Synchronizing users from AD to OpenLDAP with LSC-project. Password hashes are not copied: each synced user gets a {SASL} userPassword in OpenLDAP, and slapd proxies the bind to AD through saslauthd.
This post includes:
- LSC-project installation
- Preparing lsc.xml
- saslauthd installation
LSC-project installation
For Ubuntu 12.04.
cat << EOF >> /etc/apt/sources.list.d/lsc-project.list
deb http://lsc-project.org/debian lsc main
deb-src http://lsc-project.org/debian lsc main
EOF
wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | apt-key add -
apt-get update && apt-get install lsc
apt-get install openjdk-6-jre
mkdir /etc/lsc/ad-to-ldap
cp /etc/lsc/logback.xml /etc/lsc/ad-to-ldap/logback.xml
The repository signing key is fetched over plain HTTP, so compare its fingerprint (apt-key finger) with the one the LTB project publishes before trusting the repository. All commands in this post are run as root.
Preparing lsc.xml
You want to modify at least:
- ldapConnection (both source and destination: url, username, password)
- baseDn (source and destination)
- password
Put the XML below in /etc/lsc/ad-to-ldap/lsc.xml. Both connections use ldap:// URLs with SIMPLE binds and no TLS, so the bind credentials and every synced attribute cross the network in cleartext; switch to ldaps:// or TLS before running this against production directories, and keep the file readable by root only because it holds both passwords.
<?xml version="1.0"?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<connections>
<ldapConnection>
<name>dst-ldap</name>
<url>ldap://10.20.0.3:389/DC=domain,DC=tld</url>
<username>cn=admin,DC=domain,DC=tld</username>
<password>xxx</password>
<authentication>SIMPLE</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>-1</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
<saslMutualAuthentication>false</saslMutualAuthentication>
</ldapConnection>
<ldapConnection>
<name>src-ad</name>
<url>ldap://172.18.160.38:389/DC=newdomain,DC=tld</url>
<username>admin-user@newdomain.tld</username>
<password>xxx</password>
<authentication>SIMPLE</authentication>
<pageSize>1000</pageSize>
</ldapConnection>
</connections>
<audits/>
<tasks>
<task>
<name>MySyncTask</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>MySyncTask-src</name>
<connection reference="src-ad"/>
<baseDn>cn=Users,DC=newdomain,DC=tld</baseDn>
<pivotAttributes>
<string>mail</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>sn</string>
<string>givenName</string>
<string>mail</string>
<string>sAMAccountName</string>
<string>userPrincipalName</string>
</fetchedAttributes>
<getAllFilter>(&amp;(mail=*)(objectClass=user))</getAllFilter>
<getOneFilter>(&amp;(mail={mail})(objectClass=user))</getOneFilter>
<cleanFilter>(&amp;(mail={mail})(objectClass=user))</cleanFilter>
<interval>6</interval>
</ldapSourceService>
<ldapDestinationService>
<name>MySyncTask-dst</name>
<connection reference="dst-ldap"/>
<baseDn>ou=Users,DC=domain,DC=tld</baseDn>
<pivotAttributes>
<string>mail</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>sn</string>
<string>objectClass</string>
<string>userPassword</string>
<string>givenName</string>
<string>mail</string>
<string>uid</string>
</fetchedAttributes>
<getAllFilter>(&amp;(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
<getOneFilter>(&amp;(objectClass=inetOrgPerson)(mail={mail}))</getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Users,dc=domain,dc=tld"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<dataset>
<name>objectClass</name>
<policy>FORCE</policy>
<forceValues>
<string>"inetOrgPerson"</string>
<string>"organizationalPerson"</string>
<string>"person"</string>
<string>"top"</string>
</forceValues>
<delimiter>,</delimiter>
</dataset>
<dataset>
<name>userPassword</name>
<policy>KEEP</policy>
<createValues>
<string>"{SASL}" + srcBean.getDatasetFirstValueById("mail")</string>
</createValues>
</dataset>
<dataset>
<name>sn</name>
<policy>FORCE</policy>
<forceValues>
<string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
</forceValues>
</dataset>
<dataset>
<name>uid</name>
<policy>FORCE</policy>
<forceValues>
<string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
</forceValues>
</dataset>
<dataset>
<name>default</name>
<policy>FORCE</policy>
</dataset>
</propertiesBasedSyncOptions>
</task>
</tasks>
</lsc>
To synchronize, run the command below (add "-n" for a dry run that only reports what would change; do that first, because defaultPolicy is FORCE and mainIdentifier concatenates cn without escaping, so a cn containing a comma or plus sign produces a broken DN):
/usr/bin/lsc -f /etc/lsc/ad-to-ldap/ -s all -c all
saslauthd installation
Configure password proxying with SASL. saslauthd is installed on the same node as OpenLDAP (slapd), because slapd reaches it over a local Unix socket.
apt-get install libsasl2-modules-ldap sasl2-bin
sed -i 's/^START=.*/START=yes/' /etc/default/saslauthd
sed -i 's/^MECHANISMS=.*/MECHANISMS="ldap"/' /etc/default/saslauthd
(START=yes is required on Debian/Ubuntu, otherwise the init script refuses to start saslauthd.)
/etc/saslauthd.conf (holds the AD bind password, so chmod 600 it):
ldap_servers: ldap://172.18.160.38
ldap_search_base: cn=users,dc=newdomain,dc=tld
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=romans,cn=users,dc=newdomain,dc=tld
ldap_password: xxx
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
With ldap_auth_method: bind, saslauthd searches for the user with ldap_filter and then binds to AD as that user with the password it was handed. Because ldap_start_tls is no, every proxied password travels to AD in cleartext; set ldap_start_tls: yes (or use ldaps:// in ldap_servers) outside a lab.
/usr/lib/sasl2/slapd.conf:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
/etc/ldap/slapd.conf (if slapd runs from cn=config, the default on Ubuntu 12.04, set olcSaslHost and olcSaslSecProps in cn=config instead):
sasl-host localhost
sasl-secprops none
Execute:
usermod -a -G sasl openldap
service saslauthd restart
service slapd restart
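Two settings above have to agree for a proxied bind to land on the right AD account: the userPassword createValues in lsc.xml ("{SASL}" + mail) and ldap_filter in saslauthd.conf (sAMAccountName=%U). slapd splits "{SASL}user@realm" into a user and a realm for the SASL library, and saslauthd then substitutes the user into the filter, so the mail local part must equal sAMAccountName. The script below is an added example (not code from the original post, LSC or saslauthd) that models that chain for a few constructed AD records so the mapping can be checked before a real sync. Function names, the sample records, the DN escaping (which the post's mainIdentifier expression does not do) and the subset of saslauthd tokens handled are this example's own assumptions.

```python
"""Trace one AD record through AD -> LSC -> OpenLDAP -> saslauthd -> AD.

Added example, not part of the original post, LSC or saslauthd. It mimics the
lsc.xml mainIdentifier/userPassword expressions and the saslauthd.conf
ldap_filter shown above; sample records below are constructed.
"""

DST_BASE = "ou=Users,dc=domain,dc=tld"   # baseDn of dst-ldap in lsc.xml
SASLAUTHD_FILTER = "sAMAccountName=%U"   # ldap_filter in saslauthd.conf

# Constructed sample records, as LSC's ldapSourceService would fetch them.
SAMPLE_AD_USERS = [
    {"cn": "Test One", "mail": "test1@newdomain.tld", "sAMAccountName": "test1"},
    # mail local part differs from sAMAccountName: "{SASL}" + mail breaks here
    {"cn": "Doe, John", "mail": "john.doe@newdomain.tld", "sAMAccountName": "jdoe"},
]


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_dst_entry(ad_user):
    """The OpenLDAP entry LSC writes for one AD record, per the lsc.xml above.

    mainIdentifier there is plain concatenation; the DN value is escaped here
    (this example's addition). userPassword, sn and uid follow the
    createValues/forceValues expressions exactly.
    """
    return {
        "dn": "cn=" + escape_dn_value(ad_user["cn"]) + "," + DST_BASE,
        "userPassword": "{SASL}" + ad_user["mail"],
        "sn": ad_user["sAMAccountName"],
        "uid": ad_user["sAMAccountName"],
        "mail": ad_user["mail"],
    }


def split_sasl_password(userpassword):
    """slapd pass-through: '{SASL}user@realm' -> (user, realm) handed to SASL."""
    if not userpassword.startswith("{SASL}"):
        raise ValueError("not a {SASL} value; slapd would verify it locally")
    user, sep, realm = userpassword[len("{SASL}"):].partition("@")
    return user, (realm if sep else "")


def saslauthd_filter(user, realm, template=SASLAUTHD_FILTER):
    """Expand the commonly used saslauthd ldap_filter tokens (%U %u %r %d %%).

    saslauthd's LDAP backend escapes substituted values; the same escaping is
    applied here so the filter AD receives is shown verbatim. Handling only
    these tokens, with %d falling back to the realm, is an assumption.
    """
    tokens = {
        "U": escape_filter_value(user),
        "u": escape_filter_value(user),
        "r": escape_filter_value(realm),
        "d": escape_filter_value(realm),
        "%": "%",
    }
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in tokens:
            out.append(tokens[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def trace(ad_user):
    """Follow one record through the chain; report whether a bind against the
    synced entry would be checked against the same AD account it came from."""
    entry = build_dst_entry(ad_user)
    user, realm = split_sasl_password(entry["userPassword"])
    flt = saslauthd_filter(user, realm)
    expected = saslauthd_filter(ad_user["sAMAccountName"], realm)
    return {
        "dn": entry["dn"],
        "userPassword": entry["userPassword"],
        "ad_filter": flt,
        "matches_source_account": flt == expected,
    }


if __name__ == "__main__":
    for record in SAMPLE_AD_USERS:
        t = trace(record)
        status = "OK      " if t["matches_source_account"] else "MISMATCH"
        print(status, t["dn"], "->", t["ad_filter"])
```

The second sample record shows the failure mode: its entry gets userPassword {SASL}john.doe@newdomain.tld, saslauthd searches for sAMAccountName=john.doe, and the bind fails (or, worse, hits a different account if such a sAMAccountName exists). If mail local parts and sAMAccountNames differ in your AD, build the value from sAMAccountName instead, e.g. "{SASL}" + srcBean.getDatasetFirstValueById("sAMAccountName") + "@newdomain.tld", so that the identity saslauthd receives is the one its filter expects.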
Checking installation
Check that saslauthd is working (test1 and xxx are the AD account's credentials):
testsaslauthd -u test1 -p xxx
Check that OpenLDAP proxies the bind to AD. The bind DN must be the entry DN that mainIdentifier built, i.e. cn=<cn of test1>,ou=Users,dc=domain,dc=tld, and the password is the AD password, not anything stored in OpenLDAP. -w puts the password on the command line (visible in the process list and shell history); -W prompts for it instead.
ldapsearch -x -LLL \
  -H ldap://127.0.0.1/ \
  -b ou=Users,dc=domain,dc=tld \
  -D 'cn=<cn of test1>,ou=Users,dc=domain,dc=tld' \
  -w 'xxx'
A successful bind returns the synced entries; "Invalid credentials" with a correct AD password usually means slapd cannot reach /var/run/saslauthd/mux (check the sasl group membership above) or saslauthd's filter does not find the user in AD.
Useful links:
1) Official LSC tutorial OpenLDAP to AD
2) Good blogpost AD to OpenLDAP
3) Official LSC documentation