Re: eDirectory LDAP To OpenLDAP Layout
- To: firstname.lastname@example.org
- Subject: Re: eDirectory LDAP To OpenLDAP Layout
- From: Radovan Semancik <email@example.com>
- Date: Mon, 24 Oct 2016 10:25:42 +0200
According to my experience, working with eDirectory is quite tricky,
especially if you have to align it with directories such as OpenLDAP.
E.g. it looks to be common practice in eDirectory to modify the
definition of standard object classes such as inetOrgPerson. eDirectory
maintains reciprocal group membership attributes in a somewhat unusual way,
the DN conventions are all different, account enable/disable is
different and generally speaking there are a lot of little differences
that need to be taken care of.

We have a deployment where we run and synchronize OpenLDAP and eDirectory
using midPoint. We even had to create a special eDirectory connector for
this as the stock LDAP connector could not easily handle eDirectory
peculiarities. MidPoint is built to rewrite the DNs, object classes and
actually anything else that needs to be done. I'm sure that this
approach works. But please note that midPoint is a comprehensive IDM
system and it may not be entirely easy to set it up.

On 10/22/2016 11:47 AM, Dieter Klünter wrote:
> On Thu, 20 Oct 2016 15:49:24 +0200,
> Shaun Glass <firstname.lastname@example.org> wrote:
>
>> I am having to migrate from eDirectory to OpenLDAP as we are getting rid
>> of eDirectory Services. When setting up OpenLDAP I have as example the
>> ... but in eDirectory it was just :
>
> This is a valid DN, I myself run a few directories with 'o' RDN.
>
>> OpenLDAP would not let me create as above since I got the following
>> error when not initially creating a dc= :
>> LDAP: error code 53 - no global superior
>
> Result code 53 is 'unwilling to perform', there must be something else
> wrong in your setup and your configuration.