OpenIdentityPlatform · vharseko · Jun 26, 2026 · Jun 28, 2026 · Jun 28, 2026 · Jun 28, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -441,3 +441,106 @@ jobs:
           timeout 3m bash -c 'until docker inspect --format="{{json .State.Health.Status}}" test_custom | grep -q \"healthy\"; do sleep 10; done'
           docker exec test_custom 'sh' '-c' '/opt/opendj/bin/ldapsearch --hostname localhost --port 1636 --bindDN "cn=Directory Manager" --bindPassword custom_password --useSsl --trustAll --baseDN "dc=example,dc=com" --searchScope base "(objectClass=*)" 1.1'
           docker kill test_custom
+
+  test-deb:
+    needs: build-maven
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v8
+        with:
+          name: ubuntu-latest-11
+      - name: Clean-room install + SysV start/stop (debian:12 container)
+        shell: bash
+        run: |
+          docker run --rm -v "$PWD:/work" -w /work debian:12 bash -c '
+            set -e
+            export DEBIAN_FRONTEND=noninteractive
+            DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1)
+            echo "Found $DEB"
+            apt-get update
+            apt-get install -y lintian
+            lintian --info --no-tag-display-limit "$DEB" || true
+            dpkg-deb -I "$DEB"
+            dpkg-deb -c "$DEB" | grep -E "lib/systemd/system/opendj.service|etc/init.d/opendj"
+            apt-get install -y "./$DEB"
+            id opendj
+            test "$(stat -c %U /opt/opendj)" = opendj
+            # No JAVA_HOME and no "which" in this clean container: Java must resolve
+            # from config/java.properties (default.java-home set by postinst).
+            runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \
+              --rootUserDN "cn=Directory Manager" --rootUserPassword password \
+              --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \
+              --baseDN dc=example,dc=com --addBaseEntry
+            /etc/init.d/opendj start
+            OK=0
+            for i in $(seq 1 20); do
+              if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi
+              sleep 3
+            done
+            /etc/init.d/opendj status
+            test "$OK" = 1
+            /etc/init.d/opendj stop
+            apt-get purge -y opendj
+          '
+      - name: Live systemd install + start/stop (runner)
+        shell: bash
+        run: |
+          DEB=$(ls opendj-packages/opendj-deb/opendj-deb-standard/target/*.deb | head -1)
+          sudo apt-get update
+          sudo apt-get install -y "$PWD/$DEB"
+          test "$(stat -c '%U' /opt/opendj)" = opendj
+          # sudo/runuser/systemd strip JAVA_HOME -> also relies on config/java.properties
+          sudo runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \
+            --rootUserDN "cn=Directory Manager" --rootUserPassword password \
+            --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \
+            --baseDN dc=example,dc=com --addBaseEntry
+          sudo systemctl enable --now opendj
+          OK=0
+          for i in $(seq 1 20); do
+            if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi
+            sleep 3
+          done
+          sudo systemctl is-active --quiet opendj
+          test "$OK" = 1
+          echo "OpenDJ is active under systemd"
+          sudo systemctl stop opendj
+          sleep 3
+          if sudo systemctl is-active --quiet opendj; then echo "still active"; exit 1; fi
+          sudo apt-get purge -y opendj
+
+  test-rpm:
+    needs: build-maven
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v8
+        with:
+          name: ubuntu-latest-11
+      - name: Install and start/stop in Rocky Linux 9
+        shell: bash
+        run: |
+          docker run --rm -v "$PWD:/work" -w /work rockylinux:9 bash -c '
+            set -e
+            RPM=$(ls opendj-packages/opendj-rpm/opendj-rpm-standard/target/rpm/opendj/RPMS/noarch/*.rpm | head -1)
+            echo "Found $RPM"
+            dnf install -y java-21-openjdk-headless util-linux initscripts >/dev/null
+            dnf install -y "$RPM"
+            id opendj
+            test "$(stat -c %U /opt/opendj)" = opendj
+            # Java must come from config/java.properties (no JAVA_HOME and no "which" here)
+            runuser -u opendj -- /opt/opendj/setup --cli --no-prompt --acceptLicense --doNotStart \
+              --rootUserDN "cn=Directory Manager" --rootUserPassword password \
+              --hostname localhost --ldapPort 1389 --adminConnectorPort 4444 \
+              --baseDN dc=example,dc=com --addBaseEntry
+            /etc/init.d/opendj start
+            OK=0
+            for i in $(seq 1 20); do
+              if /opt/opendj/bin/ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password -b "dc=example,dc=com" -s base "(objectClass=*)" 1.1 >/dev/null 2>&1; then OK=1; break; fi
+              sleep 3
+            done
+            /etc/init.d/opendj status
+            test "$OK" = 1
+            /etc/init.d/opendj stop
+            rpm -e opendj
+          '
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-install.adoc
@@ -432,48 +432,26 @@ You can install OpenDJ in unattended and silent fashion, too. See the procedure,
 ====
 On Debian and related Linux distributions such as Ubuntu, you can install OpenDJ directory server from the Debian package:
 
