Child pages
  • OpenDJ User FAQ
Skip to end of metadata
Go to start of metadata

This page is for frequently asked questions about using OpenDJ.

OpenDJ is open source and free for developer use. For answers related to subscriptions and licensing, see

Why would I want to use OpenDJ?

OpenDJ is a new LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available and secure store for the identities managed by your enterprise. Its easy installation takes OpenDJ the simplest and fastest directory server to deploy and manage.

What are the prerequisites for installing OpenDJ?

At minimum, you need Java 6. If you have Java WebStart configured, you can install OpenDJ server starting with a single click in your web browser.

For hardware, you can do an evaluation install on a netbook by default using 256 MB free RAM and less than 100 MB free disk space. How much hardware you need for deployment depends on your requirements. See the Before You Install chapter in the Installation Guide for more.

OpenDJ directory server is also available in .deb and .rpm packages for easy installation and upgrade on many Linux systems.

Which version of OpenDJ should I use?

Download nightly builds from

For ForgeRock supported builds, see

If you would rather roll your own, check out .

How can I find out more about OpenDJ?

Sign up for OpenDJ mailing list at

Join the project at

Find OpenDJ Wiki documentation under

Chat on #opendj.

Get the in-progress documentation for the next release on the OpenDJ community site.

I want to use OpenDJ. How do I get started?

Evaluate OpenDJ directory services starting with a QuickSetup install, see the Installation Guide.

After you install, check out the Administration Guide, or the Developer's Guide, depending on what you want to do.

How do I configure replication after setup?

You can configure replication using the command line, too, starting with a tool called dsreplication.

See the Admin Guide chapter on replication.

How do I import data into OpenDJ?

I want to add data (from an SQL database, CSV, spreadsheet, LDIF, etc.) to OpenDJ/provision user accounts now that I have it installed?

One way is to move your content to LDAP Data Interchange Format, and then import. See the Admin Guide chapter on importing LDIF.

Longer term, consider OpenIDM for provisioning.

How do I store my data in OpenDJ?

Make sure that your data is organized hierarchically – though the hierarchy might be fairly flat – and make sure that the content can be stored as object attributes.

LDAP directory servers such as OpenDJ store data in entry objects. The entry objects are arranged hierarchically, sort of like the folders and files in a file system. Entry names – called their distinguished names – indicate where the entries are in the hierarchy. For example, if the top entry in the hierarchy is named dc=example,dc=com, ou=people,dc=example,dc=com indicates an entry one level below, and uid=bjensen,ou=people,dc=example,dc=com indicates an entry two levels below.

Entry content is stored in attributes. The user entry, uid=bjensen,ou=people,dc=example,dc=com, shows an example of this.

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
userPassword: {SSHA}btruftlJQINrW4YoDiz4SzJZpto6lTUpJchSpg==
givenName: Barbara
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
telephoneNumber: +1 408 555 1862
ou: People

Attributes take sets of values. The set size can be 1, though many attributes can have multiple values. The order of the values is not defined. Furthermore, attributes do not take duplicate values.

Another thing to notice here is the objectClass attribute. Object classes define what sort of attributes must and may be stored on an entry. Object class definitions are found in the server's LDAP schema (details found in the Admin Guide).

A cool feature of LDAP servers and in particular OpenDJ is the capability to extend the schema on the fly, while the server is running. Then – because object classes are stored on attributes – you can therefore add to the list of possible attributes on an entry while the server is running.

So once you envision how to store your data in a hierarchy of entries whose content is stored on attributes, check whether the schema delivered out of the box with OpenDJ directory server under opendj/config/schema already fit your needs. If not, you can add schema for your data. You will find examples of additional schema on the Extend OpenDJ Schema wiki page.

If you have client applications that need to access the data over HTTP rather than LDAP, also see the Admin Guide appendix on REST LDAP Configuration for mapping LDAP entries to REST resources.

How do I upgrade?

I have OpenDJ up and running, but there are some new features and fixed in the latest release.

You can upgrade from an earlier version of OpenDJ either directly from within the Java WebStart installer, or on the command-line using the upgrade command. Have a look at the Installation Guide.

What's the OpenDJ roadmap?

OpenDJ is actively developed, see

The roadmap lives on a wiki page, OpenDJ Roadmap.

How do I get involved?

I want to contribute a patch (a feature, a test, a plug-in) to OpenDJ.

Great. Come discuss your work on the dev mailing list,

Join the project at

How do I use the control panel without being the same user who installed OpenDJ?

