LSC - Synchronizing identities @ Loadays 2010

1,280 views

Published on

Sysadmins are often responsible for various identity stores in a company: directories, applications with built-in account databases, etc...

Ldap Synchronization Connector offers a solution to link these repositories and ensure nobody\'s going to get fired because you forgot to disable an account.

LSC is an open source project under the BSD license - http://lsc-project.org/

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,280
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
19
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

LSC - Synchronizing identities @ Loadays 2010

  1. 1. 12/04/2010 Jonathan Clarke [email_address]
  2. 2. About the speaker <ul><li>System administrator at heart
  3. 3. Identity management
  4. 4. Contibutor to open source LDAP tools : </li><ul><li>Ldap Synchronization Connector (LSC)
  5. 5. OpenLDAP Team
  6. 6. Ldap ToolBox ( http://ltb-project.org ) </li></ul><li>2009: co-founded Normation </li><ul><li>Software: drift assessment
  7. 7. Consulting: identity management, IT services </li></ul></ul>
  8. 8. Introduction <ul><li>LDAP directories </li><ul><li>Present in a vast majority of corporations
  9. 9. Central authentication, identity management, …
  10. 10. Contain user accounts (identities) </li></ul><li>Simple, right? … well, yes, but … </li><ul><li>« HR already has software that only stores identity information in a database »
  11. 11. « We use Active Directory for our desktops and we need users' identities there too »
  12. 12. « XYZ software only uses a database » </li></ul></ul>
  13. 13. Introduction <ul><li>Several different identity repositories </li><ul><li>How to make sure the same changes apply? </li><ul><li>New employees
  14. 14. Name changes (marriage), transfers...
  15. 15. Employees leaving </li></ul></ul></ul>Jim just got fired. Boss asks you to disable his account. Account S , that is. You do it... All done! But what about the account on the company blog? ARGH! Too late. What now!? FIRE THE SYSADMIN!!!?
  16. 16. Introduction <ul><li>Synchronize the repositories </li><ul><li>Spread the account status, information, etc... </li></ul><li>Manual synchronization? </li><ul><li>Leads to a mess , leaving old accounts active … </li></ul><li>Automatic synchronization? </li></ul>
  17. 17. Introduction <ul><li>Automatic synchronization </li><ul><li>It already exists, and works great </li><ul><li>Directory- / database- specific replication
  18. 18. Application- specific connectors (AD, SAP, etc) </li></ul><li>What about the rest? </li><ul><li>Between different databases, directories, files?
  19. 19. Different data models?
  20. 20. Using standards: LDAP, SQL, etc...? </li></ul></ul></ul>
  21. 21. About LSC Project <ul><li>What is LSC? </li><ul><li>LDAP Synchronization Connector
  22. 22. Open Source project
  23. 23. BSD licence
  24. 24. Written in Java
  25. 25. 4 years in the making
  26. 26. 2 years ago LSC-project.org created
  27. 27. ~10 regular contributors </li></ul><li>Website: http://lsc-project.org </li></ul>
  28. 28. Goals – functionality <ul><li>Read/write to any repository </li><ul><li>Database or LDAP directory or ?
  29. 29. Standard LDAPv3 operations
  30. 30. JDBC connectors for databases </li></ul><li>Transform data on-the-fly </li><ul><li>Adapt to a different data model
  31. 31. JavaScript based engine to manipulate data </li></ul><li>Adjustable updates: force values, insert defaults, merge values, don't touch... </li></ul>
  32. 32. Goals – usability <ul><li>Quickly implement a new synchronization
  33. 33. Highly configurable </li><ul><li>What exactly do we read?
  34. 34. Powerful transformations (correctness is important)
  35. 35. What exactly do we write? </li></ul><li>Run fast (performance is important)
