Help Needed to Setup REST API for Identity Management in OpenDJ

Hello,

I have configured OpenDJ in Docker and have successfully set up the LDAP server using the following command:

docker exec -it opendj-server-ui /opt/opendj/setup \
  --cli \
  --baseDN "dc=example,dc=com" \
  --addBaseEntry \
  --ldapPort 389 \
  --adminConnectorPort 5444 \
  --rootUserDN "cn=Directory Manager" \
  --rootUserPassword secret \
  --enableStartTLS \
  --acceptLicense

I am able to create identities using LDAP with the following command:

ldapmodify -H ldap://opendj.intbrains.com:389 -D "cn=Directory Manager" -w secret -a <<EOF
dn: uid=anees6,ou=people,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Anees6
sn: User6
uid: anees6
mail: anees6@example.com
userPassword: password123
EOF

The identities are created successfully, and I can list them without any issues.

However, I am having trouble setting up the corresponding REST API for identity management. I have enabled the HTTP connection handler with the following command:

sudo docker exec -it opendj-server-ui /opt/opendj/bin/dsconfig set-connection-handler-prop \
--handler-name "HTTP Connection Handler" \
--set enabled:true \
--hostname localhost \
--port 5444 \
--bindDN "cn=Directory Manager" \
--bindPassword "secret" \
--trustAll

When I try to create an identity using the REST API with the following curl command, it fails:

curl -X POST \
  -H "Content-Type: application/json" \
  -u "cn=Directory Manager:secret" \
  -d '{
  "dn": "uid=anees7,ou=people,dc=example,dc=com",
  "objectClass": ["inetorgperson", "organizationalPerson", "person", "top"],
  "cn": "Anees7",
  "sn": "User7",
  "uid": "anees7",
  "mail": "anees7@example.com",
  "userPassword": "password123"
}' "http://opendj.intbrains.com:8082/admin/rest/resource?_action=create"

The response I receive is:
{"code":401,"reason":"Unauthorized","message":"Invalid Credentials"}

I have checked the configured endpoints and authorization mechanisms:

sudo docker exec -it opendj-server-ui /opt/opendj/bin/dsconfig list-http-authorization-mechanisms --hostname localhost --port 5444 --bindDN "cn=Directory Manager" --bindPassword secret --trustAll

HTTP Authorization Mechanism              : Type
------------------------------------------:--------------------------------------------------------
HTTP Anonymous                            : http-anonymous-authorization-mechanism
HTTP Basic                                : http-basic-authorization-mechanism
HTTP OAuth2 CTS                           : http-oauth2-cts-authorization-mechanism
HTTP OAuth2 File                          : http-oauth2-file-authorization-mechanism
HTTP OAuth2 OpenAM                        : http-oauth2-openam-authorization-mechanism
HTTP OAuth2 Token Introspection (RFC7662) : http-oauth2-token-introspection-authorization-mechanism
HTTP_BASIC                                : http-basic-authorization-mechanism

sudo docker exec -it opendj-server-ui /opt/opendj/bin/dsconfig list-http-endpoints --hostname localhost --port 5444 --bindDN "cn=Directory Manager" --bindPassword secret --trustAll

HTTP Endpoint : Type               : enabled
--------------:--------------------:--------
/admin        : admin-endpoint     : true
/api          : rest2ldap-endpoint : true

Could anyone please guide me on how to correctly set up the REST API to create and manage identities? Any help would be greatly appreciated.

Thank you.
Anees

Hi @anees.am

As is often the case with these types of questions, it helps to know what version of DS you are using. Please share that when possible.

Did you follow the guide here: HTTP access :: PingDS

Did you take a look at the section on using HTTP Basic? HTTP access :: PingDS
One key item of note in that link is this:

By default, DS uses the exact match identity mapper with its default configuration to map the HTTP Basic username to an LDAP uid . DS searches all local public naming contexts to find the user’s entry based in the uid value. For details, refer to Identity mappers.

This means that you need to use your identity mapper configuration to map the username provided for HTTP Basic back to an actual user object with proper permissions in your directory. You cannot simply provide the distinguished name of the object.
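To make the identity-mapper point concrete, here is an added toy model (not OpenDJ or PingDS code) of what the exact match mapper does with an HTTP Basic credential: it decodes the header, looks for one entry whose `uid` equals the username under a naming context, and only then checks the password. The entries, naming context and the `authorize` / `basic_header` helpers are constructed for this illustration; a DN such as `cn=Directory Manager` supplied as the username maps to no entry and so yields the 401 seen in the original post.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample directory, mirroring the entries the ldapmodify in the thread creates.
# Stand-in for "search all local public naming contexts for uid=<username>"; not server code.
NAMING_CONTEXTS = ["dc=example,dc=com"]
ENTRIES = {
    "uid=anees6,ou=people,dc=example,dc=com": {"uid": "anees6", "userPassword": "password123"},
    "uid=anees7,ou=people,dc=example,dc=com": {"uid": "anees7", "userPassword": "password123"},
}


def parse_basic_auth(header: str) -> Tuple[str, str]:
    """Decode an HTTP Basic Authorization header into (username, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not an HTTP Basic header")
    user, sep, password = base64.b64decode(token).decode().partition(":")
    if not sep:
        raise ValueError("malformed credentials")
    return user, password


def exact_match_mapper(username: str, match_attribute: str = "uid") -> Optional[str]:
    """Exact match mapper: the single entry whose match attribute equals the username,
    found under any naming context. A DN passed as the username matches nothing."""
    hits = [dn for dn, attrs in ENTRIES.items()
            if attrs.get(match_attribute) == username
            and any(dn.endswith(ctx) for ctx in NAMING_CONTEXTS)]
    return hits[0] if len(hits) == 1 else None  # no match or ambiguous -> None


def authorize(header: str) -> dict:
    """Reproduce the failure mode in the thread: unmapped user or bad password -> 401."""
    try:
        user, password = parse_basic_auth(header)
    except ValueError as exc:
        return {"code": 401, "reason": "Unauthorized", "message": str(exc)}
    dn = exact_match_mapper(user)
    if dn is None or not hmac.compare_digest(ENTRIES[dn]["userPassword"], password):
        return {"code": 401, "reason": "Unauthorized", "message": "Invalid Credentials"}
    return {"code": 200, "authzid": "dn:" + dn}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value curl -u would send (constructed helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

With the default mapper the HTTP Basic username therefore has to be a `uid` value (for example `-u "anees6:password123"`), and that mapped entry also needs the access rights for whatever the REST call does.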

Hi @mwtech,

Thanks for your reply.

The version I am using is OpenDJ Server 4.6.4.

My OpenDJ configuration is:

      --- Server Status ---

Server Run Status: Started
Open Connections: 3

      --- Server Details ---

Host Name: d8c94b3097a2
Administrative Users: cn=Directory Manager
Installation Path: /opt/opendj
Instance Path: /opt/opendj/data
Version: OpenDJ Server 4.6.4
Java Version: 19.0.2
Administration Connector: Port 5444 (LDAPS)

      --- Connection Handlers ---

Address:Port : Protocol : State
-------------:------------------------:---------
– : LDIF : Disabled
0.0.0.0:389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:636 : LDAPS : Disabled
0.0.0.0:1689 : JMX : Disabled
0.0.0.0:8080 : HTTP : Enabled

      --- Data Sources ---

Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication:

The link that you shared gives steps to set up DS with certificate verification. But with SSL enabled and certificate verification, I am unable to connect OpenAM to this DS.

I have already raised a query on this, which is still open (How to Integrate OpenAM 7.4.0 with OpenIDM 7.4.1 for User Authentication? Encountering Connection Error - #12 by anees.am).

Could you please help me to fix that also?

Regards,
Anees

Please re-read the documentation links I’ve provided. I don’t think anything I’ve shared requires you to use certificates, and this has nothing to do with IDM. You don’t have to follow everything you see in the documentation, just the parts that apply to what you are trying to do.

Also, to the best of my knowledge ForgeRock never released 4.6.4 of DS. Is it correct to state that you are attempting this with the Open Identity Platform? If so, my insight is reduced as I do not know any details around what may deviate from the official ForgeRock products, of which DS is now on version 7.5.

Did you look into the identity mappers, as I suggested? If the Open Identity Platform uses those, that may be the source of your problem since that is a crucial part of how basic authentication takes place.

Hi @anees.am

Based on your product name (OpenDJ) and the version you are running, it appears you are using the community edition of the Open Identity Platform, which is available here: Open Identity Platform on GitHub.

Please note that our products have undergone significant changes, and the community editions differ greatly from our standard products. As a result, our ability to offer accurate support for the community edition may be limited. For detailed guidance, we suggest seeking assistance from the Open Identity community forum.

For specific questions about the community edition, please visit the dedicated community forum: Open Identity Platform Community.

I hope this helps.
Sheila