Directory Services 7.4.3

Install DS for use with DS proxy

  1. Before proceeding, install the server files.
    For details, refer to Unpack files.

  2. Run the setup command with the --profile ds-proxied-server option.

    The example shows the profile used with the evaluation profile. Add this profile to the list so proxy servers can access other profiles' data:

    $ /path/to/opendj/setup \
     --deploymentId $DEPLOYMENT_ID \
     --deploymentIdPassword password \
     --rootUserDN uid=admin \
     --rootUserPassword str0ngAdm1nPa55word \
     --monitorUserPassword str0ngMon1torPa55word \
     --hostname ds.example.com \
     --adminConnectorPort 4444 \
     --ldapPort 1389 \
     --enableStartTls \
     --ldapsPort 1636 \
     --httpsPort 8443 \
     --replicationPort 8989 \
     --bootstrapReplicationServer rs1.example.com:8989 \
     --bootstrapReplicationServer rs2.example.com:8989 \
     --profile ds-evaluation \
     --profile ds-proxied-server \
     --set ds-proxied-server/baseDn:dc=example,dc=com \
     --acceptLicense
    • The deployment ID for installing the server is stored in the environment variable DEPLOYMENT_ID. Install all servers in the same deployment with the same deployment ID and deployment ID password. For details, read Deployment IDs.

    • The account the DS proxy can use to connect to DS replicas has:

      • Bind DN: The DN from the --set ds-proxied-server/proxyUserDn option.

        Default: uid=proxy.

      • Certificate subject DN: The DN from the --set ds-proxied-server/proxyUserCertificateSubjectDn option.

        Default: CN=DS, O=ForgeRock.com.

      • Access to use proxied authorization in the base DNs specified by the multivalued --set ds-proxied-server/baseDn option.

        If you do not specify any values for ds-proxied-server/baseDn, the proxy user can perform operations with any account as authorization identity. This includes administrator accounts.

        To understand what this means, read Proxied authorization.

    • The DS proxy server binds using certificate-based authentication with the SASL EXTERNAL mechanism.

      Make sure that the DS replicas' truststores lets them trust the proxy’s certificate.

    • The DS proxy server uses proxied authorization to perform operations on the DS replicas.

      The authorization identity for the operations must have appropriate access to the data on the DS replicas.

    For the full list of profiles and parameters, refer to Default setup profiles.

  3. Finish configuring the server before you start it.

    For a list of optional steps at this stage, refer to Install DS for custom cases.

  4. Start the server:

    $ /path/to/opendj/bin/start-ds