LDAP Synchronizarion Connector presentation, and how synchronize OpenLDAP and Active Directory with it.

1. Synchronize OpenLDAP and AD
Clément OUDOT
RMLL 2013

2. 2
Table of contents
● LDAP Synchronization Connector (LSC)
● Active Directory specificities
● Synchronize OpenLDAP and AD

3. 3
Resume

4. 4
Clément OUDOT
● Engineer since 2003 at LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of LDAP Tool Box project:
http://ltb-project.org
● Leader of LemonLDAP::NG project:
http://lemonldap-ng.org

5. 5
LDAP Synchronization Connector

6. LDAP Synchronization Connector
● Free software
● BSD license
● Written in Java
● XML configuration files
● http://lsc-project.org

7. LDAP Synchronization Connector
● Synchronization :
● From/To LDAP, SQL, fichiers
● One-shot or continuous
● CSV or LDIF exports of what has been synchronized
● Data manipulation engine: Javascript (Rhino), Groovy
● API LDAP for scripts

8. Main features
● Source and destination connectors:
● LDAPv3 Directories
● JDBC compatible data bases
● Flat files
● Plugins: Google Apps, ...
● LDAPv3 advanced support:
● StartTLS, LDAPS
● Paged result
● LDAP Sync (SyncRepl), Persistent search

9. How it works
● Sync phase:
● Read all entries in source, get the pivot attribute
● For each entry, read entry in source and in
destination, using the pivot attribute
● Apply modifications or create the entry in
destination
● Clean phase:
● Read all entries in destination, get the pivot
attribute
● For each entry, read entry in source using the
pivot attribute
● Delete entry in destination if not found in source

10. Configuration overview
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-
2.0.xsd" revision="1">
<connections></connections>
<tasks></tasks>
</lsc>

11. LDAP connection
<ldapConnection>
<name>ldap-dst-conn</name>
<url>ldap://HOSTNAME/SUFFIX</url>
<username>DN</username>
<password>PWD</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>-1</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>

12. <databaseConnection>
<name>jdbc-src-conn</name>
<url>jdbc:JDBC_URL</url>
<username>USER</username>
<password>PWD</password>
<driver>JDBC_DRIVER</driver>
</databaseConnection>
Database connection

13. Tasks
● Several tasks can be defined in one connector
● For each task:
● Source service (using a connection definition)
● Destination service (using a connection definition)
● Synchronization rules
<task>
<name>agent</name>
<bean>org.lsc.beans.SimpleBean</bean>
<databaseSourceService></databaseSourceService>
<ldapDestinationService></ldapDestinationService>
<propertiesBasedSyncOptions></propertiesBasedSyncOptions>
</task>

14. Available services
● Source services
● databaseSourceService
● ldapSourceService
● asyncLdapSourceService
● Destination services
● databaseDestinationService
● ldapDestinationService

15. Synchronization rules
● <mainIdentifier>: how to compute the main
identifier (DN for an LDAP service)
● <conditions>: allowed operations in the task
(create, update, delete, changeId)
● <dataset>: mapping definition between
source and destination attribute

16. Examples
<dataset>
<name>objectClass</name>
<policy>KEEP</policy>
<forceValues>
<string>"top"</string>
<string>"person"</string>
<string>"organizationalPerson"</string>
<string>"inetOrgPerson"</string>
</forceValues>
</dataset>
<dataset>
<name>cn</name>
<policy>FORCE</policy>
<forceValues>
<string><[CDATA[
srcBean.getDatasetFirstValueById("FIRSTNAME") +
srcBean.getDatasetFirstValueById("NAME");
]]></string>
</forceValues>
</dataset>

17. LDAP Query Language
● Access to srcLdap (source) and ldap (destination)
connection objects
● Special functions:
● attribute(DN, attribute)
● search(base, filter)
● list(base, filter)
● read(base, filter)
● sup(DN, level)
srcLdap.attribute( srcLdap.list( "ou=services",
"uniqueMember=" + srcBean.getDistinguishName() + "" ),
'description').get(0)

