Ldap Synchronization Connector @ 2011.RMLL
Ldap Synchronization Connector @ 2011.RMLL Presentation Transcript

  • LSC @ 2011.RMLL
    • Sébastien Bahloul
    • Jonathan Clarke
  • What?
    • LSC @ 2011
    • Why?
    • Goals
    • 3 minutes quick start
    • New version: 2.0
    • Roadmap
  • Why?
    • LDAP directories
      • Present in a vast majority of corporations
      • Central authentication, identity management, …
      • Contain user accounts (identities)
    • Simple, right? … well, yes, but …
      • « HR already has software that only stores identity information in a database »
      • « We use Active Directory for our desktops and we need users' identities there too »
      • « XYZ software only uses a database »
  • Why?
    • Several different identity repositories
      • How to make sure the same changes apply?
        • New employees
        • Name changes (marriage), transfers...
        • Employees leaving
    • Jim just got fired. Boss asks you to disable his account. Account S, that is. You do it... All done!
      But what about the account on the company blog? ARGH! Too late. What now!? FIRE THE SYSADMIN!!!?
  • Why?
    • Synchronize the repositories
      • Spread the account status, information, etc...
    • Manual synchronization?
      • Leads to a mess, leaving old accounts active …
    • Automatic synchronization?
  • Introduction
    • Automatic synchronization
      • It already exists, and works great
        • Directory- / database-specific replication
        • Application-specific connectors (AD, SAP, etc)
      • What about the rest?
        • Between different databases, directories, files?
        • Different data models?
        • Using standards: LDAP, SQL, etc...?
  • About LSC Project
    • What is LSC?
      • LDAP Synchronization Connector
      • Open Source project
      • BSD licence
      • Written in Java
      • 5 years in the making
      • 3 years ago LSC-project.org created
      • ~10 regular contributors
    • Website: http://lsc-project.org
  • Goals – functionality
    • Read/write to any repository
      • Database or LDAP directory or ?
      • Standard LDAPv3 operations
      • JDBC connectors for databases
    • Transform data on-the-fly
      • Adapt to a different data model
      • JavaScript based engine to manipulate data
    • Adjustable updates: force values, insert defaults, merge values, don't touch...
  • Goals – usability
    • Quickly implement a new synchronization
    • Highly configurable
      • What exactly do we read?
      • Powerful transformations (correctness is important)
      • What exactly do we write?
    • Run fast (performance is important)
    • Easy to set up
  • Philosophy
    • Make it possible, now!
    • Make it more stable and safer
      • Open Source benefits over home-grown scripts
      • More secure and better tested
      • Don't reinvent a buggy wheel!
    • Make it faster and simpler
      • Faster than writing home-grown scripts
      • Provide methods for IAM and directory-specific tasks
    • This may not be the ultimate solution …
  • LSC synchronization principles
    • Two levels of information per identity
      • Existence – equivalent to an account (object)
      • Identity-specific details – names, phone numbers (datasets)
    • A unique ID: the pivot dataset(s)
      • Could be an email address, user ID ...
    • Synchronization operations
      • Create: add objects from source to destination
      • Delete: delete objects from destination not in source
      • Update: compare and set specific details
      • Change ID: specific update for the main identifier
  • LSC synchronization principles
    • A task defines:
      • source and destination service
      • pivot datasets
      • synchronization options
    • A connector is defined by:
      • A connection for network and general settings (hostname, username, password, ...)
      • A service for per-task connector-specific settings (LDAP filter, SQL request, ...)
  • LSC synchronization principles
    • First step: sync
      • Get a list of all pivots from the source
      • For each pivot:
        • Read the source object
        • Search for the destination object with the pivot
        • Build up the desired destination object by applying transformations to the source object
        • If the destination object exists, calculate modifications
        • Apply: create or modify
  • LSC synchronization principles
    • Second step: clean (optional)
      • Get a list of all pivots from the destination
      • For each pivot:
        • Search for the source object with the pivot
        • If the source object doesn't exist, delete it from the destination
        • Apply: delete
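The two steps above, as an added JavaScript example that is not part of the slides or of LSC's own code: sync followed by clean, run over two in-memory repositories keyed by the pivot. The `conditions` parameter goes one slide further than this one: it gates each operation with a predicate, which is how the Operation conditions feature (update-only synchronizations, conditional deletes) is modelled here. The function names, the `transform` rule and the sample HR and directory data are all constructed for the example.

```javascript
'use strict';
// Added example, not LSC's own code: a minimal model of LSC's two-step
// synchronization (sync, then clean) over two in-memory repositories.
// Each repository is a Map from pivot value to an object whose keys are
// dataset names. All names and data below are constructed for the example.

// Build the desired destination object from a source object. This stands
// in for the transformations LSC's syncoptions apply.
function transform(src) {
  return {
    objectClass: 'inetOrgPerson',
    mail: src.mail,
    sn: src.sn,
    givenName: src.givenName,
    cn: src.sn.toUpperCase() + ' ' + src.givenName,
  };
}

// Compare the desired object with the existing destination object and
// return only the datasets whose value differs; an empty object means
// the entry is already in sync.
function computeModifications(desired, existing) {
  const mods = {};
  for (const [name, value] of Object.entries(desired)) {
    if (existing[name] !== value) mods[name] = value;
  }
  return mods;
}

// First step: sync. List every pivot of the source, look it up in the
// destination and create or modify. `conditions` is this example's model
// of LSC's per-operation conditions: a predicate that returns false
// blocks that operation (e.g. create: () => false for update-only syncs).
function sync(source, destination, conditions = {}) {
  const ops = [];
  for (const [pivot, src] of source) {
    const desired = transform(src);
    const dst = destination.get(pivot);
    if (dst === undefined) {
      if (conditions.create && !conditions.create(src)) continue;
      ops.push({ op: 'create', pivot, values: desired });
      destination.set(pivot, { ...desired });
    } else {
      const mods = computeModifications(desired, dst);
      if (Object.keys(mods).length === 0) continue;
      if (conditions.update && !conditions.update(src, dst)) continue;
      ops.push({ op: 'modify', pivot, values: mods });
      Object.assign(dst, mods);
    }
  }
  return ops;
}

// Second step: clean (optional). List every pivot of the destination and
// delete those with no source object: this is what would have caught the
// blog account that survived when Jim was fired.
function clean(source, destination, conditions = {}) {
  const ops = [];
  for (const [pivot, dst] of Array.from(destination)) {
    if (source.has(pivot)) continue;
    if (conditions.delete && !conditions.delete(dst)) continue;
    ops.push({ op: 'delete', pivot });
    destination.delete(pivot);
  }
  return ops;
}

// Constructed sample data: an HR export (source) and a directory
// (destination), both keyed by the pivot "mail".
function sampleRun(conditions = {}) {
  const source = new Map([
    ['alice@example.org', { mail: 'alice@example.org', sn: 'Martin', givenName: 'Alice' }],
    ['bob@example.org', { mail: 'bob@example.org', sn: 'Durand', givenName: 'Bob' }],
  ]);
  const destination = new Map([
    ['alice@example.org', { objectClass: 'inetOrgPerson', mail: 'alice@example.org',
      sn: 'Martin', givenName: 'Alice', cn: 'Martin Alice' }], // stale cn
    ['jim@example.org', { objectClass: 'inetOrgPerson', mail: 'jim@example.org',
      sn: 'Smith', givenName: 'Jim', cn: 'SMITH Jim' }],        // no longer in HR
  ]);
  const ops = sync(source, destination, conditions)
    .concat(clean(source, destination, conditions));
  return { ops, destination };
}

console.log(JSON.stringify(sampleRun().ops, null, 2));
```

Running it yields one modify (Alice's stale cn), one create (Bob) and one delete (Jim). Passing `{ create: () => false, delete: () => false }` turns the same run into an update-only synchronization: Alice is still fixed, Bob is never created and Jim's entry is left untouched, which is the behaviour a task with create and delete blocked would show in the LDIF log.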
  • Defining a synchronization
    • Source type: LDAP / SQL database / CSV file?
    • Population: which users? Which pivot?
    • Information: datasets? Transformations?
  • Example: CSV to OpenLDAP
    • CSV: a simple export file (from HR, for example)
    • The CSV is loaded into a temporary database (HSQLDB)
    • The embedded database is then handled like any other JDBC source
  • Example: CSV to OpenLDAP
    • Configuring the source database
      • JDBC connector: org.hsqldb.jdbcDriver
      • URL, username, password
      • Simple SQL request:
        SELECT 'inetOrgPerson' objectClass, pers."ID", pers."MAIL", ...
        FROM csvdata pers WHERE ID like #mail#
  • Example: CSV to OpenLDAP
    • OpenLDAP: inetOrgPerson entries
  • Example: CSV to OpenLDAP
    • Configuring the destination directory
      <ldapConnection id="4">
        <id>dst-ldap</id>
        <url>ldap://localhost:33389/dc=lsc-project,dc=org</url>
        <username>cn=Directory Manager</username>
        <password>secret</password>
        <authentication>SIMPLE</authentication>
        <referral>IGNORE</referral>
        <derefAliases>NEVER</derefAliases>
        <version>VERSION_3</version>
        <pageSize>-1</pageSize>
        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
        <tlsActivated>false</tlsActivated>
      </ldapConnection>
    • This demo connection binds as cn=Directory Manager with a SIMPLE (cleartext) bind over plain ldap:// and tlsActivated false. That is acceptable against a throwaway local directory; a production connection should set tlsActivated to true and bind with a dedicated service account limited to the synchronized subtree rather than the directory manager.
  • Example: CSV to OpenLDAP
    • Configure the synchronization task
      • Source directory searching
      • DN generation
      <destination class="ldapDstService" id="8">
        <name>MySyncTask-dst</name>
        <connection class="ldapConnection" reference="4"></connection>
        <baseDn>ou=Sample</baseDn>
        <pivotAttributes id="9">
          <string>mail</string>
        </pivotAttributes>
        <fetchedAttributes id="10">
          <string>description</string>
          <string>cn</string>
          <string>sn</string>
          <string>userPassword</string>
          <string>objectClass</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(mail={mail}))</getOneFilter>
      </destination>
      <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
        <dn>"mail=" + srcBean.getAttributeValueById("mail") + ",ou=Sample"</dn>
        <.../>
      </syncOptions>
  • Example: CSV to OpenLDAP
    • Configuring data transformations (syncoptions)
      <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
        <.../>
        <defaultPolicy>FORCE</defaultPolicy>
        <attribute id="16">
          <name>cn</name>
          <forceValues id="19">
            <string>srcBean.getAttributeValueById("sn").toUpperCase() + " " + srcBean.getAttributeValueById("givenName")</string>
          </forceValues>
        </attribute>
        <attribute id="24">
          <name>userPassword</name>
          <policy>KEEP</policy>
          <defaultValues id="25">
            <string>SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")</string>
          </defaultValues>
        </attribute>
        <.../>
      </syncOptions>
    • The default userPassword here is an unsalted MD5 hash, fine as a demo placeholder; the Features overview lists SSHA (salted SHA-1), which is the safer choice for anything written to a real directory.
  • Demonstration
    • Installation
    • Simple CSV to LDAP synchronization
      • Online tutorial
      • http://lsc-project.org/wiki/documentation/2.0/sample (ongoing :)
  • Features overview
    • Syncoptions offer unlimited possibilities
      • Text transformations
        • cn = givenName + SPACE + SN in caps
        • Filter accents: convert « Hélène » to « Helene »
      • Hash passwords (SSHA, MD5, etc)
      • Simple LDAP bind test
      • Active Directory specifics:
        • userAccountControl: deactivate accounts, force password changes, etc …
        • unicodePwd: update passwords AD-style
      • Anything else you can write in Java!
  • Features overview
    • Operation conditions
      • Perform CREATE / UPDATE / DELETE / Change ID conditionally
    • Use-cases:
      • Update-only synchronizations (never create, never delete)
      • Only update the password if it has changed (perform an LDAP bind on the fly to check)
      • Delete an account after 60 days of inactivity
  • Features overview
    • Dataset-level priorities for update
      • FORCE: replace the destination value whatever it is
      • KEEP: leave the destination value as-is
      • DEFAULT: value to use if the destination is empty
      • CREATE: default value for new entries
    • Use cases:
      • Provide a default password but don't squash the real one
      • Force phone numbers if we're authoritative for them
  • Features overview
    • Detailed and configurable logging
      • LDIF format (fully RFC-compliant)
      • CSV format
    • Audit or play back modifications
      • Dry-run mode
      • Block create/delete/update/changeid operations per task
  • Standards based – wide support
    • Any LDAP server should be supported, tested on:
      • OpenLDAP
      • OpenDS
      • Sun DSEE
      • Microsoft Active Directory
      • Novell Directory Services
    • Any database with a JDBC connector, tested on:
      • MySQL, PostgreSQL, Oracle, HSQLDB
  • Latest version: LSC 2.0
    • A major new release with new features:
      • Daemon mode with on-the-fly updates
      • Support for scripting languages (JSR 223)
      • Read and write everywhere
      • Plugin API: connectors, libraries, scripting engine, …
      • Graphical interface
  • LSC: a connected entity!
    • Run LSC in asynchronous mode: it detects update events on the fly and propagates them, for the data sources that support it (currently Web Service and LDAP)
    • Interact with a running LSC instance through the command line tool or JMX
  • LSC: scripting
    • Use your preferred language to write LSC rules!
    • LSC built-in and historical support for JavaScript
    • Extensible to any JSR 223 compliant engine:
      • PHP
      • Groovy
      • Unix tools (awk, Tcl)
      • Python, Ruby, Scheme (Lisp)
      • ...
  • LSC: read and write everywhere
    • Original and best supported connector: LDAP directories
    • Additional sources: NIS, database, CSV, Web Services, LDAP through syncrepl
    • Additional destinations: scripting destination
    • And many others to come :)
  • LSC: builtin extensibility API
    • Write your own connector to read or write inside your custom space:
      // source side: list the pivots, then fetch one object per pivot
      public class MySourceService {
          public IBean getBean(...);
          public Map<...> getListPivots(...);
      }
      // destination side: same reads, plus applying the computed modifications
      public class MyTargetService {
          public IBean getBean(...);
          public Map<...> getListPivots(...);
          public boolean apply(...);
      }
      // connector-specific settings, exposed as a bean with getters and setters
      public class MyServiceConfiguration {
          private String mySpecialParameter;
          public String getMySpecialParameter();
          public void setMySpecialParameter(...);
      }
  • LSC: graphical interface (three screenshot slides)
  • Perspectives
    • Project is currently in stable status
      • Version 1.2.1
    • This presentation is based on the beta version
      • Version 2.0 (almost) released
  • Perspectives
    • Ideas for improvement are everywhere:
      • Event-based model (ESB)
      • DirSync support for Microsoft AD
      • Datasource aggregation on the fly
      • Scheduler integration (ongoing)
      • Data « reconciliation »
      • Anything else …
  • Try it out! Get involved!
    • Main website: http://lsc-project.org/
      • Tutorials: quickstart demo, detailed tutorials
      • Reference documentation
  • Try it out! Get involved!
    • Getting help (keep in touch!)
      • Mailing lists: http://lists.lsc-project.org/
      • IRC: #lsc-project on Freenode
    • Development tools:
      • Redmine forge: http://tools.lsc-project.org/
      • Bugtracker, SVN repository …
      • Continuous build server
        • Numerous automated tests
  • Thanks for your attention! Any questions?
    • Sébastien Bahloul [email_address]