Active Directory to OpenLDAP Sync with LSC
Old Article Comments
I exported these from my old wordpress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.
[vinay shetty] - Super explanation.. Thanks lot
[Anderson] - Hi Chris, how I can synchronizing passwords (no plain text) between the openldap and Active Directory ?
Synchronizing users with LSC-project | Opencloud engineering - […] -w ‘xxx’ Useful links: 1) Official LSC tutorial OpenLDAP to AD 2) Good blogpost AD to OpenLDAP 3) Official LSC documentation This entry was posted in Uncategorized and tagged ad, java, ldap, […]
[ebooster] - Hi Chris, Thanks for this. I was curious, did this config allow you to receive event notifications from Active Directory ? Namely, when an entry changed there, did lsc receive that change event automatically and near instantly ? That is what I am looking to do with no luck so far but I’m looking a bit closer at your configuration.
[chrisgilbert42] - Hi, if I remember correctly, this just synced on a schedule. It didn’t have a way of receiving events at the time. I am not sure if LSC can do that or not - it worked well for me as a scheduled tool, and is very flexible, but not that easy to get working for all purposes. It’s worth looking into AD LDS and federation as alternative approaches. If an external organisation needs access to AD records, then something like using federation on Azure is worth a look too (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-azure-adfs/). But in our case we just cared about having a strongly enforced DMZ.
[chrisgilbert42] - Oh, I almost forgot, at Hudl we use Okta as a powerful alternative for authenticating to cloud services. Worth a look.
[ebooster] - Thank you much Chris.
[chrisgilbert42] - I’ve had a quick look around and I can’t find it now either. My article is a few years old now, and I work somewhere different, so can’t be sure I’m giving you great advice. However - first check this method is the best one to meet your use case. Since I wrote it, ADFS (federation services) are much better, and Microsoft also host a Azure based AD which can sync with your on-prem one. We were trying to create a strict DMZ, which we believed at the time was required, but there were other ways of solving the problem too. Also look at using newer real authentication protocols like OAuth, SAML and so on to solve single-sign on problems. LDAP is really an old fall back these days, and is not a particularly secure way of authenticating. Also, check out Okta SSO - this is a good way to control access to cloud products that your team use, hooked into AD auth. It works well and has Chrome/Firefox plugins and mobile apps, that’s something we use at hudl. If you give me a bit more information on the problems you are trying to solve I can maybe help further. For most companies, I’d start looking at a cloud first solution to SSO and authentication sharing because most people are accessing cloud apps all over the place now, with or without the IT department’s consent.
[chrisgilbert42] - Oh, I also found this for a similar comericial tool: https://www.manageengine.com/products/self-service-password/active-directory-password-synchronizer.html
[Jens] - Thanks for the article. I didn’t find anything in the web about hkpassword. Is the tool still available? Are you aware of other ways to sync the passwords from the AD?
Active Directory to OpenLDAP Sync with LSC
I have recently had to sync accounts and groups from Activc Directory to OpenLDAP, for a requirement for a directory server in the DMZ. A DMZ (De-millitarised zone) is an area of the network open to the internet. It’s supposed to be separate from the rest of your LAN, so you can have services running on the internet without fear that people can break into your LAN from these. There are other options for doing this, including a read-only domain controller (RODC), a AD LDS (Lighweight Directory Server) and so on, but they all require connectivity back from the DMZ to the LAN, which is precisely what we are trying to avoid. If you start from the premise that no traffic at all be allowed to flow into the LAN from the DMZ, then how do you authenticate your user’s accounts? The only real answer is a directory server in the DMZ, and to save our own users having to have multiple logins, clearly some sort of account sync would be required. We looked at a tool called LSC (LDAP Syncronisation Connector) which is designed for syncing various directory sources to and from each other. It’s a very capable product, and now I’ve gone through the learning process, I will have to remember if for similar functions in the future (it can’t read/write from databases, CSV files and so on too). In order to get it set up, there are some gotchas, not least password sync, which requires another method. But I will leave discussion of that until later. First of all, I needed to get our users and groups into OpenLDAP from Active Directory. To set this up required a config file, a modified version of which is below: