OpenDJ - An Introduction
OpenDJ for Beginners
EMEA Summit 2013
Objectives
Upon completion of this module, you should be able to explain:
• OpenDJ and the OIS
• What is an LDAP Directory
• When to use an LDAP Directory
• Features of OpenDJ
Pillars of IAM
Classic scenario I: User wants to use an application...
Diagram: User, Application, which does not require any of ForgeRock's products, but ...
Classic scenario II: Centralization of Authentication
Diagram: User, Application ... and ... OpenDJ
Classic scenario III: Central Authorization
Diagram: User, Application, OpenDJ, OpenAM
What is a Directory?
• Special purpose data repository
• Attribute-Value pair type of data
• Hierarchical structure for data modeling
• Traditionally optimized for reads through heavy indexing
LDAP History
• Worldwide Directory, like phone book
• X.500
• How to access a directory (lightweight client)
Example Directory Tree
An LDAP directory can store:
• User credentials
• Company employee phone book and organizational chart
• Network information
• Mail routing information
• HR data
• Public security keys and certificates
• External customer contact information
LDAP entry examples
Schema
• A schema is a set of rules that determines what data can and cannot be stored in a directory
• Schemas help maintain the integrity and quality of the data being stored
• A directory server schema consists of:
  > Attributes
  > Object Classes
  > Rules that must be followed before allowing data into the database
Attributes
• Data elements used to describe something
  > First Name, Last Name, City, State, Postal Code
• Can contain single or multiple values
• Can be grouped with other attributes to describe an object
  > Person, Place, Thing, etc.
• Have a particular syntax
• Common attributes are defined by RFCs
• Organizations may add their own attributes
Object Classes
• Data elements used to group attributes in order to describe an object
• Act as templates that describe directory entries
• Defined by the objectClass attribute
• Required for all directory server entries
  > Entries MUST have at least one object class
  > Entries MAY have more than one object class
• Two types of object classes: STRUCTURAL and AUXILIARY
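The schema rules on the Schema, Attributes and Object Classes slides (attributes with a syntax and single- or multi-valued cardinality, object classes that group attributes, STRUCTURAL versus AUXILIARY classes, at least one objectClass per entry) and the hierarchical tree shown later in the deck (dc=example,dc=com, ou=People, uid=scarter) can be exercised with a small LDIF validator. The following Python is an added example, not OpenDJ code or part of the original slides: the attribute definitions, the object classes including the exampleMailUser auxiliary class, and the LDIF records are constructed and deliberately simplified (no class inheritance, regular expressions standing in for LDAP syntax OIDs, and uid treated as single-valued for illustration).

```python
"""Toy LDAP schema validator (added example, not OpenDJ code).

Checks constructed LDIF records against a constructed, simplified schema:
attribute syntax and cardinality, MUST/MAY attributes per object class,
STRUCTURAL vs AUXILIARY classes, at least one objectClass per entry, and the
hierarchy rules (RDN value present in the entry, parent entry exists).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str
    syntax: "re.Pattern[str]"     # regex standing in for an LDAP syntax (constructed)
    single_valued: bool = False


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                     # "STRUCTURAL" or "AUXILIARY"
    must: frozenset = frozenset() # lower-cased attribute names
    may: frozenset = frozenset()


# Constructed, simplified schema; a real server loads this from schema files.
SCHEMA_ATTRIBUTES = {a.name.lower(): a for a in (
    Attribute("objectClass", re.compile(r"^[A-Za-z][\w-]*$")),
    Attribute("dc", re.compile(r"^[A-Za-z0-9-]+$"), single_valued=True),
    Attribute("ou", re.compile(r"^\S.*$")),
    Attribute("uid", re.compile(r"^[A-Za-z0-9._-]+$"), single_valued=True),  # simplified
    Attribute("cn", re.compile(r"^\S.*$")),
    Attribute("sn", re.compile(r"^\S.*$")),
    Attribute("mail", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    Attribute("telephoneNumber", re.compile(r"^\+?[\d\s-]+$")),
    Attribute("postalCode", re.compile(r"^\d{5}$"), single_valued=True),
)}
SCHEMA_CLASSES = {c.name.lower(): c for c in (
    ObjectClass("domain", "STRUCTURAL", must=frozenset({"dc"})),
    ObjectClass("organizationalUnit", "STRUCTURAL", must=frozenset({"ou"})),
    ObjectClass("inetOrgPerson", "STRUCTURAL", must=frozenset({"cn", "sn"}),
                may=frozenset({"uid", "mail", "telephonenumber", "postalcode"})),
    ObjectClass("exampleMailUser", "AUXILIARY", must=frozenset({"mail"})),  # constructed
)}


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_record(record):
    dn, attrs = None, {}
    for line in record:
        name, sep, value = line.partition(":")
        if not sep or value.startswith((":", "<")):   # base64 / URL values out of scope
            raise ValueError(f"unsupported LDIF line: {line!r}")
        if name.strip().lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    if dn is None:
        raise ValueError("record without dn")
    return dn, attrs


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}); records are separated by blank lines."""
    entries, record = [], []
    for line in _unfold(text) + [""]:
        if line.strip() and not line.startswith("#"):
            record.append(line)
        elif not line.strip() and record:
            entries.append(_parse_record(record))
            record = []
    return entries


def _rdn(dn):
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def validate_entry(dn, attrs, known_dns, suffix):
    errors = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:                                   # entries MUST have an object class
        errors.append("missing objectClass")
    errors += [f"unknown object class {c}" for c in classes if c not in SCHEMA_CLASSES]
    defined = [SCHEMA_CLASSES[c] for c in classes if c in SCHEMA_CLASSES]
    # No inheritance in the toy schema, so exactly one STRUCTURAL class is expected.
    if classes and sum(c.kind == "STRUCTURAL" for c in defined) != 1:
        errors.append("entry must have exactly one STRUCTURAL object class")
    must = set().union(*(c.must for c in defined))
    may = set().union(*(c.may for c in defined))
    errors += [f"missing required attribute {n}" for n in sorted(must - set(attrs))]
    for name, values in attrs.items():
        if name == "objectclass":
            continue
        attr = SCHEMA_ATTRIBUTES.get(name)
        if attr is None:
            errors.append(f"attribute {name} not defined in schema")
            continue
        if classes and name not in must | may:
            errors.append(f"attribute {attr.name} not allowed by object classes")
        if attr.single_valued and len(values) > 1:
            errors.append(f"attribute {attr.name} is single-valued")
        errors += [f"value {v!r} violates syntax of {attr.name}"
                   for v in values if not attr.syntax.match(v)]
    rdn_attr, rdn_value = _rdn(dn)                     # hierarchy: RDN and parent checks
    if rdn_value not in attrs.get(rdn_attr, []):
        errors.append("RDN attribute value not present in entry")
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if dn != suffix and parent not in known_dns:
        errors.append(f"parent entry {parent!r} does not exist")
    return errors


def validate_ldif(text):
    """Map each DN in the LDIF to its list of schema/hierarchy violations."""
    entries = parse_ldif(text)
    known = {dn for dn, _ in entries}
    suffix = entries[0][0] if entries else ""         # first record is the base entry
    return {dn: validate_entry(dn, attrs, known, suffix) for dn, attrs in entries}


# Constructed sample data mirroring the deck's tree; the last two records are bad.
SAMPLE_LDIF = """
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
sn: Carter
mail: scarter@example.com
telephoneNumber: +1 408 555 4798

# Constructed bad entry: no objectClass, bad postalCode syntax, missing parent
dn: uid=bjensen,ou=Staff,dc=example,dc=com
uid: bjensen
cn: Barbara Jensen
postalCode: ABCDE

# Constructed bad entry: auxiliary class missing its MUST, two uid values
dn: uid=kvaughan,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: exampleMailUser
uid: kvaughan
uid: kirsten
cn: Kirsten Vaughan
sn: Vaughan
"""

if __name__ == "__main__":
    for dn, errs in validate_ldif(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not errs else "; ".join(errs))
```

Running the block reports the three well-formed entries as OK and lists the violations for the two constructed bad records, which is the kind of rejection a directory server's schema checking performs before data reaches the database.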
Today’s Directory Requirements
• Scalable: Millions of entries
• Fast: sub-second response times
• Flexible: wide and extensible range of attributes
• Standards-compliant (LDAP, SPML, SCIM)
• High availability: replication service
OpenDJ Drivers
• Lower cost of ownership
• Higher performance while consuming less disk, memory and CPU resources
• Reduction in administrative overload by automating recurrent tasks (backup or data exports)
• High availability, failover and disaster recovery for directory service and data
• Secures identity data through encryption, authentication, authorizations and access control, password and account management capabilities
• Complies with LDAPv3, DSMLv2 and SCIM standards
• Can be embedded in other Java applications
• Evolves as an open source project that gives you the freedom to use, study or modify the code
Directory vs Relational Database
• How often does your data change?
• What kind of data are you trying to model?
• Does it make sense to model your data in a hierarchical structure?
• Does your data need to be available cross-platform?
Typical Use Case: Authentication
• Very quick for doing identity reads
• Low cost
• Excellent for performing rapid LDAP authentication in any digital authentication process
• Universal protocol enabling quick interaction and exchange of identity information
• Can be easily partitioned allowing flexible architecture
• Can be easily replicated providing high availability and reliability
Directory Server Components
Diagram: an LDAP client talks LDAP to the LDAP server on host.example.com (port :389, with HTTP/REST on :8080); the server holds the directory tree dc=example,dc=com containing ou=People and uid=scarter, along with its configuration files and LDIF data.
OpenDJ in action
• Install OpenDJ
• The control panel
• Command line
• REST
Replication
Stand-alone Replication Servers
OpenDJ Interfaces
• LDAP
  > The native directory server interface
  > Based on the DAP protocol
• DSML
  > Accessed through a gateway (web application)
• REST
  > Exchange of JSON messages
  > Native or through a gateway (web application)
Single Shared Model
Diagram: ROA + REST + JSON shared across ForgeRock Services, ForgeRock REST, ForgeRock UI and Application Scripting
OpenDJ Features
• Admin GUI
• Rich admin command line
• LDAP SDK
• Verbose access control
• High availability
• Flexible and easy-to-use plug-in mechanism
• Pass-through authentication
• Optimistic concurrency control (MVCC)
• Samba integration
• Static, dynamic and virtual static groups and roles
ForgeRock University