If you are using Samba 4, see: https://github.com/sfonteneau/AzureADConnect_Samba4
```sh
apt-get install git
git clone https://github.com/sfonteneau/AzureADConnect_Ldap.git /opt/sync-azure
git -C /opt/sync-azure submodule update --progress --init -- "AADInternals_python"
git -C /opt/sync-azure/AADInternals_python submodule update --progress --init -- "python_wcfbin"
mkdir /etc/azureconf/
cp -f /opt/sync-azure/azure.conf.exemple /etc/azureconf/azure.conf
cp -f /opt/sync-azure/mapping.json.exemple /etc/azureconf/mapping.json
apt-get install python3-peewee python3-passlib python3-xmltodict python3-requests python3-msal python3-ldap3 -y
```
If you are not on Debian, or the packages above are not available for your distribution:

```sh
apt-get install python3-pip
pip3 install -r /opt/sync-azure/requirements.txt
pip3 install -r /opt/sync-azure/AADInternals_python/requirements.txt
```
- Configure /etc/azureconf/azure.conf (the parameters are described below).

You can then try a first run like this:

```sh
python3 /opt/sync-azure/run_sync.py
```

The script sends all users and groups the first time; on each subsequent run it only sends what has been modified since the last send.
- Please note that this project uses Microsoft APIs that are not officially documented. Microsoft may break compatibility at any time.
- `mail` is used for the email address.
- "Password writeback" is not supported.
- User and group management only.
Parameter | Example value | Description |
---|---|---|
server_ldap | 192.168.154.172 | Name, IP, or the complete URL in the scheme://hostname:hostport format of the server (required). The port and scheme (ldap or ldaps) given here take precedence over port_ldap and use_ssl_ldap |
port_ldap | 389 | The port where the DSA server is listening (defaults to 389 for a cleartext connection, 636 for a secured connection) |
use_ssl_ldap | False | Specifies whether the connection is on a secure port (defaults to False). When True the secure port is usually 636 |
verify_cert_ldap | False | Defines whether the LDAP SSL/TLS connection should be verified and validated |
path_to_bundle_crt_ldap | /root/ldap.crt | If verify_cert_ldap is True you must define the path of a certificate bundle with which the connection will be verified; "lib_python_certifi" means verify with the "certifi" library |
user_ldap | cn=admin,dc=demo,dc=lan | Login for the LDAP connection |
password_ldap | password | Password for the LDAP connection |
basedn_user | OU=USER,DC=DEMO,DC=LAN | To indicate several base DNs, separate them with `\|` |
basedn_group | OU=GROUP,DC=DEMO,DC=LAN | To indicate several base DNs, separate them with `\|` |
filter_user | (objectClass=posixAccount) | Specifies the LDAP filter used to find users |
filter_group | (objectClass=posixGroup) | Specifies the LDAP filter used to find groups |
Parameter | Example value | Description |
---|---|---|
do_delete | True | Defines whether objects found online in Azure and not present locally must be deleted. |
hash_synchronization | True | Sets whether passwords (hashes) should be synchronized. |
dry_run | True | The script will display the actions but will not perform them. |
dbpath | /root/last_send_azuread.db | The last data sent is stored there. |
proxy | 192.168.1.2:3128 | Defines the proxy to use. |
tenant_id | 6121018c-f311-9999-9999-ec17bba6e422 | Indicate the tenant_id here. |
credential_cache_file | /root/last_token_azuread.json | Path to the credentials cache. |
calculate_deletions_based_on_last_sync | False | Allows you not to retrieve the list of users and groups from Azure, thereby limiting the number of requests to Azure. Can only be enabled after a first successful synchronization. |
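As an added illustration (not code from the AzureADConnect_Ldap project) of the delta behaviour described above and of the do_delete, dry_run and calculate_deletions_based_on_last_sync parameters, the following Python sketches how a run can decide what to send and what to delete. The function names, the dict-of-attributes representation and the sample objects are constructed for this example.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed illustration of the sync semantics described in the README, not the
# project's own code: the current local snapshot is compared with what was sent last
# time, and deletions are derived either from the objects fetched from Azure or, when
# calculate_deletions_based_on_last_sync is True, from the last-sent snapshot alone.

Objects = Dict[str, dict]   # sourceanchor -> mapped attributes (as they would be sent)


def plan_sync(local: Objects,
              last_sent: Objects,
              azure_anchors: Optional[Iterable[str]] = None,
              do_delete: bool = True,
              calculate_deletions_based_on_last_sync: bool = False,
              force: bool = False) -> Tuple[Set[str], Set[str]]:
    """Return (anchors to send, anchors to delete).

    first run or --force : every local object is sent
    later runs           : only objects whose mapped attributes differ from last_sent
    """
    if force or not last_sent:
        to_send = set(local)
    else:
        to_send = {anchor for anchor, attrs in local.items()
                   if last_sent.get(anchor) != attrs}

    to_delete: Set[str] = set()
    if do_delete:
        if calculate_deletions_based_on_last_sync:
            # Cheaper: no listing request to Azure, but it only knows about objects
            # this tool sent before, hence "only after a first successful sync".
            if not last_sent:
                raise ValueError("needs a previous successful synchronization")
            to_delete = set(last_sent) - set(local)
        else:
            if azure_anchors is None:
                raise ValueError("object list from Azure is required in this mode")
            to_delete = set(azure_anchors) - set(local)
    return to_send, to_delete


def apply_plan(to_send: Set[str], to_delete: Set[str], dry_run: bool, sender=None):
    """Execute the plan, or in dry_run mode only describe it. Returns the action list."""
    actions = ([("send", a) for a in sorted(to_send)]
               + [("delete", a) for a in sorted(to_delete)])
    for verb, anchor in actions:
        if dry_run:
            print(f"[dry_run] would {verb} {anchor}")
        elif sender is not None:
            sender(verb, anchor)
    return actions


if __name__ == "__main__":
    # Constructed sample: u2 is new, u1 unchanged, u3 disappeared locally, u4 only in Azure.
    local = {"u1": {"mail": "a@demo.lan"}, "u2": {"mail": "b@demo.lan"}}
    last_sent = {"u1": {"mail": "a@demo.lan"}, "u3": {"mail": "c@demo.lan"}}
    send, delete = plan_sync(local, last_sent, azure_anchors={"u1", "u3", "u4"})
    apply_plan(send, delete, dry_run=True)
```

Running the block prints the planned actions in dry_run form; with `calculate_deletions_based_on_last_sync=True` the same local/last_sent pair would no longer notice `u4`, which is exactly the trade-off the parameter table describes.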
The default sourceanchor for users and groups in azure.conf.exemple is sambaSID.

If the "sourceanchor" changes, the objects will be deleted and then recreated in Azure AD. You must therefore choose your sourceanchor carefully and not change it afterwards.

A dry_run mode allows you to run the script without making any changes.

You can indicate that the attribute you have chosen is a SID with the parameters "sourceanchorattr_user_is_sid" and "sourceanchorattr_group_is_sid", to conform to how Azure AD Connect on Windows works (base64 encoding of a binary attribute; a SID is binary).
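The following Python, added here as an example and not taken from the project, shows what "base64 encoding of a binary attribute" means for a SID: a string sambaSID such as `S-1-5-21-...` is packed into the binary SID layout (revision, sub-authority count, 48-bit identifier authority, little-endian sub-authorities) and then base64-encoded. How the project itself converts the attribute when the `*_is_sid` parameters are set is not described on this page, so the function names and the exact conversion are assumptions.

```python
import base64
import struct

# Added illustration, not the project's code. A binary SID is laid out as:
#   revision (1 byte) | sub-authority count (1 byte) | identifier authority (6 bytes, big-endian)
#   | N sub-authorities (4 bytes each, little-endian)
# Azure AD Connect on Windows base64-encodes that binary value as the sourceanchor; the
# *_is_sid parameters of this README exist so a string SID can be treated the same way
# (the exact handling inside the project is assumed here).


def sid_string_to_bytes(sid: str) -> bytes:
    """Pack 'S-R-IA-sub1-sub2-...' into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    ia = parts[2]
    # Identifier authorities >= 2**32 are written in hex in the string form.
    authority = int(ia, 16) if ia.lower().startswith("0x") else int(ia)
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    head = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_bytes_to_string(raw: bytes) -> str:
    """Inverse of sid_string_to_bytes, with a length check against the declared count."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or oversized binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    ia = f"0x{authority:X}" if authority >= 2 ** 32 else str(authority)
    return "-".join(["S", str(revision), ia, *map(str, subs)])


def sourceanchor_from_attribute(value, is_sid: bool) -> str:
    """Two modes: a plain string attribute is used as-is; with is_sid the value is
    turned into its binary SID form (if it was a string) and base64-encoded."""
    if is_sid:
        raw = sid_string_to_bytes(value) if isinstance(value, str) else bytes(value)
        return base64.b64encode(raw).decode("ascii")
    return value if isinstance(value, str) else bytes(value).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample SID (the domain part is made up for this example).
    sample = "S-1-5-21-1004336348-1177238915-682003330-1000"
    print(sourceanchor_from_attribute(sample, is_sid=True))
    print(sourceanchor_from_attribute("S-1-5-18", is_sid=True))   # AQEAAAAAAAUSAAAA
```

Because the sourceanchor must never change, a useful pre-flight check before the first real run is to compute it for every object in dry_run mode and confirm the values are stable across two runs and match what the Windows connector would produce for the well-known SIDs.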
The password sent to Azure AD is an "NTLM hash". If you are using OpenLDAP with the samba3 schema, that hash is the sambaNTPassword attribute; map it with "hashnt" in the mapping.json file.

As far as I know, there is currently no other type of hash supported by Microsoft; the other alternative is the plaintext password...
Novell:

Setting use_novell_get_universal_password allows you to use ldap3's get_universal_password function with Novell. With this operation the password is retrieved in plain text and then hashed automatically.
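For the two preceding passages (the "NTLM hash" stored in sambaNTPassword, and the Novell case where a plaintext password is retrieved and hashed automatically), here is an added Python example, not the project's code, of what that hash is: MD4 over the UTF-16LE encoding of the password. MD4 is implemented inline because OpenSSL 3 only ships it in the legacy provider, so `hashlib.new("md4")` is not always available. The `hash_for_azure` helper and its entry keys (`hashnt`, `plaintext_password`) are assumptions for this illustration.

```python
import struct

# Added example, not the project's code. The "NTLM hash" (NT hash) that the README says is
# sent to Azure AD is MD4(UTF-16LE(password)); samba3 schemas store it as 32 uppercase hex
# characters in sambaNTPassword. MD4 is written out here (RFC 1320) so the example does not
# depend on OpenSSL's legacy provider.

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    def rotl(x, n):
        x &= _MASK
        return ((x << n) | (x >> (32 - n))) & _MASK

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                    # round 1
            a = rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as hex, in the uppercase form sambaNTPassword uses."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def hash_for_azure(entry: dict) -> str:
    """Pick the hash to send for one directory entry (constructed helper):
    an existing sambaNTPassword ("hashnt" in mapping.json) is used as-is after a
    format check; otherwise a plaintext password (e.g. recovered from Novell's
    universal password) is hashed the same way."""
    if entry.get("hashnt"):
        value = entry["hashnt"].strip().upper()
        if len(value) != 32 or any(ch not in "0123456789ABCDEF" for ch in value):
            raise ValueError("sambaNTPassword must be 32 hex characters")
        return value
    if entry.get("plaintext_password"):
        return nt_hash(entry["plaintext_password"])
    raise ValueError("no password material for this entry")


if __name__ == "__main__":
    # Constructed sample entries, one per source of password material.
    print(hash_for_azure({"hashnt": "8846f7eaee8fb117ad06bdd830b7586c"}))
    print(hash_for_azure({"plaintext_password": "password"}))  # same value
```

The two sample entries print the same value, which is the point of the Novell path: whether the directory already holds an NT hash or only a plaintext universal password, what leaves the sync host is the same 16-byte MD4 digest, never the plaintext.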
You must specify the attribute mapping in this file:
https://github.com/sfonteneau/AzureADConnect_Ldap/blob/main/mapping.json.exemple
Argument | Description | Default value |
---|---|---|
--conf | Path to the configuration file | /etc/azureconf/azure.conf |
--force | Force synchronization of all objects | False |
--dryrun | Simulate a send without actually performing the actions | Value in the configuration file |
--logfile | Path to the log file | /var/log/azure_ad_sync |
--service-mode | Run the script in service mode | False |