Active Directory Data Synchronization for Heterogeneous Applications

Many legacy applications hold their usernames and passwords in their own native formats. Most Linux servers still authenticate local accounts from /etc/passwd and /etc/shadow (the account metadata lives in /etc/passwd; the password hashes live in /etc/shadow).

When maintaining passwords in /etc/passwd and /etc/shadow on every host became cumbersome, most organizations moved Linux authentication to LDAP, using one of the many commercial and open source directories available.

Network access in most organizations is still controlled through the RADIUS protocol, using one of many open source and commercial RADIUS servers. Many of the RADIUS servers in use are not set up to authenticate users directly against Microsoft Active Directory.

Most legacy applications, whether on-premises or SaaS, have their own local authentication mechanisms. Only a few of the newer-generation applications support SSO (Single Sign-On) against Microsoft Active Directory; the rest authenticate users from a locally provided database or from disk-based files.

As a result, users keep separate passwords in many, at times tens of, different applications and authenticate to each one separately.

Most Fortune 500 organizations, and a very large number of other organizations, have already moved to Microsoft Active Directory to consolidate their identity data in one place. They are promoting single sign-on from other applications so that users maintain their password in one place only.

While authenticating users from one single AD is an ongoing effort, legacy applications remain an outlier. Many applications are no longer supported, or are not expected to gain SSO in the near future. In such cases, system administrators simply ask users to maintain separate passwords in all such applications. This practice has been at the core of many recent security breaches in which data was leaked from legacy applications.

Introducing Hosting Controller’s ADConnectSync Utility:

This utility polls selected data in a source AD for changes and copies any such change over to a third-party application.

This may also include plain-text passwords. Because the plaintext is forwarded, the receiving endpoint and everything downstream of it must be protected like a domain controller: TLS on every hop, authenticated requests, no logging of request bodies, and hashing of the password before anything is persisted.

The utility works by sending every change, password changes included, to a REST API. There the IT team writes its own workflows to process the data (delivered in easy-to-consume JSON format) and make the API or database calls that feed their legacy applications.

This synchronizes user account data, passwords, group membership and other changes.

Once changes are delivered to the REST endpoint, the IT team can build more complex workflows: hash each password into the format a given target expects (for example the salted hash format an LDAP directory or an application database uses), apply other rules, fan the change out to several targets, or do whatever else is required.
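A receiving-side workflow of the kind described above, as an added example (this is not Hosting Controller's code and not the utility's documented payload format): it verifies a request signature, parses the JSON event, derives an OpenLDAP {SSHA} value for a directory target and a PBKDF2 value for an application database, and forwards group membership for a RADIUS policy engine. The field names, the HMAC signature scheme, the shared secret and the target LDAP tree are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample event. The JSON field names below are an assumption made
# for this example; they are not the documented ADConnectSync payload format.
SAMPLE_EVENT = json.dumps({
    "eventType": "passwordChanged",
    "sAMAccountName": "jdoe",
    "distinguishedName": "CN=Jane Doe,OU=Staff,DC=example,DC=com",
    "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
    "password": "Correct-Horse-Battery-Staple",
}).encode("utf-8")

# Assumption: the sender signs each request body with HMAC-SHA256 over a shared
# secret and sends the hex digest in a header. Without some such check, anyone
# who can reach the endpoint can push arbitrary credentials into every target.
WEBHOOK_SECRET = b"shared-secret-configured-on-both-sides"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(sign(body, secret), signature_hex)


def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 for an application database: $pbkdf2-sha256$iter$salt$hash."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"$pbkdf2-sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme: {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def process_event(body: bytes, signature_hex: str, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Turn one signed password-change event into per-target records.

    The plaintext is used only to derive hashes and never appears in the result,
    so the returned record can be queued or logged without exposing the password.
    """
    if not verify_signature(body, signature_hex, secret):
        raise PermissionError("webhook signature mismatch")
    event = json.loads(body)
    if event.get("eventType") != "passwordChanged":
        raise ValueError(f"unsupported eventType: {event.get('eventType')!r}")
    user = event["sAMAccountName"]
    password = event["password"]
    return {
        # Assumed target directory tree; the real DN layout is site-specific.
        "ldap": {"dn": f"uid={user},ou=people,dc=example,dc=com",
                 "userPassword": ssha_hash(password)},
        "app_db": {"username": user, "password_hash": pbkdf2_hash(password)},
        # Group membership is forwarded unchanged for a RADIUS policy engine.
        "radius_groups": list(event.get("memberOf", [])),
    }


if __name__ == "__main__":
    record = process_event(SAMPLE_EVENT, sign(SAMPLE_EVENT))
    print(json.dumps(record, indent=2))
```

Run directly, it prints the derived record for the constructed event. A RADIUS target that uses MS-CHAPv2 would instead need the NT hash (MD4 over the UTF-16LE password), which can only be computed while the plaintext is in hand; that is one reason a synchronization of this kind needs the plaintext at change time rather than the hashes AD itself stores, and why the endpoint should hash and discard it rather than persist it.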

Copyright © 2021 Hosting Controller Inc.