Linux centralized identity and authentication
interoperability with AD
Pieter Baele – pieter.baele@gmail.com
FlossUK DevOps Spring 2015 @ York
25 March, 2015
Pieter Baele – pieter.baele@gmail.com (FlossUK DevOps Spring 2015 @ York), A directory server integration with AD, 25 March, 2015, 1 / 28
Presentation overview
The history of our implementation
Concepts and principles
Choices: server and client-side
Tooling
The design
Monitoring
References
History of our LDAP implementation
Situation in 2009: a growing Linux environment (fewer than 100 servers), no LDAP. A bigger Unix environment exists with its own Sun Directory Server.
central management of (some) users: let’s use Puppet
manually - with scripts - create users on the Sun Directory Server
add them - manually - to Puppet
good for application users, not funny when you have 100 real users to add
So let’s develop a nice directory architecture!
Concepts and requirements
HA using replication and load-balancing
traceability and auditing
secure
practical ACL support (only on groups)
transport security: TLS and a minimum SSF (security strength factor)
some SSO functionality + fallback (PTA)
accounts not maintained by us, automatic decommissioning
ensuring UIDs and GIDs are unique across the enterprise
applications: local users
central store for sudo rules
support
KISS (complexity introduces risks)
no need to duplicate things if they exist already
Implementation choice
server-side
the ’classic’ LDAP approach
Samba + Winbind
other LDAP servers in general
Unix attributes and Active Directory
the Red Hat way - IPA
realmd
the hybrid approach: OpenDJ as Directory Server, AD Kerberos and some duct tape.
Tried most of the above...
Implementation choice server
the classic approach
everybody knows the classic approach, right?
OpenLDAP
sometimes with MIT or Heimdal Kerberos
and maybe with some bits of Cyrus-SASL - SASLauthd
welcome to the world of LDIF
almost heaven for LDAP gurus
perfect when there is the need for speed (MDB...amazing)
perfect for custom implementations (backends - overlays)
no special benefit for our case
Support: so who is the expert?
Implementation choice server
Winbind / Active Directory
Winbind
join the system to AD
AD SID to Posix Attribute mapping
trusted domains
do you want those components on your server?
Active Directory
ID mapping uses SFU/IMU extensions in AD
maintained by another team
do we really want Windows to manage our entries?
Implementation choice server
Realmd
offers direct integration to AD by configuring SSSD
replaces Winbind
detects the domain using DNS
identity lookup using AD
Kerberos or LDAP authentication
you need a Domain Admin
Implementation choice server
389 Directory Server
used for a subproject of my internship (mmr)
based on the Netscape code
why? we already have our (Sun) Oracle 11g... which can’t replicate with 389!
support from Red Hat
no benefit
The history of (some) directory servers
Implementation choice server
(Free)IPA
Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
it’s free on RHEL
especially made for the need of Linux AuthN/AuthZ
choices for integrating with AD
synchronization service - on each domain controller (also possible with 389 Directory Server, which is part of FreeIPA)
a subdomain (or a new domain) + AD trust relationship
bugs (when I tested it)
after release: not supported when you added custom schemas :-(
nowadays: if it can help you, why not?
The first product specifically for this use case (!)
real Role-Based Access Control
Automember
Integrated web interface
SELinux integration (confined users / mapping)
Implementation choice server
OpenDJ
rather easy (IMO)
has a very complete administrative menu (dsconfig)
setting up replication is only 1 command
cn=config / LDIF configuration when you need it
has a REST interface
possibility to integrate with OpenAM (WebSSO is possible)
can be monitored in various ways
JMX
logs
SNMP
cn=monitor
never let us down so far (lost 1 replica once because of a configuration error)
fast for dev
OpenDJ
the future of OpenDJ
OpenDJ
components
architecture / design
physical
each datacenter its own pair of directory servers
architecture / design
DIT
as flat as possible
keep organisation structure out of the tree
client
replace legacy tools
System Security Services Daemon
A project from Red Hat
before: nss_ldap, nscd
supports a lot of different integrations
direct integration with AD
IPA
using only an LDAP server such as OpenLDAP
or something custom ...
msktutil
Active Directory Keytab Management
creates user or computer accounts in Active Directory,
creates Kerberos keytabs on Unix/Linux systems
adds and removes principals to and from keytabs
changes the user or computer account’s password.
AD Kerberos != MIT Kerberos ...
e.g. each keytab for Apache created on the Windows side also needs a dedicated user account
the configuration
pt 1: OpenDJ
SASL enabled
dsconfig set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
PTA: AD domain certificate added to keystore
protocols, replication
Referential Integrity
Memberof enabled
UID Unique enabled
the configuration
pt 2: data
add host entries; the uid is used as the SASL principal match (HOSTNAME$)
a user is added by our tools, data is used from AD and from the Unix
directory server if present
most real users have PTA enabled, which is as simple as setting a password policy:
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
no password is set for users, application users are not able to login
directly
users need to be a member of a group that allows access AND we use netgroups
we use SUDO directly, to have no impact from SSSD caching
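The data rules on this slide (unique UID/GID numbers, HOSTNAME$ host entries so the SASL principal matches, no local password for PTA users) can be checked before an LDIF is loaded. The script below is an added example, not code from the presentation, its tooling or OpenDJ; it parses plain LDIF with the Python standard library only. The entries, DNs and the ou=hosts / ou=groups containers are constructed sample data, and the PTA policy DN is the one from the slide.

```python
# Added example: pre-flight checks on LDIF before it is loaded into the
# directory. Not code from the presentation, its tooling or OpenDJ; the
# entries below are constructed sample data, the policy DN is from the slide.
import base64
from collections import defaultdict

PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"

# Constructed LDIF with one problem of each kind: duplicate uidNumber across
# accounts, duplicate gidNumber across groups, a host entry whose uid lacks
# the trailing '$', and a PTA user that also carries a local userPassword
# (base64-encoded, to exercise the '::' syntax; bob's policy DN is folded).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10001
gidNumber: 10002
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password
  Policies,cn=config
userPassword:: e1NTSEF9c29tZXRoaW5n

dn: uid=web02,ou=hosts,dc=example,dc=com
objectClass: posixAccount
uid: web02
uidNumber: 20002
gidNumber: 20002

dn: cn=devops,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: devops
gidNumber: 10002

dn: cn=dba,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: dba
gidNumber: 10002
"""


def parse_ldif(text):
    """Minimal LDIF content-record parser -> [(dn, {attr_lowercase: [values]})].

    Handles folded lines (leading space), '#' comments and base64 values
    ('::'); change records and URL values ('<') are not needed here.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # unfold a continuation line
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in logical + [""]:              # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):        # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
    return entries


def check_entries(entries):
    """Return human-readable findings; an empty list means the data is clean."""
    findings = []
    owners = defaultdict(list)               # (attribute, value) -> [dn, ...]
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes:        # UIDs must be unique across accounts
            for value in attrs.get("uidnumber", []):
                owners[("uidNumber", value)].append(dn)
        if "posixgroup" in classes:          # GIDs must be unique across groups
            for value in attrs.get("gidnumber", []):
                owners[("gidNumber", value)].append(dn)
        uid = attrs.get("uid", [""])[0]
        if ",ou=hosts," in dn.lower() and not uid.endswith("$"):
            findings.append(f"{dn}: host uid must end in '$' to match its principal")
        if PTA_POLICY_DN in attrs.get("ds-pwp-password-policy-dn", []) \
                and "userpassword" in attrs:
            findings.append(f"{dn}: PTA user carries a local userPassword; "
                            "remove it so that only AD verifies passwords")
    for (attribute, value), dns in owners.items():
        if len(dns) > 1:
            findings.append(f"duplicate {attribute}={value}: {', '.join(dns)}")
    return findings


def check_ldif(text):
    return check_entries(parse_ldif(text))


if __name__ == "__main__":
    for finding in check_ldif(SAMPLE_LDIF):
        print(finding)
```

Run against the sample it reports four findings (bob's local password, web02's missing `$`, uidNumber 10001 shared by alice and bob, gidNumber 10002 shared by devops and dba); the server-side UID-unique plugin would only catch the first of the duplicates, and only at load time, so a check like this belongs in the tooling that creates entries.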
the configuration
pt 3: client (using cfgmgmt)
installation of packages
configuration of a (minimal) krb5.conf
call to msktutil to create computer account in AD
call to authconfig (EL specific)
enabling sssd
enabling mkhomedir (oddjobd)
enabling PAM access
setting the NISDOMAIN (RHEL 7: rhel-domainname service)
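To show what the client-side steps amount to once the packages are installed and sssd is enabled, here is an added example (not part of the presentation, of SSSD or of any configuration management module) that lints a minimal sssd.conf for the points the slides care about: TLS on the LDAP channel, Kerberos/GSSAPI instead of a stored bind password, and login restricted to a group. Option names are real SSSD options; the two configurations, host names, realm and group DN are constructed placeholders, and the weak one is the kind of quick setup the hardened one replaces.

```python
# Added example: lint a minimal sssd.conf for the client-side points the
# slides make (TLS on the LDAP channel, Kerberos/GSSAPI instead of a stored
# bind password, login restricted to a group). Not from the presentation or
# SSSD; option names are real SSSD options, the configurations, hosts, realm
# and group DN below are constructed placeholders.
import configparser

# Constructed: a quick-and-dirty client setup.
WEAK_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds1.example.com
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=directory manager
ldap_default_authtok = secret-in-cleartext
access_provider = permit
enumerate = true
"""

# Constructed: the shape the slides describe, with SSSD doing identity over
# LDAPS using GSSAPI (host keytab) and authentication against AD Kerberos.
HARDENED_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
ldap_uri = ldaps://ds1.example.com, ldaps://ds2.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/web01.example.com@EXAMPLE.COM
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = memberOf=cn=linux-login,ou=groups,dc=example,dc=com
enumerate = false
"""


def audit_sssd(text):
    """Return a list of findings for every [domain/...] section; [] is clean."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[section]
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if u.startswith("ldap://")]
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if plain and not start_tls:
            findings.append(f"{section}: ldap:// URI without ldap_id_use_start_tls = true; "
                            "use ldaps:// or StartTLS so lookups are not sent in the clear")
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()   # SSSD default is hard
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} skips server certificate "
                            "verification; use demand or hard together with ldap_tls_cacert")
        if d.get("auth_provider") == "ldap" and plain and not start_tls:
            findings.append(f"{section}: auth_provider = ldap over plain ldap:// would send "
                            "passwords unencrypted (SSSD refuses such binds by default)")
        if d.get("ldap_default_authtok"):
            findings.append(f"{section}: ldap_default_authtok keeps a bind password in "
                            "sssd.conf; prefer ldap_sasl_mech = GSSAPI with the host keytab")
        if d.get("access_provider", "permit") == "permit":   # SSSD default is permit
            findings.append(f"{section}: access_provider = permit lets every directory user "
                            "log in; use access_provider = ldap with ldap_access_filter")
        if d.getboolean("enumerate", fallback=False):
            findings.append(f"{section}: enumerate = true downloads every user and group; "
                            "leave it off unless something really needs it")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        findings = audit_sssd(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The weak configuration produces six findings, the hardened one none. A check like this fits naturally into the configuration management run that writes sssd.conf, so a host never ends up with certificate verification switched off or with a directory bind password sitting in a world-readable file.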
tooling
Perl
Perl-LDAP is perfect
first script: with a curses frontend ;-(
functionality: added a user to the correct organisation, enabled PTA
for other tasks: Apache Directory Studio
code not very maintainable for my colleagues...
tooling
Python
OpenDJ REST using python-requests
some limitations
Python LDAP turned out to be the most flexible way
today frequent operations are supported: netgroups; sudo; rootaccess...
and we have a functional frontend written in Flask :-)
Management tools are as important as the underlying technologies used.
monitoring
primary monitoring of service / daemon
log files: parsing with Logstash, especially access (audit) log
correlation
SNMP: using your beloved monitoring platform
JMX: Java Management Extensions, perfect for some internals about the JRE
don’t forget... cn=monitor
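For the access-log correlation mentioned on this slide, here is an added example, not the presentation's Logstash pipeline, that does the same correlation in Python: it stitches CONNECT, BIND REQ and BIND RES records together by conn= and op=, then counts failed binds per source address and per DN and flags a source that fails against several different accounts. The log lines are constructed and modelled on the OpenDJ 2.x access log layout. With PTA the password itself is verified by AD, but the attempt and its result are still recorded in this log, which is why it is the one worth correlating.

```python
# Added example: correlate OpenDJ-style access log records per connection
# and surface failed binds by source and by DN. Not the presentation's
# Logstash pipeline; the log lines are constructed and modelled on the
# OpenDJ 2.x access log layout (CONNECT / BIND REQ / BIND RES / DISCONNECT,
# keyed by conn= and op=).
import re
from collections import Counter, defaultdict

# Constructed sample: one user who mistypes once and then logs in, and one
# source that fails against three different accounts in a row.
SAMPLE_LOG = """\
[25/Mar/2015:09:00:01 +0000] CONNECT conn=12 from=10.0.0.5:51234 to=10.0.0.1:636 protocol=LDAPS
[25/Mar/2015:09:00:01 +0000] BIND REQ conn=12 op=0 msgID=1 type=SIMPLE dn="uid=alice,ou=people,dc=example,dc=com"
[25/Mar/2015:09:00:01 +0000] BIND RES conn=12 op=0 msgID=1 result=49 message="Invalid Credentials" etime=3
[25/Mar/2015:09:00:04 +0000] BIND REQ conn=12 op=1 msgID=2 type=SIMPLE dn="uid=alice,ou=people,dc=example,dc=com"
[25/Mar/2015:09:00:04 +0000] BIND RES conn=12 op=1 msgID=2 result=0 etime=41
[25/Mar/2015:09:00:04 +0000] SEARCH REQ conn=12 op=2 msgID=3 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=alice)" attrs="ALL"
[25/Mar/2015:09:00:04 +0000] SEARCH RES conn=12 op=2 msgID=3 result=0 nentries=1 etime=1
[25/Mar/2015:09:00:05 +0000] DISCONNECT conn=12 reason="Client Disconnect"
[25/Mar/2015:09:00:07 +0000] CONNECT conn=13 from=192.0.2.77:40001 to=10.0.0.1:636 protocol=LDAPS
[25/Mar/2015:09:00:07 +0000] BIND REQ conn=13 op=0 msgID=1 type=SIMPLE dn="uid=alice,ou=people,dc=example,dc=com"
[25/Mar/2015:09:00:07 +0000] BIND RES conn=13 op=0 msgID=1 result=49 message="Invalid Credentials" etime=2
[25/Mar/2015:09:00:07 +0000] BIND REQ conn=13 op=1 msgID=2 type=SIMPLE dn="uid=bob,ou=people,dc=example,dc=com"
[25/Mar/2015:09:00:07 +0000] BIND RES conn=13 op=1 msgID=2 result=49 message="Invalid Credentials" etime=2
[25/Mar/2015:09:00:08 +0000] BIND REQ conn=13 op=2 msgID=3 type=SIMPLE dn="uid=carol,ou=people,dc=example,dc=com"
[25/Mar/2015:09:00:08 +0000] BIND RES conn=13 op=2 msgID=3 result=49 message="Invalid Credentials" etime=2
[25/Mar/2015:09:00:08 +0000] DISCONNECT conn=13 reason="Client Disconnect"
"""

# "[timestamp] KIND [REQ|RES] key=value key="quoted value" ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+(?:\s+(?:REQ|RES))?)\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one access log line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "kind": m.group("kind")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        event[key] = value[1:-1] if value.startswith('"') else value
    return event


def correlate(lines, spray_threshold=3):
    """Stitch CONNECT / BIND REQ / BIND RES together by conn= and op=.

    Returns failed-bind counts per source address and per bind DN, plus the
    sources that failed against at least `spray_threshold` distinct DNs.
    """
    conn_source = {}                     # conn -> client IP (from CONNECT)
    pending = {}                         # (conn, op) -> dn (from BIND REQ)
    failures_by_source = Counter()
    failures_by_dn = Counter()
    failed_dns_by_source = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        conn, kind = ev.get("conn"), ev["kind"]
        if kind == "CONNECT":
            conn_source[conn] = ev.get("from", "unknown").rsplit(":", 1)[0]
        elif kind == "BIND REQ":
            pending[(conn, ev.get("op"))] = ev.get("dn", "")
        elif kind == "BIND RES":
            dn = pending.pop((conn, ev.get("op")), "")
            source = conn_source.get(conn, "unknown")   # CONNECT may sit in a rotated file
            if ev.get("result") != "0":
                failures_by_source[source] += 1
                failures_by_dn[dn] += 1
                failed_dns_by_source[source].add(dn)
        elif kind == "DISCONNECT":
            conn_source.pop(conn, None)
    suspicious = sorted(s for s, dns in failed_dns_by_source.items()
                        if len(dns) >= spray_threshold)
    return {"failures_by_source": dict(failures_by_source),
            "failures_by_dn": dict(failures_by_dn),
            "suspicious_sources": suspicious}


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The per-connection state is what Logstash cannot do on a single line: the BIND RES record carries the result code but not the DN or the client address, so without joining it to the BIND REQ and CONNECT records of the same conn= the failure cannot be attributed to anyone. Keying the pending binds on (conn, op) rather than conn alone keeps pipelined binds on one connection apart.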
monitoring
cn=monitor
LDAP metrics: number of operations (bind, search, modrdn ...) and response times
almost no-one uses it (?)
protect the tree with ACL
there is a nice but older cn=monitor frontend on sourceforge (RPM, DEB...)
still thinking about a new cn=monitor frontend
some observations and remarks
only a very small dataset, but a lot of accesses
separate functional users in AD:
one that can only create computer account objects (msktutil)
one with (search) access to the user OUs, used for PTA
DNS is crucial
NTP critical for Kerberos (and log files)
local users are only possible with recent Puppet versions when the user also exists in LDAP (luseradd and alike)
SSHD tries GSSAPI authentication first, then host-based, public key and password
What are we still missing?
home directories mounted by autofs
performance details (from client)
a platform to manage public keys
OpenSSH LPK project
PrivacyIDEA
indexes
References
LDAP Toolbox project to get started quickly with OpenLDAP: http://ltb-project.org/wiki/
FreeIPA: Dmitri Pal, AD Integration options for Linux Systems, Developer Conference, Brno, 2013
Windows Integration Guide, Red Hat official docs
Linux AD integration with OpenDJ

  • 1. Linux centralized identity and authentication interoperability with AD (running title: A directory server integration with AD)
    Pieter Baele – pieter.baele@gmail.com
    FlossUK DevOps Spring 2015 @ York, 25 March 2015 (slide 1 of 28)
  • 2. Presentation overview
    The history of our implementation
    Concepts and principles
    Choices: server- and client-side
    Tooling
    The design
    Monitoring
    References
  • 3. History of our LDAP implementation
    Situation in 2009: a growing Linux environment (fewer than 100 servers), no LDAP. A bigger Unix environment exists with its own Sun Directory Server.
    Central management of (some) users: let's use Puppet
    Manually, with scripts, create users on the Sun Directory Server
    Add them, manually, to Puppet
    Good for application users, not funny when you have 100 real users to add
    So let's develop a nice directory architecture!
  • 4. Concepts and requirements
    HA using replication and load-balancing
    Traceability and auditing
    Secure: practical ACL support (only on groups); transport security (TLS, SSF factor)
    Some SSO functionality + fallback (PTA, pass-through authentication)
    Accounts not maintained by us: automatic decommissioning
    Ensuring UIDs and GIDs are unique across the enterprise
    Applications: local users
    Central store for sudo rules
    Support
    KISS (complexity introduces risks)
    No need to duplicate things if they exist already
  • 5. Implementation choice: server-side
    The 'classic' LDAP approach
    Samba + Winbind
    Other LDAP servers in general
    Unix attributes and Active Directory
    The Red Hat way: IPA
    realmd
    The hybrid approach: OpenDJ as directory server, AD Kerberos and some duct tape
    Tried most of the above...
  • 6. Implementation choice, server: the classic approach
    Everybody knows the classic approach, right?
  • 7. (continued)
    OpenLDAP, sometimes with MIT or Heimdal Kerberos, and maybe with some bits of Cyrus SASL (saslauthd)
    Welcome to the world of LDIF
    Almost heaven for LDAP gurus
    Perfect when there is a need for speed (MDB... amazing)
    Perfect for custom implementations (backends, overlays)
    No special benefit for our case
    Support: so who is the expert?
  • 8. Implementation choice, server: Winbind / Active Directory
    Winbind:
      Join the system to AD
      AD SID to POSIX attribute mapping
      Trusted domains
      Do you want those components on your server?
    Active Directory:
      ID mapping uses the SFU/IMU extensions in AD (Services for UNIX / Identity Management for UNIX)
      Maintained by another team
      Do we really want Windows to manage our entries?
  • 9. Implementation choice, server: realmd
    Offers direct integration with AD by configuring SSSD
    Replaces Winbind
    Detects the domain using DNS
    Identity lookup using AD; Kerberos or LDAP authentication
    You need a Domain Admin to join
  • 10. Implementation choice, server: 389 Directory Server
    Used for a subproject of my internship (multi-master replication)
    Based on the Netscape code
    Why? We already have our (Sun) Oracle 11g directory... which can't replicate with 389!
    Support from Red Hat
    No benefit
  • 11. The history of (some) directory servers (diagram only)
  • 12. Implementation choice, server: (Free)IPA
    Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
    It's free on RHEL
    Especially made for the needs of Linux AuthN/AuthZ
    Choices for integrating with AD:
      Synchronization service, on each domain controller (also possible with 389 DS alone, which is part of FreeIPA)
      A subdomain (or a new domain) + AD trust relationship
  • 13. (continued)
    Bugs (when I tested it) after release: not supported when you added custom schemas :-(
    Nowadays: if it can help you, why not? The first product specifically for this use case (!)
    Real Role-Based Access Control
    Automember
    Integrated web interface
    SELinux integration (confined users / mapping)
  • 14. Implementation choice, server: OpenDJ
    Rather easy (IMO)
    Has a very complete administrative menu (dsconfig)
    Setting up replication is only one command
    cn=config / LDIF configuration when you need it
    Has a REST interface
    Possibility to integrate with OpenAM (WebSSO is possible)
    Can be monitored in various ways: JMX, logs, SNMP, cn=monitor
    Never let us down so far (lost one replica once because of a configuration error)
    Fast for dev
  • 15. OpenDJ: the future of OpenDJ (diagram only)
  • 16. OpenDJ components (diagram only)
  • 17. Architecture / design, physical: each datacenter has its own pair of directory servers (diagram)
  • 18. Architecture / design, DIT: as flat as possible; keep the organisation structure out of the tree
  • 19. Client: replace legacy tools
    System Security Services Daemon (SSSD), a project from Red Hat
    Before: nss_ldap, nscd
    Supports a lot of different integrations: direct integration with AD; IPA; using only an LDAP server such as OpenLDAP or something custom; ...
  • 20. msktutil: Active Directory keytab management
    Creates user or computer accounts in Active Directory
    Creates Kerberos keytabs on Unix/Linux systems
    Adds and removes principals to and from keytabs
    Changes the user or computer account's password
    AD Kerberos != MIT Kerberos... e.g. a keytab for Apache created on the Windows side also needs its own AD user account, because an SPN in AD has to hang off an account object
  • 21. The configuration, pt 1: OpenDJ
    SASL enabled: dsconfig set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
    PTA: AD domain certificate added to the keystore; protocols, replication
    Referential Integrity plugin enabled
    MemberOf enabled
    UID Unique (unique attribute plugin) enabled
  • 22. The configuration, pt 2: data
    Add host entries; the uid is used as the SASL principal match (HOSTNAME$)
    A user is added by our tools; data is taken from AD and from the Unix directory server if present
    Most real users have PTA enabled, which is as simple as setting a password policy: ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
    No password is set for users; application users are not able to log in directly
    Users need to be a member of a group that allows access AND we use netgroups
    We use sudo directly against LDAP, to have no impact from SSSD caching
  • 23. The configuration, pt 3: client (using configuration management)
    Installation of packages
    Configuration of a (minimal) krb5.conf
    Call to msktutil to create the computer account in AD
    Call to authconfig (EL specific), enabling: sssd; mkhomedir (oddjobd); PAM access
    Setting the NISDOMAIN (RHEL 7: rhel-domainname service)
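The data model and access rule from the configuration slides (21 to 23), worked through as an added Python example. This is not the presenter's Perl or Python tooling: it builds the kinds of entries the deck describes (hosts whose uid is the HOSTNAME$ principal, real users with the PTA password policy and no userPassword, application users with neither, POSIX groups, netgroups, sudo rules) as plain dicts, writes them as LDIF, enforces the enterprise-wide UID/GID uniqueness the deck requires, and evaluates the "member of an access group AND matched by a netgroup" login rule. The suffix dc=example,dc=com, the OU names and every account name are assumptions; only the PTA policy DN is the one shown on the slide.

```python
"""Added example, not the presenter's tooling: the directory data from the
configuration slides as plain dicts, an LDIF writer, the enterprise-wide
UID/GID uniqueness check and the "access group AND netgroup" login rule.
Suffix, OUs and account names are assumptions; the PTA policy DN is the one
from the deck."""
from collections import defaultdict

BASE = "dc=example,dc=com"                                   # assumed suffix
PTA_POLICY = "cn=PTA Policy,cn=Password Policies,cn=config"  # from the deck


def host_entry(fqdn):
    """uid is the HOSTNAME$ principal msktutil registers in AD, so a GSSAPI
    bind from the host maps onto this entry."""
    sam = fqdn.split(".")[0].upper() + "$"
    return {"dn": f"uid={sam},ou=hosts,{BASE}", "objectClass": ["top", "account"],
            "uid": [sam], "host": [fqdn]}


def user_entry(uid, uid_number, gid_number, real_user=True):
    """Real users get the PTA policy and no userPassword (the bind is passed
    through to AD); application users get neither, so they cannot bind."""
    e = {"dn": f"uid={uid},ou=people,{BASE}",
         "objectClass": ["top", "person", "posixAccount"],
         "uid": [uid], "cn": [uid], "sn": [uid],
         "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
         "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/bash"]}
    if real_user:
        e["ds-pwp-password-policy-dn"] = [PTA_POLICY]
    return e


def group_entry(name, gid_number, member_uids):
    return {"dn": f"cn={name},ou=groups,{BASE}", "objectClass": ["top", "posixGroup"],
            "cn": [name], "gidNumber": [str(gid_number)], "memberUid": list(member_uids)}


def netgroup_entry(name, triples):
    """Triples are (host, user, domain); an empty host means any host."""
    return {"dn": f"cn={name},ou=netgroup,{BASE}", "objectClass": ["top", "nisNetgroup"],
            "cn": [name], "nisNetgroupTriple": [f"({h},{u},{d})" for h, u, d in triples]}


def sudo_entry(name, users, hosts, commands):
    return {"dn": f"cn={name},ou=sudoers,{BASE}", "objectClass": ["top", "sudoRole"],
            "cn": [name], "sudoUser": list(users), "sudoHost": list(hosts),
            "sudoCommand": list(commands)}


def to_ldif(entry):
    """Plain LDIF; values that would need base64 are not handled here."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"


def id_conflicts(entries):
    """What the unique-attribute plugin enforces server-side: uid and uidNumber
    unique across all entries, gidNumber unique across groups (a user's
    gidNumber is only a reference and may repeat)."""
    seen = defaultdict(list)
    for e in entries:
        for attr in ("uid", "uidNumber", "gidNumber"):
            if attr == "gidNumber" and "posixGroup" not in e["objectClass"]:
                continue
            for v in e.get(attr, []):
                seen[(attr, v)].append(e["dn"])
    return {k: dns for k, dns in seen.items() if len(dns) > 1}


def can_login(uid, fqdn, access_group, netgroups):
    """The deck's rule: member of the access group AND listed in a netgroup
    triple that applies to this host."""
    if uid not in access_group.get("memberUid", []):
        return False
    short = fqdn.split(".")[0]
    for ng in netgroups:
        for triple in ng["nisNetgroupTriple"]:
            h, u, _ = triple.strip("()").split(",")
            if u == uid and h in ("", fqdn, short):
                return True
    return False


def sudo_commands(uid, fqdn, rules, groups=()):
    """What sudo's LDAP backend would grant: sudoUser is a uid, ALL or %group."""
    names = {g["cn"][0] for g in groups if uid in g.get("memberUid", [])}
    granted = []
    for r in rules:
        user_ok = any(u in (uid, "ALL") or (u.startswith("%") and u[1:] in names)
                      for u in r["sudoUser"])
        if user_ok and any(h in ("ALL", fqdn) for h in r["sudoHost"]):
            granted += r["sudoCommand"]
    return granted


def build_sample():
    """Constructed sample data, including one deliberate uidNumber clash."""
    admins = group_entry("linux-admins", 5000, ["alice", "bob"])
    ng = netgroup_entry("prod-web", [("web01.example.com", "alice", ""), ("", "bob", "")])
    rule = sudo_entry("web-restart", ["%linux-admins"], ["web01.example.com"],
                      ["/usr/bin/systemctl restart httpd"])
    users = [user_entry("alice", 10001, 5000), user_entry("bob", 10002, 5000),
             user_entry("svc-backup", 20001, 5001, real_user=False),
             user_entry("mallory", 10001, 5000)]
    return {"users": users, "groups": [admins], "netgroups": [ng], "sudo": [rule],
            "hosts": [host_entry("web01.example.com")]}
```

Run `id_conflicts(...)` over the whole dataset before loading it: the server-side unique attribute plugin rejects the clash at add time, but catching it in the provisioning tool gives a readable error instead of an LDAP constraint violation. Note that the netgroup and the access group are both required: bob is in the access group and his netgroup triple has an empty host field, so he may log in anywhere, while alice is restricted to web01, and the application user svc-backup, which has no PTA policy and no password, cannot bind at all.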
  • 24. Tooling: Perl
    Perl-LDAP is perfect
    First script: with a curses frontend ;-(
    Functionality: added a user to the correct organisation, enabled PTA
    For other tasks: Apache Directory Studio
    Code not very maintainable for my colleagues...
  • 25. Tooling: Python
    OpenDJ REST using python-requests: some limitations
    Python LDAP turned out to be the most flexible way
    Today frequent operations are supported: netgroups, sudo, root access, ...
    And we have a functional frontend written in Flask :-)
    Management tools are as important as the underlying technologies used.
  • 26. Monitoring
    Primary monitoring of service / daemon
    Log files: parsing with Logstash, especially access (audit) log correlation
    SNMP: using your beloved monitoring platform
    JMX: Java Management Extensions, perfect for some internals about the JRE
  • 27. (continued) Don't forget... cn=monitor
  • 28. Monitoring: cn=monitor
    LDAP metrics: number of operations (bind, search, modrdn, ...) and response times
    Almost no-one uses it (?)
    Protect the tree with an ACL
    There is a nice but older cn=monitor frontend on SourceForge (RPM, DEB, ...)
    Still thinking about a new cn=monitor frontend
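The access-log correlation from the monitoring slides (26 to 28), as an added Python example that is not the presenter's Logstash pipeline. It joins CONNECT, BIND REQ and BIND RES records by connection and operation number, so failed binds can be counted per bind DN and per client address, and it collects per-operation counts and etime values of the kind cn=monitor also reports. The log lines are constructed in the OpenDJ 2.x access-log style (field names such as conn, op, result, etime and authDN) and are not real traffic; the addresses, DNs and threshold are made up for the example.

```python
"""Added example (not the deck's Logstash pipeline): offline correlation of an
OpenDJ-style access log. CONNECT gives conn -> client IP, BIND REQ gives
(conn, op) -> bind DN, BIND RES gives the result code; etime gives latency per
operation type. The sample lines are constructed, not real traffic."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+)(?: (?P<phase>REQ|RES))? ?(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = """\
[25/Mar/2015:10:12:01 +0000] CONNECT conn=3 from=10.1.2.3:44210 to=10.0.0.10:636 protocol=LDAPS
[25/Mar/2015:10:12:01 +0000] BIND REQ conn=3 op=0 msgID=1 version=3 type=SIMPLE dn="uid=alice,ou=people,dc=example,dc=com"
[25/Mar/2015:10:12:01 +0000] BIND RES conn=3 op=0 msgID=1 result=0 authDN="uid=alice,ou=people,dc=example,dc=com" etime=2
[25/Mar/2015:10:12:02 +0000] SEARCH REQ conn=3 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=alice)" attrs="uidNumber,gidNumber"
[25/Mar/2015:10:12:02 +0000] SEARCH RES conn=3 op=1 msgID=2 result=0 nentries=1 etime=1
[25/Mar/2015:10:12:03 +0000] UNBIND REQ conn=3 op=2 msgID=3
[25/Mar/2015:10:12:03 +0000] DISCONNECT conn=3 reason="Client Unbind"
[25/Mar/2015:10:12:05 +0000] CONNECT conn=4 from=10.9.9.9:51000 to=10.0.0.10:636 protocol=LDAPS
[25/Mar/2015:10:12:05 +0000] BIND REQ conn=4 op=0 msgID=1 version=3 type=SIMPLE dn="uid=bob,ou=people,dc=example,dc=com"
[25/Mar/2015:10:12:05 +0000] BIND RES conn=4 op=0 msgID=1 result=49 etime=3
[25/Mar/2015:10:12:06 +0000] BIND REQ conn=4 op=1 msgID=2 version=3 type=SIMPLE dn="uid=bob,ou=people,dc=example,dc=com"
[25/Mar/2015:10:12:06 +0000] BIND RES conn=4 op=1 msgID=2 result=49 etime=3
[25/Mar/2015:10:12:07 +0000] BIND REQ conn=4 op=2 msgID=3 version=3 type=SIMPLE dn="uid=bob,ou=people,dc=example,dc=com"
[25/Mar/2015:10:12:07 +0000] BIND RES conn=4 op=2 msgID=3 result=49 etime=2
[25/Mar/2015:10:12:08 +0000] DISCONNECT conn=4 reason="Client Disconnect"
"""


def parse_line(line):
    """One access-log line -> dict of its fields, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "kind": m["kind"], "phase": m["phase"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        rec[key] = quoted if quoted else bare
    return rec


def summarize(log_text):
    """Single pass: join REQ/RES by (conn, op) and conn -> client address."""
    conn_ip, pending = {}, {}
    s = {"ops": Counter(), "failed_by_dn": Counter(), "failed_by_ip": Counter(),
         "etime": defaultdict(list)}
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r:
            continue
        if r["kind"] == "CONNECT":
            conn_ip[r["conn"]] = r["from"].rsplit(":", 1)[0]
        elif r["kind"] == "DISCONNECT":
            conn_ip.pop(r["conn"], None)
        elif r["phase"] == "REQ":
            pending[(r["conn"], r["op"])] = r
        elif r["phase"] == "RES":
            req = pending.pop((r["conn"], r["op"]), {})
            s["ops"][r["kind"]] += 1
            if "etime" in r:
                s["etime"][r["kind"]].append(int(r["etime"]))
            if r["kind"] == "BIND" and r.get("result") != "0":
                s["failed_by_dn"][req.get("dn", "<unknown>")] += 1
                s["failed_by_ip"][conn_ip.get(r["conn"], "<unknown>")] += 1
    return s


def suspicious_sources(summary, threshold=3):
    """Client addresses with at least `threshold` failed binds. With PTA a
    result=49 here means AD rejected the password, so a burst from one
    address (especially across many DNs) is worth an alert."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)


def max_etime(summary, kind):
    """Worst response time seen for one operation type, in milliseconds."""
    return max(summary["etime"].get(kind, [0]))
```

The same join is what a Logstash aggregate filter would do on the live log; doing it here on a captured file is useful for incident review, where the question is usually "which addresses hammered which DNs, and did the directory slow down while they did".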
  • 29. Some observations and remarks
    Only a very small dataset, but a lot of accesses
    Separate functional users in AD: one that can only create computer account objects (for msktutil); one with (search) access to the user OUs, used for PTA
    DNS is crucial
    NTP is critical for Kerberos (and for log files)
    Local users only possible with recent Puppet versions if present in LDAP (luseradd and the like)
    SSHD first tries GSSAPI authentication, then host-based, public key, passwords
  • 30. What are we still missing?
    Home directories mounted by autofs
    Performance details (from the client)
    A platform to manage public keys: OpenSSH LPK project, PrivacyIDEA
    Indexes
  • 31. References
    LDAP Toolbox project, to get started quickly with OpenLDAP: http://ltb-project.org/wiki/
    FreeIPA: Dmitri Pal, "AD Integration options for Linux Systems", Developer Conference, Brno, 2013
    Windows Integration Guide, Red Hat official docs