– All urls that hit OpenIG, containing a string ‘openam’ getting redirected to OpenAM URL
– All urls that hit OpenIG, that does not contain the string ‘openam’ getting redirected to:
OpenAM for Authentication if there is no valid User session and then on to OpenIDM UI
2. OpenIDM UI if there is a valid User sessionOpenIDM UI
The short video log that follows was prepared to answer a question raised in the Forum on the ForgeRock Community Website. It’s an easy one on how to configure two separate BaseDNs of single ForgeRock OpenDJ instance as Identity Repository for two separate Realms in ForgeRock OpenAM.
– How do we set a Minimum/Maximum Password length in ForgeRock OpenDJ?
– How do we impose the Users to use certain Special characters in their OpenDJ password?
– How do we have the Users use a alphanumberic string as their OpenDJ password?
– How do we create a Custom Password Validator (one that validates a Password against certain rules as the ones above)?
Well if these questions bother you, just like it happened to a friend of mine a day ago, the following video might help get some answers:
If you’re in a hurry to know what each of the ForgeRock Identity Platform Components is meant to do, try the Full Stack Configuration. In just over fifteen minutes, you’ll see:
– Installation of ForgeRock OpenDJ
– Deployment of ForgeRock OpenAM
– Configuration of OpenDJ as an Identity Repository in ForgeRock OpenAM
– Installation of ForgeRock OpenIDM
– Configuring OpenDJ as External Resource in OpenIDM
– Running a reconciliation in OpenIDM from OpenDJ
– Provisioning a User from OpenIDM to OpenDJ
– Using OpenAM as the Authentication Module for OpenIDM
With a much awaited weekend around the corner, I couldn’t really get over the laziness to create a better illustration than the one below to help visualize what’s mentioned above.
If you’re in possession of a Smart Phone that runs either the Apple iOS or Android, you may probably be interested to know that the ForgeRock’s newer version of its Access Management solution now has an Authenticator App for you. Once installed and the device registered with ForgeRock OpenAM 13, one could use this Mobile App to generate One Time Password to validate his/her identity and thereby gain access to resources protected by the OpenAM. Needless to add, the ForgeRock Authenticator Mobile App is available on Apple iTunes Store for the iOS users and the Google Playstore for the Android fans.
Once installed, you’ll see on your phone something close to what is in the picture below:
Here’s what I did with my copy of ForgeRock Authenticator App on my iPhone:
– Configured an Authentication Chain ‘myAuthChain’ in my OpenAM 13 instance
– The said chain consisted of two Authentication Modules namely DataStore & ForgeRock Authenticator (OATH)
– When a subject authenticates against the ‘myAuthChain’ Authentication Chain in OpenAM, he/she is prompted for the DataStore credentials (an embedded OpenDJ instance), which on success is followed by another prompt where the user can register his/her device (using QR Code), generate an OTP that can be used to gain access to the resources protected by OpenAM.
If you are interested to see all of this in action, please spare five minutes to watch the video below.
ForgeRock OpenIDM, the Identity Management solution from ForgeRock offers nice and easy way to perform most of the common scenarios one can think of in the Identity Management domain. Once such commonly occurring situations is to link an account of a User in IDM with his/her Multiple accounts in a resource such as LDAP Server like ForgeRock OpenDJ. Let’s try to understand how that’s achieved in OpenIDM using the illustration below:
As you can make out, OpenIDM is connected to an OpenDJ instance. You could also see two OpenIDM Roles defined namely ‘Agent’ and ‘Insurer’. Each of the Role is attached to a Managed Assignment. And the Managed Assignment in turn has Attributes and Link Qualifiers. The Attribute refers to a User Attribute in OpenDJ with a corresponding value (say cn=Chat Users, ou=Groups,dc=example,dc=com) and Link Qualifier is used to construct a DN (say uid=bjensen,ou=Customers,dc=example,dc=com).
