Linux centralized identity and authentication
interoperability with AD
Pieter Baele – pieter.baele@gmail.com
FlossUK DevOps Spring 2015 @ York
25 March, 2015
Pieter Baele – pieter.baele@gmail.com (FlossUK DevOps Spring 2015 @ York)A directory server integration with AD 25 March, 2015 1 / 28
Presentation overview
The history of our implementation
Concepts and principles
Choices: server and client-side
Tooling
The design
Monitoring
References
history
of our LDAP implementation
Situation in 2009: a growing Linux environment (fewer than 100 servers),
no LDAP. A bigger Unix environment exists with its own Sun Directory
Server.
central management of (some) users: let’s use Puppet
manually - with scripts - create users on the Sun Directory Server
add them - manually - to Puppet
good for application users, not funny when you have 100 real users to
add
So let’s develop a nice directory architecture!
Concepts and requirements
HA using replication and load-balancing
traceability and auditing
secure
practical ACL support (only on groups)
transport security - TLS, SSF factor
some SSO functionality + fallback (PTA)
accounts not maintained by us, automatic decommissioning
ensuring UIDs and GIDs are unique across the enterprise
applications: local users
central store for sudo rules
support
KISS (complexity introduces risks)
no need to duplicate things if they exist already
Implementation choice
server-side
the ’classic’ LDAP approach
Samba + Winbind
other LDAP servers in general
Unix attributes and Active Directory
the Red Hat way - IPA
realmd
the hybrid approach: OpenDJ as Directory Server, AD Kerberos and
some duct tape.
Tried most of the above...
Implementation choice server
the classic approach
everybody knows the classic approach, right?
OpenLDAP
sometimes with MIT or Heimdal Kerberos
and maybe with some bits of Cyrus-SASL - SASLauthd
welcome to the world of LDIF
almost heaven for LDAP gurus
perfect when there is the need for speed (MDB...amazing)
perfect for custom implementations (backends - overlays)
no special benefit for our case
Support: so who is the expert?
Implementation choice server
Winbind / Active Directory
Winbind
join the system to AD
AD SID to Posix Attribute mapping
trusted domains
do you want those components on your server?
Active Directory
ID mapping uses SFU/IMU extensions in AD
maintained by another team
do we really want Windows to manage our entries?
Implementation choice server
Realmd
offers direct integration to AD by configuring SSSD
replaces Winbind
detects the domain using DNS
identity lookup using AD
Kerberos or LDAP authentication
you need a Domain Admin
Implementation choice server
389 Directory Server
used for a subproject of my internship (mmr)
based on the Netscape code
why? we already have our (Sun) Oracle 11g... which can’t replicate
with 389!
support from Red Hat
no benefit
The history of (some) directory servers
Implementation choice server
(Free)IPA
Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
it’s free on RHEL
especially made for the need of Linux AuthN/AuthZ
choices for integrating with AD
synchronization service - on each domain controller (also possible
with 389, which is part of FreeIPA)
a subdomain (or a new domain) + AD trust relationship
bugs (when I tested it)
after release: not supported when you added custom schemas :-(
nowadays: if it can help you, why not?
The first product specifically for this use case (!)
real Role-Based Access Control
Automember
Integrated webinterface
SELinux integration (confined users / mapping)
Implementation choice server
OpenDJ
rather easy (IMO)
has a very complete administrative menu (dsconfig)
setting up replication is only 1 command
cn=config / LDIF configuration when you need it
has a REST interface
possibility to integrate with OpenAM (WebSSO is possible)
can be monitored in various ways
JMX
logs
SNMP
cn=monitor
never let us down so far (lost 1 replica once because of a
configuration error)
fast for dev
OpenDJ
the future of OpenDJ
OpenDJ
components
architecture / design
physical
each datacenter its own pair of directory servers
architecture / design
DIT
as flat as possible
keep organisation structure out of the tree
client
replace legacy tools
System Security Services Daemon
A project from Red Hat
before: nss ldap, nscd
supports a lot of different integrations
direct integration with AD
IPA
using only an LDAP server such as OpenLDAP
or something custom ...
msktutil
Active Directory Keytab Management
creates user or computer accounts in Active Directory,
creates Kerberos keytabs on Unix/Linux systems
adds and removes principals to and from keytabs
changes the user or computer account’s password.
AD Kerberos != MIT Kerberos ...
ex. each keytab for apache made by Windows also needs a specific
user
the configuration
pt 1: OpenDJ
SASL enabled
set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
PTA: AD domain certificate added to keystore
protocols, replication
Referential Integrity
Memberof enabled
UID Unique enabled
the configuration
pt 2: data
add host entries, the UID is used as a SASL principal match
(HOSTNAME$)
a user is added by our tools, data is used from AD and from the Unix
directory server if present
most real users have PTA enabled, which is as simple as setting a
password policy
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
no password is set for users, application users are not able to login
directly
users need to be memberof a group that allows access AND we use
netgroups
we use SUDO directly, to have no impact from SSSD caching
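The data conventions on this slide as a small working model. This is an added example, not the author's Perl/Python tooling: it shows PTA users carrying the password policy DN from the slide and no userPassword, application users with neither (so they cannot bind at all), host entries whose uid is the AD computer principal (HOSTNAME$), and uid/uidNumber uniqueness enforced on add as the UID Unique plugin does server-side. The base DN, OU names and the host object classes are assumptions.

```python
"""Added example (not the author's tooling): in-memory model of the data
conventions on the slide. Real users get the PTA password policy and no
userPassword, application users get neither (no direct login possible),
host entries use the AD computer principal (HOSTNAME$) as uid, and uid and
uidNumber are kept unique across all entries, as the UID Unique plugin does
server-side. Base DN, OU names and the host object classes are assumptions."""
import base64

BASE_DN = "dc=example,dc=com"            # assumption
PEOPLE_OU = "ou=people," + BASE_DN       # assumption
HOSTS_OU = "ou=hosts," + BASE_DN         # assumption
# From the slide: the subentry that makes OpenDJ pass the bind through to AD.
PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"


def ldif_safe(value):
    """RFC 2849 SAFE-STRING: no leading space, ':' or '<', printable ASCII
    only; anything else has to be base64-encoded ('attr:: ')."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(32 <= ord(ch) < 127 for ch in value)


def to_ldif(dn, attrs):
    """Serialise one entry as an LDIF add record (what ldapmodify would read)."""
    lines = ["dn: " + dn, "changetype: add"]
    for name, values in attrs.items():
        for value in values:
            if ldif_safe(value):
                lines.append("%s: %s" % (name, value))
            else:
                b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append("%s:: %s" % (name, b64))
    return "\n".join(lines) + "\n"


class Directory:
    """Tiny stand-in for the directory that enforces the uniqueness rules."""

    def __init__(self):
        self.entries = {}  # dn -> {attribute: [values]}

    def _taken(self, attr, value):
        return any(value in e.get(attr, []) for e in self.entries.values())

    def _add(self, dn, attrs):
        if dn in self.entries:
            raise ValueError("entry already exists: " + dn)
        for attr in ("uid", "uidNumber"):
            for value in attrs.get(attr, []):
                if self._taken(attr, value):
                    raise ValueError("%s=%s is already in use" % (attr, value))
        self.entries[dn] = attrs
        return dn

    def add_user(self, uid, uid_number, gid_number, cn, sn, pta):
        """pta=True: real user, the bind is verified against AD by the policy.
        pta=False: application user, no password at all, no direct login."""
        attrs = {
            "objectClass": ["top", "person", "organizationalPerson",
                            "inetOrgPerson", "posixAccount"],
            "uid": [uid], "cn": [cn], "sn": [sn],
            "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
            "homeDirectory": ["/home/" + uid], "loginShell": ["/bin/bash"],
        }
        if pta:
            attrs["ds-pwp-password-policy-dn"] = [PTA_POLICY_DN]
        # Deliberately no userPassword in either case.
        return self._add("uid=%s,%s" % (uid, PEOPLE_OU), attrs)

    def add_host(self, fqdn):
        """Host entry whose uid is the AD computer account (short name + '$'),
        which the SASL/GSSAPI identity mapper matches against the principal."""
        sam = fqdn.split(".")[0].upper() + "$"
        attrs = {"objectClass": ["top", "account", "extensibleObject"],
                 "uid": [sam], "host": [fqdn]}
        return self._add("uid=%s,%s" % (sam, HOSTS_OU), attrs)

    def auth_path(self, dn):
        """Where a simple bind against this entry would be decided."""
        entry = self.entries[dn]
        if "userPassword" in entry:
            return "local"
        if PTA_POLICY_DN in entry.get("ds-pwp-password-policy-dn", []):
            return "AD (PTA)"
        return "no password: bind always fails"


def demo():
    """Populate a directory as the slide describes and show that a colliding
    uidNumber is rejected. Returns (directory, user_dn, app_dn, host_dn, clash)."""
    d = Directory()
    user = d.add_user("jdoe", 10001, 10000, "Jane Doe", "Doe", pta=True)
    app = d.add_user("svc-backup", 20001, 20000, "Backup job", "svc", pta=False)
    host = d.add_host("web01.example.com")
    try:
        d.add_user("jsmith", 10001, 10000, "John Smith", "Smith", pta=True)
        clash = False
    except ValueError:
        clash = True
    return d, user, app, host, clash
```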
the configuration
pt 3: client (using cfgmgmt)
installation of packages
configuration of a (minimal) krb5.conf
call to msktutil to create computer account in AD
call to authconfig (EL specific)
enabling sssd
enabling mkhomedir (oddjobd)
enabling PAM access
setting the NISDOMAIN (RHEL 7: rhel-domainname service)
tooling
Perl
Perl-LDAP is perfect
first script: with a curses frontend ;-(
functionality: added a user to the correct organisation, enabled PTA
for other tasks: Apache Directory Studio
code not very maintainable for my colleagues...
tooling
Python
OpenDJ REST using python-requests
some limitations
Python LDAP turned out to be the most flexible way
today frequent operations are supported: netgroups; sudo;
rootaccess...
and we have a functional frontend written in Flask :-)
Management tools are as important as the underlying technologies used.
monitoring
primary monitoring of service / daemon
log files: parsing with Logstash, especially access (audit) log
correlation
SNMP: using your beloved monitoring platform
JMX: Java Management Extensions, perfect for some internals about
the JRE
don’t forget... cn=monitor
monitoring
cn=monitor
LDAP metrics: number of operations (bind, search, modrdn ...) and
response times
almost no-one uses it (?)
protect the tree with ACL
there is a nice but older cn=monitor frontend on sourceforge (RPM,
DEB...)
still thinking about a new cn=monitor frontend
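The log-file correlation from the monitoring slide and the operation counts and response times from the cn=monitor slide, as one added example that is not the author's Logstash pipeline: it groups access log lines by connection id, derives per-operation counts and etime statistics, and sums failed binds per client IP and bind DN across connections, which is the correlation a single connection's lines cannot give you. The log lines are constructed in the style of the OpenDJ 2.x text access log; the exact field layout is an assumption.

```python
"""Added example, not the author's Logstash pipeline: correlate OpenDJ access
log lines by connection id (conn=) and derive the metrics the slides mention
(operation counts, response times, failed binds per client). The sample lines
are constructed in the style of the OpenDJ 2.x text access log; the exact
field layout is an assumption."""
import re
from collections import defaultdict

# Constructed sample: one normal lookup from 10.0.0.5, then three failed
# simple binds for the same user from 10.0.0.9 spread over two connections.
SAMPLE_LOG = """\
[25/Mar/2015:10:00:00 +0000] CONNECT conn=12 from=10.0.0.5:51234 to=10.0.0.1:636 protocol=LDAPS
[25/Mar/2015:10:00:00 +0000] BIND REQ conn=12 op=0 msgID=1 version=3 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:00 +0000] BIND RES conn=12 op=0 msgID=1 result=0 etime=41
[25/Mar/2015:10:00:01 +0000] SEARCH REQ conn=12 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" attrs="uidNumber,gidNumber"
[25/Mar/2015:10:00:01 +0000] SEARCH RES conn=12 op=1 msgID=2 result=0 nentries=1 etime=3
[25/Mar/2015:10:00:02 +0000] DISCONNECT conn=12 reason="Client Disconnect"
[25/Mar/2015:10:00:05 +0000] CONNECT conn=13 from=10.0.0.9:40001 to=10.0.0.1:636 protocol=LDAPS
[25/Mar/2015:10:00:05 +0000] BIND REQ conn=13 op=0 msgID=1 version=3 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:05 +0000] BIND RES conn=13 op=0 msgID=1 result=49 etime=38
[25/Mar/2015:10:00:06 +0000] BIND REQ conn=13 op=1 msgID=2 version=3 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:06 +0000] BIND RES conn=13 op=1 msgID=2 result=49 etime=35
[25/Mar/2015:10:00:06 +0000] DISCONNECT conn=13 reason="Client Disconnect"
[25/Mar/2015:10:00:07 +0000] CONNECT conn=14 from=10.0.0.9:40002 to=10.0.0.1:636 protocol=LDAPS
[25/Mar/2015:10:00:07 +0000] BIND REQ conn=14 op=0 msgID=1 version=3 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com"
[25/Mar/2015:10:00:07 +0000] BIND RES conn=14 op=0 msgID=1 result=49 etime=40
[25/Mar/2015:10:00:08 +0000] DISCONNECT conn=14 reason="Client Disconnect"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<kind>[A-Z]+)(?: (?P<phase>REQ|RES))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="..."


def parse_line(line):
    """Return a dict of fields for one access log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields.update(ts=m.group("ts"), kind=m.group("kind"), phase=m.group("phase"))
    return fields


def correlate(lines):
    """Group events by connection id: client address, last bind DN, completed
    operations as (kind, result code, etime in ms) and number of failed binds."""
    conns = defaultdict(lambda: {"from": None, "bind_dn": None,
                                 "ops": [], "failed_binds": 0})
    for line in lines:
        ev = parse_line(line)
        if not ev or "conn" not in ev:
            continue
        c = conns[ev["conn"]]
        if ev["kind"] == "CONNECT":
            c["from"] = ev.get("from")
        elif ev["kind"] == "BIND" and ev["phase"] == "REQ":
            c["bind_dn"] = ev.get("dn")
        elif ev["phase"] == "RES":
            result = int(ev.get("result", -1))
            c["ops"].append((ev["kind"], result, int(ev.get("etime", 0))))
            if ev["kind"] == "BIND" and result != 0:
                c["failed_binds"] += 1
    return dict(conns)


def metrics(conns):
    """Per operation type: count, average and maximum etime in milliseconds,
    the same kind of numbers cn=monitor exposes, here derived from the log."""
    acc = defaultdict(list)
    for c in conns.values():
        for kind, _result, etime in c["ops"]:
            acc[kind].append(etime)
    return {kind: {"count": len(t), "avg_etime_ms": sum(t) / len(t),
                   "max_etime_ms": max(t)} for kind, t in acc.items()}


def failed_bind_alerts(conns, threshold=3):
    """Failed binds summed per (client IP, bind DN) across all connections;
    pairs at or above the threshold are returned sorted, ready for alerting."""
    counts = defaultdict(int)
    for c in conns.values():
        ip = (c["from"] or "?").rsplit(":", 1)[0]
        counts[(ip, c["bind_dn"])] += c["failed_binds"]
    return sorted(key for key, n in counts.items() if n >= threshold)
```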
some observations and remarks
only a very small dataset, but a lot of accesses
separate functional users in AD:
One that only can create computer account objects (msktutil)
One that with (search) access to user OU’s, used for PTA
DNS is crucial
NTP critical for Kerberos (and log files)
local users only possible with recent Puppet versions if present in
LDAP (luseradd and the like)
SSHD first tries GSSAPI authentication, host-based, public key,
passwords
What are we still missing?
home directories mounted by autofs
performance details (from client)
a platform to manage public keys
OpenSSH LPK project
PrivacyIDEA
indexes
References
LDAP Toolbox project to get started quickly with OpenLDAP:
http://ltb-project.org/wiki/
FreeIPA: Dmitri Pal, AD Integration options for Linux Systems,
Developer Conference. Brno. 2013
Windows Integration Guide, Red Hat official docs
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 

Último (20)

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 

Linux AD integration with OpenDJ

  • 1. Linux centralized identity and authentication interoperability with AD
    Pieter Baele – pieter.baele@gmail.com
    FlossUK DevOps Spring 2015 @ York, 25 March, 2015
    Pieter Baele – pieter.baele@gmail.com (FlossUK DevOps Spring 2015 @ York) A directory server integration with AD, 25 March, 2015, 1 / 28
  • 2. Presentation overview
    The history of our implementation
    Concepts and principles
    Choices: server and client-side
    Tooling
    The design
    Monitoring
    References
  • 3. History of our LDAP implementation
    Situation in 2009: a growing Linux environment (less than 100 servers), no LDAP. A bigger Unix environment exists with its own Sun Directory Server.
    central management of (some) users: let's use Puppet
    manually - with scripts - create users on the Sun Directory Server
    add them - manually - to Puppet
    good for application users, not funny when you have 100 real users to add
    So let's develop a nice directory architecture!
  • 4. Concepts and requirements
    HA using replication and load-balancing
    traceability and auditing
    secure
    practical ACL support (only on groups)
    transport security - TLS, SSF factor
    some SSO functionality + fallback (PTA)
    accounts not maintained by us, automatic decommissioning
    ensuring UIDs and GIDs are unique across the enterprise
    applications: local users
    central store for sudo rules
    support
    KISS (complexity introduces risks)
    no need to duplicate things if they exist already
  • 5. Implementation choice: server-side
    the 'classic' LDAP approach
    Samba + Winbind
    other LDAP servers in general
    Unix attributes and Active Directory
    the Red Hat way - IPA
    realmd
    the hybrid approach: OpenDJ as Directory Server, AD Kerberos and some duct tape.
    Tried most of the above...
  • 6. Implementation choice, server: the classic approach
    everybody knows the classic approach, right?
  • 7. Implementation choice, server: the classic approach
    everybody knows the classic approach, right?
    OpenLDAP, sometimes with MIT or Heimdal Kerberos, and maybe with some bits of Cyrus-SASL - saslauthd
    welcome to the world of LDIF
    almost heaven for LDAP gurus
    perfect when there is the need for speed (MDB... amazing)
    perfect for custom implementations (backends - overlays)
    no special benefit for our case
    Support: so who is the expert?
  • 8. Implementation choice, server: Winbind / Active Directory
    Winbind
      join the system to AD
      AD SID to POSIX attribute mapping
      trusted domains
      do you want those components on your server?
    Active Directory
      ID mapping uses SFU/IMU extensions in AD
      maintained by another team
      do we really want Windows to manage our entries?
  • 9. Implementation choice, server: realmd
    offers direct integration to AD by configuring SSSD
    replaces Winbind
    detects the domain using DNS
    identity lookup using AD Kerberos or LDAP authentication
    you need a Domain Admin
  • 10. Implementation choice, server: 389 Directory Server
    used for a subproject of my internship (MMR)
    based on the Netscape code
    why? we already have our (Sun) Oracle 11g... which can't replicate with 389!
    support from Red Hat
    no benefit
  • 11. The history of (some) directory servers
  • 12. Implementation choice, server: (Free)IPA
    Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
    it's free on RHEL
    especially made for the needs of Linux AuthN/AuthZ
    choices for integrating with AD:
      synchronization service - on each domain controller (also possible with 389, which is part of FreeIPA)
      a subdomain (or a new domain) + AD trust relationship
  • 13. Implementation choice, server: (Free)IPA
    Complete IdM with DS, NTP, PKI, KDC, HTTPD and DNS
    it's free on RHEL
    especially made for the needs of Linux AuthN/AuthZ
    choices for integrating with AD:
      synchronization service - on each domain controller (also possible with 389, which is part of FreeIPA)
      a subdomain (or a new domain) + AD trust relationship
    bugs (when I tested it)
    after release: not supported when you added custom schemas :-(
    nowadays: if it can help you, why not? The first product specifically for this use case (!)
      real Role-Based Access Control
      Automember
      integrated web interface
      SELinux integration (confined users / mapping)
  • 14. Implementation choice, server: OpenDJ
    rather easy (IMO)
    has a very complete administrative menu (dsconfig)
    setting up replication is only 1 command
    cn=config / LDIF configuration when you need it
    has a REST interface
    possibility to integrate with OpenAM (WebSSO is possible)
    can be monitored in various ways: JMX, logs, SNMP, cn=monitor
    never let us down so far (lost 1 replica once because of a configuration error)
    fast for dev
  • 15. OpenDJ: the future of OpenDJ
  • 16. OpenDJ components
  • 17. Architecture / design: physical
    each datacenter its own pair of directory servers
  • 18. Architecture / design: DIT
    as flat as possible
    keep organisation structure out of the tree
  • 19. Client: replace legacy tools
    System Security Services Daemon
    a project from Red Hat
    before: nss_ldap, nscd
    supports a lot of different integrations:
      direct integration with AD
      IPA
      using only an LDAP server such as OpenLDAP or something custom ...
  • 20. msktutil: Active Directory Keytab Management
    creates user or computer accounts in Active Directory
    creates Kerberos keytabs on Unix/Linux systems
    adds and removes principals to and from keytabs
    changes the user or computer account's password
    AD Kerberos != MIT Kerberos ... e.g. each keytab for Apache made by Windows also needs a specific user
  • 21. The configuration pt 1: OpenDJ
    SASL enabled: set-sasl-mechanism-handler-prop --handler-name GSSAPI --set enabled:true
    PTA: AD domain certificate added to keystore
    protocols, replication
    Referential Integrity
    MemberOf enabled
    UID Unique enabled
  • 22. The configuration pt 2: data
    add host entries; the UID is used as a SASL principal match (HOSTNAME$)
    a user is added by our tools; data is used from AD and from the Unix directory server if present
    most real users have PTA enabled, which is as simple as setting a password policy: ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
    no password is set for users; application users are not able to log in directly
    users need to be member of a group that allows access AND we use netgroups
    we use SUDO directly, to have no impact from SSSD caching
  • 23. The configuration pt 3: client (using cfgmgmt)
    installation of packages
    configuration of a (minimal) krb5.conf
    call to msktutil to create the computer account in AD
    call to authconfig (EL specific):
      enabling sssd
      enabling mkhomedir (oddjobd)
      enabling PAM access
    setting the NISDOMAIN (RHEL 7: rhel-domainname service)
  • 24. Tooling: Perl
    Perl-LDAP is perfect
    first script: with a curses frontend ;-(
    functionality: added a user to the correct organisation, enabled PTA
    for other tasks: Apache Directory Studio
    code not very maintainable for my colleagues...
  • 25. Tooling: Python
    OpenDJ REST using python-requests: some limitations
    Python LDAP turned out to be the most flexible way
    today frequent operations are supported: netgroups; sudo; root access...
    and we have a functional frontend written in Flask :-)
    Management tools are as important as the underlying technologies used.
  • 26. Monitoring
    primary monitoring of service / daemon
    log files: parsing with Logstash, especially access (audit) log correlation
    SNMP: using your beloved monitoring platform
    JMX: Java Management Extensions, perfect for some internals about the JRE
  • 27. Monitoring
    primary monitoring of service / daemon
    log files: parsing with Logstash, especially access (audit) log correlation
    SNMP: using your beloved monitoring platform
    JMX: Java Management Extensions, perfect for some internals about the JRE
    don't forget... cn=monitor
  • 28. Monitoring: cn=monitor
    LDAP metrics: number of operations (bind, search, modrdn ...) and response times
    almost no-one uses it (?)
    protect the tree with ACL
    there is a nice but older cn=monitor frontend on SourceForge (RPM, DEB...)
    still thinking about a new cn=monitor frontend
  • 29. Some observations and remarks
    only a very small dataset, but a lot of accesses
    separate functional users in AD:
      one that can only create computer account objects (msktutil)
      one with (search) access to user OUs, used for PTA
    DNS is crucial
    NTP critical for Kerberos (and log files)
    local users only possible with recent Puppet versions if present in LDAP (luseradd and alike)
    SSHD first tries GSSAPI authentication, then host-based, public key, passwords
  • 30. What are we still missing?
    home directories mounted by autofs
    performance details (from client)
    a platform to manage public keys: OpenSSH LPK project, PrivacyIDEA
    indexes
  • 31. References
    LDAP Toolbox project to get started quickly with OpenLDAP: http://ltb-project.org/wiki/
    FreeIPA: Dmitri Pal, AD Integration options for Linux Systems, Developer Conference, Brno, 2013
    Windows Integration Guide, Red Hat official docs
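The data model of slides 21-22 (host entries keyed by HOSTNAME$, users that carry the PTA password policy instead of a local password, group and netgroup membership, sudo rules read directly by sudo) and the routine operations of slide 25 can be made concrete as an LDIF builder. The block below is an added example, not the speaker's Perl or Python tooling; the suffix dc=example,dc=org, the ou= containers, the object classes (account, inetOrgPerson/posixAccount, groupOfNames, nisNetgroup) and the sudoers LDAP schema (sudoRole) are assumptions, and the sample host and users are constructed. Only the policy DN is quoted from slide 22. Two audit helpers check the design's two invariants: no entry may carry a userPassword, and only entries with the PTA policy can bind at all.

```python
"""LDIF builder for the OpenDJ data model described in the talk.
Added example, not the speaker's tooling. Assumptions: suffix, ou= containers,
object classes and the sudoers LDAP schema; the sample data is constructed."""
import base64
import re

BASE_DN = "dc=example,dc=org"  # assumption: placeholder suffix
# Policy DN quoted on slide 22: users bind through pass-through auth to AD.
PTA_POLICY_DN = "cn=PTA Policy,cn=Password Policies,cn=config"

# RFC 2849 SAFE-STRING; anything else is written base64-encoded ("attr:: ...").
_SAFE_INIT = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
_SAFE_CHARS = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def ldif_line(attr, value):
    """One 'attr: value' line; base64 when the value is not a SAFE-STRING."""
    safe = value == "" or (_SAFE_INIT.fullmatch(value[0]) is not None
                           and _SAFE_CHARS.fullmatch(value) is not None
                           and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def host_entry(fqdn):
    """Host entry whose uid is the AD computer name (HOSTNAME$), so a GSSAPI
    bind by the machine principal maps onto it (slide 22)."""
    uid = fqdn.split(".")[0].upper() + "$"
    attrs = [("objectClass", "top"), ("objectClass", "account"),
             ("uid", uid), ("host", fqdn)]
    return f"uid={uid},ou=hosts,{BASE_DN}", attrs


def user_entry(uid, cn, sn, uid_number, gid_number, pta, display_name=None):
    """Person entry. No userPassword is ever written: real users get the PTA
    policy and authenticate against AD; application users get neither and
    therefore cannot bind directly (slide 22)."""
    attrs = [("objectClass", "top"), ("objectClass", "inetOrgPerson"),
             ("objectClass", "posixAccount"), ("uid", uid), ("cn", cn),
             ("sn", sn), ("uidNumber", str(uid_number)),
             ("gidNumber", str(gid_number)),
             ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash")]
    if display_name:
        attrs.append(("displayName", display_name))
    if pta:
        attrs.append(("ds-pwp-password-policy-dn", PTA_POLICY_DN))
    return f"uid={uid},ou=people,{BASE_DN}", attrs


def group_entry(cn, member_dns):
    """groupOfNames; OpenDJ's MemberOf plugin (slide 21) derives the reverse."""
    attrs = [("objectClass", "top"), ("objectClass", "groupOfNames"), ("cn", cn)]
    return f"cn={cn},ou=groups,{BASE_DN}", attrs + [("member", d) for d in member_dns]


def netgroup_entry(cn, triples):
    """nisNetgroup with (host,user,domain) triples, as used by pam_access."""
    attrs = [("objectClass", "top"), ("objectClass", "nisNetgroup"), ("cn", cn)]
    attrs += [("nisNetgroupTriple", f"({h},{u},{d})") for h, u, d in triples]
    return f"cn={cn},ou=netgroups,{BASE_DN}", attrs


def sudo_role_entry(cn, users, hosts, commands):
    """sudoRole entry; sudo reads it directly, bypassing SSSD's cache (slide 22)."""
    attrs = [("objectClass", "top"), ("objectClass", "sudoRole"), ("cn", cn)]
    attrs += [("sudoUser", u) for u in users] + [("sudoHost", h) for h in hosts]
    return f"cn={cn},ou=sudoers,{BASE_DN}", attrs + [("sudoCommand", c) for c in commands]


def to_ldif(entries):
    """Serialise (dn, attrs) pairs as LDIF entry records."""
    blocks = ["\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs])
              for dn, attrs in entries]
    return "\n\n".join(blocks) + "\n"


def local_password_dns(entries):
    """Audit: DNs carrying a userPassword, which this design forbids."""
    return [dn for dn, attrs in entries
            if any(a.lower() == "userpassword" for a, _ in attrs)]


def direct_login_uids(entries):
    """Audit: uids that can actually authenticate (they carry the PTA policy)."""
    return [dict(attrs)["uid"] for _, attrs in entries
            if ("ds-pwp-password-policy-dn", PTA_POLICY_DN) in attrs]


def build_sample():
    """Constructed sample: one host, one real user (PTA), one application user."""
    host_dn, host = host_entry("web01.example.org")
    jdoe_dn, jdoe = user_entry("jdoe", "Jose Doe", "Doe", 10001, 10001,
                               pta=True, display_name="José Doe")
    app_dn, app = user_entry("appsvc", "App Service", "Service", 20001, 20001, pta=False)
    return [(host_dn, host), (jdoe_dn, jdoe), (app_dn, app),
            group_entry("linux-admins", [jdoe_dn]),
            netgroup_entry("web-hosts", [("web01.example.org", "", "")]),
            sudo_role_entry("web-admins", ["%linux-admins"],
                            ["web01.example.org"], ["/bin/systemctl"])]


if __name__ == "__main__":
    print(to_ldif(build_sample()))
```

The output can be fed to ldapmodify -a against a replica; the two audit functions are the kind of check worth running over a full export before and after bulk changes, because a stray userPassword on a person entry silently reintroduces a local credential that the AD password policy and decommissioning process never see.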