OpenDJ: An Introduction

Session from 2014 IRM Summit in Phoenix, Arizona. Introduction to OpenDJ by Matthias Tristl of ForgeRock

  1. OpenDJ (IRM Summit 2014, Matthias Tristl)
  2. Objectives. Upon completion of this module, you should be able to:
     ■ OpenDJ and the OIS
     ■ What is an LDAP Directory
     ■ When to use an LDAP Directory
     ■ Features of OpenDJ
  3. Pillars of IAM (diagram)
  4. Classic scenario I (diagram: User, Application). User wants to use an application ... which does not require any of ForgeRock's products, but ...
  5. Classic scenario II: Centralization of Authentication (diagram: User, Application) ... and ...
  6. Classic scenario III: Central Authorization (diagram: User, Application)
  7. What is a Directory?
     ■ Special purpose data repository
     ■ Attribute-Value pair type of data
     ■ Hierarchical structure for data modeling
     ■ Traditionally optimized for read through heavy indexes
  8. Directory vs. Database
     ■ How often does your data change?
     ■ What kind of data are you trying to model?
     ■ Does it make sense to model your data in a hierarchical structure?
     ■ Does your data need to be available cross-platform?
  9. Example Directory Tree (diagram)
  10. LDAP directories store
     ■ User credentials
     ■ Company employee phone book and organizational chart
     ■ Network information
     ■ Mail routing information
     ■ HR data
     ■ Public security keys and certificates
     ■ External customer contact information
     ■ X509 Certificates
  11. LDAP entry examples (diagram)
  12. Schema
     • A schema is a set of rules that determines what data can and cannot be stored in a directory
     • Schemas help maintain the integrity and quality of the data being stored
     • A directory server schema consists of:
       > Attributes
       > Object Classes
       > Rules that must be followed before allowing data into the database
  13. Attributes
     • Data elements used to describe something
       > First Name, Last Name, City, State, Postal Code
     • Can contain single or multiple values
     • Can be grouped with other attributes to describe an object
       > Person, Place, Thing, etc.
     • Have a particular syntax
     • Common attributes are defined by RFCs
     • Organizations may add their own attributes
  14. Object Classes
     • Data elements used to group attributes in order to describe an object
     • Act as templates that describe directory entries
     • Defined by the objectClass attribute
     • Required for all directory server entries
       > Entries MUST have at least one object class
       > Entries MAY have more than one object class
     • Two types of object classes: STRUCTURAL and AUXILIARY
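Added example in Python (not code from the slides or from OpenDJ): an LDIF entry parser plus a schema check that applies the rules slides 12 to 14 describe, using a small constructed subset of the standard person object classes. The schema table, the sample entry and the function names are assumptions.

```python
# Constructed schema subset (RFC 4519 / RFC 2798), names lower-cased:
# object class -> (kind, superior class, MUST attributes, MAY attributes)
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectclass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("STRUCTURAL", "person", set(), {"title", "ou", "l", "postalcode"}),
    "inetorgperson": ("STRUCTURAL", "organizationalperson", set(), {"uid", "mail", "givenname", "displayname"}),
}
# Constructed sample entry; the DN reuses the uid=scarter / dc=example,dc=com names from the slides.
SAMPLE_LDIF = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
sn: Carter
description: constructed sample entry used for
  the schema check
"""

def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}; 'dn' is kept as an attribute."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):   # skip blank and comment lines
            continue
        if raw.startswith(" ") and logical:          # folded continuation line: join to the previous one
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def validate_entry(attrs: dict) -> list:
    """Apply the slides' rules and return the violations (an empty list means the entry is accepted)."""
    problems, must, may, structural = [], set(), set(), False
    for cls in [c.lower() for c in attrs.get("objectclass", [])]:
        while cls in SCHEMA:                         # walk up the superior chain; unknown classes add nothing
            kind, cls, m, o = SCHEMA[cls]
            must, may = must | m, may | o
            structural = structural or kind == "STRUCTURAL"
    if not structural:
        problems.append("entry needs at least one STRUCTURAL object class")
    problems += [f"missing required attribute: {a}" for a in sorted(must - set(attrs))]
    problems += [f"attribute not allowed by any object class: {a}" for a in sorted(set(attrs) - must - may - {"dn"})]
    return problems
```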
  15. Directory Requirements
     ■ Scalable: millions of entries
     ■ Fast: sub-second response times
     ■ Flexible: wide and extensible range of attributes
     ■ Standards-compliant (LDAP, SPML, SCIM, REST)
     ■ High availability: replication service
  16. OpenDJ Drivers
     ■ Lower cost of ownership
       – Higher performance while consuming less disk, memory and CPU resources
       – Reduction in administrative overload by automating recurrent tasks (backup or data exports)
     ■ High availability, failover and disaster recovery for directory service and data
     ■ Secures identity data through encryption, authentication, authorizations and access control, password and account management capabilities
     ■ Complies with LDAPv3, DSMLv2 and SCIM standards
     ■ Can be embedded in other Java applications
     ■ Advances as an open source project that allows you the freedom to use, study or modify the code
  17. Directory Components (diagram: an LDAP client talks LDAP to the LDAP server on host.example.com:389 and HTTP/REST on port 8080; the server holds the tree dc=example,dc=com / ou=People / uid=scarter, its configuration files and LDIF data)
  18. OpenDJ in action
     ■ OpenDJ architecture
     ■ The control panel
     ■ LDAP SDK
     ■ Command line
     ■ OpenDJ Features
     ■ REST
  19. OpenDJ Architecture (diagram)
     User Interface: End User, Management, ForgeRock UI Framework, ForgeRock REST
     Core Server: Replication, Auditing, LDAPv3, Caching, Monitoring, Password Policy, Groups, Schema Management, REST2LDAP, Access Control
     Backend Services: Persistence, Connectors, LDIF, Memory, Change Log
     Clients: Java SDK/LDAPv3, Web Application, REST2LDAP, ForgeRock REST
  20. Control Panel (screenshot)
  21. The LDAP SDK
     ■ Client SDK
     ■ Command-line tools
     ■ Comes with some sample code
     ■ Can be used with any LDAP (RFC 4510) compliant server
     ■ Connection pooling
     ■ Load balancing
  22. Command Line Tools (location: install/bin): backup, base64, create-rc-script, dbtest, dsconfig, dsframework, dsjavaproperties, dsreplication, encode-password, export-ldif, import-ldif, ldapcompare, ldapdelete, ldapmodify, ldappasswordmodify, ldapsearch, ldif-diff, ldifmodify, ldifsearch, list-backends, make-ldif, manage-account, manage-tasks, rebuild-index, restore, start-ds, status, stop-ds, verify-index
  23. Referential Integrity
     ■ Entry references in static groups can be automatically updated on:
       – Delete
       – Update
     ■ The plugin needs to be enabled, as it is disabled by default
  24. Virtual/Collective Attributes
     ■ Have dynamically generated values
     ■ Virtual attribute examples:
       – hasSubordinates
       – isMemberOf
       – entryDN
       – entryUUID
     ■ Collective attribute usage examples:
       – Classes of Service
       – Inheriting an attribute from the manager's entry
       – Inheriting attributes from the locality
     ■ Virtual Static Groups
       – Objectclass: ds-virtual-static-group
       – Member attribute: ds-target-group-dn
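Added example in Python, not code from the slides or from OpenDJ, that models what slides 23 and 24 describe on a constructed in-memory directory: deleting an entry cleans up static-group references the way the referential integrity plugin would (only the delete case is shown), and entryDN, hasSubordinates and isMemberOf are generated on the fly, with a ds-virtual-static-group resolving its members through ds-target-group-dn. The directory contents and function names are assumptions.

```python
# Constructed in-memory directory: DN -> {attribute: [values]}. The uid=scarter user, the
# dc=example,dc=com suffix and the ds-virtual-static-group / ds-target-group-dn names come from
# the slides; the other entries are made up for this example.
def new_directory() -> dict:
    people = "ou=People,dc=example,dc=com"
    return {
        people: {"objectClass": ["organizationalUnit"], "ou": ["People"]},
        f"uid=scarter,{people}": {"objectClass": ["inetOrgPerson"], "uid": ["scarter"], "sn": ["Carter"]},
        f"uid=tmorris,{people}": {"objectClass": ["inetOrgPerson"], "uid": ["tmorris"], "sn": ["Morris"]},
        "cn=Admins,ou=Groups,dc=example,dc=com": {
            "objectClass": ["groupOfNames"],
            "member": [f"uid=scarter,{people}", f"uid=tmorris,{people}"]},
        # Virtual static group: stores no member values of its own, it mirrors the target group
        "cn=Virtual Admins,ou=Groups,dc=example,dc=com": {
            "objectClass": ["groupOfNames", "ds-virtual-static-group"],
            "ds-target-group-dn": ["cn=Admins,ou=Groups,dc=example,dc=com"]},
    }

GROUP_CLASSES = {"groupOfNames", "groupOfUniqueNames", "ds-virtual-static-group"}

def members_of(directory: dict, group_dn: str) -> list:
    """Resolve a group's members, following ds-target-group-dn for a virtual static group."""
    group = directory[group_dn]
    if "ds-virtual-static-group" in group["objectClass"]:
        return members_of(directory, group["ds-target-group-dn"][0])
    return list(group.get("member", []))

def virtual_attributes(directory: dict, dn: str) -> dict:
    """Generate the virtual attributes named on the slide for one entry instead of storing them."""
    return {
        "entryDN": [dn],
        "hasSubordinates": ["true" if any(d.endswith("," + dn) for d in directory) else "false"],
        "isMemberOf": sorted(g for g, e in directory.items()
                             if GROUP_CLASSES & set(e["objectClass"]) and dn in members_of(directory, g)),
    }

def delete_entry(directory: dict, dn: str) -> int:
    """Delete an entry and, like the referential integrity plugin, drop references to it from the
    member attribute of every static group. Returns the number of references removed."""
    del directory[dn]
    removed = 0
    for entry in directory.values():
        if "member" in entry:
            kept = [m for m in entry["member"] if m != dn]
            removed += len(entry["member"]) - len(kept)
            entry["member"] = kept
    return removed
```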
  25. Replication (diagram)
  26. Replication Servers (diagram)
  27. HTTP Connection Handler
     ■ OpenDJ HTTP Connection Handler exposes a REST API over HTTP
     ■ Configure the mapping between JSON resources and LDAP entries by editing the /path/to/opendj/config/http-config.json file (excerpt):
       // The REST APIs and their LDAP attribute mappings.
       "mappings" : {
         "/users" : {
           "baseDN" : "ou=people,dc=example,dc=com",
           "readOnUpdatePolicy" : "controls",
           "useSubtreeDelete" : false,
           "usePermissiveModify" : true,
           "etagAttribute" : "etag",
           "namingStrategy" : {
             "strategy" : "clientDNNaming",
             "dnAttribute" : "uid"
           },
           "additionalLDAPAttributes" : [
             {
               "type" : "objectClass",
               "values" : [ "top", "person", "organizationalPerson", "inetOrgPerson
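Added example in Python, not OpenDJ's REST2LDAP code, of what the mapping above means for a resource written to /users: with clientDNNaming the client-supplied _id becomes the uid RDN under baseDN, and the additionalLDAPAttributes objectClass values are added by the server. The "attributes" section of the config and the function names are assumptions, and the objectClass list completes the slide's cut-off value with inetOrgPerson. It also shows RFC 4514 escaping of the RDN value, the check that keeps a client-chosen _id from adding DN components.

```python
# Constructed config: the /users values are those in the slide's http-config.json excerpt. The
# "attributes" section is an assumed simplification, not OpenDJ's real JSON-to-LDAP attribute syntax.
HTTP_CONFIG = {"mappings": {"/users": {
    "baseDN": "ou=people,dc=example,dc=com",
    "namingStrategy": {"strategy": "clientDNNaming", "dnAttribute": "uid"},
    "additionalLDAPAttributes": [
        {"type": "objectClass", "values": ["top", "person", "organizationalPerson", "inetOrgPerson"]}],
    "attributes": {"_id": "uid", "displayName": "cn", "surname": "sn", "mail": "mail"},  # assumed
}}}

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping of an RDN value, so a client-chosen _id such as 'x,ou=admins'
    cannot add DN components: it stays one uid value."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def json_to_ldap(config: dict, path: str, resource: dict) -> tuple:
    """Turn a JSON resource written to <path> into the (dn, attributes) the LDAP backend stores."""
    mapping = config["mappings"][path]
    attrs = {}
    for field, ldap_attr in mapping["attributes"].items():
        if field in resource:
            attrs[ldap_attr] = [str(resource[field])]
    for extra in mapping["additionalLDAPAttributes"]:    # server-controlled values, e.g. objectClass
        attrs.setdefault(extra["type"], []).extend(extra["values"])
    naming = mapping["namingStrategy"]
    if naming["strategy"] != "clientDNNaming":
        raise ValueError("only clientDNNaming is handled in this example")
    rdn_attr = naming["dnAttribute"]                         # the client supplies the RDN via _id
    if rdn_attr not in attrs:
        raise ValueError(f"resource must carry the field mapped to {rdn_attr}")
    dn = f"{rdn_attr}={escape_rdn_value(attrs[rdn_attr][0])},{mapping['baseDN']}"
    return dn, attrs

def ldap_to_json(config: dict, path: str, attrs: dict) -> dict:
    """Reverse direction for a read: LDAP attributes back to the JSON fields the mapping exposes."""
    mapping = config["mappings"][path]
    return {field: attrs[ldap_attr][0]
            for field, ldap_attr in mapping["attributes"].items() if ldap_attr in attrs}
```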
  28. The Plugin API
     ■ The primary mechanism for extending the directory server
     ■ Operational plugins:
       – Pre-parse: called immediately after the worker thread has taken the request from the work queue
       – Pre-operation: called before request processing is initiated
       – Post-operation: called immediately after request processing is completed (before the response is sent)
       – Post-response: called immediately after the response is sent to the client but before the worker thread completes
     ■ Examples of other plug-ins:
       – Server startup/shutdown plug-ins
       – LDIF import plug-in
  29. Single Shared Model (diagram: ROA + REST + JSON; ForgeRock Services, ForgeRock REST, ForgeRock UI, Application, Scripting)
  30. ForgeRock University
