DNS

OpenDJ replication requires fully qualified domain names, such as opendj.example.com, so we'll use

opendj.krypton.com and www.opendj.krypton.com

for the primary server instance, and for the replica instance (ask Dimitri if this makes sense)

opendj1.krypton.com and www.opendj1.krypton.com

Ensure that these names resolve. Without real DNS, put them in the hosts file (/etc/hosts):

127.0.0.1   localhost

127.0.1.1   opendj1
127.0.1.1   www.opendj1.krypton.com
127.0.1.1   opendj1.krypton.com
127.0.1.1   www.opendj.krypton.com
127.0.1.1   opendj.krypton.com
127.0.1.1   www.krypton.com
127.0.1.1   krypton.com

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

This is the hosts file from Ubuntu 14.x. Currently not sure I need the www.krypton.com entries... talk to Dimitri. Note that every name above maps to 127.0.1.1, which is fine for a single-host test, but for replication between machines each server's name must resolve, on every machine involved, to an address the others can reach; the name you give setup is also the subject of the self-signed certificate it generates.
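To check this before running setup, here is an added example (not from the original page) that verifies each name replication will use is fully qualified, appears in the hosts file, and does not map to a loopback address, which a replica on another machine could not reach. It defaults to the krypton.com names above; the helper names are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original page: check that every name OpenDJ
# replication will use is fully qualified, is present in a hosts file, and does
# not map to a loopback address (a replica on another machine cannot reach
# 127.0.1.1). Defaults are the krypton.com names used on this page; the helper
# names are this example's own.

# Print the address a name maps to in a hosts file; print nothing if absent.
hosts_lookup() {
    hosts_file="$1"
    name="$2"
    awk -v n="$name" '
        /^[[:space:]]*#/ { next }                                 # comment line
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$hosts_file"
}

# Report problems with each name; returns 0 only if all names pass.
check_replication_names() {
    hosts_file="$1"; shift
    rc=0
    for name in "$@"; do
        case "$name" in
            *.*) ;;                                                # has a domain part
            *)   echo "NOT FQDN: $name"; rc=1; continue ;;
        esac
        addr="$(hosts_lookup "$hosts_file" "$name")"
        if [ -z "$addr" ]; then
            echo "UNRESOLVED: $name"; rc=1
        else
            case "$addr" in
                127.*|::1)
                    # Usable only on this host; the name also becomes the
                    # subject of the self-signed certificate setup generates.
                    echo "LOOPBACK: $name -> $addr"; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Usage: sh check_hosts.sh [hosts_file] [name ...]
if [ "$#" -gt 0 ]; then
    hosts_file="$1"; shift
    [ "$#" -gt 0 ] || set -- opendj.krypton.com opendj1.krypton.com
    check_replication_names "$hosts_file" "$@"
fi
```

Run it as `sh check_hosts.sh /etc/hosts` on each machine that will take part in replication; with the hosts file above it reports every name as LOOPBACK, which is exactly the single-host limitation described.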

Setup Java

Java 8 is not supported by OpenDJ 2.4.5, so use Java 7.

To keep OpenDJ truly zero footprint, pin the exact Java it runs with instead of relying on whatever java is on the system PATH or in the system configuration files. We do this with an environment variable that the OpenDJ scripts read.

Without that, running the setup stops with:

cd /opt/opendj

./setup --cli
Please set OPENDS_JAVA_HOME to the root of a Java 6 update 10 (or higher) installation or edit the java.properties file and then run the dsjavaproperties script to specify the Java version to be used.

Install Java

Forget about editing java.properties. Instead, first install the JRE per the Zero Footprint Java on Ubuntu instructions as serveradmin. The only slight change is that we move the JRE into the following folder using a root-enabled account:

sudo mv /home/serveradmin/java/ /opt/java-forgerock/
sudo chown -R serveradmin:staff /opt/java-forgerock/
sudo chmod -R 750 /opt/java-forgerock/

I thought about using the Oracle Server JRE edition, but given certificate things, it's best to use the most popular and tested, which is the standard JRE.

Configure Java Environment Path

We set the environment variables for serveradmin by editing the profile of the account that runs OpenDJ, in this case serveradmin:

cd ~
vi .profile

Add the following to the end of the file:

export OPENDJ_JAVA_HOME=/opt/java-forgerock

export OPENDS_JAVA_HOME=/opt/java-forgerock

There is still a need for the OPENDS environment variable. It looks like since 2.4.5 this was somewhat fixed (i.e. OPENDJ_JAVA_HOME is now used), but so is OPENDS_JAVA_HOME, so you need both. Report this when I have time. Keep in mind that .profile is only read by login shells: if the server is later started from an init script or cron job, export both variables there as well.
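Before appending those lines, it is worth checking that the pinned Java is actually the right one. The script below is an added example, not from the original page or from OpenDJ: it checks that the Java home has an executable java, is owned by the service account, and reports a version OpenDJ 2.4.5 accepts (Java 6 update 10 or later, not Java 8), then prints the two export lines. The /opt/java-forgerock path and the serveradmin account are the page's; the helper names and the checks themselves are this example's own.

```bash
#!/bin/sh
# Added example, not from the original page: validate a Java home before pinning
# OPENDJ_JAVA_HOME and OPENDS_JAVA_HOME to it. OpenDJ 2.4.5 wants Java 6 update
# 10 or later and does not support Java 8, so the version is checked along with
# the basics (java binary present and executable, directory owned by the service
# account). The path /opt/java-forgerock and the account serveradmin are the
# page's; the helper names and checks are this example's own.

# Print the version string java reports, e.g. 1.7.0_80 (java prints it on stderr).
java_version_string() {
    "$1/bin/java" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Turn "1.7.0_80" into "7 80" (major and update number); fail on non-1.x numbering.
java_major_update() {
    v="$1"
    case "$v" in
        1.[0-9]*) major="${v#1.}"; major="${major%%.*}" ;;
        *)        return 1 ;;        # Java 9+ style "9.0.1": never valid for 2.4.5
    esac
    case "$v" in
        *_*) update="${v##*_}"; update="${update%%[!0-9]*}" ;;
        *)   update=0 ;;
    esac
    echo "$major $update"
}

# Check the Java under $1 (optionally owned by user $2) and print the two export
# lines for ~/.profile on success; on failure print the reason on stderr, return 1.
pin_opendj_java() {
    home="$1"; owner="${2:-}"
    [ -x "$home/bin/java" ] || { echo "no executable $home/bin/java" >&2; return 1; }
    if [ -n "$owner" ] && [ "$(stat -c %U "$home" 2>/dev/null)" != "$owner" ]; then
        echo "$home is not owned by $owner" >&2; return 1
    fi
    v="$(java_version_string "$home")"
    mu="$(java_major_update "$v")" || { echo "cannot parse Java version '$v'" >&2; return 1; }
    major="${mu% *}"; update="${mu#* }"
    if [ "$major" -gt 7 ]; then
        echo "Java $v found, but Java 8 is not supported by OpenDJ 2.4.5" >&2; return 1
    fi
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$update" -lt 10 ]; }; then
        echo "Java $v found, but OpenDJ 2.4.5 needs Java 6 update 10 or later" >&2; return 1
    fi
    # Both variables are needed with 2.4.5 (see the note above).
    printf 'export OPENDJ_JAVA_HOME=%s\nexport OPENDS_JAVA_HOME=%s\n' "$home" "$home"
}

# Usage: sh pin_java.sh /opt/java-forgerock serveradmin >> ~/.profile
if [ "$#" -gt 0 ]; then
    pin_opendj_java "$1" "${2:-}"
fi
```

Run it once as serveradmin and redirect its output into ~/.profile; if it prints nothing and exits non-zero, read the reason on stderr rather than appending a broken path.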

Command Line Setup

Do everything as the user that will run OpenDJ. In this tutorial that is serveradmin unless otherwise indicated.

OpenDJ Download and Prep

First grab the software and unzip it. The download is over plain HTTP, so check the archive against a checksum or signature obtained from ForgeRock before unpacking it:

wget http://download.forgerock.org/downloads/opendj/2.4.5/OpenDJ-2.4.5.zip
unzip OpenDJ-2.4.5.zip

Then move it into place using a root-capable user:

sudo mv /home/serveradmin/opendj/ /opt/
cd /opt
sudo chown -R serveradmin:staff ./opendj/
sudo chmod -R 750 ./opendj/

With LXC it is easy to set up multiple machines to try out replication, so I have dropped the opendj0 naming convention. This also makes it easier to compare instances.

Start the Setup

Run the command line setup as the dedicated OpenDJ account:

cd /opt/opendj
./setup --cli

Unless otherwise indicated, accept the default:

What would you like to use as the initial root user DN for the Directory
Server? [cn=Directory Manager]: 
Please provide the password to use for the initial root user: 
Please re-enter the password for confirmation: 

Make sure to use a complex password for the initial root user. We'll use the standard T&R password for "Directory Manager".

Provide the fully-qualified directory server host name that will be used when
generating self-signed certificates for LDAP SSL/StartTLS, the administration
connector, and replication [opendj1]: opendj.krypton.com

It is unclear to me whether I should use the primary name here or an instance name. Whichever you pick, it becomes the subject of the self-signed certificate and the host name other replicas connect to, so it must resolve, on every machine involved, to this server.

On which port would you like the Directory Server to accept connections from
LDAP clients? [1389]: 
On which port would you like the Administration Connector to accept
connections? [4444]: 

For the LDAP client port, unless you run with root privileges you cannot bind ports below 1024, so use 1389 rather than 389.

Use the default 4444 port for Administration Connector.

Do you want to create base DNs in the server? (yes / no) [yes]: 
Provide the base DN for the directory data: [dc=example,dc=com]: dc=krypton,dc=com
Options for populating the database:
    1)  Only create the base entry
    2)  Leave the database empty
    3)  Import data from an LDIF file
    4)  Load automatically-generated sample data
Enter choice [1]: 
Do you want to enable SSL? (yes / no) [no]: 
Do you want to enable Start TLS? (yes / no) [no]: 
Do you want to start the server when the configuration is completed? (yes /
no) [yes]: no

The "create base DNs" question is about the directory's naming context, the suffix under which your data will live (here dc=krypton,dc=com); it has nothing to do with DNS. Answer yes and give that base DN.

I answer no to starting the server because that way we can run the status command while the server is off and verify the configuration first.

Setup Summary
=============
LDAP Listener Port:            1389
Administration Connector Port: 4444
LDAP Secure Access:            disabled
Root User DN:                  cn=Directory Manager
Directory Data:                Create New Base DN dc=krypton,dc=com.
Base DN Data: Only Create Base Entry (dc=krypton,dc=com)


Do not start Server when the configuration is completed
What would you like to do?
    1)  Set up the server with the parameters above
    2)  Provide the setup parameters again
    3)  Print equivalent non-interactive command-line
    4)  Cancel and exit
Enter choice [1]: 

See /tmp/opendj-setup-4401325749445109218.log for a detailed log of this operation.
Configuring Directory Server ..... Done.
Creating Base Entry dc=krypton,dc=com ..... Done.
To see basic server configuration status and configuration you can launch /opt/opendj/bin/status
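Option 3 of the final menu prints a non-interactive command of this shape, which is what you want for repeatable installs of several replicas. The script below is an added example, not from the original page or from OpenDJ: it builds that command for the values used above and reads the Directory Manager password from a file only the service account can read, instead of passing it with --rootUserPassword where it would be visible in the process list and shell history. Ports, DNs and host name are the page's values; OPENDJ_HOME, the password-file location and the helper names are this example's own.

```bash
#!/bin/sh
# Added example, not from the original page or from OpenDJ: the non-interactive
# equivalent of the interactive answers above (what option 3 of the final menu
# prints), with the root password read from a file only this user can read
# instead of --rootUserPassword on the command line, where it would be visible
# in the process list and shell history. Ports, DNs and host name are the page's
# values; OPENDJ_HOME and the helper names are this example's own.

OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"

# Write the Directory Manager password from stdin to $1 with mode 0600.
write_password_file() {
    path="$1"
    ( umask 077 && cat > "$path" )            # created unreadable to others
    [ -s "$path" ] || { echo "empty password, refusing" >&2; rm -f "$path"; return 1; }
}

# Invoke a command with the setup arguments used on this page.
# $1 host name for the certificate, $2 base DN, $3 password file,
# remaining arguments: the command to run (normally $OPENDJ_HOME/setup).
setup_with() {
    host="$1"; base_dn="$2"; pwfile="$3"; shift 3
    "$@" --cli --no-prompt \
        --rootUserDN "cn=Directory Manager" \
        --rootUserPasswordFile "$pwfile" \
        --hostname "$host" \
        --ldapPort 1389 \
        --adminConnectorPort 4444 \
        --baseDN "$base_dn" \
        --addBaseEntry \
        --doNotStart
}

# Usage: printf '%s' "$password" | sh setup_opendj.sh opendj.krypton.com [base DN]
if [ "$#" -gt 0 ]; then
    pwfile="$HOME/.opendj-rootpw"
    write_password_file "$pwfile" || exit 1
    setup_with "$1" "${2:-dc=krypton,dc=com}" "$pwfile" "$OPENDJ_HOME/setup"
    rc=$?
    rm -f "$pwfile"                            # setup has stored it (hashed) in the server config
    exit "$rc"
fi
```

To preview the arguments without touching anything, call `setup_with opendj.krypton.com 'dc=krypton,dc=com' /path/to/pwfile printf '%s\n'`; the password itself never appears in the output.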

Verify Configuration with Server Status

You can verify things are good before starting:

cd /opt/opendj/bin
./status
Please set OPENDJ_JAVA_HOME to the root of a Java 6 update 10 (or higher) installation
or edit the java.properties file and then run the dsjavaproperties script to
specify the Java version to be used

In this case the step exposed what looked like a remaining bug in this area, which I then fixed; afterwards status reports the following (this particular output was captured from an OpenDJ 2.6.0 instance, which is why it also lists the HTTP connection handler that 2.4.5 does not have):

          --- Server Status ---
Server Run Status:        Stopped
Open Connections:         <not available> (*)
          --- Server Details ---
Host Name:                opendj1
Administrative Users:     cn=Directory Manager
Installation Path:        /opt/opendj
Version:                  OpenDJ 2.6.0
Java Version:             <not available> (*)
Administration Connector: Port 4444 (LDAPS)
          --- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------:---------
--           : LDIF     : Disabled
0.0.0.0:161  : SNMP     : Disabled
0.0.0.0:636  : LDAPS    : Disabled
0.0.0.0:1389 : LDAP     : Enabled
0.0.0.0:1689 : JMX      : Disabled
0.0.0.0:8080 : HTTP     : Disabled
          --- Data Sources ---
Base DN:     dc=krypton,dc=com
Backend ID:  userRoot
Entries:     <not available> (*)
Replication: 
* Information only available if server is running and you provide valid
authentication information when launching the status command.

The bug turned out to be the OPENDS variable, which I documented and fixed above. If you f

Start and Stop

As a reference:

cd /opt/opendj/bin
./start-ds

cd /opt/opendj/bin
./stop-ds

# -s (--systemInfo) does not start the server; it prints general system
# information (Java, OS, memory) and exits
./start-ds -s

Start the server:

cd /opt/opendj/bin
./start-ds

start-ds prints the server's startup notices (they also go to logs/errors) and returns once the server has started; ./status should then report Server Run Status: Started. (The log that was pasted here previously was the output of a setup run that started the server at the end of setup, not of start-ds.)

Create Data Stores

During the OpenAM installation, two data stores are created:

  1. Configuration
  2. User

ForgeRock recommends using the OpenAM embedded data store for the configuration store for up to 4 OpenAM replicas, and further recommends that no more than 4 OpenAM replicas exist for a given installation.

In our own experience, we were not successful when we tried to use OpenDJ as the configuration data store, even though we followed the steps to Relax the Restriction on Objects.

References

OpenDJ documentation (not bad, but not a good manual setup guide) - http://opendj.forgerock.org/docs.html

OPENDJ-330 - https://bugster.forgerock.org/jira/browse/OPENDJ-330

Install Guide - http://opendj.forgerock.org/opendj-server/doc/bootstrap/install-guide/

Replication - http://ludopoitou.com/2011/05/10/opendj-quick-replication-setup/
