Highly-Available LDAP Server in Apache Karaf


OpenDJ & High Availability

OpenDJ is a powerful LDAP server based on the popular OpenDS server.

OpenDJ supports multi-master replication, automatic failure detection and recovery. The replication setup is extensively documented and fairly simple to set up.

Apache Karaf

Apache Karaf is a customizable OSGi container with excellent support for application deployment. The default Karaf installation is very lightweight with a minimal set of libraries installed. Karaf supports ‘features’ which are groups of bundles (JAR files with OSGi headers) that collectively implement a given functionality. Features may also depend on other features.

OpenDJ on Apache Karaf

The OpenDJ distribution by ForgeRock comes either in the form of a standalone tar.gz archive or a web archive that can be deployed on a servlet container (Tomcat, Jetty).

For an OSGi application that requires an LDAP server, this adds an extra requirement to the infrastructure setup. In these cases, it would be ideal to deploy OpenDJ as just another feature of the main application in Karaf, similarly to how an ActiveMQ broker is deployed.

The opendj-osgi project on GitHub implements exactly this. It takes the existing OpenDJ package and adapts it for Karaf by adding a features.xml and a custom startup driver.

To deploy it on Karaf, download the project from GitHub, build it, launch Karaf and deploy the opendj-embedded feature:

$ git clone git://github.com/codice/opendj-osgi.git

Optionally, remove or rename the file that creates the default users at startup:

$ rm embedded/opendj-embedded-server/src/main/resources/default-users.ldif

Build and install into the local Maven repository:

$ mvn clean install

Start Karaf and deploy the opendj-embedded feature:

$ cd ${KARAF_BASE}
$ bin/karaf
karaf@root> addurl mvn:org.codice.opendj.embedded/opendj-embedded-app/1.0.1-SNAPSHOT/xml/features
karaf@root> features:install -v opendj-embedded

Apache Karaf first looks in the local Maven repository to resolve the features URL, so it will locate the features.xml and the associated bundles there.

You should now be able to connect to OpenDJ with an LDAP browser (e.g. Apache Directory Studio). The default root user is ‘cn=admin’ and its default password is ‘secret’.

Optional tasks

Download the OpenDJ distribution from http://www.forgerock.org/opendj.html to access the scripts under the bin/ directory.

Deployment in a child container

If you plan on deploying the application on the same Karaf instance, then it is recommended to run the LDAP server in a child container rather than in the same container as the application. This allows the application container to be stopped and restarted without stopping and restarting the OpenDJ server.

karaf@root> admin:clone -s 8103 -rs 44446 -r 1101 root opendj
karaf@root> admin:start opendj
karaf@root> admin:connect opendj
karaf@root> addurl mvn:org.codice.opendj.embedded/opendj-embedded-app/1.0.1-SNAPSHOT/xml/features
karaf@root> features:install -v opendj-embedded

admin:create could also have been used, but in that case any changes to the root configuration directory would also need to be copied to the new instance's configuration directory.

Administrative username & password

You may want to change the default administrator username ‘cn=admin’ to the more conventional ‘cn=Directory Manager’.

Create a file named ‘user.ldif’ with the following content:

dn: cn=Directory Manager,cn=Root DNs,cn=config
changetype: modify
replace: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=Directory Manager

Apply user.ldif on each server:

$ bin/ldapmodify -h server1 -p 1389 -D "cn=admin" -w secret -a -f user.ldif
$ bin/ldapmodify -h server2 -p 1389 -D "cn=admin" -w secret -a -f user.ldif

Set the root user password (the default ‘secret’ is the current password; replace ‘newPassword’ with the new one):

$ bin/ldappasswordmodify -h server1 -p 1389 -D "cn=Directory Manager" \
  -w secret -c secret -n newPassword
$ bin/ldappasswordmodify -h server2 -p 1389 -D "cn=Directory Manager" \
  -w secret -c secret -n newPassword

Base DN

Enable the base DN on every server by running the following command against each of them:

$ bin/dsconfig set-backend-prop --backend-name userRoot \
  --add base-dn:dc=mydomain,dc=com --hostname server1 --port 4444 \
  --bindDN "cn=Directory Manager" --bindPassword secret --trustAll \
  --noPropertiesFile --no-prompt

$ bin/dsconfig set-backend-prop --backend-name userRoot \
  --add base-dn:dc=mydomain,dc=com --hostname server2 --port 4444 \
  --bindDN "cn=Directory Manager" --bindPassword secret --trustAll \
  --noPropertiesFile --no-prompt

Create a file named ‘domain.ldif’ with the following content:

dn: dc=mydomain,dc=com
objectClass: domain
objectClass: top
dc: mydomain

Import domain.ldif on all servers:

$ bin/ldapmodify -h server1 -p 1389 -D "cn=Directory Manager" -w secret -a \
  -f domain.ldif

$ bin/ldapmodify -h server2 -p 1389 -D "cn=Directory Manager" -w secret -a \
  -f domain.ldif

Replicated setup

Assuming that OpenDJ is running in Karaf on servers ‘server1’ and ‘server2’, we need to set up and initialize the cluster.

Set up replication by running the following command on one of the servers:

$ bin/dsreplication enable --baseDN "dc=mydomain,dc=com" --adminUID admin \
  --adminPassword secret --host1 server1 --port1 4444 \
  --bindDN1 "cn=Directory Manager" --bindPassword1 secret \
  --replicationPort1 8989 --host2 server2 --port2 4444 \
  --bindDN2 "cn=Directory Manager" --bindPassword2 secret \
  --replicationPort2 8989 --trustAll --no-prompt

The command creates a common replication administrator (UID ‘admin’) on both servers and opens replication port 8989 on both.

Initialize the replicated servers from server1:

$ bin/dsreplication initialize-all --baseDN dc=mydomain,dc=com \
  --adminUID admin --adminPassword secret --hostname server1 \
  --port 4444 --trustAll --no-prompt
