
Re: Openldap replication over XMPP



Peter Gietz wrote:
> Hi Howard,
>
> On 22.07.2010 21:27, Howard Chu wrote:
>> But if you're going to do something with LDAP you might as well make
>> it useful too. Two small projects that could be completed in a short
>> amount of time: implement a DirSync module for OpenLDAP to replicate
>> from M$AD, and implement a passwordSync module for OpenLDAP with AD.
> Indeed two interesting projects. But is syncrepl the best way to do
> this? Let me ask you some questions on this:
>
> DirSync: The DIT in AD is unlikely to be the same as on the OpenLDAP
> side. The same is true for the attributes. Thus we need things like we
> have in the rewrite overlay. Are you thinking about syncrepl with a CSN
> store on the AD side here? What about multi-master (several ADs writing
> to one OpenLDAP)? A more general solution IMHO would be a flexible (with
> respect to DN massaging and attribute mapping) queue that sends plain
> LDAP operations to the OpenLDAP consumer. What about SPML? Do you think
> that that is also a "gross misuse of SGML"?

DirSync is only a master/slave replication mechanism. For more sophisticated replication, it's better to use Samba4 which implements the DRSUapi.

> passwordSync: What are you thinking here? DLL that recognizes password
> changes and creates appropriate hashes and syncs these into OpenLDAP, or

Yes. Bi-directionally, of course - it should also intercept LDAP passwordModify requests and forward them to AD.

> just plain syncing of the NT hashes into OpenLDAP, which could be done
> via the DirSync

No.

> The requirement for such things has been there for a long time and there are
> a number of different solutions out there already. Something more
> standardized, that could be packaged with OpenLDAP, would be a nice
> thing, thus I would be very happy if this could be discussed here in
> more detail.

Frankly there's not much to discuss. The scope of functionality is pretty clear, the steps to implementation are also clear. The only time-consuming part is because the sample Microsoft code is so poor and would need to be completely rewritten from scratch as a slapd overlay.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/