Synchronize OpenLDAP with Active Directory with LSC project

Transcript

  • Synchronize OpenLDAP with Active Directory: The LSC project (Clément OUDOT)
  • Table of contents
    • Introduction
    • The LSC project
    • Active Directory specificities
    • Advanced LDAP functionalities
    • Demonstration
  • Introduction
    • Having just one single user database in our information system is a dream
    • Having just Open Source in our information system is a dream
    • But driving Active Directory from OpenLDAP is now a reality, thanks to the LSC project
  • The LSC project
    • LDAP Synchronization Connector
    • BSD licence
    • Java
    • LDAP provisioning from databases, flat files and LDAP directories
    • Extended functions for Active Directory
    • LDAP Query Language (LQL)
  • Overview
  • Input
    • Two request methods:
      • LDAP (JNDI)
      • SQL (JDBC)
    • Three inputs:
      • LDAP directories (LDAP queries)
      • Databases (SQL queries)
      • CSV files (injected into a local HSQLDB)
  • LSC engine
  • Create a connector
    • Download the lsc-sample archive
    • Run Maven to get the dependencies
    • Run the code generation wizard
    • Configure your rules in lsc.properties
  • LDAP connection
    • Use SSL (ldaps://) or TLS (startTLS)
    • Paged search result
    • Recursive delete
    • All JNDI options:
      • Referrals handling
      • Aliases dereferencing
      • Extended matching filters
    Example:
      src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
      src.java.naming.ldap.derefAliases = never
      src.java.naming.ldap.version = 3
      src.java.naming.provider.url = ldap://localhost/dc=example,dc=com
      src.java.naming.referral = ignore
      src.java.naming.security.authentication = simple
      src.java.naming.security.principal = cn=admin,dc=example,dc=com
      src.java.naming.security.credentials = secret
  • Definition of a task
    • Task name
    • Task type (db2ldap or ldap2ldap)
    • Bean for destination (dstBean)
    • Object for source (mapped in srcBean)
    • DN template
    • Conditions for create/delete/modify/modrdn
    • For source and destination: service class, attributes, base DN, filters and pivot attributes (see the example)
    Example:
      lsc.tasks = user
      lsc.tasks.user.type = ldap2ldap
      lsc.tasks.user.bean = org.lsc.beans.userBean
      lsc.tasks.user.object = org.lsc.objects.inetOrgPerson
      lsc.tasks.user.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=users"
      lsc.tasks.user.srcService = org.lsc.jndi.SimpleJndiSrcService
      lsc.tasks.user.srcService.attrs = uid cn sn givenName mail o
      lsc.tasks.user.srcService.baseDn = ou=users
      lsc.tasks.user.srcService.filterAll = (objectClass=inetOrgPerson)
      lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(|(uid={samaccountname})(uid={uid})))
      lsc.tasks.user.srcService.pivotAttrs = uid
      lsc.tasks.user.dstService = org.lsc.jndi.SimpleJndiDstService
      lsc.tasks.user.dstService.attrs = cn sn givenName mail company objectClass sAMAccountName
      lsc.tasks.user.dstService.baseDn = ou=users
      lsc.tasks.user.dstService.filterAll = (objectClass=user)
      lsc.tasks.user.dstService.filterId = (&(objectClass=user)(|(sAMAccountName={uid})(sAMAccountName={samaccountname})))
      lsc.tasks.user.dstService.pivotAttrs = sAMAccountName
  • Synchronization options
    • Action: Force/Keep/Merge
    • Value modification type: Create/Default/Force
    • srcBean and dstBean methods:
      • getDistinguishName
      • getAttributeValueById
    • Multi-valued attributes with configurable delimiter (';' by default)
    • Rhino JavaScript engine
    Example:
      lsc.syncoptions.user = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
      lsc.syncoptions.user.default.action = F
      lsc.syncoptions.user.company.force_value = srcBean.getAttributeValueById("o")
      lsc.syncoptions.user.name.force_value = srcBean.getAttributeValueById("cn")
      lsc.syncoptions.user.displayName.force_value = srcBean.getAttributeValueById("cn")
      lsc.syncoptions.user.objectClass.force_value = "top";"user";"person";"organizationalPerson"
      lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
      lsc.syncoptions.user.userPrincipalName.create_value = srcBean.getAttributeValueById("uid") + "@example.com"
      lsc.syncoptions.user.scriptPath.create_value = "demo.bat"
  • Active Directory
    • Use paged search to bypass the 1000 entries limit
    • userAccountControl:
      • userAccountControlSet
      • userAccountControlCheck
      • userAccountControlToggle
    • Password:
      • GetUnicodePwd
    • LastLogon:
      • getNumberOfWeeksSinceLastLogon
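As an added example, not LSC's own code, this plain JavaScript shows what the Active Directory helpers named above have to do: the function names follow the slide, but their signatures, the `shouldDisable` rule and the sample values are assumptions; the flag values are Microsoft's documented userAccountControl bits.

```javascript
// Added example, not LSC's code: the Active Directory helpers named on the
// slide, reimplemented in plain JavaScript with assumed signatures.

// userAccountControl bit flags (Microsoft-documented values)
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// userAccountControlCheck: is every bit of `flag` set in the current value?
// AD returns the attribute as a decimal string, hence Number().
function userAccountControlCheck(value, flag) {
  return (Number(value) & flag) === flag;
}

// userAccountControlSet: return the value with `flag` set (on) or cleared
// (off), leaving all other bits untouched
function userAccountControlSet(value, flag, on) {
  const v = Number(value);
  return on ? (v | flag) : (v & ~flag);
}

// userAccountControlToggle: flip `flag`
function userAccountControlToggle(value, flag) {
  return Number(value) ^ flag;
}

// GetUnicodePwd: AD's unicodePwd attribute takes the new password wrapped in
// double quotes and encoded as UTF-16LE (AD only accepts it over an encrypted connection)
function getUnicodePwd(password) {
  return Buffer.from('"' + password + '"', 'utf16le');
}

// getNumberOfWeeksSinceLastLogon: lastLogon / lastLogonTimestamp are Windows
// FILETIME values, 100-nanosecond ticks since 1601-01-01 UTC
const FILETIME_TO_UNIX_MS = 11644473600000; // ms between the 1601 and 1970 epochs
function getNumberOfWeeksSinceLastLogon(lastLogon, nowMs = Date.now()) {
  if (!lastLogon || lastLogon === "0") return Infinity; // never logged on
  const unixMs = Number(BigInt(lastLogon) / 10000n) - FILETIME_TO_UNIX_MS;
  return Math.floor((nowMs - unixMs) / (7 * 24 * 60 * 60 * 1000));
}

// Assumed sync rule: flag accounts idle for more than 12 weeks that are not yet disabled
function shouldDisable(entry, nowMs = Date.now()) {
  return getNumberOfWeeksSinceLastLogon(entry.lastLogonTimestamp, nowMs) > 12
    && !userAccountControlCheck(entry.userAccountControl, UAC.ACCOUNTDISABLE);
}
```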
  • LDAP Query Language
    • Access to srcLdap (source) and ldap (destination) connection objects
    • Special functions:
      • attribute(DN, attribute)
      • search(base, filter)
      • list(base, filter)
      • read(base, filter)
      • sup(DN, level)
    Example:
      lsc.syncoptions.user.givenName.force_value = srcLdap.attribute(srcLdap.list("ou=services", "uniqueMember=" + srcBean.getDistinguishName() + ""), 'description').get(0)
  • See also
    • Official LSC page: http://lsc-project.org
    • LDAP Tool Box project: http://ltb-project.org
      • Nagios and Cacti scripts
      • OpenLDAP RPM
      • LDAP scripts
      • Web application for users to change their password (OpenLDAP and Active Directory)
  • Thank you for your attention. Visit us at our stand 107, hall 7.2b