  36. 36. Easy to setup </li></ul>
  37. 37. Philosophy <ul><li>Make it possible , now!
  38. 38. Make it more stable and safer </li><ul><li>Open Source benefits over home-grown scripts
  39. 39. More secure and better tested
  40. 40. Don't reinvent a buggy wheel! </li></ul><li>Make it faster and simpler </li><ul><li>Faster than writing home-grown scripts
  41. 41. Provide methods for IAM and directory-specific tasks </li></ul><li>This may not be the ultimate solution … </li></ul>
  42. 42. LSC synchronization principles <ul><li>Two levels of information per identity </li></ul><ul><ul><li>Existence – equivalent to an account (LDAP entry)
  43. 43. Identity specific details – names, phone numbers (LDAP attributes and values) </li></ul></ul><ul><li>A unique ID: the pivot attribute(s) </li><ul><li>Could be an email address, user ID ... </li></ul><li>Synchronization operations </li><ul><li>Create: Add entries from source to destination
  44. 44. Delete: Delete entries from destination not in source
  45. 45. Update: Compare and set specific details </li></ul></ul>
  46. 46. LSC synchronization principles <ul><li>First step: sync </li><ul><li>Get a list of all pivots from the source
  47. 47. For each pivot </li><ul><li>Read the source object
  48. 48. Search for the destination object with pivot
  49. 49. Build up desired destination object by applying transformations to source object
  50. 50. If the destination object exists, calculate modifications
  51. 51. Apply: create or modify </li></ul></ul></ul>
  52. 52. LSC synchronization principles <ul><li>Second step: clean (optional) </li><ul><li>Get a list of all pivots from the destination
  53. 53. For each pivot </li><ul><li>Search for the source object with pivot
  54. 54. If the source object doesn't exists, delete from destination
  55. 55. Apply: delete </li></ul></ul></ul>
  56. 56. Defining a synchronization <ul><li>Source type: LDAP / SQL database / CSV file ?
  57. 57. Population: Which users? Which pivot ?
  58. 58. Information: Attributes? Transformations? </li></ul>
  59. 59. Example: MySQL to OpenLDAP <ul><li>MySQL: a simple users table (HR-style) </li></ul>Field Type Values id INT Auto-increment first_name VARCHAR « Jane » last_name VARCHAR « Doe » marital_status ENUM « Single » / « Married » / « Divorced » salary INT 42000 start_date DATE 1 st October 2009
  60. 60. Example: MySQL to OpenLDAP <ul><li>Configuring the source database </li><ul><li>JDBC connector: com.mysql.jdbc...
  61. 61. URL, username, password
  62. 62. Simple SQL request </li></ul></ul>SELECT id, first_name AS givenName, last_name AS sn, start_date AS startDate FROM users
  63. 63. Example: MySQL to OpenLDAP <ul><li>OpenLDAP: inetOrgPerson entries </li></ul>Field Type Values givenName String first_name (ex: « Jane ») sn String last_name (ex: « Doe ») cn String LAST_NAME first_name (ex: « DOE, Jane ») userPassword Binary string Defaults to « CHANGEME » uid String Unique id from MySQL table
  64. 64. Example: MySQL to OpenLDAP <ul><li>Configuring the destination directory </li></ul>dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org dst.java.naming.security.authentication = simple dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org dst.java.naming.security.credentials = secret
  65. 65. Example: MySQL to OpenLDAP <ul><li>Configure the synchronization task </li><ul><li>Source directory searching
  66. 66. DN generation </li></ul></ul>lsc.tasks = MyTask lsc.tasks.MyTask.type = db2ldap lsc.tasks.MyTask.dstService.baseDn = ou=People lsc.tasks.MyTask.dstService.pivotAttrs = uid lsc.tasks.MyTask.dstService.filterAll = (uid=*) lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword lsc.tasks.MyTask.dstService.filterId = (uid={uid}) lsc.tasks.MyTask.dn = &quot;uid=&quot; + srcBean.getAttributeValueById(&quot;uid&quot;) + &quot;ou=People&quot;