This bug is fixed for 2.5, see

How do I help test OpenDJ?

Start with the QA documentation on the wiki.

Join the project at

Come discuss what you want to do on the dev mailing list,

How do I get my LDAP application working with OpenDJ?

(How do I get started with the OpenDJ SDK? What if I want to use C, Perl, Python, PHP, JavaScript, etc.?)

If you want to get started with the OpenDJ Java SDK, start with the SDK page on the community site, where you can download the latest build, integrate the SDK using Maven, and find examples and Javadoc.

For C, Perl, Python, and others you can also find LDAP

For other languages, you might want to use the RESTful API that works with JSON resources. See the Admin Guide

How do I use my application with OpenDJ without knowing LDAP?

You might want to use the RESTful API that works with JSON resources. See the Admin Guide

If you want to learn something about LDAP, have a look at this introduction to LDAP in the Developer's Guide. If you then want to add LDAP support to your application, see these examples and the Javadoc for the OpenDJ SDK.

If your application is already set up to use LDAP, check your application's documentation for suggestions. LDAP is as standard protocol, so there's a chance it already works out of the box.

How do I certify my application with OpenDJ?


Does OpenDJ support standard XYZ?

See the supported standards chapter in the Administration Guide.

Is my LDAPv3/DSML v2 application supported with OpenDJ?

OpenDJ directory server has extensive support for LDAPv3. OpenDJ DSML gateway, a web application you install separately, supports DSMLv2.

How do I get OpenDJ working with other applications?

Such as OpenIDM, OpenAM, GlassFish, Tomcat, WebLogic, Web Sphere, Thunderbird, sendmail, ...

See Configure OpenDJ Client Applications. Feel free to add your findings to the list.

What can I do to get OpenDJ tuned and performing optimally?

Start with the Admin Guide chapter on tuning.

How do I make sure OpenDJ is highly available?

You need OpenDJ replication (and good operational practices to avoid inadvertently bringing the service down).

Where should I post my explanation of how to do XYZ with OpenDJ.

A great place to start is this wiki, the OpenDJ Wiki. Feel free to sign up, and then edit the wiki.

How do I get support?

You're going to be using OpenDJ in production? OpenDJ works fine for you now, but you want to make sure you get expert help if you run into any issues?

Check this out:

How do I get feature XYZ?

If somebody else needs that feature, they might have already entered a request in JIRA for OpenDJ.

If not, you can sign up to create a New Feature or Improvement entry in JIRA.

Next, you can lobby on the OpenDJ mailing list or the #opendj IRC chat on to have someone develop the feature.

If you can pay for somebody to develop the feature you need, then contact ForgeRock.

How do I get OpenDJ in my language?

OpenDJ software has been localized in the following languages (for the directory administrator).

  • French
  • German
  • Japanese
  • Simplified Chinese
  • Spanish
    Certain messages have also been translated into Catalan, Korean, Polish, and Traditional Chinese. Some error messages including messages labeled SEVERE and FATAL are provided only in English.
  • Furthermore, OpenDJ supports many locales for user data.

How do I change the OpenDJ logging volume?

The Admin Guide chapter on monitoring explains the logs available,  how to filter the logs, adjust the logging level, rotate logs, and so forth. You configure logging using the dsconfig command.

How do I do NIS to LDAP with OpenDJ?

See Using OpenDJ for N2L; and

How do I change/reset a user's password in OpenDJ?

(Better yet, how do I let users update their own passwords? How do I let them know that their password is about to expire?)

To change a user's password, you need to work as a user with the password-reset privilege and access rights to modify the userPassword attribute values, as described in the Admin Guide chapter on Privileges and Access Control. That chapter also shows an access control instruction that allows users to modify their own passwords. You can configure OpenDJ to send mail about expiration - see the end of the password policy chapter of the Admin Guide - if you have an SMTP server that will let OpenDJ send the mail.

How do I configure OpenDJ password validation and other password policies? 

Configuring password policies is explained in the Admin Guide chapter on password policy

How do I import existing passwords?

See this blog entry that mentions importing existing passwords.

How do I protect data in OpenDJ for use in production?

Also: How do I secure access to OpenDJ? How do I turn off anonymous access? How do I safely allow proxy authorization?

Use access control and privileges as described in the Admin Guide.

Install OpenDJ to run as a user without a login shell, and prevent data and configuration files from being readable for other users.

Use access control to require that administrative connections are made using TLS or SSL.

