LdapSync
- Synchronise users and other data from an Active Directory / LDAP server
- Distribute to clients to automate user onboarding in a SaaS
- Available as embeddable white-label software
LDAP agent for automated user provisioning and sync
Enterprise SaaS for payroll, expense tracking, document management and other business related applications often requires continuous access to the most current snapshot of company employees and personnel. The LdapSync agent is a software solution by Connect2id to securely provision and synchronise users, groups and other types of data from an LDAP directory, such as Microsoft Active Directory or OpenLDAP.
The universal and highly configurable algorithm of LdapSync is capable of catering for applications with different data models and requirements. It is based on the LDAP v3 standard and thus compatible with all directory servers on the market today.
As a SaaS provider you can distribute the LdapSync agent to your customers and subscribers in a pre-configured package. The white label license allows you to to brand and customise the software to suit your specific product vision and requirements. Contact Connect2id sales to find out more.
Deployment
Directory data can be synchronised from hundreds or thousands independent LDAP servers. The LdapSync agents talk to the HTTPS endpoint of a Json2Ldap gateway, configured to enforce a strict connection and authentication policy for the LdapSync agents, and ideally placed in a network DMZ, isolating the target directory server from direct Internet access.
Capabilities
Synchronisation direction:
- One-way
Synchronised directory changes:
User account addition (LDAP ADD)
User account updates (LDAP MODIFY)
User account deletion (LDAP DELETE)
Groups and group membership updates
Supported LDAP data types:
Text attributes
Binary attributes
Attributes with international characters
Directories can have different schemas for representing user data. To ensure interoperability the LdapSync agent can be configured to map the attribute names between the source and the target LDAP directory.
The attribute values can be transformed with a regular expression. Such transformations can be used to change the base DN of group members when the target LDAP directory has a different base DN (domain).
The synchronisation algorithm of the LdapSync agent is universal and can handle other types of LDAP data besides user and group entries. Note that user passwords are often secured by special directory policies to prevent LDAP clients from reading their values and therefore cannot be synced.
The sync interval is freely configurable. The sync runs can be performed in a well-defined order to ensure the referential integrity of directory data when dealing with groups and group membership.
Customise, brand and package
The LdapSync agent is shipped as a standard Java application package (JAR) and a simple command-line utility. Its configuration and monitoring API is designed to allow easy customisation and branding.
Examples:
- Furnish the agent with a branded UI to match the application appearance.
- Add a configuration wizard for the designated administrators.
- Add reporting and monitoring screens.
- Embed it into a Docker container, web or desktop application.
Supported LDAP directories
The LdapSync agent supports any LDAP v3 compatible directory.
Popular directory servers:
Security
- The LdapSync agents talk to a Json2Ldap gateway, leaving the target directory server protected from direct access over the Internet.
- Set a strict Json2Ldap gateway policy to always require HTTPS and LDAP client authentication. An IP whitelist can also be configured.
- Each LdapSync agent can be provisioned with individual LDAP bind credentials for the target directory, which in combination with a suitable directory ACL ensures the uploaded data is isolated and inaccessible to other agents.
Runtime
- Java 8+
Configuration
The LdapSync agent can be configured by the following means:
- Text file
- Standard input
- Java system properties
- Environment variables
Add-ons
JavaDocs
Browse the LdapSync API docs online.
Download
Ready to try out LdapSync? You are welcome to download an evaluation copy. No registration is required for that.
LdapSync is offered under an affordable license which also provides 12 months of maintenance, updates and our support. Attractive license packages are available if you wish to run multiple LdapSync instances or would like to integrate it into your own product or service offerings. We also offer various dedicated professional services such as integration assistance, training and custom add-on development. Get in touch with Connect2id sales to describe your case and request a quote.