[lsc-changes] [Ldap Synchronization...] page added: documentation:tutorial:openldaptoactivedirectory
webmaster
2014-03-04 16:03:55 UTC
A page in your DokuWiki was added or changed. Here are the details:

Date : 2014/03/04 17:03
Browser : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
IP-Address : 88.173.78.196
Hostname : mne69-10-88-173-78-196.fbx.proxad.net
Old Revision: none
New Revision: http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
Edit Summary: created
User : coudot

====== Populating Active Directory from OpenLDAP ======

===== Presentation =====

This article describes the creation of a connector which synchronizes data from OpenLDAP to Active Directory.

It has been done under Linux Ubuntu 11.04, with LSC v2.0. Everything will be done through the console.

We suppose that you have LSC installed, and OpenLDAP and AD running.

===== Configure your connector =====

Create a configuration directory for your OpenLDAP to AD connector, for example:
<code>
# mkdir /etc/lsc/openldap2ad/
</code>

You need a logback configuration in this directory:
<code>
# cp /etc/lsc/logback.xml /etc/lsc/openldap2ad/
</code>

All configuration is done through the configuration file //etc/lsc/openldap2ad/lsc.xml//. A sample file is provided, so copy it and edit it:

All configuration parameters are described in [[..:latest:configuration:start]].


==== Destination LDAP directory connection settings (Active Directory) ====

Target directory properties:
* **Destination directory authentication mode**: we choose **simple**.
* **LDAP server URL**: a standard LDAP URI. Do not forget the trailing slash. We choose **ldap://adlds.lsc-project.org:389/** (not available online for testing!).
* **Naming context root DN**: the data suffix. We choose **dc=lsc-project,dc=org**.

And provide information on the identity used to bind to the target directory:
* **Principal DN**: for example **cn=LSC,dc=lsc-project,dc=org**.
* **Password**: for example **PassW0RD**.

<code xml>
<lsc>
<connections>
<ldapConnection>
<id>AD</id>
<authentication>simple</authentication>
<url>ldap://adlds.lsc-project.org:389/dc=lsc-project,dc=org</url>
<username>cn=LSC,dc=lsc-project,dc=org</username>
<password>PassW0RD</password>
</code>


Active Directory limits a single search to 1000 entries by default; to have LSC use the Paged Results control and retrieve larger result sets page by page, add:
<code xml>
<pageSize>1000</pageSize>
</code>

And close the XML node:

<code xml>
</ldapConnection>
</code>


As we want to set the password (the attribute //unicodePwd//), we must use an SSL connection to Active Directory: AD refuses //unicodePwd// modifications over a clear-text connection.

The steps are:
* Set and export the CA certificate used in AD (see [[http://confluence.atlassian.com/display/CROWD/Configuring+an+SSL+Certificate+for+Microsoft+Active+Directory]])
* Import the certificate in the JVM or in your own SSL truststore (see [[..:howto:ssltls]])
* Use ldaps in the AD URI in lsc.xml (//lsc>connections>ldapConnection>url//)

==== Source LDAP directory settings (OpenLDAP) ====

Source directory properties:
* **Source directory authentication mode**: we choose **Simple bind**.
* **LDAP server URL**: a standard LDAP URI for our OpenLDAP server. Do not forget the trailing slash. We choose **ldap://localhost:389/**.
* **Naming context root DN**: the data suffix. We choose **dc=lsc-project,dc=org**.
* **Principal DN**: for example **cn=Directory Manager,dc=lsc-project,dc=org**.
* **Password**: for example **secret**.

<code xml>
<ldapConnection>
<id>openldap</id>
<authentication>SIMPLE</authentication>
<url>ldap://localhost:389/dc=lsc-project,dc=org</url>
<username>cn=Directory Manager,dc=lsc-project,dc=org</username>
<password>secret</password>
</ldapConnection>
</code>

==== Task ====

You can have multiple tasks in your connector (identified by the //lsc>tasks>task>name// value). In this tutorial, we have only one task, named //adUser//.

You have to update the configuration to define basic searches on source and destination, list all source and destination attributes you want to synchronize, set the destination DN creation rule and select the pivot attributes that will link a source entry to a destination entry.

We want to read from the source (OpenLDAP) all //inetOrgPerson// entries under //ou=People// that have a //uid//, and from the destination (Active Directory) all //user// entries that have a //sAMAccountName//. A source entry is linked to a destination entry by saying that the source //uid// value is equal to the //sAMAccountName// value in the destination:

<code xml>
<tasks>
<task>
<name>adUser</name>
<ldapSourceService>
<name>openldap-src-service</name>
<connection reference="openldap" />
<baseDn>ou=People</baseDn>
<pivotAttributes><string>uid</string></pivotAttributes>
<getAllFilter>(&amp;(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
<getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={uid}))</getOneFilter>
</ldapSourceService>
<ldapDestinationService>
<name>ad-dst-service</name>
<connection reference="AD" />
<baseDn>cn=Users</baseDn>
<pivotAttributes><string>sAMAccountName</string></pivotAttributes>
<getAllFilter>(&amp;(sAMAccountName=*)(objectClass=user))</getAllFilter>
<getOneFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</getOneFilter>
</ldapDestinationService>
</code>

<note important>You have to put objectClass in //lsc.tasks.task.adUser.ldapDestinationService.attrs// but be sure to remove it from //lsc.tasks.task.adUser.ldapSourceService.attrs//.</note>

We will also define how the target DN is built. Let's choose that the target DN is composed from the source's attribute //cn// and the destination branch //ou=users//.

The suffix //dc=lsc-project,dc=org// is already part of the AD connection URL (//lsc>connections>ldapConnection>url//), so we only have to set up this configuration to build the relative DN:
<code xml>
<lsc>
<.../>
<tasks>
<task>
<.../>
<propertiesBasedSyncOptions>
<mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=users"</mainIdentifier>
<.../>
</propertiesBasedSyncOptions>
</task>
</tasks>
</code>

If not successful, check the [[..:requirements]], read the [[..:configuration:start|configuration documentation]] or ask for help on the [[:community#mailing_lists|mailing lists]].

==== Synchronization options ====

This is the last configuration part, but not the least, because we will now describe all our synchronization rules.

In this tutorial, we plan to use these rules:
^ Source attribute ^ Destination attribute ^ Rule ^
| cn | cn | = |
| sn | sn | = |
| uid | uid | = |
| - | objectClass | user/person/organizationalPerson/top |
| uid | sAMAccountName | = |
| uid | userPrincipalName | uid + "@lsc-project.org" |
| - | userAccountControl | Set as "Normal account" |
| - | pwdLastSet | Force password change on creation |
| - | unicodePwd | "changeit" |

These rules are applied through syncoptions:

<code xml>
<lsc>
<tasks>
<task>
<propertiesBasedSyncOptions>
<defaultPolicy>FORCE</defaultPolicy>
<defaultDelimiter>;</defaultDelimiter>
<dataset>
<name>objectClass</name>
<policy>FORCE</policy>
<forceValues>
<string>"top";"user";"person";"organizationalPerson"</string>
</forceValues>
</dataset>
<dataset>
<name>sAMAccountName</name>
<policy>KEEP</policy>
<createValues>
<string>srcBean.getDatasetFirstValueById("uid")</string>
</createValues>
</dataset>
<dataset>
<!-- userPrincipalName = uid + "@lsc-project.org" -->
<name>userPrincipalName</name>
<policy>FORCE</policy>
<forceValues>
<string>srcBean.getDatasetFirstValueById("uid") + "@lsc-project.org"</string>
</forceValues>
</dataset>
<dataset>
<name>userAccountControl</name>
<policy>KEEP</policy>
<createValues>
<string>AD.userAccountControlSet( "0", [AD.UAC_SET_NORMAL_ACCOUNT])</string>
</createValues>
</dataset>
<dataset>
<!-- pwdLastSet = 0 to force user to change password on next connection -->
<name>pwdLastSet</name>
<policy>KEEP</policy>
<createValues>
<string>"0"</string>
</createValues>
</dataset>
<dataset>
<!-- unicodePwd = "changeit" at creation (requires SSL connection to AD) -->
<name>unicodePwd</name>
<policy>KEEP</policy>
<createValues>
<string>AD.getUnicodePwd("changeit")</string>
</createValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
</tasks>
</lsc>
</code>
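To make the rules in the table concrete, here is an added Python example (not LSC's own code) that applies them to one constructed source entry and shows exactly what gets written to AD at creation time. ''unicode_pwd'' and ''user_account_control_set'' are my own stand-ins for what ''AD.getUnicodePwd'' and ''AD.userAccountControlSet'' are assumed to do; the 20-character ''sAMAccountName'' limit is an AD constraint not covered by the syncoptions above.

```python
# Added example (not LSC code): applies the tutorial's sync rules to one entry.
DOMAIN = "lsc-project.org"      # from the userPrincipalName rule
DEST_BRANCH = "ou=users"        # from the mainIdentifier rule
INITIAL_PASSWORD = "changeit"   # from the unicodePwd rule
UAC_NORMAL_ACCOUNT = 0x0200     # AD userAccountControl flag NORMAL_ACCOUNT (512)
SAM_MAX_LEN = 20                # AD limit for a user's sAMAccountName


def unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes and
    encoded as UTF-16LE (assumed equivalent of AD.getUnicodePwd). AD only
    accepts this attribute over LDAPS, which is why the tutorial needs SSL."""
    return f'"{password}"'.encode("utf-16-le")


def user_account_control_set(current: str, flags) -> str:
    """OR the given bits into a numeric userAccountControl value
    (assumed equivalent of AD.userAccountControlSet("0", [...]))."""
    value = int(current)
    for flag in flags:
        value |= flag
    return str(value)


def build_ad_entry(src: dict) -> tuple:
    """Return (relative DN, attributes) for a new AD user built from an
    OpenLDAP inetOrgPerson entry, following the table of rules above."""
    uid = src["uid"][0]
    if len(uid) > SAM_MAX_LEN:
        raise ValueError(f"uid {uid!r} too long for sAMAccountName")
    dn = f"cn={src['cn'][0]},{DEST_BRANCH}"   # relative to dc=lsc-project,dc=org
    attrs = {
        "objectClass": ["top", "user", "person", "organizationalPerson"],
        "cn": src["cn"],
        "sn": src["sn"],
        "uid": src["uid"],
        "sAMAccountName": [uid],
        "userPrincipalName": [f"{uid}@{DOMAIN}"],
        "userAccountControl": [user_account_control_set("0", [UAC_NORMAL_ACCOUNT])],
        "pwdLastSet": ["0"],   # 0 forces a password change at next logon
        "unicodePwd": [unicode_pwd(INITIAL_PASSWORD)],
    }
    return dn, attrs


# Constructed sample source entry, not taken from any real directory.
SAMPLE_SRC = {"uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"]}

if __name__ == "__main__":
    dn, attrs = build_ad_entry(SAMPLE_SRC)
    print(dn)
    for name, values in attrs.items():
        print(f"  {name}: {values}")
```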

You can test your synchronization in "dry-run" mode (-n), which means no modification is done on the target directory:
<code>
$ bin/lsc -f etc -c all -s all -n
</code>

===== Setup and run =====

Install the lsc-openldap2ad directory in /usr/local on the target server.

Install cronjob and logrotate scripts:
<code>
$ sudo cp /usr/local/lsc-openldap2ad/etc/cron.d/lsc-openldap2ad /etc/cron.d
$ sudo cp /usr/local/lsc-openldap2ad/etc/logrotate.d/lsc-openldap2ad /etc/logrotate.d
</code>

Now your connector will run every hour, but you can also launch it manually:
<code>
$ sudo /usr/local/lsc-openldap2ad/bin/lsc -s all -c all
</code>
--
This mail was generated by DokuWiki at
http://lsc-project.org/wiki/