Replication from OSX OpenDirectory to OpenLDAP

Tags: mac-osx, opendirectory, openldap, replication

I have an OpenDirectory server running on an OSX Server machine, and I'd like to increase the reliability of the service by having a slave server. The problem is, I only have 1 OSX Server but I have plenty of Linux servers available. I'm happy with Apple's tools that integrate with OpenDirectory, but given Apple's recent discontinuation of the XServe, I'm not particularly interested in continuing with Apple hardware.

I remember hearing that OpenDirectory is (now-distantly) based off the OpenLDAP code base; is there any way I could replicate from OpenDirectory to OpenLDAP instead of having to purchase another OSX server?

Best Answer

Sort of. An Open Directory domain is actually 3 semi-integrated services: LDAPv3 for most data (provided by a fairly standard OpenLDAP server), Kerberos v5 KDC for single sign-on authentication (provided by MIT's Kerberos implementation, with a few tweaks), and a SASL-based password server for other types of authentication (provided by something at least partly based on a CMU SASL project).

Replicating the LDAP component shouldn't be too hard -- configure syncrepl as with any other OpenLDAP implementation, then add the extra server(s) URL(s) as values of the apple-ldap-replica attribute of the cn=ldapreplicas,cn=config,whateveryoursearchbaseis record in LDAP (this tells the clients about the replica(s)).

Password service and Kerberos are much harder. As far as I can tell, Apple's extended the CMU SASL code considerably, so I don't think it's going to be possible to copy it without massive effort. Kerberos would be easy... except that it depends on the password server for replication (the password servers in a replica network update each other about new passwords, and then each one is responsible for updating the Kerberos KDC on the same server). Note that there are also LDAP records under cn=config telling clients where all the available password servers and KDCs are; the Kerberos one is fairly obvious, but the password server one is harder to make out.

So you could do LDAP replication, but I don't think password server and KDC replicas are practical. And if you don't have those services backed up, there's not much benefit to replicating LDAP.

If it's just uptime you're concerned about, how about adding one of the Mac Mini servers as a replica? They aren't up for high-throughput serving by any means, but as an emergency backup I'd consider them just the thing.
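The two LDAP-only steps the answer describes (a syncrepl consumer on the Linux OpenLDAP box, then advertising it in cn=ldapreplicas), written out as an added example; this is not configuration from the original post or from Apple. The host names, the search base dc=example,dc=com, the replication account and its password are all placeholders. It also assumes the consumer has Apple's schema loaded (copied from the OD master, where it lives as apple.schema under /etc/openldap/schema), since syncrepl will reject entries carrying apple-* attributes the consumer does not know.

```conf
########## 1. slapd.conf on the Linux OpenLDAP replica (consumer) ##########

# Apple-specific object classes and attributes must be known here,
# otherwise entries pulled from the OD master fail schema checks.
# Assumed path: copied from the OS X Server master.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/apple.schema

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# syncrepl consumer: pull the whole search base from the OD master.
# A dedicated, read-only replication account is used on purpose so the
# replica's stored credentials cannot modify the master if they leak.
syncrepl rid=001
        provider=ldaps://od-master.example.com:636
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        scope=sub
        attrs="*,+"
        bindmethod=simple
        binddn="uid=replicator,cn=users,dc=example,dc=com"
        credentials="REPLACE-WITH-REPLICATION-PASSWORD"
        tls_reqcert=demand
        tls_cacert=/etc/openldap/cacerts/od-master-ca.pem

# The replica is read-only; refer writes back to the master so clients
# never get a write accepted here that the master never sees.
updateref       ldaps://od-master.example.com:636

# Let monitoring compare contextCSN between master and replica.
overlay         syncprov

########## 2. LDIF fed to ldapmodify against the OD master ##########
# Advertises the new replica to Open Directory clients, as the answer
# describes. Run as a directory administrator, e.g.:
#   ldapmodify -H ldaps://od-master.example.com -D "uid=diradmin,cn=users,dc=example,dc=com" -W -f replica.ldif

dn: cn=ldapreplicas,cn=config,dc=example,dc=com
changetype: modify
add: apple-ldap-replica
apple-ldap-replica: ldap://ldap-replica1.example.com
```

After the initial refresh completes, a quick sanity check is to read contextCSN from both servers (ldapsearch -b dc=example,dc=com -s base contextCSN) and confirm the values match; if the replica lags or its slapd log shows schema-violation errors, the apple.schema include is the first thing to revisit.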