- OpenDS Installation on Debian Lenny
OpenDS is a fully LDAPv3-compliant directory server and the recommended user store for OpenAM. Besides general installation instructions, this document therefore also describes the configuration needed for its use with an OpenAM Identity Provider installation.
In preparation for the OpenDS setup, the following software packages should be installed and configured:
- Sun JDK 6 (Java)
Installing Sun JDK 6 (Java)
Java 6 is required to run OpenDS.
Please follow the instructions in Java Development Kit 6 Installation on Debian Lenny.
"OpenDS":http://www.opends.org provides current and previous releases as "promoted builds":http://www.opends.org/promoted-builds. We will use release 2.3.0-build003 here. Download and unzip the distribution to the directory /opt and create a symbolic link /opt/OpenDS pointing to the current installation directory. That way, the OpenDS installation currently in use can always be addressed through the link /opt/OpenDS.
wget http://www.opends.org/promoted-builds/2.3.0-build003/OpenDS-2.3.0-build003.zip
unzip OpenDS-2.3.0-build003.zip -d /opt
ln -s /opt/OpenDS-2.3.0-build003/ /opt/OpenDS
Next, "OpenDS":http://www.opends.org must be deployed by running the setup command. For instance, the following command initialises OpenDS as a user data store for an OpenAM Identity Provider installation supporting the ldap and ldaps protocols, listening on ports 50389 and 50636 respectively.
/opt/OpenDS/setup --cli \
  --baseDN dc=opensso,dc=e-taxonomy,dc=eu --addBaseEntry \
  --ldapPort 50389 --adminConnectorPort 5444 \
  --rootUserDN cn=Directory\ Manager --rootUserPasswordFile opends-userstore-manager.secret \
  --no-prompt --noPropertiesFile \
  --enableStartTLS --ldapsPort 50636 \
  --usePkcs12keyStore /etc/ssl/private/idpdemo.e-taxonomy.eu.p12 \
  --keyStorePasswordFile idpdemo.e-taxonomy.eu.p12.secret \
  --certNickname idpdemo.e-taxonomy.eu
Here is a brief description of the basic setup parameters:
- --cli: Command line mode
- --baseDN: Base DN for user information
- --addBaseEntry: Create the base DN entry in the directory server database
- --ldapPort: Port for LDAP communication
- --adminConnectorPort: Port for the administration connector (Don't know if this is necessary)
- --rootUserDN: DN for the root user of this directory service
- --rootUserPasswordFile: File containing the password for the root user
- --no-prompt: Enable non-interactive mode
- --noPropertiesFile: Disable properties file
- --enableStartTLS: Activate StartTLS to enable secure communication on the ldap port
In order to run OpenDS in secure communication mode, the following parameters must be configured:
- --ldapsPort: Activate SSL and configure ldaps communication on the port explicitly stated here
- --usePkcs12keyStore: File of a PKCS#12 keystore containing the key and certificate required for SSL or StartTLS connections. Please refer to PKCS#12 Keystore creation to find out how to create PKCS#12 keystores.
- --keyStorePasswordFile: File containing the password for the keystore
- --certNickname: Name of the certificate within the keystore to be used for secure communications
Please find more detailed information about the setup options in the help output of the setup command.
Uninstalling OpenDS is quite simple. First, run the uninstall command, select option "1" to uninstall completely and answer "Yes" in order to stop the server as well. Then remove any remaining distribution files.
/opt/OpenDS/uninstall --cli
rm -R /opt/OpenDS-2.3.0-build003/
Prepare OpenDS as OpenAM user store
Next, OpenDS must be prepared to be compatible with OpenAM. This comprises the actions described in the following subsections.
A few extra object classes and attributes must be added to the OpenDS schema to fully exploit OpenSSO's functionality.
Apply the following command to add the schema to OpenDS.
/opt/OpenDS/bin/ldapmodify -h localhost -p 50389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -f am_remote_opends_schema.ldif
Add OpenDS configuration data
Next, apply the following command to add the configuration data to OpenDS.
/opt/OpenDS/bin/ldapmodify -h localhost -p 50389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f configure_opends_userstore.ldif
This configures the following items, which are described in the subsections below.
Adding the basic configuration users
Read and write permissions on user profiles are required. Two users are created under the root suffix for this purpose (openssouser and ldapuser).
Adding the privilege to enable password reset for other users
A special privilege needs to be assigned to a user before it may reset the passwords of other users. We need to add the password-reset privilege to the openssouser.
Adding the Access Control Instructions (ACIs)
Four ACIs are required to make OpenDS work with OpenSSO as user store:
- ACI to allow read and search permissions for the ldapuser
- ACI to allow all permissions under the root suffix
- ACI to allow persistent search connections to the datastore configuration DN
- ACI to prevent self-modification of certain OpenSSO user attributes
Enable Referential Integrity Plugin
This plugin is necessary to make sure that, when groups are removed from the directory, all references to them in the users' entries are removed automatically. Otherwise, deleted groups will still show up in the users' profiles after the group has been removed from the directory server.
The plugin must be enabled by executing the following command.
/opt/OpenDS/bin/dsconfig -h localhost -p 5444 -X -D "cn=directory manager" -j opends-userstore-manager.secret -n set-plugin-prop --plugin-name "Referential Integrity" --set enabled:true
Enable pre-encoded passwords
Enabling pre-encoded passwords is only required if you want to import user data with already hashed passwords from other user databases; otherwise, hashed password values cannot be added to or modified on user accounts. Note that once this is enabled, the server stores whatever hash value a writer supplies, so its password validators cannot be applied to such values.
/opt/OpenDS/bin/ldapmodify -Z -X -h localhost -p 5444 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f configure_pre_encoded_passwords.ldif
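To make concrete what a "pre-encoded" password is, here is an added example (my own code, not from the OpenDS or OpenAM projects) that produces and verifies userPassword values in the {SSHA} storage scheme and builds the LDIF change record that would store one. It assumes the salted SHA-1 layout base64(SHA-1(password || salt) || salt) with an 8-byte salt; the DN and the password used in it are made up.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the OpenDS or OpenAM projects.  It produces and
# verifies userPassword values in the {SSHA} storage scheme, i.e. the
# "pre-encoded" form that an import of hashed passwords carries.  The layout
# assumed here is base64( SHA-1(password || salt) || salt ) with an 8-byte
# salt; compare the output against a value exported from your own server.

SALT_LEN = 8      # assumed salt length in bytes
DIGEST_LEN = 20   # SHA-1 digest length in bytes


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return a pre-encoded {SSHA} value for a clear-text password."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value."""
    if not encoded.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(encoded[len("{SSHA}"):], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if len(digest) != DIGEST_LEN or not salt:
        return False
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so the verifier does not leak how much matched
    return hmac.compare_digest(digest, expected)


def password_modify_ldif(dn: str, encoded: str) -> str:
    """LDIF change record that stores an already hashed value on an entry.

    ldapmodify rejects such a record unless allow-pre-encoded-passwords is
    enabled, because the server cannot run its password validators on a hash.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {encoded}",
        "",
    ])


if __name__ == "__main__":
    # made-up DN and password for the demonstration
    value = ssha_encode("correct horse battery staple")
    print(password_modify_ldif(
        "uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu", value))
    print("verify:", ssha_verify("correct horse battery staple", value))
```

Feeding the printed change record to ldapmodify only succeeds after the configure_pre_encoded_passwords.ldif step above has been applied; before that, the server refuses the value because it cannot check it against its password policy.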
Add EDIT users and groups to the OpenDS user store
Assuming there are user and group exports from another OpenSSO instance, this data may be added simply by updating the store with the following commands.
/opt/OpenDS/bin/ldapmodify -h localhost -p 50389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f idp-opensso-people.ldif
/opt/OpenDS/bin/ldapmodify -h localhost -p 50389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f idp-opensso-groups.ldif
If not, the structure of these files should look like the following example for users:
version: 1

dn: ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: organizationalUnit
ou: People

dn: uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: inetorgperson
objectClass: person
objectClass: sunIdentityServerLibertyPPService
objectClass: iplanet-am-user-service
objectClass: sunFederationManagerDataStore
objectClass: sunFMSAML2NameIdentifier
objectClass: top
objectClass: inetuser
objectClass: organizationalPerson
objectClass: iPlanetPreferences
objectClass: iplanet-am-managed-person
cn: test
sn: test
givenName: test
inetUserStatus: Active
iplanet-am-user-password-reset-force-reset: true
iplanet-am-user-password-reset-question-answer: AQIChgWNghXpGtwz7lWofWgQk+8RFwDp
 MeGna3MXAz0Gfx4=
mail: sdfg
uid: test
userPassword:: hashed-password Q==
and for groups respectively:
version: 1

dn: ou=groups,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: organizationalUnit
ou: Groups

dn: cn=Developer,ou=groups,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: groupofuniquenames
objectClass: top
cn: Developer
uniqueMember: uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
uniqueMember: ...
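As an added example, not part of this page or of OpenDS, the following script reads people and groups files of the shape shown above (handling the wrapped continuation line of the question-answer attribute and base64 "::" values) and runs two checks before import: group members that do not exist in the people file, and entries whose userPassword is already hashed and therefore need the pre-encoded-passwords setting from the previous section. The two LDIF samples embedded in it are constructed; uid=alice and uid=gone are made-up entries.

```python
import base64
from typing import Dict, List, Tuple

# Added example, not part of the page or of OpenDS: a minimal LDIF reader and
# two pre-import checks for people/groups files of the shape shown above.
# It unfolds wrapped lines (a continuation line starts with one space, as in
# the question-answer attribute above), decodes "attr::" base64 values, flags
# group members missing from the people file, and lists entries whose
# userPassword is already hashed (those need allow-pre-encoded-passwords).
# Both LDIF samples below are constructed for this example.

PEOPLE_LDIF = """\
version: 1

dn: ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: organizationalUnit
ou: People

dn: uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: inetorgperson
uid: test
cn: test
sn: test
iplanet-am-user-password-reset-question-answer: AQIChgWNghXpGtwz7lWofWgQk+8RFwDp
 MeGna3MXAz0Gfx4=
userPassword:: e1NTSEF9ZHVtbXk=

dn: uid=alice,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: inetorgperson
uid: alice
cn: alice
sn: alice
userPassword: clear-text-the-server-hashes-on-import
"""

GROUPS_LDIF = """\
version: 1

dn: cn=Developer,ou=groups,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: groupofuniquenames
cn: Developer
uniqueMember: uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
uniqueMember: uid=gone, ou=people, dc=opensso, dc=e-taxonomy, dc=eu
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Return [(dn, {attr_lowercased: [values]})] for every entry in the text."""
    lines: List[str] = []
    for raw in text.splitlines():               # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def norm_dn(dn: str) -> str:
    """Case-fold a DN and drop spaces around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dangling_members(people_ldif: str, groups_ldif: str) -> List[str]:
    """uniqueMember values in the groups file with no entry in the people file."""
    known = {norm_dn(dn) for dn, _ in parse_ldif(people_ldif)}
    return [member for _, attrs in parse_ldif(groups_ldif)
            for member in attrs.get("uniquemember", [])
            if norm_dn(member) not in known]


def pre_encoded_password_dns(people_ldif: str) -> List[str]:
    """DNs whose userPassword is already in {SCHEME} form."""
    return [dn for dn, attrs in parse_ldif(people_ldif)
            if any(v.startswith("{") for v in attrs.get("userpassword", []))]


if __name__ == "__main__":
    print("dangling members:", dangling_members(PEOPLE_LDIF, GROUPS_LDIF))
    print("entries needing pre-encoded passwords:", pre_encoded_password_dns(PEOPLE_LDIF))
```

Run it against your own idp-opensso-people.ldif and idp-opensso-groups.ldif (read the files into the two arguments instead of the embedded samples); a non-empty dangling list means the group import will carry references the Referential Integrity Plugin can never clean up, and a non-empty pre-encoded list means the import must wait until pre-encoded passwords have been enabled.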