Why Switch to OpenDJ
OpenLDAP is a reliable and widely used directory server, but several modern features are only available after complex configuration. If your use case involves integrating with Keycloak, Jenkins, or any system that needs dynamic group memberships or nested roles, OpenDJ is a much better fit.
- Install Java
sudo apt install -y openjdk-21-jdk
Verify Java:
java -version
- Download and Install OpenDJ 4.9.4
cd /tmp
wget https://github.com/OpenIdentityPlatform/OpenDJ/releases/download/4.9.4/opendj_4.9.4-1_all.deb
sudo dpkg -i ./opendj_4.9.4-1_all.deb
- Run the CLI-Based Setup
sudo /opt/opendj/setup
Follow the prompts:
| Prompt | Response |
|---|---|
| Root DN | cn=Directory Manager |
| Password | choose a strong password |
| Hostname | ldap.maksonlee.com |
| LDAP Port | 389 |
| Admin Port | 4444 |
| Create base DN | yes |
| Base DN | dc=maksonlee,dc=com |
| Backend type | JE Backend |
| Initial data | Only create base entry |
| SSL / StartTLS | no |
| Start server | yes |
Because Start server was answered yes, the server starts automatically once setup finishes.
- Verify LDAP Service Locally
/opt/opendj/bin/ldapsearch \
--hostname 127.0.0.1 \
--port 389 \
--bindDN "cn=Directory Manager" \
--bindPassword '<your-password>' \
--baseDN "dc=maksonlee,dc=com" \
"(objectClass=*)"
- LDAPS via OPNsense HAProxy
Instead of configuring SSL inside OpenDJ, we reuse the exact HAProxy setup from this guide:
Install OpenLDAP on Ubuntu 24.04 with LDAPS via OPNsense HAProxy
- Nested Group
OpenDJ resolves nested group membership and exposes it through the isMemberOf virtual attribute, so a client can ask for a user's groups with a single search instead of walking the group tree itself.
Here’s the structure:
dc=maksonlee,dc=com
└── ou=groups
    ├── ou=organization
    │   └── cn=engineering
    │       └── member: uid=maksonlee,ou=people,...
    └── ou=system
        └── cn=gerrit-users
            └── member: cn=engineering,...
To test it:
/opt/opendj/bin/ldapsearch \
--hostname 127.0.0.1 \
--port 389 \
--bindDN "cn=Directory Manager" \
--bindPassword '<your-password>' \
--baseDN "dc=maksonlee,dc=com" \
"(uid=maksonlee)" \
isMemberOf
Output:
isMemberOf: cn=engineering,ou=organization,ou=groups,dc=maksonlee,dc=com
isMemberOf: cn=gerrit-users,ou=system,ou=groups,dc=maksonlee,dc=com
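To build the tree above and cross-check what the server reports, here is an added example (not from the original post or the OpenDJ project) that renders the container and group entries as LDIF for /opt/opendj/bin/ldapmodify and computes the transitive membership that isMemberOf should return. The full user DN uid=maksonlee,ou=people,dc=maksonlee,dc=com is an assumption, since the post elides it.

```python
from collections import deque

BASE = "dc=maksonlee,dc=com"
# Assumed: the user's full DN (the post writes it as uid=maksonlee,ou=people,...).
USER = f"uid=maksonlee,ou=people,{BASE}"
ENG = f"cn=engineering,ou=organization,ou=groups,{BASE}"
GERRIT = f"cn=gerrit-users,ou=system,ou=groups,{BASE}"

# Container entries, parent before child, so the LDIF loads in one pass.
OUS = [f"ou=groups,{BASE}", f"ou=organization,ou=groups,{BASE}",
       f"ou=system,ou=groups,{BASE}"]
# Static groups (groupOfNames): group DN -> member DNs, which may be users or groups.
GROUPS = {ENG: [USER], GERRIT: [ENG]}  # nesting: engineering is a member of gerrit-users

def rdn_value(dn):
    """Value of the first RDN, e.g. 'engineering' for 'cn=engineering,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def to_ldif(ous, groups):
    """Render containers and groups as LDIF entries separated by blank lines."""
    entries = []
    for dn in ous:
        entries.append(f"dn: {dn}\nobjectClass: top\nobjectClass: organizationalUnit\nou: {rdn_value(dn)}")
    for dn, members in groups.items():
        lines = [f"dn: {dn}", "objectClass: top", "objectClass: groupOfNames", f"cn: {rdn_value(dn)}"]
        lines += [f"member: {m}" for m in members]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

def is_member_of(entry_dn, groups):
    """Transitive group membership of entry_dn, as OpenDJ's isMemberOf reports it.
    Breadth-first walk up the member edges; the 'seen' set guards against cycles."""
    parents = {}
    for gdn, members in groups.items():
        for m in members:
            parents.setdefault(m, []).append(gdn)
    seen, queue = set(), deque(parents.get(entry_dn, []))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, []))
    return sorted(seen)

if __name__ == "__main__":
    print(to_ldif(OUS, GROUPS))
    for g in is_member_of(USER, GROUPS):
        print(f"isMemberOf: {g}")
```

Load the printed LDIF with ldapmodify, then compare the server's isMemberOf values for uid=maksonlee with the list the script prints; a mismatch usually means a group entry was loaded without its member attribute or under a different DN.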