This document provides an overview of OpenDJ for beginners. It discusses what an LDAP directory is and when it should be used. The key features of OpenDJ are listed, including its scalability, performance, flexibility, and support for LDAP, SPML and SCIM standards. Components of OpenDJ like replication and interfaces for LDAP, DSML and REST are described. The differences between a directory and relational database are outlined. Typical use cases for authentication are discussed. Finally, features of OpenDJ like its administration GUI, command line, SDK, access control, and group/role support are highlighted.
2. Objectives
Upon completion of this module, you should understand:
• OpenDJ and the OIS
• What is an LDAP Directory
• When to use an LDAP Directory
• Features of OpenDJ
7. What is a Directory?
• Special purpose data repository
• Attribute-value pair type of data
• Hierarchical structure for data modeling
• Traditionally optimized for reads through heavy indexing
10. An LDAP directory can store:
• User credentials
• Company employee phone book and organizational chart
• Network information
• Mail routing information
• HR data
• Public security keys and certificates
• External customer contact information
12. Schema
• A schema is a set of rules that determines what data can and cannot be stored in a directory
• Schemas help maintain the integrity and quality of the data being stored
• A directory server schema consists of:
> Attributes
> Object Classes
> Rules that must be followed before allowing data into the database
13. Attributes
• Data elements used to describe something
> First Name, Last Name, City, State, Postal Code
• Can contain single or multiple values
• Can be grouped with other attributes to describe an object
> Person, Place, Thing, etc.
• Have a particular syntax
• Common attributes are defined by RFCs
• Organizations may add their own attributes
14. Object Classes
• Data elements used to group attributes in order to describe an object
• Act as templates that describe directory entries
• Defined by the objectClass attribute
• Required for all directory server entries
> Entries MUST have at least one object class
> Entries MAY have more than one object class
• Two types of object classes: STRUCTURAL and AUXILIARY
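The three schema slides above (attributes with syntax and single/multi-valued rules, object classes with MUST/MAY attribute sets, and the rule that every entry carries at least one object class) can be exercised with a small checker. This is an added example, not code from the deck or from OpenDJ; the schema excerpt is hand-built from RFC 4519 `person` and RFC 2307 `posixAccount`, and the "exactly one STRUCTURAL class" rule is a simplification that ignores superclass chains.

```python
"""Toy schema check: the rules an LDAP server applies before accepting an entry. Schema
excerpt hand-built from RFC 4519 'person' and RFC 2307 'posixAccount' (constructed here)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectClass:
    kind: str        # "STRUCTURAL" or "AUXILIARY"
    must: frozenset  # attributes an entry of this class has to carry
    may: frozenset   # attributes it is additionally allowed to carry

OBJECT_CLASSES = {
    "person": ObjectClass("STRUCTURAL", frozenset({"sn", "cn"}),
                          frozenset({"userPassword", "description"})),
    "posixAccount": ObjectClass("AUXILIARY",
                          frozenset({"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
                          frozenset({"userPassword", "loginShell", "description"})),
}
# Attribute definitions: name -> (single-valued?, syntax name); syntaxes validate values.
SYNTAXES = {"integer": str.isdigit, "directoryString": lambda v: len(v) > 0}
ATTRIBUTES = {
    "objectClass": (False, "directoryString"), "cn": (False, "directoryString"),
    "sn": (False, "directoryString"), "uid": (False, "directoryString"),
    "description": (False, "directoryString"), "userPassword": (False, "directoryString"),
    "uidNumber": (True, "integer"), "gidNumber": (True, "integer"),
    "homeDirectory": (True, "directoryString"), "loginShell": (True, "directoryString"),
}

def validate(entry):
    """Return the list of schema violations for entry (dict: attribute -> list of values)."""
    names = entry.get("objectClass", [])
    if not names:
        return ["entry MUST have at least one objectClass"]
    errors = [f"unknown objectClass {n}" for n in names if n not in OBJECT_CLASSES]
    classes = [OBJECT_CLASSES[n] for n in names if n in OBJECT_CLASSES]
    # Toy rule (no superclass chains modelled): exactly one STRUCTURAL class per entry.
    if sum(c.kind == "STRUCTURAL" for c in classes) != 1:
        errors.append("entry needs exactly one STRUCTURAL objectClass")
    must = frozenset().union(*(c.must for c in classes))
    allowed = must.union({"objectClass"}, *(c.may for c in classes))
    errors += [f"missing required attribute {a}" for a in sorted(must - set(entry))]
    for attr, values in entry.items():
        if attr not in ATTRIBUTES:
            errors.append(f"attribute {attr} is not defined in the schema")
            continue
        if attr not in allowed:
            errors.append(f"attribute {attr} is not permitted by the entry's object classes")
        single, syntax = ATTRIBUTES[attr]
        if single and len(values) > 1:
            errors.append(f"attribute {attr} is single-valued")
        errors += [f"value {v!r} violates the {syntax} syntax of {attr}" for v in values if not SYNTAXES[syntax](v)]
    return errors
```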
15. Today's Directory Requirements
• Scalable: millions of entries
• Fast: sub-second response times
• Flexible: wide and extensible range of attributes
• Standards-compliant (LDAP, SPML, SCIM)
• High availability: replication service
16. OpenDJ Drivers
• Lower cost of ownership
> Higher performance while consuming less disk, memory and CPU resources
> Reduction in administrative overhead by automating recurrent tasks (backup or data exports)
• High availability, failover and disaster recovery for directory service and data
• Secures identity data through encryption, authentication, authorization and access control, password and account management capabilities
• Complies with LDAPv3, DSMLv2 and SCIM standards
• Can be embedded in other Java applications
• Advances as an open source project that gives you the freedom to use, study or modify the code
17. Directory vs Relational Database
• How often does your data change?
• What kind of data are you trying to model?
• Does it make sense to model your data in a hierarchical structure?
• Does your data need to be available cross-platform?
18. Typical Use Case: Authentication
• Very quick for doing identity reads
• Low cost
• Excellent for doing rapid LDAP authentication for any digitized authentication
• Universal protocol enabling quick interaction and exchange of identity information
• Can be easily partitioned, allowing a flexible architecture
• Can be easily replicated, providing high availability and reliability
23. OpenDJ Interfaces
• LDAP
> The native directory server interface
> Based on the DAP protocol
• DSML
> Accessed through a gateway (web application)
• REST
> Exchange of JSON messages
> Native or through a gateway (web application)
25. OpenDJ Features
• Admin GUI
• Rich admin command line
• LDAP SDK
• Verbose access control
• High availability
• Flexible and easy-to-use plug-in mechanism
• Pass-through authentication
• Optimistic concurrency control (MVCC)
• SAMBA integration
• Static, dynamic and virtual static groups and roles
Directory great for some applications, but not others. Possible to create a structure about any kind of data, but not necessarily a good idea. Optimized for read (so less efficient in writes). Directories implement extensive indexes. The indexes are tied to a schema which defines attributes. The attributes represent your application. Benefit of hierarchical structure: ability to apply access control to all child elements in the tree structure.
Perfectly suited to handle the kind of traffic you see on the internet.
Most LDAP servers are heavily optimized for read. Big difference when reading data from an LDAP directory versus obtaining the same data from a relational database server optimized for OLTP. That comes at the cost of write operations, so not best suited when data changes a lot (e.g. not suited for a high-volume e-commerce site). Does your data need to be distributed? Do you need fine-grained security?
Why Use LDAP Directories for LDAP Authentication?
Lightweight Directory Access Protocol (LDAP) directories and LDAP authentication have become one of the cornerstones of enterprise user infrastructure. As the enterprise has digitized and opened itself up to customer, business partner, vendor and wide-spread employee access to pieces of most enterprise applications, the need to know who the user is has significantly increased from a security perspective. Who is the user trying to access an application? What is the strength of authentication by which the application can trust the user trying to access the application? What are the user's authorization privileges?

The frequency with which to authenticate who a user is has also increased. Thus in a medium to large enterprise it is not uncommon to have several thousand to several hundred thousand identity look-ups per second.

The above are the reasons why LDAP directories and authentication have taken on such a dominant role in enterprise authentication. LDAP directories offer the following features:
• They are very quick for doing identity reads against as compared to traditional databases
• They are low cost; in fact some LDAP directories are available for free
• Virtual LDAP directories enable quick linkage between multiple databases and multiple LDAP directories
• LDAP directories are excellent for doing rapid LDAP authentication against for any digitized authentication
• LDAP directories have a universal protocol enabling quick interaction and exchange of identity information between enterprises
• LDAP directories can be easily partitioned to place the directory close to the end user, thus improving performance and reducing network load
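The notes above single out the hierarchical tree as the reason access control can be applied to a whole subtree at once, and ask whether you need fine-grained security. The following added example (not code from the deck, and not OpenDJ's ACI syntax) shows that principle: DNs are split into RDN components per RFC 4514, a rule placed on a base DN covers every entry beneath it, and evaluation is deny-overrides with deny as the default. The rule set and DNs under dc=example,dc=com are constructed for the example.

```python
"""Subtree-scoped access control over an LDAP tree (constructed illustration of the
principle, not OpenDJ's ACI syntax): a rule placed on a DN covers every entry below it."""

def dn_components(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas (RFC 4514),
    and lower-case them so that comparisons are case-insensitive (toy normalisation)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts]

def is_under(entry_dn, base_dn):
    """True when entry_dn is base_dn itself or any descendant of it in the tree."""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b

# Constructed rule set: each rule targets a subtree and names who it applies to
# ("*" = any requester, otherwise an exact DN).  Order does not matter: deny wins.
RULES = [
    {"target": "ou=people,dc=example,dc=com", "subject": "*",
     "allow": {"read"}, "deny": set()},
    {"target": "ou=people,dc=example,dc=com", "subject": "uid=hradmin,ou=admins,dc=example,dc=com",
     "allow": {"read", "write"}, "deny": set()},
    # Contractor entries sit under ou=people but are hidden from everyone by an inherited deny.
    {"target": "ou=contractors,ou=people,dc=example,dc=com", "subject": "*",
     "allow": set(), "deny": {"read"}},
]

def check(entry_dn, requester_dn, right):
    """Deny-overrides evaluation: any applicable deny wins, then any allow; default is deny."""
    applicable = [r for r in RULES if is_under(entry_dn, r["target"])
                  and (r["subject"] == "*" or dn_components(r["subject"]) == dn_components(requester_dn))]
    if any(right in r["deny"] for r in applicable):
        return False
    return any(right in r["allow"] for r in applicable)
```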