|
Suman, The answer is 'yes' users can be synchronized between OpenLDAP and ActiveDirectory LDAP servers. There are various ways in which to do this and it depends on requirements which option to choose. Below are several options but this list is by no means complete: 1. Just use AD. AD is among other things an LDAPv3 server. Fortress is an LDAPv3 compliant SDK so it works fine with AD. For this type of integration you would have the following caveats: a. Fortress password policies and auditing would not be available to applications that use Fortress. b. AD is an inferior product in terms of LDAPv3 protocol support compared with OpenLDAP. The reasons are numerous... AD locks you into a single server platform, is not performant, does not scale to the same extent as OL. 2. Synchronize AD users and passwords into OpenLDAP server. This would enable your application to point to OpenLDAP for all security checks and bypass AD altogether. 3. Synchronize Fortress users and passwords into AD. Shares many of the same caveats as #1. 4. Don't synch at all. Use OpenLDAP's native capability to communicate with remote LDAP servers for v3 operations. This type of option allows Fortress to point to OpenLDAP as usual. The OL server would be configured (using various Overlays) to authenticate with the downstream AD server(s) under certain circumstances. There are tools on the market that can perform synchronization between two LDAP servers. As a general rule synchronization is bad. It always leads to pain because of the extra processes that must be managed. But sometimes synchronization is the only answer. I do not have any particular expertise in this area. I did see a presentation on an open source product some time ago that looked promising: http://lsc-project.org/wiki/ Shawn On 05/13/2013 01:52 AM, suman karki wrote:
-- shawn.mckinney@jts.us is my new email address |