Active Directory to OpenLDAP Sync with LSC
By Chris Gilbert
Old Article Comments
I exported these from my old WordPress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.
[vinay shetty] - Nov 1, 2014 Super explanation. Thanks a lot.
[Anderson] - Mar 5, 2015 Hi Chris, how can I synchronize passwords (not in plain text) between OpenLDAP and Active Directory?
Synchronizing users with LSC-project | Opencloud engineering - Sep 1, 2015 […] -w ‘xxx’ Useful links: 1) Official LSC tutorial OpenLDAP to AD 2) Good blogpost AD to OpenLDAP 3) Official LSC documentation This entry was posted in Uncategorized and tagged ad, java, ldap, […]
[ebooster] - Nov 5, 2016 Hi Chris, thanks for this. I was curious, did this config allow you to receive event notifications from Active Directory? Namely, when an entry changed there, did LSC receive that change event automatically and near instantly? That is what I am looking to do, with no luck so far, but I’m looking a bit closer at your configuration.
[chrisgilbert42] - Nov 5, 2016 Hi, if I remember correctly, this just synced on a schedule. It didn’t have a way of receiving events at the time. I am not sure if LSC can do that or not - it worked well for me as a scheduled tool, and is very flexible, but not that easy to get working for all purposes. It’s worth looking into AD LDS and federation as alternative approaches. If an external organisation needs access to AD records, then something like using federation on Azure is worth a look too (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-azure-adfs/). But in our case we just cared about having a strongly enforced DMZ.
[chrisgilbert42] - Nov 5, 2016 Oh, I almost forgot, at Hudl we use Okta as a powerful alternative for authenticating to cloud services. Worth a look.
[ebooster] - Nov 5, 2016 Thank you very much, Chris.
[chrisgilbert42] - Mar 3, 2017 I’ve had a quick look around and I can’t find it now either. My article is a few years old now, and I work somewhere different, so I can’t be sure I’m giving you great advice. However - first check that this method is the best one to meet your use case. Since I wrote it, ADFS (federation services) has become much better, and Microsoft also hosts an Azure-based AD which can sync with your on-prem one. We were trying to create a strict DMZ, which we believed at the time was required, but there were other ways of solving the problem too. Also look at using newer real authentication protocols like OAuth, SAML and so on to solve single sign-on problems. LDAP is really an old fallback these days, and is not a particularly secure way of authenticating. Also, check out Okta SSO - this is a good way to control access to cloud products that your team uses, hooked into AD auth. It works well and has Chrome/Firefox plugins and mobile apps; that’s something we use at Hudl. If you give me a bit more information on the problems you are trying to solve I can maybe help further. For most companies, I’d start by looking at a cloud-first solution to SSO and authentication sharing, because most people are accessing cloud apps all over the place now, with or without the IT department’s consent.
[chrisgilbert42] - Mar 3, 2017 Oh, I also found this for a similar commercial tool: https://www.manageengine.com/products/self-service-password/active-directory-password-synchronizer.html
[Jens] - Mar 3, 2017 Thanks for the article. I didn’t find anything on the web about hkpassword. Is the tool still available? Are you aware of other ways to sync the passwords from the AD?