Read "LDAP Server Configuration" for any samples that require an LDAP server.
Run the Samples
Each sample directory in
openidm/samples/ contains a number of subdirectories, such as
script/. To start IDM with a sample configuration, navigate to the
/path/to/openidm directory and use the
-p option of the startup command to point to the sample whose configuration you want to use. Some samples require additional software, such as an external LDAP server or database.
Many of the procedures in this guide refer to paths such as
samples/sample-name. In each of these cases, the complete path is assumed to be
When you move from one sample to the next, you are changing the IDM configuration. For more information, see "Configuration Changes".
The command-line examples in the IDM documentation assume a UNIX shell. To run the samples on Windows, adjust the commands, as necessary.
Install an instance of IDM specifically to experiment with the samples and easily discard the result when you finish.
If you are using the same IDM instance for multiple samples, clear the repository between samples. To do so, shut down IDM and delete the
rm -rf /path/to/openidm/db/openidm
LDAP Server Configuration
For samples in this guide that require an LDAP server, ForgeRock recommends using ForgeRock Directory Services (DS).
The LDAP server runs on the local host.
The LDAP server listens on port 1389.
The replication port is 8989.
Servers with replication ports maintain a changelog for their own use. The changelog is exposed over LDAP under the base DN,
cn=changelog. For samples that demonstrate liveSync with an LDAP server, you must configure a replication port when you set up DS. For ease of use, all the LDAP samples assume that you have configured a replication port, even if you don't use liveSync.
A user with DN
passwordhas read access to the LDAP server.
Directory data for that server is stored under base DN
User objects for that server are stored under base DN
User objects have the object class
User objects have the following attributes:
dn: uid=bjensen,ou=People,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top givenName: Barbara uid: bjensen cn: Barbara Jensen telephoneNumber: 1-360-229-7105 sn: Jensen mail: email@example.com description: Created for OpenIDM userPassword: password
If you are using the same DS instance for multiple samples, delete the DS configuration between samples:
rm -rf /path/to/opendj/db
rm -rf /path/to/opendj/config
Samples that use an LDAP server require existing user data. The example procedure below corresponds to the
sync-with-ldap sample and imports user data (
openidm/samples/sync-with-ldap/data/Example.ldif) during DS setup. For other samples, replace the path to the sample data, as necessary.
The following procedure provides setup instructions for DS 7. For older versions of DS, or an alternative LDAP server, modify the instructions, as necessary.
Download the DS and IDM .zip archives.
Extract the .zip archives.
/path/to/opendj/setup \ --serverId evaluation-only \ --deploymentKeyPassword password \ --rootUserDN uid=admin \ --rootUserPassword password \ --hostname localhost \ --adminConnectorPort 4444 \ --ldapPort 1389 \ --enableStartTls \ --ldapsPort 1636 \ --replicationPort 8989 \ --httpPort 8090 \ --profile ds-user-data:7.0.0 \ --set ds-user-data/baseDn:dc=com \ --set ds-user-data/ldifFile:/path/to/openidm/samples/sync-with-ldap/data/Example.ldif \ --acceptLicense \ --start
Validating parameters..... Done Configuring certificates....... Done Store the following deployment key in a safe place and re-use it when configuring other servers in the topology: your-deployment-key Configuring server..... Done Configuring profile DS application data store....... Done Starting directory server.............. Done To see basic server status and configuration, you can launch /path/to/opendj/bin/status
Every DS deployment requires a deployment key and a deployment key password to secure network connections. The deployment key is a random string generated by DS software. The deployment key password is a secret string that you choose. It must be at least 8 characters long. The deployment key and password automate key pair generation and signing without storing the CA private key. For more information, see Deployment Keys in the DS Security Guide.
Import the DS CA certificate into the IDM truststore:
/path/to/opendj/bin/dskeymgr \ export-ca-cert \ --deploymentKey your-deployment-key \ --deploymentKeyPassword password \ --alias dscert \ --keyStoreFile /path/to/openidm/security/truststore \ --keyStorePasswordFile /path/to/openidm/security/storepass
Because each new deployment of DS has a unique deployment key, the same certificate does not work from one sample to the next. To handle this scenario, do one of the following:
Give each subsequent sample certificate a unique alias. For example:
Delete the old certificate from the trust store:
keytool \ -delete \ -keystore /path/to/openidm/security/truststore \ -alias dscert