OpenDJ 2.6.4 on Ubuntu 16.04 LTS Notes - plembo/onemoretech GitHub Wiki

OpenDJ 2.6.4 Community Edition sets up on Ubuntu 16.04 LTS about the same as the zip distribution does on RHEL/CentOS/Fedora (the Community Edition binaries currently only come in zip format). Still, there were a couple of tweaks I had to make in order to get things running smoothly.

The Init Script

I like init scripts. They allow me to get through an entire weekend without being called by the Help Desk to start some service after a bunch of servers were rebooted.

My current practice is to create an opendj user and group with a home directory of /opt/opendj, and then to unzip the OpenDJ distribution into that home directory:

groupadd -g 1017 opendj
useradd -g opendj -u 1017 -c "OpenDJ Server" -d /opt/opendj -m opendj
unzip OpenDJ-2.6.4.zip
cd opendj
mv * /opt/opendj/

I never run OpenDJ as root. Anyone who has ever had to fight off a remote exploit knows why.

Generating the init script on Ubuntu is done the same way as on other platforms, using the script under $DSHOME/bin:

create-rc-script \
-f /etc/init.d/opendj \
-u opendj \
-j /usr/lib/jvm/java-1.8.0-openjdk-amd64

Note: OpenDJ 2.6.4 should work just fine using Java 8 (2.6.0 had issues with anything more recent than Java 7). But I have no experience with Java 9, so proceed with caution if that's what you decide to deploy.

To integrate this script properly on Ubuntu, you need to insert the following just below the CDDL Header at the top of the script:

### BEGIN INIT INFO
# Provides:          opendj
# Required-Start:    $remote_fs $network $syslog $named
# Required-Stop:     $remote_fs $network $syslog $named
# Should-Start:      $network $time
# Should-Stop:       $network $time
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop the opendj ldap server daemon
# Description:       Controls the main opendj ldap server daemon
### END INIT INFO

Before going further, shut down OpenDJ using the "stop-ds" command.

Once that's done you should issue "update-rc.d opendj defaults" and "systemctl enable opendj", and then use systemctl to start the server back up.

LDAP Port Redirection

One final step is to modify the Ubuntu host Uncomplicated Firewall (ufw) "before" rules to redirect incoming traffic from the standard LDAP (and LDAPS) ports 389 and 636 to OpenDJ's ports 1389 and 1636. Java software daemons running as a non-root user on Linux normally can't use ports below 1000. This is an artifact of the bad old days on Unix. That's why OpenDJ sets up on ports 1389 and 1636 by default on Linux when you install as a non-root user.

The workaround to allow clients access to the server over the standard LDAP ports is to use PREROUTING REDIRECT rules on the host firewall. On Red Hat systems we would do this in iptables or firewalld. On Ubuntu we modify the before and before6 rule files for ufw. Here are the lines to insert in /etc/ufw/before.rules and /etc/ufw/before6.rules just above the line "Don't delete these required lines...":

# PREROUTING for OpenDJ Directory
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d 10.2.0.12 --dport 636 -j REDIRECT --to-port 1636
-A PREROUTING -p tcp -d 10.2.0.12 --dport 389 -j REDIRECT --to-port 1389
COMMIT

# Don't delete these required lines, otherwise there will be errors

Note that the LDAP server (destination) IP is being specified to confine prerouting to that specific host (in case you're running bridged virtual machines or containers on the same machine).

Restart ufw after saving your changes to these files.
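The before.rules edit described above, as an added shell example that is not part of this wiki page: it inserts the nat block just above the "Don't delete these required lines" marker, skips the insert when the block is already there, and takes the rules file path and the destination address as parameters. The sample rules file it builds is a constructed stand-in for /etc/ufw/before.rules, not the real file.

```shell
#!/bin/sh
# Insert the OpenDJ PREROUTING REDIRECT block into a ufw "before" rules file,
# directly above the "Don't delete these required lines" marker.
# Real usage: add_opendj_redirect /etc/ufw/before.rules 10.2.0.12
add_opendj_redirect() {
    rules="$1"; dest="$2"
    # Idempotent: the comment tag marks a block that was already inserted.
    if grep -q '^# PREROUTING for OpenDJ Directory' "$rules"; then
        return 0
    fi
    tmp="$rules.tmp.$$"
    awk -v dest="$dest" '
        /^# Don.t delete these required lines/ && !done {
            print "# PREROUTING for OpenDJ Directory"
            print "*nat"
            print ":PREROUTING ACCEPT [0:0]"
            print "-A PREROUTING -p tcp -d " dest " --dport 636 -j REDIRECT --to-port 1636"
            print "-A PREROUTING -p tcp -d " dest " --dport 389 -j REDIRECT --to-port 1389"
            print "COMMIT"
            print ""
            done = 1
        }
        { print }
    ' "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# Returns 0 only when both REDIRECT rules are present and the marker survived,
# so a bad edit is caught before "ufw reload" locks anything out.
check_opendj_redirect() {
    rules="$1"
    grep -q -- '--dport 389 -j REDIRECT --to-port 1389' "$rules" &&
    grep -q -- '--dport 636 -j REDIRECT --to-port 1636' "$rules" &&
    grep -q "^# Don't delete these required lines" "$rules"
}

# Constructed stand-in for /etc/ufw/before.rules (not the real file) so the
# functions above can be exercised without touching the host firewall.
make_sample_rules() {
    printf '%s\n' '# rules.before' '' \
        "# Don't delete these required lines, otherwise there will be errors" \
        '*filter' ':ufw-before-input - [0:0]' 'COMMIT' > "$1"
}
```

For before6.rules pass the host's IPv6 address instead; ip6tables rejects an IPv4 -d address, so the block from before.rules cannot be copied over verbatim.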