So a Role that has the Managed Assignments with the said Attributes and Link Qualifier would (i) be a member of ‘cn=Chat Users, ou=Groups,dc=example,dc=com‘ and will belong to a branch that’s determined by the DN uid=bjensen,ou=Customers,dc=example,dc=com. Clearly, multiple OpenIDM Role assignments to a single OpenIDM User will link that User’s account with multiple DNs in the OpenDJ instance. Please note that the LDAP group is omitted from the illustration above for brevity. The following equation might give us a rough translation of the above statements:
OpenIDM User (bjensen) <---- OpenIDM Role (Insurer) <---- Managed Assignment (cn=Chat Users,ou=Groups,dc=example,dc=com Attribute && dn: uid=?,ou=Customers,dc=example,dc=comLink Qualifier) ===> bjensen user in the ou=Customers branch of OpenDJ instance DIT (uid=bjensen, ou=Customers,dc=example,dc=com) and the user’s subscription to a LDAP Group cn=Chat Users, ou=Groups,dc=example,dc=com)
Not clear? Have a screen-cast for you. Please take a look and see if it gives you a clearer picture.
For those interested to know how to configure Roles in ForgeRock OpenIDM, here’s my Christmas gift. A video at the end of this post will walk you through the installation of both ForgeRock OpenIDM and ForgeRock OpenDJ, configure the latter as an external resource in OpenIDM, performing reconciliation to bring in users from OpenDJ to OpenIDM. That’s not it, because all of that I’ve shown you earlier as well. Then, what’s more? Here it is:
So we go on and create Roles in OpenIDM, which has Managed Assignments that in turn has Attributes associated with an external resource (ForgeRock OpenDJ). So when a Role is assigned to a user in OpenIDM, based on the value of Attribute that is attached to the Role, the user will be subscribed to a group in the OpenDJ. If it sounds confusing,please don’t waste time reading it again, instead watch the video below, it’ll all be crystal clear.
It’s not for no reason that I picked up ‘Whistling Down the Road’ by Silent Partner (Courtesy: Google YouTube Audio Library) as the audio background for the screen-cast embedded on this blog post. The installation of ForgeRock OpenIDM 4 is one such experience, as in like just whistling away down the road! See it to believe it and don’t forget to try it.
I’ve done a similar screen-cast before, but that’s using OpenIDM 3.x. Be wary of the fact that the software used in this screen-cast is not yet read for Production. But now that the ForgeRock Management have given us this clue on the road ahead for the ForgeRock Products, it makes sense to start exploring it (if not already done).
So in the video below, you’ll see the lightning fast installation of both OpenIDM and OpenDJ and configuration of OpenDJ as an External Resource for OpenIDM.
In a couple of blog posts published in the recent past, One on ForgeRock OpenAM and another on ForgeRock OpenIDM, we had a look at configuring E-mail Services in the aforesaid Products. And it’ll be grossly unfair, if we don’t touch upon the same topic in ForgeRock’s Directory Services solution: OpenDJ
This post picks up from where we left last time and takes the next step to demonstrate Subentry Based Password Policy in ForgeRock OpenDJ. I owe a great detail of gratitude to the ForgeRock documentation team for this neat write up on OpenDJ Password Policy as well to Ludovic Poitou for his blog post. So in under 5 minutes time, we take our discussion on OpenDJ Password Policy to conclusion.
Someone asked me if I could do a video on ForgeRock OpenDJ Password Policy. Though it took me a while to get over my laziness to do one, finally I’ve the first of two part video that demonstrates the Password Policy in OpenDJ. In the first part that’s embedded below, we get to know about the System based Password Policy in OpenDJ and how to make changes to it. OpenDJ installation is covered very quickly, so if you aren’t too comfortable with the OpenDJ installation or the basic LDAP commands for that matter, I humbly suggest you take a quick look here first.
This post in inspired by Ludovic Poitou’s reply to a thread in the ForgeRock OpenDJ Forum around DSEE to ForgeRock OpenDJ migration. Consider this to be just a hint, and not an answer. In a video log that’s embedded just below this write up, you’ll see some clues on a couple of different methods that you could consider to move away from a product that’s now in sustaining stage to ForgeRock’s Directory Services Solution. I don’t need to mention here how important a task it is to carefully draft a plan for migration from one product to another, and I’m sure you’ll not take this video log as the only reference while doing so.
