Ldap Synchronization Connector @ 2011.RMLL


<h3>LSC @ 2011.RMLL</h3>
<p>Sébastien Bahloul, Jonathan Clarke</p>

<h3>What?</h3>
<ul>
<li>LSC @ 2011.RMLL</li>
<li>Why?</li>
<li>Goals</li>
<li>3 minutes quick start</li>
<li>New version: 2.0</li>
<li>Roadmap</li>
</ul>

<h3>Why?</h3>
<ul>
<li>LDAP directories
  <ul>
  <li>Present in a vast majority of corporations</li>
  <li>Central authentication, identity management, …</li>
  <li>Contain user accounts (identities)</li>
  </ul>
</li>
<li>Simple, right? … well, yes, but …
  <ul>
  <li>« HR already has software that only stores identity information in a database »</li>
  <li>« We use Active Directory for our desktops and we need users' identities there too »</li>
  <li>« XYZ software only uses a database »</li>
  </ul>
</li>
</ul>

<h3>Why?</h3>
<ul>
<li>Several different identity repositories
  <ul>
  <li>How to make sure the same changes apply?
    <ul>
    <li>New employees</li>
    <li>Name changes (marriage), transfers...</li>
    <li>Employees leaving</li>
    </ul>
  </li>
  </ul>
</li>
</ul>
<p>Jim just got fired. Boss asks you to disable his account. Account S, that is. You do it... All done!</p>
<p>But what about the account on the company blog? ARGH! Too late. What now!? FIRE THE SYSADMIN!!!?</p>

<h3>Why?</h3>
<ul>
<li>Synchronize the repositories
  <ul>
  <li>Spread the account status, information, etc...</li>
  </ul>
</li>
<li>Manual synchronization?
  <ul>
  <li>Leads to a mess, leaving old accounts active …</li>
  </ul>
</li>
<li>Automatic synchronization?</li>
</ul>

<h3>Introduction</h3>
<ul>
<li>Automatic synchronization
  <ul>
  <li>It already exists, and works great
    <ul>
    <li>Directory- / database-specific replication</li>
    <li>Application-specific connectors (AD, SAP, etc.)</li>
    </ul>
  </li>
  <li>What about the rest?
    <ul>
    <li>Between different databases, directories, files?</li>
    <li>Different data models?</li>
    <li>Using standards: LDAP, SQL, etc...?</li>
    </ul>
  </li>
  </ul>
</li>
</ul>

<h3>About LSC Project</h3>
<ul>
<li>What is LSC?
  <ul>
  <li>LDAP Synchronization Connector</li>
  <li>Open Source project</li>
  <li>BSD licence</li>
  <li>Written in Java</li>
  <li>5 years in the making</li>
  <li>3 years ago LSC-project.org created</li>
  <li>~10 regular contributors</li>
  </ul>
</li>
<li>Website: http://lsc-project.org</li>
</ul>

<h3>Goals – functionality</h3>
<ul>
<li>Read/write to any repository
  <ul>
  <li>Database or LDAP directory or ?</li>
  <li>Standard LDAPv3 operations</li>
  <li>JDBC connectors for databases</li>
  </ul>
</li>
<li>Transform data on-the-fly
  <ul>
  <li>Adapt to a different data model</li>
  <li>JavaScript based engine to manipulate data</li>
  </ul>
</li>
<li>Adjustable updates: force values, insert defaults, merge values, don't touch...</li>
</ul>

<h3>Goals – usability</h3>
<ul>
<li>Quickly implement a new synchronization</li>
<li>Highly configurable
  <ul>
  <li>What exactly do we read?</li>
  <li>Powerful transformations (correctness is important)</li>
  <li>What exactly do we write?</li>
  </ul>
</li>
<li>Run fast (performance is important)</li>
<li>Easy to set up</li>
</ul>

<h3>Philosophy</h3>
<ul>
<li>Make it possible, now!</li>
<li>Make it more stable and safer
  <ul>
  <li>Open Source benefits over home-grown scripts</li>
  <li>More secure and better tested</li>
  <li>Don't reinvent a buggy wheel!</li>
  </ul>
</li>
<li>Make it faster and simpler
  <ul>
  <li>Faster than writing home-grown scripts</li>
  <li>Provide methods for IAM and directory-specific tasks</li>
  </ul>
</li>
<li>This may not be the ultimate solution …</li>
</ul>

<h3>LSC synchronization principles</h3>
<ul>
<li>Two levels of information per identity
  <ul>
  <li>Existence – equivalent to an account (object)</li>
  <li>Identity-specific details – names, phone numbers (datasets)</li>
  </ul>
</li>
<li>A unique ID: the pivot dataset(s)
  <ul>
  <li>Could be an email address, user ID ...</li>
  </ul>
</li>
<li>Synchronization operations
  <ul>
  <li>Create: add objects from source to destination</li>
  <li>Delete: delete objects from destination not in source</li>
  <li>Update: compare and set specific details</li>
  <li>Change ID: specific update for the main identifier</li>
  </ul>
</li>
</ul>

<h3>LSC synchronization principles</h3>
<p>A task defines:</p>
<ul>
<li>source and destination service</li>
<li>pivot datasets</li>
<li>synchronization options</li>
</ul>
<p>A connector is defined by:</p>
<ul>
<li>A connection for network and general settings (hostname, username, password, ...)</li>
<li>A service for per-task, connector-specific settings (LDAP filter, SQL request, ...)</li>
</ul>

<h3>LSC synchronization principles</h3>
<ul>
<li>First step: sync
  <ul>
  <li>Get a list of all pivots from the source</li>
  <li>For each pivot
    <ul>
    <li>Read the source object</li>
    <li>Search for the destination object with the pivot</li>
    <li>Build up the desired destination object by applying transformations to the source object</li>
    <li>If the destination object exists, calculate the modifications</li>
    <li>Apply: create or modify</li>
    </ul>
  </li>
  </ul>
</li>
</ul>

<h3>LSC synchronization principles</h3>
<ul>
<li>Second step: clean (optional)
  <ul>
  <li>Get a list of all pivots from the destination</li>
  <li>For each pivot
    <ul>
    <li>Search for the source object with the pivot</li>
    <li>If the source object doesn't exist, delete from destination</li>
    <li>Apply: delete</li>
    </ul>
  </li>
  </ul>
</li>
</ul>
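<p>The sync and clean steps above, as an added example that is not LSC's own code: an in-memory simulation written in JavaScript (the language of LSC's rules) over constructed HR rows and directory entries, keyed on the <code>mail</code> pivot; the function names are hypothetical and the transformation rule copies the cn rule from the CSV-to-OpenLDAP example later in the deck.</p>

```javascript
// Added example, not LSC's own code: the two-step sync/clean principle
// simulated in memory on constructed sample data; the pivot dataset is "mail".
// Transformation: desired destination object from a source row
// (the sn/givenName -> cn rule follows the slide's syncoptions).
function transform(src) {
  return { mail: src.mail, sn: src.sn, objectClass: "inetOrgPerson",
           cn: src.sn.toUpperCase() + " " + src.givenName };
}
// Only the attributes whose destination value differs (the modifications).
function calcModifications(existing, desired) {
  const mods = {};
  for (const attr of Object.keys(desired)) {
    if (existing[attr] !== desired[attr]) mods[attr] = desired[attr];
  }
  return mods;
}
// Step 1 (sync): for each source pivot, create or modify the destination.
// Step 2 (clean, optional): delete destination pivots absent from the source.
function synchronize(source, destination, clean = true) {
  const ops = []; // operations applied, in order: an audit trail
  for (const src of source) {
    const desired = transform(src);
    const existing = destination.get(desired.mail); // search by pivot
    if (!existing) {
      destination.set(desired.mail, desired);
      ops.push({ op: "create", pivot: desired.mail });
    } else {
      const mods = calcModifications(existing, desired);
      if (Object.keys(mods).length > 0) {
        Object.assign(existing, mods);
        ops.push({ op: "modify", pivot: desired.mail, mods });
      }
    }
  }
  if (clean) {
    const sourcePivots = new Set(source.map((s) => s.mail));
    for (const pivot of [...destination.keys()]) {
      if (!sourcePivots.has(pivot)) {
        destination.delete(pivot);
        ops.push({ op: "delete", pivot }); // the "Jim just got fired" case
      }
    }
  }
  return ops;
}
// Constructed sample: HR export (source) against a directory (destination).
function demo() {
  const hr = [{ mail: "alice@example.org", sn: "Martin", givenName: "Alice" },
              { mail: "bob@example.org", sn: "Durand", givenName: "Bob" }];
  const dir = new Map([
    ["alice@example.org", { mail: "alice@example.org", sn: "Martin", cn: "Martin Alice", objectClass: "inetOrgPerson" }],
    ["jim@example.org", { mail: "jim@example.org", sn: "Smith", cn: "SMITH Jim", objectClass: "inetOrgPerson" }]]);
  return { ops: synchronize(hr, dir), dir };
}
```

<p>Running <code>demo()</code> yields one modify (Alice's cn), one create (Bob) and one delete (Jim, no longer in the HR export); with <code>clean = false</code> Jim's stale account would survive, which is exactly the manual-synchronization mess the earlier slide warns about.</p>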
<h3>Defining a synchronization</h3>
<ul>
<li>Source type: LDAP / SQL database / CSV file?</li>
<li>Population: which users? Which pivot?</li>
<li>Information: datasets? Transformations?</li>
</ul>

<h3>Example: CSV to OpenLDAP</h3>
<ul>
<li>CSV: a simple export file (HR for example)</li>
<li>CSV is loaded in a temporary database (HSQLDB)</li>
<li>The embedded database is treated as a standard database implementation</li>
</ul>

<h3>Example: CSV to OpenLDAP</h3>
<ul>
<li>Configuring the source database
  <ul>
  <li>JDBC connector: org.hsqldb.jdbcDriver</li>
  <li>URL, username, password</li>
  <li>Simple SQL request</li>
  </ul>
</li>
</ul>
<pre>SELECT 'inetOrgPerson' objectClass, pers.&quot;ID&quot;, pers.&quot;MAIL&quot;,
       ...
FROM csvdata pers WHERE ID like #mail#</pre>

<h3>Example: CSV to OpenLDAP</h3>
<ul>
<li>OpenLDAP: inetOrgPerson entries</li>
</ul>

<h3>Example: CSV to OpenLDAP</h3>
<ul>
<li>Configuring the destination directory</li>
</ul>
<pre>&lt;ldapConnection id=&quot;4&quot;&gt;
  &lt;id&gt;dst-ldap&lt;/id&gt;
  &lt;url&gt;ldap://localhost:33389/dc=lsc-project,dc=org&lt;/url&gt;
  &lt;username&gt;cn=Directory Manager&lt;/username&gt;
  &lt;password&gt;secret&lt;/password&gt;
  &lt;authentication&gt;SIMPLE&lt;/authentication&gt;
  &lt;referral&gt;IGNORE&lt;/referral&gt;
  &lt;derefAliases&gt;NEVER&lt;/derefAliases&gt;
  &lt;version&gt;VERSION_3&lt;/version&gt;
  &lt;pageSize&gt;-1&lt;/pageSize&gt;
  &lt;factory&gt;com.sun.jndi.ldap.LdapCtxFactory&lt;/factory&gt;
  &lt;tlsActivated&gt;false&lt;/tlsActivated&gt;
&lt;/ldapConnection&gt;</pre>

<h3>Example: CSV to OpenLDAP</h3>
<ul>
<li>Configure the synchronization task
  <ul>
  <li>Source directory searching</li>
  <li>DN generation</li>
  </ul>
</li>
</ul>
<pre>&lt;destination class=&quot;ldapDstService&quot; id=&quot;8&quot;&gt;
  &lt;name&gt;MySyncTask-dst&lt;/name&gt;
  &lt;connection class=&quot;ldapConnection&quot; reference=&quot;4&quot;&gt;&lt;/connection&gt;
  &lt;baseDn&gt;ou=Sample&lt;/baseDn&gt;
  &lt;pivotAttributes id=&quot;9&quot;&gt;
    &lt;string&gt;mail&lt;/string&gt;
  &lt;/pivotAttributes&gt;
  &lt;fetchedAttributes id=&quot;10&quot;&gt;
    &lt;string&gt;description&lt;/string&gt;
    &lt;string&gt;cn&lt;/string&gt;
    &lt;string&gt;sn&lt;/string&gt;
    &lt;string&gt;userPassword&lt;/string&gt;
    &lt;string&gt;objectClass&lt;/string&gt;
  &lt;/fetchedAttributes&gt;
  &lt;getAllFilter&gt;(objectClass=inetOrgPerson)&lt;/getAllFilter&gt;
  &lt;getOneFilter&gt;(&amp;amp;(objectClass=inetOrgPerson)(mail={mail}))&lt;/getOneFilter&gt;
&lt;/destination&gt;

&lt;syncOptions class=&quot;org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions&quot; id=&quot;12&quot;&gt;
  &lt;dn&gt;&quot;mail=&quot; + srcBean.getAttributeValueById(&quot;mail&quot;) + &quot;,ou=Sample&quot;&lt;/dn&gt;
  &lt;.../&gt;</pre>

<h3>Example: CSV to OpenLDAP</h3>
<ul>
<li>Configuring data transformations (syncoptions)</li>
</ul>
<pre>&lt;syncOptions class=&quot;org.lsc.configuration.objects.syncoptions.PropertiesBasedSyncOptions&quot; id=&quot;12&quot;&gt;
  &lt;.../&gt;
  &lt;defaultPolicy&gt;FORCE&lt;/defaultPolicy&gt;
  &lt;attribute id=&quot;16&quot;&gt;
    &lt;name&gt;cn&lt;/name&gt;
    &lt;forceValues id=&quot;19&quot;&gt;
      &lt;string&gt;srcBean.getAttributeValueById(&quot;sn&quot;).toUpperCase() + &quot; &quot; + srcBean.getAttributeValueById(&quot;givenName&quot;)&lt;/string&gt;
    &lt;/forceValues&gt;
  &lt;/attribute&gt;
  &lt;attribute id=&quot;24&quot;&gt;
    &lt;name&gt;userPassword&lt;/name&gt;
    &lt;policy&gt;KEEP&lt;/policy&gt;
    &lt;defaultValues id=&quot;25&quot;&gt;
      &lt;string&gt;SecurityUtils.hash(SecurityUtils.MD5, &quot;CHANGEME&quot;)&lt;/string&gt;
    &lt;/defaultValues&gt;
  &lt;/attribute&gt;
  &lt;.../&gt;
&lt;/syncOptions&gt;</pre>

<h3>Demonstration</h3>
<ul>
<li>Installation</li>
<li>Simple CSV to LDAP synchronization
  <ul>
  <li>Online tutorial</li>
  <li>http://lsc-project.org/wiki/documentation/2.0/sample (ongoing :)</li>
  </ul>
</li>
</ul>

<h3>Features overview</h3>
<ul>
<li>Syncoptions offer unlimited possibilities
  <ul>
  <li>Text transformations
    <ul>
    <li>cn = givenName + SPACE + SN in caps</li>
    <li>Filter accents: convert « Hélène » to « Helene »</li>
    </ul>
  </li>
  <li>Hash passwords (SSHA, MD5, etc.)</li>
  <li>Simple LDAP bind test</li>
  <li>Active Directory specifics:
    <ul>
    <li>UserAccountControl: deactivate accounts, force password changes, etc …</li>
    <li>UnicodePwd: update passwords AD-style</li>
    </ul>
  </li>
  <li>Anything else you can write in Java!</li>
  </ul>
</li>
</ul>
<h3>Features overview</h3>
<ul>
<li>Operation conditions
  <ul>
  <li>Perform CREATE / UPDATE / DELETE / Change ID conditionally</li>
  </ul>
</li>
<li>Use cases:
  <ul>
  <li>Update-only synchronizations (never create, never delete)</li>
  <li>Only update the password if it has changed (perform an LDAP bind operation to check on the fly)</li>
  <li>Delete an account after 60 days of inactivity</li>
  </ul>
</li>
</ul>

<h3>Features overview</h3>
<ul>
<li>Dataset-level priorities for update
  <ul>
  <li>FORCE: replace the destination value whatever it is</li>
  <li>KEEP: leave the destination value as-is</li>
  <li>DEFAULT: value to use if the destination is empty</li>
  <li>CREATE: default value for new entries</li>
  </ul>
</li>
<li>Use cases:
  <ul>
  <li>Provide a default password but don't squash the real one</li>
  <li>Force phone numbers if we're authoritative for them</li>
  </ul>
</li>
</ul>
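<p>One way to apply these four priorities attribute by attribute, as an added example that is not LSC's own code: the rule shape, the evaluation order and the sample data are constructed for illustration, modelled on the syncoptions example earlier in the deck rather than on LSC's implementation.</p>

```javascript
// Added example, not LSC's own code. A rule mirrors a syncoptions
// <attribute>: a policy (FORCE or KEEP) plus optional value expressions
// evaluated against the source bean, as LSC's JavaScript rules are.
// Evaluation order is an assumption: force > create > default > keep.
function resolveAttribute(rule, srcBean, current, isNew) {
  if (rule.policy === "FORCE")                     // replace whatever is there
    return rule.forceValue ? rule.forceValue(srcBean) : srcBean[rule.name];
  if (isNew && rule.createValue)                   // default for new entries
    return rule.createValue(srcBean);
  if (current === undefined && rule.defaultValue)  // fill only if empty
    return rule.defaultValue(srcBean);
  return current;                                  // KEEP: leave as-is
}

// Modifications for a whole entry: only attributes whose resolved value
// differs from what the destination already holds are written.
function computeMods(rules, srcBean, dstEntry) {
  const isNew = dstEntry === undefined;
  const current = dstEntry || {};
  const mods = {};
  for (const rule of rules) {
    const value = resolveAttribute(rule, srcBean, current[rule.name], isNew);
    if (value !== undefined && value !== current[rule.name]) mods[rule.name] = value;
  }
  return mods;
}

// Constructed rules for the slide's use cases: we are authoritative for
// phone numbers, but a default password must never squash a real one.
const rules = [
  { name: "telephoneNumber", policy: "FORCE" },
  { name: "userPassword", policy: "KEEP",
    defaultValue: () => "{placeholder-hash-of-initial-password}" },
  { name: "description", policy: "KEEP",
    createValue: (b) => "Created from HR for " + b.mail },
];
const hrBean = { mail: "alice@example.org", telephoneNumber: "+33 1 00 00 00 01" };

function demoExisting() {  // entry already in the directory, with a real password
  return computeMods(rules, hrBean,
    { mail: "alice@example.org", telephoneNumber: "+33 1 99 99 99 99",
      userPassword: "{SSHA}existing-real-hash" });
}
function demoNew() {       // entry not in the directory yet
  return computeMods(rules, hrBean, undefined);
}
```

<p>For the existing entry only the phone number is rewritten; for the new entry the phone number, the default password and the creation-time description are all set.</p>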
<h3>Features overview</h3>
<ul>
<li>Detailed and configurable logging
  <ul>
  <li>LDIF format (fully RFC-compliant)</li>
  <li>CSV format</li>
  </ul>
</li>
<li>Audit or play back modifications
  <ul>
  <li>Dry-run mode</li>
  <li>Block create/delete/update/changeid operations per task</li>
  </ul>
</li>
</ul>

<h3>Standards based – Wide support</h3>
<ul>
<li>Any LDAP server should be supported, tested on:
  <ul>
  <li>OpenLDAP</li>
  <li>OpenDS</li>
  <li>Sun DSEE</li>
  <li>Microsoft Active Directory</li>
  <li>Novell Directory Services</li>
  </ul>
</li>
<li>Any database with a JDBC connector, tested on:
  <ul>
  <li>MySQL, PostgreSQL, Oracle, HSQLDB</li>
  </ul>
</li>
</ul>

<h3>Latest version LSC 2.0</h3>
<ul>
<li>A major new release for new features:
  <ul>
  <li>Daemon mode with on-the-fly updates</li>
  <li>Support for scripting languages (JSR 223)</li>
  <li>Read and write everywhere</li>
  <li>Plugin API: connectors, libraries, scripting engine, …</li>
  <li>Graphical interface</li>
  </ul>
</li>
</ul>

<h3>LSC: a connected entity!</h3>
<ul>
<li>Start LSC to benefit from asynchronous mode: detect and propagate update events on the fly for supported datasources (currently Web Service and LDAP)</li>
<li>Interact with an LSC instance through the command line tool or JMX</li>
</ul>

<h3>LSC: scripting</h3>
<ul>
<li>Use your preferred language to write LSC rules!</li>
<li>LSC built-in and historical support for JavaScript</li>
<li>Extensible to any JSR 223 compliant engine:
  <ul>
  <li>PHP</li>
  <li>Groovy</li>
  <li>Unix tools (awk, Tcl)</li>
  <li>Python, Ruby, Scheme (Lisp)</li>
  <li>...</li>
  </ul>
</li>
</ul>

<h3>LSC: read and write everywhere</h3>
<ul>
<li>Original and best supported connector to LDAP directories</li>
<li>Additional sources: NIS, database, CSV, Web Services, LDAP through Syncrepl</li>
<li>Additional destinations: scripting destination</li>
<li>And many others to come :)</li>
</ul>

<h3>LSC: built-in extensibility API</h3>
<ul>
<li>Write your own connector to read or write inside your custom space</li>
</ul>
<pre>public class MySourceService {
    public IBean getBean(...);
    public Map&lt;...&gt; getListPivots(...);
}

public class MyTargetService {
    public IBean getBean(...);
    public Map&lt;...&gt; getListPivots(...);
    public boolean apply(...);
}

public class MyServiceConfiguration {
    private String mySpecialParameter;
    public String getMySpecialParameter();
    public void setMySpecialParameter(...);
}</pre>

<h3>LSC: graphical interface</h3>
<p>(three slides, no text transcribed)</p>

<h3>Perspectives</h3>
<ul>
<li>Project is currently in stable status
  <ul>
  <li>Version 1.2.1</li>
  </ul>
</li>
<li>This presentation is based on the beta version
  <ul>
  <li>Version 2.0 (almost) released</li>
  </ul>
</li>
</ul>

<h3>Perspectives</h3>
<ul>
<li>Ideas for improvement are everywhere:
  <ul>
  <li>Event-based model (ESB)</li>
  <li>DirSync support for Microsoft AD</li>
  <li>Datasource aggregation on the fly</li>
  <li>Scheduler integration (ongoing)</li>
  <li>Data « reconciliation »</li>
  <li>Anything else …</li>
  </ul>
</li>
</ul>

<h3>Try it out! Get involved!</h3>
<ul>
<li>Main website: http://lsc-project.org/
  <ul>
  <li>Tutorials: quickstart demo, detailed tutorials</li>
  <li>Reference documentation</li>
  </ul>
</li>
</ul>

<h3>Try it out! Get involved!</h3>
<ul>
<li>Getting help (keep in touch!)
  <ul>
  <li>Mailing lists: http://lists.lsc-project.org/</li>
  <li>IRC: #lsc-project on Freenode</li>
  </ul>
</li>
<li>Development tools:
  <ul>
  <li>Redmine forge: http://tools.lsc-project.org/</li>
  <li>Bugtracker, SVN repository …</li>
  <li>Continuous build server
    <ul>
    <li>Numerous automated tests</li>
    </ul>
  </li>
  </ul>
</li>
</ul>

<h3>Thanks for your attention! Any questions?</h3>
<p>Sebastien Bahloul [email_address]</p>