18. Logs
● Logback: http://logback.qos.ch/
● Output formats:
● Standard : org.lsc.utils.output.LdifLayout
● LDIF: org.lsc.utils.output.LdifLayout
– <onlyLdif>true</onlyLdif>
● CSV: org.lsc.utils.output.CsvLayout
– <logOperations>create,update</logOperations>
– <attrs>dn;uid;sn;givenName;description;cn</attrs>
– <separator>;</separator>
– <outputHeader>true</outputHeader>
– <taskNames>MyTask</taskNames>

19. 19
Active Directory

20. 20
Connection
● No anonymous access
● SSL required for some operations (password
change)
● Paged result to avoid 1000 entries limit
● Specific AD configuration to avoir 1500 values
limit (range)

21. 21
Schema
● Non standard objectclass user:
● top
– person
● organizationalPerson
– user
● InetOrgPerson
● Non standard attributes:
● sAMAccountName
● unicodePwd
● ...

22. 22
Password
● Password can be written, cannot be read
● Attribute unicodePwd (~ clear text)
● Old password remain valid for one hour
● Accepted password in the LDAP modify operation
are not always accepted to authenticate (non
ASCII characters...)

23. 23
LSC helpers
aDTimeToUnixTimestamp(long aDTime)
Transform an AD timestamp to a Unix timestamp.
aDTimeToUnixTimestamp(String aDTimeString)
Helper method to automatically parse an AD timestamp from a String before
calling aDTimeToUnixTimestamp(long).
getAccountExpires(String expireDate)
Returns the accountexpires time in Microsoft format
getAccountExpires(String expireDate, String format)
Return the accountexpires time in specified format
getNumberOfWeeksSinceLastLogon(String lastLogonTimestamp)
Return the number of weeks since the last logon
getUnicodePwd(String password)
Encode a password so that it can be updated in Active Directory in the field
unicodePwd.

24. 24
LSC helpers
unixTimestampToADTime(int unixTimestamp)
Transform a Unix timestamp to an AD timestamp.
unixTimestampToADTime(String unixTimestampString)
Helper method to automatically parse a Unix timestamp from a
String before calling unixTimestampToADTime(int).
userAccountControlCheck(int value, String constToCheck)
Check if a bit is set in UserAccountControl
userAccountControlSet(int origValue, String[] constToApply)
Set or unset some bits to a UserAccountControl attribute of an AD
userAccountControlToggle(int value, String constToApply)
Toggle a bit in UserAccountControl

25. 25
Synchronize OpenLDAP and AD

26. 26
Main configuration
● Create a simple LDAP to LDAP connector
● Define specific connection parameters for AD
● Use SSL to AD if you need to manage password
● Define specific attributes needed in AD
● Specify the search filters and the pivot attributes
● Write datasets for non linear attribute mapping

27. 27
The password problem
● Several approaches:
● Use AD as the authentication referential, use SASL
from OpenLDAP to forward the authentication to AD
● Keep a plain text or symmetric hashed password in
OpenLDAP, to push the password with LSC
● Catch the password when it is changed in AD, trough
SFU (Services For Unix), or with a password filter DLL
(example: PasswdHK)

28. 28
Almost the end...

29. 29
18-19 November - PARIS
http://www.ldapcon.org

30. 30
Thanks
● Special thanks to:
● RMLL/LSM and their organizers
● Company LINAGORA
● All LiniD developers
● Keep in touch:
● Identica: @coudot
● Twitter: @clementoudot @LinID_FOSS
● IRC: KPTN #LinID@freenode
● Web: http://linid.org

31. 31
Questions?

32. Thanks for your attention
http://www.linid.org
Logiciels et services Open Source
80 rue Roque de Fillol l 92800 PUTEAUX
Tel : 0810 251 251 l Fax : +33 1 46 96 63 64
www.linagora.com