[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Synchronizing a NT4 PDC with OpenLDAP

We at Symas have developed a dynamically loaded module for slapd that
an NT PDC with a parent LDAP hierarchy. No separate synchronization step is
required because the NT information just appears under its own branch of the
LDAP directory. The code was developed against an earlier OpenLDAP 2.x beta,
and still needs to be brought forward to be compatible with the released
The code is proprietary to Symas, but you can download a free demo at

The NT module is actually just a part of a grander distributed sysadmin
called "Connexitor". The currently available modules will manage
accounts/authentication/authorization databases for NT, AIX 4, Solaris,
Linux, Oracle 8, Apache, RADIUS, and Sendmail 8, with various other modules
in development. There is also an automation superstructure that allows all
of the known accounts to be collated into higher-level "user" objects. Using
LDAP to manipulate these user objects, passwords can be set/reset on a
per-account basis, or all accounts owned by a user can be synchronized at
once, etc. Administration privileges are ACL-based and can be securely
delegated to other LDAP entities (not just users). The backing store also
supports our single-signon client (a natural extension of an integrated
authorization database), which can not only manage account information for
the above listed platforms, but also securely manages login information for
standalone Windows apps and arbitrary web services. (See mysso.com for more
on this.)

In general, excluding the case of straightforward replica management, you'll
that synchronization between multiple directories is basically a nightmare.
modules serve as gateways between LDAP and the native APIs to access the
data live, in realtime. (Take back-passwd as an example, then expand it to
ACL-protected read-write manipulation of /etc/group, /etc/shadow, etc....)
The management database structure uses libldbm for file storage but unlike
it is a true hierarchy, and manages referential integrity automatically. See
web site or feel free to email me for more information.

Most of the groundwork we did in developing Connexitor has been contributed
to the OpenLDAP project. This includes the port of OpenLDAP to NT/MingW32,
libtool/libltdl dynamic loading support into slapd, the back-ldap backend
integrating remote LDAP servers into a local hierarchy, SSL/TLS work, and
and sundry debugging. I have been an active participant in Open Source
projects of
one form or another for the past 15 years, and I am proud to say that Symas
dedicated to the Open Source philosophy as well. Everything we've learned
developing and using directories comes back to enhance OpenLDAP's
functionality and

Sorry for the length of this reply, it got a little preachy in there but I
hope the
main point was not lost - there are viable solutions to your question.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kervin Pierre
> Sent: Monday, September 11, 2000 10:32 PM
> To: Petricevich, Paul
> Cc: 'openldap-stable@openldap.org'
> Subject: Re: Synchronizing a NT4 PDC with OpenLDAP
> "Petricevich, Paul" wrote:
> >
> > Hello, is there currently any software which will allow a NT4
> PDC server to
> Not that I know of.  I began researching the project a few months back,
> but when I realized that iPlanet Directory server was free for 20,000
> entries with Solaris 8, I just settled for the the iPlanet sync.
> iPlanet NT sync is a pain at times so I'm still not opposed to work on a
> generic LDAP NT sync tool.
> A sync tool is worth it though.  We have all our labs, wether
> NT/IRIX/Solaris/Linux, using one user database, and the user can change
> their passwords from any of these stations, this is worth a great deal
> in saved administration cost.
> I have a few informational links if you are interested in working on
> such a tool, and a little code on the password notify DLL part (a NT DLL
> that notifies an external program that the user has changed their
> passsword).  That was the first part I was looking into (probably the
> easiest part to ). Then you'd need a OpenLDAP plugin/"server
> extension"/trigger (do those exist?) that notifies an external program
> whenever a user is added or a NT attribute has changed.
> -Kervin