OpenDJ - An Introduction

An IAM for Beginners session led by Dr. Matthias Tristl, Senior Instructor, ForgeRock


Published in: Technology
  • A directory is great for some applications, but not for others. It is possible to model almost any kind of data as a directory structure, but that is not necessarily a good idea. Directories are optimized for reads (and so are less efficient for writes): they implement extensive indexes, the indexes are tied to a schema that defines attributes, and the attributes represent your application's data. One benefit of the hierarchical structure is the ability to apply access control to all child entries of a subtree.
  • Perfectly suited to handle the kind of traffic you see on the internet.
  • Most LDAP servers are heavily optimized for reads. There is a big difference between reading data from an LDAP directory and obtaining the same data from a relational database server optimized for OLTP. That comes at the cost of write operations, so a directory is not the best choice when data changes a lot (e.g. it is not suited to a high-volume e-commerce site). Does your data need to be distributed? Do you need fine-grained security?
  • Why use LDAP directories for LDAP authentication? Lightweight Directory Access Protocol (LDAP) directories and LDAP authentication have become one of the cornerstones of enterprise user infrastructure. As the enterprise has digitized and opened pieces of most enterprise applications to customers, business partners, vendors and widespread employee access, the need to know who the user is has significantly increased from a security perspective. Who is the user trying to access an application? What is the strength of the authentication by which the application can trust the user trying to access it? What are the user's authorization privileges?

The frequency with which a user must be authenticated has also increased. Thus in a medium to large enterprise it is not uncommon to have several thousand to several hundred thousand identity look-ups per second.

The above are the reasons why LDAP directories and LDAP authentication have taken on such a dominant role in enterprise authentication. LDAP directories offer the following features:
  • They are very quick for identity reads compared to traditional databases.
  • They are low cost; in fact, some LDAP directories are available for free.
  • Virtual LDAP directories enable quick linkage between multiple databases and multiple LDAP directories.
  • LDAP directories are excellent for rapid LDAP authentication for any digitized authentication.
  • LDAP directories use a universal protocol, enabling quick interaction and exchange of identity information between enterprises.
  • LDAP directories can be easily partitioned to place the directory close to the end user, improving performance and reducing network load.
  • OpenDJ - An Introduction

    1. OpenDJ for Beginners, EMEA Summit 2013
    2. Objectives. Upon completion of this module, you should be able to:
       • OpenDJ and the OIS
       • What is an LDAP Directory
       • When to use an LDAP Directory
       • Features of OpenDJ
    3. Pillars of IAM (diagram)
    4. Classic scenario I: a user wants to use an application... which does not require any of ForgeRock's products, but ... (diagram: User, Application)
    5. Classic scenario II: centralization of authentication ... and ... (diagram: User, Application, OpenDJ)
    6. Classic scenario III: central authorization (diagram: User, Application, OpenAM, OpenDJ)
    7. What is a Directory?
       • Special-purpose data repository
       • Attribute-value pair type of data
       • Hierarchical structure for data modeling
       • Traditionally optimized for reads through heavy indexes
    8. LDAP History
       • Worldwide directory, like a phone book
       • X.500
       • How to access a directory (lightweight client)
    9. Example Directory Tree (diagram)
    10. An LDAP directory can store:
       • User credentials
       • Company employee phone book and organizational chart
       • Network information
       • Mail routing information
       • HR data
       • Public security keys and certificates
       • External customer contact information
    11. LDAP entry examples (diagram)
    12. Schema
       • A schema is a set of rules that determines what data can and cannot be stored in a directory
       • Schemas help maintain the integrity and quality of the data being stored
       • A directory server schema consists of:
         > Attributes
         > Object classes
         > Rules that must be followed before data is allowed into the database
    13. Attributes
       • Data elements used to describe something
         > First name, last name, city, state, postal code
       • Can contain single or multiple values
       • Can be grouped with other attributes to describe an object
         > Person, place, thing, etc.
       • Have a particular syntax
       • Common attributes are defined by RFCs
       • Organizations may add their own attributes
    14. Object Classes
       • Data elements used to group attributes in order to describe an object
       • Act as templates that describe directory entries
       • Defined by the objectClass attribute
       • Required for all directory server entries
         > Entries MUST have at least one object class
         > Entries MAY have more than one object class
       • Two types of object classes: STRUCTURAL and AUXILIARY
    15. Today's Directory Requirements
       • Scalable: millions of entries
       • Fast: sub-second response times
       • Flexible: wide and extensible range of attributes
       • Standards-compliant (LDAP, SPML, SCIM)
       • High availability: replication service
    16. OpenDJ Drivers
       • Lower cost of ownership
       • Higher performance while consuming less disk, memory and CPU resources
       • Reduction in administrative overhead by automating recurrent tasks (backups or data exports)
       • High availability, failover and disaster recovery for the directory service and its data
       • Secures identity data through encryption, authentication, authorization and access control, and password and account management capabilities
       • Complies with the LDAPv3, DSMLv2 and SCIM standards
       • Can be embedded in other Java applications
       • Advances as an open source project that allows you the freedom to use, study or modify the code
    17. Directory vs Relational Database
       • How often does your data change?
       • What kind of data are you trying to model?
       • Does it make sense to model your data in a hierarchical structure?
       • Does your data need to be available cross-platform?
    18. Typical Use Case: Authentication
       • Very quick for identity reads
       • Low cost
       • Excellent for rapid LDAP authentication for any digitized authentication
       • Universal protocol enabling quick interaction and exchange of identity information
       • Can be easily partitioned, allowing a flexible architecture
       • Can be easily replicated, providing high availability and reliability
    19. Directory Server Components (diagram: LDIF data for dc=example,dc=com, ou=People and uid=scarter; configuration files; the LDAP server serving LDAP clients on port 389 and HTTP/REST clients on port 8080)
    20. OpenDJ in action
       • Install OpenDJ
       • The control panel
       • Command line
       • REST
    21. Replication (diagram)
    22. Stand-alone Replication Servers (diagram)
    23. OpenDJ Interfaces
       • LDAP
         > The native directory server interface
         > Based on the DAP protocol
       • DSML
         > Accessed through a gateway (web application)
       • REST
         > Exchange of JSON messages
         > Native or through a gateway (web application)
    24. Single Shared Model (diagram: ForgeRock UI, Application, ForgeRock REST, Scripting, ForgeRock Services; ROA + REST + JSON)
    25. OpenDJ Features
       • Admin GUI
       • Rich admin command line
       • LDAP SDK
       • Verbose access control
       • High availability
       • Flexible and easy-to-use plug-in mechanism
       • Pass-through authentication
       • Optimistic concurrency control (MVCC)
       • SAMBA integration
       • Static, dynamic and virtual static groups and roles
    26. ForgeRock University
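The schema rules from slides 12 to 14 (every entry MUST carry at least one object class, exactly one of them STRUCTURAL with AUXILIARY classes as optional extras, and attributes that are single- or multi-valued) applied to LDIF entries from the dc=example,dc=com tree of slide 19, as an added Python example that is not part of the deck or of OpenDJ. The toy schema table and the two LDIF entries are constructed samples, not OpenDJ's real schema.

```python
# Constructed toy schema: objectClass -> (kind, MUST attributes); a real server loads this from its schema files.
SCHEMA = {
    "inetOrgPerson": ("STRUCTURAL", {"cn", "sn"}),
    "organizationalUnit": ("STRUCTURAL", {"ou"}),
    "posixAccount": ("AUXILIARY", {"uidNumber"}),
}
SINGLE_VALUED = {"uidNumber"}  # attribute types the schema declares SINGLE-VALUE
# Constructed LDIF in the deck's dc=example,dc=com tree; the second entry is deliberately broken.
SAMPLE_LDIF = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sam Carter
sn: Carter
uidNumber: 1001

dn: uid=bad,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalUnit
cn: Bad Entry
uidNumber: 1
uidNumber: 2
"""
def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from plain LDIF (no base64 values or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):  # a blank line separates entries
        dn, attrs = None, {}
        for line in block.splitlines():
            name, value = (p.strip() for p in line.split(":", 1))
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)  # attributes may be multi-valued
        entries.append((dn, attrs))
    return entries

def validate(attrs):
    """Return the schema violations for one entry; an empty list means it conforms."""
    classes = [c for c in attrs.get("objectClass", []) if c in SCHEMA]
    problems = [] if classes else ["entry has no (known) objectClass"]
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    if len(structural) != 1:  # exactly one STRUCTURAL class; AUXILIARY classes are optional extras
        problems.append(f"expected exactly one STRUCTURAL class, got {structural}")
    must = set().union(*[SCHEMA[c][1] for c in classes])  # MUST attributes of all classes
    problems += [f"missing required attribute {a}" for a in sorted(must - set(attrs))]
    problems += [f"{a} is single-valued but has {len(v)} values"
                 for a, v in attrs.items() if a in SINGLE_VALUED and len(v) > 1]
    return problems
```

Running validate over each parsed entry reports the uid=bad entry's two STRUCTURAL classes, its missing sn and ou, and the repeated uidNumber, while uid=scarter passes clean.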