Ldap Synchronization Connector @ 2011.RMLL
Presentation Transcript

    • LSC @ 2011.RMLL, Sébastien Bahloul
    • Jonathan Clarke
    • What?
    • LSC @ 2011
    • Why ?
    • Goals
    • 3 minutes quick start
    • New version : 2.0
    • Roadmap
    • Why ?
    • LDAP directories
      • Present in a vast majority of corporations
      • Central authentication, identity management, …
      • Contain user accounts (identities)
    • Simple, right? … well, yes, but …
      • « HR already has software that only stores identity information in a database »
      • « We use Active Directory for our desktops and we need users' identities there too »
      • « XYZ software only uses a database »
    • Why ?
    • Several different identity repositories
      • How to make sure the same changes apply?
        • New employees
        • Name changes (marriage), transfers...
        • Employees leaving
      Jim just got fired.
      Boss asks you to disable his account.
      Account S , that is. You do it... All done!
      But what about the account on the company blog?
      ARGH! Too late. What now!?
      FIRE THE SYSADMIN!!!?
    • Why ?
    • Synchronize the repositories
      • Spread the account status, information, etc...
    • Manual synchronization?
      • Leads to a mess, leaving old accounts active …
    • Automatic synchronization?
    • Introduction
    • Automatic synchronization
      • It already exists, and works great
        • Directory- / database- specific replication
        • Application- specific connectors (AD, SAP, etc)
      • What about the rest?
        • Between different databases, directories, files?
        • Different data models?
        • Using standards: LDAP, SQL, etc...?
    • About LSC Project
    • What is LSC?
      • LDAP Synchronization Connector
      • Open Source project
      • BSD licence
      • Written in Java
      • 5 years in the making
      • 3 years ago LSC-project.org created
      • ~10 regular contributors
    • Website: http://lsc-project.org
    • Goals – functionality
    • Read/write to any repository
      • Database or LDAP directory or ?
      • Standard LDAPv3 operations
      • JDBC connectors for databases
    • Transform data on-the-fly
      • Adapt to a different data model
      • JavaScript based engine to manipulate data
    • Adjustable updates: force values, insert defaults, merge values, don't touch...
    • Goals – usability
    • Quickly implement a new synchronization
    • Highly configurable
      • What exactly do we read?
      • Powerful transformations (correctness is important)
      • What exactly do we write?
    • Run fast (performance is important)
    • Easy to setup
    • Philosophy
    • Make it possible, now!
    • Make it more stable and safer
      • Open Source benefits over home-grown scripts
      • More secure and better tested
      • Don't reinvent a buggy wheel!
    • Make it faster and simpler
      • Faster than writing home-grown scripts
      • Provide methods for IAM and directory-specific tasks
    • This may not be the ultimate solution …
    • LSC synchronization principles
    • Two levels of information per identity
      • Existence – equivalent to an account (object)
      • Identity specific details – names, phone numbers (datasets)
    • A unique ID: the pivot dataset(s)
      • Could be an email address, user ID ...
    • Synchronization operations
      • Create: Add objects from source to destination
      • Delete: Delete objects from destination not in source
      • Update: Compare and set specific details
      • Change ID: specific update for the main identifier
    • LSC synchronization principles
      A task defines:
      • source and destination service
      • pivot datasets
      • synchronization options
      A connector is defined by:
      • A connection for network and general settings (hostname, username, password, ...)
      • A service for per-task connector-specific settings (LDAP filter, SQL request, ...)
    • LSC synchronization principles
    • First step: sync
      • Get a list of all pivots from the source
      • For each pivot
        • Read the source object
        • Search for the destination object with pivot
        • Build up desired destination object by applying transformations to source object
        • If the destination object exists, calculate modifications
        • Apply: create or modify
    • LSC synchronization principles
    • Second step: clean (optional)
      • Get a list of all pivots from the destination
      • For each pivot
        • Search for the source object with pivot
        • If the source object doesn't exist, delete from destination
        • Apply: delete
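The two-step algorithm above (sync, then optional clean), as an added example that is not LSC's own code: two constructed in-memory repositories keyed by the pivot (mail), a transformation that builds the desired destination object, and the resulting create / modify / delete operations rendered as LDIF change records so a run can be audited before it is applied. The sample entries, the `transform` rule and the `ou=Sample` DN layout are assumptions.

```javascript
// Added example (not LSC code): sync + clean over pivot-keyed repositories.

// Constructed source rows (think of an HR CSV export), keyed by pivot = mail
const SOURCE = new Map([
  ['alice@example.org', { mail: 'alice@example.org', sn: 'Martin', givenName: 'Alice',
                          telephoneNumber: '+33 1 00 00 00 01' }],
  ['bob@example.org',   { mail: 'bob@example.org', sn: 'Durand', givenName: 'Bob',
                          telephoneNumber: '+33 1 00 00 00 02' }],
]);

// Constructed destination entries (an ou=Sample subtree), keyed by pivot = mail
const DESTINATION = new Map([
  ['bob@example.org', { dn: 'mail=bob@example.org,ou=Sample', mail: 'bob@example.org',
                        cn: 'DURAND Bob', sn: 'Durand', telephoneNumber: '+33 1 99 99 99 99' }],
  ['jim@example.org', { dn: 'mail=jim@example.org,ou=Sample', mail: 'jim@example.org',
                        cn: 'SMITH Jim', sn: 'Smith' }],
]);

// Transformation: desired destination object from a source object
// (cn = SN in caps + givenName, as in the slides' syncoptions example)
function transform(src) {
  const desired = { mail: src.mail, sn: src.sn, givenName: src.givenName,
                    cn: `${src.sn.toUpperCase()} ${src.givenName}` };
  if (src.telephoneNumber) desired.telephoneNumber = src.telephoneNumber;
  return desired;
}

function dnFor(desired) { return `mail=${desired.mail},ou=Sample`; }

// First step: sync. List pivots from the source; for each pivot read the source
// object, look up the destination object by pivot, build the desired object and
// emit a create (no destination object) or a modify (only the differing datasets).
function sync(source, destination) {
  const ops = [];
  for (const [pivot, src] of source) {
    const desired = transform(src);
    const dst = destination.get(pivot);
    if (!dst) { ops.push({ type: 'create', dn: dnFor(desired), attributes: desired }); continue; }
    const changes = {};
    for (const [attr, value] of Object.entries(desired)) {
      if (dst[attr] !== value) changes[attr] = value;
    }
    if (Object.keys(changes).length > 0) ops.push({ type: 'modify', dn: dst.dn, changes });
  }
  return ops;
}

// Second step: clean (optional). List pivots from the destination and delete any
// destination object whose pivot has no source object.
function clean(source, destination) {
  const ops = [];
  for (const [pivot, dst] of destination) {
    if (!source.has(pivot)) ops.push({ type: 'delete', dn: dst.dn });
  }
  return ops;
}

// Render the operations as RFC 2849 LDIF change records, which is what an LDIF
// log of a dry run looks like and what you would review before a real run.
function toLdif(ops) {
  return ops.map((op) => {
    const lines = [`dn: ${op.dn}`, `changetype: ${op.type === 'create' ? 'add' : op.type}`];
    if (op.type === 'create') {
      for (const [a, v] of Object.entries(op.attributes)) lines.push(`${a}: ${v}`);
    } else if (op.type === 'modify') {
      for (const [a, v] of Object.entries(op.changes)) lines.push(`replace: ${a}`, `${a}: ${v}`, '-');
    }
    return lines.join('\n');
  }).join('\n\n');
}

// Full run: sync first, then clean
function run(source = SOURCE, destination = DESTINATION) {
  return [...sync(source, destination), ...clean(source, destination)];
}

console.log(toLdif(run()));
```

With the constructed data the run yields one add (alice), one modify (bob: missing givenName and a changed phone number) and one delete (jim, present in the directory but gone from the source). Note that `sync` only ever touches datasets the transformation produces, so a destination attribute the source knows nothing about is left alone.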
    • Defining a synchronization
    • Source type: LDAP / SQL database / CSV file ?
    • Population: Which users? Which pivot ?
    • Information: Datasets ? Transformations?
    • Example: CSV to OpenLDAP
    • CSV: a simple export file (HR for example)
    • CSV is loaded in a temporary database (HSQLDB)
    • The embedded database is treated like any standard database source
    • Example: CSV to OpenLDAP
    • Configuring the source database
      • JDBC connector: org.hsqldb.jdbcDriver
      • URL, username, password
      • Simple SQL request
      SELECT 'inetOrgPerson' objectClass, pers."ID", pers."MAIL", ...
      FROM csvdata pers WHERE ID like #mail#
    • Example: CSV to OpenLDAP
    • OpenLDAP: inetOrgPerson entries
    • Example: CSV to OpenLDAP
    • Configuring the destination directory
      <ldapConnection id="4">
        <id>dst-ldap</id>
        <url>ldap://localhost:33389/dc=lsc-project,dc=org</url>
        <username>cn=Directory Manager</username>
        <password>secret</password>
        <authentication>SIMPLE</authentication>
        <referral>IGNORE</referral>
        <derefAliases>NEVER</derefAliases>
        <version>VERSION_3</version>
        <pageSize>-1</pageSize>
        <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
        <tlsActivated>false</tlsActivated>
      </ldapConnection>
    • Example: CSV to OpenLDAP
    • Configure the synchronization task
      • Source directory searching
      • DN generation
      <destination class="ldapDstService" id="8">
        <name>MySyncTask-dst</name>
        <connection class="ldapConnection" reference="4"></connection>
        <baseDn>ou=Sample</baseDn>
        <pivotAttributes id="9">
          <string>mail</string>
        </pivotAttributes>
        <fetchedAttributes id="10">
          <string>description</string>
          <string>cn</string>
          <string>sn</string>
          <string>userPassword</string>
          <string>objectClass</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(mail={mail}))</getOneFilter>
      </destination>
      <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
        <dn>"mail=" + srcBean.getAttributeValueById("mail") + ",ou=Sample"</dn>
        <.../>
    • Example: CSV to OpenLDAP
    • Configuration data transformations (syncoptions)
      <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
        <.../>
        <defaultPolicy>FORCE</defaultPolicy>
        <attribute id="16">
          <name>cn</name>
          <forceValues id="19">
            <string>srcBean.getAttributeValueById("sn").toUpperCase() + " " + srcBean.getAttributeValueById("givenName")</string>
          </forceValues>
        </attribute>
        <attribute id="24">
          <name>userPassword</name>
          <policy>KEEP</policy>
          <defaultValues id="25">
            <string>SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")</string>
          </defaultValues>
        </attribute>
        <.../>
      </syncOptions>
    • Demonstration
    • Installation
    • Simple CSV to LDAP synchronization
      • Online tutorial
      • http://lsc-project.org/wiki/documentation/2.0/sample (ongoing :)
    • Features overview
    • Syncoptions offer unlimited possibilities
      • Text transformations
        • cn = givenName + SPACE + SN in caps
        • Filter accents: convert « Hélène » to « Helene »
      • Hash passwords (SSHA, MD5, etc)
      • Simple LDAP bind test
      • Active Directory specifics:
        • UserAccountControl: deactivate accounts, force password changes, etc …
        • UnicodePwd: update passwords in AD-style
      • Anything else you can write in Java!
    • Features overview
    • Operation conditions
      • Perform CREATE / UPDATE / DELETE / Change ID conditionally
    • Use-cases:
      • Update-only synchronizations (never create, never delete)
      • Only update the password if it's changed (perform a LDAP bind operation to check on the fly)
      • Delete an account after 60 days of inactivity
    • Features overview
    • Dataset-level priorities for update
      • FORCE: replace the destination value whatever
      • KEEP: leave the destination value as-is
      • DEFAULT: value to use if the destination is empty
      • CREATE: default value for new entries
    • Use cases:
      • Provide a default password but don't squash real one
      • Force phone numbers if we're authoritative for them
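The dataset-level priorities above, together with the `FORCE` / `KEEP` attributes in the syncoptions configuration shown earlier, as an added example that is not LSC's own code. It resolves one attribute at a time: `FORCE` always replaces the destination value, `KEEP` leaves an existing value alone and only fills an empty one, with `createValues` (CREATE) preferred for brand-new entries and `defaultValues` (DEFAULT) otherwise. The rule shape, function names, sample entries and placeholder hash are assumptions.

```javascript
// Added example (not LSC code): FORCE / KEEP / DEFAULT / CREATE per attribute.

// One rule per destination attribute. The *Values fields stand in for LSC's
// JavaScript snippets evaluated against srcBean.
const RULES = {
  // cn: always rebuilt from the source (SN in caps + givenName)
  cn: { policy: 'FORCE', forceValues: (src) => `${src.sn.toUpperCase()} ${src.givenName}` },
  // telephoneNumber: we are authoritative for it, so force it from the source
  telephoneNumber: { policy: 'FORCE' },
  // userPassword: never squash a real password; an empty or new entry gets a default
  userPassword: { policy: 'KEEP', defaultValues: () => '{placeholder-hash-of-CHANGEME}' },
};

function hasValue(v) { return v !== undefined && v !== null && v !== ''; }

// Return the value to write for `attr`, or undefined to leave the destination untouched.
function resolveAttribute(rule, attr, src, dst, isNewEntry) {
  const dstValue = dst ? dst[attr] : undefined;
  const computed = rule.forceValues ? rule.forceValues(src) : src[attr];

  if (rule.policy === 'FORCE') {
    // FORCE: replace the destination value whatever it currently holds
    return computed !== dstValue ? computed : undefined;
  }
  if (rule.policy === 'KEEP') {
    // KEEP: an existing destination value is left as-is
    if (hasValue(dstValue)) return undefined;
    // CREATE: default value for new entries
    if (isNewEntry && rule.createValues) return rule.createValues(src);
    // DEFAULT: value to use if the destination is empty
    if (rule.defaultValues) return rule.defaultValues(src);
    return hasValue(computed) ? computed : undefined;
  }
  throw new Error(`unknown policy ${rule.policy}`);
}

// Apply every rule to one source object and return the attribute/value pairs to write.
// `dst` is null when the entry does not exist yet (create case).
function computeModifications(rules, src, dst) {
  const isNewEntry = dst === null || dst === undefined;
  const mods = {};
  for (const [attr, rule] of Object.entries(rules)) {
    const v = resolveAttribute(rule, attr, src, dst, isNewEntry);
    if (v !== undefined) mods[attr] = v;
  }
  return mods;
}

// Constructed sample: one source row and one existing destination entry
const SRC = { mail: 'alice@example.org', sn: 'Martin', givenName: 'Alice',
              telephoneNumber: '+33 1 00 00 00 01' };
const EXISTING = { cn: 'MARTIN Alice', telephoneNumber: '+33 1 99 99 99 99',
                   userPassword: '{SSHA}existing-real-hash' };

console.log(computeModifications(RULES, SRC, EXISTING)); // only the phone number changes
console.log(computeModifications(RULES, SRC, null));     // cn, phone and default password
```

On the existing entry the real password survives and the stale phone number is replaced; on a new entry every rule contributes a value. Keeping the policy per attribute rather than per task is what lets one task be authoritative for some datasets and merely a fallback for others.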
    • Features overview
    • Detailed and configurable logging
      • LDIF format (fully RFC-compliant)
      • CSV format
    • Audit or play back modifications
      • Dryrun mode
      • Block create/delete/update/changeid operation per task
    • Standards based – Wide support
    • Any LDAP server should be supported, tested on:
      • OpenLDAP
      • OpenDS
      • Sun DSEE
      • Microsoft Active Directory
      • Novell Directory Services
    • Any database with a JDBC connector, tested on:
      • MySQL, PostgreSQL, Oracle, HSQLDB
    • Latest version LSC 2.0
    • A major new release with new features:
      • Daemon mode with on the fly updates
      • Support for scripting languages (JSR 223)
      • Read and write everywhere
      • Plugin API: connectors, libraries, scripting engine, …
      • Graphical interface
    • LSC: a connected entity!
    • Start LSC in asynchronous mode to detect and propagate on-the-fly update events from supported data sources (currently Web Service and LDAP)
    • Interact with an LSC instance through the command-line tool or JMX
    • LSC: scripting
    • Use your preferred language to write LSC rules!
    • LSC has built-in, historical support for JavaScript
    • Extensible to any JSR 223 compliant engine:
      • Php
      • Groovy
      • Unix tools (awk, TCL)
      • Python, Ruby, Scheme (Lisp)
      • ...
    • LSC: read and write everywhere
    • Original and best supported connector to LDAP directories
    • Additional sources: NIS, database, CSV, Web Services, LDAP through Syncrepl
    • Additional destinations: scripting destination
    • And many others to come :)
    • LSC: built-in extensibility API
    • Write your own connector to read or write inside your custom space
      public class MySourceService {
        public IBean getBean(...);
        public Map<...> getListPivots(...);
      }
      public class MyTargetService {
        public IBean getBean(...);
        public Map<...> getListPivots(...);
        public boolean apply(...);
      }
      public class MyServiceConfiguration {
        private String mySpecialParameter;
        public String getMySpecialParameter();
        public void setMySpecialParameter(...);
      }
    • LSC: graphical interface
    • Perspectives
    • Project is currently in stable status
      • Version 1.2.1
    • This presentation is based on the beta version
      • Version 2.0 (almost) released
    • Perspectives
    • Ideas for improvement are everywhere:
      • Event based model (ESB)
      • DirSync support for Microsoft AD
      • Datasource aggregation on the fly
      • Scheduler integration (ongoing)
      • Data « reconciliation »
      • Anything else …
    • Try it out! Get involved!
    • Main website: http://lsc-project.org/
      • Tutorials: quickstart demo, detailed tutorials
      • Reference documentation
    • Try it out! Get involved!
    • Getting help (keep in touch!)
      • Mailing lists: http://lists.lsc-project.org/
      • IRC: #lsc-project on Freenode
    • Development tools:
      • Redmine forge: http://tools.lsc-project.org/
      • Bugtracker, SVN repository …
      • Continuous build server
        • Numerous automated tests
    • Thanks for your attention! Any questions? Sebastien Bahloul [email_address]