views: 389
answers: 2
I've got a Windows Server box running AD and a CentOS box running OpenLDAP in a mixed Windows/Linux network, and I want to keep the two in sync, preferably using free software or just some configuration changes. Anyone know how to make these two authentication systems play nice? Any syncing would have to be done over SSL for security reasons.

A: 

Ganymede is a free metadirectory available under the GPL.

dbyrne
A: 

I use a home-grown Perl script which syncs one-way from AD to LDAP via SSL. It is very custom and very rigid. I walked the same path 6 months back looking for tools to sync, but none fit our needs. Well, actually there isn't any that does sync without breaking.

So my answer is: get a scripting guy and give him the requirements and a month's paycheck. Seriously, it is better done in-house than spending time looking for one and molding it to your needs.

Perl has good libraries and has worked very well for us. We migrated from OpenLDAP to 389-DS, which already has a windowsSync plugin. (Hope that tempts you to switch over.) :)

Prashanth Sundaram
Any more info on 389-DS? That sounds like it would work for me. I have to achieve 2-way sync.
Brian
389-DS is a pretty solid LDAP server and has some very nice/desirable plug-ins like WinSync. You can fire it up in less than a minute with a config file, and it comes with a console (GUI) to do most of the job. The Red Hat documentation is the best place to start: http://www.redhat.com/docs/manuals/dir-server/
Prashanth Sundaram
I've got that all good to go, but for some reason my 389 server isn't able to push updates. It can pull info over from the AD server but can't push changes. Any ideas?
Brian
Remember, you need an account in AD with write permissions to the root dc=domain,dc=com. This searchable mailing list will help you troubleshoot 99.99% of issues. http://www.mail-archive.com/[email protected]/info.html
Prashanth Sundaram
Set permissions like below. Also there is a bug (not sure if they fixed it): you need to give write permissions for dc=domain,dc=com no matter whether you are only editing OUs. http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
Prashanth Sundaram
BTW, where are my vote points? ;)
Prashanth Sundaram
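The one-way AD-to-LDAP sync described in the second answer, as an added example in Python (not the poster's Perl script and not part of 389-DS): it refuses any non-ldaps:// URI, maps AD user objects to inetOrgPerson entries, and computes the add/modify/delete plan from constructed sample data. LDAP_BASE, the attribute mapping and the sample entries are assumptions; a real run would fetch both sides over LDAPS and apply the plan with LDAP operations.

```python
# Added example (not the poster's Perl script): plan a one-way AD -> OpenLDAP sync.
# Assumes AD users carry sAMAccountName/givenName/sn/mail and the LDAP side mirrors
# them as inetOrgPerson entries under LDAP_BASE (an assumed container).
from urllib.parse import urlsplit

LDAP_BASE = "ou=people,dc=example,dc=com"

def require_ldaps(uri):
    """Refuse anything but ldaps:// so bind credentials never cross in clear."""
    if urlsplit(uri).scheme != "ldaps":
        raise ValueError("refusing non-TLS LDAP URI: " + uri)
    return uri

def ad_to_ldap(user):
    """Map one AD user object to the inetOrgPerson attributes we mirror."""
    uid = user["sAMAccountName"].lower()
    return "uid=%s,%s" % (uid, LDAP_BASE), {
        "objectClass": ["inetOrgPerson"], "uid": [uid],
        "cn": ["%s %s" % (user["givenName"], user["sn"])],
        "sn": [user["sn"]], "mail": [user["mail"].lower()]}

def plan_sync(ad_users, ldap_entries):
    """Return (adds, modifies, deletes); ldap_entries maps DN -> attrs from OpenLDAP."""
    wanted = dict(ad_to_ldap(u) for u in ad_users)
    adds, modifies = {}, {}
    for dn, attrs in wanted.items():
        current = ldap_entries.get(dn)
        if current is None:
            adds[dn] = attrs
        else:
            changed = {k: v for k, v in attrs.items() if current.get(k) != v}
            if changed:
                modifies[dn] = changed
    # Only prune inside the mirrored container; never touch other LDAP data.
    deletes = sorted(dn for dn in ldap_entries
                     if dn.endswith("," + LDAP_BASE) and dn not in wanted)
    return adds, modifies, deletes

# Constructed sample data standing in for the two directory searches.
AD_USERS = [
    {"sAMAccountName": "JDoe", "givenName": "Jane", "sn": "Doe", "mail": "JDoe@example.com"},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith", "mail": "bsmith@example.com"},
]
LDAP_ENTRIES = {
    "uid=jdoe," + LDAP_BASE: {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
                              "cn": ["Jane Doe"], "sn": ["Doe"], "mail": ["jane@example.com"]},
    "uid=old," + LDAP_BASE: {"objectClass": ["inetOrgPerson"], "uid": ["old"],
                             "cn": ["Old User"], "sn": ["User"], "mail": ["old@example.com"]},
    "cn=admin,dc=example,dc=com": {"objectClass": ["organizationalRole"], "cn": ["admin"]},
}
```

Calling `plan_sync(AD_USERS, LDAP_ENTRIES)` yields one add (bsmith), one modify (jdoe's mail) and one delete (the stale "old" entry), while the admin entry outside the mirrored container is left untouched.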