Synchronize OpenLDAP with Active Directory The LSC project Clément OUDOT

Introduction The LSC project Active Directory specificities Advanced LDAP functionalities Demonstration Table of contents

Introduction

The LSC project

Active Directory specificities

Advanced LDAP functionalities

Demonstration

Having just one single user database in our information system is a dream Having just Open Source in our information system is dream But drive Active Directory from OpenLDAP is now a reality, thanks to LSC project Introduction

Having just one single user database in our information system is a dream

Having just Open Source in our information system is dream

But drive Active Directory from OpenLDAP is now a reality, thanks to LSC project

The LSC project LDAP Synchronization Connector BSD licence Java LDAP provisioning from databases, flat files and LDAP directories Extended functions for Active Directory LDAP Query Language (LQL)

LDAP Synchronization Connector

BSD licence

Java

LDAP provisioning from databases, flat files and LDAP directories

Extended functions for Active Directory

LDAP Query Language (LQL)

Overview

Input Two requests methods: LDAP (JNDI) SQL (JDBC) Three inputs: LDAP directories (LDAP queries) Databases (SQL queries) CSV files (injected in local HSQLDB)

Two requests methods:

LDAP (JNDI)

SQL (JDBC)

Three inputs:

LDAP directories (LDAP queries)

Databases (SQL queries)

CSV files (injected in local HSQLDB)

LSC engine

Create a connector Download lsc-sample archive Run maven to get dependencies Run the code generation wizard Configure your rules in lsc.properties

Download lsc-sample archive

Run maven to get dependencies

Run the code generation wizard

Configure your rules in lsc.properties

LDAP connection Use SSL (ldaps://) or TLS (startTLS) Paged search result Recursive delete All JNDI options: Referrals handling Aliases dereferencing Extended matching filters src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory src.java.naming.ldap.derefAliases = never src.java.naming.ldap.version = 3 src.java.naming.provider.url = ldap://localhost/dc=example,dc=com src.java.naming.referral = ignore src.java.naming.security.authentication = simple src.java.naming.security.principal = cn=admin,dc=example,dc=com src.java.naming.security.credentials = secret Example

Use SSL (ldaps://) or TLS (startTLS)

Paged search result

Recursive delete

All JNDI options:

Referrals handling

Aliases dereferencing

Extended matching filters

Definition of a task Task name Task type (db2ldap or ldap2ldap) Bean for destination (dstBean) Object for source (mapped in srcBean) DN template Conditions for create/delete/modify/modrdn For source and destination: Base Filter (All and and Id) Attributes Pivot attributes

Task name

Task type (db2ldap or ldap2ldap)

Bean for destination (dstBean)

Object for source (mapped in srcBean)

DN template

Conditions for create/delete/modify/modrdn

For source and destination:

Base

Filter (All and and Id)

Attributes

Pivot attributes

Definition of a task lsc.tasks = user lsc.tasks.user.type = ldap2ldap lsc.tasks.user.bean = org.lsc.beans.userBean lsc.tasks.user.object = org.lsc.objects.inetOrgPerson lsc.tasks.user.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=users" lsc.tasks.user.srcService = org.lsc.jndi.SimpleJndiSrcService lsc.tasks.user.srcService.attrs = uid cn sn givenName mail o lsc.tasks.user.srcService.baseDn = ou=users lsc.tasks.user.srcService.filterAll = (objectClass=inetOrgPerson) lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(|(uid={samaccountname})(uid={uid}))) lsc.tasks.user.srcService.pivotAttrs = uid lsc.tasks.user.dstService = org.lsc.jndi.SimpleJndiDstService lsc.tasks.user.dstService.attrs = cn sn givenName mail company objectClass sAMAccountName lsc.tasks.user.dstService.baseDn = ou=users lsc.tasks.user.dstService.filterAll = (objectClass=user) lsc.tasks.user.dstService.filterId = (&(objectClass=user)(|(sAMAccountName={uid})(sAMAccountName={samaccountname}))) lsc.tasks.user.dstService.pivotAttrs = sAMAccountName Example

Synchronization options Action: Force/Keep/Merge Value modification type: Create/Default/Force SrcBean and dstBean methods: getDistinghuishName getAttributeValueById Multi-valued attributes with configurable delimiter (';' by default) Rhino Javascript engine

Action: Force/Keep/Merge

Value modification type: Create/Default/Force

SrcBean and dstBean methods:

getDistinghuishName

getAttributeValueById

Multi-valued attributes with configurable delimiter (';' by default)

Rhino Javascript engine

Synchronization options lsc.syncoptions.user = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions lsc.syncoptions.user.default.action = F lsc.syncoptions.user.company.force_value = srcBean.getAttributeValueById("o") lsc.syncoptions.user.name.force_value = srcBean.getAttributeValueById("cn") lsc.syncoptions.user.displayName.force_value = srcBean.getAttributeValueById("cn") lsc.syncoptions.user.objectClass.force_value = "top";"user";"person";"organizationalPerson" lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid") lsc.syncoptions.user.userPrincipalName.create_value = srcBean.getAttributeValueById("uid") + "@example.com" lsc.syncoptions.user.scriptPath.create_value = "demo.bat" Example

Active Directory Use Paged Search to bypass 1000 entries limit UserAccountControl: userAccountControlSet userAccountControlCheck userAccountControlToogle Password: GetUnicodePwd LastLogon: getNumberOfWeeksSinceLastLogon

Use Paged Search to bypass 1000 entries limit

UserAccountControl:

userAccountControlSet

userAccountControlCheck

userAccountControlToogle

Password:

GetUnicodePwd

LastLogon:

getNumberOfWeeksSinceLastLogon

LDAP Query Language Access to srcLdap (source) and ldap (destination) connection objects Special functions: attribute(DN, attribute) search(base, filter) list(base, filter) read(base, filter) sup(DN, level) lsc.syncoptions.user.givenName.force_value = srcLdap.attribute( srcLdap.list( "ou=services", "uniqueMember=" + srcBean.getDistinguishName() + "" ), 'description').get(0) Example

Access to srcLdap (source) and ldap (destination) connection objects

Special functions:

attribute(DN, attribute)

search(base, filter)

list(base, filter)

read(base, filter)

sup(DN, level)

See also Official LSC page : http://lsc-project.org LDAP Tool Box project : Nagios and Cacti scripts OpenLDAP RPM LDAP scripts Web application for user to change their password (OpenLDAP and Active Directory) http://ltb-project.org

Official LSC page : http://lsc-project.org

LDAP Tool Box project :

Nagios and Cacti scripts

OpenLDAP RPM

LDAP scripts

Web application for user to change their password (OpenLDAP and Active Directory)

http://ltb-project.org

Thank you for your attention Visit us at our stand 107 - hall 7.2b