LSC - Synchronizing identities @ Loadays 2010


DESCRIPTION

Sysadmins are often responsible for various identity stores in a company: directories, applications with built-in account databases, etc... Ldap Synchronization Connector offers a solution to link these repositories and ensure nobody's going to get fired because you forgot to disable an account. LSC is an open source project under the BSD license - http://lsc-project.org/


12/04/2010 - Jonathan Clarke [email_address]

About the speaker

  • System administrator at heart
  • Identity management
  • Contributor to open source LDAP tools:
    • Ldap Synchronization Connector (LSC)
    • OpenLDAP Team
    • Ldap ToolBox (http://ltb-project.org)
  • 2009: co-founded Normation
    • Software: drift assessment
    • Consulting: identity management, IT services

Introduction

  • LDAP directories
    • Present in a vast majority of corporations
    • Central authentication, identity management
    • Contain user accounts (identities)
  • Simple, right? Well, yes, but...
    • HR already has software that only stores identity information in a database
    • We use Active Directory for our desktops and we need users' identities there too
    • XYZ software only uses a database

Introduction

  • Several different identity repositories
  • How to make sure the same changes apply?
    • New employees
    • Name changes (marriage), transfers...
    • Employees leaving

Jim just got fired. Boss asks you to disable his account. Account S, that is. You do it... All done! But what about the account on the company blog? ARGH! Too late. What now!? FIRE THE SYSADMIN!!!?

Introduction

  • Synchronize the repositories
    • Spread the account status, information, etc...
  • Manual synchronization?
    • Leads to a mess, leaving old accounts active
  • Automatic synchronization?

Introduction

  • Automatic synchronization
    • It already exists, and works great
    • Directory- / database-specific replication
    • Application-specific connectors (AD, SAP, etc)
  • What about the rest?
    • Between different databases, directories, files?
    • Different data models?
    • Using standards: LDAP, SQL, etc...?

About LSC Project

  • What is LSC?
    • LDAP Synchronization Connector
    • Open Source project
    • BSD licence
    • Written in Java
    • 4 years in the making
    • 2 years ago: LSC-project.org created
    • ~10 regular contributors
  • Website: http://lsc-project.org

Goals: functionality

  • Read/write to any repository
    • Database or LDAP directory or ?
    • Standard LDAPv3 operations
    • JDBC connectors for databases
  • Transform data on-the-fly
    • Adapt to a different data model
    • JavaScript based engine to manipulate data
    • Adjustable updates: force values, insert defaults, merge values, don't touch...

Goals: usability

  • Quickly implement a new synchronization
  • Highly configurable
    • What exactly do we read?
    • Powerful transformations (correctness is important)
    • What exactly do we write?
  • Run fast (performance is important)
  • Easy to set up

Philosophy

  • Make it possible, now!
  • Make it more stable and safer
    • Open Source benefits over home-grown scripts
    • More secure and better tested
    • Don't reinvent a buggy wheel!
  • Make it faster and simpler
    • Faster than writing home-grown scripts
    • Provide methods for IAM and directory-specific tasks
  • This may not be the ultimate solution

LSC synchronization principles

  • Two levels of information per identity
    • Existence: equivalent to an account (LDAP entry)
    • Identity specific details: names, phone numbers (LDAP attributes and values)
  • A unique ID: the pivot attribute(s)
    • Could be an email address, user ID...

Synchronization operations

  • Create: add entries from source to destination
  • Delete: delete entries from destination not in source
  • Update: compare and set specific details

LSC synchronization principles

  • First step: sync
    • Get a list of all pivots from the source
    • For each pivot:
      • Read the source object
      • Search for the destination object with pivot
      • Build up desired destination object by applying transformations to source object
      • If the destination object exists, calculate modifications
      • Apply: create or modify

LSC synchronization principles

  • Second step: clean (optional)
    • Get a list of all pivots from the destination
    • For each pivot:
      • Search for the source object with pivot
      • If the source object doesn't exist, delete from destination
      • Apply: delete
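The two-step cycle just described, written out as an added example in JavaScript (the language of LSC's transformation engine). This is not LSC's own code: the source rows, destination entries, `transform` rule and the operation objects it returns are all constructed for the illustration. The sync step plans creates and modifies from the source pivots, the clean step plans deletes from the destination pivots, and only then are the planned operations applied.

```javascript
// Added example (not LSC's own code): the LSC sync/clean cycle over
// in-memory repositories, each keyed by a pivot attribute.

// Constructed sample data: HR-style source rows and existing LDAP-like
// destination entries keyed by uid. Not real identities.
const SOURCE_ROWS = [
  { id: "1001", first_name: "Jane", last_name: "Doe" },
  { id: "1002", first_name: "Jim", last_name: "Smith" },
];
const DEST_ENTRIES = {
  "1002": { uid: "1002", givenName: "Jim", sn: "Smit", cn: "SMIT Jim" },        // stale surname
  "1003": { uid: "1003", givenName: "Old", sn: "Account", cn: "ACCOUNT Old" },  // no longer in HR
};

// Transformation: source row -> desired destination object (cn = LAST_NAME first_name).
function transform(row) {
  return {
    uid: row.id,
    givenName: row.first_name,
    sn: row.last_name,
    cn: `${row.last_name.toUpperCase()} ${row.first_name}`,
  };
}

// Compare desired vs existing and keep only the attributes that differ.
function calculateModifications(desired, existing) {
  const mods = {};
  for (const [attr, value] of Object.entries(desired)) {
    if (existing[attr] !== value) mods[attr] = value;
  }
  return mods;
}

// Step 1 (sync): for each source pivot, plan a create or a modify.
function sync(sourceRows, dest, pivotOf = (row) => row.id) {
  const ops = [];
  for (const row of sourceRows) {
    const pivot = pivotOf(row);
    const desired = transform(row);
    const existing = dest[pivot];
    if (!existing) {
      ops.push({ op: "create", pivot, attrs: desired });
    } else {
      const mods = calculateModifications(desired, existing);
      if (Object.keys(mods).length > 0) ops.push({ op: "modify", pivot, mods });
    }
  }
  return ops;
}

// Step 2 (clean, optional): plan a delete for every destination pivot with no source object.
function clean(sourceRows, dest, pivotOf = (row) => row.id) {
  const sourcePivots = new Set(sourceRows.map(pivotOf));
  return Object.keys(dest)
    .filter((pivot) => !sourcePivots.has(pivot))
    .map((pivot) => ({ op: "delete", pivot }));
}

// Apply planned operations to the destination (in place) and return it.
function apply(dest, ops) {
  for (const o of ops) {
    if (o.op === "create") dest[o.pivot] = { ...o.attrs };
    else if (o.op === "modify") Object.assign(dest[o.pivot], o.mods);
    else if (o.op === "delete") delete dest[o.pivot];
  }
  return dest;
}

// One full cycle on a copy of the sample destination: plan both steps, then apply.
function runCycle() {
  const dest = JSON.parse(JSON.stringify(DEST_ENTRIES));
  const ops = [...sync(SOURCE_ROWS, dest), ...clean(SOURCE_ROWS, dest)];
  apply(dest, ops);
  return { ops, dest };
}

console.log(JSON.stringify(runCycle(), null, 2));
```

Planning before applying is what makes the clean step safe to run as a dry run: the returned operation list is exactly what an audit log would record, and a deletion only ever targets a pivot that was looked up in the source and not found.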
Defining a synchronization

  • Source type: LDAP / SQL database / CSV file?
  • Population: which users? Which pivot?
  • Information: attributes? Transformations?

Example: MySQL to OpenLDAP

  • MySQL: a simple users table (HR-style)

  Field          | Type    | Values
  id             | INT     | Auto-increment
  first_name     | VARCHAR | Jane
  last_name      | VARCHAR | Doe
  marital_status | ENUM    | Single / Married / Divorced
  salary         | INT     | 42000
  start_date     | DATE    | 1st October 2009

Example: MySQL to OpenLDAP

  • Configuring the source database
    • JDBC connector: com.mysql.jdbc...
    • URL, username, password
    • Simple SQL request:

  SELECT id, first_name AS givenName, last_name AS sn, start_date AS startDate FROM users

Example: MySQL to OpenLDAP

  • OpenLDAP: inetOrgPerson entries

  Field        | Type          | Values
  givenName    | String        | first_name (ex: Jane)
  sn           | String        | last_name (ex: Doe)
  cn           | String        | LAST_NAME first_name (ex: DOE, Jane)
  userPassword | Binary string | Defaults to CHANGEME
  uid          | String        | Unique id from MySQL table

Example: MySQL to OpenLDAP

  • Configuring the destination directory

  dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org
  dst.java.naming.security.authentication = simple
  dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org
  dst.java.naming.security.credentials = secret

Example: MySQL to OpenLDAP

  • Configure the synchronization task
    • Source directory searching
    • DN generation

  lsc.tasks = MyTask
  lsc.tasks.MyTask.type = db2ldap
  lsc.tasks.MyTask.dstService.baseDn = ou=People
  lsc.tasks.MyTask.dstService.pivotAttrs = uid
  lsc.tasks.MyTask.dstService.filterAll = (uid=*)
  lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword
  lsc.tasks.MyTask.dstService.filterId = (uid={uid})
  lsc.tasks.MyTask.dn = "uid=" + srcBean.getAttributeValueById("uid") + ",ou=People"

Example: MySQL to OpenLDAP

  • Configuring data transformations (syncoptions)

  lsc.syncoptions.MyTask.default.action = F
  lsc.syncoptions.MyTask.cn.force_value = srcBean.getAttributeValueById("sn").toUpperCase() + " " + srcBean.getAttributeValueById("givenName")
  lsc.syncoptions.MyTask.userPassword.action = K
  lsc.syncoptions.MyTask.userPassword.default_value = SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")

Demonstration

  • Installation
  • Simple CSV to LDAP synchronization
  • Online tutorial: http://lsc-project.org/wiki/documentation/1.2/sample

Features overview

  • Syncoptions offer unlimited possibilities
  • Text transformations
    • cn = givenName + SPACE + SN in caps
    • Filter accents: convert Hélène to Helene
  • Hash passwords (SSHA, MD5, etc)
  • Simple LDAP bind test
  • Active Directory specifics:
    • UserAccountControl: deactivate accounts, force password changes, etc
    • UnicodePwd: update passwords in AD-style
  • Anything else you can write in Java!
Features overview

  • Operation conditions
    • Perform ADDs / MODIFYs / MODRDNs / DELETEs conditionally
  • Use-cases:
    • Update-only synchronizations (never create, never delete)
    • Only update the password if it's changed (perform a LDAP bind operation to check on the fly)
    • Delete an account after 60 days of inactivity

Features overview

  • Attribute-level priorities for update
    • FORCE: replace the destination value whatever it is
    • KEEP: leave the destination value as-is
    • DEFAULT: value to use if the destination is empty
    • CREATE: default value for new entries
  • Use cases:
    • Provide a default password but don't squash the real one
    • Force phone numbers if we're authoritative for them
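The four attribute-level priorities, applied to the two use cases on the slide, as an added example that is not LSC's own code: the policy map, the attribute names and the sample entries are assumptions of this illustration, and the "empty" test (missing, null or empty string) is this example's choice.

```javascript
// Added example (not LSC's own code): deciding, attribute by attribute, which
// modifications to apply under FORCE / KEEP / DEFAULT / CREATE priorities.

// Compute the attribute changes for one destination entry.
//   desired : values produced by the transformations from the source object
//   existing: the destination entry, or null when it does not exist yet
//   policies: per-attribute policy name, falling back to policies.default
function computeModifications(desired, existing, policies) {
  const isNew = existing === null;
  const mods = {};
  for (const [attr, value] of Object.entries(desired)) {
    const policy = policies[attr] || policies.default || "FORCE";
    const current = isNew ? undefined : existing[attr];
    const empty = current === undefined || current === null || current === "";
    let next;
    switch (policy) {
      case "FORCE":   next = value; break;                   // source always wins
      case "KEEP":    next = current; break;                 // never touch the destination
      case "DEFAULT": next = empty ? value : current; break; // fill in only if empty
      case "CREATE":  next = isNew ? value : current; break; // only when creating the entry
      default: throw new Error(`unknown policy ${policy} for ${attr}`);
    }
    if (next !== undefined && next !== current) mods[attr] = next;
  }
  return mods;
}

// Constructed scenario: the source supplies a default password and an
// authoritative phone number; one directory entry already has a real password.
const DEFAULT_PASSWORD_HASH = "{SSHA}constructed-placeholder"; // placeholder, not a real hash
const POLICIES = {
  default: "FORCE",
  userPassword: "DEFAULT",      // provide a default but don't squash the real one
  telephoneNumber: "FORCE",     // we are authoritative for phone numbers
  description: "CREATE",        // only set when the entry is created
};

function scenario() {
  const desired = {
    sn: "Doe",
    telephoneNumber: "+1 555 0100",
    userPassword: DEFAULT_PASSWORD_HASH,
    description: "created by sync",
  };
  const withRealPassword = {
    sn: "Doe", telephoneNumber: "+1 555 0199",
    userPassword: "{SSHA}real-user-hash", description: "hand-edited",
  };
  const withoutPassword = { sn: "Doe", telephoneNumber: "" };
  return {
    existingUser: computeModifications(desired, withRealPassword, POLICIES),
    emptyPassword: computeModifications(desired, withoutPassword, POLICIES),
    newEntry: computeModifications(desired, null, POLICIES),
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The security-relevant case is `existingUser`: the user's own password hash survives because userPassword is under DEFAULT, while the phone number is overwritten because the HR source is authoritative for it. Choosing FORCE as the global default and then relaxing it per attribute keeps the list of "attributes we may clobber" explicit in the configuration.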
Features overview

  • Detailed and configurable logging
    • LDIF format (fully RFC-compliant)
    • CSV format
  • Audit or play back modifications
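An LDIF change log of the kind the logging slide describes, as an added example that is not LSC's own code: it renders planned create / modify / delete operations in RFC 2849 changetype syntax, base64-encoding any value that is not an RFC 2849 SAFE-STRING and folding long lines, so the output can be audited or replayed with a standard LDAP client. The operation object shape and the sample operations are assumptions of this example.

```javascript
// Added example (not LSC's own code): render planned operations as an
// RFC 2849 LDIF change log for auditing or playback.

// RFC 2849 SAFE-STRING: no NUL, CR or LF, only ASCII, and not starting with
// space, ':' or '<'. Anything else is written base64-encoded after "::".
function isSafeString(value) {
  if (value === "") return true;
  if (/^[ :<]/.test(value)) return false;
  return /^[\x01-\x09\x0b\x0c\x0e-\x7f]*$/.test(value);
}

// One "name: value" (or "name:: base64") line per value; arrays give several lines.
function ldifAttrLines(name, value) {
  return [].concat(value).map((v) => {
    const s = String(v);
    return isSafeString(s) ? `${name}: ${s}` : `${name}:: ${Buffer.from(s, "utf8").toString("base64")}`;
  });
}

// Fold lines longer than `width`; continuation lines start with a single space.
function fold(line, width = 76) {
  if (line.length <= width) return line;
  const parts = [line.slice(0, width)];
  for (let i = width; i < line.length; i += width - 1) parts.push(" " + line.slice(i, i + width - 1));
  return parts.join("\n");
}

// Render one planned operation as an LDIF change record.
function toLdif(op) {
  const lines = [`dn: ${op.dn}`];
  if (op.op === "create") {
    lines.push("changetype: add");
    for (const [a, v] of Object.entries(op.attrs)) lines.push(...ldifAttrLines(a, v));
  } else if (op.op === "modify") {
    lines.push("changetype: modify");
    for (const [a, v] of Object.entries(op.mods)) lines.push(`replace: ${a}`, ...ldifAttrLines(a, v), "-");
  } else if (op.op === "delete") {
    lines.push("changetype: delete");
  } else {
    throw new Error(`unsupported operation ${op.op}`);
  }
  return lines.map((l) => fold(l)).join("\n") + "\n";
}

function changeLog(ops) {
  return ops.map(toLdif).join("\n");
}

// Constructed sample operations (no real identities); the accented name
// exercises the base64 path.
const SAMPLE_OPS = [
  { op: "create", dn: "uid=1001,ou=People,dc=lsc-project,dc=org",
    attrs: { objectClass: ["inetOrgPerson"], uid: "1001", cn: "DOE Jane", sn: "Doe", givenName: "Jane" } },
  { op: "modify", dn: "uid=1002,ou=People,dc=lsc-project,dc=org",
    mods: { sn: "Smith", givenName: "H\u00e9l\u00e8ne" } },   // Hélène
  { op: "delete", dn: "uid=1003,ou=People,dc=lsc-project,dc=org" },
];

console.log(changeLog(SAMPLE_OPS));
```

Because every record carries the DN and the exact values written, the same file answers the audit question ("what did last night's run change?") and, fed to an LDAP client, replays the run against another directory. Deletes in particular are worth keeping in this log, since a misconfigured clean step is the operation most likely to need tracing afterwards.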
Standards based: wide support

  • Any LDAP server should be supported, tested on:
    • OpenLDAP
    • OpenDS
    • Sun DSEE
    • Microsoft Active Directory
    • Novell Directory Services
  • Any database with a JDBC connector, tested on:
    • MySQL, PostgreSQL, Oracle, HSQLDB

Perspectives

  • Project is currently in stable status
  • Version 1.2.0 (almost) released
  • Ideas for improvement are everywhere:
    • Support other connector types
    • Implement directory-specific replication systems
      • LDAP sync (RFC 4533) for OpenLDAP, ApacheDS
      • DirSync for Microsoft AD
      • Others?
    • Support other scripting languages
    • Anything else

Try it out! Get involved!

  • Main website: http://lsc-project.org/
  • Tutorials: quickstart demo, detailed tutorials
  • Reference documentation

Try it out! Get involved!

  • Getting help (keep in touch!)
    • Mailing lists: http://lists.lsc-project.org/
    • IRC: #lsc-project on Freenode
  • Development tools:
    • Redmine forge: http://tools.lsc-project.org/
    • Bugtracker, SVN repository
    • Continuous build server
      • Numerous automated tests

Thanks for your attention! Any questions?

Jonathan Clarke [email_address]