synchronizing identities with - accueil - 11es rmll du 6...
Page 109/07/2010 http://lsc-project.org
09/07/2010
Synchronizing identities with
Jonathan [email protected]
About the speaker
Sysadmin, identity management
Contributor to open source LDAP tools:
Ldap Synchronization Connector (LSC)
OpenLDAP Engineering Team
Company:
Software: IT infrastructure management
Consulting: identity & configuration management
Outline
Introduction: Synchronization for identity management
What is the LSC project?
Features, Goals & Philosophy
LSC synchronization principles
An example: MySQL to OpenLDAP
Perspectives
Introduction
LDAP directories
Present in a vast majority of corporations
Central authentication, identity management, …
Contain user accounts (identities)
Simple, right? … well, yes, but …
« HR already has software that only stores identity information in a database »
« We use Active Directory for our desktops and we need users' identities there too »
Introduction
Several different identity repositories
How to make sure the same changes apply?
New employees
Name changes (marriage), transfers...
Employees leaving
Jim just got fired.
Boss asks you to disable his account.
AccountS, that is. You do it... All done!
But what about the account on the company blog?
ARGH! Too late. What now!?
FIRE THE SYSADMIN!!!?
Introduction
Synchronize the repositories
Spread identity information from its source (HR?)
Spread account status
Manage passwords (and their security policies!)
Manual synchronization?
« Please update that user's information now »
Leads to a mess, leaving old accounts active …
Automatic synchronization?
Introduction
Automatic synchronization
It already exists, and works great
Directory- / database-specific replication
Application-specific connectors (AD, SAP, etc)
What about the rest?
Between different databases, directories, files?
Different data models?
Using standards: LDAP, SQL, etc...?
Many homegrown scripts written here and there...
OpenLDAP to OpenLDAP
MySQL to MySQL
What is the LSC Project?
What is LSC?
LDAP Synchronization Connector
Open Source project
BSD licence
4 years in the making
2 years ago LSC-project.org created
Written in Java
Community:
Website: http://lsc-project.org
IRC: #lsc-project (FreeNode), mailing lists ...
What is the LSC Project?
Synchronization connector
Reads entries from a source
Transforms data and makes decisions
Adds, Updates or Deletes entries in a destination
Various uses:
Continuous synchronization
One-shot import
Audit differences
Features
Read/write to any repository:
Database or LDAP directory or ?
Standard LDAPv3 operations
JDBC connectors for databases (read-only currently)
Transform data on-the-fly:
Adapt to a different data model
JavaScript based engine to manipulate data
Extensions to simplify common tasks (AD, Security, etc)
Features
Make decisions:
Force updates, insert defaults, merge values, don't touch...
Optimal updates:
Compare all data to destination before writing
Audit changes:
Log all modifications
Adaptable formats:
CSV to ease analysis, or LDIF to replay modifications
Standards based – Wide support
Any LDAP server should be supported, tested on:
OpenLDAP
OpenDS
Sun DSEE
Microsoft Active Directory
Novell Directory Services
Any database with a JDBC connector, tested on:
MySQL, PostgreSQL, Oracle, DB2, HSQLDB
Features overview
Syncoptions offer unlimited possibilities
Text transformations
cn = givenName + SPACE + SN in caps
Filter accents: convert « Hélène » to « Helene »
Hash passwords (SSHA, MD5, AD, etc)
Simple LDAP bind test
Active Directory specifics:
UserAccountControl: deactivate accounts, force password changes, etc …
UnicodePwd: update passwords in AD-style
Anything else you can write in Java!
Goals
Quickly implement a new synchronization
Highly configurable
What exactly do we read?
Powerful transformations (correctness is important)
What exactly do we write?
Run fast (performance is important)
Easy to setup
Philosophy
Make it possible, now!
Make it more stable and safer
Open Source benefits over home-grown scripts
More secure and better tested
Don't reinvent a buggy wheel!
Make it faster and simpler
Faster than writing home-grown scripts
Provide methods for IAM and directory-specific tasks
This may not be the ultimate solution …
LSC synchronization principles
Two levels of information per identity
Existence – equivalent to an account (LDAP entry)
Identity specific details – names, phone numbers (LDAP attributes and values)
A unique ID: the pivot attribute(s)
Could be an email address, user ID ...
LSC synchronization principles
What do I need to implement a synchronization?
Source type: LDAP / SQL database / other?
Population: Which users? Which pivot?
Information: Attributes? Transformations?
Example: MySQL to OpenLDAP
MySQL: a simple users table (HR-style)

| Field | Type | Values |
|---|---|---|
| id | INT | Auto-increment |
| first_name | VARCHAR | « Jane » |
| last_name | VARCHAR | « Doe » |
| marital_status | ENUM | « Single » / « Married » / « Divorced » |
| salary | INT | 42000 |
| start_date | DATE | 1st October 2009 |
Example: MySQL to OpenLDAP
Configuring the source database
JDBC connector: com.mysql.jdbc...
URL, username, password
Simple SQL request
SELECT id, first_name AS givenName, last_name AS sn, start_date AS startDate FROM users
Example: MySQL to OpenLDAP
OpenLDAP: inetOrgPerson entries

| Field | Type | Values |
|---|---|---|
| givenName | String | first_name (ex: « Jane ») |
| sn | String | last_name (ex: « Doe ») |
| cn | String | LAST_NAME, first_name (ex: « DOE, Jane ») |
| userPassword | Binary string | Defaults to « CHANGEME » |
| uid | String | Unique id from MySQL table |
Example: MySQL to OpenLDAP
Configuring the destination directory
dst.java.naming.provider.url = ldap://localhost/dc=lsc-project,dc=org
dst.java.naming.security.principal = cn=Manager,dc=lsc-project,dc=org
dst.java.naming.security.credentials = secret
Example: MySQL to OpenLDAP
Configure the synchronization task
Source directory searching
DN generation
lsc.tasks = MyTask
lsc.tasks.MyTask.dstService.baseDn = ou=People
lsc.tasks.MyTask.dstService.pivotAttrs = uid
lsc.tasks.MyTask.dstService.filterAll = (uid=*)
lsc.tasks.MyTask.dstService.attrs = uid sn cn givenName userPassword
lsc.tasks.MyTask.dstService.filterId = (uid={uid})
lsc.tasks.MyTask.dn = "uid=" + srcBean.getAttributeValueById("uid") \
    + ",ou=People"
Example: MySQL to OpenLDAP
Configure data transformations (syncoptions)
# Default for all attributes: F (FORCE)
lsc.syncoptions.MyTask.default.action = F
# cn = NAME Firstname
lsc.syncoptions.MyTask.cn.force_value = \
    srcBean.getAttributeValueById("sn").toUpperCase() + ", " \
    + srcBean.getAttributeValueById("givenName")
# userPassword: K (KEEP) an existing value, otherwise use the default
lsc.syncoptions.MyTask.userPassword.action = K
lsc.syncoptions.MyTask.userPassword.default_value = \
    SecurityUtils.hash(SecurityUtils.MD5, "CHANGEME")
Demonstration
Installation
Simple CSV to LDAP synchronization
Online tutorial
http://lsc-project.org/wiki/documentation/1.2/sample
Features overview
Operation conditions
Perform ADDs / MODIFYs / MODRDNs / DELETEs conditionally
Use-cases:
Update-only synchronizations (never create, never delete)
Only update the password if it's changed (perform an LDAP bind operation to check on the fly)
Delete an account after 60 days of inactivity
Features overview
Attribute-level priorities for update
FORCE: replace the destination value, whatever it is
KEEP: leave the destination value as-is
DEFAULT: value to use if the destination is empty
CREATE: default value for new entries
Use cases:
Provide a default password but don't squash the real one
Force phone numbers if we're authoritative for them
Features overview
Detailed and configurable logging
LDIF format (fully RFC-compliant)
CSV format
Audit or play back modifications
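
How an LDIF audit log can be both readable and replayable, as an added example (not LSC's own logging code): each change becomes an RFC 2849 change record, and values that are not SAFE-STRINGs, such as accented names, are base64-encoded. Function names, the change objects and the sample DNs are constructed.

```javascript
// Added example: render changes as LDIF change records (RFC 2849).
// Function names and sample data are constructed for illustration.

// RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and the first
// character must not be a space, a colon or a less-than sign.
const SAFE = /^[\x01-\x09\x0B\x0C\x0E-\x1F\x21-\x39\x3B\x3D-\x7F][\x01-\x09\x0B\x0C\x0E-\x7F]*$/;

function isSafeString(value) {
  // A trailing space is also encoded so that it survives editing and replay.
  return SAFE.test(value) && !value.endsWith(" ");
}

// "name: value" for safe values, "name:: base64(UTF-8 value)" otherwise.
function ldifLine(name, value) {
  if (value === "" || isSafeString(value)) return name + ": " + value;
  return name + ":: " + Buffer.from(value, "utf8").toString("base64");
}

// One change record per operation; modify is written as per-attribute replace.
function toLdif(change) {
  const lines = [ldifLine("dn", change.dn), "changetype: " + change.op];
  if (change.op === "add") {
    for (const [attr, value] of Object.entries(change.attrs)) {
      lines.push(ldifLine(attr, value));
    }
  } else if (change.op === "modify") {
    for (const [attr, value] of Object.entries(change.attrs)) {
      lines.push("replace: " + attr, ldifLine(attr, value), "-");
    }
  }
  return lines.join("\n") + "\n";
}

// Constructed sample changes: one add, one modify, one delete.
const SAMPLE_CHANGES = [
  { op: "add", dn: "uid=2,ou=People,dc=example,dc=org",
    attrs: { objectClass: "inetOrgPerson", uid: "2", givenName: "Hélène",
             sn: "Martin", cn: "MARTIN, Hélène" } },
  { op: "modify", dn: "uid=1,ou=People,dc=example,dc=org", attrs: { sn: "Doe" } },
  { op: "delete", dn: "uid=7,ou=People,dc=example,dc=org" },
];

// Records are separated by a blank line.
console.log(SAMPLE_CHANGES.map(toLdif).join("\n"));
```

Line folding is optional in RFC 2849 and is not done here.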
Perspectives
Project is currently in stable status
Version 1.2.0 released, 1.2.1 very soon
Version 1.3.0 coming (Q3 2010)
Focus: new features!
Multi-threaded synchronization
Samba integration: LM/NT passwords
AD integration: date & time, large attribute sets
LDAP: find next UID for account creation
New destinations: scriptable interface
Perspectives
Ideas for improvement are everywhere:
Support other connector types
Implement directory-specific replication systems
LDAP sync (RFC 4533) for OpenLDAP, ApacheDS
DirSync for Microsoft AD
Others?
Web interface for administration
Support other scripting languages
Anything else …
Try it out! Get involved!
Main website: http://lsc-project.org/
Tutorials: quickstart demo, detailed tutorials
Reference documentation
Try it out! Get involved!
Getting help (keep in touch!)
Mailing lists: http://lists.lsc-project.org/
IRC: #lsc-project on Freenode
Development tools:
Redmine forge: http://tools.lsc-project.org/
Bugtracker, SVN repository …
Continuous build server
Numerous automated tests
Thanks for your attention!
Any questions?
Jonathan [email protected]
LSC synchronization principles
First step: sync
Get a list of all pivots from the source
For each pivot
Read the source object
Search for the destination object with pivot
Build up desired destination object by applying transformations to source object
If the destination object exists, calculate modifications
Apply: create or modify
LSC synchronization principles
Second step: clean (optional)
Get a list of all pivots from the destination
For each pivot
Search for the source object with pivot
If the source object doesn't exist, delete from destination
Apply: delete
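
The sync and clean steps above, combined with the attribute-level priorities from the features overview, as an added JavaScript example that is not LSC's own code: it computes the change plan for a small in-memory source and destination keyed on the pivot `uid`. FORCE and KEEP follow the slides; the `defaultValue` field merges the DEFAULT and CREATE policies into one, and all helper names and data are constructed.

```javascript
// Added example: simplified model of the sync and clean steps with
// attribute-level policies. Helper names and all data are constructed.

// "F" = FORCE, "K" = KEEP (letters as in the page's syncoptions).
const RULES = {
  default: { action: "F" },
  cn: { action: "F", value: (s) => s.sn.toUpperCase() + ", " + s.givenName },
  // KEEP never overwrites a real password; defaultValue only fills an empty one.
  userPassword: { action: "K", defaultValue: "{PLACEHOLDER}initial-hash" },
};
const ATTRS = ["uid", "givenName", "sn", "cn", "userPassword"];

// Build the wanted value for each attribute and keep only the needed changes.
function diffEntry(src, dst) {
  const mods = {};
  for (const attr of ATTRS) {
    const rule = Object.assign({}, RULES.default, RULES[attr]);
    const want = rule.value ? rule.value(src) : src[attr];
    const empty = !dst || dst[attr] === undefined || dst[attr] === "";
    if (rule.action === "F") {
      if (want !== undefined && (empty || dst[attr] !== want)) mods[attr] = want;
    } else if (rule.action === "K" && empty) {
      const fill = want !== undefined ? want : rule.defaultValue;
      if (fill !== undefined) mods[attr] = fill;
    }
  }
  return mods;
}

// First step (sync): for each source pivot, create or modify in the destination.
function syncStep(source, destination, pivot) {
  const byPivot = new Map(destination.map((e) => [e[pivot], e]));
  const changes = [];
  for (const src of source) {
    const dst = byPivot.get(src[pivot]);
    const attrs = diffEntry(src, dst);
    if (!dst) changes.push({ op: "add", pivot: src[pivot], attrs });
    else if (Object.keys(attrs).length > 0) changes.push({ op: "modify", pivot: src[pivot], attrs });
  }
  return changes;
}

// Second step (clean): delete destination entries whose pivot is gone from the source.
function cleanStep(source, destination, pivot) {
  const known = new Set(source.map((e) => e[pivot]));
  return destination
    .filter((e) => !known.has(e[pivot]))
    .map((e) => ({ op: "delete", pivot: e[pivot] }));
}

// Constructed sample data: HR rows (source) and directory entries (destination).
const SOURCE = [
  { uid: "1", givenName: "Jane", sn: "Doe" },
  { uid: "2", givenName: "John", sn: "Roe" },
];
const DESTINATION = [
  { uid: "1", givenName: "Jane", sn: "Smith", cn: "SMITH, Jane", userPassword: "{SSHA}user-chosen" },
  { uid: "7", givenName: "Jim", sn: "Gone", cn: "GONE, Jim", userPassword: "{SSHA}still-valid" },
];

function plan() {
  return [...syncStep(SOURCE, DESTINATION, "uid"), ...cleanStep(SOURCE, DESTINATION, "uid")];
}
console.log(JSON.stringify(plan(), null, 2));
```

Without the clean step the plan contains no delete for `uid=7`, so the account of someone who has left the source stays active in the destination.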