Prsentation PowerPoint
LSC @ 2011 . RMLL
Sbastien BahloulJonathan Clarke
What?
LSC @ 2011
Why?
Goals
3 minutes quick start
New version : 2.0
Roadmap
Why ?
LDAP directories
Present in a vast majority of corporations
Central authentication, identity management,
Contain user accounts (identities)
Simple, right? well, yes, but
HR already has software that only stores identity information in
a database
We use Active Directory for our desktops and we need users'
identities there too
XYZ software only uses a database
Why ?
Several different identity repositories
How to make sure the same changes apply?
New employees
Name changes (marriage), transfers...
Employees leaving
Jim just got fired.
Boss asks you to disable his account.
AccountS, that is. You do it... All done!
But what about the account on the company blog?
ARGH! Too late. What now!?
FIRE THE SYSADMIN!!!?
Why ?
Synchronize the repositories
Spread the account status, information, etc...
Manual synchronization?
Leads to a mess, leaving old accounts active
Automatic synchronization?
Introduction
Automatic synchronization
It already exists, and works great
Directory- / database-specific replication
Application-specific connectors (AD, SAP, etc)
What about the rest?
Between different databases, directories, files?
Different data models?
Using standards: LDAP, SQL, etc...?
About LSC Project
What is LSC?
LDAP Synchronization Connector
Open Source project
BSD licence
Written in Java
5 years in the making
3 years ago LSC-project.org created
~10 regular contributors
Website: http://lsc-project.org
Goals functionality
Read/write to any repository
Database or LDAP directory or ?
Standard LDAPv3 operations
JDBC connectors for databases
Transform data on-the-fly
Adapt to a different data model
JavaScript based engine to manipulate data
Adjustable updates: force values, insert defaults, merge values,
don't touch...
Goals usability
Quickly implement a new synchronization
Highly configurable
What exactly do we read?
Powerful transformations (correctness is important)
What exactly do we write?
Run fast (performance is important)
Easy to setup
Philosophy
Make it possible, now!
Make it more stable and safer
Open Source benefits over home-grown scripts
More secure and better tested
Don't reinvent a buggy wheel!
Make it faster and simpler
Faster than writing home-grown scripts
Provide methods for IAM and directory-specific tasks
This may not be the ultimate solution
LSC synchronization principles
Two levels of information per identity
Existence equivalent to an account (object)
Identity specific details names, phone numbers (datasets)
A unique ID: the pivot dataset(s)
Could be an email address, user ID ...
Synchronization operations
Create: Add objects from source to destination
Delete: Delete objects from destination not in source
Update: Compare and set specific details
Change ID: Specific update for the main identifier
LSC synchronization principles
A taskdefines:
source and destination service
pivot datasets
synchronization options
A connectoris defined by :
A connection for network and general settings (hostname,
username, password, ...)
A service for per task connector specific settings (LDAP filter
, SQL request, ...)
LSC synchronization principles
First step: sync
Get a list of all pivots from the source
For each pivot
Read the source object
Search for the destination object with pivot
Build up desired destination object by applying
transformations to source object
If the destination object exists, calculate modifications
Apply: create or modify
LSC synchronization principles
Second step: clean (optional)
Get a list of all pivots from the destination
For each pivot
Search for the source object with pivot
If the source object doesn't exists, delete from destination
Apply: delete
Defining a synchronization
Source type: LDAP / SQL database / CSV file ?
Population: Which users? Which pivot?
Information: Datasets ? Transformations?
Example: CSV to OpenLDAP
CSV: a simple export file (HR for example)
CSV is loaded in a temporary database (HSQLDB)
Embedded database is considered has a standard
implementation
Example: CSV to OpenLDAP
Configuring the source database
JDBC connector: org.hsqldb.jdbcDriver
URL, username, password
Simple SQL request
SELECT 'inetOrgPerson' objectClass, pers."ID", pers."MAIL",
...
