--On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass <ait@p2ee.org> wrote:
I am seeking a simple integration between OpenLDAP and MS AD. The DIT
structures are completely different but the Posix UIDs are the same.
The integration is very simple because all we need to do is update the
corresponding UID in AD whenever an entry changes in OpenLDAP (i.e.
OpenLDAP is the master here).
I thought it would be easy to use the overlays for this, but after
careful examination it is not what we need. All we need for the moment
is to capture the entry write event in OpenLDAP and run an external
subroutine/program/lib that connects to the AD and does the changes
there. We already have the second part developed in Perl, that is, we
have a Perl program that connects to AD and changes whatever we want.
We now need to pass this program the data that have changed in
OpenLDAP. We could turn the Perl program into an LDAP server as well
so we could maybe use the overlays, so in this case, the Perl program
would receive the LDAP, and translate that to AD. The other option is
to use SLAPI and capture the change event and use that to connect to
AD, maybe spawning a daemonized process in Perl in order not to hang
OpenLDAP waiting for AD.
Anyway, if anyone can give us a hand as to how to approach this and
what the best alternatives are to do this integration, it would be great.
We would gladly publish this OpenLDAP to AD integration as OpenSource.
Or if anyone happens to know if this already exists (but needs to be
flexible because we need to translate from one DIT structure to the
other with different schemas on each).

One way to do this is to configure your OpenLDAP server to generate an
accesslog. Then you read the accesslog looking for any changes and
apply the changes to your downstream datastore, whatever it is. We do
this using perl and Net::LDAPapi. I can provide an example if you are
Infrastructure Delivery Group, Stanford University
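A sketch of the accesslog-polling approach described in the reply, added here as an example and not code from either poster (it uses Net::LDAP rather than Net::LDAPapi). The slapd.conf lines, hostnames, bind DNs, credentials, base DNs and the attribute map are all assumptions; the OpenLDAP DIT is assumed to key people entries on uid, which is the same value AD carries in its uid attribute.

```perl
# Added example, not from the thread: replay successful modify operations that
# the accesslog overlay recorded onto the AD object carrying the same uid.
# Assumed slapd.conf on the OpenLDAP side (placeholders throughout):
#   overlay accesslog / logdb cn=accesslog / logops writes / logsuccess TRUE
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $ldap = Net::LDAP->new('ldap://openldap.example.com') or die "$@";
$ldap->bind('cn=sync,dc=example,dc=com', password => 'PLACEHOLDER')->code and die 'ldap bind';
my $ad = Net::LDAP->new('ldaps://ad.example.com') or die "$@";
$ad->bind('sync@EXAMPLE.COM', password => 'PLACEHOLDER')->code and die 'ad bind';

# Checkpoint: reqStart of the last replayed entry (generalizedTime plus a
# sequence suffix, so an ordering filter works). Persist it in a state file.
my $last = '20110420000000.000000Z';
# A reqMod value is "attr:+ v" (add), "attr:- v" (delete), "attr:= v" (replace)
# or "attr:# v" (increment, not handled). Attribute map: OpenLDAP => AD name.
my %op  = ('+' => 'add', '-' => 'delete', '=' => 'replace');
my %map = (cn => 'cn', sn => 'sn', mail => 'mail', uidNumber => 'uidNumber');

my $res = $ldap->search(base => 'cn=accesslog', attrs => [qw(reqStart reqDN reqMod)],
    filter => "(&(reqType=modify)(reqResult=0)(reqStart>=$last))");
die $res->error if $res->code;

for my $e (sort { $a->get_value('reqStart') cmp $b->get_value('reqStart') } $res->entries) {
    my $start = $e->get_value('reqStart');
    next if $start eq $last;                                  # already replayed
    my ($uid) = $e->get_value('reqDN') =~ /^uid=([^,]+)/ or next;  # uid=...,ou=People,...
    my %changes;
    for my $m ($e->get_value('reqMod')) {
        my ($attr, $o, $val) = $m =~ /^([^:]+):([-+=#]) ?(.*)$/ or next;
        next unless $map{$attr} && $op{$o};
        # "attr:- " with no value means remove the whole attribute
        if ($o eq '-' && $val eq '') { $changes{delete}{ $map{$attr} } = []; next }
        push @{ $changes{ $op{$o} }{ $map{$attr} } }, $val;
    }
    next unless %changes;
    # The AD DIT differs, so locate the target by uid rather than rewriting the DN.
    my $who = $ad->search(base => 'DC=example,DC=com', scope => 'sub', attrs => ['1.1'],
        filter => '(uid=' . escape_filter_value($uid) . ')');
    my ($target) = $who->entries or next;
    my $r = $ad->modify($target->dn, %changes);
    warn "AD modify failed for $uid: " . $r->error if $r->code;
    $last = $start;                                           # new checkpoint
}
```

Run it from cron or a loop; because the checkpoint is the last reqStart seen and only reqResult=0 entries are read, a crash between the AD modify and persisting $last replays at most one change, so keep the AD-side operations idempotent (replace rather than add where possible).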