  67. 67. Example: MySQL to OpenLDAP <ul><li>Configuration data transformations (syncoptions) </li></ul>lsc.syncoptions.MyTask.default.action = F lsc.syncoptions.MyTask.cn.force_value = srcBean.getAttributeValueById(&quot;sn&quot;).toUpperCase() + &quot; &quot; + srcBean.getAttributeValueById(&quot;givenName&quot;) lsc.syncoptions.MyTask.userPassword.action = K lsc.syncoptions.MyTask.userPassword.default_value = SecurityUtils.hash(SecurityUtils.MD5, &quot; CHANGEME &quot;)
  68. 68. Demonstration <ul><li>Installation
  69. 69. Simple CSV to LDAP synchronization </li><ul><li>Online tutorial
  70. 70. http://lsc-project.org/wiki/documentation/1.2/sample </li></ul></ul>
  71. 71. Features overview <ul><li>Syncoptions offer unlimited possibilites </li><ul><li>Text transformations </li><ul><li>cn = givenName + SPACE + SN in caps
  72. 72. Filter accents: convert « Hélène » to « Helene » </li></ul><li>Hash passwords (SSHA, MD5, etc)
  73. 73. Simple LDAP bind test
  74. 74. Active Directory specifics: </li><ul><li>UserAccountControl: deactivate accounts, force password changes, etc …
  75. 75. UnicodePwd: update passwords in AD-style </li></ul><li>Anything else you can write in Java! </li></ul></ul>
  76. 76. Features overview <ul><li>Operation conditions </li><ul><li>Perform ADDs / MODIFYs / MODRDNs / DELETEs conditionally </li></ul><li>Use-cases: </li><ul><li>Update-only synchronizations (never create, never delete)
  77. 77. Only update the password if it's changed (p erform a LDAP bind operation to check on the fly)
  78. 78. Delete an account after 60 days of inactivity </li></ul></ul>
  79. 79. Features overview <ul><li>Attribute-level priorities for update </li><ul><li>FORCE: replace the destination value whatever
  80. 80. KEEP: leave the destination value as-is
  81. 81. DEFAULT: value to use if the destination is empty
  82. 82. CREATE: default value for new entries </li></ul><li>Use cases: </li><ul><li>Provide a default password but don't squash real one
  83. 83. Force phone numbers if we're authoritative for them </li></ul></ul>
  84. 84. Features overview <ul><li>Detailed and configurable logging </li><ul><li>LDIF format (fully RFC-compliant)
  85. 85. CSV format </li></ul><li>Audit or play back modifications </li></ul>
  86. 86. Standards based – Wide support <ul><li>Any LDAP server should be supported, tested on: </li><ul><li>OpenLDAP
  87. 87. OpenDS
  88. 88. Sun DSEE
  89. 89. Microsoft Active Directory
  90. 90. Novell Directory Services </li></ul><li>Any database with a JDBC connector, tested on: </li><ul><li>MySQL, PostgreSQL, Oracle, HSQLDB </li></ul></ul>
  91. 91. Perspectives <ul><li>Project is currently in stable status </li><ul><li>Version 1.2.0 (almost) released </li></ul><li>Ideas for improvement are everywhere: </li><ul><li>Support other connector types
  92. 92. Implement directory-specific replication systems </li><ul><li>LDAP sync (RFC 4533) for OpenLDAP, ApacheDS
  93. 93. DirSync for Microsoft AD
  94. 94. Others? </li></ul><li>Support other scripting languages
  95. 95. Anything else … </li></ul></ul>
  96. 96. Try it out! Get involved! <ul><li>Main website: http://lsc-project.org / </li><ul><li>Tutorials: quickstart demo, detailed tutorials
  97. 97. Reference documentation </li></ul></ul>
  98. 98. Try it out! Get involved! <ul><li>Getting help (keep in touch!) </li><ul><li>Mailing lists: http://lists.lsc-project.org/
  99. 99. IRC: #lsc-project on Freenode </li></ul><li>Development tools: </li><ul><li>Redmine forge: http://tools.lsc-project.org/
  100. 100. Bugtracker, SVN repository …
  101. 101. Continuous build server </li><ul><li>Numerous automated tests </li></ul></ul></ul>
  102. 102. Thanks for your attention! Any questions? Jonathan Clarke [email_address]

×