tags:

views:

389

answers:

2
Q: 

keeping OpenLDAP and Active Directory in sync (windows server 08R2)

I've got a Windows Server box running AD, and a CentOS box running OpenLDAP in a mixed windows Linux network and I want to keep the two in sync. Preferably using free software/just some configuration changes. anyone know how to make these 2 authentication systems play nice? any syncing would have to be done over SSL for security reasons.

A: 

Ganymede is a free metadirectory available under the GPL.

dbyrne  2010-05-14 17:14:23
A: 

I use a home-grown perl script, which sync one-way from AD to LDAP via SSL. It is very custom and very rigid. I walked the same path 6 months back looking for tools to sync but none fits our needs. Well actually there isn't any that does sync without breaking

So my answer is get a scripting guy and give him the requirements and a months paycheck. Seriously, it is best done in-house than spend time looking for one and molding to your needs.

Perl has good libraries and has worked very well for us. We migrated from OpenLDAP to 389-DS which already has windowsSync plugin.(Hope that tempts you to switchover). :)

Prashanth Sundaram  2010-05-20 20:43:09
any more info on 389-DS? that sounds like it would work for me. I have to achieve 2-way sync
Brian  2010-05-24 18:11:52
389-DS is a pretty solid ldap server and has some very nice/desirable plug-ins like WinSync. You can fire up in less than a minute with a config file and it comes with a console(GUI) to do most of the job. The redhat documentation is the best place to start. http://www.redhat.com/docs/manuals/dir-server/
Prashanth Sundaram  2010-05-27 17:35:34
I've got that all good to go but for some reason my 389 server isn't able to push updates. it can pull info over from the AD server, but can't push changes. any ideas?
Brian  2010-06-02 17:42:35
Remember, you need an account in AD with write permissions to the root dc=domain, dc=com. This search-able mailing list will help you troubleshoot m99.99% issues. http://www.mail-archive.com/[email protected]/info.html
Prashanth Sundaram  2010-06-03 21:50:57
Set permissions like below. Also there is a bug(not sure if they fixed it), you need to give write permissions for dc=domain,dc=com nomatter you are editing only OU's.http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
Prashanth Sundaram  2010-06-03 22:04:46
btw where are my vote points? ;)
Prashanth Sundaram  2010-06-03 22:08:21

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication