This document provides an overview of OpenDJ for beginners. It discusses what an LDAP directory is and when it should be used. The key features of OpenDJ are listed, including its scalability, performance, flexibility, and support for LDAP, SPML and SCIM standards. Components of OpenDJ like replication and interfaces for LDAP, DSML and REST are described. The differences between a directory and relational database are outlined. Typical use cases for authentication are discussed. Finally, features of OpenDJ like its administration GUI, command line, SDK, access control, and group/role support are highlighted.

1. OpenDJ for Beginners
EMEA Summit 2013

2. Objectives
Upon completion of this module, you should be able to:
•
OpenDJ and the OIS
•
What is an LDAP Directory
•
When to use an LDAP Directory
•
Features of OpenDJ
2

3. Pillars of IAM
3

4. Classic scenario I
User wants to use an application...
which does not require any of ForgeRock's
products, but ...
Application
User
4

5. Classic scenario II
Centralization of Authentication
… and ...
Application
OpenDJ
User
5

6. Classic scenario III
Central Authorization
OpenAM
OpenDJ
Application
User
6

7. What is a Directory?
•
Special purpose data repository
•
Attribute-Value pair type of data
•
Hierarchical structure for data modeling
•
Traditionally optimized for read through heavy indexes
7

8. LDAP History
•
Worldwide Directory, like phone book
•
X500
•
How to access a directory (lightweight client)
8

9. Example Directory Tree
9

10. LDAP directory can store
•
User credentials
•
Company employee phone book and organizational chart
•
Network information
•
Mail routing information
•
HR data
•
Public security keys and certificates
•
External customer contact information
10

11. LDAP entry examples
11

12. Schema
• A schema is a set of rules that determines what data
can and cannot be stored in a directory
• Schemas help maintain the integrity and quality of the
data being stored
• A directory server schema consists of:
> Attributes
> Object Classes
> Rules that must be followed before allowing data into the
database
12

13. Attributes
• Data elements used to describe something
> First Name, Last Name, City, State, Postal Code
• Can contain single or multiple values
• Can be grouped with other attributes to describe an
object
> Person, Place, Thing, etc.
• Have a particular syntax
• Common attributes are defined by RFCs
• Organizations may add their own attributes
13

14. Object Classes
• Data elements used to group attributes in order to
describe an object
• Act as templates that describe directory entries
• Defined by the objectClass attribute
• Required for all directory server entries
> Entries MUST have at least one object class
> Entries MAY have more than one object class
• Two types of object classes: STRUCTURAL and
AUXILIARY
14

15. Today’s Directory Requirements
•
Scalable: Millions of entries
•
Fast: sub-second response times
•
Flexible: wide and extensible range of attributes
•
Standards-compliant (LDAP, SPML,SCIM)
•
High availability: replication service
15

16. OpenDJ Drivers
•
Lower cost of ownership
• Higher performance while consuming less disk, memory and CPU resources
• Reduction in administrative overload by automating recurrent tasks (backup or
data exports)
•
High availability, failover and disaster recovery for directory service and
data
•
Secures identity data through encryption, authentication, authorizations
and access control, password and account management capabilities
•
Complies with LDAPv3, DSMLv2 and SCIM standards
•
Can be embedded in other Java applications
•
Advances as an open source project that allows you the freedom to use,
study or modify the code
16

17. Directory vs Relational Database
•
How often does your data change?
•
What kind of data are you trying to model?
•
Does it make sense to model your data in a
hierarchical structure?
•
Does your data need to be available cross-platform?
17

18. Typical Use Case: Authentication
•
Very quick for doing identity reads
•
Low cost
•
Excellent for doing rapid LDAP authentication for any
digitized authentication
•
Universal protocol enabling quick interaction and exchange
of identity information
•
Can be easily partitioned allowing flexible architecture
•
Can be easily replicated providing high availability and
reliability
18

19. Directory Server Components
LDIF
dc=example,dc=com
ou=People
uid=scarter
configuration files
LDAP
dc=example,dc=com
:389
LDAP Client
:8080
HTTP/REST
host.example.com
( LDAP Server )
19

20. OpenDJ in action
•
Install OpenDJ
•
The control panel
•
Command line
•
REST
20

21. Replication
21

22. Stand-alone Replication Servers
22

23. OpenDJ Interfaces
•
LDAP
• The native directory server interface
• Based on the DAP protocol
•
DSML
• Accessed through a gateway (web application)
•
REST
• Exchange of JSON messages
• Native or through a gateway (web application)
23

24. Single Shared Model
ForgeRock UI
Application
ForgeRock REST
Scripting
ForgeRock Services
ROA + REST + JSON
01-24

25. OpenDJ Features
•
Admin GU
•
Rich admin command line
•
LDAP SDK
•
Verbose access control
•
High availability
•
Flexible, and easy to use plug in mechanism
•
Pass through authentication
•
Optimistic concurrency control (MVCC)
•
SAMBA integration
•
Static, dynamic and virtual static groups and roles
25

26. Forgerock University
01-26