These past few weeks I have been messing around with OpenLDAP with a view to using it as a metadirectory: the master directory that glues all the other directories (Active Directory, eDirectory, the Lotus Notes directory, etc.) together.
Among the things I’ve learned so far:
- You can sync TO Active Directory using slapd/slurpd, but the trees on both directories MUST be identical: slurpd simply replays the replication log against the replica, DN for DN, so every entry it touches has to exist at the same place in AD.
  My config in slapd.conf (the replica directive spans several lines; continuation lines start with whitespace):

```conf
# slapd.conf on the OpenLDAP master; slurpd pushes the replication log to AD.
# 10.100.299.199 is a placeholder, not a routable IPv4 address (299 > 255).
# Note the scheme/port mismatch: ldaps:// normally means port 636 on AD,
# while 389 is plain LDAP (optionally with StartTLS).
replica uri=ldaps://10.100.299.199:389
        binddn="cn=administrator,cn=users,dc=bcc,dc=test"
        bindmethod=sasl saslmech=GSSAPI
        credentials=mypassword
# With saslmech=GSSAPI the bind is done with a Kerberos ticket from slurpd's
# credential cache; credentials= is what password-based SASL mechanisms use.
# Binding as the domain administrator gives slurpd full write access to AD;
# a dedicated account with rights only on the target OU limits the blast radius.
replogfile /usr/local/openldap/var/replog-bcc-test
```
- A better way is to set up another OpenLDAP server and run slapd-ldap (back-ldap) there. It acts as the intermediary between the master OpenLDAP server and the Active Directory server.
  The big advantage of back-ldap is its proxy and rewrite capability: because it rewrites DNs and attribute names on the fly, the trees on the two servers do not have to be identical.
- An even better way is to set up another OpenLDAP server and run slapd-meta (back-meta) there. While back-ldap can only proxy for one directory, back-meta can proxy and rewrite for multiple directory services at the same time, i.e. act as a metadirectory.
I do suspect, though, that back-meta will be a PITA to configure 🙂 but that’s the price we have to pay for its power.
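To make the back-meta idea concrete, here is an added example of a slapd.conf for the intermediary server that mounts the master OpenLDAP server and Active Directory under one virtual suffix. It is not the author's config: the hostnames, the virtual suffix dc=meta,dc=example, the master's real suffix dc=example,dc=com and the proxy account are assumptions; the AD suffix dc=bcc,dc=test is taken from the replica directive above. It uses the slapd-meta(5) syntax of OpenLDAP 2.3 and later (idassert-bind replaced the older pseudorootdn/pseudorootpw directives).

```conf
# slapd.conf for the intermediary (proxy) OpenLDAP server running back-meta.
# Added example; hostnames, DNs, OUs and the proxy account are assumed.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd.pid

# One virtual naming context for clients. Each real directory is mounted
# under its own OU of this suffix, so the real trees need not match each
# other or the virtual tree; back-meta rewrites DNs in both directions.
database        meta
suffix          "dc=meta,dc=example"

# --- Target 1: the master OpenLDAP server (real suffix assumed) ---------
# The naming context in the URI is the virtual subtree this target serves.
uri             "ldap://ldap-master.example.com/ou=openldap,dc=meta,dc=example"
# suffixmassage <virtual naming context> <real naming context>
suffixmassage   "ou=openldap,dc=meta,dc=example" "dc=example,dc=com"
# Anonymous reads are allowed on the master, so no bind identity is needed.

# --- Target 2: Active Directory (real suffix from the post) --------------
# Use LDAPS on 636 so the proxy's bind password is not sent in the clear.
uri             "ldaps://dc1.bcc.test:636/ou=ad,dc=meta,dc=example"
suffixmassage   "ou=ad,dc=meta,dc=example" "dc=bcc,dc=test"
# AD rejects anonymous searches, so the proxy binds with a dedicated
# read-only account rather than the domain administrator. mode=none makes
# back-meta run every operation as this identity (no proxyAuthz control).
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=users,dc=bcc,dc=test"
                credentials="proxy-secret"
                mode=none
idassert-authzFrom "*"
# Rewrite the attribute and object class names that differ on this target:
# a client searching (uid=jdoe) is sent to AD as (sAMAccountName=jdoe).
map             attribute uid sAMAccountName
map             objectclass inetOrgPerson user
```

Check the syntax with `slaptest -f slapd.conf` before starting slapd; a search such as `ldapsearch -x -H ldap://proxy -b "dc=meta,dc=example" "(uid=jdoe)"` is then fanned out to both targets, with the filter and result DNs rewritten per target. Since the AD proxy password sits in slapd.conf in the clear, keep the file readable only by the slapd user, and give the proxy account read rights only on the OUs you actually expose.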
References:
- slapd-ldap(5)
- slapd-meta(5)