OpenLDAP as Metadirectory

These past few weeks I have been messing around with OpenLDAP in the interest of using it in the role of a metadirectory: the master directory that “glues” all other directories (Active Directory, eDirectory, Lotus Notes directory, etc.) together.

Among the things I’ve learned so far:

  • You can sync TO Active Directory using slapd/slurpd, but the trees on both directories MUST be identical. slurpd simply replays the replog against the replica as ordinary LDAP add/modify/delete operations, so every DN and attribute name it sends has to already make sense to AD. (slurpd only exists up to OpenLDAP 2.3; 2.4 dropped it in favour of syncrepl.)
    My config in slapd.conf (the address is my placeholder; note that ldaps:// is TLS from the first byte, so it has to go to 636, not 389, and a plain password belongs with bindmethod=simple, since GSSAPI authenticates with a Kerberos ticket and ignores credentials=):

    # slurpd replica stanza (OpenLDAP 2.3 and earlier)
    replica         uri=ldaps://10.100.299.199:636
                    binddn="cn=administrator,cn=users,dc=bcc,dc=test"
                    bindmethod=simple credentials=mypassword
    # For Kerberos instead: bindmethod=sasl saslmech=GSSAPI, drop credentials=,
    # and run slurpd with a valid ticket cache (KRB5CCNAME) for that principal.
    replogfile      /usr/local/openldap/var/replog-bcc-test
    
  • A better way would be to set up another OpenLDAP server and run slapd-ldap (back-ldap) there. It’ll act as the intermediary between the master OpenLDAP server and the Active Directory server.
    The big advantage of back-ldap is its proxy & rewrite capability: with the DN and attribute rewriting (built in on old releases, provided by the slapo-rwm overlay from OpenLDAP 2.3 on), the trees on both servers do not have to be identical.
  • An even better way would be to set up another OpenLDAP server and run slapd-meta (back-meta) there. While back-ldap can only proxy for one directory, back-meta can proxy & rewrite (i.e. act as a metadirectory) for multiple directory services at the same time. One caveat: back-meta routes by naming context, mounting each remote directory under its own subtree of the virtual suffix and fanning searches out to the matching targets; it does not join the same person’s entries from two directories into one.
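To make the last two bullets concrete, here are the two proxy setups as slapd.conf fragments. This is an example added for this page, not configuration from the original post or from the OpenLDAP project. It assumes OpenLDAP 2.4 syntax, a virtual metadirectory suffix of o=bcc, an AD naming context of dc=bcc,dc=test (the domain from the replica stanza above), a hypothetical eDirectory tree o=bcc-edir, and hypothetical hostnames, proxy accounts and passwords; every one of those is a placeholder.

```conf
# Added example (not from the original post). Two ALTERNATIVE slapd.conf
# fragments for the proxy box between the master OpenLDAP server and the
# remote directories; use one or the other on a given proxy.
#
# Placeholders: virtual suffix o=bcc, AD naming context dc=bcc,dc=test,
# eDirectory naming context o=bcc-edir, proxy accounts cn=ldapproxy,...
# with password "changeme", hosts ad.bcc.test / edir.bcc.test.
#
# If the backends and overlay were built as modules:
#   modulepath  /usr/local/openldap/libexec/openldap
#   moduleload  back_ldap.la
#   moduleload  back_meta.la
#   moduleload  rwm.la
#
# Both fragments use ldaps:// (port 636). slapd's client side reads
# ldap.conf, so pin the remote CA there and refuse unverified certs:
#   TLS_CACERT  /usr/local/openldap/etc/openldap/proxy-ca.pem
#   TLS_REQCERT demand

############################################################################
# Fragment 1: back-ldap + slapo-rwm. One remote directory (AD), exposed
# under ou=ad,o=bcc using the master's attribute names.
############################################################################
database        ldap
suffix          "ou=ad,o=bcc"
uri             "ldaps://ad.bcc.test:636"
# The proxy binds to AD with its own account; client identities are NOT
# forwarded (mode=none), because AD does not honour the proxyAuthz control.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=users,dc=bcc,dc=test"
                credentials="changeme"
                mode=none
overlay         rwm
# Rewrite DNs both ways: ou=ad,o=bcc (virtual, = this suffix) <-> dc=bcc,dc=test (real)
rwm-suffixmassage "dc=bcc,dc=test"
# Present AD's sAMAccountName as uid (filters and results are rewritten);
# every other attribute passes through under its own name.
rwm-map         attribute uid sAMAccountName
rwm-map         attribute * *

############################################################################
# Fragment 2: back-meta. Several remote directories under one virtual
# suffix. Each "uri" line opens a target; the directives that follow it
# apply to that target only.
############################################################################
database        meta
suffix          "o=bcc"

# Target 1: Active Directory, mounted at ou=ad,o=bcc
uri             "ldaps://ad.bcc.test:636/ou=ad,o=bcc"
suffixmassage   "ou=ad,o=bcc" "dc=bcc,dc=test"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=users,dc=bcc,dc=test"
                credentials="changeme"
                mode=none
map             attribute uid sAMAccountName
map             attribute * *

# Target 2: eDirectory, mounted at ou=edir,o=bcc
uri             "ldaps://edir.bcc.test:636/ou=edir,o=bcc"
suffixmassage   "ou=edir,o=bcc" "o=bcc-edir"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,ou=services,o=bcc-edir"
                credentials="changeme"
                mode=none
map             attribute * *
```

A quick check from the master side is `ldapsearch -x -H ldap://proxy.bcc.test -b ou=ad,o=bcc '(uid=jdoe)'`: the proxy turns that into a search for `(sAMAccountName=jdoe)` under `dc=bcc,dc=test` and hands back the entry with its DN rewritten to end in `ou=ad,o=bcc`. With Fragment 2, a subtree search based at `o=bcc` fans out to both targets, but the two results for one person stay two entries; there is no entry for `o=bcc` itself unless another database supplies it. Since the file holds bind passwords, keep slapd.conf readable only by the slapd user.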

I do suspect, though, that back-meta would be a PITA to configure 🙂, but that’s the price we gotta pay for its power.

References:
slapd-ldap(5)
slapd-meta(5)
