
Installation

OpenDJ can be downloaded at http://forgerock.com/opendj.html. Get the zip file, unzip it at any convenient location, run the "setup" utility and configure the following recommended parameters:

  • LDAP Listener Port: 1389
  • Administration Connector Port: 4444
  • LDAP Secure Access: disabled
  • Root User DN: cn=Directory Manager
  • Password: secret
  • Topology Options: select "This server will be part of a replication topology", but do not change other options on this form.
  • Directory Base DN: dc=example,dc=com
  • Import data from LDIF file: https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/example-base-only.ldif

Leave all other options set to their default values.

Make sure that the OpenDJ instance is started. If it is not, use the start-ds script in the OpenDJ bin directory (or start-ds.bat in the bat directory on Windows) to start it.

Please note that OpenDJ 2.4.x does not seem to work quite correctly with Oracle JRE 7 (this applies to its Control Panel but also to several other utilities). Also, setting OPENDS_JAVA_HOME to a JDK directory (not a JRE directory) seems to cause the installation to fail (at least in some situations). Oracle JRE 6, for example, works fine with OpenDJ 2.4.x.

Setting Up Directory Content

The directory server needs to be populated with data (providing at least a basic tree structure), and a midPoint administrative user has to be created. The user is assumed to be uid=idm,ou=Administrators,dc=example,dc=com in the following examples. For correct midPoint operation this user needs to be able to execute unindexed searches, which is necessary for iterating over all the user entries during import and reconciliation. Although midPoint uses simple paged results and VLV controls, the OpenDJ server treats this as an unindexed search. Therefore the administrative user needs the unindexed-search privilege, as illustrated by the following example.

IDM Administrative User

# Administrative account used by midPoint; the ou=Administrators container must already exist
dn: uid=idm,ou=Administrators,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: idm
cn: IDM Administrator
sn: IDM Administrator
description: Special LDAP account used by the IDM to access the LDAP data.
ou: Administrators
userPassword: secret
# unindexed-search: lets midPoint iterate over all entries during import and reconciliation
ds-privilege-name: unindexed-search
# password-reset: lets midPoint set other users' passwords without knowing the old one
ds-privilege-name: password-reset

You can import the base LDAP structure together with the user described above (and the corresponding ACI) by importing any of the example*.ldif files from the samples/resources/opendj directory.

Enabling External ChangeLog

The External Changelog is enabled whenever replication is enabled.

If installing stock OpenDJ, make sure to enable replication by checking the "Server part of replication topology" option (as described above). This will enable the External Change Log (ECL, the cn=changelog LDAP subtree).

If there is an existing OpenDJ instance that does not have ECL enabled, several operations need to be executed. Please see Ludo's blog entry for the details.

Access Control Setup

The IDM administration account needs access rights to the cn=changelog suffix.

For OpenDJ on non-Windows platforms, use the following.

Allow ACI for cn=changelog suffix (non-Windows platforms only)

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*||+\")(version 3.0; acl \"IDM Access to ChangeLog\"; allow (read,search,compare) userdn=\"ldap:///uid=idm,ou=Administrators,dc=example,dc=com\";)" -n

Add another allow ACI that grants the IDM admin access to the root DSE attributes changeLog, firstChangeNumber and lastChangeNumber.

Allow ACI for root DSE (non-Windows platforms only)

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetattr=\"changeLog || firstChangeNumber || lastChangeNumber\")(version 3.0; acl \"IDM Access to ChangeLog\"; allow (read,search,compare) userdn=\"ldap:///uid=idm,ou=Administrators,dc=example,dc=com\";)" -n

For OpenDJ on Windows, follow these steps instead:

Allow ACIs for cn=changelog suffix and root DSE (Windows command line shell)

Enter the dsconfig interactive mode (you need to run the file from the bat subdirectory) by entering:

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret

Choose 1) Automatically trust (How do you want to trust the server certificate?)
Choose 1) Access Control Handler (What do you want to configure?)
Choose 1) View and edit the Access Control Handler (What would you like to do?)
Choose 2) global-aci.
Choose 2) Add one or more values (Do you want to modify the "global-aci" property?)

(target="ldap:///cn=changelog")(targetattr="*||+")(version 3.0; acl "IDM Access to ChangeLog"; allow (read,search,compare) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)

Press Enter.

(target="ldap:///")(targetattr="changeLog || firstChangeNumber || lastChangeNumber")(version 3.0; acl "IDM Access to ChangeLog"; allow (read,search,compare) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)

Finish the command by selecting 1) Use these values.

Alternatively, if you are brave enough (and tired of repeating the above steps on various OpenDJ installations), you can try the following:

Allow ACIs for Windows (an alternative, automated way)

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret <aci.txt

where aci.txt can be downloaded here. Please note that the script is inherently fragile, as it depends on a particular menu structure of dsconfig. It was tested on OpenDJ 2.4.3.

Note: OpenDJ servers version 2.4.0 and older have deny ACI for cn=changelog which needs to be removed.
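As an added check (not part of the original page or of the midPoint or OpenDJ projects), the following Python script audits a list of global-aci values, such as those printed by dsconfig for the access control handler, and reports whether the IDM account holds the two allow ACIs described above and whether any legacy deny ACI on cn=changelog is still present. The sample ACIs are constructed from the commands on this page; the deny entry is a constructed stand-in, since the real legacy text is not shown here, and the parser only understands the single-target, single-userdn ACI shape this page uses.

```python
import re

# Constructed global-aci values in the form the dsconfig commands on this page add them;
# the third is a constructed stand-in for the legacy deny ACI that older OpenDJ carries.
IDM_DN = "uid=idm,ou=Administrators,dc=example,dc=com"
SAMPLE_GLOBAL_ACIS = [
    '(target="ldap:///cn=changelog")(targetattr="*||+")(version 3.0; acl "IDM Access to ChangeLog"; '
    'allow (read,search,compare) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)',
    '(target="ldap:///")(targetattr="changeLog || firstChangeNumber || lastChangeNumber")(version 3.0; '
    'acl "IDM Access to ChangeLog"; allow (read,search,compare) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)',
    '(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "Legacy changelog deny (constructed)"; '
    'deny (all) userdn="ldap:///anyone";)',
]
# Matches the ACI shape used on this page: one target, one targetattr and one allow/deny
# clause with a single userdn bind rule; other shapes are reported as unparsed.
ACI_RE = re.compile(
    r'\(target="(?P<target>[^"]*)"\)\(targetattr="(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*(?P<effect>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*userdn="ldap:///(?P<userdn>[^"]*)";\)')

def parse_aci(aci):
    # Return the ACI fields with attribute and right names lower-cased, or None if unparsed.
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        return None
    d = m.groupdict()
    d["attrs"] = {a.strip().lower() for a in d["attrs"].split("||")}
    d["rights"] = {r.strip().lower() for r in d["rights"].split(",")}
    return d

def audit_changelog_access(acis, idm_dn=IDM_DN):
    # idm_dn needs read/search/compare on cn=changelog (user attributes) and on the three
    # root DSE changelog attributes; any deny ACI on cn=changelog is flagged for removal.
    needed = {"read", "search", "compare"}
    rootdse_attrs = {"changelog", "firstchangenumber", "lastchangenumber"}
    result = {"changelog_allow": False, "rootdse_allow": False, "changelog_deny": [], "unparsed": []}
    for raw in acis:
        a = parse_aci(raw)
        if a is None:
            result["unparsed"].append(raw)
            continue
        on_changelog = a["target"].lower() == "ldap:///cn=changelog"
        if a["effect"] == "deny" and on_changelog:
            result["changelog_deny"].append(a["name"])
        elif a["effect"] == "allow" and a["userdn"].lower() == idm_dn.lower() and needed <= a["rights"]:
            if on_changelog and "*" in a["attrs"]:
                result["changelog_allow"] = True
            if a["target"] == "ldap:///" and (rootdse_attrs <= a["attrs"] or "+" in a["attrs"]):
                result["rootdse_allow"] = True
    return result
```

On a real server, feed the function the global-aci values from dsconfig get-access-control-handler-prop and treat a non-empty changelog_deny list or a False flag as something to fix before pointing midPoint at the changelog.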

Referential Integrity Plugin

If you plan to use LDAP groups, you should also turn the Referential Integrity Plugin on, otherwise users will remain in the LDAP groups after deletion (or rename).

Referential Integrity Plugin

Enter the dsconfig interactive mode (you need to run the file from the bin or bat subdirectory) by entering:

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret

Choose 32) Plugin
Choose 3) View and Edit an existing Plugin
Choose 9) Referential Integrity
Choose 3) enabled
Choose 2) Change it to the value: true

Finish the command by selecting f) Finish

Checking the Installation

You can use a command for checking external changelog availability as described here.

(Now you can return to First Steps#OpenDJ Resource Setup section, if you came here from there.)

OpenDJ JVM Tuning

To set JVM options for OpenDJ, please check file <opendj>/config/java.properties.

Example:

  • start-ds.java-args=-server -XX:+UseCompressedOops -Xmx512m -XX:MaxPermSize=256m

After any change, you have to:

  1. run <opendj>/bin/dsjavaproperties
  2. restart OpenDJ server

You may also want to check the OpenDJ Installation Guide on ForgeRock and the "An important tuning flag for OpenDJ with 64bit JVM" blog entry.
