OpenDJ: An Introduction

Aug 28, 2014

ForgeRock

Session from the 2014 IRM Summit in Phoenix, Arizona. Introduction to OpenDJ by Matthias Tristl of ForgeRock.
Transcript
Page 1: OpenDJ: An Introduction

IRM Summit 2014

OpenDJ

Matthias Tristl

Page 2: Objectives

Upon completion of this module, you should understand:

■ OpenDJ and the OIS

■ What is an LDAP Directory

■ When to use an LDAP Directory

■ Features of OpenDJ

Page 3: Pillars of IAM

Page 4: Classic scenario I

Diagram: User -> Application

User wants to use an application, which does not require any of ForgeRock's products, but ...

Page 5: Classic scenario II: Centralization of Authentication

Diagram: User -> Application ... and ...

Page 6: Classic scenario III: Central Authorization

Diagram: User -> Application

Page 7: What is a Directory?

■ Special purpose data repository

■ Attribute-Value pair type of data

■ Hierarchical structure for data modeling

■ Traditionally optimized for read through heavy indexes

Page 8: Directory vs. Database

■ How often does your data change?

■ What kind of data are you trying to model?

■ Does it make sense to model your data in a hierarchical structure?

■ Does your data need to be available cross-platform?

Page 9: Example Directory Tree

Page 10: LDAP directories store

■ User credentials

■ Company employee phone book and organizational chart

■ Network information

■ Mail routing information

■ HR data

■ Public security keys and certificates

■ External customer contact information

■ X.509 Certificates

Page 11: LDAP entry examples

Page 12: Schema

• A schema is a set of rules that determines what data can and cannot be stored in a directory

• Schemas help maintain the integrity and quality of the data being stored

• A directory server schema consists of:

> Attributes

> Object Classes

> Rules that must be followed before allowing data into the database

Page 13: Attributes

• Data elements used to describe something

> First Name, Last Name, City, State, Postal Code

• Can contain single or multiple values

• Can be grouped with other attributes to describe an object

> Person, Place, Thing, etc.

• Have a particular syntax

• Common attributes are defined by RFCs

• Organizations may add their own attributes

Page 14: Object Classes

• Data elements used to group attributes in order to describe an object

• Act as templates that describe directory entries

• Defined by the objectClass attribute

• Required for all directory server entries

> Entries MUST have at least one object class

> Entries MAY have more than one object class

• Two types of object classes: STRUCTURAL and AUXILIARY
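As an added illustration of the schema rules on the last three slides (this is not code from the presentation or from OpenDJ), a small Python parser and validator for a single LDIF entry: it checks that the entry has an objectClass attribute, at least one STRUCTURAL class, every MUST attribute, and no attribute outside the classes' MUST/MAY sets. The mini-schema and the sample entry are constructed for the example.

```python
# Constructed mini-schema, not OpenDJ's built-in schema: class -> (kind, MUST, MAY).
SCHEMA = {
    "top": ("ABSTRACT", {"objectClass"}, set()),
    "person": ("STRUCTURAL", {"cn", "sn"}, {"telephoneNumber", "userPassword"}),
    "organizationalPerson": ("STRUCTURAL", set(), {"ou", "l", "postalCode"}),
    "inetOrgPerson": ("STRUCTURAL", set(), {"uid", "mail", "givenName"}),
    "posixAccount": ("AUXILIARY", {"uid", "uidNumber", "gidNumber", "homeDirectory"}, {"loginShell"}),
}

# Constructed LDIF entry; the DN mirrors the uid=scarter example on the slides.
SAMPLE_LDIF = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
sn: Carter
mail: scarter@example.com
telephoneNumber: +1 408 555 4798
telephoneNumber: +1 408 555 1212
"""

def parse_ldif(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> values; minimal: no base64 values, folding or options."""
    entry: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())  # repeats become multi-valued
    return entry

def validate(entry: dict[str, list[str]]) -> list[str]:
    """Return the schema violations for an entry; an empty list means it is schema-valid."""
    classes = entry.get("objectClass", [])
    if not classes:
        return ["entry has no objectClass attribute"]
    problems = [f"unknown object class: {c}" for c in classes if c not in SCHEMA]
    if problems:
        return problems
    if not any(SCHEMA[c][0] == "STRUCTURAL" for c in classes):
        problems.append("entry needs at least one STRUCTURAL object class")
    required = set().union(*(SCHEMA[c][1] for c in classes))
    allowed = required.union(*(SCHEMA[c][2] for c in classes))
    problems += [f"missing required attribute: {a}" for a in sorted(required - set(entry))]
    problems += [f"attribute not allowed by object classes: {a}"
                 for a in sorted(set(entry) - allowed - {"dn"})]
    return problems
```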

Page 15: Directory Requirements

■ Scalable: Millions of entries

■ Fast: sub-second response times

■ Flexible: wide and extensible range of attributes

■ Standards-compliant (LDAP, SPML, SCIM, REST)

■ High availability: replication service

Page 16: OpenDJ Drivers

■ Lower cost of ownership

– Higher performance while consuming less disk, memory and CPU resources

– Reduction in administrative overhead by automating recurrent tasks (backup or data exports)

■ High availability, failover and disaster recovery for directory service and data

■ Secures identity data through encryption, authentication, authorizations and access control, password and account management capabilities

■ Complies with LDAPv3, DSMLv2 and SCIM standards

■ Can be embedded in other Java applications

■ Advances as an open source project that allows you the freedom to use, study or modify the code

Page 17: Directory Components

Diagram: an LDAP client talks to the LDAP server on host.example.com over LDAP on port :389 and over HTTP/REST on port :8080. The server holds the directory tree dc=example,dc=com (ou=People, uid=scarter), its configuration files, and LDIF import/export of dc=example,dc=com.

Page 18: OpenDJ in action

■ OpenDJ architecture

■ The control panel

■ LDAP SDK

■ Command line

■ OpenDJ Features

■ REST

Page 19: OpenDJ Architecture

Diagram of the layers:

User Interface: End User Management, ForgeRock UI Framework, ForgeRock REST

Core Server: Replication, Auditing, LDAPv3, Caching, Monitoring, Password Policy, Groups, Schema Management, REST2LDAP, Access Control

Backend Services: Persistence, Connectors, LDIF, Memory, Change Log

Clients: Java SDK / LDAPv3; Web Application via REST2LDAP and ForgeRock REST

Page 20: Control Panel

Page 21: The LDAP SDK

■ Client SDK

■ Command-line tools

■ Comes with some sample code

■ Can be used with any LDAP (RFC 4510) compliant server

■ Connection pooling

■ Load balancing

Page 22: Command Line Tools

backup, base64, create-rc-script, dbtest, dsconfig, dsframework, dsjavaproperties, dsreplication, encode-password, export-ldif, import-ldif, ldapcompare, ldapdelete, ldapmodify, ldappasswordmodify, ldapsearch, ldif-diff, ldifmodify, ldifsearch, list-backends, make-ldif, manage-account, manage-tasks, rebuild-index, restore, start-ds, status, stop-ds, verify-index

Location: install/bin

Page 23: Referential Integrity

■ Entry references in static groups can be automatically updated on:

– Delete

– Update

■ The plugin needs to be enabled as it is disabled by default

Page 24: Virtual/Collective Attributes

■ Have dynamically generated values

■ Virtual attribute examples:

– hasSubordinates

– isMemberOf

– entryDN

– entryUUID

■ Collective attribute usage examples:

– Classes of Service

– Inheriting an Attribute from the Manager's entry

– Inheriting Attributes from the Locality

■ Virtual Static Groups

– Objectclass: ds-virtual-static-group

– Member attribute: ds-target-group-dn
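The following Python simulation is an added example, not part of the presentation or of OpenDJ: on a toy in-memory directory it models what the referential integrity plugin (previous slide) does to static-group member references on delete and rename, and how the isMemberOf virtual attribute and a ds-virtual-static-group resolve membership through ds-target-group-dn. The directory contents are constructed.

```python
# Toy in-memory directory: DN -> attribute -> values. Constructed data, not an OpenDJ backend.
def sample_directory() -> dict[str, dict[str, list[str]]]:
    people = "ou=People,dc=example,dc=com"
    groups = "ou=Groups,dc=example,dc=com"
    return {
        f"uid=scarter,{people}": {"objectClass": ["inetOrgPerson"], "uid": ["scarter"]},
        f"uid=tmorris,{people}": {"objectClass": ["inetOrgPerson"], "uid": ["tmorris"]},
        # Static group: membership is stored explicitly in the member attribute.
        f"cn=Admins,{groups}": {
            "objectClass": ["groupOfNames"],
            "member": [f"uid=scarter,{people}", f"uid=tmorris,{people}"],
        },
        # Virtual static group: no stored members; they are read from ds-target-group-dn.
        f"cn=Virtual Admins,{groups}": {
            "objectClass": ["groupOfNames", "ds-virtual-static-group"],
            "ds-target-group-dn": [f"cn=Admins,{groups}"],
        },
    }

MEMBER_ATTRS = ("member", "uniqueMember")

def members(directory, group_dn: str) -> list[str]:
    """Resolve a group's members, following ds-target-group-dn for virtual static groups."""
    group = directory[group_dn]
    if "ds-virtual-static-group" in group["objectClass"]:
        return members(directory, group["ds-target-group-dn"][0])
    return [m for attr in MEMBER_ATTRS for m in group.get(attr, [])]

def is_member_of(directory, dn: str) -> list[str]:
    """Compute the isMemberOf virtual attribute: every group whose resolved members include dn."""
    return [g for g, e in directory.items()
            if "groupOfNames" in e["objectClass"] and dn in members(directory, g)]

def _update_references(directory, old_dn: str, new_dn=None) -> None:
    """What the referential integrity plugin does: rewrite (rename) or drop (delete) references."""
    for entry in directory.values():
        for attr in MEMBER_ATTRS:
            values = entry.get(attr)
            if values and old_dn in values:
                kept = [m for m in values if m != old_dn]
                entry[attr] = kept + [new_dn] if new_dn else kept

def delete_entry(directory, dn: str) -> None:
    del directory[dn]
    _update_references(directory, dn, None)

def rename_entry(directory, old_dn: str, new_dn: str) -> None:
    directory[new_dn] = directory.pop(old_dn)
    _update_references(directory, old_dn, new_dn)
```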

Page 25: Replication

Page 26: Replication Servers

Page 27: HTTP Connection Handler

■ OpenDJ HTTP Connection Handler exposes REST API over HTTP

■ Configure mapping between JSON resources and LDAP entries by editing the /path/to/opendj/config/http-config.json file:

    // The REST APIs and their LDAP attribute mappings.
    "mappings" : {
      "/users" : {
        "baseDN" : "ou=people,dc=example,dc=com",
        "readOnUpdatePolicy" : "controls",
        "useSubtreeDelete" : false,
        "usePermissiveModify" : true,
        "etagAttribute" : "etag",
        "namingStrategy" : {
          "strategy" : "clientDNNaming",
          "dnAttribute" : "uid"
        },
        "additionalLDAPAttributes" : [
          {
            "type" : "objectClass",
            "values" : [ "top", "person", "organizationalPerson", "inetOrgPerson
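An added Python example (not OpenDJ code) of how a mapping like the one above turns a JSON resource into an LDAP entry: with clientDNNaming the DN is built from the client-supplied _id and dnAttribute under baseDN, and additionalLDAPAttributes are added to every created entry. The "attributes" section and its field names are assumptions made for the example; the RDN-safety check is there because the id comes straight from the client.

```python
# Constructed "/users" mapping: slide keys kept; "attributes" (JSON field -> LDAP attr) is assumed.
USERS_MAPPING = {
    "baseDN": "ou=people,dc=example,dc=com",
    "namingStrategy": {"strategy": "clientDNNaming", "dnAttribute": "uid"},
    "etagAttribute": "etag",
    "additionalLDAPAttributes": [
        {"type": "objectClass",
         "values": ["top", "person", "organizationalPerson", "inetOrgPerson"]},
    ],
    "attributes": {
        "displayName": "cn",
        "name/familyName": "sn",
        "name/givenName": "givenName",
        "contactInformation/emailAddress": "mail",
    },
}

# RFC 4514 special characters; a value containing one must be escaped before it goes in an RDN.
RDN_SPECIALS = set(',+"\\<>;=')

def is_safe_rdn_value(value: str) -> bool:
    """True if the client-supplied id can be used in an RDN without escaping."""
    return bool(value) and not (RDN_SPECIALS & set(value)) and value[0] not in "# "

def get_path(obj, path: str):
    """Look up a nested JSON value by slash-separated path, or None if absent."""
    for key in path.split("/"):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def resource_to_entry(mapping: dict, resource: dict):
    """Translate a JSON resource into (dn, ldap_attributes) for a create under this mapping."""
    naming = mapping["namingStrategy"]
    if naming["strategy"] != "clientDNNaming":
        raise ValueError("only clientDNNaming is modelled here")
    rid = resource.get("_id")
    if not isinstance(rid, str) or not is_safe_rdn_value(rid):
        raise ValueError("clientDNNaming needs a client-supplied _id that is RDN-safe")
    dn = f"{naming['dnAttribute']}={rid},{mapping['baseDN']}"
    attrs = {naming["dnAttribute"]: [rid]}
    # Every entry created through this resource gets the configured additional attributes.
    for extra in mapping["additionalLDAPAttributes"]:
        attrs[extra["type"]] = list(extra["values"])
    for json_path, ldap_attr in mapping["attributes"].items():
        value = get_path(resource, json_path)
        if value is not None:
            attrs[ldap_attr] = value if isinstance(value, list) else [value]
    return dn, attrs
```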

Page 28: The Plugin API

■ The primary mechanism for extending the directory server

■ Operational plugins:

– Pre-parse – called immediately after the worker thread has taken the request from the work queue

– Pre-operation – called before request processing is initiated

– Post-operation – called immediately after request processing is completed (before response is sent)

– Post-response – called immediately after response is sent to client but before worker thread completes

■ Examples of other plug-ins:

– Server startup/shutdown plug-ins

– LDIF import plug-in

Page 29: Single Shared Model

Diagram: ROA + REST + JSON shared across ForgeRock Services, ForgeRock REST, ForgeRock UI and Application Scripting

Page 30: ForgeRock University