LDAPCon 2009
20/09/2009
Jonathan Clarke
jonathan@phillipoux.net

LDAP Synchronization Connector presentation at LDAPCon 2009

Published on: Mar 4, 2016
Source: www.slideshare.net


Transcripts - LDAP Synchronization Connector presentation at LDAPCon 2009

  • 1. LDAPCon 2009, 20/09/2009
    Jonathan Clarke, jonathan@phillipoux.net
    20/09/2009 http://lsc-project.org Page 1
  • 2. Introduction
    ● LDAP directories are commonly used to store identity information
    ● Provisioning for identity management is easy …
      – Just put all employee information in a directory!
    ● Simple, right? … well, yes, but …
      – « HR already has software that only stores identity information in a database »
      – « We use Active Directory for our desktops and we need users' identities there too »
      – « XYZ software already uses a different directory »
  • 3. Introduction
    ● Several different identity repositories
      – How to make sure the same changes apply?
        ● New employees
        ● Name changes (marriage), transfers...
        ● Employees leaving
    ● Manual synchronization?
      – Leads to a mess, leaving old accounts active …
    ● Automatic synchronization?
  • 4. Introduction
    ● Automatic synchronization
      – It already exists, and works great
        ● Directory- / database-specific replication
        ● Application-specific connectors (AD, SAP, etc)
      – What about the rest?
        ● Between different databases, directories, files?
        ● Different data models?
        ● Using standards: LDAP, SQL, etc...?
  • 5. About LSC Project
    ● What is LSC?
      – LDAP Synchronization Connector
      – Open Source project – BSD licence
      – Written in Java
      – 4 years in the making
      – 1 year ago LSC-project.org created
      – 6 regular contributors
    ● Website: http://lsc-project.org
  • 6. Goals – functionality
    ● Read/write to any database or LDAP directory
      – Standard LDAPv3 operations
      – JDBC connectors for databases
    ● Transform data on-the-fly
      – Adapt to a different data model
      – JavaScript based engine to manipulate data
    ● Adjustable updates: default, keep, force or merge
  • 7. Goals – usability
    ● Quickly implement a new synchronization
    ● Highly configurable
      – What exactly do we read?
      – Powerful transformations (correctness is important)
      – What exactly do we write?
    ● Run fast (performance is important)
    ● Easy to set up
  • 8. Philosophy
    ● Make it possible, now!
    ● Make it more stable and safer
      – Open Source benefits over home-grown scripts
      – More secure and better tested
      – Don't reinvent a buggy wheel!
    ● Make it faster and simpler
      – Faster than writing home-grown scripts
      – Provide methods for IAM and directory-specific tasks
    ● This is not the ultimate solution …
  • 9. LSC synchronization principles
    ● Two levels of information per identity
      1. Existence – equivalent to an account (LDAP entry)
      2. Identity specific details – names, phone numbers (LDAP attributes and values)
    ● A unique ID: the pivot attribute(s)
    ● Synchronization operations
      ● Create: Add entries from source to destination
      ● Delete: Delete entries from destination not in source
      ● Update: Compare and set specific details
  • 10. LSC synchronization principles
    ● First step: sync
      – Get a list of all pivots from the source
      – For each pivot
        ● Read the source object
        ● Search for the destination object with pivot
        ● Build up desired destination object by applying transformations to source object
        ● If the destination object exists, calculate modifications
        ● Apply: create or modify
  • 11. LSC synchronization principles
    ● Second step: clean (optional)
      – Get a list of all pivots from the destination
      – For each pivot
        ● Search for the source object with pivot
        ● If the source object doesn't exist, delete from destination
        ● Apply: delete
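The two steps of slides 10 and 11 (sync, then the optional clean pass) as an added in-memory example; this is illustration code written for this transcript, not LSC's own implementation, and the source rows, destination entries and the `transform` rule (cn built as "SN, givenName" as on slide 16) are constructed here.

```python
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, str]
Op = Tuple[str, str, Dict[str, str]]  # (operation, pivot value, attributes)

# Constructed sample data: HR rows keyed by the pivot (uid) and the directory
# entries already present, also keyed by uid.
SOURCE: Dict[str, Entry] = {
    "1": {"uid": "1", "givenName": "Jane", "sn": "Doe"},
    "2": {"uid": "2", "givenName": "John", "sn": "Smith"},
}
DEST: Dict[str, Entry] = {
    "1": {"uid": "1", "givenName": "Jane", "sn": "Dough"},   # stale surname
    "3": {"uid": "3", "givenName": "Old", "sn": "Account"},  # no longer in HR
}

def transform(src: Entry) -> Entry:
    """Desired destination object: copy attributes, build cn as 'SN, givenName'."""
    return {"uid": src["uid"], "givenName": src["givenName"], "sn": src["sn"],
            "cn": src["sn"].upper() + ", " + src["givenName"]}

def sync_step(source: Dict[str, Entry], dest: Dict[str, Entry],
              transform: Callable[[Entry], Entry]) -> List[Op]:
    """First step: list source pivots, then create or modify each destination object."""
    ops: List[Op] = []
    for pivot in sorted(source):
        desired = transform(source[pivot])   # read the source object and transform it
        existing = dest.get(pivot)            # search the destination by pivot
        if existing is None:
            ops.append(("ADD", pivot, desired))
            continue
        # Destination exists: only the attributes that differ become modifications.
        mods = {a: v for a, v in desired.items() if existing.get(a) != v}
        if mods:
            ops.append(("MODIFY", pivot, mods))
    return ops

def clean_step(source: Dict[str, Entry], dest: Dict[str, Entry]) -> List[Op]:
    """Second, optional step: list destination pivots, delete those missing from the source."""
    return [("DELETE", pivot, {}) for pivot in sorted(dest) if pivot not in source]

def run(do_clean: bool = True) -> List[Op]:
    """Run sync then (optionally) clean over the constructed data; returns the operations."""
    ops = sync_step(SOURCE, DEST, transform)
    if do_clean:
        ops += clean_step(SOURCE, DEST)
    return ops

if __name__ == "__main__":
    for op in run():
        print(op)
```

Skipping the clean pass is exactly what leaves the orphaned entry "3" active, the mess slide 3 warns about.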
  • 12. Defining a synchronization
    ● Source type: LDAP / SQL database / CSV file?
    ● Population: Which users? Which pivot?
    ● Information: Attributes? Transformations?
  • 13. Software design
    [Diagram: Source → Transformation → Target. Source side: database, SQL abstraction interface (iBATIS), JDBC object, XML serialisation, LDAP object. LSC engine: bean, processing. Target side: directory, JNDI object, LDAP object.]
  • 14. Example: MySQL to OpenLDAP
    ● MySQL: a simple users table (HR-style)
      Field           Type     Values
      id              INT      Auto-increment
      first_name      VARCHAR  « Jane »
      last_name       VARCHAR  « Doe »
      marital_status  ENUM     « Single » / « Married » / « Divorced »
      salary          INT      42000
      start_date      DATE     1st October 2009
  • 15. Example: MySQL to OpenLDAP
    ● Configuring the source database
      – JDBC connector: com.mysql.jdbc...
      – URL, username, password
      – Simple SQL request:
        SELECT id AS uid, first_name AS givenName, last_name AS sn, start_date AS startDate FROM users
  • 16. Example: MySQL to OpenLDAP
    ● OpenLDAP: inetOrgPerson entries
      Field         Type           Values
      givenName     String         first_name (ex: « Jane »)
      sn            String         last_name (ex: « Doe »)
      cn            String         LAST_NAME, first_name (ex: « DOE, Jane »)
      userPassword  Binary string  Defaults to « CHANGEME »
      uid           String         Unique id from MySQL table
  • 17. Example: MySQL to OpenLDAP
    ● Configuring the destination directory
      dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org
      dst.java.naming.security.authentication = simple
      dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org
      dst.java.naming.security.credentials = secret
  • 18. Example: MySQL to OpenLDAP
    ● Configure the synchronization task
      – Source directory searching
        lsc.tasks = MyTask
        lsc.tasks.MyTask.type = db2ldap
        lsc.tasks.MyTask.dstService.baseDn = ou=People
        lsc.tasks.MyTask.dstService.pivotAttrs = uid
        lsc.tasks.MyTask.dstService.filterAll = (uid=*)
        lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword
        lsc.tasks.MyTask.dstService.filterId = (uid={uid})
      – DN generation (note the comma before the RDN of the parent, otherwise the DN is malformed)
        lsc.tasks.MyTask.dn = "uid=" + srcBean.getAttributeValueById("uid") + ",ou=People"
  • 19. Example: MySQL to OpenLDAP
    ● Configuring data transformations (syncoptions)
      lsc.syncoptions.MyTask.default.action = F
      lsc.syncoptions.MyTask.cn.force_value = srcBean.getAttributeValueById("sn").toUpperCase() + ", " + srcBean.getAttributeValueById("givenName")
      lsc.syncoptions.MyTask.userPassword.action = K
      lsc.syncoptions.MyTask.userPassword.default_value = SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")
  • 20. Features overview
    ● Syncoptions offer unlimited possibilities
      – Text transformations
        ● cn = givenName + SPACE + SN in caps
        ● Filter accents: convert « Hélène » to « Helene »
      – Hash passwords (SSHA, MD5, etc)
      – Simple LDAP bind test
      – Active Directory specifics:
        ● UserAccountControl: deactivate accounts, force password changes, etc …
        ● UnicodePwd: update passwords in AD-style
      – Anything else you can write in Java!
  • 21. Features overview
    ● Operation conditions
      – Perform ADDs / MODIFYs / MODRDNs / DELETEs conditionally
    ● Use-cases:
      – Update-only synchronizations (never create, never delete)
      – Only update the password if it's changed (perform an LDAP bind operation to check on the fly)
      – Delete an account after 60 days of inactivity
  • 22. Features overview
    ● Attribute-level priorities for update
      – FORCE: replace the destination value whatever it holds
      – KEEP: leave the destination value as-is
      – DEFAULT: value to use if the destination is empty
      – CREATE: default value for new entries
    ● Use cases:
      – Provide a default password but don't squash the real one
      – Force phone numbers if we're authoritative for them
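The syncoptions of slide 19 combined with the attribute-level priorities of slide 22, as an added example written for this transcript (not LSC's code): the rules are expressed as a Python dict rather than LSC's properties syntax, `md5_hex` stands in for `SecurityUtils.hash(SecurityUtils.MD5, ...)`, and the exact semantics of the four actions follow the slide's one-line definitions, which is an assumption about how LSC resolves them.

```python
import hashlib
from typing import Any, Dict, Iterable, Optional

Entry = Dict[str, str]

def md5_hex(text: str) -> str:
    """MD5 hex digest, standing in for SecurityUtils.hash(SecurityUtils.MD5, ...) on slide 19."""
    return hashlib.md5(text.encode()).hexdigest()

# Constructed syncoptions mirroring slide 19: default action F, cn forced from
# sn + ", " + givenName, userPassword kept (K) with a default used only on creation.
SYNCOPTIONS: Dict[str, Dict[str, Any]] = {
    "default": {"action": "F"},
    "cn": {"action": "F",
           "force_value": lambda src: src["sn"].upper() + ", " + src["givenName"]},
    "userPassword": {"action": "K", "default_value": lambda src: md5_hex("CHANGEME")},
}

def desired_value(attr: str, src: Entry, dst: Optional[Entry]) -> Optional[str]:
    """Apply the attribute's priority; dst is None when the entry does not exist yet."""
    rule = SYNCOPTIONS.get(attr, SYNCOPTIONS["default"])
    action = rule.get("action", "F")
    src_value = rule["force_value"](src) if "force_value" in rule else src.get(attr)
    default = rule["default_value"](src) if "default_value" in rule else src_value
    dst_value = dst.get(attr) if dst else None
    if action == "F":   # FORCE: the destination gets our value whatever it holds
        return src_value
    if action == "K":   # KEEP: never touch an existing entry; fill only on creation
        return default if dst is None else dst_value
    if action == "D":   # DEFAULT: fill only when the destination attribute is empty
        return dst_value if dst_value else default
    if action == "C":   # CREATE: supply a value for new entries only
        return default if dst is None else dst_value
    raise ValueError(f"unknown action {action!r}")

def build_modifications(src: Entry, dst: Optional[Entry], attrs: Iterable[str]) -> Dict[str, str]:
    """Attributes whose desired value differs from what the destination holds (all of them for a new entry)."""
    mods: Dict[str, str] = {}
    for attr in attrs:
        want = desired_value(attr, src, dst)
        have = dst.get(attr) if dst else None
        if want is not None and want != have:
            mods[attr] = want
    return mods

ATTRS = ["uid", "sn", "cn", "givenName", "userPassword"]  # slide 18 dstService.attrs
```

With an existing entry that already carries a real password hash, the K action yields no userPassword modification, which is the "don't squash the real one" use case of slide 22.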
  • 23. Features overview
    ● Detailed and configurable logging
      – LDIF format (fully RFC-compliant)
      – CSV format
    ● Audit or play back modifications
  • 24. Perspectives
    ● Project is currently in stable status
      – Version 1.1.0 released
    ● Ideas for improvement are everywhere:
      – Implement directory-specific replication systems
        ● LDAP sync (RFC 4533) for OpenLDAP, ApacheDS
        ● DirSync for Microsoft AD
        ● Others?
      – Support other scripting languages
      – Plugins to integrate into enterprise workflows
      – Anything else …
  • 25. Try it out! Get involved!
    ● Main website: http://lsc-project.org/
      – Tutorials: quickstart demo, detailed tutorials
      – Reference documentation
  • 26. Try it out! Get involved!
    ● Getting help (keep in touch!)
      – Mailing lists: http://lists.lsc-project.org/
      – IRC: #lsc-project on Freenode
    ● Development tools:
      – Redmine forge: http://tools.lsc-project.org/
      – Bugtracker, SVN repository …
      – Continuous build server
        ● Lots of tests based on OpenDS
  • 27. Success stories
    Private:
      Database to directory
      Active Directory (8 different instances) to OpenLDAP
    Public:
      Oracle and MySQL to OpenLDAP
      CSV files to OpenLDAP (250 000 entries)
  • 28. Thanks for your attention! Any questions?
    Jonathan Clarke, jonathan@phillipoux.net
    http://lsc-project.org
