OpenDS Installation on Debian Lenny

OpenDS is a fully LDAPv3 compatible directory server, which is particularly recommended to be used as user store with OpenAM. Though, beside general installation instruction, this document will describe configuration issue regarding its usage with an OpenAM Identity Provider Installation.


In preparation of the OpenDS setup, the following software packages should be installed and configured

  • Sun JDK 6 (Java)

Installing Sun JDK 6 (Java)

Java 6 is required to run OpenDS

Please follow the instructions Java Development Kit 6 Installation on Debian Lenny.

Installing the OpenDS distribution

OpenDS": provides current and previous releases as "promoted builds": We will use "release 2.3.0-build003 here. So, download and unzip the distribution to the directory /opt and create a symbolic link /opt/OpenDS targeting to the current installation directory. That way, the currently used OpenDS installation can now always be addressed by the link /opt/OpenDS.

unzip -d /opt
link -s /opt/OpenDS-2.3.0-build003/ /opt/OpenDS

Next, OpenDS": must be deployed by running the setup command. For instance, the following command initialises "OpenDS as a user data store for an OpenAM Identity Provider Installation supporting the ldap and ldaps protocols listening on ports 50389 and 50636 respectively.

/opt/OpenDS/setup --cli --baseDN dc=opensso,dc=e-taxonomy,dc=eu --addBaseEntry --ldapPort 50389 --adminConnectorPort 5444 --rootUserDN cn=Directory\ Manager --rootUserPasswordFile opends-userstore-manager.secret --no-prompt --noPropertiesFile --enableStartTLS --ldapsPort 50636 --usePkcs12keyStore /etc/ssl/private/ --keyStorePasswordFile --certNickname 

Here is a brief description of the basic setup parameters.


Command line mode


Base DN for user information


Create baseDN in the directory server database


Port for LDAP communication


Port for administration connector (Don't know if this is necessary)


DN for the root user of this directory service


File containing the password for the root user


Enable non-interactive mode


Disable properties file


Activate StartTLS to enable secure communication on ldap port

In order to run OpenDS in secure communication mode, the following parameters must be configured.


Activate SSL and configure ldaps communication if port is explicitly stated here


File of a PKCS12 keystore containing key and certificate required for SSL or StartTLS connections.

Please refer to PKCS!#12 Keystore creation to find out how to create PKCS!#12 keystores.


File containing the password for the key store


Name of the certificate within the keystore to be used for secure communications.

Please find more detailed information about setup options by running the following command.

/opt/OpenDS/setup --help

Uninstalling OpenDS

Uninstalling OpenDS is quite simple. First, run the uninstall command, select option "1" to uninstall completely and answer "Yes" in order to stop the server as well. Then remove any remaining distribution files.

/opt/OpenDS/uninstall --cli
rm -R /opt/OpenDS-2.3.0-build003/

Prepare OpenDS as OpenAM user store

Next, OpenDS must be prepared to be compatible with OpenAM. This includes the actions described in the following subsections.

add OpenSSO schema

There are few extra objectclasses/attributes are required to be added to the OpenDS to fully exploit the OpenSSO's functionality.

Download the required OpenSSO schema attachment:am_remote_opends_schema.ldif"("original location.)

Next, apply the following command to add the schema to OpenDS.

/opt/OpenDS-2.2.0/bin/ldapmodify -h localhost -p 389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -f am_remote_opends_schema.ldif
add OpenDS configuration data

Download the required OpenSSO schema attachment:am_remote_opends_schema.ldif"("original location.)

Next, apply the following command to add the schema to OpenDS.

/opt/OpenDS-2.2.0/bin/ldapmodify -h localhost -p 389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f configure_opends_userstore.ldif

This will configure the following issues

Adding the basic configuration users

For profile read and write permissions are required. There will be two users created under the root suffix (openssouser and ldapuser).

Adding the privilege to enable password reset for the other users

There is a special privilege that needs to be assigned for an user to reset password of other users. We need to add the password-reset privilege to the openssouser.

Adding the Access Control Instructions(ACIs)

There are four ACIs are required to make the OpenDS work with OpenSSO as user store.

  • ACI to allow read and search permissions for the ldapuser

  • ACI to allow all permissions under the root suffix

  • Add ACI to allow persistent search connection to the datastore configuration DN

  • Add ACI to prevent self modification of certain OpenSSO user attributes

enable Referential Integrity Plugin

This plugin is necessary in order to make sure when the groups are removed from the directory all of its references in the users' entries are removed automatically. Otherwise, deleted groups will show up in the users' profile even after the group has been removed from the directory server.

The plugin must be enable by executing the following command.

/opt/OpenDS-2.2.0/bin/dsconfig -h localhost -D "cn=directory manager" -j opends-userstore-manager.secret -n set-plugin-prop --plugin-name "Referential Integrity" --set enabled:true
Enable pre-encoded passwords

Enabling pre-encoded password is only required, if you want to import user data from other user databases. Otherwise, e.g. hashed passwords cannot be added or modified to user accounts.

/opt/OpenDS-2.2.0/bin/ldapmodify -Z -X -h localhost -p 4444 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f configure_pre_encoded_passwords.ldif

Add EDIT users and groups to the OpenDS user store

Presumed, there are user and group excerpts from another OpenSSO instance, than, these data may be added by simply updating the store by the following commands.

/opt/OpenDS-2.2.0/bin/ldapmodify -h localhost -p 389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f idp-opensso-people.ldif
/opt/OpenDS-2.2.0/bin/ldapmodify -h localhost -p 389 -D "cn=directory manager" -j opends-userstore-manager.secret -c -a -f idp-opensso-groups.ldif

If not, the structure of these files should look like the following example for users

version: 1

dn: ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: organizationalUnit
ou: People

dn: uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: inetorgperson
objectClass: person
objectClass: sunIdentityServerLibertyPPService
objectClass: iplanet-am-user-service
objectClass: sunFederationManagerDataStore
objectClass: sunFMSAML2NameIdentifier
objectClass: top
objectClass: inetuser
objectClass: organizationalPerson
objectClass: iPlanetPreferences
objectClass: iplanet-am-managed-person
cn: test
sn: test
givenName: test
inetUserStatus: Active
iplanet-am-user-password-reset-force-reset: true
iplanet-am-user-password-reset-question-answer: AQIChgWNghXpGtwz7lWofWgQk+8RFwDp
mail: sdfg
uid: test
userPassword:: hashed-password

and groups respectively

version: 1

dn: ou=groups,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: organizationalUnit
ou: Groups

dn: cn=Developer,ou=groups,dc=opensso,dc=e-taxonomy,dc=eu
objectClass: groupofuniquenames
objectClass: top
cn: Developer
uniqueMember: uid=test,ou=people,dc=opensso,dc=e-taxonomy,dc=eu
uniqueMember: ...

Updated by Lutz Suhrbier over 11 years ago ยท 18 revisions