
Generic Description

Changes in OpenDJ are detected through the External Change Log (ECL) mechanism, which is similar to what was known as the Retro Change Log in Sun Directory Servers. The ECL is exposed as an LDAP subtree with the base DN cn=changelog. Each change is represented as an entry in that subtree, and the entry remains there for a few days.

OpenIDM scans the cn=changelog subtree for new entries at regular intervals (in fact, the scan is done by the LDAP connector).

OpenIDM uses a dedicated user for accessing OpenDJ, uid=idm,ou=Administrators,dc=example,dc=com; it does not use the cn=directory manager superuser. Firstly, this is a best practice. Secondly, OpenIDM itself makes changes to LDAP during provisioning. We do not want to detect those changes, as that may cause loops in the business logic, so the connector filters out all changes made by this user. That is why this user should be dedicated to OpenIDM.
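To make the description above concrete, here is a small model of the polling loop the connector performs, written as an added example (it is not OpenIDM, OpenDJ or LDAP connector code). It works on constructed LDIF text standing in for two LDAP search results: the root DSE with the changeLog, firstChangeNumber and lastChangeNumber attributes named later on this page, and a handful of cn=changelog entries. The attribute name changeInitiatorsName, used here to identify who made each change, is an assumption about the ECL entry layout, and the DN comparison is a deliberate simplification. The example goes slightly beyond the page in one respect: it treats a cursor older than firstChangeNumber as a gap, since entries are purged from cn=changelog after a few days.

```python
"""Toy model of polling OpenDJ's External Change Log (added example).

Constructed input only: no LDAP server is contacted. The service account whose
own changes are filtered out is the one named on the page.
"""
import base64

IDM_USER_DN = "uid=idm,ou=Administrators,dc=example,dc=com"

# Constructed stand-in for a root DSE search returning the changelog attributes.
ROOT_DSE_LDIF = """dn:
changeLog: cn=changelog
firstChangeNumber: 101
lastChangeNumber: 104
"""

# Constructed stand-in for four cn=changelog entries. 'changeInitiatorsName' is
# an assumed attribute name for the DN that made the change. Entry 101 carries
# its modification base64-encoded ('::'), as LDIF does for multi-line values.
CHANGELOG_LDIF = """dn: changeNumber=101,cn=changelog
objectClass: changeLogEntry
changeNumber: 101
changeType: modify
targetDN: uid=jdoe,ou=People,dc=example,dc=com
changeInitiatorsName: cn=Directory Manager
changes:: cmVwbGFjZTogbWFpbAptYWlsOiBqZG9lQGV4YW1wbGUuY29tCi0K

dn: changeNumber=102,cn=changelog
objectClass: changeLogEntry
changeNumber: 102
changeType: add
targetDN: uid=asmith,ou=People,dc=example,dc=com
changeInitiatorsName: uid=idm,ou=Administrators,dc=example,dc=com

dn: changeNumber=103,cn=changelog
objectClass: changeLogEntry
changeNumber: 103
changeType: delete
targetDN: uid=old,ou=People,dc=example,dc=com
changeInitiatorsName: uid=IDM,ou=administrators,dc=example,dc=com

dn: changeNumber=104,cn=changelog
objectClass: changeLogEntry
changeNumber: 104
changeType: modify
targetDN: uid=jdoe,ou=People,dc=example,dc=com
changeInitiatorsName: uid=hr.app,ou=Administrators,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of entries, each mapping a lowercased
    attribute name to its list of values. Handles '::' base64 values and
    leading-space line folding, which is enough for changelog entries."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def changelog_window(root_dse_ldif):
    """Oldest and newest change numbers currently held in cn=changelog."""
    dse = parse_ldif(root_dse_ldif)[0]
    return int(dse["firstchangenumber"][0]), int(dse["lastchangenumber"][0])


def dn_equal(a, b):
    """Simplified DN match: case- and whitespace-insensitive per RDN. Real DN
    matching also normalizes escaping and attribute-type names."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    return norm(a) == norm(b)


def pending_changes(changelog_ldif, last_seen, skip_dn=IDM_USER_DN):
    """Changelog entries newer than last_seen, oldest first, omitting changes
    whose initiator is the IDM service account (avoids provisioning loops)."""
    out = []
    for e in parse_ldif(changelog_ldif):
        number = int(e["changenumber"][0])
        if number <= last_seen:
            continue
        initiator = e.get("changeinitiatorsname", [""])[0]
        if skip_dn and dn_equal(initiator, skip_dn):
            continue
        out.append({"changeNumber": number, "changeType": e["changetype"][0],
                    "targetDN": e["targetdn"][0], "initiator": initiator,
                    "changes": e.get("changes", [""])[0]})
    return sorted(out, key=lambda c: c["changeNumber"])


class ChangelogGap(RuntimeError):
    """The ECL no longer holds every change since our cursor."""


def poll(root_dse_ldif, changelog_ldif, last_seen, skip_dn=IDM_USER_DN):
    """One polling round: returns (changes to apply, new cursor)."""
    first, last = changelog_window(root_dse_ldif)
    # Entries only stay in cn=changelog for a few days; if the cursor predates
    # the oldest retained change, something was purged before we saw it.
    if last_seen + 1 < first:
        raise ChangelogGap(f"cursor {last_seen} predates firstChangeNumber "
                           f"{first}; a full reconciliation is needed")
    changes = pending_changes(changelog_ldif, last_seen, skip_dn)
    # Advance the cursor even when every new change was filtered out.
    return changes, max(last_seen, last)


if __name__ == "__main__":
    applied, cursor = poll(ROOT_DSE_LDIF, CHANGELOG_LDIF, last_seen=100)
    for c in applied:
        print(c["changeNumber"], c["changeType"], c["targetDN"], "by", c["initiator"])
    print("next cursor:", cursor)
```

Of the four constructed entries, 102 and 103 were made by the IDM account (103 with a differently cased DN) and are dropped, while 101 and 104 are returned; the cursor still advances to 104 so the filtered entries are never re-read.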

Setting Up OpenDJ

On Initial Installation

When installing OpenDJ, make sure to enable replication by checking the "Server part of replication topology". This will enable External Change Log (ECL, cn=changelog LDAP subtree).

On an Existing Instance

Execute the following commands (adjusting host names, ports and passwords where needed):

Creating Global Administrator in OpenDJ
./dsframework create-admin-user -X --hostname localhost --port 4444 --bindDN "cn=Directory Manager" --bindPassword secret --userID admin2 --set password:opends2
Activating replication
./dsreplication enable --host1 localhost --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 secret --trustAll --onlyReplicationServer1 --replicationPort1 8989 --baseDN dc=example,dc=com --no-prompt --adminUID admin2 --adminPassword opends2

This will also activate the ECL.

Each change to a user will then be reflected by its own entry under cn=changelog.

Import Data

Make sure that you import the example-base-only.ldif file, which contains the user uid=idm,ou=Administrators,dc=example,dc=com.

Set Up Access Control

Access to the ECL is controlled by OpenDJ global ACIs. We need to modify the ACIs to allow

Remove the default deny ACI. It would otherwise override the allow ACIs that we want to place on cn=changelog, so it needs to be removed.

TODO: Need to figure out how to deny unauthorized access here.

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X \
  -n set-access-control-handler-prop --remove global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*\")(version 3.0; acl \"External changelog access\"; deny (all) userdn=\"ldap:///anyone\";)" -n

Add an allow ACI that grants the IDM admin access to cn=changelog.

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target=\"ldap:///cn=changelog\")(targetattr=\"*||+\")(version 3.0; acl \"IDM Access to ChangeLog\"; allow (read,search,compare) userdn=\"ldap:///uid=idm,ou=Administrators,dc=example,dc=com\";)" -n

Add another allow ACI that grants the IDM admin access to the root DSE attributes changeLog, firstChangeNumber and lastChangeNumber.

dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret -X -n set-access-control-handler-prop --add global-aci:"(target=\"ldap:///\")(targetattr=\"changeLog || firstChangeNumber || lastChangeNumber\")(version 3.0; acl \"IDM Access to ChangeLog\"; allow (read,search,compare) userdn=\"ldap:///uid=idm,ou=Administrators,dc=example,dc=com\";)" -n