-. (Optional)  Before you install OpenDJ, install a Java runtime environment if none is installed yet:
-+
-
-[source, console]
-----
-$ sudo apt-get install default-jre
-----
-
-. Install the OpenDJ directory server package:
+. Install the OpenDJ directory server package. Use `apt-get install ./<file>.deb` (rather than `dpkg -i`) so the required Java runtime dependency (`default-jre-headless`) is resolved and installed automatically:
 +
 
 [source, console, subs="attributes"]
 ----
-$ sudo dpkg -i opendj_{opendj-version}-1_all.deb
-Selecting previously unselected package opendj.
-(Reading database ... 185569 files and directories currently installed.)
-Unpacking opendj (from opendj_{opendj-version}-1_all.deb) ...
-
-Setting up opendj ({opendj-version}) ...
- Adding system startup for /etc/init.d/opendj ...
-   /etc/rc0.d/K20opendj -> ../init.d/opendj
-   /etc/rc1.d/K20opendj -> ../init.d/opendj
-   /etc/rc6.d/K20opendj -> ../init.d/opendj
-   /etc/rc2.d/S20opendj -> ../init.d/opendj
-   /etc/rc3.d/S20opendj -> ../init.d/opendj
-   /etc/rc4.d/S20opendj -> ../init.d/opendj
-   /etc/rc5.d/S20opendj -> ../init.d/opendj
-
-Processing triggers for ureadahead ...
-ureadahead will be reprofiled on next reboot
+$ sudo apt-get install ./opendj_{opendj-version}-1_all.deb
 ----
 +
-The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`.
+The Debian package installs OpenDJ directory server in the `/opt/opendj` directory, registers the service with systemd (`opendj.service`, with a SysV init script kept as a fallback on non-systemd hosts), adds documentation files under `/usr/share/doc/opendj`, and adds man pages under `/opt/opendj/share/man`.
++
+The package creates a dedicated `opendj` system user; the files under `/opt/opendj` are owned by it and the service runs as that user. The systemd service is granted `CAP_NET_BIND_SERVICE`, so it can bind privileged ports such as LDAP 389 and LDAPS 636 even though it runs as a non-root user. On non-systemd hosts that use the SysV init script, grant the capability another way (for example `authbind` or an `iptables` redirect) or use ports above 1024.
 +
-The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636.
+To pin or override the Java runtime used by the service, set `OPENDJ_JAVA_HOME` (or `OPENDJ_JAVA_ARGS`) in `/etc/default/opendj`.
 
-. Configure OpenDJ directory server by using the command `sudo /opt/opendj/setup`:
+. Configure OpenDJ directory server by running `setup` as the `opendj` user (the account that owns the files and runs the service):
 +
 
 [source, console]
 ----
-$ sudo /opt/opendj/setup --cli
+$ sudo -u opendj /opt/opendj/setup --cli
 ...
 To see basic server configuration status and configuration you can launch
  /opt/opendj/bin/status
@@ -484,9 +462,9 @@ To see basic server configuration status and configuration you can launch
 
 [source, console, subs="attributes"]
 ----
-$ service opendj status
-opendj status: > Running.
-$ sudo /opt/opendj/bin/status
+$ systemctl is-active opendj
+active
+$ sudo -u opendj /opt/opendj/bin/status
 
 
 >>>> Specify OpenDJ LDAP connection parameters
@@ -541,38 +519,28 @@ Password:
 #
 ----
 
