IRM Summit 2014
OpenDJ
Matthias Tristl
Objectives
Upon completion of this module, you should be able to explain:
■ OpenDJ and the OIS
■ What is an LDAP Directory
■ When to use an LDAP Directory
■ Features of OpenDJ
Pillars of IAM
[Diagram slide]
Classic scenario I
User wants to use an application... which does not require any of ForgeRock's products, but ...
[Diagram: User, Application]
Classic scenario II
Centralization of Authentication ... and ...
[Diagram: User, Application]
Classic scenario III
Central Authorization
[Diagram: User, Application]
What is a Directory?
■ Special purpose data repository
■ Attribute-Value pair type of data
■ Hierarchical structure for data modeling
■ Traditionally optimized for read through heavy indexes
Directory vs. Database
■ How often does your data change?
■ What kind of data are you trying to model?
■ Does it make sense to model your data in a hierarchical structure?
■ Does your data need to be available cross-platform?
Example Directory Tree
[Diagram slide: example directory tree]
LDAP directories store
■ User credentials
■ Company employee phone book and organizational chart
■ Network information
■ Mail routing information
■ HR data
■ Public security keys and certificates
■ External customer contact information
■ X.509 certificates
LDAP entry examples
[Slide shows example LDAP entries]
Schema
• A schema is a set of rules that determines what data can and cannot be stored in a directory
• Schemas help maintain the integrity and quality of the data being stored
• A directory server schema consists of:
> Attributes
> Object Classes
> Rules that must be followed before allowing data into the database
Attributes
• Data elements used to describe something
> First Name, Last Name, City, State, Postal Code
• Can contain single or multiple values
• Can be grouped with other attributes to describe an object
> Person, Place, Thing, etc.
• Have a particular syntax
• Common attributes are defined by RFCs
• Organizations may add their own attributes
Object Classes
• Data elements used to group attributes in order to describe an object
• Act as templates that describe directory entries
• Defined by the objectClass attribute
• Required for all directory server entries
> Entries MUST have at least one object class
> Entries MAY have more than one object class
• Two types of object classes: STRUCTURAL and AUXILIARY
Directory Requirements
■ Scalable: Millions of entries
■ Fast: sub-second response times
■ Flexible: wide and extensible range of attributes
■ Standards-compliant (LDAP, SPML, SCIM, REST)
■ High availability: replication service
OpenDJ Drivers
■ Lower cost of ownership
– Higher performance while consuming less disk, memory and CPU resources
– Reduction in administrative overload by automating recurrent tasks (backup or data exports)
■ High availability, failover and disaster recovery for directory service and data
■ Secures identity data through encryption, authentication, authorization and access control, password and account management capabilities
■ Complies with LDAPv3, DSMLv2 and SCIM standards
■ Can be embedded in other Java applications
■ Advances as an open source project that gives you the freedom to use, study or modify the code
Directory Components
[Diagram: an LDAP Client talks LDAP to the LDAP Server on host.example.com port 389, with HTTP/REST on port 8080; the server holds the dc=example,dc=com suffix (ou=People, uid=scarter), its configuration files, and LDIF import/export of dc=example,dc=com]
OpenDJ in action
■ OpenDJ architecture
■ The control panel
■ LDAP SDK
■ Command line
■ OpenDJ Features
■ REST
OpenDJ Architecture
[Layered diagram]
User Interface: End User, Management; ForgeRock UI Framework; ForgeRock REST
Core Server: Replication, Auditing, LDAPv3, Caching, Monitoring, Password Policy, Groups, Schema Management, REST2LDAP, Access Control
Backend Services: Persistence, Connectors, LDIF, Memory, Change Log
Clients: Java SDK / LDAPv3; Web Application via REST2LDAP and ForgeRock REST
Control Panel
[Screenshot slide]
The LDAP SDK
■ Client SDK
■ Command-line tools
■ Comes with some sample code
■ Can be used with any LDAP (RFC 4510) compliant server
■ Connection pooling
■ Load balancing
Command Line Tools
backup, base64, create-rc-script, dbtest, dsconfig, dsframework, dsjavaproperties, dsreplication,
encode-password, export-ldif, import-ldif, ldapcompare, ldapdelete, ldapmodify, ldappasswordmodify, ldapsearch,
ldif-diff, ldifmodify, ldifsearch, list-backends, make-ldif, manage-account, manage-tasks, rebuild-index,
restore, start-ds, status, stop-ds, verify-index
Location: install/bin
Referential Integrity
■ Entry references in static groups can be automatically updated on:
– Delete
– Update
■ The plugin needs to be enabled as it is disabled by default
Virtual/Collective Attributes
■ Have dynamically generated values
■ Virtual attribute examples:
– hasSubordinates
– isMemberOf
– entryDN
– entryUUID
■ Collective attribute usage examples:
– Classes of Service
– Inheriting an attribute from the manager's entry
– Inheriting attributes from the locality
■ Virtual Static Groups
– Objectclass: ds-virtual-static-group
– Member attribute: ds-target-group-dn
Replication
[Diagram slide]
Replication Servers
[Diagram slide]
HTTP Connection Handler
■ OpenDJ HTTP Connection Handler exposes a REST API over HTTP
■ Configure the mapping between JSON resources and LDAP entries by editing the /path/to/opendj/config/http-config.json file

    // The REST APIs and their LDAP attribute mappings.
    "mappings" : {
        "/users" : {
            "baseDN" : "ou=people,dc=example,dc=com",
            "readOnUpdatePolicy" : "controls",
            "useSubtreeDelete" : false,
            "usePermissiveModify" : true,
            "etagAttribute" : "etag",
            "namingStrategy" : {
                "strategy" : "clientDNNaming",
                "dnAttribute" : "uid"
            },
            "additionalLDAPAttributes" : [
                {
                    "type" : "objectClass",
                    "values" : [
                        "top",
                        "person",
                        "organizationalPerson",
                        "inetOrgPerson"
                    ]
                }
            ]
            // ... remaining "/users" settings (attribute mappings) not shown on the slide
        }
    }
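What the /users mapping above means for a single create request, as an added example (not OpenDJ's REST2LDAP code): the JSON resource is turned into an LDAP entry whose DN comes from the client-supplied uid under baseDN, with the configured objectClass values added. The "attributes" section of MAPPING is constructed, since the slide omits it; the DN value is escaped per RFC 4514 so the client's uid always stays one RDN.

```python
# Added example, not OpenDJ's code: shows how the /users mapping above turns a JSON
# resource into an LDAP entry. The "attributes" section is constructed (the slide
# omits it); the rest mirrors the slide. Values placed in the DN are escaped per
# RFC 4514 so a client-supplied uid always stays a single RDN under baseDN.
MAPPING = {
    "baseDN": "ou=people,dc=example,dc=com",
    "namingStrategy": {"strategy": "clientDNNaming", "dnAttribute": "uid"},
    "additionalLDAPAttributes": [
        {"type": "objectClass",
         "values": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
    ],
    "attributes": {                       # constructed: JSON field -> LDAP attribute
        "_id": {"simple": {"ldapAttribute": "uid"}},
        "displayName": {"simple": {"ldapAttribute": "cn"}},
        "surname": {"simple": {"ldapAttribute": "sn"}},
    },
}

def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def resource_to_entry(mapping, resource):
    """Return (dn, {ldap_attribute: [values]}) for one JSON resource."""
    attrs = {}
    for field, spec in mapping["attributes"].items():
        if field in resource:
            attrs.setdefault(spec["simple"]["ldapAttribute"], []).append(str(resource[field]))
    for extra in mapping["additionalLDAPAttributes"]:   # e.g. the objectClass values
        attrs.setdefault(extra["type"], []).extend(extra["values"])
    naming = mapping["namingStrategy"]
    if naming["strategy"] != "clientDNNaming":
        raise ValueError("only clientDNNaming is handled in this example")
    dn_attr = naming["dnAttribute"]
    if len(attrs.get(dn_attr, [])) != 1:
        raise ValueError("resource must supply exactly one %s value" % dn_attr)
    dn = "%s=%s,%s" % (dn_attr, escape_rdn_value(attrs[dn_attr][0]), mapping["baseDN"])
    return dn, attrs

def to_ldif(dn, attrs):
    """Render the entry as LDIF, as the server would store or export it."""
    lines = ["dn: " + dn] + ["%s: %s" % (k, v) for k, vals in attrs.items() for v in vals]
    return "\n".join(lines) + "\n"
```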
The Plugin API
■ The primary mechanism for extending the directory server
■ Operational plugins:
– Pre-parse – called immediately after the worker thread has taken the request from the work queue
– Pre-operation – called before request processing is initiated
– Post-operation – called immediately after request processing is completed (before the response is sent)
– Post-response – called immediately after the response is sent to the client but before the worker thread completes
■ Examples of other plug-ins
– Server startup/shutdown plug-ins
– LDIF import plug-in
Single Shared Model
ROA + REST + JSON
[Diagram: ForgeRock Services, ForgeRock REST, ForgeRock UI, Application Scripting]
ForgeRock University
OpenDJ: An Introduction