Managing OpenDJ with REST

OpenDJ, the open source LDAP Directory Server, was the first to offer native HTTP REST/JSON access to its data.

In the next major release, OpenDJ will provide many enhancements to the REST interface, which I will describe in a series of posts. To start with, let's talk about the new administrative interfaces added to manage the OpenDJ server.

When HTTP access is enabled, OpenDJ exposes two administrative endpoints by default: /admin/config and /admin/monitor.

/admin/config provides read-write access to the configuration, with the same view and hierarchy of objects as the LDAP access. Every operation that is possible with the dsconfig command can be done over LDAP, and now over REST. As a matter of fact, the /admin/config API is generated automatically from the same XML description files that are used to generate the LDAP view and the dsconfig command line utility. This means that any extension or plugin added to the server is also exposed via REST without additional code.

[Screenshot: a query of the /admin/config endpoint for all backends, run as a user holding the config-read privilege]

Above is an example query of the /admin/config endpoint, listing all backends, run as a user who has the privilege to read the configuration. The same query run as a user who does not have the config-read privilege fails as shown below:

$ curl -s -u user.2 http://localhost:8080/admin/config/backends/userRoot
Enter host password for user 'user.2':
{
 "message" : "Insufficient Access Rights: You do not have sufficient privileges to perform search operations in the Directory Server configuration",
 "code" : 403,
 "reason" : "Forbidden"
}

/admin/monitor provides a read-only view of all the OpenDJ monitoring information that is already accessible via LDAP under the "cn=Monitor" naming context, and via JMX.

$ curl -s -u user.0 http://localhost:8080/admin/monitor/
Enter host password for user 'user.0':
{
 "_id" : "monitor",
 "upTime" : "0 days 2 hours 49 minutes 54 seconds",
 "currentConnections" : "1",
 "totalConnections" : "32",
 "currentTime" : "20161024103215Z",
 "startTime" : "20161024074220Z",
 "productName" : "OpenDJ Server",
 "_rev" : "00000000644a67b2",
 "maxConnections" : "3"
}

The /admin REST endpoints can be protected with different authorization mechanisms, from HTTP Basic to OAuth2. The whole endpoint can also be disabled with dsconfig if it is not needed.
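A small privilege audit for these endpoints, added here as an example and not part of OpenDJ or of the original post. It assumes the server from the post (HTTP access on localhost:8080, HTTP Basic authentication as used by curl -u, and the {"message", "code", "reason"} error body shown above); the account name config.admin and all passwords are placeholders.

```python
import base64
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"          # assumption: server as in the post
ADMIN_USER = "config.admin"                 # hypothetical account holding config-read

def parse_admin_response(status, body):
    """Normalise an /admin reply: a 2xx carries the resource itself, an
    error carries the {"message", "code", "reason"} structure shown above."""
    data = json.loads(body.decode("utf-8")) if body else {}
    if 200 <= status < 300:
        return {"status": status, "reason": "OK", "message": "", "resource": data}
    return {"status": status, "reason": data.get("reason", ""),
            "message": data.get("message", ""), "resource": None}

def get_admin(path, user, password):
    """GET an /admin path with HTTP Basic credentials (what curl -u sends)."""
    req = urllib.request.Request(BASE_URL + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_admin_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_admin_response(err.code, err.read())

def audit(expectations, fetch=get_admin):
    """Compare each (path, user, password, expected status) with the live
    answer; return a list of findings (an empty list means every check held)."""
    findings = []
    for path, user, password, expected in expectations:
        got = fetch(path, user, password)
        if got["status"] != expected:
            findings.append("%s on %s: expected %d, got %d (%s: %s)" % (
                user, path, expected, got["status"], got["reason"], got["message"]))
    return findings

if __name__ == "__main__":
    # Placeholder passwords; user.2 lacks config-read, user.0 may read cn=Monitor.
    checks = [
        ("/admin/config/backends/userRoot", "user.2", "password", 403),
        ("/admin/config/backends/userRoot", ADMIN_USER, "password", 200),
        ("/admin/monitor/", "user.0", "password", 200),
    ]
    for finding in audit(checks):
        print("FAIL:", finding)
```

Run it after enabling HTTP access; a non-empty finding list means a user can reach (or is wrongly denied) an endpoint the privilege model should control.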

These administrative REST endpoints can be tested with the OpenDJ nightly builds. They are also available to ForgeRock customers as part of our latest update of the ForgeRock Identity Platform.

OpenDJ Roadmap Update…

It took us some time to evaluate and refine the roadmap for OpenDJ, but it's finally there. We've updated the Roadmap on the wiki, and set a date for the next release of OpenDJ.

The first change decided is that the next release will be versioned 2.6. We got the feedback that the versioning scheme with Xpress releases and final releases sharing the same version number is confusing. Moving forward, we will try to keep the following scheme: a stable release will have an even minor number and development releases will have an odd one.

We’ve also set the date for the release to end of Q2 of 2013 (end of June).

The REST to LDAP service has now been integrated into the OpenDJ server, although it is not fully featured yet. The team is working really hard to deliver the remaining features by June and to close the few remaining important defects. If you want to start evaluating the REST to LDAP service, just grab a recent nightly build. Mark is doing a great job of documenting the REST features as they become available.

We will soon make the RPM and Debian packages available for tests with the nightly builds, along with the new upgrade mechanism, and then enter a cycle of stabilization before the 2.6.0 release.

Feedback is important for us, so please download and test the nightly builds, and report success via email or issues in our bug-tracking tool.