Synchronizing users from AD to OpenLDAP with LSC-project. Passwords are proxied with SASL.

This post includes:
- LSC-project installation
- Preparing lsc.xml
- saslauthd installation

LSC-project installation

For Ubuntu 12.04.

cat << EOF >> /etc/apt/sources.list.d/lsc-project.list
deb     http://lsc-project.org/debian lsc main
deb-src http://lsc-project.org/debian lsc main
EOF
wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -
apt-get update && apt-get install lsc
apt-get install openjdk-6-jre
mkdir /etc/lsc/ad-to-ldap
cp /etc/lsc/logback.xml /etc/lsc/ad-to-ldap/logback.xml

Preparing lsc.xml

You want to modify at least:
- ldapConnection (both source and destination)
- baseDN
- password

Put the XML below in /etc/lsc/ad-to-ldap/lsc.xml:

<?xml version="1.0"?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
        <connection reference="src-ad"/>
        <connection reference="dst-ldap"/>
        <mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Users,dc=domain,dc=tld"</mainIdentifier>
            <string>"{SASL}" + srcBean.getDatasetFirstValueById("mail")</string>

To synchronize, run (add "-n" for a dry run):
/usr/bin/lsc -f /etc/lsc/ad-to-ldap/ -s all -c all
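The two expressions in lsc.xml above (the mainIdentifier DN and the "{SASL}" userPassword) are LSC JavaScript snippets evaluated for every source entry. The following is an added stand-alone JavaScript example, not LSC code and not part of the original post: it reproduces both computations without srcBean and adds RFC 4514 escaping of the cn, so a source cn containing a comma or another DN special character cannot produce a malformed DN or an entry under a different RDN. USERS_BASE is taken from the mainIdentifier above; the sample entries are constructed.

```javascript
// Added example, not LSC code: stand-alone version of the two lsc.xml expressions
//   "cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=Users,dc=domain,dc=tld"
//   "{SASL}" + srcBean.getDatasetFirstValueById("mail")
// with the cn escaped per RFC 4514 before it is placed into the DN.

const USERS_BASE = "ou=Users,dc=domain,dc=tld"; // taken from the mainIdentifier above

// Escape one RDN attribute value (RFC 4514 section 2.4): backslash-escape
// ',', '+', '"', '\', '<', '>', ';', a leading '#' or space, and a trailing space.
function escapeRdnValue(value) {
  let out = value.replace(/([\\,+"<>;])/g, "\\$1");
  if (value.startsWith("#") || value.startsWith(" ")) out = "\\" + out;
  if (value.endsWith(" ") && value.length > 1) out = out.slice(0, -1) + "\\ ";
  return out;
}

// Destination DN, as the mainIdentifier expression builds it.
function buildUserDn(cn) {
  return "cn=" + escapeRdnValue(cn) + "," + USERS_BASE;
}

// userPassword value that makes slapd hand the bind to SASL (saslauthd -> AD).
function saslPasswordValue(mail) {
  return "{SASL}" + mail;
}

// Map source entries to the attributes LSC would write. Entries are constructed samples.
function mapEntries(entries) {
  return entries.map((e) => ({
    dn: buildUserDn(e.cn),
    userPassword: saslPasswordValue(e.mail),
  }));
}

const sampleEntries = [
  { cn: "Romans Test", mail: "test1@newdomain.tld" },
  { cn: "Doe, John", mail: "jdoe@newdomain.tld" }, // comma would split the RDN if unescaped
  { cn: "#admin", mail: "admin@newdomain.tld" },   // leading '#' is special in DNs
];

for (const m of mapEntries(sampleEntries)) {
  console.log(m.dn, "->", m.userPassword);
}
```

The escaping step is the part worth carrying back into lsc.xml: the original expression concatenates the raw cn, so an AD display name with a comma yields a DN with an extra RDN component and the sync fails (or writes the wrong entry).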

saslauthd installation

Configure password proxying with SASL. saslauthd is installed on the same node as OpenLDAP (slapd), so slapd reaches it over the local mux socket.

apt-get install libsasl2-modules-ldap sasl2-bin
# -i edits the file in place; START=yes is required or the Ubuntu init script refuses to start saslauthd
sed -i 's/^START=.*/START=yes/' /etc/default/saslauthd
sed -i 's/^MECHANISMS=.*/MECHANISMS="ldap"/' /etc/default/saslauthd

Put the following in /etc/saslauthd.conf (add the AD host after ldap://):
ldap_servers: ldap://
ldap_search_base: cn=users,dc=newdomain,dc=tld
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=romans,cn=users,dc=newdomain,dc=tld
ldap_password: xxx
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
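How the pieces fit together: for a user whose userPassword is {SASL}test1@newdomain.tld, slapd hands the bind to saslauthd, which expands ldap_filter with the identity (%U is the part before the @), searches AD under ldap_search_base and binds as the entry it finds. The following is an added JavaScript model of that lookup, not saslauthd's code and not part of the original post. It parses a constructed copy of the config above (the AD host in ldap_servers is an assumed placeholder), expands the %u/%U/%d/%r tokens with RFC 4515 filter escaping, and flags the two settings a reviewer would raise: ldap:// with ldap_start_tls: no, and the bind password stored in the file.

```javascript
// Added example, not saslauthd code: models how saslauthd's LDAP backend turns the
// identity slapd forwards for a "{SASL}mail" userPassword into the AD search, and
// flags settings in the config that expose credentials.

// Constructed copy of the saslauthd.conf from this post; the host is an assumed placeholder.
const saslauthdConf = `
ldap_servers: ldap://ad.newdomain.tld
ldap_search_base: cn=users,dc=newdomain,dc=tld
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: cn=romans,cn=users,dc=newdomain,dc=tld
ldap_password: xxx
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
`;

// Parse "key: value" lines into an object; blank and '#' lines are skipped.
function parseSaslauthdConf(text) {
  const conf = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const i = line.indexOf(":");
    if (i < 0) continue;
    conf[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return conf;
}

// Escape a value placed inside an LDAP search filter (RFC 4515 section 3).
function escapeFilterValue(v) {
  return v.replace(/[\\*()\0]/g, (c) => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Expand %u / %U / %d / %r in ldap_filter as described in saslauthd's LDAP_SASLAUTHD
// notes (%% is a literal percent sign). Simplification: %d is the part after the @,
// or empty when there is none.
function expandFilter(template, user, realm) {
  const at = user.indexOf("@");
  const vars = {
    u: user,
    U: at < 0 ? user : user.slice(0, at),
    d: at < 0 ? "" : user.slice(at + 1),
    r: realm,
  };
  return template.replace(/%(.)/g, (m, c) =>
    c === "%" ? "%" : c in vars ? escapeFilterValue(vars[c]) : m);
}

// For the identity slapd passes on a "{SASL}<mail>" bind, return the AD search saslauthd
// would run and warnings about settings that expose credentials.
function checkSaslauthd(confText, identity) {
  const conf = parseSaslauthdConf(confText);
  const at = identity.indexOf("@");
  const realm = at < 0 ? "" : identity.slice(at + 1);
  const result = {
    server: conf.ldap_servers,
    base: conf.ldap_search_base,
    filter: expandFilter(conf.ldap_filter, identity, realm),
    warnings: [],
  };
  const plainUrl = /^ldap:\/\//.test(conf.ldap_servers || "");
  if (plainUrl && conf.ldap_start_tls !== "yes") {
    result.warnings.push("ldap:// without ldap_start_tls: the bind DN password and every proxied user password cross the network to AD in the clear");
  }
  if (conf.ldap_password) {
    result.warnings.push("ldap_password is stored in the file: keep /etc/saslauthd.conf readable by root only");
  }
  return result;
}

console.log(checkSaslauthd(saslauthdConf, "test1@newdomain.tld"));
```

With the config above the model yields the search base cn=users,dc=newdomain,dc=tld and the filter sAMAccountName=test1, plus both warnings. The mitigations are the obvious ones: set ldap_start_tls: yes (or an ldaps:// URL) so the AD leg is encrypted, and chmod 600 /etc/saslauthd.conf. The sasl-secprops none setting further down likewise allows plaintext SASL mechanisms on slapd itself, so the same TLS consideration applies to clients binding to OpenLDAP.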

In /etc/ldap/sasl2/slapd.conf (the SASL configuration slapd reads on Debian/Ubuntu):
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

In slapd.conf (with cn=config these are olcSaslHost and olcSaslSecProps):
sasl-host       localhost
sasl-secprops   none


usermod -a -G sasl openldap
service saslauthd restart
service slapd restart

Checking installation

Check that saslauthd is working properly:
testsaslauthd -u test1 -p xxx

Check that OpenLDAP is able to proxy the bind to AD:
ldapsearch -x -LLL \
           -H ldap:// \
           -b ou=users,dc=domain,dc=tld \
           -D 'mail=test1@newdomain.tld,ou=Users,dc=domain,dc=tld' \
           -w 'xxx'

Useful links:
1) Official LSC tutorial OpenLDAP to AD
2) Good blogpost AD to OpenLDAP
3) Official LSC documentation

