/arc/policies/PAM/
  12. Reusable Passwords In Command Line Arguments and Environment Variables
      http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/
  13. Storing Reusable Passwords on a Filesystem
      http://opensolaris.org/os/community/arc/bestpractices/passwords-files/
  14. Release Taxonomy
      http://opensolaris.org/os/community/arc/policies/release-taxonomy/
  15. Service Management Facility (SMF) usage
      http://opensolaris.org/os/community/arc/policies/SMF-policy/


Appendix B - Suggested case materials
  1. man pages
  2. SMF manifests
  3. links to contracts

Appendix C - Definitions
Submitter
     an agent responsible for creation of an ARC project along with the
     materials describing that project.
Owner
     the ARC agent responsible for shepherding the case through review
     and ensuring a formal opinion is written where required.
Maintainer
     an agent responsible for releasing new versions of a program, typically
     the "main" contributor or person in charge of making Architectural
     decisions for the project
Contributor
     an agent who makes contributions to a project, typically has a voice in
     making Architectural decisions for the project
Monitoring
     an agent who is only following the changes made in the community and
     has no Architectural input into the project
Volatile*
    interfaces that are very fluid and typically follow the originating
    community.  Typically these interfaces can not be imported by other
    projects.
Uncommitted*
    interfaces that are still evolving but will most likely be present from
    release to release.
Committed*
    interfaces that are stable and with Sun guaranteeing some level of
    compatibility from release to release.
Project Private*
    interfaces that are exposed only to or intended to be used only by
    the project being reviewed.  These interfaces can not be imported by
    other projects.
Not-An-Interface*
    components that are not interfaces.
Contracted* (interface modifier) - ARC review of Contract required
    interfaces that do not allow another project to import can be

*Note: see http://opensolaris.org/os/community/arc/policies/interface-taxonomy/ 
  for details