To turn off anonymous access, set the reject-unauthenticated-requests global configuration property with the dsconfig command.

Proxy auth is described in the LDAP operations chapter of the Admin Guide.

How should I monitor OpenDJ to be sure the service is working properly?

Also: If there's a problem, how do I get started troubleshooting?

Have a look at the Admin Guide chapters on monitoring and troubleshooting.

What is the right policy for storing log files in a production environment?

Also: How do I implement that policy with OpenDJ?

There is probably not a one-size-fits-all "right" policy, but you will want to rotate logs and move old ones off the production systems. Have a look at the Admin Guide chapter on Monitoring.

How do I backup and restore OpenDJ?

Also: How about in a highly available configuration with replication? What do I do during backup to ensure my applications keep getting access to the directory? What are the caveats?

Check out the Administration Guide chapter on Backup and Restore, in particular the procedure on restoring directory server replicas. Even if you take one server replica offline during backup (not required), the other server replicas can still server directory client applications. The current caveat with backup is that in order to backup certificates used for SSL and so forth, you should perform not only backups of the data, but also file system backups that include your OpenDJ configuration.

What are all the port numbers and protocols OpenDJ uses?

OpenDJ server software uses the following TCP/IP ports by default.

  • LDAP: 389 (1389) - OpenDJ directory server listens for LDAP requests from client applications on port 389 by default. OpenDJ directory server uses port 1389 by default for non-root users. LDAP is enabled by default.
  • LDAPS: 636 (1636) - OpenDJ directory server listens for LDAPS requests from client applications on port 636 by default. OpenDJ directory server uses port 1636 by default for non-root users. LDAPS is not enabled by default.
  • Administrative connections: 4444 - OpenDJ directory server listens for administrative traffic on port 4444 by default. The administration connector is enabled by default.
  • SNMP: 161 - OpenDJ directory server listens for SNMP traffic on port 161 by default. SNMP is not enabled by default.
  • JMX: 1689 - OpenDJ directory server listens for Java Management eXtension traffic on port 1689 by default. JMX is not enabled by default.
  • HTTP: 8080 - OpenDJ directory server can listen for HTTP client requests to the RESTful API. The default port is 8080, but HTTP access is not enabled by default.
  • Replication: 8989 - OpenDJ directory server listens for replication traffic on port 8989 by default. Replication is not enabled by default.

How do I set up my IDE to develop OpenDJ or OpenDJ plug-ins?

See Developing OpenDJ with NetBeans IDE, and Developing OpenDJ with Eclipse IDE.

How do I build OpenDJ from source myself?

Get Java 7 or later. Then for OpenDJ server, get the code from the code repository and build it (see Developing OpenDJ with Maven).

For OpenDJ SDK, see Getting Started With OpenDJ SDK.

How do I use my own certificates with OpenDJ?

The self-signed ones are fine for testing, but they might not work in production.

Take a look at the admin guide on setting up server certs, and on changing server certs.

How do I use OpenDJ in an Active Directory shop?

How you use OpenDJ with Active Directory depends on what you are trying to do.

Perhaps you've figured out Linux MIT Kerberos and Windows Kerberos integration, and you want OpenDJ to permit authentication through Kerberos, and you want to use OpenDJ as a Kerberos principal store to benefit from easy replication of data for high availability.

The Admin Guide shows an example of using the pass through authentication to let OpenDJ authenticate users against Active Directory.

If you are trying to solve the problem of single sign on, for example to let users logged on to Windows desktops (or Linux with Kerberos) get access to applications without having to provide credentials again, have a look at OpenAM's Windows Desktop SSO feature.


How do I use a different database other than Berkeley DB Java Edition with OpenDJ? 

See "How can OpenDJ store user data in another application ?" below

How can OpenDJ store user data in another application?

For example Oracle DB, MySQL, PeopleSoft, Google Apps, 

Currently OpenDJ provides a directory server and data stores based on LDIF files or Berkeley DB Java Edition. The LDIF file data store is meant for small number of entries and very infrequent changes such as configuration or schema.

Future versions of OpenDJ will provide Virtual Directory capabilities and allow to store user data to external data stores. Check the roadmap for the details.

Note that in the past, we made an attempt to use an external distributed database as the user store (Network DB, providing similar services as what OpenLDAP was also trying to build). The level of performances and the reliability of the service didn't match our expectations, and in the end, the code was removed and is not supported. You may still find it in the b2.4 branch, in the backends/ndb directory.

