Sysadmins are often responsible for various identity stores in a company: directories, applications with built-in account databases, etc. Ldap Synchronization Connector offers a solution to link these repositories and ensure nobody's going to get fired because you forgot to disable an account. LSC is an open source project under the BSD license - http://lsc-project.org/
About the speaker

- Identity management
- Contributor to open source LDAP tools: OpenLDAP Team, Ldap ToolBox (http://ltb-project.org)
- 2009: co-founded Normation
- Consulting: identity management, IT services

Introduction
- Central authentication, identity management
- Contain user accounts (identities)

Simple, right? Well, yes, but...

- We use Active Directory for our desktops and we need users' identities there too
- XYZ software only uses a database

Introduction

- Name changes (marriage), transfers...
- Employees leaving

Jim just got fired. Boss asks you to disable his account. Account S, that is. You do it... All done! But what about the account on the company blog? ARGH! Too late. What now!? FIRE THE SYSADMIN!!!?

Introduction

Manual synchronization?
Automatic synchronization?

- Application-specific connectors (AD, SAP, etc.): what about the rest?
- Different data models?
- Using standards: LDAP, SQL, etc.?

About LSC Project
- Open Source project
- BSD licence
- Written in Java
- 4 years in the making
- LSC-project.org created 2 years ago
- ~10 regular contributors

Website: http://lsc-project.org

Goals: functionality

- Standard LDAPv3 operations
- JDBC connectors for databases
- Transform data on-the-fly: JavaScript based engine to manipulate data
- Adjustable updates: force values, insert defaults, merge values, don't touch...

Goals: usability

- Highly configurable
- Powerful transformations (correctness is important): what exactly do we write?
- Run fast (performance is important)
- Easy to set up

Philosophy

- Make it more stable and safer: more secure and better tested
- Don't reinvent a buggy wheel!
- Make it faster and simpler
- Provide methods for IAM and directory-specific tasks
- This may not be the ultimate solution

LSC synchronization principles
Synchronization operations:

- Delete: delete entries from destination not in source
- Update: compare and set specific details

LSC synchronization principles

For each pivot:

- Search for the destination object with pivot
- Build up desired destination object by applying transformations to source object
- If the destination object exists, calculate modifications
- Apply: create or modify

LSC synchronization principles

For each pivot:

- If the source object doesn't exist, delete from destination
- Apply: delete

Defining a synchronization
- Population: which users? Which pivot?
- Information: attributes? Transformations?

Example: MySQL to OpenLDAP

Source table "users":

  Field           Type      Values
  id              INT       Auto-increment
  first_name      VARCHAR   Jane
  last_name       VARCHAR   Doe
  marital_status  ENUM      Single / Married / Divorced
  salary          INT       42000
  start_date      DATE      1st October 2009

Source service: URL, username, password, and a simple SQL request:

  SELECT id, first_name AS givenName, last_name AS sn, start_date AS startDate FROM users

Destination attributes:

  Field         Type           Values
  givenName     String         first_name (ex: Jane)
  sn            String         last_name (ex: Doe)
  cn            String         LAST_NAME first_name (ex: DOE, Jane)
  userPassword  Binary string  Defaults to CHANGEME
  uid           String         Unique id from MySQL table

Destination service (OpenLDAP connection):

  dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org
  dst.java.naming.security.authentication = simple
  dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org
  dst.java.naming.security.credentials = secret

Task definition and DN generation (the RDN must be separated from the base by a comma):

  lsc.tasks = MyTask
  lsc.tasks.MyTask.type = db2ldap
  lsc.tasks.MyTask.dstService.baseDn = ou=People
  lsc.tasks.MyTask.dstService.pivotAttrs = uid
  lsc.tasks.MyTask.dstService.filterAll = (uid=*)
  lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword
  lsc.tasks.MyTask.dstService.filterId = (uid={uid})
  lsc.tasks.MyTask.dn = "uid=" + srcBean.getAttributeValueById("uid") + ",ou=People"

Example: MySQL to OpenLDAP
Sync options (per-attribute update policy):

  lsc.syncoptions.MyTask.default.action = F
  lsc.syncoptions.MyTask.cn.force_value = srcBean.getAttributeValueById("sn").toUpperCase() + " " + srcBean.getAttributeValueById("givenName")
  lsc.syncoptions.MyTask.userPassword.action = K
  lsc.syncoptions.MyTask.userPassword.default_value = SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")

Demonstration

- Simple CSV to LDAP synchronization
- http://lsc-project.org/wiki/documentation/1.2/sample
Features overview

- Filter accents: convert Hélène to Helene
- Hash passwords (SSHA, MD5, etc.)
- Simple LDAP bind test
- Active Directory specifics: UnicodePwd, update passwords in AD-style
- Anything else you can write in Java!

Features overview

Use-cases:

- Only update the password if it's changed (perform a LDAP bind operation to check on the fly)
- Delete an account after 60 days of inactivity

Features overview

- KEEP: leave the destination value as-is
- DEFAULT: value to use if the destination is empty
- CREATE: default value for new entries

Use cases:

- Force phone numbers if we're authoritative for them

Features overview

- CSV format
- Audit or play back modifications
- Standards based
- Wide support: OpenDS, Sun DSEE, Microsoft Active Directory, Novell Directory Services
- Any database with a JDBC connector, tested on:
Perspectives

Ideas for improvement are everywhere:

- Implement directory-specific replication systems: DirSync for Microsoft AD, others?
- Support other scripting languages
- Anything else

Try it out! Get involved!

- Reference documentation
- IRC: #lsc-project on Freenode

Development tools:

- Bugtracker, SVN repository
- Continuous build server

Thanks for your attention! Any questions?

Jonathan Clarke [email_address]