So if you’ve half an hour to spare, you’ll see in the video: Act 1:
– A ‘Flash Back’ on DSEE installation and configuration
– Exporting the data from the DSEE instance
– Installation & Configuration of ForgeRock OpenDJ
– Importing the DSEE instance backup to ForgeRock OpenDJ Act 2:
– Installation of ForgeRock OpenIDM
– Configuration of External LDAP Server (DSEE instance) as a Managed Resource in ForgeRock OpenIDM (using samples)
– Configuration of OpenDJ instance as a Managed Resource in ForgeRock OpenIDM (using the UI)
– Reconciliation between the DSEE instance (source) and OpenDJ instance (target)
If this was a book, what we have here is a prologue. Just as you don’t expect the prologue to throw a full story at you, so does this web log unveil absolutely no details around Certification in ForgeRock OpenIDM. What it does though is to setup a ‘plot’ for a possible video demonstration on Certification facility in ForgeRock’s Identity Management Solution. And that’s coming soon…
So in the video log, that’s actually a visual representation of the brilliant ForgeRock Documentation on OpenIDM, you’ll see:
– Installation of ForgeRock OpenDJ
– Configuration of OpenDJ as an external resource managed by OpenIDM (using sample files)
– Performing the initial reconciliation using REST to load users from OpenDJ to OpenIDM
Soon we’ll put all those users in action for Certification in OpenIDM. For now, just as you’d skim through the prologue of a book, take a quick look at the ~5 minute video
I’m a big fan of Brendan Gregg. The DTrace Book that he co-authored with Jim Mauro stands one of the best I’ve read in Computer Science. While I continue to take my baby steps in DTrace, I thought I’d share with you my video log on attempting to explore ForgeRock OpenDJ using the pid provider in DTrace. Brendan Gregg has published a number of blogs around the pid provider, all of which is accessible from his consolidated blog entry here. OTN has very generously published one chapter from the DTrace Book that talks of using DTrace on Applications, in which the pid provider and its use is detailed.
And with the source code of all ForgeRock Products accessible to the public for study, DTrace might just be the tool that you may want to get your hands on for some fun.
In my earlier blog post titled Extending the ForgeRock OpenDJ Schema there was an embedded screen-cast that demonstrated how a new attribute could be added to the user profile in OpenDJ. We take one step further in this section to modify at Service in ForgeRock OpenAM to display that attribute in OpenAM Console. So if you’ve watched or if you know how to extend the OpenDJ schema to add a new user attribute, the following video log will tell you what you need to do on OpenAM to display it in the console.
I had made a promise in my earlier post. This one is intended to fulfill it. One of the common requirements of any Directory Services solution is to extend the attributes that it supports. In the following video log that has a running time of just over a dozen minutes, you’ll see how to add a new attribute to the OpenDJ instance.
You will find an entry on my blogs that talked about the installation of Linux Container and further demonstrated ForgeRock OpenDJ installation and configuration in it. In the last several days, though I posted some contents on OpenDJ, I never introduced my kind readers to the Administration GUI that the OpenDJ product comes with. That was mainly because I was struggling to get the GUI from a Linux Container. This morning I was determined more than ever before to get over this roadblock, and, boy, did manage to figure out, perhaps, one among the many ways of doing it. In the following screen-cast, you’ll see me installing VNC Server on my Linux Container (Ubuntu 14.04.2 LTS) that has OpenDJ in it and then use a VNC client from the Host OS (Ubuntu 14.10) to access the OpenDJ Control Panel, a very convenient tool to browse the OpenDJ Directory data. Very soon, you’ll see me using OpenDJ control panel for a serious reason. Thank you for your patience.
This is a sequel to my earlier blog update on ForgeRock OpenDJ Replication and is largely inspired by a question raised in the ForgeRock Community Website. So if you are not very familiar with the steps involved in configuring OpenDJ Replication, I suggest you read/watch it before watching the embedded video below:
One-liner about the infrastructure used: two Linux Containers, each running an instance of ForgeRock OpenDJ is already replicating the OpenDJ data, but the replication traffic is not secure. In the video demonstration that follows, we’ll tighten the security a bit by encrypting the replication traffic as well as monitor the same using wireshark running on the host OS. Well, the diagram below indicates the end state of our screen-cast:
The following video log is a very light one, partly because I haven’t done a video on REST interface around OpenIDM, but have done similiar ones for both OpenDJ and OpenAM, and partly because I’m feeling too sleepy to do a screen-cast on tougher topics. Talking of REST, in case if you haven’t seen my earlier reference to a neat and curt introduction to ForgeRock Common REST API, read it here.
Again, for those who are not familiar with REST calls to OpenIDM, the embedded video below might just give an idea of how to create a user and fetch a user profile in OpenIDM using REST.