If you want to use both OpenDJ and another application for user authentication, check out OpenAM.

How can I change where OpenDJ instance and log files are stored?


How can my application get notified of changes made to OpenDJ?

See the Admin Guide on using the external change log. Hint: It's at the end of the chapter on replication.

How can I embed OpenDJ in my application?

Also: What if I am embedding OpenDJ in a commercial application? 


How can I get the clear text for passwords stored in OpenDJ entries?

By default, you cannot get the clear text for passwords that OpenDJ stores. The default user storage scheme for userPassword values is Salted SHA-1, which uses a one way hash function before storing passwords. In many deployments, one way hashing prevents everyone, even root and Directory Manager, from reading your password, yet still allows you to login. This works for simple authentication, for example. OpenDJ compares your user credentials (DN and password) against the values stored on your entry. The password comes in as clear text, protected over the wire using a secured connection. OpenDJ hashes your password, and compares the hashed value with the value of userPassword. If the hashed values match, then your login (technically your bind) succeeds.

Some deployments however need to fetch the actual password, perhaps to replay a login against other software. To fit such cases, use a reversible password storage scheme in the password policy you assign to users. See the configuration reference for a list of available storage schemes. One caveat: you have to modify userPassword values themselves in order to apply a new storage scheme. In other words, if all your passwords are hashed with the default Salted SHA-1, OpenDJ cannot recover the clear text any more than you can, and so cannot automatically convert them to Triple DES for example.

How can I do DSML with OpenDJ?

DSML support comes in the form of a web application that you can run in an application server like Apache Tomcat or Oracle GlassFish. That web application then points to the directory service. For brief instructions on setup, see the installation guide, and then see the admin guide section on configuring DSML client access.

How do I upgrade to OpenDJ from Sun DSEE? From OpenDS? From OpenLDAP?


How do I use Sun DSEE roles with OpenDJ?


How can I use an in-memory backend? Will my data be highly available?


How do I use OpenDJ with Kerberos?

Check out the example of OpenDJ allowing users to authenticate to OpenDJ through Kerberos on CentOS. Alternatively, see this example on using OpenDJ as a principal store for Kerberos on CentOS. By the way, if you are striving for some sort of single sign on in this area, have you checked out OpenAM's Windows Desktop SSO feature?

What application should I use with OpenDJ for user management?

Check out OpenIDM (provisioning, work flows), and OpenAM (access management).

Where can I get OpenDJ packaged as a VMWare app?


How do I lock/unlock a user account in OpenDJ?

The following commands demonstrate how to disable Babs Jensen's account, and then to enable her account.

$ ./OpenDJ/bin/manage-account set-account-is-disabled --operationValue true --targetDN uid=bjensen,ou=people,dc=example,dc=com -p 4444 -h localhost -D cn=Directory\ Manager -w password
Account Is Disabled:  true
$ ./OpenDJ/bin/manage-account clear-account-is-disabled --targetDN uid=bjensen,ou=people,dc=example,dc=com -p 4444 -h localhost -D cn=Directory\ Manager -w password
Account Is Disabled:  false

How do I do partial replication with OpenDJ?

See the Admin Guide chapter on replication.

How do I replicate to a OpenDJ server outside the firewall?

Also: How do I set up a replica to be read-only?

If you are going through the firewall, you will need to open the ports used for replication (by default, 8989). To set up a replica to be read-only, check the Admin Guide chapter on replication.

How do I remove a directory server or replication server from the replication topology?

Also: What do I have to do to the replication topology if I move an instance from one host to another?

Disable replication for the server. A good way to move an instance is to set up a new server on the new host, take a backup from an existing replica, and restore the new server from the existing backup as described in the Admin Guide chapter on replication.

How can I get OpenDJ to use syslog?


How do I handle groups with OpenDJ?

Also: What's the right way to handle large groups in OpenDJ? What about referential integrity? 

Have a look at the Admin Guide chapter on groups.

How can I replicate across the firewall, ideally over port 80?

Although you could potentially have the replication service listen on port 80, replication is not an HTTP-based protocol. You can however replicate across the firewall, encrypting what goes over the wire, and making your external replica read only and perhaps fractional replicas. See the Admin Guide chapter on replication.

How do I connect to OpenDJ with JConsole?

On the OpenDJ side, this involves configuring JMX access as described in the Monitoring chapter of the Admin Guide.

How can I have OpenDJ listen on multiple ports?

Create a new Connection Handler using dsconfig for each port.

  • No labels