-. Before you install OpenDJ, install a Java runtime environment if none is installed yet.
-+
-You might need to download an RPM to install the Java runtime environment, and then install the RPM by using the `rpm` command:
-+
-
-[source, console]
-----
-# rpm -ivh jre-*.rpm
-----
-
-. Install the OpenDJ directory server package:
+. Install the OpenDJ directory server package. Use `dnf install ./<file>.rpm` (rather than `rpm -i`) so the required Java runtime dependency (`java-headless >= 11`) is resolved and installed automatically:
 +
 
 [source, console, subs="attributes"]
 ----
-# rpm -i opendj-{opendj-version}-1.noarch.rpm
+# dnf install ./opendj-{opendj-version}-1.noarch.rpm
 Pre Install - initial install
 Post Install - initial install
-
-#
 ----
 +
-The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, generates service management scripts, and adds man pages under `/opt/opendj/share/man`.
+The RPM package installs OpenDJ directory server in the `/opt/opendj` directory, registers the service with systemd (`opendj.service`, with a SysV init script kept as a fallback on non-systemd hosts), and adds man pages under `/opt/opendj/share/man`.
 +
-The files are owned by root by default, making it easier to have OpenDJ listen on ports 389 and 636.
+The package creates a dedicated `opendj` system user; the files under `/opt/opendj` are owned by it and the service runs as that user. The systemd service is granted `CAP_NET_BIND_SERVICE`, so it can bind privileged ports such as LDAP 389 and LDAPS 636 even though it runs as a non-root user. On non-systemd hosts that use the SysV init script, grant the capability another way (for example `authbind` or an `iptables` redirect) or use ports above 1024.
++
+To pin or override the Java runtime used by the service, set `OPENDJ_JAVA_HOME` (or `OPENDJ_JAVA_ARGS`) in `/etc/sysconfig/opendj`.
 
-. Configure OpenDJ directory server by using the command `/opt/opendj/setup`:
+. Configure OpenDJ directory server by running `setup` as the `opendj` user (the account that owns the files and runs the service):
 +
 
 [source, console]
 ----
-# /opt/opendj/setup --cli
+# runuser -u opendj -- /opt/opendj/setup --cli
 ...
 To see basic server configuration status and configuration you can launch
  /opt/opendj/bin/status
@@ -583,9 +551,9 @@ To see basic server configuration status and configuration you can launch
 
 [source, console, subs="attributes"]
 ----
-# service opendj status
-opendj status: > Running.
-# /opt/opendj/bin/status
+# systemctl is-active opendj
+active
+# runuser -u opendj -- /opt/opendj/bin/status
 
 
 >>>> Specify OpenDJ LDAP connection parameters
@@ -623,14 +591,13 @@ Entries:     2002
 Replication:
 ----
 +
-By default OpenDJ starts in run levels 2, 3, 4, and 5:
+The service is enabled to start at boot:
 +
 
 [source, console]
 ----
-# chkconfig --list | grep opendj
-...
-opendj         0:off    1:off    2:on    3:on    4:on    5:on    6:off
+# systemctl is-enabled opendj
+enabled
 ----
 
 ====

diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-uninstall.adoc
@@ -127,7 +127,7 @@ Stopping Server...
 $
 ----
 +
-Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files.
+Removing the package stops the server but does not remove your data or configuration, nor the dedicated `opendj` system user it created. Remove `/opt/opendj` manually to delete all files, and remove the `opendj` user if you no longer need it.
 
 ====
 
@@ -153,7 +153,7 @@ OpenDJ successfully removed.
 #
 ----
 +
-Removing the package does not remove your data or configuration. You must remove `/opt/opendj` manually to get rid of all files.
+Removing the package stops the server but does not remove your data or configuration, nor the dedicated `opendj` system user it created. Remove `/opt/opendj` manually to delete all files, and remove the `opendj` user if you no longer need it.
 
 ====
 
diff --git a/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc b/opendj-doc-generated-ref/src/main/asciidoc/install-guide/chap-upgrade.adoc
@@ -89,7 +89,7 @@ Due to changes to the backup archive format, make sure you stop OpenDJ directory
 ====
 Before starting this procedure, follow the steps in xref:#before-you-upgrade["Before You Upgrade"].
 
-To upgrade to OpenDJ directory server installed from native packages (.deb, .rpm), use the command-line package management tools provided by the system.
+To upgrade OpenDJ directory server installed from native packages (.deb, .rpm), install the newer package with the system package manager (`sudo apt-get install ./opendj_{opendj-version}-1_all.deb` or `sudo dnf install ./opendj-{opendj-version}-1.noarch.rpm`). The package stops the running server, runs the `upgrade` tool as the dedicated `opendj` user, migrates file ownership under `/opt/opendj` to that user, and restarts the service (systemd, with a SysV init fallback) if it was running before the upgrade. Back up the installation directory first, as described in xref:#before-you-upgrade["Before You Upgrade"].
 
