OpenDJ is a fork of the OpenDS directory server, which was originally developed by Sun. Sun went its own way with JDS, and OpenDS was developed for a while by the community. ForgeRock then forked the stale project (the last OpenDS release was back in 2010), has been actively developing it since, and releases builds as OpenDJ. OpenDJ forms part of the complete ForgeRock open-identity stack, is fully supported, and is a very viable alternative to the Sun/Oracle IDM stack. OpenDS, and therefore OpenDJ, are pure Java implementations.
In this article, I will install and configure OpenDJ on two nodes running Oracle Enterprise Linux 5.7 x86_64. OpenDJ will be configured with multi-master replication between both nodes. The same procedure should work on any RHEL 5.x or 6.x derivative. Node names are foo-0001prjenv and foo-0002prjenv.
You should obtain the latest versions of all software for your platform.
JDK Installation
First, install appropriate JDKs on both servers. I am installing the x86_64 versions of both Oracle’s 1.6 and 1.7 JDKs. This will give us the flexibility to choose which version of Java we run (and also these hosts require some other software down the track that’ll only work with Java 1.6 - not pertinent to this article).
Download and install your JDKs. This article presumes that all downloaded software is in /var/tmp, and that you’re installing to locations under /app:
```
# chmod +x /var/tmp/open/jdk-6u35-linux.x64.bin
# cd /app/jdk
# /var/tmp/open/jdk-6u35-linux.x64.bin
# tar xzf /var/tmp/open/jdk-7u7-linux-x64.tar.gz
# jdk1.6.0_35/bin/java -d64 -version
java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10)
Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01, mixed mode)
# jdk1.7.0_07/bin/java -d64 -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)
```
So we now have our JDKs installed under /app/jdk/<version>. For OpenDJ, we’ll use jdk1.7.0_07. If you use the latest JDK, check the OpenDJ release notes to ensure that it is supported.
Preparing to Install OpenDJ
Next, add a user and group for opendj, and set an appropriate password:
```
# groupadd -g 1389 opendj
# useradd -m -d /home/opendj -s /bin/bash -g opendj -u 1389 opendj
# passwd opendj
```
LDAP implementations sometimes need to open a vast number of files during the course of operation. Therefore, set high soft and hard resource limits for the opendj user in /etc/security/limits.conf for nofile (number of open file descriptors):
```
# echo -e "opendj\tsoft\tnofile\t65535" >> /etc/security/limits.conf
# echo -e "opendj\thard\tnofile\t65535" >> /etc/security/limits.conf
```
OpenDJ Installation
Next, install OpenDJ on both nodes:
```
# cd /app
# unzip -qq /var/tmp/OpenDJ-2.4.6.zip
# mv OpenDJ-2.4.6 opendj-2.4.6
# ln -s opendj-2.4.6 opendj
# chown -R opendj:opendj opendj-2.4.6
```
Switch user to opendj, and set the JAVA_HOME and OPENDJ_JAVA_HOME variables as appropriate:
```
# su - opendj
$ vi .bash_profile
export JAVA_HOME=/app/jdk/jdk1.7.0_07
export OPENDJ_JAVA_HOME=${JAVA_HOME}
```
Source the new profile to configure your environment:
```
$ . .bash_profile
```
Next, fire up the OpenDJ setup utility in command line mode:
```
$ cd /app/opendj
$ ./setup --cli
```
The full session transcript from foo-0001prjenv follows; perform the same steps on both nodes, substituting the appropriate values for your environment:
```
OpenDJ 2.4.6
Please wait while the setup program initializes...

What would you like to use as the initial root user DN for the Directory Server? [cn=Directory Manager]:
Please provide the password to use for the initial root user:
Please re-enter the password for confirmation:

On which port would you like the Directory Server to accept connections from LDAP clients? [1389]:

On which port would you like the Administration Connector to accept connections? [4444]:

Do you want to create base DNs in the server? (yes / no) [yes]:

Provide the base DN for the directory data: [dc=example,dc=com]: dc=example,dc=com
Options for populating the database:

    1)  Only create the base entry
    2)  Leave the database empty
    3)  Import data from an LDIF file
    4)  Load automatically-generated sample data

Enter choice [1]:

Do you want to enable SSL? (yes / no) [no]: yes

On which port would you like the Directory Server to accept connections from LDAPS clients? [1636]:

Do you want to enable Start TLS? (yes / no) [no]: yes

Certificate server options:

    1)  Generate self-signed certificate (recommended for testing purposes only)
    2)  Use an existing certificate located on a Java Key Store (JKS)
    3)  Use an existing certificate located on a JCEKS key store
    4)  Use an existing certificate located on a PKCS#12 key store
    5)  Use an existing certificate on a PKCS#11 token

Enter choice [1]:

Provide the fully-qualified host name or IP address that will be used to generate the self-signed certificate [foo-0001prjenv.example.com]:

Do you want to start the server when the configuration is completed? (yes / no) [yes]: no

Setup Summary
=============
LDAP Listener Port:            1389
Administration Connector Port: 4444
LDAP Secure Access:            Enable StartTLS
                               Enable SSL on LDAP Port 1636
                               Create a new Self-Signed Certificate
Root User DN:                  cn=Directory Manager
Directory Data:                Create New Base DN dc=example,dc=com.
Base DN Data: Only Create Base Entry (dc=example,dc=com)

Do not start Server when the configuration is completed

What would you like to do?

    1)  Set up the server with the parameters above
    2)  Provide the setup parameters again
    3)  Print equivalent non-interactive command-line
    4)  Cancel and exit

Enter choice [1]:

See /tmp/opends-setup-7679033776868201652.log for a detailed log of this operation.

Configuring Directory Server ..... Done.
Configuring Certificates ..... Done.
Creating Base Entry dc=example,dc=com ..... Done.

To see basic server configuration status and configuration you can launch /app/opendj-2.4.6/bin/status
```
Note from the session above that we create a base DN of dc=example,dc=com, enable SSL and StartTLS with a self-signed certificate, and tell setup not to start the server once configuration has completed.
Add entries for both nodes to /etc/hosts on both servers, even if you have DNS configured appropriately, as an extra precaution against nameserver failure:
```
# vi /etc/hosts
192.168.120.8 foo-0001prjenv.example.com foo-0001prjenv
192.168.120.9 foo-0002prjenv.example.com foo-0002prjenv
```
Finally, start the OpenDJ server on each node, observing the output messages during startup for errors.
```
$ bin/start-ds
```
Replication Configuration
We now have two servers running OpenDJ, listening on port 1389 for standard LDAP and 1636 for LDAPS. The servers also listen on port 4444 for administrative commands.
With the servers ready to go, we can configure replication. This is done with the enable subcommand of the dsreplication command, as follows; perform this step on a single node only (in my case foo-0001prjenv). A discussion follows the session output.
```
$ bin/dsreplication enable \
    --host1 foo-0001prjenv --port1 4444 --bindDN1 "cn=Directory Manager" \
    --bindPassword1 "Passw0rd" --replicationPort1 1388 \
    --host2 foo-0002prjenv --port2 4444 --bindDN2 "cn=Directory Manager" \
    --bindPassword2 "Passw0rd" --replicationPort2 1388 \
    --adminUID admin --adminPassword "Passw0rd" --baseDN "dc=example,dc=com"

>>>> Specify server administration connection parameters for the first server

How do you want to trust the server certificate?

    1)  Automatically trust
    2)  Use a truststore
    3)  Manually validate

Enter choice [3]: 1

Do you want replication to use encrypted communication when connecting to replication port 1388 on the first server? (yes / no) [no]: yes

>>>> Specify server administration connection parameters for the second server

How do you want to trust the server certificate?

    1)  Automatically trust
    2)  Use a truststore
    3)  Manually validate

Enter choice [3]: 1

Do you want replication to use encrypted communication when connecting to replication port 1388 on the second server? (yes / no) [no]: yes

Establishing connections ..... Done.
Checking registration information ..... Done.
Configuring Replication port on server foo-0001prjenv:4444 ..... Done.
Configuring Replication port on server foo-0002prjenv:4444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com on server foo-0001prjenv:4444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com on server foo-0002prjenv:4444 ..... Done.
Updating registration configuration on server foo-0001prjenv:4444 ..... Done.
Updating registration configuration on server foo-0002prjenv:4444 ..... Done.
Updating replication configuration for baseDN cn=schema on server foo-0001prjenv:4444 ..... Done.
Updating replication configuration for baseDN cn=schema on server foo-0002prjenv:4444 ..... Done.
Initializing registration information on server foo-0002prjenv:4444 with the contents of server foo-0001prjenv:4444 ..... Done.
Initializing schema on server foo-0002prjenv:4444 with the contents of server foo-0001prjenv:4444 ..... Done.

Replication has been successfully enabled.  Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so).

See /tmp/opends-replication-8647139673826989471.log for a detailed log of this operation.
```
In this session we supply the root DN and password for each server, the global administrator credentials, and the base DN to replicate; we answer "Automatically trust" for each server's (self-signed) certificate, and enable encrypted communication on replication port 1388 on both sides. Substitute parameters as applicable to your environment.
Next, on foo-0002prjenv, initialise the base DN we wish to replicate, dc=example,dc=com, from the contents of foo-0001prjenv:
```
$ bin/dsreplication initialize --baseDN "dc=example,dc=com" --adminUID admin --adminPassword "Passw0rd" \
    --hostSource foo-0001prjenv --portSource 4444 --hostDestination foo-0002prjenv --portDestination 4444
```
If no errors are reported, replication is now successfully configured. You can verify this with the dsreplication status command:
```
$ bin/dsreplication status -h localhost -p 4444 --adminUID admin --adminPassword "Passw0rd" -X

dc=example,dc=com - Replication Enabled
===========================================

Server              : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
--------------------:---------:----------:--------------:----------:-------------
foo-0001prjenv:4444 : 1       : 0        : N/A          : 1388     : Enabled
foo-0002prjenv:4444 : 1       : 0        : N/A          : 1388     : Enabled

[1] The number of changes that are still missing on this server (and that have been applied to at least one of the other servers).
[2] Age of oldest missing change: the date on which the oldest change that has not arrived on this server was generated.
[3] The port used to communicate between the servers whose contents are being replicated.
[4] Whether the replication communication through the replication port is encrypted or not.
```
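As an added example (not part of the original article or of OpenDJ itself), the following shell script parses the table printed by dsreplication status, in the layout shown above, and reports the conditions a replication health check should catch: changes still missing on a server, a replication port that is not encrypted, and entry counts that diverge between servers. The finding texts, the threshold argument and the two constructed sample tables are assumptions.

```shell
# Added example, not from the original article: a health check over the table
# printed by "bin/dsreplication status" (layout as shown above). The lag
# threshold, the finding texts and the sample data are assumptions.

# Constructed sample 1: the healthy pair from the status output above.
STATUS_HEALTHY='dc=example,dc=com - Replication Enabled
===========================================

Server              : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
--------------------:---------:----------:--------------:----------:-------------
foo-0001prjenv:4444 : 1       : 0        : N/A          : 1388     : Enabled
foo-0002prjenv:4444 : 1       : 0        : N/A          : 1388     : Enabled

[1] The number of changes that are still missing on this server (and that have been applied to at least one of the other servers).
[4] Whether the replication communication through the replication port is encrypted or not.'

# Constructed sample 2: node 2 is three changes behind and replicates in clear.
STATUS_LAGGING='dc=example,dc=com - Replication Enabled
===========================================

Server              : Entries : M.C. (1) : A.O.M.C. (2) : Port (3) : Security (4)
--------------------:---------:----------:--------------:----------:-------------
foo-0001prjenv:4444 : 4       : 0        : N/A          : 1388     : Enabled
foo-0002prjenv:4444 : 1       : 3        : 20120915T12Z : 1388     : Disabled'

# check_replication_status STATUS_TEXT [MAX_MISSING]
# Prints one finding per line: missing changes above MAX_MISSING (default 0),
# an unencrypted replication port, or an entry count differing from server 1.
# Title, header, separator and footnote lines never match the host:port
# pattern, so only server rows are examined.
check_replication_status() {
    printf '%s\n' "$1" | awk -F' +: +' -v max="${2:-0}" '
        { sub(/[ \t]+$/, "") }                # trim trailing blanks, re-split
        $1 ~ /^[A-Za-z0-9._-]+:[0-9]+$/ {
            n++; srv[n] = $1; ent[n] = $2
            if ($3 + 0 > max + 0)
                printf "%s: %d missing change(s) not yet applied\n", $1, $3
            if ($6 != "Enabled")
                printf "%s: replication traffic is not encrypted (%s)\n", $1, $6
        }
        END {
            for (i = 2; i <= n; i++) if (ent[i] != ent[1])
                printf "%s: entry count %s differs from %s (%s)\n", srv[i], ent[i], srv[1], ent[1]
        }'
}

# count_findings STATUS_TEXT [MAX_MISSING]: number of findings, 0 when healthy.
count_findings() {
    check_replication_status "$1" "$2" | awk 'END { print NR }'
}
count_findings "$STATUS_LAGGING"   # 3 for the constructed lagging sample
```

To run it against a live pair, pipe the real command output in place of the constructed sample, e.g. `check_replication_status "$(bin/dsreplication status ... -X)"`, and alert on a non-zero count.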
Conclusion
This article has covered the installation of OpenDJ - a supported fork of OpenDS. It has shown how to configure multi-master replication of a base DN between two instances of the directory.