I’ll keep this one short. Below you’ll find a screen-cast on ForgeRock OpenDJ backup and restoration commands. A detailed documentation on backup and restoration in OpenDJ can be found at ForgeRock documentation site.
Other blog entries (video logs) related to OpenDJ are appended below:
In an earlier blog update we saw how we could interact with ForgeRock OpenAM using REST. In this episode, we’ll look at the RESTful Operations on ForgeRock’s Directory Services solution OpenDJ. If you’re like me, you would have probably used commands like ‘ldapsearch’, ‘ldapmodify’ to operate on the Directory Server data, but may not have tried alternate ways of interacting with the product. In the screen-cast below, let’s explore how REST calls can be made instead of LDAP on to an OpenDJ instance to perform some of basic Directory Services operation. For a detailed study on the topic, I’d always recommend ForgeRock documentation on the topic.
I’ve tried my level best to keep this post as complete in itself as possible to be able to go through without having to read/watch any of my earlier posts/video logs. So while it is not strictly required to read/watch my earlier posts/video logs on this blog to go through this one, at least to understand the infrastructure used, it’s desired that you take a look at a couple of my earlier posts on OpenAM and OpenDJ at the links below:
I’ve already posted an entry on ForgeRock OpenDJ Installation in a Linux Container. If interested, you can read/watch it here. If you are already familiar with OpenDJ installation as a stand alone Directory Server instance and would like to know the very simple steps involved in setting up data replication, the following video log might be useful for you. The screen-cast below uses two OpenDJ instances running on two different Linux Containers to set up data replication. A great deal of information required for performing this demo was fetched from Ludo’s Sketches. ForgeRock Documentation that talks of OpenDJ Data Replication can be found here.
This post picks up from an earlier one and maybe it makes sense to have look at that first before going through this one. So now that we have ForgeRock OpenIDM running inside a Linux Container, in the video log embedded below, we integrate it with ForgeRock OpenDJ. We’ll then use OpenIDM to provision users on to the OpenDJ. Here’s a summary of what you get to see in the video:
– A quick look at the existing installation of ForgeRock OpenIDM and ForgeRock OpenDJ
– Configuring OpenIDM with LDAP connector during startup using available sample files
– Reconciliation of identifies from ForgeRock OpenDJ to ForgeRock OpenIDM
– Provisioning users from ForgeRock OpenIDM to ForgeRock OpenDJ
So after I bid farewell to over a decade long teaching profession, I’ve now joined the band @ ForgeRock. Feels at home, as I now find myself amongst some familiar folks, doing activities on popular open source products on Identity Management that has always been so dear to me.
Without any further ado, let me do my bit to introduce the ForgeRock products to you. To start with, I’ll help you setup ForgeRock’s directory service solution ‘OpenDJ’. Because I’ve a plan to show you the entire ForgeRock product portfolio over the next few weeks, I’ve setup the OpenDJ component in an OS virtualization solution. I’ve my own OS preferences, but for the sake of demonstration, I’ve decided to use the freely available Ubuntu OS. And in Ubuntu, we will create Linux Containers (a.k.a LXC), light weight OS virtualization solution. Over the next few weeks, we’ll have one container for each of the ForgeRock product.
Rather than writing a lengthy essay on the steps to create/configure Linux containers (LXC) and then install/configure ForgeRock’s OpenDJ, I’ve decided to publish my video logs here, which I think might turn out to be more convenient for you sit back and watch.
So here’s what I’ve done:
– Installed Ubuntu 14.04 LTS on a VirtualBox. [Video 00]
– Performed Package updates post installation.[Video 01]
– Installed the packages required for creating LXC.[Video 01]
– Installed the LXC Web Console package (to access LXC using BUI). [Video 01]
– Upgraded the host OS from 14.04 to 14.10 [not shown in the video]
– Cloned the LXC to create a new Linux Container for installing ForgeRock’s OpenDJ. [Video 02]
– Downloaded the OpenDJ software. [Video 02]
– Installed / Configured OpenDJ in a Linux Container [Video 02]
In case you are familiar with the Linux and Linux Container installation, feel free to skip the video 00 and video 01. Please also note that video recording was paused during the lengthy package installation procedure, which otherwise would have put you to sleep.
Video 00
Video 01
Video 02
For a detailed introduction on OpenDJ, watch this video