 [NOTE]
 ======

diff --git a/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml b/opendj-packages/opendj-deb/opendj-deb-standard/pom.xml
@@ -13,6 +13,7 @@
   information: "Portions Copyright [year] [name of copyright owner]".
 
   Copyright 2015 ForgeRock AS.
+  Portions Copyright 2018-2026 3A Systems, LLC
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -33,6 +34,8 @@
 
     <properties>
         <sysv.file.location>${project.parent.parent.basedir}/resources/sysv/opendj</sysv.file.location>
+        <systemd.file.location>${project.parent.parent.basedir}/resources/systemd/opendj.service</systemd.file.location>
+        <env.file.location>${project.parent.parent.basedir}/resources/env/opendj</env.file.location>
         <deb.product.name>${product.name}</deb.product.name>
         <deb.product.name.lowercase>${product.name.lowercase}</deb.product.name.lowercase>
         <deb.product.summary>This OpenDJ package includes the Berkeley JE Backend and cannot be redistributed without a suitable license</deb.product.summary>

diff --git a/opendj-packages/opendj-deb/pom.xml b/opendj-packages/opendj-deb/pom.xml
@@ -13,6 +13,7 @@
   information: "Portions Copyright [year] [name of copyright owner]".
 
   Copyright 2015-2016 ForgeRock AS.
+  Portions Copyright 2018-2026 3A Systems, LLC
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -146,7 +147,7 @@
                 <plugin>
                     <groupId>org.vafer</groupId>
                     <artifactId>jdeb</artifactId>
-                    <version>1.3</version>
+                    <version>1.14</version>
                     <executions>
                         <execution>
                             <id>generate-deb-package</id>
@@ -158,7 +159,7 @@
                                 <deb>${project.build.directory}/${deb.product.name.lowercase}_${project.version}-${deb.release}_all.deb</deb>
                                 <controlDir>${project.build.directory}/deb/control</controlDir>
                                 <dataSet>
-                                    <!-- OpenDJ service file -->
+                                    <!-- OpenDJ SysV init service file (fallback for non-systemd hosts) -->
                                     <data>
                                         <src>${sysv.file.location}</src>
                                         <type>file</type>
@@ -169,6 +170,28 @@
                                         </mapper>
                                     </data>
 
+                                    <!-- OpenDJ systemd service unit (native service management) -->
+                                    <data>
+                                        <src>${systemd.file.location}</src>
+                                        <type>file</type>
+                                        <mapper>
+                                            <type>perm</type>
+                                            <prefix>/lib/systemd/system</prefix>
+                                            <filemode>644</filemode>
+                                        </mapper>
+                                    </data>
+
+                                    <!-- Service environment override (jdeb auto-marks files under /etc as conffiles) -->
+                                    <data>
+                                        <src>${env.file.location}</src>
+                                        <type>file</type>
+                                        <mapper>
+                                            <type>perm</type>
+                                            <prefix>/etc/default</prefix>
+                                            <filemode>644</filemode>
+                                        </mapper>
+                                    </data>
+
                                     <!-- Debian copyright file in documentation -->
                                     <data>
                                         <src>${basedir}/resources/copyright</src>
-Original file line number
+Diff line change
@@ Expand Up @@
     ====
     Before starting this procedure, follow the steps in xref:#before-you-upgrade["Before You Upgrade"].
-    To upgrade to OpenDJ directory server installed from native packages (.deb, .rpm), use the command-line package management tools provided by the system.
+    To upgrade OpenDJ directory server installed from native packages (.deb, .rpm), install the newer package with the system package manager (`sudo apt-get install ./opendj_{opendj-version}-1_all.deb` or `sudo dnf install ./opendj-{opendj-version}-1.noarch.rpm`). The package stops the running server, runs the `upgrade` tool as the dedicated `opendj` user, migrates file ownership under `/opt/opendj` to that user, and restarts the service (systemd, with a SysV init fallback) if it was running before the upgrade. Back up the installation directory first, as described in xref:#before-you-upgrade["Before You Upgrade"].
     [NOTE]
     ======
@@ Expand Down @@