
Re: AD->OpenLDAP replication

yup, that was me. Acctsync is the perl module, schema and password filter I use to sync my OpenLDAP and AD users. I run OpenLDAP on Win2k with the perl backend and this perl module. The main OpenLDAP server has the Win2k OpenLDAP server set up as a replica. The perl module processes all the user add and modify requests using perl/ADSI. Passwords changed on Win2k go back to OpenLDAP using the Win2k password filter.

It sounds like you want to go the opposite direction. I've only gone the AD->openldap direction for user password changes. I don't think full AD->OpenLDAP would be very difficult. AD supports notification controls, much like the persistent search control, called LDAP_SERVER_DIRSYNC_OID and LDAP_SERVER_NOTIFICATION_OID. The first will return all entries that have changed since your last search; the second is an async search which you will poll to see what's changed periodically. There are commercial packages out there that do that: 'ADListener' and 'Metamerge' are two of them. Maybe someone could write a slurpd-like program that does this?


MOURYLEV, Serguei [euler:sfac] wrote:

I'm working on the same problem as you; I posted my question yesterday and got this link in reply:

or, you can try this one:

I haven't tested it yet, but I will soon :)



-----Original Message-----
From: Geoff Silver [mailto:geoff@uslinux.net]
Date: Friday, 31 May 2002 17:14
To: openldap-software@OpenLDAP.org
Subject: AD->OpenLDAP replication

I'm interested if anyone has had any luck replicating Active Directory (or parts of it) to an OpenLDAP server. On my current contract, they are using AD strictly for generic user/computer/etc management; however, they want to replicate some (if possible) or all AD info (specifically just "phonebook-related stuff") to an OpenLDAP server.

The rationale is twofold.  First, even the NT admins feel AD is terribly
unstable, and they don't want anyone querying it if they can avoid it.
Second (and more importantly), they will be receiving LDIF files from
other customers they want to sync into their tree (no, referrals are
unfortunately not an option due to some political issues) - and they want
to keep the non-company LDAP info off the AD servers.

So, has anyone had any luck doing this?  Can anyone point me in the right
direction?  I've done replication OpenLDAP->OpenLDAP, but I'm just
beginning to mess around with AD.  userPassword synchronization isn't
necessary - basically, just cn, sn, givenName, o, ou, telephoneNumber,
mail, postalAddress, l, st, and zip.

Thanks for any help anyone can provide.

Geoff Silver                                    <geoff at uslinux dot net>
"If Bill Gates had a nickel for every time Windows crashed...
        Oh wait, he does"
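The DirSync control mentioned in the reply above, as an added example that is not part of the original thread: it encodes and decodes the LDAP_SERVER_DIRSYNC_OID control value (a BER SEQUENCE of flags, maxBytes and cookie) and runs the "changes since your last search" loop that a slurpd-like AD->OpenLDAP puller would need. No domain controller is reachable here, so `FakeAD`, its change pages and the sample entries are constructed stand-ins; `pull_changes` and the helper names are this example's own.

```python
# Added example, not code from this thread: BER encode/decode of the LDAP_SERVER_DIRSYNC_OID control
# value and an incremental pull loop, run against a constructed in-memory stand-in for AD (made up).
DIRSYNC_OID = "1.2.840.113556.1.4.841"  # LDAP_SERVER_DIRSYNC_OID, sent with criticality TRUE
LDAP_DIRSYNC_OBJECT_SECURITY = 0x1      # Win2003+: filter by caller ACLs instead of needing DS-Replication-Get-Changes

def _tlv(tag, body):                    # DER tag-length-value, short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body
def _int(v):                            # minimal-length INTEGER, v >= 0
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))
def encode_dirsync(flags, max_bytes, cookie):
    """SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }. The response
    control has the same shape and is read as (moreResults, unused, cookie)."""
    return _tlv(0x30, _int(flags) + _int(max_bytes) + _tlv(0x04, cookie))
def decode_dirsync(data):
    def read(buf, pos):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        return tag, buf[pos:pos + n], pos + n
    tag, seq, _ = read(data, 0)
    t1, v1, p = read(seq, 0)
    t2, v2, p = read(seq, p)
    t3, cookie, _ = read(seq, p)
    if (tag, t1, t2, t3) != (0x30, 0x02, 0x02, 0x04):
        raise ValueError("malformed DirSync control value")
    return int.from_bytes(v1, "big", signed=True), int.from_bytes(v2, "big", signed=True), cookie

class FakeAD:
    """Constructed DC stand-in; a real client sends the control on a base-scope search of the NC."""
    PAGES = {b"": ([{"cn": "jdoe", "telephoneNumber": "555-0100"}], 1, b"\x01"),       # more follows
             b"\x01": ([{"cn": "asmith", "mail": "asmith@example.com"}], 0, b"\x02"),  # last page
             b"\x02": ([], 0, b"\x02")}                                                # nothing new
    def search(self, control_value):
        _flags, _max, cookie = decode_dirsync(control_value)
        entries, more, new_cookie = self.PAGES[cookie]
        return entries, encode_dirsync(more, 0, new_cookie)   # control comes back on SearchResultDone

def pull_changes(ad, cookie=b""):
    """One sync cycle: loop while moreResults != 0; persist the returned cookie for the next run."""
    changed = []
    while True:
        entries, ctl = ad.search(encode_dirsync(LDAP_DIRSYNC_OBJECT_SECURITY, 0, cookie))
        changed += entries
        more, _, cookie = decode_dirsync(ctl)
        if not more:
            return changed, cookie
```

The cookie is the whole state of the replication; storing it alongside the OpenLDAP side means a restart resumes from the last completed page instead of re-pulling the tree.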