How do you set up the LDAPv3 compliant directory service OpenDJ as an external Identity store for the Access Management solution OpenAM?

L.Lauenburg

2 Answers

Disclaimer: This answer is only supposed to serve as a starting point, as I could not find any good information on the subject after two days of digging. As Bernhard pointed out in the comments, you should, for example, not use the RootDN user in production.

  1. Start both services using docker:
version: "3.4"
services:
  openam:
    image: openidentityplatform/openam
    container_name: am
    hostname: openam.example.com
    network_mode: host
    ports:
        - 8080:8080
  opendj:
    image: openidentityplatform/opendj
    container_name: dj
    hostname: cts.example.com
    network_mode: host
    user: root
    ports:
        - 1389:1389
  2. Add the following line to your /etc/hosts file:
127.0.0.1 localhost openam.example.com cts.example.com
  3. Run docker-compose up -d within the folder of the docker-compose.yml file.
  4. Wait until both services have started up. Then run docker exec -it dj /bin/bash to start the interactive mode for your OpenDJ container. The OpenDJ image already comes with a preconfigured Identity Store. To retrieve all the relevant information for configuring OpenAM, enter the opendj folder within the container (cd opendj) and run:
$ bin/status --bindDN "cn=Directory Manager" --bindPassword password
          --- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------:---------
--           : LDIF     : Disabled
0.0.0.0:636  : LDAPS    : Disabled
0.0.0.0:1389 : LDAP     : Enabled
0.0.0.0:1689 : JMX      : Disabled
0.0.0.0:8080 : HTTP     : Disabled

          --- Data Sources ---
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     203
Replication:

For more commands like the above, and to configure the server by yourself, have a look at OpenDJ's community How To.

  1. Open up your browser and go to http://openam.example.com:8080/openam. Should you run on a headless VM, have a look at this Stack Overflow question of mine, as I ran into the same problem.

  2. Select "Create New Configuration".

  3. Accept the terms and click "Continue". When prompted to enter a password for the default user [amAdmin], enter e.g. the default amAdmin password changeit and click "next".

  4. In the "Server Setting" tab leave everything except the cookie domain. Change the cookie domain to .example.com and click "next".

  5. Do not change anything in the "Configuration Store" tab and click "next".

  6. In the "User Store" tab enter the information from the configured OpenDJ server, the default password password of the OpenDJ server, and the directory name cts.example.com set in the docker-compose.yml file, and then click "next".

  7. Do not change anything in the "Site Configuration" tab and click "next".

  8. In the "Agent Information" tab enter a password (like e.g. password) and click next.

  9. Check the Summary and click "Create Configuration".

  10. Done!

To check your work, log in to OpenAM as user amadmin with the previously set password changeit. Then go to Top Level Realm > Data Store > Subjects. Careful: in your case you will only see the users "Admin" and "Anonymous", as you did not populate your identity store yet.

L.Lauenburg
  • In general it's not a good idea to specify the external user data store during initial configuration, but to configure it later on (especially if an LB is frontending the DS). Furthermore, do not use the RootDN, as this makes OpenAM re-configure the DS, but this is actually the job of the DS administrator and not of OpenAM – Bernhard Thalmayr Jan 14 '21 at 13:17
  • This answer is only supposed to serve as a starting point, as I could not find any good information on the subject after two days of digging. However, can you elaborate on why it is not a good idea to specify the external user data store during the initial configuration, and what role the LB plays in this case? – L.Lauenburg Jan 14 '21 at 14:10
  • If something goes wrong when talking to the external LDAP DS, then the configuration of OpenAM fails (happens quite often) and you have to start from scratch. When you are using an external configuration data store, this has to be cleaned up or set up from scratch as well. When you use the RootDN then OpenAM will (try to) change the configuration of the DS. E.g. when OpenDJ is used, configuration is instance local, so only one instance behind the LB is changed and you need to take care to adapt all other instances (this is often forgotten) .... – Bernhard Thalmayr Jan 15 '21 at 12:54
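An added sanity check, not part of either answer and not OpenDJ or OpenAM project code: a short Python script that parses the connection-handler table printed by `bin/status` (as shown in the answer above) and flags the two points raised in the comments, namely that only plaintext LDAP is enabled while LDAPS is disabled, and that the user store is bound as the RootDN. The status text and the bind DNs below are constructed samples.

```python
"""Audit an OpenDJ `bin/status` report and the bind DN chosen for the
OpenAM user store for the production caveats raised in the comments."""
import re

# Constructed sample: the table `bin/status` prints in the answer above.
STATUS_OUTPUT = """\
          --- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------:---------
--           : LDIF     : Disabled
0.0.0.0:636  : LDAPS    : Disabled
0.0.0.0:1389 : LDAP     : Enabled
0.0.0.0:1689 : JMX      : Disabled
0.0.0.0:8080 : HTTP     : Disabled

          --- Data Sources ---
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     203
"""

# One table row: "<address:port> : <protocol> : Enabled|Disabled"
ROW = re.compile(r"^(\S+)\s*:\s*(\S+)\s*:\s*(Enabled|Disabled)$")


def parse_handlers(text):
    """Return {protocol: (address_port, is_enabled)} from the status table."""
    handlers = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            addr, proto, state = m.groups()
            handlers[proto] = (addr, state == "Enabled")
    return handlers


def audit(status_text, bind_dn, root_dn="cn=Directory Manager"):
    """List findings a DS administrator would want fixed before production."""
    findings = []
    handlers = parse_handlers(status_text)
    ldap_addr, ldap_on = handlers.get("LDAP", (None, False))
    _, ldaps_on = handlers.get("LDAPS", (None, False))
    if ldap_on and not ldaps_on:
        findings.append("only plaintext LDAP is enabled: OpenAM's bind "
                        "credentials and user data cross the network unencrypted")
    if ldap_on and ldap_addr.startswith("0.0.0.0:"):
        findings.append("LDAP listens on all interfaces (%s)" % ldap_addr)
    if bind_dn.strip().lower() == root_dn.lower():
        findings.append("user store binds as the RootDN; use a dedicated "
                        "account instead, as Bernhard recommends")
    return findings
```

Running `audit(STATUS_OUTPUT, "cn=Directory Manager")` on the sample reports all three findings; with a dedicated bind DN and LDAPS enabled only the all-interfaces note remains.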
Follow the official documentation of ForgeRock Directory Server and ForgeRock AM; it's still configured the same way even in the paid version.

More Here

Hamza Tahiri