Ldap Synchronization Connector @ 2011.RMLL
 

    Presentation Transcript

      • LSC @ 2011.RMLL: Sébastien Bahloul
      • Jonathan Clarke
      • What?
      • LSC @ 2011
      • Why?
      • Goals
      • 3 minutes quick start
      • New version: 2.0
      • Roadmap
      • Why?
      • LDAP directories
        • Present in a vast majority of corporations
        • Central authentication, identity management, …
        • Contain user accounts (identities)
      • Simple, right? … well, yes, but …
        • « HR already has software that only stores identity information in a database »
        • « We use Active Directory for our desktops and we need users' identities there too »
        • « XYZ software only uses a database »
      • Why?
      • Several different identity repositories
        • How to make sure the same changes apply?
          • New employees
          • Name changes (marriage), transfers...
          • Employees leaving
        Jim just got fired.
        Boss asks you to disable his account.
        Account S, that is. You do it... All done!
        But what about the account on the company blog?
        ARGH! Too late. What now!?
        FIRE THE SYSADMIN!!!?
      • Why?
      • Synchronize the repositories
        • Spread the account status, information, etc...
      • Manual synchronization?
        • Leads to a mess, leaving old accounts active …
      • Automatic synchronization?
      • Introduction
      • Automatic synchronization
        • It already exists, and works great
          • Directory- or database-specific replication
          • Application-specific connectors (AD, SAP, etc.)
        • What about the rest?
          • Between different databases, directories, files?
          • Different data models?
          • Using standards: LDAP, SQL, etc...?
      • About LSC Project
      • What is LSC?
        • LDAP Synchronization Connector
        • Open Source project
        • BSD licence
        • Written in Java
        • 5 years in the making
        • LSC-project.org created 3 years ago
        • ~10 regular contributors
      • Website: http://lsc-project.org
      • Goals – functionality
      • Read/write to any repository
        • Database or LDAP directory or ?
        • Standard LDAPv3 operations
        • JDBC connectors for databases
      • Transform data on-the-fly
        • Adapt to a different data model
        • JavaScript based engine to manipulate data
      • Adjustable updates: force values, insert defaults, merge values, don't touch...
      • Goals – usability
      • Quickly implement a new synchronization
      • Highly configurable
        • What exactly do we read?
        • Powerful transformations (correctness is important)
        • What exactly do we write?
      • Run fast (performance is important)
      • Easy to setup
      • Philosophy
      • Make it possible, now!
      • Make it more stable and safer
        • Open Source benefits over home-grown scripts
        • More secure and better tested
        • Don't reinvent a buggy wheel!
      • Make it faster and simpler
        • Faster than writing home-grown scripts
        • Provide methods for IAM and directory-specific tasks
      • This may not be the ultimate solution …
      • LSC synchronization principles
      • Two levels of information per identity
        • Existence – equivalent to an account (object)
        • Identity specific details – names, phone numbers (datasets)
      • A unique ID: the pivot dataset(s)
        • Could be an email address, user ID ...
      • Synchronization operations
        • Create: Add objects from source to destination
        • Delete: Delete objects from destination not in source
        • Update: Compare and set specific details
        • Change ID: specific update for the main identifier
      • LSC synchronization principles
        A task defines:
        • source and destination service
        • pivot datasets
        • synchronization options
        A connector is defined by:
        • A connection for network and general settings (hostname, username, password, ...)
        • A service for per-task, connector-specific settings (LDAP filter, SQL request, ...)
      • LSC synchronization principles
      • First step: sync
        • Get a list of all pivots from the source
        • For each pivot
          • Read the source object
          • Search for the destination object with pivot
          • Build up desired destination object by applying transformations to source object
          • If the destination object exists, calculate modifications
          • Apply: create or modify
      • LSC synchronization principles
      • Second step: clean (optional)
        • Get a list of all pivots from the destination
        • For each pivot
          • Search for the source object with pivot
          • If the source object doesn't exist, delete from destination
          • Apply: delete
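The two steps just described, sync then clean, as an added example written for this page and not code from the LSC project. It models both repositories as in-memory lists matched on the pivot dataset (mail, as on the slides), computes the operations a dry run would log, and renders them as LDIF change records. The sample HR and directory data, the transform, and the helper names (transform, diff, sync, clean, ldifLine, toLdif, runTask) are this example's own; in LSC the transform and the attribute policies come from syncOptions.

```javascript
// Added example (not LSC project code): a compact model of LSC's two steps,
// "sync" then "clean", over in-memory repositories. Objects are matched on the
// pivot dataset (mail, as on the slides); the transform and diff are this
// example's own simplifications of what syncOptions configure in LSC.

const PIVOT = 'mail';

// Constructed sample data: an HR export (source) and what the directory holds (destination).
const source = [
  { mail: 'helene.durand@example.org', sn: 'Durand', givenName: 'Hélène', telephoneNumber: '+33 1 00 00 00 01' },
  { mail: 'jim.smith@example.org', sn: 'Smith', givenName: 'Jim' },
];
const destination = [
  { mail: 'jim.smith@example.org', cn: 'SMITH Jim', sn: 'Smith', telephoneNumber: '+33 1 99 99 99 99' },
  { mail: 'old.account@example.org', cn: 'OLD Account', sn: 'Account' }, // no longer in HR
];

// Transformation: build the desired destination object from a source object
// (cn = SN in capitals + space + givenName, as in the slide's syncOptions).
function transform(src) {
  return {
    mail: src.mail,
    sn: src.sn,
    givenName: src.givenName,
    cn: src.sn.toUpperCase() + ' ' + src.givenName,
    telephoneNumber: src.telephoneNumber,
  };
}

// Modification calculation: attributes whose desired value differs from the
// destination. A dataset the source does not provide (undefined) is left alone.
function diff(desired, existing) {
  const mods = {};
  for (const [attr, value] of Object.entries(desired)) {
    if (value !== undefined && existing[attr] !== value) mods[attr] = value;
  }
  return mods;
}

function indexByPivot(repo) {
  return new Map(repo.map((obj) => [obj[PIVOT], obj]));
}

// First step, sync: for each source pivot, create or modify the destination object.
// Nothing is applied here; the returned list is what a dry run would log.
function sync(src, dst) {
  const dstByPivot = indexByPivot(dst);
  const ops = [];
  for (const srcObj of src) {
    const pivot = srcObj[PIVOT];
    const desired = transform(srcObj);
    const existing = dstByPivot.get(pivot);
    if (existing === undefined) {
      ops.push({ op: 'create', pivot, attrs: desired });
    } else {
      const mods = diff(desired, existing);
      if (Object.keys(mods).length > 0) ops.push({ op: 'modify', pivot, mods });
    }
  }
  return ops;
}

// Second step, clean: destination objects whose pivot no longer exists in the source.
function clean(src, dst) {
  const srcByPivot = indexByPivot(src);
  return dst
    .filter((obj) => !srcByPivot.has(obj[PIVOT]))
    .map((obj) => ({ op: 'delete', pivot: obj[PIVOT] }));
}

// One LDIF attribute line (RFC 2849): values that are not printable ASCII, or
// that start with space, ':' or '<', must be base64-encoded ("attr:: ...").
function ldifLine(attr, value) {
  const safe = /^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$/.test(value) && !value.endsWith(' ');
  return safe ? `${attr}: ${value}` : `${attr}:: ${Buffer.from(value, 'utf8').toString('base64')}`;
}

// Render the operation list as LDIF change records, with the DN built from the
// pivot as the slide's <dn> expression does ("mail=" + mail + ",ou=Sample").
// The pivots here are ASCII; a non-ASCII DN would need "dn::" base64 as well.
function toLdif(ops, baseDn) {
  return ops.map((o) => {
    const lines = [`dn: ${PIVOT}=${o.pivot},${baseDn}`];
    if (o.op === 'create') {
      lines.push('changetype: add');
      for (const [a, v] of Object.entries(o.attrs)) if (v !== undefined) lines.push(ldifLine(a, v));
    } else if (o.op === 'modify') {
      lines.push('changetype: modify');
      for (const [a, v] of Object.entries(o.mods)) lines.push(`replace: ${a}`, ldifLine(a, v), '-');
    } else {
      lines.push('changetype: delete');
    }
    return lines.join('\n');
  }).join('\n\n');
}

// The whole task: sync first, then the optional clean.
function runTask() {
  return sync(source, destination).concat(clean(source, destination));
}

console.log(toLdif(runTask(), 'ou=Sample,dc=lsc-project,dc=org'));
```

Run with `node`, and the output is one add record for Hélène (her cn is base64-encoded because of the accents), one modify record adding Jim's missing givenName, and one delete record for the account HR no longer knows about. Jim's phone number is untouched because the source supplies none, which is the behaviour the KEEP policy gives in LSC.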
      • Defining a synchronization
      • Source type: LDAP / SQL database / CSV file ?
      • Population: Which users? Which pivot?
      • Information: Datasets? Transformations?
      • Example: CSV to OpenLDAP
      • CSV: a simple export file (HR for example)
      • CSV is loaded in a temporary database (HSQLDB)
      • The embedded database is treated as a standard database implementation
      • Example: CSV to OpenLDAP
      • Configuring the source database
        • JDBC connector: org.hsqldb.jdbcDriver
        • URL, username, password
        • Simple SQL request
        SELECT 'inetOrgPerson' objectClass, pers."ID", pers."MAIL", ...
        FROM csvdata pers WHERE ID like #mail#
      • Example: CSV to OpenLDAP
      • OpenLDAP: inetOrgPerson entries
      • Example: CSV to OpenLDAP
      • Configuring the destination directory
        <ldapConnection id="4">
          <id>dst-ldap</id>
          <url>ldap://localhost:33389/dc=lsc-project,dc=org</url>
          <username>cn=Directory Manager</username>
          <password>secret</password>
          <authentication>SIMPLE</authentication>
          <referral>IGNORE</referral>
          <derefAliases>NEVER</derefAliases>
          <version>VERSION_3</version>
          <pageSize>-1</pageSize>
          <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
          <tlsActivated>false</tlsActivated>
        </ldapConnection>
      • Example: CSV to OpenLDAP
      • Configure the synchronization task
        • Source directory searching
        • DN generation
        <destination class="ldapDstService" id="8">
          <name>MySyncTask-dst</name>
          <connection class="ldapConnection" reference="4"></connection>
          <baseDn>ou=Sample</baseDn>
          <pivotAttributes id="9">
            <string>mail</string>
          </pivotAttributes>
          <fetchedAttributes id="10">
            <string>description</string>
            <string>cn</string>
            <string>sn</string>
            <string>userPassword</string>
            <string>objectClass</string>
          </fetchedAttributes>
          <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
          <getOneFilter>(&amp;(objectClass=inetOrgPerson)(mail={mail}))</getOneFilter>
        </destination>
        <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
          <dn>"mail=" + srcBean.getAttributeValueById("mail") + ",ou=Sample"</dn>
          <!-- ... -->
        </syncOptions>
      • Example: CSV to OpenLDAP
      • Configuring data transformations (syncOptions)
        <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
          <!-- ... -->
          <defaultPolicy>FORCE</defaultPolicy>
          <attribute id="16">
            <name>cn</name>
            <forceValues id="19">
              <string>srcBean.getAttributeValueById("sn").toUpperCase() + " " + srcBean.getAttributeValueById("givenName")</string>
            </forceValues>
          </attribute>
          <attribute id="24">
            <name>userPassword</name>
            <policy>KEEP</policy>
            <defaultValues id="25">
              <string>SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")</string>
            </defaultValues>
          </attribute>
          <!-- ... -->
        </syncOptions>
      • Demonstration
      • Installation
      • Simple CSV to LDAP synchronization
        • Online tutorial
        • http://lsc-project.org/wiki/documentation/2.0/sample (ongoing :)
      • Features overview
      • syncOptions offer unlimited possibilities
        • Text transformations
          • cn = givenName + SPACE + SN in caps
          • Filter accents: convert « Hélène » to « Helene »
        • Hash passwords (SSHA, MD5, etc)
        • Simple LDAP bind test
        • Active Directory specifics:
          • UserAccountControl: deactivate accounts, force password changes, etc …
          • UnicodePwd: update passwords in AD-style
        • Anything else you can write in Java!
      • Features overview
      • Operation conditions
        • Perform CREATE / UPDATE / DELETE / Change ID conditionally
      • Use-cases:
        • Update-only synchronizations (never create, never delete)
        • Only update the password if it's changed (perform an LDAP bind operation to check on the fly)
        • Delete an account after 60 days of inactivity
      • Features overview
      • Dataset-level priorities for update
        • FORCE: replace the destination value, whatever it currently holds
        • KEEP: leave the destination value as-is
        • DEFAULT: value to use if the destination is empty
        • CREATE: default value for new entries
      • Use cases:
        • Provide a default password but don't squash real one
        • Force phone numbers if we're authoritative for them
      • Features overview
      • Detailed and configurable logging
        • LDIF format (fully RFC-compliant)
        • CSV format
      • Audit or play back modifications
        • Dryrun mode
        • Block create/delete/update/changeId operations per task
      • Standards based – Wide support
      • Any LDAP server should be supported, tested on:
        • OpenLDAP
        • OpenDS
        • Sun DSEE
        • Microsoft Active Directory
        • Novell Directory Services
      • Any database with a JDBC connector, tested on:
        • MySQL, PostgreSQL, Oracle, HSQLDB
      • Latest version LSC 2.0
      • A major new release with new features:
        • Daemon mode with on-the-fly updates
        • Support for scripting languages (JSR 223)
        • Read and write everywhere
        • Plugin API: connectors, libraries, scripting engine, …
        • Graphical interface
      • LSC: a connected entity!
      • Start LSC in asynchronous mode to detect and propagate update events on the fly, for the supported data sources (currently Web Service and LDAP)
      • Interact with LSC instance through command line tool or JMX
      • LSC: scripting
      • Use your preferred language to write LSC rules!
      • LSC builtin and historical support for JavaScript
      • Extensible to any JSR 223 compliant engine:
        • PHP
        • Groovy
        • Unix tools (awk, Tcl)
        • Python, Ruby, Scheme (Lisp)
        • ...
      • LSC: read and write everywhere
      • Original and best supported connector to LDAP directories
      • Additional sources: NIS, database, CSV, Web Services, LDAP through Syncrepl
      • Additional destinations: scripting destination
      • And many others to come :)
      • LSC: built-in extensibility API
      • Write your own connector to read or write inside your custom space
        // A source service reads objects and lists their pivots
        public class MySourceService {
            public IBean getBean(...);
            public Map<...> getListPivots(...);
        }
        // A target service additionally applies the computed modifications
        public class MyTargetService {
            public IBean getBean(...);
            public Map<...> getListPivots(...);
            public boolean apply(...);
        }
        // Connector-specific settings, exposed as a bean for the XML configuration
        public class MyServiceConfiguration {
            private String mySpecialParameter;
            public String getMySpecialParameter();
            public void setMySpecialParameter(...);
        }
      • LSC: graphical interface
      • Perspectives
      • Project is currently in stable status
        • Version 1.2.1
      • This presentation is based on the beta version
        • Version 2.0 (almost) released
      • Perspectives
      • Ideas for improvement are everywhere:
        • Event based model (ESB)
        • DirSync support for Microsoft AD
        • Datasource aggregation on the fly
        • Scheduler integration (ongoing)
        • Data « reconciliation »
        • Anything else …
      • Try it out! Get involved!
      • Main website: http://lsc-project.org/
        • Tutorials: quickstart demo, detailed tutorials
        • Reference documentation
      • Try it out! Get involved!
      • Getting help (keep in touch!)
        • Mailing lists: http://lists.lsc-project.org/
        • IRC: #lsc-project on Freenode
      • Development tools:
        • Redmine forge: http://tools.lsc-project.org/
        • Bugtracker, SVN repository …
        • Continuous build server
          • Numerous automated tests
      • Thanks for your attention! Any questions? Sébastien Bahloul [email_address]