Friday, August 26, 2011

OpenLDAP and password sync

Recently I was at a client's site and they wanted to flow passwords from AD to their OpenLDAP directory.

Went out to SourceForge and downloaded their latest OpenLDAP XMA, which can be found here: http://sourceforge.net/projects/openldap-xma/. Very impressed with its packaging: just run the MSI installer and it puts everything where it needs to be. It even includes some handy user guides. For the most part you configure according to the guides and it works, except if you want to do password sync. Instead you get warning 6901: The password extension does not implement the entry point.

This will explain what you need to do to get the password sync functionality working. After cruising around I finally found an entry in the SourceForge forum where Randy Weimer mentions an error with password sync for which he had to add some missing code. But this was May of 2010 (over a year ago); I'm sure this has been fixed, but it smells the same. Unfortunately it is the same issue. So here's what you have to do.

1. Download the code from SourceForge, which is not an intuitive task. Luckily Carol Wapshere explains it nicely here: http://www.wapshere.com/missmiis/compiling-the-openldap-xma-to-use-with-fim-2010. When she wrote that post there was apparently no MSI installer like there is now, but her "Get the Right Source Code" section still tells you how to get the latest code.

I did the rest on my laptop (without FIM installed).
2. Open the solution OpenLDAPXMA.sln in Visual Studio, open PasswordExtension.cs and search for the following phrase:

ConnectionSecurityLevel GetConnectionSecurityLevel

You'll find the function doesn't do anything except throw, and that throw is what surfaces as warning 6901. Comment out the throw statement and add a return statement within the function, like this:

return ConnectionSecurityLevel.Secure;

One caveat: this return value is how the extension tells the sync service whether the channel to the directory is safe to carry a clear-text password. Hard-coding Secure is only honest if the XMA really binds over LDAPS or StartTLS, so check the MA's connection settings before you rely on it. See below for Randy's entry and the code.

3. Add the missing reference.
Since I was using my laptop, I needed to copy the Microsoft.MetadirectoryServicesEx.dll file from the FIM server over to my laptop. You can find it in the ..\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies\ folder.
Then add it as a reference and build the whole solution. The output, by the way, is a single file called OpenLDAPXMA.dll; there is no separate password DLL as the user guide suggests.

4. Put the newly compiled DLL in the \extensions\ folder and that's it. All should work.
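As an added example (not the XMA's own code, and not the patch from Randy's tracker entry), here is what a PasswordExtension can look like when GetConnectionSecurityLevel() reports the actual state of the LDAP channel instead of a hard-coded Secure. It assumes the System.DirectoryServices.Protocols client, that the MA hands the server in as "host:636" for LDAPS and anything else for StartTLS, and class and member names that are mine; only the IMAPasswordManagement members, ConnectionSecurityLevel and EntryPointNotImplementedException are FIM's.

```csharp
// Added example, not the OpenLDAP XMA's own code. Member names and the
// "host:636 means LDAPS, anything else means StartTLS" convention are assumptions.
using System;
using System.Net;
using System.DirectoryServices.Protocols;
using Microsoft.MetadirectoryServices;

public class PasswordExtension : IMAPasswordManagement
{
    private string server;
    private LdapConnection admin;
    private bool transportEncrypted;   // true only after a TLS-protected bind succeeded

    // Opens an LDAPv3 connection that will only ever talk over TLS. Server certificates are
    // validated by Schannel; do not install an accept-all VerifyServerCertificate callback.
    private static LdapConnection Open(string server)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(server));
        conn.AuthType = AuthType.Basic;
        conn.SessionOptions.ProtocolVersion = 3;
        if (server.EndsWith(":636", StringComparison.Ordinal))
            conn.SessionOptions.SecureSocketLayer = true;            // LDAPS, applied when binding
        else
            conn.SessionOptions.StartTransportLayerSecurity(null);   // StartTLS now; throws if refused
        return conn;
    }

    public void BeginConnectionToServer(string server, string user, string password)
    {
        this.server = server;
        admin = Open(server);
        admin.Bind(new NetworkCredential(user, password));   // simple bind, so TLS must be up first
        transportEncrypted = true;
    }

    public void EndConnectionToServer()
    {
        if (admin != null) { admin.Dispose(); admin = null; }
        transportEncrypted = false;
    }

    // The shipped method threw EntryPointNotImplementedException here (warning 6901).
    // Answer honestly: this value tells the sync service whether the channel protects the
    // clear-text password it is about to hand to SetPassword/ChangePassword.
    public ConnectionSecurityLevel GetConnectionSecurityLevel()
    {
        return transportEncrypted ? ConnectionSecurityLevel.Secure
                                  : ConnectionSecurityLevel.NotSecure;
    }

    // Administrative reset: replace userPassword on the entry. OpenLDAP stores the value as
    // given unless the ppolicy overlay is told to hash it (ppolicy_hash_cleartext), so either
    // configure that on the server or hash before sending; never let clear text land in the DIT.
    public void SetPassword(CSEntry csentry, string newPassword)
    {
        if (!transportEncrypted)
            throw new InvalidOperationException("Refusing to send a password without TLS");
        var modify = new ModifyRequest(csentry.DN.ToString(),
                                       DirectoryAttributeOperation.Replace,
                                       "userPassword", newPassword);
        admin.SendRequest(modify);   // throws DirectoryOperationException on an LDAP error
    }

    // User-initiated change: prove the old password with a bind as the user on a second
    // TLS connection, then reset. This leaves the admin connection's bind untouched.
    public void ChangePassword(CSEntry csentry, string oldPassword, string newPassword)
    {
        using (var asUser = Open(server))
        {
            asUser.Bind(new NetworkCredential(csentry.DN.ToString(), oldPassword)); // LdapException if wrong
        }
        SetPassword(csentry, newPassword);
    }

    // Entry points this directory cannot honour stay unimplemented; throwing this exception
    // is how the extension tells the sync service so, and is exactly where 6901 comes from.
    public void RequireChangePasswordOnNextLogin(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    public void UnlockAccount(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

Build it against the same Microsoft.MetadirectoryServicesEx.dll described in step 3 and drop the resulting DLL into the same \extensions\ folder. The point of the extra bookkeeping is that a password sync that silently falls back to port 389 with no TLS now fails the bind or reports NotSecure, rather than shipping the AD password across the wire in the clear.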

If by chance you don't want to go through all this, just contact me at my hotmail account (pjalaff).

I want to give full credit to Carol Wapshere, who has saved me more times than I want to admit, and to Randy Weimer, who figured out this bug. If anything, this blog puts both pieces together.



Randy's original post: http://sourceforge.net/tracker/?func=detail&aid=2996718&group_id=196847&atid=959098

