Ldap Synchronization Connector @ 2011.RMLL
Transcript

  • 1.
      LSC @ 2011.RMLL
      Sébastien Bahloul
      Jonathan Clarke
  • 2.
      What?
  • 8.
      Why?
    • LDAP directories
      • Present in a vast majority of corporations
      • Central authentication, identity management, …
      • Contain user accounts (identities)
    • Simple, right? … well, yes, but …
      • « HR already has software that only stores identity information in a database »
      • « We use Active Directory for our desktops and we need users' identities there too »
      • « XYZ software only uses a database »
  • 13.
      Why?
    • Several different identity repositories
      • How to make sure the same changes apply?
        • New employees
        • Name changes (marriage), transfers...
        • Employees leaving
      Jim just got fired.
      Boss asks you to disable his account.
      Account S, that is. You do it... All done!
      But what about the account on the company blog?
      ARGH! Too late. What now!?
      FIRE THE SYSADMIN!!!?
  • 16.
      Why?
    • Synchronize the repositories
      • Spread the account status, information, etc...
    • Manual synchronization?
      • Leads to a mess, leaving old accounts active …
    • Automatic synchronization?
  • 17.
      Introduction
    • Automatic synchronization
      • It already exists, and works great
        • Directory- / database-specific replication
        • Application-specific connectors (AD, SAP, etc)
      • What about the rest?
        • Between different databases, directories, files?
        • Different data models?
        • Using standards: LDAP, SQL, etc...?
  • 21.
      About LSC Project
    • What is LSC?
      • LDAP Synchronization Connector
      • Open Source project
      • BSD licence
      • Written in Java
      • 5 years in the making
      • 3 years ago LSC-project.org created
      • ~10 regular contributors
    • Website: http://lsc-project.org
  • 28.
      Goals – functionality
    • Read/write to any repository
      • Database or LDAP directory or ?
      • Standard LDAPv3 operations
      • JDBC connectors for databases
    • Transform data on-the-fly
      • Adapt to a different data model
      • JavaScript-based engine to manipulate data
    • Adjustable updates: force values, insert defaults, merge values, don't touch...
  • 32.
      Goals – usability
    • Quickly implement a new synchronization
    • Highly configurable
      • What exactly do we read?
      • Powerful transformations (correctness is important)
      • What exactly do we write?
    • Run fast (performance is important)
    • Easy to set up
  • 37.
      Philosophy
    • Make it possible, now!
    • Make it more stable and safer
      • Open Source benefits over home-grown scripts
      • More secure and better tested
      • Don't reinvent a buggy wheel!
    • Make it faster and simpler
      • Faster than writing home-grown scripts
      • Provide methods for IAM and directory-specific tasks
    • This may not be the ultimate solution …
  • 42.
      LSC synchronization principles
    • Two levels of information per identity
      • Existence – equivalent to an account (object)
      • Identity-specific details – names, phone numbers (datasets)
    • A unique ID: the pivot dataset(s)
      • Could be an email address, user ID ...
    • Synchronization operations
      • Create: Add objects from source to destination
      • Delete: Delete objects from destination not in source
      • Update: Compare and set specific details
      • Change ID: Specific update for the main identifier
  • 47.
      LSC synchronization principles
      A task defines:
      • source and destination service
      • pivot datasets
      • synchronization options
      A connector is defined by:
      • A connection for network and general settings (hostname, username, password, ...)
      • A service for per-task connector-specific settings (LDAP filter, SQL request, ...)
  • 51.
      LSC synchronization principles
    • First step: sync
      • Get a list of all pivots from the source
      • For each pivot
        • Read the source object
        • Search for the destination object with pivot
        • Build up desired destination object by applying transformations to source object
        • If the destination object exists, calculate modifications
        • Apply: create or modify
  • 57.
      LSC synchronization principles
    • Second step: clean (optional)
      • Get a list of all pivots from the destination
      • For each pivot
        • Search for the source object with pivot
        • If the source object doesn't exist, delete from destination
        • Apply: delete
  • 61.
      Defining a synchronization
    • Source type: LDAP / SQL database / CSV file?
    • Population: Which users? Which pivot?
    • Information: Datasets? Transformations?
  • 64.
      Example: CSV to OpenLDAP
    • CSV: a simple export file (HR for example)
    • CSV is loaded in a temporary database (HSQLDB)
    • The embedded database is treated as a standard database implementation
  • 65.
      Example: CSV to OpenLDAP
    • Configuring the source database
      • JDBC connector: org.hsqldb.jdbcDriver
      • URL, username, password
      • Simple SQL request
        SELECT 'inetOrgPerson' objectClass, pers."ID", pers."MAIL",
               ...
        FROM csvdata pers WHERE ID like #mail#
  • 68.
      Example: CSV to OpenLDAP
    • OpenLDAP: inetOrgPerson entries
  • 69.
      Example: CSV to OpenLDAP
    • Configuring the destination directory
        <ldapConnection id="4">
          <id>dst-ldap</id>
          <url>ldap://localhost:33389/dc=lsc-project,dc=org</url>
          <username>cn=Directory Manager</username>
          <password>secret</password>
          <authentication>SIMPLE</authentication>
          <referral>IGNORE</referral>
          <derefAliases>NEVER</derefAliases>
          <version>VERSION_3</version>
          <pageSize>-1</pageSize>
          <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
          <tlsActivated>false</tlsActivated>
        </ldapConnection>
  • 70.
      Example: CSV to OpenLDAP
    • Configure the synchronization task
      • Source directory searching
      • DN generation
        <destination class="ldapDstService" id="8">
          <name>MySyncTask-dst</name>
          <connection class="ldapConnection" reference="4"></connection>
          <baseDn>ou=Sample</baseDn>
          <pivotAttributes id="9">
            <string>mail</string>
          </pivotAttributes>
          <fetchedAttributes id="10">
            <string>description</string>
            <string>cn</string>
            <string>sn</string>
            <string>userPassword</string>
            <string>objectClass</string>
          </fetchedAttributes>
          <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
          <getOneFilter>(&amp;(objectClass=inetOrgPerson)(mail={mail}))</getOneFilter>
        </destination>
        <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
          <dn>"mail=" + srcBean.getAttributeValueById("mail") + ",ou=Sample"</dn>
          <.../>
  • 72.
      Example: CSV to OpenLDAP
    • Configuring data transformations (syncoptions)
        <syncOptions class="org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions" id="12">
          <.../>
          <defaultPolicy>FORCE</defaultPolicy>
          <attribute id="16">
            <name>cn</name>
            <forceValues id="19">
              <string>srcBean.getAttributeValueById("sn").toUpperCase() + " " + srcBean.getAttributeValueById("givenName")</string>
            </forceValues>
          </attribute>
          <attribute id="24">
            <name>userPassword</name>
            <policy>KEEP</policy>
            <defaultValues id="25">
              <string>SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")</string>
            </defaultValues>
          </attribute>
          <.../>
        </syncOptions>
  • 73.
      Demonstration
    • Installation
    • Simple CSV to LDAP synchronization
      • Online tutorial
      • http://lsc-project.org/wiki/documentation/2.0/sample (ongoing :)
  • 76.
      Features overview
    • Syncoptions offer unlimited possibilities
      • Text transformations
        • cn = givenName + SPACE + SN in caps
        • Filter accents: convert « Hélène » to « Helene »
      • Hash passwords (SSHA, MD5, etc)
      • Simple LDAP bind test
      • Active Directory specifics:
        • UserAccountControl: deactivate accounts, force password changes, etc …
        • UnicodePwd: update passwords in AD-style
      • Anything else you can write in Java!
  • 81.
      Features overview
    • Operation conditions
      • Perform CREATE / UPDATE / DELETE / Change ID conditionally
    • Use-cases:
      • Update-only synchronizations (never create, never delete)
      • Only update the password if it's changed (perform an LDAP bind operation to check on the fly)
      • Delete an account after 60 days of inactivity
  • 84.
      Features overview
    • Dataset-level priorities for update
      • FORCE: replace the destination value whatever it is
      • KEEP: leave the destination value as-is
      • DEFAULT: value to use if the destination is empty
      • CREATE: default value for new entries
    • Use cases:
      • Provide a default password but don't squash the real one
      • Force phone numbers if we're authoritative for them
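The sync and clean passes of slides 51 and 57, combined with the dataset policies of slide 84, as an added example that is not code from the LSC project. The source and destination repositories are constructed in-memory objects keyed by the pivot (mail), and the operations are returned rather than applied, much like a dry run.

```javascript
// Added example (not LSC's own code): sync then clean over in-memory repositories,
// applying the FORCE / KEEP / DEFAULT / CREATE policies per dataset.
// Constructed sample data: an HR export (source) and a directory (destination).
const source = {
  "jim@example.org": { sn: "Doe", givenName: "Jim", telephoneNumber: "100" },
  "ann@example.org": { sn: "Lee", givenName: "Ann", telephoneNumber: "200" },
};
const destination = {
  "jim@example.org": { cn: "Jim Doe", userPassword: "{SSHA}real", telephoneNumber: "999" },
  "old@example.org": { cn: "Gone User" },
};
// Transformation: build the desired destination object from the source object.
function transform(src) {
  return {
    cn: src.sn.toUpperCase() + " " + src.givenName,
    telephoneNumber: src.telephoneNumber,
    userPassword: "CHANGEME", // hypothetical default; a real rule would hash it
  };
}
// Policy per dataset; anything not listed uses the default policy (FORCE).
const policies = { userPassword: "DEFAULT" };
// First step, sync: returns the operations instead of applying them (dry run).
function sync(src, dst, policyMap = policies, defaultPolicy = "FORCE") {
  const ops = [];
  for (const pivot of Object.keys(src)) {
    const desired = transform(src[pivot]);
    const existing = dst[pivot];
    if (!existing) {
      ops.push({ op: "create", pivot, attrs: desired }); // every value applies on create
      continue;
    }
    const mods = {};
    for (const [attr, value] of Object.entries(desired)) {
      const policy = policyMap[attr] || defaultPolicy;
      const current = existing[attr];
      if (policy === "KEEP" || policy === "CREATE") continue; // never touch an existing entry
      if (policy === "DEFAULT" && current !== undefined) continue; // only fill empty values
      if (current !== value) mods[attr] = value; // FORCE, or DEFAULT on an empty value
    }
    if (Object.keys(mods).length) ops.push({ op: "modify", pivot, mods });
  }
  return ops;
}
// Second step, clean: delete destination objects whose pivot is absent from the source.
function clean(src, dst) {
  return Object.keys(dst)
    .filter((pivot) => !(pivot in src))
    .map((pivot) => ({ op: "delete", pivot }));
}
```

Note that the existing userPassword on jim's entry survives because its policy is DEFAULT, while the phone number is overwritten under the default FORCE policy.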
  • 89.
      Features overview
    • Detailed and configurable logging
      • LDIF format (fully RFC-compliant)
      • CSV format
    • Audit or play back modifications
      • Dry-run mode
      • Block create/delete/update/changeid operations per task
  • 92.
      Standards based – Wide support
    • Any LDAP server should be supported, tested on:
    • Any database with a JDBC connector, tested on:
      • MySQL, PostgreSQL, Oracle, HSQLDB
  • 97.
      Latest version LSC 2.0
    • A major new release for new features:
      • Daemon mode with on-the-fly updates
      • Support for scripting languages (JSR 223)
      • Read and write everywhere
      • Plugin API: connectors, libraries, scripting engine, …
      • Graphical interface
  • 102.
      LSC: a connected entity!
    • Start LSC to benefit from asynchronous mode: detect and propagate on-the-fly update events for supported datasources (currently Web Service and LDAP)
    • Interact with an LSC instance through the command line tool or JMX
  • 103.
      LSC: scripting
    • Use your preferred language to write LSC rules!
    • LSC builtin and historical support for JavaScript
    • Extensible to any JSR 223 compliant engine:
  • 110.
      LSC: read and write everywhere
    • Original and best supported connector to LDAP directories
    • Additional sources: NIS, database, CSV, Web Services, LDAP through Syncrepl
    • Additional destinations: Scripting destination
    • And many others to come :)
  • 114.
      LSC: builtin extensibility API
    • Write your own connector to read or write inside your custom space
        public class MySourceService {
            public IBean getBean(...);
            public Map<...> getListPivots(...);
        }
        public class MyTargetService {
            public IBean getBean(...);
            public Map<...> getListPivots(...);
            public boolean apply(...);
        }
        public class MyServiceConfiguration {
            private String mySpecialParameter;
            public String getMySpecialParameter();
            public void setMySpecialParameter(...);
        }
  • 115.
      LSC: graphical interface
  • 116.
      LSC: graphical interface
  • 117.
      LSC: graphical interface
  • 118.
      Perspectives
    • Project is currently in stable status
      • Version 1.2.1
    • This presentation is based on the beta version
      • Version 2.0 (almost) released
  • 119.
      Perspectives
    • Ideas for improvement are everywhere:
      • Event-based model (ESB)
      • DirSync support for Microsoft AD
      • Datasource aggregation on the fly
      • Scheduler integration (ongoing)
      • Data « reconciliation »
      • Anything else …
  • 125.
      Try it out! Get involved!
    • Main website: http://lsc-project.org/
      • Tutorials: quickstart demo, detailed tutorials
      • Reference documentation
  • 127.
      Try it out! Get involved!
    • Getting help (keep in touch!)
      • Mailing lists: http://lists.lsc-project.org/
      • IRC: #lsc-project on Freenode
    • Development tools:
      • Redmine forge: http://tools.lsc-project.org/
      • Bugtracker, SVN repository …
      • Continuous build server
        • Numerous automated tests
  • 131.
      Thanks for your attention! Any questions?
      Sébastien Bahloul [email_address]