samba – synchroniser OpenLDAP depuis AD avec LSC

LDAP Synchronization Connector (LSC) est un connecteur libre permettant de synchroniser les identités entre un annuaire LDAP et n’importe quelle source de données : toute base de données disposant d’un connecteur JDBC, un autre serveur LDAP, des fichiers plats, etc. Depuis Debian 9, lsc est disponible en version 2.1.4 via apt-get install lsc. La documentation est disponible sur https://lsc-project.org/
# more /etc/apt/sources.list.d/lsc-project.list
deb http://lsc-project.org/debian lsc main
deb-src http://lsc-project.org/debian lsc main
# wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -
# apt-get update
# apt-get install lsc
# lsc
2019/10/22 18:35:56 [lsc] No java executable found on PATH or in JAVA_HOME! Aborting.
2019/10/22 18:35:56 [lsc] Define JAVA_HOME or adjust your PATH variable to include java.
# apt-get install openjdk-8-jre
Comment utiliser la commande
# lsc
usage: lsc
 -a,--asynchronous-synchronize <arg>   Asynchronous synchronization task (one of the available tasks or 'all')
 -c,--clean <arg>                      Cleaning type (one of the available tasks or 'all')
 -f,--config <arg>                     Specify configuration directory
 -h,--help                             Get this text
 -i,--time-limit <arg>                 Time limit in parallel server mode in seconds (default: 3600)
 -n,--dryrun                           Don't update the directory at all
 -nc,--nocreate                        Don't create any entry
 -nd,--nodelete                        Don't delete
 -nr,--nomodrdn                        Don't rename (MODRDN)
 -nu,--noupdate                        Don't update
 -s,--synchronize <arg>                Synchronization task (one of the available tasks or 'all')
 -t,--threads <arg>                    Number of parallel threads to synchronize a task (default: 5)
 -v,--validate                         Validate configuration (check connections ...)
 -x,--convert                          Convert lsc.properties to lsc.xml (-f is mandatory while converting)
Exemple de fichier lsc.xml
# more /etc/lsc/lsc.xml
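<?xml version="1.0" ?>
<!--
  LSC task configuration: one-way synchronisation of Active Directory user
  accounts (CN=Users) into a local OpenLDAP (ou=users).
  Started on this page with `lsc -c all -s all`: -s runs the synchronisation
  task, -c runs the clean task that removes destination entries with no source.

  Fix versus the listing as shown: the LDAP filters below use the '&' operator,
  which must be written as &amp; inside XML text; a bare '&' is not well-formed
  and the file is rejected before LSC even reads it.
-->
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <!-- connections -->
  <connections>
    <!--
      Source: Active Directory.
      The bind is done as the built-in Administrator, over plain ldap:// with
      tlsActivated=false, so the bind password and every fetched attribute
      cross the network in clear, and the password itself is stored here in
      clear text. A dedicated read-only synchronisation account, ldaps:// or
      tlsActivated=true, and file permissions limited to the account running
      lsc are the usual hardening for this block.
    -->
    <ldapConnection>
      <name>ad-src-conn</name>
      <url>ldap://xxx.xxx.xxx.xxx:389/DC=formation,DC=fr</url>
      <username>CN=Administrator,CN=Users,DC=formation,DC=fr</username>
      <password>Pa$$w0rd</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <!-- Paged results, 1000 entries per page: matches AD's default MaxPageSize. -->
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
    <!--
      Destination: local OpenLDAP, bound as cn=admin. Write access is needed
      because the task creates, updates and deletes entries. The same
      clear-text password and no-TLS remarks apply, although this connection
      stays on localhost.
    -->
    <ldapConnection>
      <name>ldap-dst-conn</name>
      <url>ldap://localhost:389/dc=formation,dc=fr</url>
      <username>cn=admin,dc=formation,dc=fr</username>
      <password>Pa$$w0rd</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <!-- -1 presumably disables paged results on this side; confirm in the LSC documentation. -->
      <pageSize>-1</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
  </connections>
  <!-- tasks -->
  <tasks>
    <task>
      <name>ADSyncTask</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <!-- Source service: AD user objects under CN=Users, keyed on sAMAccountName. -->
      <ldapSourceService>
        <name>ad-src-service</name>
        <connection reference="ad-src-conn" />
        <baseDn>CN=Users,DC=formation,DC=fr</baseDn>
        <pivotAttributes>
          <string>sAMAccountName</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>sn</string>
          <string>sAMAccountName</string>
        </fetchedAttributes>
        <!--
          Every user object except the built-in / service accounts excluded by
          name. The filter does not test userAccountControl, so disabled AD
          accounts are synchronised as well.
        -->
        <getAllFilter>(&amp;(objectClass=user)(!(sAMAccountName=Administrator))(!(sAMAccountName=Guest))(!(sAMAccountName=dns-dc1ad))(!(sAMAccountName=krbtgt)))</getAllFilter>
        <getOneFilter>(&amp;(objectClass=user)(sAMAccountName={sAMAccountName}))</getOneFilter>
        <!--
          Used by the clean task (-c): looks up each destination entry in AD by
          its destination pivot ({uid}); entries with no match are candidates
          for deletion (see conditions/delete below). Behaviour inferred from
          the LSC clean semantics - confirm against the documentation.
        -->
        <cleanFilter>(&amp;(objectClass=user)(sAMAccountName={uid}))</cleanFilter>
      </ldapSourceService>
      <!-- Destination service: inetOrgPerson entries under ou=users, keyed on uid. -->
      <ldapDestinationService>
        <name>ldap-dst-service</name>
        <connection reference="ldap-dst-conn" />
        <baseDn>ou=users,dc=formation,dc=fr</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>objectClass</string>
          <string>cn</string>
          <string>sn</string>
          <string>uid</string>
        </fetchedAttributes>
        <getAllFilter>(objectClass=inetOrgPerson)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=inetOrgPerson)(uid={sAMAccountName}))</getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <!-- DN of the destination entry, built from the AD sAMAccountName by a scripted expression. -->
        <mainIdentifier>"uid=" + srcBean.getDatasetFirstValueById("sAMAccountName") + ",ou=users,dc=formation,dc=fr"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <!-- FORCE: for every dataset without its own policy, destination values are overwritten by source values. -->
        <defaultPolicy>FORCE</defaultPolicy>
        <!--
          delete=true allows the clean task to remove OpenLDAP entries whose AD
          user no longer matches getAllFilter; changeId=false presumably means
          entries are never renamed (no MODRDN) - confirm.
        -->
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>false</changeId>
        </conditions>
        <!--
          objectClass is pinned to the listed values. extensibleObject relaxes
          schema checking, so attributes outside inetOrgPerson may be stored on
          the entry. How KEEP combines with forceValues follows the LSC dataset
          semantics - confirm before relying on it.
        -->
        <dataset>
          <name>objectClass</name>
          <policy>KEEP</policy>
          <defaultValues></defaultValues>
          <forceValues>
            <string>"top"</string>
            <string>"person"</string>
            <string>"organizationalPerson"</string>
            <string>"inetOrgPerson"</string>
            <string>"extensibleObject"</string>
          </forceValues>
        </dataset>
        <!-- uid is set from sAMAccountName at creation only (KEEP: existing values are left untouched). -->
        <dataset>
          <name>uid</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("sAMAccountName")</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>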
Lancer une synchronisation manuelle
# /usr/bin/lsc -c all -s all