OpenDJ can be downloaded from http://forgerock.com/opendj.html. Get the zip file, unzip it in any convenient location, run the "setup" utility and configure the following recommended parameters:
LDAP Listener Port
Administration Connector Port
LDAP Secure Access
Root User DN
Select "This server will be part of a replication topology", but do not change the other options on this form.
Directory Base DN
Import data from LDIF file
Leave all other options set to their default values.
Make sure that the OpenDJ instance is started. If it is not, use the start-ds script in the OpenDJ bin directory (or start-ds.bat in the bat directory on Windows) to start it.
Please note that OpenDJ 2.4.x does not seem to work correctly with Oracle JRE 7 (this affects its Control Panel but also several other utilities). Also, setting OPENDS_JAVA_HOME to a JDK directory (rather than a JRE directory) seems to cause installation to fail, at least in some situations. Oracle JRE 6, for example, works fine with OpenDJ 2.4.x.
Setting Up Directory Content
The directory server needs to be populated with data (providing at least a basic tree structure), and a midPoint administrative user has to be created. In the following examples this user is assumed to be uid=idm,ou=Administrators,dc=example,dc=com. For correct midPoint operation this user needs to be able to execute unindexed searches, which is necessary for iterating over all user entries during import and reconciliation: although midPoint uses the simple paged results and VLV controls, OpenDJ treats such a search as unindexed. The administrative user therefore needs the unindexed-search privilege, as illustrated by the following example.
You can import the base LDAP structure, including the user described above (with the corresponding ACI), by importing any of the example*.ldif files from
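As an added example (not the page's own example*.ldif file, nor midPoint's or OpenDJ's code), the following POSIX shell script generates the base tree, the uid=idm administrator carrying the unindexed-search privilege and an ACI that grants that account rights over the tree, and loads it with OpenDJ's ldapmodify. The LDAP listener port, the root DN password, the idm password and OPENDJ_HOME are assumed values; the privilege is assigned through the ds-privilege-name attribute, which only a root user (or a user holding privilege-change) may set.

```shell
#!/bin/sh
# Added example, not part of the midPoint page or OpenDJ: builds the base tree
# and the uid=idm administrative user with the unindexed-search privilege, then
# loads it with OpenDJ's ldapmodify. Host, port, passwords and OPENDJ_HOME are
# assumed values.
set -eu

OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"   # assumed install location
LDAP_PORT="${LDAP_PORT:-1389}"              # assumed LDAP listener port
ROOT_DN="cn=Directory Manager"
ROOT_PW="${ROOT_PW:-password}"              # assumed root user password
IDM_DN="uid=idm,ou=Administrators,dc=example,dc=com"
IDM_PW="${IDM_PW:-secret}"                  # assumed; OpenDJ hashes it on write

# Emit the LDIF on stdout so it can be reviewed or saved before loading.
idm_base_ldif() {
  cat <<EOF
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
# The IDM account gets full rights over the tree, user and operational attributes.
aci: (targetattr="*||+")(version 3.0; acl "IDM admin has full access to the tree"; allow (all) userdn="ldap:///$IDM_DN";)

dn: ou=Administrators,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Administrators

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: $IDM_DN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: idm
cn: IDM Administrator
sn: Administrator
userPassword: $IDM_PW
# Lets the account iterate over the whole tree (import, reconciliation) even
# though paged/VLV searches are treated as unindexed by the server.
ds-privilege-name: unindexed-search
EOF
}

# ldapmodify -a (--defaultAdd) adds entries that carry no changetype line.
# Binding as the root DN is required: setting ds-privilege-name needs the
# privilege-change privilege.
load_ldif() {
  idm_base_ldif | "$OPENDJ_HOME/bin/ldapmodify" -h localhost -p "$LDAP_PORT" \
    -D "$ROOT_DN" -w "$ROOT_PW" -a
}

# Load when an OpenDJ install is present; otherwise just show the LDIF.
if [ -x "$OPENDJ_HOME/bin/ldapmodify" ]; then
  load_ldif
else
  idm_base_ldif
fi
```

The ACI is the least-privilege alternative to giving the account bypass-acl: its rights stop at dc=example,dc=com, and the changelog and root DSE are handled separately by global ACIs.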
Enabling External ChangeLog
The External Changelog is enabled whenever replication is enabled.
If installing stock OpenDJ, make sure to enable replication by selecting "This server will be part of a replication topology" (as described above). This enables the External Change Log (ECL, the cn=changelog LDAP subtree).
If there is an existing OpenDJ instance that does not have ECL enabled, several operations need to be executed. Please see Ludo's blog entry for the details.
Access Control Setup
The IDM administration account needs access rights to the
For OpenDJ on non-Windows platforms, use the following.
allow ACI that will provide access to the root DSE attribute lastChangeNumber to the IDM admin.
For OpenDJ on Windows, follow these steps instead:
Alternatively, if you are brave enough (and tired of repeating the above steps on various OpenDJ installations), you can try the following:
Note: OpenDJ 2.4.0 and older have a deny ACI for cn=changelog which needs to be removed.
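The non-Windows procedure above, as an added example written for this page (not midPoint's or OpenDJ's own script): two global ACIs added with dsconfig give the IDM account read-only rights over cn=changelog and over the changelog attributes of the root DSE, and the existing global ACIs are listed so that the deny ACI shipped by OpenDJ 2.4.0 and older can be removed by its exact text. The administration connector port, root DN password and OPENDJ_HOME are assumed values; the ACI names are assumptions as well.

```shell
#!/bin/sh
# Added example, not the page's or OpenDJ's own script: grants the IDM admin
# read access to cn=changelog and to the root DSE changelog attributes via
# global ACIs, and lists/removes global ACIs (for the 2.4.0 deny ACI).
# Connection details are assumed.
set -eu

OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"   # assumed install location
ADMIN_PORT="${ADMIN_PORT:-4444}"            # assumed administration connector port
ROOT_DN="cn=Directory Manager"
ROOT_PW="${ROOT_PW:-password}"              # assumed root user password
IDM_DN="uid=idm,ou=Administrators,dc=example,dc=com"

# Read, search and compare only: the changelog is never written by midPoint.
changelog_aci() {
  printf '%s' "(target=\"ldap:///cn=changelog\")(targetattr=\"*||+\")(version 3.0; acl \"IDM admin can read cn=changelog\"; allow (read,search,compare) userdn=\"ldap:///$IDM_DN\";)"
}

# The root DSE is addressed as target="ldap:///" with targetscope="base";
# only the changelog-related attributes are exposed, nothing else.
rootdse_aci() {
  printf '%s' "(target=\"ldap:///\")(targetscope=\"base\")(targetattr=\"firstChangeNumber||lastChangeNumber||changelog||lastExternalChangelogCookie\")(version 3.0; acl \"IDM admin can read changelog attributes of root DSE\"; allow (read,search,compare) userdn=\"ldap:///$IDM_DN\";)"
}

# dsconfig subcommand plus its options first, connection options appended.
dsconfig_cmd() {
  "$OPENDJ_HOME/bin/dsconfig" "$@" --hostname localhost --port "$ADMIN_PORT" \
    --bindDN "$ROOT_DN" --bindPassword "$ROOT_PW" --trustAll --no-prompt
}

add_global_acis() {
  dsconfig_cmd set-access-control-handler-prop \
    --add "global-aci:$(changelog_aci)" \
    --add "global-aci:$(rootdse_aci)"
}

# On 2.4.0 and older, look in this output for the ACI that denies
# cn=changelog and pass its exact text to remove_global_aci.
list_global_acis() {
  dsconfig_cmd get-access-control-handler-prop --property global-aci
}

remove_global_aci() {
  dsconfig_cmd set-access-control-handler-prop --remove "global-aci:$1"
}

if [ -x "$OPENDJ_HOME/bin/dsconfig" ]; then
  add_global_acis
  list_global_acis
else
  # No server reachable: print the ACIs so they can be applied by hand.
  changelog_aci; echo
  rootdse_aci; echo
fi
```

Keep the rights to read, search and compare: a write-capable ACI on cn=changelog would let a compromised IDM account tamper with the change history that midPoint relies on for live synchronization.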
Referential Integrity Plugin
If you plan to use LDAP groups, you should also turn on the Referential Integrity Plugin; otherwise deleted (or renamed) users remain listed as members of their LDAP groups.
Checking the Installation
You can check that the external changelog is available with the command described here.
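An added example covering both the Referential Integrity Plugin section and this check (it is not midPoint's or OpenDJ's own script): it enables the plugin with dsconfig, then binds as the IDM account and verifies that the root DSE exposes lastChangeNumber and that cn=changelog is searchable, which fails if ECL is off or the ACIs are missing. Host, ports, passwords and OPENDJ_HOME are assumed values.

```shell
#!/bin/sh
# Added example (not from the midPoint page or OpenDJ): enables the Referential
# Integrity plugin and checks, as the IDM account, that the external changelog
# is visible. Host, ports, passwords and OPENDJ_HOME are assumed.
set -eu

OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"   # assumed install location
LDAP_PORT="${LDAP_PORT:-1389}"              # assumed LDAP listener port
ADMIN_PORT="${ADMIN_PORT:-4444}"            # assumed administration connector port
ROOT_DN="cn=Directory Manager"
ROOT_PW="${ROOT_PW:-password}"              # assumed root user password
IDM_DN="uid=idm,ou=Administrators,dc=example,dc=com"
IDM_PW="${IDM_PW:-secret}"                  # assumed IDM account password

# Without this plugin a deleted or renamed entry stays listed in the member /
# uniqueMember attributes of every group it belonged to.
enable_referential_integrity() {
  "$OPENDJ_HOME/bin/dsconfig" set-plugin-prop --plugin-name "Referential Integrity" \
    --set enabled:true --hostname localhost --port "$ADMIN_PORT" \
    --bindDN "$ROOT_DN" --bindPassword "$ROOT_PW" --trustAll --no-prompt
}

# Root DSE read bound as the IDM account, not as Directory Manager: this is
# what proves the root DSE ACI is in place.
root_dse_changelog_attrs() {
  "$OPENDJ_HOME/bin/ldapsearch" -h localhost -p "$LDAP_PORT" -D "$IDM_DN" -w "$IDM_PW" \
    -b "" -s base "(objectclass=*)" firstChangeNumber lastChangeNumber changelog
}

# Subtree search of the changelog itself; "no such entry" means ECL is off,
# "insufficient access" means the cn=changelog ACI is missing.
changelog_entries() {
  "$OPENDJ_HOME/bin/ldapsearch" -h localhost -p "$LDAP_PORT" -D "$IDM_DN" -w "$IDM_PW" \
    -b "cn=changelog" "(objectclass=*)" changeNumber targetDN changeType
}

# Reads ldapsearch output on stdin, prints the value of lastChangeNumber and
# returns 1 when the attribute is absent (ECL disabled or ACI not applied).
last_change_number() {
  awk 'tolower($1) == "lastchangenumber:" { print $2; found = 1 } END { exit !found }'
}

if [ -x "$OPENDJ_HOME/bin/ldapsearch" ]; then
  enable_referential_integrity
  n=$(root_dse_changelog_attrs | last_change_number) \
    || { echo "external changelog is not visible to $IDM_DN" >&2; exit 1; }
  echo "lastChangeNumber=$n"
  changelog_entries
fi
```

The search is deliberately bound as the IDM account rather than the root DN; a check run as Directory Manager succeeds regardless of the ACIs and proves nothing about what midPoint will see.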
(Now you can return to First Steps#OpenDJ Resource Setup section, if you came here from there.)
OpenDJ JVM Tuning
To set JVM options for OpenDJ, please check file
- start-ds.java-args=-server -XX:+UseCompressedOops -Xmx512m -XX:MaxPermSize=256m
After any change, you have to:
- run the dsjavaproperties script in the OpenDJ bin directory (bat directory on Windows), so that the new arguments are written into the launcher scripts
- restart the OpenDJ server
You may want to check the OpenDJ Installation Guide on the ForgeRock site and the "An important tuning flag for OpenDJ with 64bit JVM" blog entry.
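As an added example (not from the midPoint page or OpenDJ), the following POSIX shell functions change a key such as start-ds.java-args in the properties file that holds it, idempotently: the active definition is replaced, duplicate active definitions are dropped, commented-out lines are left alone, and a missing key is appended. They then run dsjavaproperties and restart, which OpenDJ 2.x requires before new JVM arguments take effect. The path under OPENDJ_HOME and the heap values are assumptions; size -Xmx for the machine.

```shell
#!/bin/sh
# Added example (not part of the midPoint page or of OpenDJ): idempotent editing
# of a key in OpenDJ's java.properties, followed by the steps OpenDJ 2.x needs
# before new JVM arguments take effect. OPENDJ_HOME, the file location and the
# JVM values are assumptions.
set -eu

OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"          # assumed install location
JAVA_PROPS="$OPENDJ_HOME/config/java.properties"   # assumed location of the file

# set_java_property FILE KEY VALUE
# Replaces the active (uncommented) "KEY=..." line, drops any further active
# definitions of KEY, leaves commented examples alone, appends KEY if absent.
set_java_property() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (index(line, k "=") == 1) {      # active definition of the key
        if (!done) { print k "=" v; done = 1 }
        next                              # later duplicates are dropped
      }
      print
    }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_java_property FILE KEY: prints the effective value (the last active
# line wins, as with Java properties), or nothing if the key is not set.
get_java_property() {
  awk -v k="$2" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (index(line, k "=") == 1) val = substr(line, length(k) + 2)
    }
    END { print val }
  ' "$1"
}

# OpenDJ 2.x does not read java.properties at start-up: dsjavaproperties writes
# the settings into the launcher scripts, and the server must then restart.
apply_java_properties() {
  "$OPENDJ_HOME/bin/dsjavaproperties"
  "$OPENDJ_HOME/bin/stop-ds" --restart
}

if [ -f "$JAVA_PROPS" ]; then
  # -XX:+UseCompressedOops is the 64-bit JVM flag the page refers to;
  # -XX:MaxPermSize applies to the Java 6/7 JVMs that OpenDJ 2.4.x runs on.
  set_java_property "$JAVA_PROPS" start-ds.java-args \
    "-server -XX:+UseCompressedOops -Xmx512m -XX:MaxPermSize=256m"
  echo "start-ds.java-args=$(get_java_property "$JAVA_PROPS" start-ds.java-args)"
  apply_java_properties
fi
```

Editing with a function rather than appending by hand avoids the classic failure of two active start-ds.java-args lines, where the last one silently wins and the heap setting you think you applied is not the one in effect.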