20120404 installing opendj - plembo/onemoretech GitHub Wiki

title: Installing OpenDJ
author: phil
description:
post_id: 2473
created: 2012/04/04 16:20:10
created_gmt: 2012/04/04 20:20:10
comment_status: closed
post_name: installing-opendj
status: publish
post_type: post
updated: 2020/03/25 17:52:00

Installing OpenDJ

This is a brief article on how OpenDJ Community Edition gets installed around here.

NOTE: The order of operations described below IS significant.

Introduction

This page documents a standard build of the OpenDJ Community Edition server on Red Hat Enterprise Linux (RHEL) 6. The procedure that follows was developed from material contained in the OpenDJ Installation Guide.

NOTE: The last version of the OpenDJ Community Edition available is OpenDJ 2.6.4. It is no longer being actively maintained, but an active fork has been created by the Open Identity Platform project. Their latest release is 4.4.5.

Standard practice for most organizations is to run directory servers on port 389. This practice will be followed below with a twist: the server itself will run as a non-root user on ports above 1000, but the local server firewall (in Linux, iptables) will be used to redirect traffic coming in on the standard ports 389 (for LDAP) and 636 (for LDAPS, or LDAP over SSL). Read about how to set that up here.

File system layouts are also specified below. These should be followed to avoid having to customize maintenance scripts (and documented procedures) to accommodate ad hoc installations. Use of the volume name "/opt/" is for illustrative purposes only. For example, you could substitute "/u01/" if your shop is married to that convention.

Note that because OpenDJ is a Java application it cannot be started as a non-privileged user if it is to listen on the standard LDAP/LDAPS ports 389/636. To run on ports lower than 1000, it must be owned by, and run as, root. The trick of using port redirection referred to above is used to get around this limitation. The steps described here must be performed on all nodes unless otherwise noted.
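The port-redirection trick described above, as an added example that is not part of the original page: rules for the RHEL 6 iptables service that send 389/636 to the 1389/1636 listeners the opendj user can bind to. The port numbers are the ones used in this install; persisting the rules with "service iptables save" is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): iptables redirection so that the
# directory server can run unprivileged on 1389/1636 while clients keep using
# the standard LDAP/LDAPS ports 389/636.

# Emit the rules for one external -> internal port pair.
# PREROUTING handles remote clients; the OUTPUT rule on "lo" handles clients on
# the server itself, whose packets never traverse PREROUTING (so a local
# "ldapsearch -p 389" would otherwise still fail after remote clients work).
redirect_rules() {
  ext="$1"; int="$2"
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$ext" "$int"
  printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$ext" "$int"
  # The filter table sees the packet after NAT, so the INTERNAL port is the one
  # that must be opened; 389/636 themselves need no ACCEPT rule.
  printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$int"
}

# Complete rule set for LDAP (389 -> 1389) and LDAPS (636 -> 1636).
opendj_rules() {
  redirect_rules 389 1389
  redirect_rules 636 1636
}

# Number of rules that would be applied; a quick sanity check before "apply".
opendj_rule_count() {
  opendj_rules | wc -l | tr -d ' '
}

# "show" (default) prints the rules; "apply" runs them and must be done as root.
opendj_redirect() {
  if [ "${1:-show}" = apply ]; then
    opendj_rules | sh -e
  else
    opendj_rules
  fi
}

opendj_redirect show
```

After applying, confirm with "iptables -t nat -L PREROUTING -n" that the REDIRECT entries are present, then test from a remote host against port 389 and from the server itself against both 389 and 1389.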

Preparation

Create auxiliary directory for the download: /data/install/opendj.

OpenDJ version 2.6.4 works with either Java 1.6 or 1.7. The standard RHEL OpenJDK is preferred. Version 1.7 is not set as the default java on RHEL 6; use "/sbin/alternatives --config java" to select it. Check that "$JAVA_HOME/bin/java -version" returns the correct version and platform. Java 1.8 is recommended for the latest version (4.4.5) of the Open Identity Platform fork of the server.

Create application group and user opendj as root:

groupadd -g 2017 opendj
useradd -g opendj -u 2017 -c "OpenDJ Application User" opendj

Note that the group and user IDs should always be the same on all servers for interoperability and recovery purposes. Set opendj's password. Create the backup directory and make opendj the owner:

mkdir /data/backup/ldap
chown opendj:opendj /data/backup/ldap

Create directory structure for application:

/opt/opendj

Download

You can download the ForgeRock version of the software from here. The last version file is OpenDJ-2.6.4.zip.

The latest version (4.4.5) of the Open Identity Platform fork can be downloaded from here. I recommend the zip archive format rather than any of the distribution packages.

Setup

Unzip the OpenDJ distribution into /opt/opendj. Rename the unzipped directory according to the type of directory server being configured. For a user store:

/opt/opendj/ds-user1

or an application configuration store:

/opt/opendj/ds-app1

Change ownership recursively on the unzipped distribution for a user store:

chown -R opendj:opendj ds-user1

Set permissions recursively on the installation directory:

chmod -R g+rw ds-user1

Create an .env file for the instance (e.g. ds-user1.env or ds-app1.env) in opendj's home:

JAVA_HOME=/usr/lib/jvm/java
DSHOME=/opt/opendj/ds-user1
PATH=$DSHOME/bin:$JAVA_HOME/bin:$PATH
export JAVA_HOME DSHOME PATH

echo "$DSHOME environment set"

The above assumes use of the default RHEL 6 system Java. To use the third-party Sun/Oracle Java, "JAVA_HOME" would be set to "/usr/java/default". Note that the example below shows the setup of a user directory. The two main differences between this and the setup of a configuration directory are that the latter (a) is run as opendj, not root, and (b) is not set up for TLS or LDAPS. Source this environment and then change directory into $DSHOME/bin. Run the setup routine in command-line mode ("setup --cli"):

[opendj@testhost ds-user1]$ ./setup --cli

OpenDJ 2.6.0
Please wait while the setup program initializes...

What would you like to use as the initial root user DN for the Directory
Server? [cn=Directory Manager]: 
Please provide the password to use for the initial root user: 
Please re-enter the password for confirmation: 

On which port would you like the Directory Server to accept connections from
LDAP clients? [1389]: 1389

On which port would you like the Administration Connector to accept
connections? [4444]: 5444
Do you want to create base DNs in the server? (yes / no) [yes]: 

Provide the base DN for the directory data: [dc=example,dc=com]: dc=bigcorp,dc=com
Options for populating the database:

    1)  Only create the base entry
    2)  Leave the database empty
    3)  Import data from an LDIF file
    4)  Load automatically-generated sample data

Enter choice [1]: 

Do you want to enable SSL? (yes / no) [no]: yes
On which port would you like the Directory Server to accept connections from
LDAPS clients? [1636]: 1636

Do you want to enable Start TLS? (yes / no) [no]: yes
Certificate server options:

    1)  Generate self-signed certificate (recommended for testing purposes
        only)
    2)  Use an existing certificate located on a Java Key Store (JKS)
    3)  Use an existing certificate located on a JCEKS key store
    4)  Use an existing certificate located on a PKCS#12 key store
    5)  Use an existing certificate on a PKCS#11 token

Enter choice [1]: 
Provide the fully-qualified host name or IP address that will be used to
generate the self-signed certificate [ldap1.example.com]: 

Do you want to start the server when the configuration is completed? (yes /
no) [yes]: 


Setup Summary
=============
LDAP Listener Port:            1389
Administration Connector Port: 5444
LDAP Secure Access:            Enable StartTLS
                               Enable SSL on LDAP Port 1636
                               Create a new Self-Signed Certificate
Root User DN:                  cn=Directory Manager
Directory Data:                Create New Base DN dc=bigcorp,dc=com.
Base DN Data: Only Create Base Entry (dc=bigcorp,dc=com)

Start Server when the configuration is completed


What would you like to do?

    1)  Set up the server with the parameters above
    2)  Provide the setup parameters again
    3)  Print equivalent non-interactive command-line
    4)  Cancel and exit

Enter choice [1]: 

No protocol specified
See /tmp/opends-setup-7070027805426919888.log for a detailed log of this operation.

Configuring Directory Server ..... Done.
Configuring Certificates ..... Done.
Creating Base Entry dc=bigcorp,dc=com ..... Done.
Starting Directory Server ...... Done.

To see basic server configuration status and configuration you can launch /opt/opendj/ds-user1/bin/status
[root@philx ds-user1]# 

Configuration

Check the OpenDJ Cheat Sheet for more details on performing the procedures described here. NOTE: The following assumes the target directory is owned by root and listening on port 389, requiring that many commands be run as root via sudo. If the directory is listening on a port higher than 1000 and the owner is the opendj system user, you may dispense with sudo.

Create and deploy init script

su -
. /home/opendj/ds-user1.env
cd $DSHOME/bin
./create-rc-script \
  -j /usr/lib/jvm/java \
  -u opendj \
  -f /etc/init.d/ds-user1

Deploy Initial Configuration

1. Load opendj-initial-config.ldif using ldapmodify.

ldapmodify -h localhost -p 1389 -D "cn=directory manager" \
  -w [password] -c -f opendj-initial-config.ldif

2. Rebuild indexes.

sudo $DSHOME/bin/rebuild-index \
  -p 5444 -X \
  -j /home/opendj/etc/pwd.txt \
  -b dc=bigcorp,dc=com \
  --rebuildAll \
  -t 0

Add Custom Schema

Add any 99-user.ldif custom schema to directory.

Copyright 2004-2021 Phil Lembo