
Re: ActiveDirectory Connector...



> So let me get this straight: I can use a second database (ldap) and map my
> attributes/objectclasses to the Active Directory server, which we'll call
> adServer.domain.com, so that when a user on this server, which we'll call
> ldapServer.domain.com, changes his password (or anything else perhaps)
> in OpenLDAP, it will then be changed automatically on BOTH servers? Is
> this correct?
> Many thanks!

In principle, yes: have a master, which replicates to a fake slave
which actually is a back-ldap (could be on the same machine); the
back-ldap is configured to proxy AD, and remap some of the attributes
to comply with AD's user schema; of course the problem is to map
userPassword to unicodePwd.  However, Slurpd will send password
changes as modify operations applied to the userPassword attribute,
not as extended operations.  So password replication between
OpenLDAP's slapd and AD is not possible via slurpd.  For password
synchronization only with OpenLDAP 2.2 we developed a dedicated
overlay, but there are other means.  You can use SASL auth with
passwords on AD via GSSAPI, so there is no need to sync passwords;
or replace AD with SAMBA storing passwords on OpenLDAP; in this case,
SAMBA will take care of syncing passwords changed via Windows clients,
or other solutions that better experts in AD cooperation will surely
describe in the following days.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
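As an added illustration, not taken from the message above or from the OpenLDAP project, here is a sketch of the two slapd.conf pieces the reply describes (master plus a back-ldap "fake slave"), in OpenLDAP 2.2 slurpd-era syntax. The proxy host name ldapProxy.domain.com, the AD naming context dc=ad,dc=domain,dc=com, the sync account and all credentials are assumptions.

```conf
# Added sketch, not the original poster's configuration. Host names beyond
# those in the thread, suffixes and credentials are assumed placeholders.

###########################################################################
# 1) Master: ldapServer.domain.com, the server users change their password
#    on. Every write is logged and replayed by slurpd to the "fake slave",
#    which is really the proxy in section 2.
###########################################################################
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"
rootpw          secret
directory       /var/lib/ldap

replogfile      /var/lib/ldap/replog
replica         uri=ldap://ldapProxy.domain.com:389
                bindmethod=simple
                binddn="cn=ldapsync,cn=Users,dc=ad,dc=domain,dc=com"
                credentials=assumed-sync-password

###########################################################################
# 2) Proxy: a back-ldap instance (it may live on the same host as the
#    master) that forwards the replayed writes to AD, rewriting the naming
#    context and the attribute/objectclass names to match AD's user schema.
###########################################################################
database        ldap
suffix          "dc=domain,dc=com"
uri             "ldap://adServer.domain.com"
suffixmassage   "dc=domain,dc=com" "dc=ad,dc=domain,dc=com"

map objectclass inetOrgPerson   user
map attribute   uid             sAMAccountName

# This is the mapping the reply calls "the problem": slurpd replays a
# password change as an ordinary modify of userPassword, so renaming the
# attribute does not turn it into a unicodePwd update that AD will accept.
# Leave it out and handle passwords by one of the other routes the reply
# names (authenticate against AD via GSSAPI, or let Samba own them).
# map attribute userPassword     unicodePwd
```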