OpenDJ, the open source LDAP Directory Server, was the first to propose a native HTTP REST / JSON access to the data.
In the next major release, OpenDJ will be providing many enhancements to the REST interface, that I will describe in a series of posts. To start with, let’s talk about the new administrative interfaces added to manage the OpenDJ server.
When the HTTP access is enabled, OpenDJ creates by default 2 administrative endpoints:
/admin/config provides a read-write access to the configuration, with the same view and hierarchy of objects as the LDAP access. All of the operations that are possible with the
dsconfig command, can be done over LDAP, and now REST. As a matter of fact, the
/admin/config API is automatically generated from the same XML description files that are used to generate the LDAP view and the
dsconfig command line utilities. This means that any extension, plugin added to the server will also be exposed via REST without additional code.
Above is an example of query of the
/admin/config endpoint, querying for all
backends , done as a user who has the privilege to read the configuration. A similar query done with a user that doesn’t have the
config-read privilege does fail as below:
$ curl -s -u user.2 http://localhost:8080/admin/config/backends/userRoot
Enter host password for user 'user.2':
"message" : "Insufficient Access Rights: You do not have sufficient
privileges to perform search operations in the Directory Server
"code" : 403,
"reason" : "Forbidden"
/admin/monitor provides a read-only view on all of the OpenDJ monitoring information that was already accessible via LDAP under the
"cn=Monitor" naming context, and JMX.
$ curl -s -u user.0 http://localhost:8080/admin/monitor/
Enter host password for user 'user.0':
"_id" : "monitor",
"upTime" : "0 days 2 hours 49 minutes 54 seconds",
"currentConnections" : "1",
"totalConnections" : "32",
"currentTime" : "20161024103215Z",
"startTime" : "20161024074220Z",
"productName" : "OpenDJ Server",
"_rev" : "00000000644a67b2",
"maxConnections" : "3"
/admin REST endpoints can be protected with different authorization mechanisms, from HTTP basic to OAuth2. And the whole endpoint can be disabled as well if needed using
These administrative REST endpoints can be tested with the OpenDJ nightly builds. They are also available to ForgeRock customers as part of our latest update of the ForgeRock Identity Platform.
Filed under: Directory Services Tagged: administration, directory, Directory Services, directory-server, ForgeRock, Json, ldap, opensource, REST, rest2ldap
This blog post was first published @ ludopoitou.com, included here with permission.