RMLL 2013 - Synchronize OpenLDAP and Active Directory with LSC

LDAP Synchronization Connector presentation, and how to synchronize OpenLDAP and Active Directory with it.


  1. Synchronize OpenLDAP and AD (Clément OUDOT, RMLL 2013)
  2. Table of contents
     ● LDAP Synchronization Connector (LSC)
     ● Active Directory specificities
     ● Synchronize OpenLDAP and AD
  3. Resume
  4. Clément OUDOT
     ● Engineer since 2003 at LINAGORA company
     ● LinID Dream Team Manager: http://linid.org
     ● Founder of LDAP Tool Box project: http://ltb-project.org
     ● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
  5. LDAP Synchronization Connector
  6. LDAP Synchronization Connector
     ● Free software
     ● BSD license
     ● Written in Java
     ● XML configuration files
     ● http://lsc-project.org
  7. LDAP Synchronization Connector
     ● Synchronization:
        ● From/to LDAP, SQL, files
        ● One-shot or continuous
        ● CSV or LDIF exports of what has been synchronized
     ● Data manipulation engine: JavaScript (Rhino), Groovy
     ● LDAP API for scripts
  8. Main features
     ● Source and destination connectors:
        ● LDAPv3 directories
        ● JDBC compatible databases
        ● Flat files
        ● Plugins: Google Apps, ...
     ● LDAPv3 advanced support:
        ● StartTLS, LDAPS
        ● Paged result
        ● LDAP Sync (SyncRepl), Persistent search
  9. How it works
     ● Sync phase:
        ● Read all entries in source, get the pivot attribute
        ● For each entry, read the entry in source and in destination, using the pivot attribute
        ● Apply modifications or create the entry in destination
     ● Clean phase:
        ● Read all entries in destination, get the pivot attribute
        ● For each entry, read the entry in source using the pivot attribute
        ● Delete the entry in destination if not found in source
  10. Configuration overview
      <?xml version="1.0" ?>
      <lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" revision="1">
        <connections></connections>
        <tasks></tasks>
      </lsc>
  11. LDAP connection
      <ldapConnection>
        <name>ldap-dst-conn</name>
        <url>ldap://HOSTNAME/SUFFIX</url>
        <username>DN</username>
        <password>PWD</password>
        <authentication>SIMPLE</authentication>
        <referral>IGNORE</referral>
        <derefAliases>NEVER</derefAliases>
        <version>VERSION_3</version>
        <pageSize>-1</pageSize>
        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
        <tlsActivated>false</tlsActivated>
      </ldapConnection>
  12. Database connection
      <databaseConnection>
        <name>jdbc-src-conn</name>
        <url>jdbc:JDBC_URL</url>
        <username>USER</username>
        <password>PWD</password>
        <driver>JDBC_DRIVER</driver>
      </databaseConnection>
  13. Tasks
      ● Several tasks can be defined in one connector
      ● For each task:
         ● Source service (using a connection definition)
         ● Destination service (using a connection definition)
         ● Synchronization rules
      <task>
        <name>agent</name>
        <bean>org.lsc.beans.SimpleBean</bean>
        <databaseSourceService></databaseSourceService>
        <ldapDestinationService></ldapDestinationService>
        <propertiesBasedSyncOptions></propertiesBasedSyncOptions>
      </task>
  14. Available services
      ● Source services
         ● databaseSourceService
         ● ldapSourceService
         ● asyncLdapSourceService
      ● Destination services
         ● databaseDestinationService
         ● ldapDestinationService
  15. Synchronization rules
      ● <mainIdentifier>: how to compute the main identifier (DN for an LDAP service)
      ● <conditions>: allowed operations in the task (create, update, delete, changeId)
      ● <dataset>: mapping definition between source and destination attributes
  16. Examples
      <dataset>
        <name>objectClass</name>
        <policy>KEEP</policy>
        <forceValues>
          <string>"top"</string>
          <string>"person"</string>
          <string>"organizationalPerson"</string>
          <string>"inetOrgPerson"</string>
        </forceValues>
      </dataset>
      <dataset>
        <name>cn</name>
        <policy>FORCE</policy>
        <forceValues>
          <string><![CDATA[
            srcBean.getDatasetFirstValueById("FIRSTNAME") + srcBean.getDatasetFirstValueById("NAME");
          ]]></string>
        </forceValues>
      </dataset>
  17. LDAP Query Language
      ● Access to srcLdap (source) and ldap (destination) connection objects
      ● Special functions:
         ● attribute(DN, attribute)
         ● search(base, filter)
         ● list(base, filter)
         ● read(base, filter)
         ● sup(DN, level)
      srcLdap.attribute(
        srcLdap.list("ou=services", "uniqueMember=" + srcBean.getDistinguishName()),
        "description"
      ).get(0)
  18. Logs
      ● Logback: http://logback.qos.ch/
      ● Output formats:
         ● Standard: org.lsc.utils.output.LdifLayout
         ● LDIF: org.lsc.utils.output.LdifLayout
            – <onlyLdif>true</onlyLdif>
         ● CSV: org.lsc.utils.output.CsvLayout
            – <logOperations>create,update</logOperations>
            – <attrs>dn;uid;sn;givenName;description;cn</attrs>
            – <separator>;</separator>
            – <outputHeader>true</outputHeader>
            – <taskNames>MyTask</taskNames>
  19. Active Directory
  20. Connection
      ● No anonymous access
      ● SSL required for some operations (password change)
      ● Paged results to avoid the 1000-entry limit
      ● Specific AD configuration to avoid the 1500-value limit (range)
  21. Schema
      ● Non-standard objectClass user:
         ● top – person
         ● organizationalPerson – user
         ● inetOrgPerson
      ● Non-standard attributes:
         ● sAMAccountName
         ● unicodePwd
         ● ...
  22. Password
      ● Password can be written, cannot be read
      ● Attribute unicodePwd (~ clear text)
      ● The old password remains valid for one hour
      ● Passwords accepted by the LDAP modify operation are not always accepted for authentication (non-ASCII characters...)
  23. LSC helpers
      ● aDTimeToUnixTimestamp(long aDTime): transform an AD timestamp to a Unix timestamp.
      ● aDTimeToUnixTimestamp(String aDTimeString): helper method to automatically parse an AD timestamp from a String before calling aDTimeToUnixTimestamp(long).
      ● getAccountExpires(String expireDate): returns the accountExpires time in Microsoft format.
      ● getAccountExpires(String expireDate, String format): returns the accountExpires time in the specified format.
      ● getNumberOfWeeksSinceLastLogon(String lastLogonTimestamp): returns the number of weeks since the last logon.
      ● getUnicodePwd(String password): encode a password so that it can be updated in Active Directory in the field unicodePwd.
  24. LSC helpers
      ● unixTimestampToADTime(int unixTimestamp): transform a Unix timestamp to an AD timestamp.
      ● unixTimestampToADTime(String unixTimestampString): helper method to automatically parse a Unix timestamp from a String before calling unixTimestampToADTime(int).
      ● userAccountControlCheck(int value, String constToCheck): check if a bit is set in userAccountControl.
      ● userAccountControlSet(int origValue, String[] constToApply): set or unset some bits in the userAccountControl attribute of an AD entry.
      ● userAccountControlToggle(int value, String constToApply): toggle a bit in userAccountControl.
  25. Synchronize OpenLDAP and AD
  26. Main configuration
      ● Create a simple LDAP to LDAP connector
      ● Define specific connection parameters for AD
      ● Use SSL to AD if you need to manage passwords
      ● Define specific attributes needed in AD
      ● Specify the search filters and the pivot attributes
      ● Write datasets for non-linear attribute mapping
  27. The password problem
      ● Several approaches:
         ● Use AD as the authentication referential, and use SASL from OpenLDAP to forward the authentication to AD
         ● Keep a plain text or symmetrically encrypted password in OpenLDAP, to push the password with LSC
         ● Catch the password when it is changed in AD, through SFU (Services For Unix), or with a password filter DLL (example: PasswdHK)
  28. Almost the end...
  29. 18-19 November, Paris: http://www.ldapcon.org
  30. Thanks
      ● Special thanks to:
         ● RMLL/LSM and their organizers
         ● Company LINAGORA
         ● All LinID developers
      ● Keep in touch:
         ● Identica: @coudot
         ● Twitter: @clementoudot @LinID_FOSS
         ● IRC: KPTN #LinID@freenode
         ● Web: http://linid.org
  31. 31. 31 Questions?
  32. Thanks for your attention. http://www.linid.org. Open Source software and services. 80 rue Roque de Fillol, 92800 PUTEAUX. Tel: 0810 251 251, Fax: +33 1 46 96 63 64, www.linagora.com
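The AD helpers listed on slides 23 and 24 hide three conversions worth seeing in the open: the 100-nanosecond FILETIME epoch behind AD timestamps, the userAccountControl bit mask, and the quoted UTF-16LE encoding of unicodePwd. The following is an added example, not LSC's own code: plain Node.js re-implementations of those conversions (function names mirror the helpers; the "-FLAG" convention for clearing a bit and the injectable `now` are this example's own assumptions).

```javascript
// Added example, not LSC's own code: plain JavaScript re-implementations of the
// conversions behind the AD helpers listed above, so the values can be checked
// offline. The "-FLAG" unset convention and the `now` parameter are assumptions.
const EPOCH_DIFF = 11644473600n;        // seconds from 1601-01-01 (AD epoch) to 1970-01-01
const HUNDRED_NS_PER_SECOND = 10000000n;

// Well-known userAccountControl bit flags (subset).
const UAC = { ACCOUNTDISABLE: 0x2, NORMAL_ACCOUNT: 0x200,
              DONT_EXPIRE_PASSWORD: 0x10000, PASSWORD_EXPIRED: 0x800000 };

// AD timestamps are 100-ns ticks since 1601; they exceed 2^53, hence BigInt.
function aDTimeToUnixTimestamp(aDTime) {
  return Number(BigInt(aDTime) / HUNDRED_NS_PER_SECOND - EPOCH_DIFF);
}

function unixTimestampToADTime(unixTimestamp) {
  return ((BigInt(unixTimestamp) + EPOCH_DIFF) * HUNDRED_NS_PER_SECOND).toString();
}

// Stale-account indicator; `now` (Unix seconds) is injectable for reproducibility.
function getNumberOfWeeksSinceLastLogon(lastLogonTimestamp, now = Date.now() / 1000) {
  const last = aDTimeToUnixTimestamp(lastLogonTimestamp);
  return Math.floor((now - last) / (7 * 24 * 3600));
}

function userAccountControlCheck(value, constToCheck) {
  return (value & UAC[constToCheck]) !== 0;
}

// "FLAG" sets a bit, "-FLAG" clears it (this example's convention).
function userAccountControlSet(origValue, constToApply) {
  return constToApply.reduce((v, name) => name.startsWith('-')
    ? v & ~UAC[name.slice(1)] : v | UAC[name], origValue);
}

function userAccountControlToggle(value, constToApply) {
  return value ^ UAC[constToApply];
}

// unicodePwd expects the password wrapped in double quotes and encoded UTF-16LE;
// in LDIF the bytes are then base64-encoded. Only the encoding changes: the value
// is still the clear-text password, which is why the slides require SSL to AD.
function getUnicodePwd(password) {
  return Buffer.from('"' + password + '"', 'utf16le');
}

function getUnicodePwdBase64(password) {
  return getUnicodePwd(password).toString('base64');
}
```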
