Synchronize OpenLDAP with Active Directory: The LSC project
Clément OUDOT
Table of contents
- Introduction
- The LSC project
- Active Directory specificities
- Advanced LDAP functionalities
- Demonstration
Introduction
- Having a single user database in the information system is a dream
- Having only Open Source in the information system is a dream
- But driving Active Directory from OpenLDAP is now a reality, thanks to the LSC project
The LSC project
- LDAP Synchronization Connector
- BSD licence
- Java
- LDAP provisioning from databases, flat files and LDAP directories
- Extended functions for Active Directory
- LDAP Query Language (LQL)
Overview
Input
- Two request methods:
  - LDAP (JNDI)
  - SQL (JDBC)
- Three inputs:
  - LDAP directories (LDAP queries)
  - Databases (SQL queries)
  - CSV files (injected into a local HSQLDB)
LSC engine
Create a connector
- Download the lsc-sample archive
- Run Maven to get the dependencies
- Run the code generation wizard
- Configure your rules in lsc.properties
LDAP connection
- Use SSL (ldaps://) or TLS (startTLS)
- Paged search results
- Recursive delete
- All JNDI options:
  - Referrals handling
  - Aliases dereferencing
  - Extended matching filters

Example:
  src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
  src.java.naming.ldap.derefAliases = never
  src.java.naming.ldap.version = 3
  src.java.naming.provider.url = ldap://localhost/dc=example,dc=com
  src.java.naming.referral = ignore
  src.java.naming.security.authentication = simple
  src.java.naming.security.principal = cn=admin,dc=example,dc=com
  src.java.naming.security.credentials = secret

Note that this example does a simple bind over plain ldap:// to localhost, so the bind password travels in cleartext; that is acceptable on a loopback or otherwise protected link only. Against a remote OpenLDAP or Active Directory server use ldaps:// or startTLS as recommended above, and restrict read access to lsc.properties, since it stores the privileged credentials.
Definition of a task
- Task name
- Task type (db2ldap or ldap2ldap)
- Bean for the destination (dstBean)
- Object for the source (mapped in srcBean)
- DN template
- Conditions for create/delete/modify/modrdn
- For source and destination:
  - Base
  - Filters (filterAll and filterId)
  - Attributes
  - Pivot attributes

Example:
  lsc.tasks = user
  lsc.tasks.user.type = ldap2ldap
  lsc.tasks.user.bean = org.lsc.beans.userBean
  lsc.tasks.user.object = org.lsc.objects.inetOrgPerson
  lsc.tasks.user.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=users"
  lsc.tasks.user.srcService = org.lsc.jndi.SimpleJndiSrcService
  lsc.tasks.user.srcService.attrs = uid cn sn givenName mail o
  lsc.tasks.user.srcService.baseDn = ou=users
  lsc.tasks.user.srcService.filterAll = (objectClass=inetOrgPerson)
  lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(|(uid={samaccountname})(uid={uid})))
  lsc.tasks.user.srcService.pivotAttrs = uid
  lsc.tasks.user.dstService = org.lsc.jndi.SimpleJndiDstService
  lsc.tasks.user.dstService.attrs = cn sn givenName mail company objectClass sAMAccountName
  lsc.tasks.user.dstService.baseDn = ou=users
  lsc.tasks.user.dstService.filterAll = (objectClass=user)
  lsc.tasks.user.dstService.filterId = (&(objectClass=user)(|(sAMAccountName={uid})(sAMAccountName={samaccountname})))
  lsc.tasks.user.dstService.pivotAttrs = sAMAccountName

The DN template concatenates the source cn as-is; a cn containing DN special characters (',', '+', '"', '\', '<', '>', ';') would have to be escaped according to RFC 4514 before it is usable as an RDN value.
Synchronization options
- Action: Force/Keep/Merge
- Value modification type: Create/Default/Force
- srcBean and dstBean methods:
  - getDistinguishName
  - getAttributeValueById
- Multi-valued attributes with a configurable delimiter (';' by default)
- Rhino JavaScript engine

Example (F = Force):
  lsc.syncoptions.user = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
  lsc.syncoptions.user.default.action = F
  lsc.syncoptions.user.company.force_value = srcBean.getAttributeValueById("o")
  lsc.syncoptions.user.name.force_value = srcBean.getAttributeValueById("cn")
  lsc.syncoptions.user.displayName.force_value = srcBean.getAttributeValueById("cn")
  lsc.syncoptions.user.objectClass.force_value = "top";"user";"person";"organizationalPerson"
  lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
  lsc.syncoptions.user.userPrincipalName.create_value = srcBean.getAttributeValueById("uid") + "@example.com"
  lsc.syncoptions.user.scriptPath.create_value = "demo.bat"
Active Directory
- Use paged search to get past the 1000-entry server-side result limit (MaxPageSize)
- userAccountControl:
  - userAccountControlSet
  - userAccountControlCheck
  - userAccountControlToggle
- Password:
  - getUnicodePwd
- LastLogon:
  - getNumberOfWeeksSinceLastLogon

Two caveats when using these against a real domain: Active Directory only accepts a unicodePwd modification over an encrypted connection (ldaps:// or startTLS), and lastLogon is not replicated between domain controllers, so a value read from one DC only reflects logons that DC handled (lastLogonTimestamp is replicated, but with a coarse update interval).
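The three Active Directory conversions the slide names (userAccountControl bit handling, unicodePwd encoding and lastLogon conversion) implemented stand-alone, as an added example that is not LSC's own code: LSC's helpers live in its Java AD utility class and are only mirrored loosely here. It is written in JavaScript because that is what LSC's Rhino sync expressions are evaluated in. The function names, the flag subset and the sample entries are assumptions constructed for this example.

```javascript
// Added example, not LSC code: stand-alone re-implementations of the three
// Active Directory helpers the slide names (userAccountControl bit handling,
// unicodePwd encoding, lastLogon conversion). The function names mirror
// LSC's only loosely and are assumptions; the sample entries are constructed.

// userAccountControl bit flags, as documented by Microsoft (subset).
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// AD hands userAccountControl over LDAP as a decimal string, so accept both.
function userAccountControlSet(current, flag) {
  return (Number(current) | flag) >>> 0;
}
function userAccountControlCheck(current, flag) {
  return (Number(current) & flag) === flag;
}
function userAccountControlToggle(current, flag) {
  return (Number(current) ^ flag) >>> 0;
}

// unicodePwd is written as the password wrapped in double quotes and encoded
// UTF-16LE; AD only accepts the modification over an encrypted connection.
function encodeUnicodePwd(password) {
  return Buffer.from('"' + password + '"', 'utf16le');
}

// lastLogon is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
// BigInt avoids losing precision, since FILETIME values exceed 2^53.
const FILETIME_EPOCH_DIFF_MS = 11644473600000n; // 1601-01-01 to 1970-01-01

function filetimeToDate(filetime) {
  const ft = BigInt(filetime);
  if (ft === 0n) return null; // 0 means the account never logged on
  return new Date(Number(ft / 10000n - FILETIME_EPOCH_DIFF_MS));
}

function getNumberOfWeeksSinceLastLogon(filetime, now = new Date()) {
  const last = filetimeToDate(filetime);
  if (last === null) return null; // caller decides how to treat "never"
  return Math.floor((now.getTime() - last.getTime()) / (7 * 24 * 3600 * 1000));
}

// Constructed sample entries (not real data), shaped like what a destination
// search over AD would return to a sync expression.
const SAMPLE_ENTRIES = [
  { sAMAccountName: 'alice', userAccountControl: '512',   lastLogon: '132000000000000000' },
  { sAMAccountName: 'bob',   userAccountControl: '514',   lastLogon: '0' },
  { sAMAccountName: 'carol', userAccountControl: '66048', lastLogon: '116444736000000000' },
];

// Enabled accounts that have not logged on for at least `weeks` weeks, or never:
// the usual input for a "disable stale accounts" rule.
function staleEnabledAccounts(entries, weeks, now = new Date()) {
  return entries
    .filter((e) => !userAccountControlCheck(e.userAccountControl, UAC.ACCOUNTDISABLE))
    .filter((e) => {
      const w = getNumberOfWeeksSinceLastLogon(e.lastLogon, now);
      return w === null || w >= weeks;
    })
    .map((e) => e.sAMAccountName);
}

// Stand-alone run: print the userAccountControl value each stale account would
// get once the disable flag is set.
const referenceNow = new Date(Date.UTC(2019, 3, 20));
for (const name of staleEnabledAccounts(SAMPLE_ENTRIES, 4, referenceNow)) {
  const entry = SAMPLE_ENTRIES.find((e) => e.sAMAccountName === name);
  console.log(name, '->', userAccountControlSet(entry.userAccountControl, UAC.ACCOUNTDISABLE));
}
```

The value 514 in the sample is 512 (NORMAL_ACCOUNT) with bit 0x0002 (ACCOUNTDISABLE) set, which is why bob is skipped by the stale-account rule even though he never logged on; carol (66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD) is enabled and has a 1970 lastLogon, so she is reported. A lastLogon of 0 is returned as null rather than as a huge number of weeks so that the rule can treat "never logged on" explicitly.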
LDAP Query Language
- Access to the srcLdap (source) and ldap (destination) connection objects
- Special functions:
  - attribute(DN, attribute)
  - search(base, filter)
  - list(base, filter)
  - read(base, filter)
  - sup(DN, level)

Example:
  lsc.syncoptions.user.givenName.force_value = srcLdap.attribute( srcLdap.list( "ou=services", "(uniqueMember=" + srcBean.getDistinguishName() + ")" ), 'description').get(0)

Two things to check before using an expression like this in production: the DN is concatenated into the search filter without escaping, so any filter metacharacter in it ('\', '*', '(', ')') must be escaped as RFC 4515 requires or the filter breaks or matches more than intended; and .get(0) assumes every user is a uniqueMember of at least one entry under ou=services.
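Escaping the DN before it is concatenated into the filter, as an added example that is not part of the slides or of LSC/LQL. The unsafe builder reproduces what the expression above does; the hardened one applies RFC 4515 escaping first. A small in-memory matcher (an assumption of this example, not an LDAP server and not a full filter parser) shows the difference on constructed group entries.

```javascript
// Added example, not LSC or LQL code: escaping a DN before concatenating it
// into an LDAP filter, as the slide's expression does with
// srcBean.getDistinguishName(). Function names and the sample groups are
// assumptions constructed for this example.

// RFC 4515: '\', '*', '(', ')' and NUL inside a filter value become \XX (hex).
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// What the slide's expression builds: the DN goes in unescaped.
function memberFilterUnsafe(dn) {
  return '(uniqueMember=' + dn + ')';
}

// Hardened form: escape first, then concatenate.
function memberFilterSafe(dn) {
  return '(uniqueMember=' + escapeFilterValue(dn) + ')';
}

// A tiny matcher for "(attr=value)" filters over in-memory entries, so the
// difference can be seen without a directory server. It handles only the
// equality assertion, the '*' wildcard and \XX escapes; it is not a filter parser.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function equalityFilterToMatcher(filter) {
  const m = /^\((\w+)=(.*)\)$/.exec(filter);
  if (!m) throw new Error('unsupported filter: ' + filter);
  const [, attr, raw] = m;
  let pattern = '';
  for (let i = 0; i < raw.length; i++) {
    const ch = raw[i];
    if (ch === '*') {
      pattern += '.*'; // substring wildcard
    } else if (ch === '\\') {
      const code = parseInt(raw.slice(i + 1, i + 3), 16);
      pattern += escapeRegExp(String.fromCharCode(code)); // escaped literal
      i += 2;
    } else {
      pattern += escapeRegExp(ch);
    }
  }
  const re = new RegExp('^' + pattern + '$');
  return (entry) => [].concat(entry[attr] || []).some((v) => re.test(v));
}

// Constructed sample group entries under ou=services (not real data).
const SAMPLE_GROUPS = [
  { dn: 'cn=admins,ou=services', uniqueMember: ['cn=alice,ou=users'], description: ['Administrators'] },
  { dn: 'cn=sales,ou=services', uniqueMember: ['cn=bob,ou=users', 'cn=carol,ou=users'], description: ['Sales'] },
];

// Equivalent of srcLdap.attribute(srcLdap.list("ou=services", filter), 'description'):
// the description of every group whose uniqueMember matches the filter.
function descriptionsOfGroupsContaining(dn, makeFilter, groups = SAMPLE_GROUPS) {
  const matches = equalityFilterToMatcher(makeFilter(dn));
  return groups.filter(matches).map((g) => g.description[0]);
}

// Stand-alone run: a DN of "cn=*" turns the unsafe filter into a wildcard
// that returns every group; the escaped filter returns nothing.
console.log(descriptionsOfGroupsContaining('cn=alice,ou=users', memberFilterUnsafe));
console.log(descriptionsOfGroupsContaining('cn=*', memberFilterUnsafe));
console.log(descriptionsOfGroupsContaining('cn=*', memberFilterSafe));
```

For a legitimate DN the two builders return the same result; they only differ when the DN carries filter metacharacters, which is exactly the case where the unescaped version silently changes the query. Escaping is also what makes a DN such as cn=Smith\, John,ou=users (backslash-escaped comma in the RDN) searchable at all, since the backslash has to become \5c inside the filter.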
See also
- Official LSC page: http://lsc-project.org
- LDAP Tool Box project:
  - Nagios and Cacti scripts
  - OpenLDAP RPM
  - LDAP scripts
  - Web application for users to change their password (OpenLDAP and Active Directory)
  - http://ltb-project.org
Thank you for your attention
Visit us at our stand 107 - hall 7.2b