Hi,
I am looking to set up an LDAP server that can pull certain user attributes from Active Directory like userid (sAMAccountName), cn, sn and populate some other attributes like public keys via user input.
Is it possible to automate the AD to LDAP replication using syncrepl? Also, looking at the syncrepl documentation, it isn't clear how syncrepl adds records. For example, if a new user gets added on the master, how does the replica know what objectclasses to include while adding that user?
Thanks,
Siddhartha
Siddhartha Jain sjain@silverspringnet.com writes:
Hi,
I am looking to set up an LDAP server that can pull certain user attributes from Active Directory like userid (sAMAccountName), cn, sn and populate some other attributes like public keys via user input.
Is it possible to automate the AD to LDAP replication using syncrepl? Also, looking at the syncrepl documentation, it isn't clear how syncrepl adds records. For example, if a new user gets added on the master, how does the replica know what objectclasses to include while adding that user?
Ask Microsoft to implement RFC-4533 into AD.
-Dieter
Hi,
On 20.02.2010 17:28, Dieter Kluenter wrote:
I am looking to set up an LDAP server that can pull certain user attributes from Active Directory like userid (sAMAccountName), cn, sn and populate some other attributes like public keys via user input.
Is it possible to automate the AD to LDAP replication using syncrepl? Also, looking at the syncrepl documentation, it isn't clear how syncrepl adds records. For example, if a new user gets added on the master, how does the replica know what objectclasses to include while adding that user?
Ask Microsoft to implement RFC-4533 into AD.
That would be the best thing to do; but there are some possibilities to do some sort of repl in other ways. At the moment I work on some sort of plugin for a software to authenticate via LDAP with an AD, and while running I plan to implement an LDAP<-->AD data synchronization. But it is still far in the future. In fact, this will *not* do repl of schema data, because this is quite complex in AD (in comparison with openLDAP).
Best regards Stefan
Stefan Jurisch wrote:
On 20.02.2010 17:28, Dieter Kluenter wrote:
Ask Microsoft to implement RFC-4533 into AD.
That would be the best thing to do;
Even if AD would support syncrepl directly one would have to deal with major schema differences. That's not so easy (see also Samba4).
but there are some possibilities to do some sort of repl in other ways.
Yupp, you can always use your favourite scripting language and easily implement what fits your needs.
Ciao, Michael.
On 21/02/2010 11:26, Stefan Jurisch wrote:
Hi,
On 20.02.2010 17:28, Dieter Kluenter wrote:
Ask Microsoft to implement RFC-4533 into AD.
That would be the best thing to do; but there are some possibilities to do some sort of repl in other ways.
Indeed. May I suggest you take a look at Ldap Synchronization Connector (LSC), which can easily be used to synchronize some attributes to/from AD.
This page lists some tips when trying to read/synchronize with Active Directory (they are general tips, not LSC-specific): http://lsc-project.org/wiki/documentation/1.1/howtos/activedirectory
Hope this helps, Jonathan
Thanks all for the responses, especially Jonathan for that useful link to LSC. I think replication is the wrong word for my requirements, my apologies. All I need to pull from AD to LDAP are unique user-ids such that when a user gets created in AD, its userid should get populated in LDAP and when the user gets deleted from AD, again, the userid should get deleted from LDAP. So I just need to sync the cn, sn, and sAMAccountName attributes from AD to LDAP. The "person" object would have more attributes like public certificates or keys that would be populated later by the user. And, I am not looking at AD to do either authentication or pull passwords to LDAP.
- Siddhartha
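Michael's suggestion to script the sync, applied to the requirement in this last message (mirror sAMAccountName, cn and sn; add on creation, delete on removal), as an added example that is not from the thread or from LSC. It assumes constructed sample entries in place of live AD and OpenLDAP searches, an ou=People,dc=example,dc=com suffix and inetOrgPerson as the object class; note that the script, not the provider, decides which objectclasses the new entry gets, which is the answer to the earlier question about syncrepl.

```python
"""Mirror AD account names into OpenLDAP as inetOrgPerson entries.

Added example, not code from the thread or from LSC. Constructed sample
entries stand in for live AD and OpenLDAP searches; the suffix and the
object classes are assumptions."""

LDAP_BASE = "ou=People,dc=example,dc=com"  # assumed target suffix
# inetOrgPerson allows userCertificate, so users can add keys later
PERSON_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]

def ad_to_ldap_entry(ad):
    """Map sAMAccountName/cn/sn from an AD entry onto an OpenLDAP entry."""
    uid = ad["sAMAccountName"]
    return {"dn": f"uid={uid},{LDAP_BASE}", "objectClass": PERSON_CLASSES,
            "uid": [uid], "cn": [ad["cn"]], "sn": [ad["sn"]]}

def plan_sync(ad_users, ldap_uids):
    """Return (adds, deletes). Adds are entries for accounts only in AD;
    deletes are DNs whose account vanished from AD. Matching entries are
    untouched so user-populated attributes (certificates, keys) survive.
    sAMAccountName and uid both match case-insensitively, so compare lowercased."""
    ad_by_uid = {u["sAMAccountName"].lower(): u for u in ad_users}
    ldap_by_uid = {u.lower(): u for u in ldap_uids}
    adds = [ad_to_ldap_entry(ad_by_uid[k]) for k in sorted(ad_by_uid)
            if k not in ldap_by_uid]
    deletes = [f"uid={ldap_by_uid[k]},{LDAP_BASE}" for k in sorted(ldap_by_uid)
               if k not in ad_by_uid]
    return adds, deletes

def to_ldif(adds, deletes):
    """Render the plan as LDIF suitable for ldapmodify."""
    lines = []
    for e in adds:
        lines += [f"dn: {e['dn']}", "changetype: add"]
        for attr in ("objectClass", "uid", "cn", "sn"):
            lines += [f"{attr}: {v}" for v in e[attr]]
        lines.append("")
    for dn in deletes:
        lines += [f"dn: {dn}", "changetype: delete", ""]
    return "\n".join(lines)

# Constructed sample data: two AD accounts, one LDAP entry already in sync
# and one ("bgone") whose AD account has been deleted.
AD_SAMPLE = [{"sAMAccountName": "jdoe", "cn": "John Doe", "sn": "Doe"},
             {"sAMAccountName": "asmith", "cn": "Alice Smith", "sn": "Smith"}]
LDAP_SAMPLE_UIDS = ["jdoe", "bgone"]

if __name__ == "__main__":
    print(to_ldif(*plan_sync(AD_SAMPLE, LDAP_SAMPLE_UIDS)))
```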
-----Original Message-----
From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org On Behalf Of Jonathan Clarke
Sent: Monday, February 22, 2010 10:10 AM
To: Stefan Jurisch
Cc: openldap-technical@openldap.org
Subject: Re: Syncrepl for AD replication