Hello,
I am seeking a simple integration between OpenLDAP and MS AD. The DIT structures are completely different but the Posix UIDs are the same. The integration is very simple because all we need to do is update the corresponding UID in AD whenever an entry changes in OpenLDAP (i.e. OpenLDAP is the master here).
I thought it would be easy to use the overlays for this but after careful examination it is not what we need. All we need for the moment is to capture the entry write event in OpenLDAP and run an external subroutine/program/lib that connects to the AD and does the changes there. We already have the second part developed in Perl, that is, we have a Perl program that connects to AD and changes whatever we want. We now need to pass this program the data that have changed in OpenLDAP. We could turn the Perl program into an LDAP server as well so we could maybe use the overlays; in this case, the Perl program would receive the LDAP and translate that to AD. The other option is to use SLAPI to capture the change event and use that to connect to AD, maybe spawning a daemonized process in Perl in order not to hang OpenLDAP waiting for AD.
Anyway, if anyone could give us a hand as to how to approach this and what the best alternatives are for doing this integration, that would be great. We would gladly publish this OpenLDAP to AD integration as open source. Or if anyone happens to know whether this already exists (it needs to be flexible, because we need to translate from one DIT structure to the other with different schemas on each).
Thanks! Alex
--On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass ait@p2ee.org wrote:
Hello,
[...]
One way to do this is to configure your OpenLDAP server to generate an accesslog. Then you read the accesslog looking for any changes and apply the changes to your downstream datastore, whatever it is. We do this using perl and Net::LDAPapi. I can provide an example if you are interested.
Bill
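Bill's accesslog approach, as an added example in Python rather than Perl; this is not code from the thread, from Bill, or from OpenLDAP. It parses audit records in the LDIF form that slapo-accesslog(5) stores under the log database (the records below are constructed samples), keeps only successful add/modify/delete operations newer than a saved reqStart cursor, drops the operational attributes slapd rewrites on every change, and returns per-uid change records that a downstream updater such as the Perl AD program from the first post could consume. The poll itself (an LDAP search of the log suffix, typically with a `(reqStart>=...)` filter) is left out so the block runs offline; the OPERATIONAL set and the uid-keyed DN assumption are choices made for this example.

```python
import re

# Attributes slapd rewrites on every change; the AD side does not need them,
# so they are dropped from the replicated modification list (example choice).
OPERATIONAL = {"entryCSN", "modifiersName", "modifyTimestamp", "creatorsName",
               "createTimestamp", "entryUUID", "structuralObjectClass"}

# reqMod value syntax per slapo-accesslog(5): "<attr>:<+|-|=|#> [value]"
MOD_RE = re.compile(r"^([^:]+):([+\-=#])\s?(.*)$")
MOD_OPS = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}

# Constructed sample of what a search of the log suffix returns, in LDIF form.
SAMPLE_ACCESSLOG = """\
dn: reqStart=20110420142301.000000Z,cn=accesslog
objectClass: auditModify
reqStart: 20110420142301.000000Z
reqType: modify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0
reqMod: mail:= alice@example.com
reqMod: telephoneNumber:-
reqMod: entryCSN:= 20110420142301.000000Z#000000#00#000000
reqMod: modifiersName:= cn=manager,dc=example,dc=com
reqMod: modifyTimestamp:= 20110420142301Z

dn: reqStart=20110420142303.000000Z,cn=accesslog
objectClass: auditModify
reqStart: 20110420142303.000000Z
reqType: modify
reqDN: uid=carol,ou=people,dc=example,dc=com
reqResult: 50
reqMod: mail:= carol@example.com

dn: reqStart=20110420142304.000000Z,cn=accesslog
objectClass: auditAdd
reqStart: 20110420142304.000000Z
reqType: add
reqDN: uid=erin,ou=people,dc=example,dc=com
reqResult: 0
reqMod: objectClass:+ inetOrgPerson
reqMod: uid:+ erin
reqMod: mail:+ erin@example.com
reqMod: structuralObjectClass:+ inetOrgPerson

dn: reqStart=20110420142305.000000Z,cn=accesslog
objectClass: auditDelete
reqStart: 20110420142305.000000Z
reqType: delete
reqDN: uid=dave,ou=people,dc=example,dc=com
reqResult: 0
"""


def parse_ldif_records(text):
    """Split LDIF into entries, each a list of (attribute, value) pairs;
    folded lines are joined, base64 (::) values are left undecoded."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:            # continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif not raw.strip():                          # blank line ends an entry
            if current:
                records.append(current)
                current = []
        elif not raw.startswith("#"):
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val.strip()))
    if current:
        records.append(current)
    return records


def uid_from_dn(dn):
    """Return the uid RDN value, or None if the entry is not keyed by uid."""
    attr, _, val = dn.split(",", 1)[0].partition("=")
    return val.strip() if attr.strip().lower() == "uid" else None


def extract_changes(ldif_text, after=""):
    """Return (changes, newest_reqStart) for successful add/modify/delete
    records with reqStart > `after`; persist the cursor between polls."""
    changes, cursor = [], after
    for rec in parse_ldif_records(ldif_text):
        fields, mods = {}, []
        for attr, val in rec:
            if attr == "reqMod":
                m = MOD_RE.match(val)
                if m and m.group(1) not in OPERATIONAL:
                    mods.append((MOD_OPS[m.group(2)], m.group(1), m.group(3)))
            else:
                fields.setdefault(attr, val)
        start = fields.get("reqStart", "")
        # Binds, searches, failed writes and already-seen records are skipped.
        if (fields.get("reqType") not in ("add", "modify", "delete")
                or fields.get("reqResult") != "0" or start <= after):
            continue
        cursor = max(cursor, start)
        changes.append({"type": fields["reqType"], "dn": fields["reqDN"],
                        "uid": uid_from_dn(fields["reqDN"]), "mods": mods,
                        "reqStart": start})
    return changes, cursor


if __name__ == "__main__":
    pending, last_seen = extract_changes(SAMPLE_ACCESSLOG)
    for change in pending:
        print(change["type"], change["uid"], change["mods"])
    print("next poll starts after", last_seen)
```

Two points matter when running this for real. The cursor is what makes the reader safe to restart: store the returned reqStart after each batch is acknowledged by the AD side, and pass it back on the next poll, so a crash between polls replays nothing and skips nothing. And the log database holds every modification value, userPassword changes included, so the identity that polls it should be dedicated to this job and the log suffix should carry ACLs that let nobody else read it.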
Alejandro Imass wrote:
Hello,
[...]
I would interface your perl script to back-sock running as an overlay on the main OpenLDAP database.
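Howard's back-sock suggestion, as an added example in Python rather than Perl; this is not code from the thread, from Howard, or from OpenLDAP. It is a listener for the line-oriented protocol described in slapd-sock(5): the request type on the first line, then `msgid:` and repeated `suffix:` lines, then the `dn:` and an LDIF-style body (an entry for ADD, `-`-terminated modification blocks for MODIFY), terminated by a blank line. It decodes ADD/MODIFY/DELETE requests, queues each change for a background worker so the reply to slapd is never delayed by AD (the concern raised in the first post), and answers `CONTINUE` so slapd processes the write normally. The sample request, the socket path and the worker's print statement standing in for the AD updater are constructed for this example.

```python
import base64
import os
import queue
import socketserver
import threading

MOD_OPS = ("add", "delete", "replace")
CHANGES = queue.Queue()          # decoded writes waiting for the AD-side worker

# Constructed sample request in the layout slapd-sock(5) describes.
SAMPLE_MODIFY = (
    "MODIFY\n"
    "msgid: 12\n"
    "suffix: dc=example,dc=com\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "replace: mail\n"
    "mail: alice@example.com\n"
    "-\n"
    "delete: telephoneNumber\n"
    "-\n"
    "\n"
)

def _decode(val):
    """LDIF '::' marks a base64 value; otherwise just trim the separator."""
    if val.startswith(":"):
        return base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
    return val.strip()

def parse_sock_request(text):
    """Decode one request: op name, msgid:, repeated suffix:, dn, then an
    LDIF entry (ADD) or "-"-terminated mod blocks (MODIFY); blank line ends."""
    lines = text.split("\n")
    if not lines[0].strip():
        raise ValueError("empty request")
    req = {"op": lines[0].strip(), "msgid": None, "suffix": [],
           "dn": None, "entry": [], "mods": []}
    current = None                                 # MODIFY block being built
    for line in lines[1:]:
        if line == "":
            break
        if line == "-":
            if current is not None:
                req["mods"].append(current)
                current = None
            continue
        attr, _, val = line.partition(":")
        attr = attr.strip()
        if current is not None:                    # value inside a mod block
            current["values"].append(_decode(val))
        elif attr == "msgid":
            req["msgid"] = int(val)
        elif attr == "suffix":
            req["suffix"].append(val.strip())
        elif attr == "dn":
            req["dn"] = _decode(val)
        elif req["op"] == "MODIFY" and attr in MOD_OPS:
            current = {"op": attr, "attr": val.strip(), "values": []}
        else:
            req["entry"].append((attr, _decode(val)))
    if current is not None:
        req["mods"].append(current)
    return req

def handle_request(text, sink):
    """Hand write operations to `sink` and reply CONTINUE so slapd processes
    the operation normally; a RESULT with a non-zero code would refuse it."""
    req = parse_sock_request(text)
    if req["op"] in ("ADD", "MODIFY", "DELETE") and req["dn"]:
        sink(req)
    return "CONTINUE\n\n"

class SockHandler(socketserver.StreamRequestHandler):
    """One request per connection: read up to the blank line, answer, close."""
    def handle(self):
        buf = []
        while True:
            line = self.rfile.readline()
            if not line or line in (b"\n", b"\r\n"):
                break
            buf.append(line.decode("utf-8", "replace").rstrip("\r\n"))
        if buf:
            self.wfile.write(handle_request("\n".join(buf) + "\n\n", CHANGES.put).encode())

def ad_worker():
    """Drains the queue off slapd's request path; the AD updater goes here."""
    while True:
        change = CHANGES.get()
        print("push to AD:", change["op"], change["dn"], change["mods"])  # stand-in

if __name__ == "__main__":
    path = "/var/run/slapd/ad-sync.sock"   # placeholder; must match socketpath in slapd.conf
    if os.path.exists(path):
        os.unlink(path)
    threading.Thread(target=ad_worker, daemon=True).start()
    with socketserver.ThreadingUnixStreamServer(path, SockHandler) as server:
        os.chmod(path, 0o660)              # only slapd's user/group may connect
        server.serve_forever()
```

On the slapd side this is the overlay mode of slapd-sock(5) (`overlay sock` with `socketpath` pointing at the socket above and `sockops` listing the write operations to forward; `sockdnpat` can limit forwarding to the subtree that actually maps to AD). Two caveats follow from the protocol: `CONTINUE` is sent before slapd has applied the write, so a change can reach the queue and then be rejected by slapd, which is why the worker should confirm against the directory (or use the result reporting slapd-sock(5) offers) before pushing to AD; and whoever can connect to the socket can inject fake operations into the queue, so the socket's permissions are the access control.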
On Wed, Apr 20, 2011 at 3:24 PM, Howard Chu hyc@symas.com wrote:
Alejandro Imass wrote:
Hello,
[...]
I would interface your perl script to back-sock running as an overlay on the main OpenLDAP database.
Thanks!
I will look at slapd-sock and see if I can get it working!
Thanks again,
-- Alejandro Imass
openldap-technical@openldap.org