# Install DS

### Tip

DS software has no GUI. Instead, DS software is bundled with command-line tools.

Because LDAP is standard, you can use third-party GUI tools to view and edit directory data. For a short list, see "Try Third-Party Tools".

To get started:

Prepare For Installation
1. To evaluate DS software, make sure you have 10 GB free disk space for the software and for sample data.

2. Verify that you have a supported Java version installed on your local computer:

Supported Java Versions
VendorVersions

OpenJDK, including OpenJDK-based distributions:

• Amazon Corretto

• Azul Zulu

• Red Hat OpenJDK

11

Oracle Java

11

3. If you plan to run the Bash-based REST API examples, make sure the curl command is available.

For details, see https://curl.haxx.se.

Directory Services software is free to download, evaluate, and use in development:

1. If you do not have an account on ForgeRock BackStage, https://backstage.forgerock.com, sign up for one.

Install a Directory Server
1. Unzip the .zip file into the file system directory where you want to install the server.

Unzipping the .zip file creates a top-level opendj directory in the directory where you unzipped the file. On Windows systems if you unzip the file with Right-Click > Extract All, remove the trailing opendj-7.0.2 directory from the folder you specify.

The documentation shows the installation file system directory as /path/to/opendj.

For example:

$unzip ~/Downloads/DS-7.0.0.zip -d /path/to PS C:\path\to> Expand-Archive DS-7.0.0.zip C:\path\to % unzip ~/Downloads/DS-7.0.0.zip -d /path/to 2. Use the setup command to set up a server with the ds-evaluation profile. The evaluation profile includes Example.com sample data, more lenient access control, and some other features. The following example runs the command non-interactively. Use the same settings shown here to be able to copy and paste the commands shown in this guide: $ /path/to/opendj/setup \
--serverId first-ds \
--hostname localhost \
--ldapPort 1389 \
--ldapsPort 1636 \
--httpsPort 8443 \
--replicationPort 8989 \
--profile ds-evaluation \
--start \
--acceptLicense
Validating parameters..... Done
Configuring certificates..... Done

Store the following deployment key in a safe place and re-use it when
configuring other servers in the topology:

<deployment-key>

Configuring server... Done
Configuring profile DS evaluation..................... Done
Starting directory server............... Done

To see basic server status and configuration, you can launch
/path/to/opendj/bin/status
PS C:\path\to> C:\path\to\opendj\setup 
--serverId first-ds
--deploymentKeyPassword password 
--rootUserPassword password 
--hostname localhost 
--ldapPort 1389
--ldapsPort 1636 
--httpsPort 8443
--adminConnectorPort 4444 
--replicationPort 8989
--profile ds-evaluation 
--start
--acceptLicense
% /path/to/opendj/setup \
--serverId first-ds \
--hostname localhost \
--ldapPort 1389 \
--ldapsPort 1636 \
--httpsPort 8443 \
--replicationPort 8989 \
--profile ds-evaluation \
--start \
--acceptLicense

Save the generated <deployment-key>. You will use this key later when setting up a second server for replication.

The setup command shown here has the following options:

--rootUserDn uid=admin, --rootUserPassword password

These options set the credentials for the directory superuser. This user has privileges to perform any and all administrative operations, and is not subject to access control. It is called the root user due to the similarity to the UNIX root user.

The root user distinguished name (DN) identifies the directory superuser. In LDAP, a DN is the fully qualified name for a directory entry. The name used here is the default name: uid=admin.

--monitorUserPassword password

The monitor user has the privilege to read monitoring data. No --monitorUserDn option is set, so the DN defaults to uid=Monitor.

--hostname localhost

The server uses the fully qualified domain name for identification between replicated servers.

Using localhost is a shortcut suitable only for evaluation on your local computer. In production, set this to the fully qualified domain name, such as ds.example.com.

--ldapPort 1389

The reserved port for LDAP is 389. Connections to this port can be secured with StartTLS, but are not secure by default.

Examples in the documentation use 1389, which is accessible to non-privileged users.

--ldapsPort 1636

The reserved port for LDAPS is 636. Connections to this port are secured with TLS.

Examples in the documentation use 1636, which is accessible to non-privileged users.

--httpsPort 8443

The reserved port for HTTPS is 443.

HTTP client applications access directory data and monitoring information on this port.

Examples in the documentation use 8443, which is accessible to non-privileged users.

--adminConnectorPort 4444

This is the service port used to configure the server and to run tasks. Connections to this port are secured with TLS.

The port used in the documentation is 4444, which is the initial port suggested during interactive setup.

--replicationPort 8989

This is the service port used for replication messages.

The port used in the documentation is 8989, which is the initial port suggested during interactive setup.

--profile ds-evaluation

The setup profile adds hard-coded entries for users like Babs Jensen, and groups like Directory Administrators. It also generates 100,000 sample LDAP user entries. All generated users have the same password, literally password. The generated user accounts are helpful for performance testing.

All entries are added under the base DN dc=example,dc=com. A base DN is the suffix shared by all DNs in a set of directory data.

LDAP entries are arranged hierarchically in the directory. The hierarchical organization resembles a file system on a PC or a web server, often visualized as an upside down tree structure, or a pyramid. In the same way a full path uniquely identifies each file or folder in a file system, a DN uniquely identifies each LDAP entry.

Each DN consists of components separated by commas, such as uid=bjensen,ou=People,dc=example,dc=com. The base DN matches the final components of each DN in that branch of the directory. A DN's components reflect the hierarchy of directory entries. The user entry with DN uid=bjensen,ou=People,dc=example,dc=com is said to be under the organizational unit entry ou=People,dc=example,dc=com, which in turn is under dc=example,dc=com.

Basic components have the form attribute-name=attribute-value, such as dc=com. In the example dc=com, the attribute dc (DNS domain component) has the value com. The DN dc=example,dc=com reflects the DNs domain name example.com.

--start

By default, the setup command does not start the server. This lets you complete any necessary configuration steps before starting the server for the first time, which may initiate the replication process.

In this case, you have no further configuration to do. This option causes the server to start immediately.

--acceptLicense

Remove this option to read the license and then accept it interactively.

Alternatively, you can run the setup command interactively by starting it without options.

3. Add the DS tools to your PATH to avoid having to specify the full path for each command:

$export PATH=/path/to/opendj/bin:${PATH}
PS C:\path\to> $env:PATH += ";C:\path\to\opendj\bat" % export PATH=/path/to/opendj/bin:${PATH}
4. Run the status command:

\$ status \
--hostname localhost \
--port 4444 \
--usePkcs12TrustStore /path/to/opendj/config/keystore \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin
PS C:\path\to> status 
--bindPassword password 
--hostname localhost
--port 4444 
--usePkcs12TrustStore C:\path\to\opendj\config\keystore
--trustStorePasswordFile C:\path\to\opendj\config\keystore.pin
% status \
--trustStorePasswordFile /path/to/opendj/config/keystore.pin