SimpleSync
Directory Solutions Group
SimpleSync Features
Feature / Function / Requirement                              Supported
CPS Systems history with GAL synchronization & Provisioning   see ZOOMIT
SimpleSync Platforms: NT/XP/Win2000/Win2003                   Yes
Sync AD, Exchange 5.5, and other DoD and Allied GALs          Yes
AD 'Master' can be used for LDAP access                       Yes
Supports ADAM (AD Application Mode)                           Yes
Sync CSV files (including Standard Exchange 5.5)              Yes
Supports International Character sets (LDAP & CSV)            Yes
Sync to/from SQL to 'SCRUB' directory information             Yes
Ease of Backup & Recovery                                     Yes
Use LDAP Browser to view Master & Local directories           Yes
Supports DoD Standard Attributes                              Yes
Automatic DoD Display Name (AD and Exchange 5.5)              Yes
Filter out 'Local Only' addresses                             Yes
Selective Sync of Key addresses                               Yes
Operational Customers                                         Yes
Link to pre-existing Contacts or Custom Recipients            Yes

Central Operation                                             Yes
Local Operation                                               Yes
Peer <=> Peer Syncing                                         Yes

Requires scripting                                            No
Requires DLL writing and updating                             No
Requires SQL, DSfW, DSDE, DSML, XML Parser                    None
Requires Metadirectory with Connected Directories             No
Requires Enterprise License for Windows, SQL                  No

SECURITY
Requires DoD PKI Cert on local directories                    No
Supports LDAP/S with PKI Cert on Hub Master only              Yes
Firewall issues, ports                                        see FIREWALL


SCRUB

SimpleSync can work with an SQL database, such as Access, as though it were just another directory.
SimpleSync can also 'Provision' AD Users or Contacts by reading from an SQL source (or CSV export).

You can also use SimpleSync to 'Scrub' directory information to ensure that it is accurate and complete.
This is a 3-step process, which may be repeated on a regular basis.
We will use a DoD AD directory and an Access DB as an example.

Step 1: (Run by local SimpleSync administrator)
Sync from AD to an Access DB Table.  Attributes in AD are 'mapped' to fields in Access.
For DoD these would include the DoD Standard Attributes.

Step 2:
Review the data in Access.  This may be done by a central administrator, or possibly with a web interface to the Access table, where each User updates their own information.  A web interface would allow for field-level edits.
        Correct information which is missing or outdated
        Add new data, such as DSN or Emergency Contact, or set values to filter on when running GAL sync
        When updating is complete, set the current date in a field to indicate that the record has been updated
                This field will be synced back into AD, so that a record is only 'scrubbed' once

Step 3: (Run by local SimpleSync administrator)
Sync from Access back to AD.  Normally the email address is the 'key' between the AD object and the Access record.
Selected attributes can be updated in AD.   Attributes can be 'built' with simple mapping, such as the Display Name:  displayName#256=^sn^, ^givenname^ ^initials^ ^GenerationQualifier^ ^PersonalTitle^ ^EmployeeType^ ^company^ ^department^
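The round trip above modelled in Python, as an added worked example rather than SimpleSync's own code: Step 1 exports only objects not yet scrubbed, Step 3 matches rows back to AD on the email 'key' and rebuilds the Display Name from the expression quoted above. The page does not say how SimpleSync interprets '^attr^' or '#256', so the placeholder and maximum-length reading below, and the 'scrubbedDate' field name, are assumptions.

```python
"""Model of the 3-step SCRUB round trip (added example, not SimpleSync code).
Assumed: '^attr^' in a mapping expression is a placeholder for that attribute's
value, '#256' after the target name is a maximum length, a missing attribute
yields '', and 'scrubbedDate' is the field set in Step 2."""
import re

PLACEHOLDER = re.compile(r"\^([A-Za-z0-9]+)\^")

# The DoD Display Name mapping quoted in Step 3 above.
DOD_DISPLAY_NAME = ("displayName#256=^sn^, ^givenname^ ^initials^ ^GenerationQualifier^ "
                    "^PersonalTitle^ ^EmployeeType^ ^company^ ^department^")

# Access fields written back into AD in Step 3 (assumed selection).
SYNCED_BACK = ("sn", "givenName", "initials", "generationQualifier", "personalTitle",
               "employeeType", "company", "department", "dsn", "scrubbedDate")

def parse_mapping(line):
    """Split 'displayName#256=<template>' into (target, max_len, template)."""
    lhs, template = line.split("=", 1)
    target, _, max_len = lhs.partition("#")
    return target, (int(max_len) if max_len else None), template

def build_attribute(template, record, max_len=None):
    """Fill each ^attr^ (names compared case-insensitively, as LDAP does), collapse
    the gaps left by empty attributes, then apply the length cap."""
    lowered = {k.lower(): v for k, v in record.items()}
    value = PLACEHOLDER.sub(lambda m: lowered.get(m.group(1).lower(), ""), template)
    value = re.sub(r"\s+", " ", value).strip(" ,")
    return value[:max_len] if max_len else value

def step1_export(ad_objects):
    """Step 1: rows for the Access table.  Objects already carrying a scrub date
    were written back in an earlier pass, so they are not scrubbed again."""
    return [dict(o) for o in ad_objects if not o.get("scrubbedDate")]

def step3_sync_back(ad_objects, access_rows, key="mail"):
    """Step 3: match each reviewed row to its AD object on the email 'key', copy
    the selected attributes and rebuild the Display Name.  Returns updated keys."""
    target, max_len, template = parse_mapping(DOD_DISPLAY_NAME)
    by_key = {o[key].lower(): o for o in ad_objects}
    updated = []
    for row in access_rows:
        if not row.get("scrubbedDate"):
            continue                     # not reviewed yet: leave AD untouched
        obj = by_key.get(row.get(key, "").lower())
        if obj is None:
            continue                     # no AD object with this email address
        obj.update({a: row[a] for a in SYNCED_BACK if row.get(a)})
        obj[target] = build_attribute(template, obj, max_len)
        updated.append(obj[key])
    return updated
```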


DIRECTORIES

There are currently a large number of Exchange 5.5 directories that will not be converted to AD/Exchange 2000/2003 for several years.  It is important that these directories be brought up to standards and included in the DoD Directory Initiative.

There are also a substantial number of Netscape directories and Lotus Notes directories to be supported.

There is also the requirement to support International Character sets, both with LDAP directories as well as with CSV file exchange, as our involvement with our Allies increases.

Note:  UK Defense and Canadian DoD are current SimpleSync customers, for both CLASS and UNCLASS.

 
 

PLATFORMS

SimpleSync will run on any Windows XP, NT, Windows 2000 or Windows 2003 client or server.
SimpleSync will also run on Linux.

SimpleSync can run on an Exchange 5.5 Server or on an Active Directory Domain Controller, but this is not a requirement.


 

MASTER-LDAP

When more than 3 local directories are involved it becomes efficient and simple to use a 'Hub & Spoke' configuration for GAL sync.  This applies to most of the GAL sync products, including SimpleSync and MIIS/IIFP.
SimpleSync normally uses a 'stand-alone' AD or AD/AM as the 'Hub' or 'Master' directory.  These are known products, well supported, and happen to have a good way of storing directory data in a hierarchical format.
With this type of configuration you can use SimpleSync to sync each local directory into its own OU in the Master.
Note: 'Hub & Spoke' takes 2 sync processes for each local directory.
                  (For 7 directories, 14 sync processes)
Note: 'Peer to Peer' takes the number of directories squared, minus the number of directories.
                  (For 7 directories, 42 sync processes)
The result is that after the first phase of the sync process the AD/ADAM Master looks like:
At the 'Hub' AD/ADAM Master:
OU=Master
        OU=Directory 1 Contacts  (CSV input file)
        OU=Directory 2 Contacts  (Exchange 5.5 local directory)
        OU=Directory 3 Contacts  (AD local directory)
        OU=Directory 4 Contacts  (Netscape local directory)
        etc....
Once all of the Local directories or CSV files have been synced to the 'Master', the second phase reverses the process.  The whole of OU=Master is synced back to each local directory, except that directory's own OU (this prevents a directory loop).
The Display Name is modified to match the local directory standard, such as Last, First or First Last.
Syncing back to Directories 2 & 3 above:

Directory 2 (Exchange 5.5)
cn=Recipients  (Local mailboxes)
cn=External Contacts
        CN=Directory 1  (Custom Recipients)
           (OU=Directory 2 is excluded)
        CN=Directory 3  (Custom Recipients)
        CN=Directory 4  (Custom Recipients)
               
Directory 3 (AD)
CN=Users  (Yes, CN... why? Beats us!)
OU=External Contacts
        OU=Directory 1  (Contacts)
        OU=Directory 2  (Contacts)
           (OU=Directory 3 is excluded)
        OU=Directory 4  (Contacts)

How about Directory 1 (CSV input)?
It will get a CSV file with all of the data, except OU=Directory 1, in whatever format is needed.
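The two phases and the two sync-count Notes above, modelled as an added Python example (not SimpleSync code); directory contents are constructed and the per-directory Display Name standard ('Last, First' or 'First Last') is an assumed setting.

```python
"""The two-phase 'Hub & Spoke' sync above, modelled in Python (added example,
not SimpleSync code).  Directory contents are constructed; the per-directory
'Last, First' / 'First Last' Display Name standard is an assumed setting."""

def sync_processes(n_dirs, topology):
    """Sync runs needed for n local directories, per the two Notes above."""
    return 2 * n_dirs if topology == "hub" else n_dirs * n_dirs - n_dirs

def master_ou(name):
    """The OU a local directory occupies under OU=Master at the Hub."""
    return f"OU={name} Contacts,OU=Master"

def local_display_name(entry, style):
    """Rewrite the Display Name to the receiving directory's standard."""
    if style == "Last, First":
        return f"{entry['sn']}, {entry['givenName']}"
    return f"{entry['givenName']} {entry['sn']}"

def phase1_pull(local_dirs):
    """Phase 1: each local directory (or CSV file) lands in its own OU under
    OU=Master, tagged with its origin so phase 2 can recognise it."""
    return {master_ou(name): [dict(e, sourceDirectory=name) for e in entries]
            for name, entries in local_dirs.items()}

def phase2_push(master, local_dirs, styles):
    """Phase 2: push the whole of OU=Master back to every directory except
    its own OU, so its users are never fed back to it as Contacts."""
    pushed = {}
    for name in local_dirs:
        contacts = []
        for ou, entries in master.items():
            if ou == master_ou(name):
                continue                 # prevent directory loop
            for e in entries:
                contacts.append(dict(e, displayName=local_display_name(e, styles[name])))
        pushed[name] = contacts
    return pushed

def loop_free(pushed):
    """Check that no directory receives a Contact that originated from itself."""
    return all(c["sourceDirectory"] != name
               for name, contacts in pushed.items() for c in contacts)
```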


 

ADAM

SimpleSync provides support for AD Application Mode (ADAM), and we are testing the use of AD/AM as the 'Hub' Master directory.  After all, GAL sync is an 'application'!
For this purpose, the ADAM schema must support all of the attributes that will be synchronized between the various directories.  SimpleSync can map 'employeeNumber' from Exchange 5.5 to 'employeeId' in AD, but it makes more sense for the attribute labels to be consistent.
Beyond that, ADAM is ideally suited to be the Master, since it is a stand-alone directory and does not conflict with your domain structure or DNS processing.


 

CSV (Import & Export)

GAL synchronization using LDAP is the most efficient way to keep directories in sync.  But there are situations where the only method available is to exchange CSV files.

SimpleSync has been designed to support both receiving and creating CSV files as part of its sync process.
In a 'Master' environment a CSV file is treated as 'just another directory', and is synced into its own OU in the Master.  Exporting back to a CSV file is treated in the same way.

As with SQL, SimpleSync mapping files relate attributes in LDAP to column headers in a CSV file.  Multi-line and multi-valued attributes are supported.  ASCII, ANSI, and UTF-8 encoding are supported.

Interestingly, Microsoft does not provide a utility to sync a Standard Exchange 5.5 exported CSV file, because one column holds multiple email addresses separated by % signs.
SimpleSync does support this type of input CSV file.  It also supports the reverse, that is, exporting a Standard Exchange 5.5 CSV file to be sent to an Exchange 5.5 server for importing.
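Reading and re-creating the Standard Exchange 5.5 CSV export with its %-separated address column, as an added Python example (not SimpleSync code). The column headers follow the Exchange 5.5 Administrator export, the sample file is constructed, and mapping that column onto AD's proxyAddresses is an assumption.

```python
"""Parse and re-create the Standard Exchange 5.5 CSV export (added example, not
SimpleSync code).  Column headers follow the Exchange 5.5 Administrator export;
the sample is constructed; mapping the %-separated column onto AD's
proxyAddresses is an assumption."""
import csv
import io

MULTI_VALUE_SEP = "%"                 # separator inside the 'E-mail Addresses' column
MULTI_VALUED = {"E-mail Addresses"}
HEADER = ["Obj-Class", "Display Name", "Alias Name", "E-mail address", "E-mail Addresses"]

# Constructed sample: one mailbox carrying SMTP, X.400 and MS Mail proxy addresses.
SAMPLE_CSV = (
    "Obj-Class,Display Name,Alias Name,E-mail address,E-mail Addresses\n"
    "Mailbox,\"Smith, John\",jsmith,SMTP:jsmith@example.mil,"
    "SMTP:jsmith@example.mil%X400:c=US;a= ;p=Example;o=HQ;s=Smith;g=John%MS:EXAMPLE/HQ/JSMITH\n"
)

def read_exchange55_csv(text):
    """Parse already-decoded text (UTF-8 or ANSI decoding is the caller's choice),
    splitting multi-valued columns on '%' into lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in MULTI_VALUED:
            row[col] = [v for v in row[col].split(MULTI_VALUE_SEP) if v]
        rows.append(row)
    return rows

def write_exchange55_csv(rows):
    """Reverse direction: rejoin the lists with '%' so an Exchange 5.5 server can import the file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        flat = dict(row)
        for col in MULTI_VALUED:
            flat[col] = MULTI_VALUE_SEP.join(row[col])
        writer.writerow(flat)
    return out.getvalue()

def to_ad_contact(row):
    """Map one parsed row onto the attributes an AD Contact would carry."""
    primary = row["E-mail address"]
    return {"displayName": row["Display Name"],
            "mailNickname": row["Alias Name"],
            "mail": primary[5:] if primary.upper().startswith("SMTP:") else primary,
            "proxyAddresses": row["E-mail Addresses"]}
```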



BACKUP

Backup & Recovery are 'simple' with SimpleSync.
The entire product and all of its underlying files are stored in a single folder on the SimpleSync server.
Backup:   Copy the entire folder to backup media (USB or network drive).
Restore:  Copy the folder back onto the original server or a new server. DONE!

Note: The software is licensed to a specific Machine Name, so restoring to a new server will require a new license key, which is normally delivered within hours.  A temporary key can be used immediately.


 

SOFTERRA

When working with multiple LDAP directories we have found that it is valuable to have a single program that can be used to view all of the directories, including their structure and object attribute values.
Softerra offers a free LDAP browser that is configured in the same way as SimpleSync:
IP address, LDAP port, logon/password, search base.


 

ZOOMIT

Zoomit EDMS (Banyan) => Zoomit VIA (NT) => MMS => MIIS => IIFP

CPS Systems has worked with GAL sync since our early days as the Zoomit US Sales and Support arm.  We are huge fans of the early Metadirectory pioneers, Kim, Andy, Jackson, Luc, and the rest of the Zoomit family in Toronto.

MIIS is a great Metadirectory product and we recommend it to customers who need Metadirectory functions.

When it comes to GAL sync, and simple HR => AD Provisioning, however, we agree with an MCS rep:

"Using a Metadirectory for GAL sync is like using a sledgehammer to open a peanut!"


 

DOD Standard Attributes and Display Name Formatting

The DoD Active Directory Interoperability Working Group (DADIWG) has established a set of Standard User Object Attributes.
SimpleSync provides support for synchronization of these attributes between any combination of Active Directory, ADAM, and Exchange 5.5.  It can also be used for similar synchronization of these attributes with Netscape, Notes and other LDAP directories, if a set of comparable attributes is established for those directories.

There are 12 Standard User Object Attributes, such as Last Name, First Name, Rank, and DoD Component.
One is the Standard Display Name, which is 'built' from a set of 8 standard attributes.  If the underlying attributes are accurate, SimpleSync can automatically 'build' the Display Name.  SimpleSync can also be used to 'scrub' User objects so that they are complete and accurate.

It is also suggested that several other attributes be identified:
Field for DSN
Field to use as a 'filter' to control sync status:
(1) Exclude from sync, such as local-only objects
(2) Selected 'critical' objects for high-level synchronization to external organizations.

 

Filter objects or OUs to include or exclude from sync processing

SimpleSync provides the ability to include or exclude objects based on:
Types of objects (Users, Contacts, Groups)
Part of directory (Domain, OU)
Attribute values  (uses standard LDAP attribute filters)
Examples:
When syncing back to a Local Directory from the Hub Master, exclude the OU which holds that directory's own Users as Contacts.
If attributes are set properly, exclude objects which are for local use only.
If attributes are set properly, include only selected objects for 'Key' Users in the directory.

 

Customers

SimpleSync is operational with over 250 major customers worldwide, including the USMC and most of the DoD operational commands (CENTCOM, FORSCOM, SOCOM, SouthCOM, US Forces Korea, CENTCOM/Iraq).

 

Link to and take control of pre-existing Contacts or Custom Recipients

Deleting Contacts from AD, or Custom Recipients from Exchange 5.5, can wreak havoc on Groups and Lists.
Any object which is deleted while it is part of a Group or List will lose its membership.

SimpleSync provides a method to search for pre-existing Contacts or Custom Recipients, 'link' to them and take over control.  From this point on, SimpleSync is responsible for modifications to the object, and for deleting the object if its original User or Mailbox is deleted.

This is accomplished by 'reading before adding' a new object.  SimpleSync takes an indexed attribute in the 'Source' object and reads the 'Destination' directory to search for a match.  If it finds a match it links to and takes control of that object (wherever it is) and does not add a new object.  If it does not find a match it adds a new Contact or Custom Recipient.
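The 'reading before adding' logic above as an added Python example (not SimpleSync code), run against a constructed in-memory directory: 'mail' is assumed to be the indexed attribute searched, and an assumed 'managedBy' attribute marks objects SimpleSync has taken control of, so that later deletions touch only those and leave Group memberships of untouched objects intact.

```python
"""'Read before adding' as described above (added example, not SimpleSync code).
The destination is a constructed in-memory directory; the indexed attribute
searched is assumed to be 'mail', and an assumed 'managedBy' attribute marks
the objects SimpleSync now controls."""

CONTROL_ATTR, CONTROL_VALUE = "managedBy", "SimpleSync"

class Directory:
    """Minimal stand-in for an AD or Exchange 5.5 directory with Groups/Lists."""

    def __init__(self, objects, groups):
        self.objects = {o["dn"]: o for o in objects}
        self.groups = {g: set(members) for g, members in groups.items()}

    def search(self, attr, value):
        """Look up one object by an indexed attribute (case-insensitive, like AD 'mail')."""
        return next((o for o in self.objects.values()
                     if o.get(attr, "").lower() == value.lower()), None)

    def delete(self, dn):
        """Deleting an object also drops it from every Group or List it belonged to."""
        del self.objects[dn]
        for members in self.groups.values():
            members.discard(dn)

def sync_contact(source, dest, container, key="mail"):
    """Link to and take control of a matching pre-existing object wherever it lives;
    only add a new Contact in 'container' when nothing matches."""
    match = dest.search(key, source[key])
    if match is not None:
        match.update(source)
        match[CONTROL_ATTR] = CONTROL_VALUE
        return "linked", match["dn"]
    rdn = "CN=" + source["displayName"].replace(",", "\\,")   # escape the RDN comma
    dn = f"{rdn},{container}"
    dest.objects[dn] = dict(source, dn=dn, **{CONTROL_ATTR: CONTROL_VALUE})
    return "added", dn

def remove_orphans(source_keys, dest, key="mail"):
    """Delete only objects SimpleSync controls whose source User/Mailbox has gone;
    objects it never linked are left alone."""
    wanted = {k.lower() for k in source_keys}
    orphans = [dn for dn, o in dest.objects.items()
               if o.get(CONTROL_ATTR) == CONTROL_VALUE
               and o.get(key, "").lower() not in wanted]
    for dn in orphans:
        dest.delete(dn)
    return orphans
```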

 

Mapping

SimpleSync does not require scripting or DLLs.
It uses a set of Source Definition files to read each LDAP directory type.  Each file provides the list of attributes to be read from that directory.
It uses text mapping files to translate attributes between directories.
        If the directories are the same type, attribute matching is 1-1.
        If the directories are of different types, the mapping translates.
                Example:  EmployeeNumber in Exchange 5.5 maps to EmployeeID in AD
Standard mapping files are provided 'out of the box', so that only customer changes require any modifications to the mapping.
The mapping files are simple, but quite powerful.  Some examples:
     o Comment out attributes so they do not sync (like home phone numbers).
     o Combine attributes, such as building a Display Name from several attributes (DoD Display Name).
     o Build OU structure 'on the fly' by including attributes such as company or department.
     o When syncing to/from an SQL DB, or a CSV file, mapping matches the LDAP attribute name with the field name or column header.

 

Moving parts...

SimpleSync has been written by CPS Systems and does not require any other software or utilities.
When a Master directory is required for a 'Hub Master', we recommend AD or AD/AM.  They do a great job and are well known by customers.  They also provide the additional benefit of serving as LDAP directories for queries, if you choose.
No schema changes are required in any LDAP directory.  But if any schema extensions have been implemented, SimpleSync can handle them with text mapping.

If SimpleSync is run in a Central mode there is NOTHING that needs to be run at the Local directory sites.  The only requirements are LDAP listening, the firewall configured, and a local domain account with appropriate privileges.

SimpleSync does NOT require: SQL, HTTP/S, IIS, XML or XML Parsing, DSML, or even 'JoeWare'.


PKI

SimpleSync supports the use of PKI Certificates (including DoD certs) for LDAP/S.
Due to a recent request we are looking into adding certificate expiration and/or revocation checking.

Certificate validation is greatly simplified when SimpleSync is implemented in a Local mode, where SimpleSync and the Local directory are inside the same firewall.  In fact, they may be on the same server.  In this case all LDAP/S traffic is encrypted using the PKI certificate on the Central Master.  Ensuring that the Master directory has a valid certificate is much easier to manage than certs at each directory.

This is particularly important where it would be difficult to install and validate a PKI certificate on the local directory servers.

 

FIREWALL

Firewalls have become a critical part of network security.
SimpleSync has been designed to simplify the Firewall configuration requirements.
Key Points:
The SimpleSync server acts as an LDAP client.
All LDAP or LDAP/S connections go FROM SimpleSync TO Directories.
This is true whether SimpleSync is reading from the directory, or writing to the directory.
SimpleSync can be configured to use any LDAP ports, but normally uses only the following:
LDAP                 389
LDAP SSL             636
Global Catalog      3268  (used to read the entire Forest from the GC on a DC)
Global Catalog SSL  3269  (used to read the entire Forest from the GC on a DC)


Central Operation & Control

Running a single copy at a central location is the easiest and most cost-effective way to implement SimpleSync.
Central Administrator:
1.  Sets up the 'Hub Master' directory and then installs SimpleSync.
2.  Configures the Central Firewall for OUTBOUND LDAP to each Local directory IP and LDAP port (see FIREWALL and PKI).
3.  Configures the 2 'connections' required for each Local directory:
        Pull directory information from Local to Master.
        Push all other Master directory information back to Local directory.

Each Local Administrator:
1.  Configures the Local firewall for INBOUND LDAP or LDAPS, from the SimpleSync IP, to the local directory IP, Port=xxx.
2.  Configures a local Container to receive directory information from the Master.
3.  Configures a User account for use by SimpleSync on the Master:
        Suggest the User object go in the Container from (2)
        Local domain account, so that it can read from the Local Directory
        Full permissions ONLY on the Container for Contacts
4.  Specifies
        What Display Name format should be used for Contacts
        What Containers or objects should be excluded from sync, based on Container or LDAP attributes
        How many levels of Structure should be synced back to the local directory from the Master

Please see PKI and FIREWALL for details.


Local Operation & Control

Running a copy of SimpleSync at each Local directory location has several advantages:
The Local Admin has full control of (1) what objects and attributes are synced, and (2) when they are synced.
ALL communications are initiated from the Local SimpleSync server, as OUTBOUND LDAP (even though data moves in and out).
IF LDAP/S is installed on the 'Hub Master', all traffic between the Master and the SimpleSync server will be encrypted.  Please see PKI.
The connection from the SimpleSync server to the Local directory stays inside the local firewall, so it normally does not require encryption.  This is particularly important with current Exchange 5.5 directories, as LDAP/S cannot be retrofitted.
NO external access is required to the Local directory.

The 2 SimpleSync connections to/from the Master can be configured locally, or they can be configured at the Central location and then sent down to the Local administrator.  An entire configuration for both sync processes consists of 3 small text files.
Please see Central Operation & Control and FIREWALL for details.

 

Peer <=> Peer Sync

Setting up a GAL sync between just 2 directories can be done with 1 copy of SimpleSync or with a copy at each Local directory.
Using 1 copy, you would configure 2 sync processes, one in each direction.
With 2 copies, each side would 'pull' from the other, using 'read only' accounts.
Please see Central Operation & Control and FIREWALL for details.

 
Questions?
Phone: US/Canada:  888-666-0277
International: +1 703 827 0919