FROM csvdata pers WHERE ID like #mail#
Example: CSV to OpenLDAP
OpenLDAP: inetOrgPerson entries
Example: CSV to OpenLDAP
Configuring the destination directory
dst-ldap ldap://localhost:33389/dc=lsc-project,dc=org
cn=Directory Manager secret SIMPLE IGNORE NEVER VERSION_3 -1
com.sun.jndi.ldap.LdapCtxFactory false
Example: CSV to OpenLDAP
Configure the synchronization task
Source directory searching
DN generation
MySyncTask-dst ou=Sample mail descriptioncnsn
userPasswordobjectClass (objectClass=inetOrgPerson)
(&(objectClass=inetOrgPerson)(mail={mail}))
"mail=" + srcBean.getAttributeValueById("mail") +
",ou=Sample"
Example: CSV to OpenLDAP
Configuration data transformations (syncoptions)
FORCE cn srcBean.getAttributeValueById("sn").toUpperCase() + " "
srcBean.getAttributeValueById("givenName") userPassword KEEP
SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")
Demonstration
Installation
Simple CSV to LDAP synchronization
Online tutorial
http://lsc-project.org/wiki/documentation/2.0/sample (ongoing
:)
Features overview
Syncoptions offer unlimited possibilites
Text transformations
cn = givenName + SPACE + SN in caps
Filter accents: convert Hlne to Helene
Hash passwords (SSHA, MD5, etc)
Simple LDAP bind test
Active Directory specifics:
UserAccountControl: deactivate accounts, force password changes,
etc
UnicodePwd: update passwords in AD-style
Anything else you can write in Java!
Features overview
Operation conditions
Perform CREATE / UPDATE / DELETE / Change ID conditionally
Use-cases:
Update-only synchronizations
(never create, never delete)
Only update the password if it's changed
(perform a LDAP bind operation to check on the fly)
Delete an account after 60 days of inactivity
Features overview
Dataset-level priorities for update
FORCE: replace the destination value whatever
KEEP: leave the destination value as-is
DEFAULT: value to use if the destination is empty
CREATE: default value for new entries
Use cases:
Provide a default password but don't squash real one
Force phone numbers if we're authoritative for them
Features overview
Detailed and configurable logging
LDIF format (fully RFC-compliant)
CSV format
Audit or play back modifications
Dryrun mode
Block create/delete/update/changeid operation per task
Standards based Wide support
Any LDAP server should be supported, tested on:
OpenLDAP
OpenDS
Sun DSEE
Microsoft Active Directory
Novell Directory Services
Any database with a JDBC connector, tested on:
MySQL, PostgreSQL, Oracle, HSQLDB
Latest version LSC 2.0
A major new release for new features :
Daemon mode with on the fly updates
Support for scripting languages (JSR 223)
Read and write everywhere
Plugin API : connectors, libraries, scripting engine,
Graphical interface
LSC: a connected entity!
Start LSC to benefit of asynchronous mode: detect and propagate
on the fly update events for supported datasource (currently Web
Service and LDAP)
Interact with LSC instance through command line tool or JMX
LSC: scripting
Use your prefered language to write LSC rules!
LSC builtin and historical support for JavaScript
Extensible to any JSR 223 compliant engines:
Php
Groovy
Unix tools (awk, TCL),
Python, Ruby, Scheme (Lisp)
...
LSC: read and write everywhere
Original and best supported connector to LDAP directories
Additional sources: NIS, database, CSV, Web Services, LDAP
through Syncrepl
Additional destinations: Scripting destination
And many other to come :)
LSC: builtin extensibility API
Write your own connector to read or write inside your custom
space
public class MySourceService {public IBean getBean(...);
public Map getListPivots(...);
}
public class MyTargetService {public IBean getBean(...);
public Map getListPivots;
public boolean apply(...)
}
public class MyServiceConfiguration {private String
mySpecialParameter;
public String getMySpecialParameter();public void
setMySpecialParameter(...);}
LSC: graphical interface
LSC: graphical interface
LSC: graphical interface
Perspectives
Project is currently in stable status
Version 1.2.1
This presentation is based on the beta version
Version 2.0 (almost) released
Perspectives
Ideas for improvement are everywhere:
Event based model (ESB)
DirSync support for Microsoft AD
Datasource aggregation on the fly
Scheduler integration (ongoing)
Data reconciliation
Anything else
Try it out! Get involved!
Main website: http://lsc-project.org/
Tutorials: quickstart demo, detailed tutorials
Reference documentation
Try it out! Get involved!
Getting help (keep in touch!)
Mailing lists: http://lists.lsc-project.org/
IRC: #lsc-project on Freenode
Development tools:
Redmine forge: http://tools.lsc-project.org/
Bugtracker, SVN repository
Continuous build server
Numerous automated tests
Thanks for your attention!Any questions?
Sebastien [email protected]
Page
13/07/11
http://lsc-project.org
