
Re: any body have done openldap and active directory synchronization? i need help

2013/4/2 Markus Widmer <markus.widmer@daasi.de>
Hi!

We have implemented OpenLDAP -> AD using the OpenLDAP accesslog overlay to see what has changed in OpenLDAP. For AD -> OpenLDAP we use the highestCommittedUSN to see if something has changed on the AD side. Synchronization of passwords is a bit more complicated, because if you want to sync them OpenLDAP -> AD you have to set them as clear text passwords via LDAP. At the same time you usually don't want to store them as clear text in the OpenLDAP directory. We have solved it by implementing an overlay that gets an encrypted password and stores it in a custom attribute protected by ACLs (similar to the eDirectory universalPassword) and as an SSH2-hashed value in the userPassword attribute. It can then be decrypted and synchronized to AD. If you want AD -> OpenLDAP you have to catch the password change the moment it happens. We have done this by implementing a DLL.

Of course there are other ways of doing it.

Cheers,

    -Markus-


On 02.04.2013 07:31, Suman Karki wrote:
Hello there!
Has anybody done OpenLDAP and Active Directory synchronization?
I want to sync them. Can you give me an idea of how you have done it?

I am struggling to solve that.
If you charge some amount, then I am ready to pay.
I just need to solve that problem.

Hi,

another solution is to use LDAP Synchronization Connector (http://lsc-project.org).

Here is a tutorial for OpenLDAP to AD synchronization: http://lsc-project.org/wiki/documentation/2.0/tutorials/openldaptoactivedirectory
And here are some notes on password synchronization: http://lsc-project.org/wiki/documentation/2.0/howtos/activedirectory#password_synchronization

Clément.
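Markus's OpenLDAP -> AD direction reads the accesslog overlay to find out what changed. As an added example (not code from anyone in this thread, nor from the LSC project), the snippet below turns one constructed auditModify record into the list of modifications a connector would replay to AD, and flags the userPassword change instead of forwarding it, since the stored hash cannot be replayed and needs the cleartext path Markus describes. The reqMod value syntax follows slapo-accesslog(5); the DN, attribute values and the SSHA blob are constructed.

```python
import re
# Constructed auditModify record, in the shape slapo-accesslog writes under cn=accesslog.
SAMPLE_RECORD = """\
dn: reqStart=20130402073100.000001Z,cn=accesslog
reqType: modify
reqDN: uid=skarki,ou=people,dc=example,dc=com
reqMod: mail:= suman@example.com
reqMod: telephoneNumber:+ +1 555 0100
reqMod: description:-
reqMod: userPassword:= {SSHA}c29tZXNhbHRlZGhhc2g=
reqMod: entryCSN:= 20130402073100.000001Z#000000#000#000000
"""

# reqMod value syntax from slapo-accesslog(5): "attr:<op> value", op in + - = #
REQMOD_RE = re.compile(r"^(?P<attr>[^:]+):(?P<op>[+\-=#])(?: (?P<value>.*))?$")
OPS = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}
# Operational attributes OpenLDAP maintains itself; never forward them to AD.
SKIP_ATTRS = {"entrycsn", "modifiersname", "modifytimestamp"}


def parse_ldif_record(text):
    """Split one LDIF-style record into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(": ")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def accesslog_to_changes(record_text):
    """Return (target_dn, [(op, attr, value)], password_changed)."""
    # userPassword is flagged, not forwarded: the stored hash cannot be replayed to AD.
    _, attrs = parse_ldif_record(record_text)
    if attrs.get("reqType") != ["modify"]:
        raise ValueError("only auditModify records are handled here")
    changes, password_changed = [], False
    for raw in attrs.get("reqMod", []):
        m = REQMOD_RE.match(raw)
        if not m:
            raise ValueError(f"malformed reqMod value: {raw!r}")
        attr = m.group("attr")
        if attr.lower() in SKIP_ATTRS:
            continue
        if attr.lower() == "userpassword":
            password_changed = True
            continue
        changes.append((OPS[m.group("op")], attr, m.group("value")))
    return attrs["reqDN"][0], changes, password_changed
```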