OpenDJ - An Introduction

OpenDJ for Beginners EMEA Summit 2013

Upload: forgerock

Post on 11-May-2015


DESCRIPTION

An IAM for Beginners session led by Dr. Matthias Tristl, Senior Instructor, ForgeRock

TRANSCRIPT

Page 1: OpenDJ - An Introduction

OpenDJ for Beginners, EMEA Summit 2013

Page 2

Objectives

Upon completion of this module, you should be able to explain:

• OpenDJ and the OIS (ForgeRock's Open Identity Stack)

• What an LDAP directory is

• When to use an LDAP directory

• The features of OpenDJ

Page 3

Pillars of IAM

Page 4

Classic scenario I: a user wants to use an application...

(diagram: User -> Application)

... which does not require any of ForgeRock's products, but ...

Page 5

Classic scenario II: Centralization of Authentication

... and ...

(diagram: User -> Application -> OpenDJ)

Page 6

Classic scenario III: Central Authorization

(diagram: User -> Application -> OpenDJ and OpenAM)

Page 7

What is a Directory?

• Special purpose data repository

• Attribute-Value pair type of data

• Hierarchical structure for data modeling

• Traditionally optimized for reads, through heavy indexing

Page 8

LDAP History

• Worldwide directory, like a phone book

• X.500

• How to access a directory from a lightweight client (LDAP started as the lightweight alternative to X.500's DAP)

Page 9

Example Directory Tree

Page 10

LDAP directory can store

• User credentials

• Company employee phone book and organizational chart

• Network information

• Mail routing information

• HR data

• Public keys and certificates

• External customer contact information

Page 11

LDAP entry examples

Page 12

Schema

• A schema is a set of rules that determines what data can and cannot be stored in a directory

• Schemas help maintain the integrity and quality of the data being stored

• A directory server schema consists of:

> Attributes

> Object Classes

> Rules that must be followed before allowing data into the database

Page 13

Attributes

• Data elements used to describe something

> First Name, Last Name, City, State, Postal Code

• Can contain single or multiple values

• Can be grouped with other attributes to describe an object

> Person, Place, Thing, etc.

• Have a particular syntax

• Common attributes are defined by RFCs

• Organizations may add their own attributes

Page 14

Object Classes

• Data elements used to group attributes in order to describe an object

• Act as templates that describe directory entries

• Defined by the objectClass attribute

• Required for all directory server entries

> Entries MUST have at least one object class

> Entries MAY have more than one object class

• Two types of object classes an entry is built from: STRUCTURAL and AUXILIARY (an entry has exactly one structural object class chain and may add any number of auxiliary classes; the third kind, ABSTRACT, such as top, is only ever inherited from)
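The schema rules on the last three slides (attributes with a syntax and a single- or multi-valued cardinality, object classes as templates with MUST and MAY attributes, at least one object class with exactly one structural chain) are what a directory server enforces before it accepts an entry. The following is an added example, not code from the deck or from OpenDJ: a minimal LDIF reader plus a schema check against a hand-picked subset of the standard schema (person, organizationalPerson, inetOrgPerson, organizationalUnit). The mini-schema, the sample entries and the helper names are assumptions made for the illustration. It also covers two LDIF details the slides do not mention: line folding (a continuation line starts with one space) and the "attr::" base64 form.

```python
# Added example (not from the ForgeRock deck): a minimal LDIF reader plus a schema
# check enforcing the rules the slides describe. The mini-schema is an assumption:
# a hand-picked subset of person / organizationalPerson / inetOrgPerson / organizationalUnit.
import base64

# object class -> (kind, superior, MUST, MAY); MUST and MAY are inherited from superiors
OBJECT_CLASSES = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "person": ("STRUCTURAL", "top", {"cn", "sn"}, {"userPassword"}),
    "organizationalPerson": ("STRUCTURAL", "person", set(), {"ou"}),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson", set(), {"uid", "mail", "employeeNumber"}),
    "organizationalUnit": ("STRUCTURAL", "top", {"ou"}, set()),
}
KNOWN_ATTRS = {a for _, _, must, may in OBJECT_CLASSES.values() for a in must | may}
SINGLE_VALUED = {"employeeNumber"}      # single-valued in RFC 2798; the others are multi-valued
_ATTR_BY_LOWER = {a.lower(): a for a in KNOWN_ATTRS}     # LDAP names are case-insensitive
_OC_BY_LOWER = {n.lower(): n for n in OBJECT_CLASSES}

def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}); handles line folding and base64."""
    entries, record = [], []
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and record:           # folded line continues the previous one
            record[-1] += raw[1:]
        elif raw.strip():
            record.append(raw)
        elif record:
            entries.append(_record_to_entry(record))
            record = []
    return entries

def _record_to_entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                    # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def _chain(oc):
    """oc followed by all of its superiors, most specific first."""
    out = []
    while oc is not None:
        out.append(oc)
        oc = OBJECT_CLASSES[oc][1]
    return out

def validate_entry(attrs):
    """Return the list of schema violations for one entry (empty list means valid)."""
    errors, canon = [], {}
    for name, values in attrs.items():
        known = _ATTR_BY_LOWER.get(name.lower())
        if known is None:
            errors.append(f"unknown attribute type: {name}")
        else:
            canon.setdefault(known, []).extend(values)
    ocs = [_OC_BY_LOWER[v.lower()] for v in canon.get("objectClass", []) if v.lower() in _OC_BY_LOWER]
    if not ocs:
        return errors + ["entry has no (known) objectClass"]
    # exactly one structural chain: every STRUCTURAL class present must be a superior of
    # the single most specific one, so person + organizationalUnit together is rejected
    structural = [oc for oc in ocs if OBJECT_CLASSES[oc][0] == "STRUCTURAL"]
    leaves = [s for s in structural if not any(s in _chain(o) for o in structural if o != s)]
    if len(leaves) != 1:
        errors.append(f"need exactly one structural object class chain, found {leaves}")
    required, allowed = set(), set()
    for sup in {s for oc in ocs for s in _chain(oc)}:
        required |= OBJECT_CLASSES[sup][2]
        allowed |= OBJECT_CLASSES[sup][2] | OBJECT_CLASSES[sup][3]
    errors += [f"missing required attribute: {a}" for a in sorted(required - canon.keys())]
    errors += [f"attribute not allowed by object classes: {a}" for a in sorted(canon.keys() - allowed)]
    errors += [f"single-valued attribute has {len(v)} values: {a}"
               for a, v in canon.items() if a in SINGLE_VALUED and len(v) > 1]
    return errors

# Constructed sample data (not from the deck): one valid entry, then a broken one.
SAMPLE_LDIF = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
sn: Carter
mail: scarter@exam
 ple.com
userPassword:: c2VjcmV0MTI=

dn: uid=bad,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bad
cn: No Surname
employeeNumber: 1
employeeNumber: 2
favouriteColor: blue
"""

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, "->", validate_entry(attrs) or "OK")
```

Run stand-alone, the script reports the first entry as OK and lists three violations for the second (unknown attribute type, missing sn, two values in a single-valued attribute). The same three checks, plus the single-structural-chain rule, are what you see reflected in a real server's "objectClassViolation" style rejections when an import or an add operation carries an entry the schema does not permit.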

Page 15

Today’s Directory Requirements

• Scalable: Millions of entries

• Fast: sub-second response times

• Flexible: wide and extensible range of attributes

• Standards-compliant (LDAP, SPML, SCIM)

• High availability: replication service

Page 16

OpenDJ Drivers

• Lower cost of ownership

• Higher performance while consuming less disk, memory and CPU resources

• Reduction in administrative overhead by automating recurrent tasks (backups or data exports)

• High availability, failover and disaster recovery for directory service and data

• Secures identity data through encryption, authentication, authorizations and access control, password and account management capabilities

• Complies with LDAPv3, DSMLv2 and SCIM standards

• Can be embedded in other Java applications

• Advances as an open source project that allows you the freedom to use, study or modify the code

Page 17

Directory vs Relational Database

• How often does your data change?

• What kind of data are you trying to model?

• Does it make sense to model your data in a hierarchical structure?

• Does your data need to be available cross-platform?

Page 18

Typical Use Case: Authentication

• Very quick for doing identity reads

• Low cost

• Excellent for rapid LDAP (bind) authentication from any application that authenticates users

• Universal protocol enabling quick interaction and exchange of identity information

• Can be easily partitioned allowing flexible architecture

• Can be easily replicated providing high availability and reliability
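An application that authenticates against a directory normally does not know the user's DN: it searches for the entry by login name (a filter such as (uid=scarter)) and then performs a simple bind with the DN it found and the password the user supplied, which the server verifies against the hashed userPassword attribute. The following is an added example, not from the deck or from OpenDJ: the search-then-bind flow run against a small constructed in-memory directory, with a tiny filter evaluator standing in for the server. The directory contents, the helper names and the escape and verify functions are assumptions made for the illustration; the {SSHA} layout (base64 of SHA-1(password + salt) followed by the salt) is the standard salted-SHA-1 storage scheme that OpenDJ and most LDAP servers support. Two points a practitioner cares about are built in: the login name is escaped per RFC 4515 before it enters the filter, so a value like "*" cannot widen the search to every entry, and the application refuses to bind unless the search returns exactly one entry.

```python
# Added example (not from the ForgeRock deck): the search-then-bind flow an application
# runs against an LDAP directory, exercised here against a small in-memory directory so
# it works offline. Everything below is constructed for illustration: the directory
# contents, the tiny filter evaluator and the helpers; none of it is an OpenDJ API.
# {SSHA} (base64 of SHA-1(password + salt) followed by the salt) is the standard salted
# SHA-1 userPassword storage scheme that OpenDJ and most LDAP servers support.
import base64, hashlib, hmac, os

def ssha_hash(password, salt=None):
    """Produce a {SSHA} userPassword value; a random 8-byte salt unless one is given."""
    salt = os.urandom(8) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (constant-time digest comparison)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]               # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', backslash and NUL become \\XX so user input stays data."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def _parse_equality_filter(flt):
    """'(attr=pattern)' -> (attr, pieces); pieces are split on unescaped '*' and unescaped."""
    attr, _, pattern = flt[1:-1].partition("=")
    pieces, cur, i = [], [], 0
    while i < len(pattern):
        if pattern[i] == "\\":                      # \XX hex escape -> literal character
            cur.append(chr(int(pattern[i + 1:i + 3], 16)))
            i += 3
        elif pattern[i] == "*":
            pieces.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(pattern[i])
            i += 1
    pieces.append("".join(cur))
    return attr.lower(), pieces                     # attribute names are case-insensitive

def _matches(value, pieces):
    """Case-insensitive equality (one piece) or substring match (initial*any*...*final)."""
    v, p = value.lower(), [x.lower() for x in pieces]
    if len(p) == 1:
        return v == p[0]
    if not (v.startswith(p[0]) and v.endswith(p[-1])):
        return False
    pos, end = len(p[0]), len(v) - len(p[-1])
    for mid in p[1:-1]:
        pos = v.find(mid, pos, end)
        if pos < 0:
            return False
        pos += len(mid)
    return pos <= end

# Constructed sample directory (not from the deck); fixed salts keep the example reproducible.
DIRECTORY = {
    "uid=scarter,ou=People,dc=example,dc=com": {
        "uid": ["scarter"], "cn": ["Sam Carter"], "userpassword": [ssha_hash("sprain", b"\x01" * 8)]},
    "uid=tmorris,ou=People,dc=example,dc=com": {
        "uid": ["tmorris"], "cn": ["Ted Morris"], "userpassword": [ssha_hash("irrefutable", b"\x02" * 8)]},
}

def search(base_dn, flt):
    """Return the DNs under base_dn whose entries match one equality/substring filter."""
    attr, pieces = _parse_equality_filter(flt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and any(_matches(v, pieces) for v in attrs.get(attr, []))]

def bind(dn, password):
    """Simple bind: the entry must exist and the password must verify against userPassword."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and any(ssha_verify(password, h) for h in entry.get("userpassword", []))

def authenticate(username, password, escape=True):
    """Search-then-bind. Returns the authenticated DN, or None.
    escape=False reproduces the classic filter-injection bug for comparison."""
    value = escape_filter_value(username) if escape else username
    hits = search("ou=People,dc=example,dc=com", f"(uid={value})")
    if len(hits) != 1:                  # no match or ambiguous match: refuse, never "pick the first"
        return None
    return hits[0] if bind(hits[0], password) else None

if __name__ == "__main__":
    print(authenticate("scarter", "sprain"))          # the user's DN
    print(authenticate("scarter", "wrong"))           # None
    print(search("ou=People,dc=example,dc=com", "(uid=*)"))   # every user under the base
    print(authenticate("s*", "sprain", escape=False)) # a wildcard in the login name reaches scarter's entry
    print(authenticate("s*", "sprain"))               # None: the '*' is now literal data
```

Against a real OpenDJ the same flow is two operations on the wire (a search on the people container, then a bind with the returned DN), and the service account doing the search needs only read access to uid on that container. The escape step is the part most often forgotten; the unescaped variant above shows how a wildcard in the login field turns the search into user enumeration.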

Page 19

Directory Server Components

(diagram: an LDAP client talks to the LDAP server on host.example.com over LDAP on port 389 or over HTTP/REST on port 8080; the server holds the suffix dc=example,dc=com with entries such as ou=People and uid=scarter, its configuration files, and LDIF, the text format in which its data is loaded and exported)

Page 20

OpenDJ in action

• Install OpenDJ

• The control panel

• Command line

• REST

Page 21

Replication

Page 22

Stand-alone Replication Servers

Page 23

OpenDJ Interfaces

• LDAP

> The native directory server interface

> A lightweight derivative of the X.500 DAP protocol

• DSML

> Accessed through a gateway (web application)

• REST

> Exchange of JSON messages

> Native or through a gateway (web application)

Page 24

Single Shared Model

(diagram: ROA + REST + JSON as the one model shared by ForgeRock Services, ForgeRock REST, the ForgeRock UI and application scripting)

Page 25

OpenDJ Features

• Admin GUI

• Rich admin command line

• LDAP SDK

• Verbose access control

• High availability

• Flexible, easy-to-use plug-in mechanism

• Pass-through authentication

• Optimistic concurrency control (MVCC)

• Samba integration

• Static, dynamic and virtual static groups, and roles

Page 26

ForgeRock University