Embedded LDAP Configuration
Description
The Embedded LDAP application contains an LDAP server (OpenDJ version 2.4.6) that has a default set of schemas and users loaded to help facilitate authentication and authorization testing.
Default Settings
Ports
Protocol | Default Port |
---|---|
LDAP | 1389 |
LDAPS | 1636 |
StartTLS | 1389 |
Users
LDAP Users
Username | Password | Groups | Description |
---|---|---|---|
testuser1 | password1 | | General test user for authentication |
testuser2 | password2 | | General test user for authentication |
nromanova | password1 | avengers | General test user for authentication |
lcage | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
jhowlett | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
pparker | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
jdrew | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
tstark | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
bbanner | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
srogers | password1 | admin, avengers | General test user for authentication, Admin user for karaf |
admin | admin | admin | Admin user for karaf |
LDAP Admin
Username | Password | Groups | Attributes | Description |
---|---|---|---|---|
admin | secret | | | Administrative User for LDAP |
Schemas
The default schemas loaded into the LDAP instance are the same defaults that come with OpenDJ.
Schema File Name | Schema Description (http://opendj.forgerock.org/doc/admin-guide/index/chap-schema.html) |
---|---|
00-core.ldif | This file contains a core set of attribute type and objectclass definitions from several standard LDAP documents, including draft-ietf-boreham-numsubordinates, draft-findlay-ldap-groupofentries, draft-furuseth-ldap-untypedobject, draft-good-ldap-changelog, draft-ietf-ldup-subentry, draft-wahl-ldap-adminaddr, RFC 1274, RFC 2079, RFC 2256, RFC 2798, RFC 3045, RFC 3296, RFC 3671, RFC 3672, RFC 4512, RFC 4519, RFC 4523, RFC 4524, RFC 4530, RFC 5020, and X.501. |
01-pwpolicy.ldif | This file contains schema definitions from draft-behera-ldap-password-policy, which defines a mechanism for storing password policy information in an LDAP directory server. |
02-config.ldif | This file contains the attribute type and objectclass definitions for use with the directory server configuration. |
03-changelog.ldif | This file contains schema definitions from draft-good-ldap-changelog, which defines a mechanism for storing information about changes to directory server data. |
03-rfc2713.ldif | This file contains schema definitions from RFC 2713, which defines a mechanism for storing serialized Java objects in the directory server. |
03-rfc2714.ldif | This file contains schema definitions from RFC 2714, which defines a mechanism for storing CORBA objects in the directory server. |
03-rfc2739.ldif | This file contains schema definitions from RFC 2739, which defines a mechanism for storing calendar and vCard objects in the directory server. Note that the definition in RFC 2739 contains a number of errors, and this schema file has been altered from the standard definition in order to fix a number of those problems. |
03-rfc2926.ldif | This file contains schema definitions from RFC 2926, which defines a mechanism for mapping between Service Location Protocol (SLP) advertisements and LDAP. |
03-rfc3112.ldif | This file contains schema definitions from RFC 3112, which defines the authentication password schema. |
03-rfc3712.ldif | This file contains schema definitions from RFC 3712, which defines a mechanism for storing printer information in the directory server. |
03-uddiv3.ldif | This file contains schema definitions from RFC 4403, which defines a mechanism for storing UDDIv3 information in the directory server. |
04-rfc2307bis.ldif | This file contains schema definitions from the draft-howard-rfc2307bis specification, used to store naming service information in the directory server. |
05-rfc4876.ldif | This file contains schema definitions from RFC 4876, which defines a schema for storing Directory User Agent (DUA) profiles and preferences in the directory server. |
05-samba.ldif | This file contains schema definitions required when storing Samba user accounts in the directory server. |
05-solaris.ldif | This file contains schema definitions required for Solaris and OpenSolaris LDAP naming services. |
06-compat.ldif | This file contains the attribute type and objectclass definitions for use with the directory server configuration. |
Configuration
Starting / Stopping
The embedded LDAP application installs a feature named ldap-embedded. Installing and uninstalling this feature starts and stops the embedded LDAP server, and each install creates a fresh instance of the server. If changes need to persist, stop and start the embedded-ldap-opendj bundle instead of uninstalling and reinstalling the feature.
All settings, configurations, and changes made to the embedded LDAP instance are persisted across DDF restarts. If DDF is stopped while the LDAP feature is installed and started, the feature automatically restarts with the saved settings on the next DDF start.
Settings
The configuration options are located on the standard DDF configuration web console under the title LDAP Server. It currently contains three configuration options.
Configuration Name | Description |
---|---|
LDAP Port | Sets the port for LDAP (plaintext and StartTLS). 0 will disable the port. |
LDAPS Port | Sets the port for LDAPS. 0 will disable the port. |
Base LDIF File | Location on the server of an LDIF file. This file is loaded into the LDAP server and overwrites any existing entries. Use this option when replacing the default groups/users with a new LDIF file for testing. The LDIF file may contain any LDAP entries (schemas, users, groups, etc.). If the location is left blank, the default base LDIF file shipped with DDF is used. |
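Because a custom Base LDIF File replaces every existing entry, and because the default users above all share a handful of well-known test passwords, it is worth auditing a replacement file before pointing the server at it. The following is an added example written for this page, not code from DDF or OpenDJ: a minimal RFC 2849 LDIF reader (line folding, comments, `attr:: base64` values, multi-valued attributes) followed by two checks, which entries still carry a default test password from the tables above or store `userPassword` in cleartext, and which users are members of the admin group (and therefore become karaf admins). The DN layout (`ou=users` and `ou=groups` under `dc=example,dc=com`), the use of `groupOfNames`/`member` for groups, and the sample entries are assumptions constructed for the example, not taken from DDF's default-users.ldif.

```python
"""Pre-load audit for a custom Base LDIF File (added example, not DDF/OpenDJ code).

Parses an LDIF string with a minimal RFC 2849 reader and reports entries that
still use one of the page's default test passwords or a cleartext userPassword,
plus the members of the admin group. DN layout and group object class are
assumptions; adapt them to your own LDIF.
"""
import base64
from collections import defaultdict

# Default test passwords listed in the tables on this page.
DEFAULT_TEST_PASSWORDS = {"password1", "password2", "admin", "secret"}

# Hashed-looking value for the sample below; not a real credential.
_HASHED = base64.b64encode(b"{SSHA}notarealhash").decode()

# Constructed sample LDIF (not DDF's default-users.ldif): one folded line,
# one base64 value, one cleartext password, one default password, one group.
SAMPLE_LDIF = f"""\
version: 1
# constructed test users and an admin group
dn: uid=tstark,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: tstark
cn: Tony Stark
description: General test user for authentication,
  Admin user for karaf
userPassword: password1

dn: uid=srogers,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: srogers
cn: Steve Rogers
userPassword:: {_HASHED}

dn: uid=testuser1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: testuser1
userPassword: s3cret-but-cleartext

dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admin
member: uid=tstark,ou=users,dc=example,dc=com
member: uid=srogers,ou=users,dc=example,dc=com
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lower-cased attribute name -> [values]."""
    # Unfold: a line beginning with a single space continues the previous line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            if current is not None:
                raise ValueError(f"dn without separating blank line: {value!r}")
            current = (value, defaultdict(list))
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current[1][name.lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_passwords(entries):
    """Flag userPassword values that are page defaults or lack a {SCHEME} prefix."""
    findings = []
    for dn, attrs in entries:
        for pw in attrs.get("userpassword", []):
            if pw in DEFAULT_TEST_PASSWORDS:
                findings.append((dn, "default test password"))
            elif not pw.startswith("{"):
                findings.append((dn, "cleartext password"))
    return findings


def group_members(entries, group_cn):
    """Return the RDN values (e.g. uid) of members of the named groupOfNames entry."""
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if group_cn in attrs.get("cn", []) and "groupofnames" in classes:
            return [m.split(",")[0].split("=", 1)[1] for m in attrs.get("member", [])]
    return []


def audit_ldif(text):
    """Run both checks over an LDIF string and return a report dict."""
    entries = parse_ldif(text)
    return {
        "entries": len(entries),
        "password_findings": audit_passwords(entries),
        "admin_members": group_members(entries, "admin"),
    }


if __name__ == "__main__":
    for key, val in audit_ldif(SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

To audit a real file, read it into a string and pass it to `audit_ldif`; any finding of "default test password" or "cleartext password" on an entry you intend to keep is a reason to fix the file before it overwrites the server's entries.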
Limitations
Current limitations for the embedded LDAP instances include:
- Inability to store the LDAP files / storage outside of the DDF installation directory. As a result, any LDAP data (e.g. LDAP user information) is lost when the ldap-embedded feature is uninstalled.
- Cannot be run standalone from DDF. In order to run embedded-ldap, the DDF must be started.
Windows Workaround
The embedded LDAP server can sometimes fail to work properly on Windows. This is caused by a directory/file permissions issue.
To fix it, either:
- Log in to Windows as the admin user
Or, if the DDF has to be run from a specific user account:
- Start DDF normally
- Attempt to start LDAP feature (it should fail)
- Stop DDF and change permissions on the entire DDF directory to allow the user to have full permissions.
- Restart DDF, LDAP feature should be started.
- Edit the LDAP configuration with a path to an LDIF file; the original one is ignored.
- LDAP should now work properly
External Links
Location to the default base LDIF file in the DDF source code: https://github.com/codice/ddf/blob/master/ldap/embedded/ldap-embedded-opendj/src/main/resources/default-users.ldif
OpenDJ Documentation: http://opendj.forgerock.org/docs.html