Linux – Open LDAP and ActiveDirectory synchronization

Tags: ldap, linux, openldap, synchronization, windows

I have been searching on Google for a while to find out the best way to synchronize the user database between OpenLDAP and Active Directory, but with no clear results!

What I want to achieve is to have the user database in OpenLDAP and then populate the users into AD so they can access all my applications (email, VPN, file server, print server, almost all the open-source apps).
Basically what I am trying to do is create a single sign-on DB so all users can have the same passwords for Windows- and Linux-based apps, but I also want to make sure the passwords are updated bidirectionally.

I would appreciate it if anyone could share their experience of how this can be done. Thank you!

Best Answer

What will work for one-way sync, but with quite a bit of "some assembly required", is:

OpenLDAP → OpenLDAP replica → ActiveDirectory

where the intermediate OpenLDAP replica uses a Perl backend rather than persistent storage. You must write a Perl module which provides 9 (last time I checked) functions which map onto the LDAP API calls (bind, search, compare, modify, add, etc.).

Within this code you can do whatever attribute/objectclass and name mapping might be required. There is sample configuration and code in the source distribution (SampleLDAP.pm). Estimate 1000-1500 lines of code for robust real world implementation.

A slightly simpler approach is to poll the source directory for modified objects, and push the changes, see the lsc project for an implementation. This approach may have latency and scalability concerns. With a polling method you can cheat a little with OpenLDAP searching by adding the syncrepl controls, and this gets you a simpler version of the back-perl approach -- the advantage being you don't have to implement the API, you just need to process search results which are pushed to you as changes occur, and propagate them (and save state/reconnect on error).

You will have to think hard about password handling; password attributes (userPassword, unicodePwd) are effectively magic. I've always been able to talk people out of bidirectional password synchronisation, so I can only offer basic advice there (unless I can talk you out of it too ;-) ).

The usual approach is to capture password changes under the guise of "complexity checking", create the password hash/format as required and propagate those values, see PasswdHk.

You might be able to "convince" your users to use an alternate method of password change/reset, and that can propagate changes, something like Self Service Password (this only sets passwords in one place though).

Red Hat have some useful documentation (though the underlying DS is no longer OpenLDAP); much of the theory still applies. AFAICT the current versions haven't made it into CentOS 6 yet.

PCNS is the Microsoft way, I believe it can push passwords to OpenLDAP (but does not do the reverse itself). XMA claims to do both, though I have not used it.

See also: Active Directory and OpenLDAP synchronization; it covers a hybrid approach using Kerberos, which eliminates the password synchronisation (though this makes AD authoritative for authentication).

In short, start by reading the lsc documentation, it might just do what you want.
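As an added example, not part of the answer above and not code from lsc, back-perl or PasswdHk, the following Python sketch shows the two pieces you end up writing yourself in the polling approach: the attribute/objectClass and DN mapping from an OpenLDAP inetOrgPerson entry to an AD user, and the saved-state comparison that turns a polled search result into a list of changed and deleted entries. It also shows why the password attributes are "magic": AD's unicodePwd takes the cleartext password, double-quoted and UTF-16LE encoded, which you can only produce if you captured the cleartext at change time (the PasswdHk route), never from the hash stored in OpenLDAP's userPassword. The DNs, the UPN suffix, the sample entries and all function names are assumptions constructed for this example; the actual LDAP connections on either side are left out.

```python
"""One-way OpenLDAP -> Active Directory sync helpers (added example).

Everything here is a constructed illustration: the base DNs, the UPN
suffix and the sample entries are assumptions, not values from the page.
"""

# Constructed sample: two inetOrgPerson entries as a search result looks
# once each entry is turned into a dict of attribute -> list of values.
SAMPLE_SOURCE_ENTRIES = [
    {
        "dn": "uid=jdoe,ou=People,dc=example,dc=org",
        "entryUUID": ["4b9a8a2e-0f7d-4c41-9d1e-000000000001"],
        "modifyTimestamp": ["20240301101500Z"],
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["jdoe"],
        "cn": ["Jane Doe"],
        "sn": ["Doe"],
        "givenName": ["Jane"],
        "mail": ["jdoe@example.org"],
        # OpenLDAP holds a hash; AD cannot consume it, so it is never mapped.
        "userPassword": ["{SSHA}Zm9vYmFyYmF6cXV4"],
    },
    {
        "dn": "uid=bsmith,ou=People,dc=example,dc=org",
        "entryUUID": ["4b9a8a2e-0f7d-4c41-9d1e-000000000002"],
        "modifyTimestamp": ["20240302090000Z"],
        "objectClass": ["inetOrgPerson"],
        "uid": ["bsmith"],
        "cn": ["Bob Smith"],
        "sn": ["Smith"],
        "userPassword": ["{SSHA}YmF6cXV4Zm9vYmFy"],
    },
]

# Assumed target container and UPN suffix on the AD side.
TARGET_BASE = "CN=Users,DC=ad,DC=example,DC=org"
UPN_SUFFIX = "ad.example.org"
AD_USER_CLASSES = ["top", "person", "organizationalPerson", "user"]


def map_entry(src):
    """Map one OpenLDAP entry to the attribute set AD expects for a user.

    The RDN is built from uid rather than cn so a display-name change in
    OpenLDAP does not turn into a rename (modrdn) on the AD side.
    """
    uid = src["uid"][0]
    ad = {
        "dn": f"CN={uid},{TARGET_BASE}",
        "objectClass": AD_USER_CLASSES,
        "cn": [uid],
        # Windows limits the pre-Windows-2000 logon name to 20 characters.
        "sAMAccountName": [uid[:20]],
        "userPrincipalName": [f"{uid}@{UPN_SUFFIX}"],
        "sn": src["sn"],
        "displayName": src.get("cn", [uid]),
    }
    for attr in ("givenName", "mail"):  # optional in inetOrgPerson
        if attr in src:
            ad[attr] = src[attr]
    return ad


def encode_unicode_pwd(cleartext):
    """Produce the value AD wants in unicodePwd: the cleartext password,
    wrapped in double quotes, encoded as UTF-16LE. There is no way to get
    here from a userPassword hash; the cleartext has to be captured."""
    return f'"{cleartext}"'.encode("utf-16-le")


def find_changes(entries, state):
    """Polling step: compare entryUUID -> modifyTimestamp with the saved
    state from the previous poll. Returns (changed, deleted_uuids, new_state).
    """
    new_state = {e["entryUUID"][0]: e["modifyTimestamp"][0] for e in entries}
    changed = [e for e in entries
               if state.get(e["entryUUID"][0]) != new_state[e["entryUUID"][0]]]
    deleted = [uuid for uuid in state if uuid not in new_state]
    return changed, deleted, new_state


def plan_sync(entries, state):
    """Combine both steps: the AD entries to add/modify, the UUIDs whose
    objects must be deleted or disabled, and the state to persist."""
    changed, deleted, new_state = find_changes(entries, state)
    return [map_entry(e) for e in changed], deleted, new_state


if __name__ == "__main__":
    to_push, to_delete, saved = plan_sync(SAMPLE_SOURCE_ENTRIES, {})
    for ad_entry in to_push:
        print("push", ad_entry["dn"], sorted(ad_entry))
    print("delete", to_delete)
```

Two things the sketch leaves out matter in practice: AD only accepts a unicodePwd write over a TLS-protected connection, and a user added through LDAP is disabled until userAccountControl is set, so the push step needs both before the account is usable. The `new_state` dict is the thing the answer means by "save state": persist it between polls, or a crash will replay every entry as a change.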
