OpenDJ: An Introduction
DESCRIPTION
Session from the 2014 IRM Summit in Phoenix, Arizona. Introduction to OpenDJ by Matthias Tristl of ForgeRock.
TRANSCRIPT
IRM Summit 2014
OpenDJ
Matthias Tristl
Objectives
Upon completion of this module, you should understand:
■ OpenDJ and the OIS (Open Identity Stack)
■ What an LDAP directory is
■ When to use an LDAP directory
■ The features of OpenDJ
Pillars of IAM
Classic scenario I: a user wants to use an application ...
[diagram: User, Application]
... which does not require any of ForgeRock's products, but ...

Classic scenario II: centralization of authentication
[diagram: User, Application]
... and ...

Classic scenario III: central authorization
[diagram: User, Application]
What is a Directory?
■ Special-purpose data repository
■ Attribute-value pair type of data
■ Hierarchical structure for data modeling
■ Traditionally optimized for reads through heavy indexing
Directory vs. Database
■ How often does your data change?
■ What kind of data are you trying to model?
■ Does it make sense to model your data in a hierarchical structure?
■ Does your data need to be available cross-platform?
Example Directory Tree
LDAP directories store
■ User credentials
■ Company employee phone book and organizational chart
■ Network information
■ Mail routing information
■ HR data
■ Public keys and X.509 certificates
■ External customer contact information
LDAP entry examples
Schema
• A schema is a set of rules that determines what data can and cannot be stored in a directory
• Schemas help maintain the integrity and quality of the data being stored
• A directory server schema consists of:
  > Attributes
  > Object classes
  > Rules that must be followed before data is allowed into the database
Attributes
• Data elements used to describe something
  > First name, last name, city, state, postal code
• Can contain single or multiple values
• Can be grouped with other attributes to describe an object
  > Person, place, thing, etc.
• Have a particular syntax
• Common attributes are defined by RFCs
• Organizations may add their own attributes
Object Classes
• Data elements used to group attributes in order to describe an object
• Act as templates that describe directory entries
• Defined by the objectClass attribute
• Required for all directory server entries
  > Entries MUST have at least one object class
  > Entries MAY have more than one object class
• Two types of object classes are assigned to entries: STRUCTURAL and AUXILIARY (an ABSTRACT class such as top is only inherited)
  > An entry has exactly one structural object class chain (for example inetOrgPerson, which inherits organizationalPerson and person); auxiliary classes add further attribute sets on top of it
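The schema checks described above (required attributes, allowed attributes, one structural object class chain), applied to LDIF entries by a small validator. This is an added example, not code from the slides or from OpenDJ: the schema table is a constructed subset with standard class and attribute names, and the three LDIF entries are constructed sample data, the last one deliberately wrong.

```python
import base64
from typing import Dict, List

# Constructed schema subset: class -> (kind, superior, MUST attributes, MAY attributes).
# Names follow RFC 4519 / RFC 2798 / RFC 2307, but this is not OpenDJ's schema.
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"}, {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("STRUCTURAL", "person", set(), {"title", "ou", "l", "postalCode"}),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson", set(), {"uid", "mail", "givenName", "displayName"}),
    "organizationalUnit": ("STRUCTURAL", "top", {"ou"}, {"description"}),
    "posixAccount": ("AUXILIARY", "top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}, {"loginShell", "gecos"}),
}
# LDAP names compare case-insensitively, so keep a lower-cased copy for lookups.
_SCHEMA = {k.lower(): (kind, sup.lower() if sup else None, {a.lower() for a in must}, {a.lower() for a in may})
           for k, (kind, sup, must, may) in SCHEMA.items()}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records (RFC 2849): blank-line separated entries,
    'attr: value', 'attr:: base64value', and folded lines starting with one space."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # unfold a continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def _chain(oc: str) -> List[str]:
    """The class followed by its superiors up to top."""
    out = []
    while oc:
        out.append(oc)
        oc = _SCHEMA[oc][1]
    return out


def validate(entry: Dict[str, List[str]]) -> List[str]:
    """Schema violations that would make the server reject an add; [] means acceptable."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not classes:
        return ["entry has no objectClass"]
    unknown = [c for c in classes if c not in _SCHEMA]
    if unknown:
        return ["unknown object class: " + c for c in unknown]
    problems, must, may, structural = [], set(), set(), []
    for oc in classes:
        if _SCHEMA[oc][0] == "STRUCTURAL":
            structural.append(oc)
        for c in _chain(oc):                  # inherited MUST / MAY apply as well
            must |= _SCHEMA[c][2]
            may |= _SCHEMA[c][3]
    # RFC 4512: exactly one structural chain, e.g. inetOrgPerson > organizationalPerson > person
    if not structural:
        problems.append("no STRUCTURAL object class")
    elif not any(set(structural) <= set(_chain(s)) for s in structural):
        problems.append("more than one STRUCTURAL object class chain: " + ", ".join(structural))
    present = {a for a in entry if a != "dn"}
    problems += ["missing required attribute: " + a for a in sorted(must - present)]
    problems += ["attribute not allowed by object classes: " + a for a in sorted(present - must - may)]
    return problems


# Constructed sample: a valid OU, a valid user with an auxiliary class, and a broken entry.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: scarter
cn: Sam Carter
sn: Carter
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/scarter
mail: scarter@example.com
description:: U2FtcGxl
 IGVudHJ5

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalUnit
cn: Broken Entry
favouriteColor: blue
"""
```

Running `validate` over `parse_ldif(SAMPLE_LDIF)` accepts the first two entries and reports four problems for the third: two structural classes that are not on one chain, the missing sn and ou, and the undefined favouriteColor. The folded base64 description line decodes to "Sample entry", which is the kind of value that is easy to miss in a manual review of an LDIF import.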
Directory Requirements
■ Scalable: millions of entries
■ Fast: sub-second response times
■ Flexible: wide and extensible range of attributes
■ Standards-compliant (LDAP, SPML, SCIM, REST)
■ High availability: replication service
OpenDJ Drivers
■ Lower cost of ownership
  – Higher performance while consuming less disk, memory and CPU resources
  – Reduction in administrative overhead by automating recurring tasks (backups or data exports)
■ High availability, failover and disaster recovery for the directory service and its data
■ Secures identity data through encryption, authentication, authorization and access control, and password and account management capabilities
■ Complies with the LDAPv3, DSMLv2 and SCIM standards
■ Can be embedded in other Java applications
■ Advances as an open source project, which gives you the freedom to use, study or modify the code
Directory Components
[diagram: an LDAP client talks to the LDAP server host.example.com over LDAP on port 389 and over HTTP/REST on port 8080; the server holds the suffix dc=example,dc=com (with ou=People and uid=scarter beneath it), its configuration files, and LDIF data]
OpenDJ in action
■ OpenDJ architecture
■ The control panel
■ LDAP SDK
■ Command line
■ OpenDJ features
■ REST
OpenDJ Architecture
[diagram, layered from top to bottom]
User Interface: End User Management, ForgeRock UI Framework, ForgeRock REST
Core Server: Replication, Auditing, LDAPv3, Caching, Monitoring, Password Policy, Groups, Schema Management, REST2LDAP, Access Control
Backend Services: Persistence, Connectors, LDIF, Memory, Change Log
Also shown as access paths into the server: Java SDK / LDAPv3, Web Application, REST2LDAP, ForgeRock REST
Control Panel
The LDAP SDK
■ Client SDK
■ Command-line tools
■ Comes with some sample code
■ Can be used with any LDAP (RFC 4510) compliant server
■ Connection pooling
■ Load balancing
Command Line Tools (location: install/bin)
backup, base64, create-rc-script, dbtest, dsconfig, dsframework, dsjavaproperties, dsreplication,
encode-password, export-ldif, import-ldif, ldapcompare, ldapdelete, ldapmodify, ldappasswordmodify, ldapsearch,
ldif-diff, ldifmodify, ldifsearch, list-backends, make-ldif, manage-account, manage-tasks, rebuild-index,
restore, start-ds, status, stop-ds, verify-index
Referential Integrity
■ Entry references in static groups (member attributes holding a DN) can be automatically updated when the referenced entry is:
  – Deleted (the reference is removed)
  – Renamed (the reference is updated to the new DN)
■ The plugin is disabled by default and needs to be enabled; until it is, deleting or renaming a user leaves dangling member values behind in groups
Virtual/Collective Attributes
■ Have dynamically generated values
■ Virtual attribute examples:
  – hasSubordinates
  – isMemberOf
  – entryDN
  – entryUUID
■ Collective attribute usage examples:
  – Classes of service
  – Inheriting an attribute from the manager's entry
  – Inheriting attributes from the locality
■ Virtual static groups
  – Object class: ds-virtual-static-group
  – Member attribute: ds-target-group-dn
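The referential integrity behaviour and the isMemberOf / hasSubordinates virtual attributes from the two slides above, shown together on a tiny in-memory directory. This is an added example, not code from the slides or from OpenDJ: the entries, DNs and group names are constructed sample data, DN handling is simplified (no escaped commas), and the assumption that `member` and `uniqueMember` are the attributes kept consistent is marked in the code. The `referential_integrity` switch mirrors the plugin being off by default: without it, a deleted user's DN stays in the group.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
# Assumed for this example: the static-group membership attributes that get fixed up.
MEMBER_ATTRS = ("member", "uniqueMember")


def parent_dn(dn: str) -> str:
    """Parent of a DN; naive split, the constructed sample has no escaped commas."""
    return dn.split(",", 1)[1] if "," in dn else ""


class Directory:
    """In-memory DIT keyed by lower-cased DN (LDAP DNs compare case-insensitively)."""

    def __init__(self, entries: Dict[str, Entry], referential_integrity: bool = False):
        self.ri = referential_integrity           # the plugin is disabled by default
        self.entries: Dict[str, Entry] = {}
        for dn, attrs in entries.items():
            self.entries[dn.lower()] = {"dn": [dn], **{k: list(v) for k, v in attrs.items()}}

    def get(self, dn: str) -> Entry:
        return self.entries[dn.lower()]

    # -- virtual attributes: computed on read, never stored in the backend --
    def has_subordinates(self, dn: str) -> bool:
        return any(parent_dn(k) == dn.lower() for k in self.entries)

    def is_member_of(self, dn: str) -> List[str]:
        target = dn.lower()
        return [e["dn"][0] for e in self.entries.values()
                if any(v.lower() == target for a in MEMBER_ATTRS for v in e.get(a, []))]

    # -- referential integrity: what the plugin does after a delete or a modify DN --
    def _fix_references(self, old_dn: str, new_dn: Optional[str]) -> int:
        changed = 0
        for e in self.entries.values():
            for a in MEMBER_ATTRS:
                vals = e.get(a, [])
                kept = [v for v in vals if v.lower() != old_dn.lower()]
                if len(kept) != len(vals):
                    if new_dn is not None:
                        kept.append(new_dn)
                    e[a] = kept
                    changed += 1
        return changed

    def delete(self, dn: str) -> int:
        """Delete a leaf entry; returns how many groups were cleaned up."""
        if self.has_subordinates(dn):
            raise ValueError("not a leaf entry: LDAP delete refuses non-leaf entries")
        del self.entries[dn.lower()]
        return self._fix_references(dn, None) if self.ri else 0

    def rename(self, dn: str, new_rdn: str) -> str:
        """Modify DN of a leaf entry under the same parent; returns the new DN."""
        if self.has_subordinates(dn):
            raise ValueError("renaming a non-leaf entry is out of scope for this example")
        entry = self.entries.pop(dn.lower())
        new_dn = f"{new_rdn},{parent_dn(dn)}"
        rdn_attr, rdn_value = new_rdn.split("=", 1)
        entry["dn"] = [new_dn]
        entry[rdn_attr] = [rdn_value]             # the new RDN value becomes an attribute value
        self.entries[new_dn.lower()] = entry
        if self.ri:
            self._fix_references(dn, new_dn)
        return new_dn


def sample_directory(referential_integrity: bool) -> Directory:
    """Constructed sample DIT: two users, two static groups of different types."""
    base = "dc=example,dc=com"
    person = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    return Directory({
        base: {"objectClass": ["top", "domain"], "dc": ["example"]},
        f"ou=People,{base}": {"objectClass": ["top", "organizationalUnit"], "ou": ["People"]},
        f"uid=scarter,ou=People,{base}": {"objectClass": person, "uid": ["scarter"], "cn": ["Sam Carter"], "sn": ["Carter"]},
        f"uid=bjensen,ou=People,{base}": {"objectClass": person, "uid": ["bjensen"], "cn": ["Babs Jensen"], "sn": ["Jensen"]},
        f"ou=Groups,{base}": {"objectClass": ["top", "organizationalUnit"], "ou": ["Groups"]},
        f"cn=Admins,ou=Groups,{base}": {"objectClass": ["top", "groupOfNames"], "cn": ["Admins"],
                                         "member": [f"uid=scarter,ou=People,{base}", f"uid=bjensen,ou=People,{base}"]},
        f"cn=Developers,ou=Groups,{base}": {"objectClass": ["top", "groupOfUniqueNames"], "cn": ["Developers"],
                                             "uniqueMember": [f"uid=scarter,ou=People,{base}"]},
    }, referential_integrity)
```

With the plugin on, renaming uid=scarter to uid=samc rewrites both groups and deleting uid=bjensen removes him from cn=Admins; with it off, cn=Admins keeps the DN of an entry that no longer exists. Stale member DNs are the usual source of a user still appearing "in" an admin group after the account was removed, so after enabling the plugin it is worth searching groups for values whose target entry no longer resolves.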
Replication
Replication Servers
HTTP Connection Handler
■ The OpenDJ HTTP Connection Handler exposes a REST API over HTTP (port 8080 in the component diagram); it is plain HTTP unless the handler is configured for TLS, so the same transport-protection concern as for LDAP on port 389 applies
■ Configure the mapping between JSON resources and LDAP entries by editing the /path/to/opendj/config/http-config.json file:

  // The REST APIs and their LDAP attribute mappings.
  "mappings" : {
    "/users" : {
      "baseDN" : "ou=people,dc=example,dc=com",
      "readOnUpdatePolicy" : "controls",
      "useSubtreeDelete" : false,
      "usePermissiveModify" : true,
      "etagAttribute" : "etag",
      "namingStrategy" : {
        "strategy" : "clientDNNaming",
        "dnAttribute" : "uid"
      },
      "additionalLDAPAttributes" : [
        {
          "type" : "objectClass",
          "values" : [ "top", "person", "organizationalPerson", "inetOrgPerson" ]
        }
      ]
    }
  }
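What the mapping above does to a JSON resource, as an added example (not code from the slides or from OpenDJ's REST2LDAP): the `clientDNNaming` strategy builds the entry DN from the client-chosen `_id`, so the RDN value has to be escaped per RFC 4514 or a crafted `_id` such as `evil,ou=admins` would change where the entry lands. The `MAPPING` dict repeats the slide's values; the `attributes` table (which JSON field feeds which LDAP attribute) and the sample resource are constructed for this example, since the slide's fragment stops before that part of the file.

```python
from typing import Dict, List

# Values from the slide's http-config.json fragment, plus a constructed field table.
MAPPING = {
    "baseDN": "ou=people,dc=example,dc=com",
    "namingStrategy": {"strategy": "clientDNNaming", "dnAttribute": "uid"},
    "additionalLDAPAttributes": [
        {"type": "objectClass", "values": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
    ],
    # Assumed for this example: JSON field -> LDAP attribute (the real file uses a richer syntax).
    "attributes": {"_id": "uid", "displayName": "cn", "surname": "sn", "mail": "mail"},
}


def escape_rdn_value(value: str) -> str:
    """RFC 4514 string escaping for an attribute value used inside a DN."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):     # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                     # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def to_ldap_add(resource: dict, mapping: dict = MAPPING) -> Dict[str, object]:
    """Translate a JSON resource into the DN and attributes of the LDAP add a
    REST2LDAP-style gateway would issue for POST /users."""
    strategy = mapping["namingStrategy"]
    if strategy["strategy"] != "clientDNNaming":
        raise NotImplementedError(strategy["strategy"])
    rid = resource.get("_id")
    if not isinstance(rid, str) or not rid:
        raise ValueError("clientDNNaming requires a non-empty string _id")
    dn = f"{strategy['dnAttribute']}={escape_rdn_value(rid)},{mapping['baseDN']}"
    attrs: Dict[str, List[str]] = {}
    for field, ldap_attr in mapping["attributes"].items():
        if field in resource:
            attrs.setdefault(ldap_attr, []).append(str(resource[field]))
    for extra in mapping["additionalLDAPAttributes"]:          # e.g. the objectClass values
        attrs.setdefault(extra["type"], []).extend(extra["values"])
    return {"dn": dn, "attributes": attrs}


def to_ldif(add: Dict[str, object]) -> str:
    """Render the add as LDIF, which is the easiest form to eyeball."""
    lines = ["dn: " + str(add["dn"])]
    for attr, values in add["attributes"].items():
        lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"


# Constructed sample resources.
SAMPLE = {"_id": "bjensen", "displayName": "Babs Jensen", "surname": "Jensen", "mail": "bjensen@example.com"}
CRAFTED = {"_id": "evil,ou=admins", "displayName": "Not An Admin", "surname": "X"}

if __name__ == "__main__":
    print(to_ldif(to_ldap_add(SAMPLE)))
    print(to_ldif(to_ldap_add(CRAFTED)))
```

For `SAMPLE` the DN is `uid=bjensen,ou=people,dc=example,dc=com`; for `CRAFTED` it is `uid=evil\,ou=admins,ou=people,dc=example,dc=com`, one entry under ou=people whose uid happens to contain a comma, rather than something under a different container. Whatever does this translation in front of a directory must escape the same way, and the directory's access control should still be scoped by base DN rather than trusting the REST layer alone.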
The Plugin API
■ The primary mechanism for extending the directory server
■ Operational plugins:
  – Pre-parse: called immediately after the worker thread has taken the request from the work queue
  – Pre-operation: called before request processing is initiated
  – Post-operation: called immediately after request processing is completed (before the response is sent)
  – Post-response: called immediately after the response is sent to the client, but before the worker thread completes
■ Examples of other plugins:
  – Server startup/shutdown plugins
  – LDIF import plugin
Single Shared Model
ROA + REST + JSON, shared by ForgeRock Services, ForgeRock REST, ForgeRock UI and application scripting
ForgeRock University