This past few weeks I have been messing around with OpenLDAP in the interest of using it on a role as a metadirectory – the master directory that “glue” all other directories (Active Directory, eDirectory, Lotus Notes directory, etc) together.
Among things I’ve learned so far:
- You can synch TO Active Directory using slapd/slurpd; but the tree on both directory MUST be identical.
My config in slapd.conf :
replica uri=ldaps://10.100.299.199:389 binddn="cn=administrator,cn=users,dc=bcc,dc=test" bindmethod=sasl saslmech=GSSAPI credentials=mypassword replogfile /usr/local/openldap/var/replog-bcc-test
- A better way would be to setup another OpenLDAP server, and run slapd-ldap (back-ldap) there. It’ll act as the intermediary between the master OpenLDAP server, and Active Directory server.
The big advantage with slapd-back is with it’s proxy & rewrite capability, the tree on both server does not have to be identical.
- An even better way would be to setup another OpenLDAP server, and run slapd-meta (back-meta) there. While back-ldap can only proxy for one directory, back-meta can proxy & rewrite (eg: act as a metadirectory) for multiple directory services at the same time
I do suspect though that back-meta would be a PITA to configure 🙂 but that’s the price we gotta pay for its power.