Synchronize OpenLDAP with Active Directory with LSC project
Presentation Transcript

  • Synchronize OpenLDAP with Active Directory: The LSC project, by Clément OUDOT
  • Table of contents
    • Introduction
    • The LSC project
    • Active Directory specificities
    • Advanced LDAP functionalities
    • Demonstration
  • Introduction
    • Having just one single user database in our information system is a dream
    • Having only Open Source software in our information system is a dream
    • But driving Active Directory from OpenLDAP is now a reality, thanks to the LSC project
  • The LSC project
    • LDAP Synchronization Connector
    • BSD licence
    • Java
    • LDAP provisioning from databases, flat files and LDAP directories
    • Extended functions for Active Directory
    • LDAP Query Language (LQL)
  • Overview
  • Input
    • Two request methods:
      • LDAP (JNDI)
      • SQL (JDBC)
    • Three inputs:
      • LDAP directories (LDAP queries)
      • Databases (SQL queries)
      • CSV files (injected in local HSQLDB)
  • LSC engine
  • Create a connector
    • Download lsc-sample archive
    • Run maven to get dependencies
    • Run the code generation wizard
    • Configure your rules in lsc.properties
  • LDAP connection
    • Use SSL (ldaps://) or TLS (startTLS)
    • Paged search result
    • Recursive delete
    • All JNDI options:
      • Referrals handling
      • Aliases dereferencing
      • Extended matching filters
    Example:
      src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
      src.java.naming.ldap.derefAliases = never
      src.java.naming.ldap.version = 3
      src.java.naming.provider.url = ldap://localhost/dc=example,dc=com
      src.java.naming.referral = ignore
      src.java.naming.security.authentication = simple
      src.java.naming.security.principal = cn=admin,dc=example,dc=com
      src.java.naming.security.credentials = secret
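Before a connector goes live, the JNDI connection settings above are worth a quick review. The following is an added example, not LSC code: it parses lsc.properties-style text and reports risky connection settings under one prefix. The sample text is constructed from the slide's example; the `startTls` parameter is an assumption, because the LSC property that enables startTLS is not on the slide.

```javascript
// Added example, not LSC code: parse lsc.properties-style text and review the JNDI
// connection settings under one prefix ("src" or "dst") before the connector goes live.
// SAMPLE_PROPERTIES is constructed from the slide's example.
const SAMPLE_PROPERTIES = `
src.java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
src.java.naming.ldap.derefAliases = never
src.java.naming.ldap.version = 3
src.java.naming.provider.url = ldap://localhost/dc=example,dc=com
src.java.naming.referral = ignore
src.java.naming.security.authentication = simple
src.java.naming.security.principal = cn=admin,dc=example,dc=com
src.java.naming.security.credentials = secret
`;

// Minimal .properties reader: one "key = value" per line; '#' or '!' starts a comment.
function parseProperties(text) {
  const props = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
    const idx = line.search(/[=:]/);           // first '=' or ':' separates key and value
    if (idx < 0) continue;
    props.set(line.slice(0, idx).trim(), line.slice(idx + 1).trim());
  }
  return props;
}

// Returns the findings for the connection under `prefix`. `startTls` is passed in by the
// caller because the LSC property that enables startTLS is not on the slide (assumption).
function auditConnection(props, prefix, { startTls = false } = {}) {
  const get = (key) => (props.get(`${prefix}.java.naming.${key}`) || '').toLowerCase();
  const findings = [];
  const ldaps = get('provider.url').startsWith('ldaps://');
  const auth = get('security.authentication');
  if (auth === 'simple' && !ldaps && !startTls) {
    findings.push('simple bind over ldap:// without TLS: the bind password crosses the network in clear');
  }
  if (auth === 'none') {
    findings.push('anonymous bind: the connector cannot be identified or restricted by ACLs');
  }
  if (get('ldap.version') && get('ldap.version') !== '3') {
    findings.push('LDAPv2 requested: startTLS and paged results need LDAPv3');
  }
  if (get('referral') === 'follow') {
    findings.push('referrals followed: JNDI reuses the bind credentials against referred servers');
  }
  return findings;
}

console.log(auditConnection(parseProperties(SAMPLE_PROPERTIES), 'src'));
```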
  • Definition of a task
    • Task name
    • Task type (db2ldap or ldap2ldap)
    • Bean for destination (dstBean)
    • Object for source (mapped in srcBean)
    • DN template
    • Conditions for create/delete/modify/modrdn
    • For source and destination:
      • Base
      • Filters (All and Id)
      • Attributes
      • Pivot attributes
  • Definition of a task: example
      lsc.tasks = user
      lsc.tasks.user.type = ldap2ldap
      lsc.tasks.user.bean = org.lsc.beans.userBean
      lsc.tasks.user.object = org.lsc.objects.inetOrgPerson
      lsc.tasks.user.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=users"
      lsc.tasks.user.srcService = org.lsc.jndi.SimpleJndiSrcService
      lsc.tasks.user.srcService.attrs = uid cn sn givenName mail o
      lsc.tasks.user.srcService.baseDn = ou=users
      lsc.tasks.user.srcService.filterAll = (objectClass=inetOrgPerson)
      lsc.tasks.user.srcService.filterId = (&(objectClass=inetOrgPerson)(|(uid={samaccountname})(uid={uid})))
      lsc.tasks.user.srcService.pivotAttrs = uid
      lsc.tasks.user.dstService = org.lsc.jndi.SimpleJndiDstService
      lsc.tasks.user.dstService.attrs = cn sn givenName mail company objectClass sAMAccountName
      lsc.tasks.user.dstService.baseDn = ou=users
      lsc.tasks.user.dstService.filterAll = (objectClass=user)
      lsc.tasks.user.dstService.filterId = (&(objectClass=user)(|(sAMAccountName={uid})(sAMAccountName={samaccountname})))
      lsc.tasks.user.dstService.pivotAttrs = sAMAccountName
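The filterId and DN template above are built from values read out of the source directory, so those values must be escaped before they are placed in a filter or a DN. The following is an added example, not LSC code: it renders the slide's dstService.filterId placeholders and DN template with RFC 4515 and RFC 4514 escaping. The source entry and pivot map are constructed; treating a missing placeholder value as an error is this example's choice, not documented LSC behaviour.

```javascript
// Added example, not LSC code: how the {pivot} placeholders in filterId and the DN template
// from the slide consume values read from the source entry. Escaping follows RFC 4515
// (filters) and RFC 4514 (DNs) so a source value cannot change the shape of the filter or DN.
const TASK = {
  dstFilterId: '(&(objectClass=user)(|(sAMAccountName={uid})(sAMAccountName={samaccountname})))',
  dnTemplate: (srcEntry) => 'cn=' + escapeDnValue(srcEntry.cn) + ',ou=users',
};

// RFC 4515: '*', '(', ')', '\' and NUL inside an assertion value become \XX hex escapes.
function escapeFilterValue(value) {
  return String(value).replace(/[*()\\\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514: escape the special characters, a trailing space, a leading space or '#', and NUL.
function escapeDnValue(value) {
  return String(value)
    .replace(/[\\,+"<>;]/g, (c) => '\\' + c)
    .replace(/ $/, '\\ ')
    .replace(/^[ #]/, (c) => '\\' + c)
    .replace(/\0/g, '\\00');
}

// Replace every {name} with the escaped pivot value. Names match case-insensitively, as the
// slide mixes {uid} and {samaccountname}; a placeholder with no value is an error here
// (this example's choice) rather than a silently broken filter.
function renderFilterId(template, pivots) {
  const byName = new Map(Object.entries(pivots).map(([k, v]) => [k.toLowerCase(), v]));
  return template.replace(/\{([^}]+)\}/g, (_, name) => {
    const key = name.toLowerCase();
    if (!byName.has(key)) throw new Error('no pivot value for {' + name + '}');
    return escapeFilterValue(byName.get(key));
  });
}

// Constructed source entry: a legitimate cn containing a comma, and a uid that carries
// filter metacharacters, which must end up as literal characters in the destination filter.
const SRC_ENTRY = { uid: 'jdoe)(objectClass=*', cn: 'Doe, John' };
console.log(renderFilterId(TASK.dstFilterId, { uid: SRC_ENTRY.uid, sAMAccountName: SRC_ENTRY.uid }));
console.log(TASK.dnTemplate(SRC_ENTRY));
```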
  • Synchronization options
    • Action: Force/Keep/Merge
    • Value modification type: Create/Default/Force
    • SrcBean and dstBean methods:
      • getDistinguishName
      • getAttributeValueById
    • Multi-valued attributes with configurable delimiter (';' by default)
    • Rhino JavaScript engine
  • Synchronization options: example
      lsc.syncoptions.user = org.lsc.beans.syncoptions.PropertiesBasedSyncOptions
      lsc.syncoptions.user.default.action = F
      lsc.syncoptions.user.company.force_value = srcBean.getAttributeValueById("o")
      lsc.syncoptions.user.name.force_value = srcBean.getAttributeValueById("cn")
      lsc.syncoptions.user.displayName.force_value = srcBean.getAttributeValueById("cn")
      lsc.syncoptions.user.objectClass.force_value = "top";"user";"person";"organizationalPerson"
      lsc.syncoptions.user.sAMAccountName.create_value = srcBean.getAttributeValueById("uid")
      lsc.syncoptions.user.userPrincipalName.create_value = srcBean.getAttributeValueById("uid") + "@example.com"
      lsc.syncoptions.user.scriptPath.create_value = "demo.bat"
  • Active Directory
    • Use Paged Search to bypass the 1000-entry page size limit
    • UserAccountControl:
      • userAccountControlSet
      • userAccountControlCheck
      • userAccountControlToggle
    • Password:
      • GetUnicodePwd
    • LastLogon:
      • getNumberOfWeeksSinceLastLogon
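The three Active Directory specificities listed above each hide an encoding detail. The following is an added example, not LSC code: stand-alone versions of the userAccountControl bit helpers, the unicodePwd encoding and the lastLogon FILETIME conversion, plus a small defender's check built from them. The UAC flag values are the documented userAccountControl bits; the sample entries are constructed.

```javascript
// Added example, not LSC code: stand-alone versions of the three Active Directory helpers
// the slide names, so their encodings can be checked offline.
const UAC = { ACCOUNTDISABLE: 0x0002, NORMAL_ACCOUNT: 0x0200, DONT_EXPIRE_PASSWORD: 0x10000 };

// userAccountControl is a bit field: set, check and toggle one flag without touching the others.
function userAccountControlSet(uac, flag) { return (uac | flag) >>> 0; }
function userAccountControlCheck(uac, flag) { return (uac & flag) !== 0; }
function userAccountControlToggle(uac, flag) { return (uac ^ flag) >>> 0; }

// unicodePwd: AD expects the password wrapped in double quotes and encoded as UTF-16LE,
// and only accepts the write over an encrypted (LDAPS or TLS) connection.
function getUnicodePwd(password) {
  return Buffer.from('"' + password + '"', 'utf16le');
}

// lastLogon is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
// Note that lastLogon is held per domain controller and not replicated; the replicated
// (coarser) attribute is lastLogonTimestamp.
const EPOCH_OFFSET_MS = 11644473600000n; // milliseconds between 1601-01-01 and 1970-01-01
function fileTimeToDate(fileTime) {
  return new Date(Number(BigInt(fileTime) / 10000n - EPOCH_OFFSET_MS));
}
function getNumberOfWeeksSinceLastLogon(lastLogon, now = new Date()) {
  if (String(lastLogon) === '0') return null; // the account has never logged on
  const elapsedMs = now.getTime() - fileTimeToDate(lastLogon).getTime();
  return Math.floor(elapsedMs / (7 * 24 * 60 * 60 * 1000));
}

// Defender's use of the same helpers: enabled accounts idle for more than maxWeeks,
// counting accounts that have never logged on as idle.
function staleEnabledAccounts(entries, maxWeeks, now = new Date()) {
  return entries.filter((e) => {
    if (userAccountControlCheck(e.userAccountControl, UAC.ACCOUNTDISABLE)) return false;
    const weeks = getNumberOfWeeksSinceLastLogon(e.lastLogon, now);
    return weeks === null || weeks > maxWeeks;
  }).map((e) => e.sAMAccountName);
}

// Constructed entries; 129067776000000000 is the FILETIME for 2010-01-01T00:00:00Z.
const ENTRIES = [
  { sAMAccountName: 'jdoe', userAccountControl: 0x200, lastLogon: '129067776000000000' },
  { sAMAccountName: 'asmith', userAccountControl: 0x202, lastLogon: '129067776000000000' },
  { sAMAccountName: 'svc', userAccountControl: 0x10200, lastLogon: '0' },
];
console.log(staleEnabledAccounts(ENTRIES, 4, new Date('2010-03-01T00:00:00Z')));
```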
  • LDAP Query Language
    • Access to srcLdap (source) and ldap (destination) connection objects
    • Special functions:
      • attribute(DN, attribute)
      • search(base, filter)
      • list(base, filter)
      • read(base, filter)
      • sup(DN, level)
    Example:
      lsc.syncoptions.user.givenName.force_value = srcLdap.attribute(
          srcLdap.list("ou=services", "uniqueMember=" + srcBean.getDistinguishName() + ""),
          'description').get(0)
  • See also
    • Official LSC page: http://lsc-project.org
    • LDAP Tool Box project:
      • Nagios and Cacti scripts
      • OpenLDAP RPM
      • LDAP scripts
      • Web application for users to change their password (OpenLDAP and Active Directory)
      • http://ltb-project.org
  • Thank you for your attention. Visit us at our stand 107, hall 7.2b