RMLL 2013 - Synchronize OpenLDAP and Active Directory with LSC
DESCRIPTION
LDAP Synchronization Connector presentation, and how to synchronize OpenLDAP and Active Directory with it.
TRANSCRIPT
Synchronize OpenLDAP and AD
Clément OUDOT
RMLL 2013
Table of contents
● LDAP Synchronization Connector (LSC)
● Active Directory specificities
● Synchronize OpenLDAP and AD
Resume
Clément OUDOT
● Engineer since 2003 at LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of LDAP Tool Box project: http://ltb-project.org
● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
LDAP Synchronization Connector
LDAP Synchronization Connector
● Free software
● BSD license
● Written in Java
● XML configuration files
● http://lsc-project.org
LDAP Synchronization Connector
● Synchronization:
  – From/to LDAP, SQL, files
  – One-shot or continuous
● CSV or LDIF exports of what has been synchronized
● Data manipulation engine: JavaScript (Rhino), Groovy
● LDAP API for scripts
Main features
● Source and destination connectors:
  – LDAPv3 directories
  – JDBC compatible databases
  – Flat files
  – Plugins: Google Apps, ...
● LDAPv3 advanced support:
  – StartTLS, LDAPS
  – Paged results
  – LDAP Sync (SyncRepl), persistent search
How it works
● Sync phase:
  – Read all entries in source, get the pivot attribute
  – For each entry, read entry in source and in destination, using the pivot attribute
  – Apply modifications or create the entry in destination
● Clean phase:
  – Read all entries in destination, get the pivot attribute
  – For each entry, read entry in source using the pivot attribute
  – Delete entry in destination if not found in source
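The two phases above, as an added example in JavaScript (the language of LSC's Rhino scripting engine, but this is plain Node.js and not LSC's own code): a minimal in-memory model of a task with a pivot, a `<mainIdentifier>` rule, a `<dataset>` mapping and `<conditions>`. The entries, DNs and the uid to sAMAccountName pivot are constructed sample data, not taken from the slides; the empty-source guard in the clean phase is my own safeguard, not an LSC feature.

```javascript
// Added example (not LSC's own code): a minimal in-memory model of the LSC
// sync and clean phases, so the pivot logic can be read end to end.

// Constructed source (OpenLDAP-style) entries.
const sourceEntries = [
  { dn: "uid=alice,ou=people,dc=example,dc=com",
    attrs: { uid: "alice", givenName: "Alice", sn: "Martin", mail: "alice@example.com" } },
  { dn: "uid=bob,ou=people,dc=example,dc=com",
    attrs: { uid: "bob", givenName: "Bob", sn: "Durand", mail: "bob@example.com" } },
];

// Constructed destination (AD-style) entries: bob is stale, carol is gone from the source.
const destinationEntries = [
  { dn: "CN=Bob Durand,OU=Users,DC=ad,DC=example,DC=com",
    attrs: { sAMAccountName: "bob", givenName: "Bob", sn: "Durand", mail: "old-bob@example.com" } },
  { dn: "CN=Carol Old,OU=Users,DC=ad,DC=example,DC=com",
    attrs: { sAMAccountName: "carol", givenName: "Carol", sn: "Old" } },
];

// Hypothetical task rules mirroring the three parts of an LSC task:
// pivot attributes, <conditions>, <mainIdentifier> (destination DN) and the <dataset> mapping.
const rules = {
  pivot: { source: "uid", destination: "sAMAccountName" },
  conditions: { create: true, update: true, delete: true },
  mainIdentifier: (src) => `CN=${src.givenName} ${src.sn},OU=Users,DC=ad,DC=example,DC=com`,
  dataset: (src) => ({ sAMAccountName: src.uid, givenName: src.givenName, sn: src.sn, mail: src.mail }),
};

// uid and sAMAccountName match case-insensitively in LDAP, so the pivot index
// is keyed on the lower-cased value.
function indexByPivot(entries, attribute) {
  const index = new Map();
  for (const entry of entries) {
    const value = entry.attrs[attribute];
    if (value !== undefined) index.set(String(value).toLowerCase(), entry);
  }
  return index;
}

// Sync phase: walk the source, look each entry up in the destination by pivot,
// and emit a create (entry missing) or an update carrying only the changed attributes.
function syncPhase(source, destination, rules) {
  const destIndex = indexByPivot(destination, rules.pivot.destination);
  const operations = [];
  for (const src of source) {
    const wanted = rules.dataset(src.attrs);
    const existing = destIndex.get(String(src.attrs[rules.pivot.source]).toLowerCase());
    if (!existing) {
      if (rules.conditions.create) {
        operations.push({ op: "create", dn: rules.mainIdentifier(src.attrs), attrs: wanted });
      }
      continue;
    }
    const changes = {};
    for (const [name, value] of Object.entries(wanted)) {
      if (existing.attrs[name] !== value) changes[name] = value;
    }
    if (Object.keys(changes).length > 0 && rules.conditions.update) {
      operations.push({ op: "update", dn: existing.dn, changes });
    }
  }
  return operations;
}

// Clean phase: walk the destination and delete what the source no longer has.
// Guard (my own safeguard, not LSC's): an empty source usually means a wrong
// filter or a failed read, and would otherwise wipe the whole destination.
function cleanPhase(source, destination, rules) {
  if (!rules.conditions.delete) return [];
  if (source.length === 0 && destination.length > 0) {
    throw new Error("refusing to clean: source returned no entries");
  }
  const srcIndex = indexByPivot(source, rules.pivot.source);
  const operations = [];
  for (const dst of destination) {
    const key = String(dst.attrs[rules.pivot.destination]).toLowerCase();
    if (!srcIndex.has(key)) operations.push({ op: "delete", dn: dst.dn });
  }
  return operations;
}

console.log(JSON.stringify(syncPhase(sourceEntries, destinationEntries, rules), null, 2));
console.log(JSON.stringify(cleanPhase(sourceEntries, destinationEntries, rules), null, 2));
```

Run with `node`: the sync phase yields a create for alice and an update of bob's mail only, the clean phase a delete for carol. The guard matters in practice because the clean phase is driven by what the source search returns; a broken filter or an unreachable source must not be read as "everything was removed upstream".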
Configuration overview
```xml
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="1">
  <connections></connections>
  <tasks></tasks>
</lsc>
```
LDAP connection
```xml
<ldapConnection>
  <name>ldap-dst-conn</name>
  <url>ldap://HOSTNAME/SUFFIX</url>
  <username>DN</username>
  <password>PWD</password>
  <authentication>SIMPLE</authentication>
  <referral>IGNORE</referral>
  <derefAliases>NEVER</derefAliases>
  <version>VERSION_3</version>
  <pageSize>-1</pageSize>
  <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
  <tlsActivated>false</tlsActivated>
</ldapConnection>
```
Database connection

```xml
<databaseConnection>
  <name>jdbc-src-conn</name>
  <url>jdbc:JDBC_URL</url>
  <username>USER</username>
  <password>PWD</password>
  <driver>JDBC_DRIVER</driver>
</databaseConnection>
```
Tasks
● Several tasks can be defined in one connector
● For each task:
  – Source service (using a connection definition)
  – Destination service (using a connection definition)
  – Synchronization rules

```xml
<task>
  <name>agent</name>
  <bean>org.lsc.beans.SimpleBean</bean>
  <databaseSourceService></databaseSourceService>
  <ldapDestinationService></ldapDestinationService>
  <propertiesBasedSyncOptions></propertiesBasedSyncOptions>
</task>
```
Available services
● Source services:
  – databaseSourceService
  – ldapSourceService
  – asyncLdapSourceService
● Destination services:
  – databaseDestinationService
  – ldapDestinationService
Synchronization rules
● <mainIdentifier>: how to compute the main identifier (DN for an LDAP service)
● <conditions>: allowed operations in the task (create, update, delete, changeId)
● <dataset>: mapping definition between source and destination attributes
Examples

```xml
<dataset>
  <name>objectClass</name>
  <policy>KEEP</policy>
  <forceValues>
    <string>"top"</string>
    <string>"person"</string>
    <string>"organizationalPerson"</string>
    <string>"inetOrgPerson"</string>
  </forceValues>
</dataset>
```

```xml
<dataset>
  <name>cn</name>
  <policy>FORCE</policy>
  <forceValues>
    <!-- Rhino script: the cn is built from two source columns, separated by a space -->
    <string><![CDATA[srcBean.getDatasetFirstValueById("FIRSTNAME") + " " + srcBean.getDatasetFirstValueById("NAME");]]></string>
  </forceValues>
</dataset>
```
LDAP Query Language
● Access to srcLdap (source) and ldap (destination) connection objects
● Special functions:
  – attribute(DN, attribute)
  – search(base, filter)
  – list(base, filter)
  – read(base, filter)
  – sup(DN, level)

```javascript
// Find the service entry whose uniqueMember is the source entry, and return its description
srcLdap.attribute(
  srcLdap.list("ou=services", "uniqueMember=" + srcBean.getDistinguishName()),
  'description'
).get(0)
```
Logs
● Logback: http://logback.qos.ch/
● Output formats:
  – Standard: org.lsc.utils.output.LdifLayout
  – LDIF: org.lsc.utils.output.LdifLayout
    – <onlyLdif>true</onlyLdif>
  – CSV: org.lsc.utils.output.CsvLayout
    – <logOperations>create,update</logOperations>
    – <attrs>dn;uid;sn;givenName;description;cn</attrs>
    – <separator>;</separator>
    – <outputHeader>true</outputHeader>
    – <taskNames>MyTask</taskNames>
Active Directory
Connection
● No anonymous access
● SSL required for some operations (password change)
● Paged results to avoid the 1000 entries limit
● Specific AD configuration to avoid the 1500 values limit (range retrieval of large multi-valued attributes such as member)
Schema
● Non standard objectClass user:
  – Inheritance chain: top → person → organizationalPerson → user
  – inetOrgPerson is derived from user in AD
● Non standard attributes:
  – sAMAccountName
  – unicodePwd
  – ...
Password
● Password can be written, cannot be read
● Attribute unicodePwd (~ clear text: the password in double quotes, UTF-16LE encoded)
● Old password remains valid for one hour
● A password accepted by the LDAP modify operation is not always accepted to authenticate (non-ASCII characters...)
LSC helpers
● aDTimeToUnixTimestamp(long aDTime): transform an AD timestamp to a Unix timestamp.
● aDTimeToUnixTimestamp(String aDTimeString): helper method to automatically parse an AD timestamp from a String before calling aDTimeToUnixTimestamp(long).
● getAccountExpires(String expireDate): returns the accountExpires time in Microsoft format.
● getAccountExpires(String expireDate, String format): returns the accountExpires time in the specified format.
● getNumberOfWeeksSinceLastLogon(String lastLogonTimestamp): returns the number of weeks since the last logon.
● getUnicodePwd(String password): encodes a password so that it can be updated in Active Directory in the field unicodePwd.
LSC helpers
● unixTimestampToADTime(int unixTimestamp): transform a Unix timestamp to an AD timestamp.
● unixTimestampToADTime(String unixTimestampString): helper method to automatically parse a Unix timestamp from a String before calling unixTimestampToADTime(int).
● userAccountControlCheck(int value, String constToCheck): check if a bit is set in userAccountControl.
● userAccountControlSet(int origValue, String[] constToApply): set or unset some bits of a userAccountControl attribute of an AD entry.
● userAccountControlToggle(int value, String constToApply): toggle a bit in userAccountControl.
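What the helpers on the two slides above actually compute, as an added example written in plain Node.js (not LSC's Java code and not runnable inside LSC's Rhino engine, which has no BigInt). The timestamp epoch, the userAccountControl bit values and the unicodePwd encoding are Microsoft's documented ones; the function names mirror the slides for readability, but the "SET_"/"UNSET_" string convention in userAccountControlSet is my own, not LSC's.

```javascript
// Added example (not LSC's own code): Node.js versions of the AD conversions
// the LSC helpers perform.

// AD stores accountExpires, lastLogonTimestamp, pwdLastSet... as the number of
// 100-nanosecond intervals since 1601-01-01 00:00 UTC. Values exceed 2^53, so
// they are handled as BigInt and returned as strings (the form LDAP gives them).
const SECONDS_1601_TO_1970 = 11644473600n;
const INTERVALS_PER_SECOND = 10000000n;

function aDTimeToUnixTimestamp(aDTime) {
  return Number(BigInt(aDTime) / INTERVALS_PER_SECOND - SECONDS_1601_TO_1970);
}

function unixTimestampToADTime(unixTimestamp) {
  return ((BigInt(unixTimestamp) + SECONDS_1601_TO_1970) * INTERVALS_PER_SECOND).toString();
}

// Whole weeks between lastLogonTimestamp and "now" (injectable so it is testable).
function getNumberOfWeeksSinceLastLogon(lastLogonTimestamp, nowUnix = Math.floor(Date.now() / 1000)) {
  return Math.floor((nowUnix - aDTimeToUnixTimestamp(lastLogonTimestamp)) / (7 * 86400));
}

// Subset of the userAccountControl bit flags (ADS_USER_FLAG_ENUM values).
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
  PASSWORD_EXPIRED: 0x800000,
};

function flag(name) {
  if (!(name in UAC)) throw new Error(`unknown userAccountControl flag ${name}`);
  return UAC[name];
}

function userAccountControlCheck(value, constToCheck) {
  return (value & flag(constToCheck)) !== 0;
}

// Each entry is "SET_<FLAG>" or "UNSET_<FLAG>" (my own convention); applied left to right.
function userAccountControlSet(origValue, constToApply) {
  let value = origValue;
  for (const item of constToApply) {
    if (item.startsWith("SET_")) value |= flag(item.slice(4));
    else if (item.startsWith("UNSET_")) value &= ~flag(item.slice(6));
    else throw new Error(`expected SET_/UNSET_ prefix, got ${item}`);
  }
  return value >>> 0;
}

function userAccountControlToggle(value, constToApply) {
  return (value ^ flag(constToApply)) >>> 0;
}

// unicodePwd is written as the password wrapped in double quotes and encoded in
// UTF-16LE, as a binary attribute value (base64 in LDIF). AD only accepts it over
// an encrypted connection (LDAPS).
function getUnicodePwd(password) {
  return Buffer.from(`"${password}"`, "utf16le");
}

console.log(aDTimeToUnixTimestamp("130000000000000000"));                        // 1355526400
console.log(userAccountControlSet(UAC.NORMAL_ACCOUNT, ["SET_ACCOUNTDISABLE"]));   // 514 (0x202)
console.log(getUnicodePwd("Pa$$w0rd").toString("base64"));
```

A disabled normal user is 0x202 (NORMAL_ACCOUNT | ACCOUNTDISABLE), which is why the common "enable the account after creation" step is an unset of ACCOUNTDISABLE on 0x202, not a write of 0x200 that would also clear any other flags the entry carries.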
Synchronize OpenLDAP and AD
Main configuration
● Create a simple LDAP to LDAP connector
● Define specific connection parameters for AD
● Use SSL to AD if you need to manage passwords
● Define specific attributes needed in AD
● Specify the search filters and the pivot attributes
● Write datasets for non linear attribute mapping
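The steps above put together, as an added example that is not a configuration from the slides or from the LSC project: an AD connection and destination service that apply the AD specificities already listed (no anonymous bind, LDAPS for password management, paged results under the 1000-entry limit), next to a dataset pushing unicodePwd from a clear-text source password. Host names, DNs and the service account are placeholders; the element names follow the LSC 2.0 sample lsc.xml as I remember it, the `{uid}` placeholder in getOneFilter is assumed to be substituted with the source pivot value, and `AD.getUnicodePwd` is assumed to be the scripting alias of the helper class from the previous slides. Check all three against the lsc-core XSD and the documentation of your LSC version.

```xml
<connections>
  <ldapConnection>
    <name>ad-dst-conn</name>
    <!-- ldaps:// rather than the slide's ldap://: AD refuses unicodePwd changes on a
         clear channel, and the bind password below would otherwise cross the network
         in clear. -->
    <url>ldaps://dc1.ad.example.com:636/DC=ad,DC=example,DC=com</url>
    <!-- A dedicated, least-privileged service account: AD allows no anonymous access. -->
    <username>CN=svc-lsc,OU=Service Accounts,DC=ad,DC=example,DC=com</username>
    <password>CHANGE_ME</password>
    <authentication>SIMPLE</authentication>
    <referral>IGNORE</referral>
    <derefAliases>NEVER</derefAliases>
    <version>VERSION_3</version>
    <!-- Paged results: AD caps an unpaged search at 1000 entries (MaxPageSize). -->
    <pageSize>1000</pageSize>
    <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
    <!-- StartTLS is not needed on top of ldaps:// -->
    <tlsActivated>false</tlsActivated>
  </ldapConnection>
</connections>

<!-- Inside a <task>: the destination service and one password dataset -->
<ldapDestinationService>
  <name>ad-dst-service</name>
  <connection reference="ad-dst-conn" />
  <baseDn>OU=Users,DC=ad,DC=example,DC=com</baseDn>
  <!-- Pivot on the logon name; uid on the OpenLDAP side -->
  <pivotAttributes>
    <string>sAMAccountName</string>
  </pivotAttributes>
  <fetchedAttributes>
    <string>sAMAccountName</string>
    <string>givenName</string>
    <string>sn</string>
    <string>mail</string>
    <string>userAccountControl</string>
  </fetchedAttributes>
  <!-- Exclude computer accounts, which are also objectClass user in AD -->
  <getAllFilter><![CDATA[(&(objectClass=user)(!(objectClass=computer)))]]></getAllFilter>
  <getOneFilter><![CDATA[(&(objectClass=user)(sAMAccountName={uid}))]]></getOneFilter>
  <cleanFilter><![CDATA[(&(objectClass=user)(sAMAccountName={sAMAccountName}))]]></cleanFilter>
</ldapDestinationService>

<dataset>
  <name>unicodePwd</name>
  <policy>FORCE</policy>
  <forceValues>
    <!-- Requires a clear-text userPassword in the source (second approach of the
         password slide); the helper adds the quotes and the UTF-16LE encoding. -->
    <string><![CDATA[AD.getUnicodePwd(srcBean.getDatasetFirstValueById("userPassword"))]]></string>
  </forceValues>
</dataset>
```

Two checks before running this against production: confirm with `openssl s_client -connect dc1.ad.example.com:636` that the DC certificate chains to a CA the LSC JVM trusts, otherwise the JNDI factory will fail the handshake; and run the task once without the clean phase so that a filter mistake shows up as "would delete" in the LDIF/CSV log rather than as deleted accounts.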
The password problem
● Several approaches:
  – Use AD as the authentication referential, and use SASL pass-through from OpenLDAP to forward the authentication to AD
  – Keep a plain text or symmetrically encrypted (reversible) password in OpenLDAP, to push the password with LSC
  – Catch the password when it is changed in AD, through SFU (Services For Unix), or with a password filter DLL (example: PasswdHK)
Almost the end...
Thanks
● Special thanks to:
  – RMLL/LSM and their organizers
  – Company LINAGORA
  – All LinID developers
● Keep in touch:
  – Identica: @coudot
  – Twitter: @clementoudot @LinID_FOSS
  – IRC: KPTN #LinID@freenode
  – Web: http://linid.org
Questions?
Thanks for your attention
http://www.linid.org
Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel: 0810 251 251 | Fax: +33 1 46 96 63 64
www.linagora.com