Synchronize LDAP with Azure AD

The requirement to synchronize a Generic LDAP system such as 389DirectoryServer/OpenLDAP, with Azure AD exist, although not often. However, guides on synchronization between LDAP and Azure AD are scarcely found and are difficult to configure in practice. So, I hope that better information related to this will be shared.

Let me share the synchronization configuration between LDAP and Azure AD that I succeeded.

First, I built an OpenLDAP server and created an account to synchronize. And I installed AzureAD Connect on the same server. Of course, it doesn't matter if the server is separated. Also, the AzureADConnect server does not need to be AD joined at all.

After component installation, stop installation at the sign-in selection phase.

When Azure AD Connect is run as LDAP mode via command, the Sign-In settings will only look like "Do not configure". That is, if OpenLDAP is used, PHS and PTA cannot be configured, and Federation must also be configured manually.

For reference, to manually create a Federation of Azure AD, the "Set-MsolDomainAuthentication" PowerShell command can be used.
Set-MsolDomainAuthentication (MSOnline) | Microsoft Docs

The Directory type was checked as LDAP(not AD), and the hostname and authentication method were selected. The authentication type can be changed if LDAP is configured with SSL/TSL.

During installation, '_distinguishedName' was specified in the "source anchor" configuration step. Unlike Active Directory, attribute such as objectGUID do not exist in OpenLDAP, so the source anchor must be specified.

At the last stage of installation, an error as shown in the figure is always checked and the installation work cannot be completed. It is an error that the 'JoinFilter' could not be configured while creating a sync rule.

I had to manually proceed with the remaining configuration. Make a note of the sync rule ID identified in the error at the last stage of wizard installation. In the picture above, it is identified as '37522~783d'.

Start the ‘Synchronization Service Manager’ tool, change the binding account, specify the location to sync to, and then perform "Full Import" to confirm that the account has been imported.

Manually create the erroneous sync rule in the last step when installing with the wizard.
There is a PowerShell script that creates a sync rule in the C:\ProgramData\AADConnet directory. Open this script, find the location where PowerShell starts and ends related to the ID recorded earlier, and copy them all.

Add the following command right before "Add-ADSyncRule" among the copied PowerShell commands. Also, I added a provisioning item from OpenLDAP's mail value to the userPrincipalName value of metaverse, and used the source anchor information (_distinguishedName) specified in the join filter.
#################################################################
Add-ADSyncAttributeFlowMapping `
-SynchronizationRule $syncRule[0] `
-Source @('mail') `
-Destination 'userPrincipalName' `
-FlowType 'Direct' `
-ValueMergeType 'Update' `
-OutVariable syncRule

New-Object `
-TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
-ArgumentList '_distinguishedName','sourceAnchor' `
-OutVariable condition0

Add-ADSyncJoinConditionGroup `
-SynchronizationRule $syncRule[0] `
-JoinConditions @($condition0[0]) `
-OutVariable syncRule
#################################################################

If the sync rule is normally created, it is checked in the ‘Synchronization Rules Editor’.

Perform "Full Sync" for LDAP in the Synchronization Service Manager and check the attribute information stored in the metaverse.

Create an outbound rule to synchronize information(Source) of the metaverse to Azure AD information (Target).

After performing "Export" synchronization to Azure AD, accounts synchronized in OpenLDAP finally are checked in the Azure portal.

If you know of an easier way than this or a way to complete the configuration normally in the wizard, please share.