Open LDAP and ActiveDirectory synchronization


What will work for one-way sync, but with quite a bit of "some assembly required", is:

OpenLDAP → OpenLDAP replica → ActiveDirectory

where the intermediate OpenLDAP replica uses a perl backend -- rather than persistent storage. You must write a perl module which provides 9 (last time I checked) functions which map onto the LDAP API calls (bind, search, compare, modify, add etc.).

Within this code you can do whatever attribute/objectclass and name mapping might be required. There is sample configuration and code in the source distribution (SampleLDAP.pm). Estimate 1000-1500 lines of code for robust real world implementation.

A slightly simpler approach is to poll the source directory for modified objects, and push the changes, see the lsc project for an implementation. This approach may have latency and scalability concerns. With a polling method you can cheat a little with OpenLDAP searching by adding the syncrepl controls, and this gets you a simpler version of the back-perl approach -- the advantage being you don't have to implement the API, you just need to process search results which are pushed to you as changes occur, and propagate them (and save state/reconnect on error).

You will have to think hard about password handling; password attributes (userPassword, unicodePwd) are effectively magic. I've always been able to talk people out of bidirectional password synchronisation, so I can only offer basic advice there (unless I can talk you out of it too ;-)

The usual approach is to capture password changes under the guise of "complexity checking", create the password hash/format as required and propagate those values, see PasswdHk.

You might be able to "convince" your users to use an alternate method of password change/reset, and that can propagate changes, something like Self Service Password (this only sets passwords in one place though).

Red Hat have some useful documentation (though the underlying DS is no longer OpenLDAP); much of the theory still applies. AFAICT the current versions haven't made it into CentOS 6 yet.

PCNS is the Microsoft way, I believe it can push passwords to OpenLDAP (but does not do the reverse itself). XMA claims to do both, though I have not used it.

See also: Active Directory and OpenLDAP synchronization; it covers a hybrid approach using Kerberos which eliminates the password synchronisation (though this makes AD authoritative for authentication).

In short, start by reading the lsc documentation; it might just do what you want.
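To make the "some assembly required" part concrete, here is an added Python sketch of the two pieces the answer says you end up writing yourself in the polling approach: the attribute/objectClass/name mapping from OpenLDAP entries to what an AD add or modify expects (including the unicodePwd encoding AD requires), and the persisted state a poller needs so it only pushes entries changed since the last run. It is example code written for this page, not code from the answer, from lsc, or from OpenLDAP's SampleLDAP.pm. The source entries are constructed samples, and the target container (`OU=Synced,DC=example,DC=local`) and UPN suffix (`example.local`) are hypothetical; no LDAP library is used, so it runs offline and stops at producing the operations a real sync would send.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# --- Constructed sample input: what a search of the source OpenLDAP might return.
SOURCE_ENTRIES = [
    {
        "dn": "uid=alice,ou=people,dc=example,dc=org",
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"], "cn": ["Alice Smith"], "sn": ["Smith"],
        "givenName": ["Alice"], "mail": ["alice@example.org"],
        "modifyTimestamp": ["20220918100000Z"],
    },
    {
        "dn": "uid=bob,ou=people,dc=example,dc=org",
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"], "cn": ["Bob Jones"], "sn": ["Jones"],
        "modifyTimestamp": ["20220918090000Z"],
    },
]

AD_USER_BASE = "OU=Synced,DC=example,DC=local"  # hypothetical target container
AD_UPN_SUFFIX = "example.local"                  # hypothetical UPN suffix

# OpenLDAP attribute -> AD attribute. Attributes not listed are not propagated.
ATTR_MAP = {
    "uid": "sAMAccountName",
    "cn": "cn",
    "sn": "sn",
    "givenName": "givenName",
    "mail": "mail",
}
# Only inetOrgPerson has a natural AD counterpart; posixAccount is dropped
# unless the POSIX schema has been extended into AD.
OBJECTCLASS_MAP = {"inetOrgPerson": "user"}

SAM_ACCOUNT_NAME_MAX = 20  # AD's pre-Windows 2000 logon name limit


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd takes the clear-text password wrapped in double quotes
    and encoded as UTF-16-LE; AD only accepts it over an encrypted connection."""
    return f'"{password}"'.encode("utf-16-le")


def map_entry(entry: dict) -> dict:
    """Translate one OpenLDAP entry into the DN and attributes an AD add/modify needs."""
    classes = [OBJECTCLASS_MAP[c] for c in entry["objectClass"] if c in OBJECTCLASS_MAP]
    if not classes:
        raise ValueError(f"{entry['dn']}: no objectClass maps to an AD class")
    attrs = {ad: entry[src] for src, ad in ATTR_MAP.items() if src in entry}
    sam = attrs["sAMAccountName"][0]
    if len(sam) > SAM_ACCOUNT_NAME_MAX:
        raise ValueError(f"{entry['dn']}: uid {sam!r} exceeds {SAM_ACCOUNT_NAME_MAX} chars")
    attrs["objectClass"] = classes
    attrs["userPrincipalName"] = [f"{sam}@{AD_UPN_SUFFIX}"]
    return {"dn": f"CN={entry['cn'][0]},{AD_USER_BASE}", "attributes": attrs}


@dataclass
class PollState:
    """State a polling sync must persist between runs: the newest modifyTimestamp
    already pushed. Save it after each successful push and reload on (re)start."""
    last_seen: str = "00000000000000Z"  # GeneralizedTime strings compare lexically

    def changed_since(self, entries: list[dict]) -> list[dict]:
        """Entries modified after the last push, oldest first, so a failure
        mid-run leaves last_seen pointing at the last entry actually pushed."""
        fresh = [e for e in entries if e["modifyTimestamp"][0] > self.last_seen]
        return sorted(fresh, key=lambda e: e["modifyTimestamp"][0])

    def advance(self, entry: dict) -> None:
        self.last_seen = max(self.last_seen, entry["modifyTimestamp"][0])


def run_poll(entries: list[dict], state: PollState) -> list[dict]:
    """One polling cycle: map every changed entry and advance the state.
    A real implementation would issue the AD operations here, in this order."""
    pushed = []
    for e in state.changed_since(entries):
        pushed.append(map_entry(e))
        state.advance(e)
    return pushed


if __name__ == "__main__":
    st = PollState()
    print(json.dumps(run_poll(SOURCE_ENTRIES, st), indent=2))
    print("state now:", st.last_seen)
```

Sorting the changed entries by modifyTimestamp before pushing is what makes the saved state safe: if the run dies half way, `last_seen` still names the last entry that actually went out, so the next run resumes rather than skipping the rest. Swapping the polling for a syncrepl search, as the answer suggests, replaces `changed_since` with results pushed to you but leaves the mapping and the state-saving unchanged.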


Author: Bouanani Meher

Updated on September 18, 2022

Comments

  • Bouanani Meher
    Bouanani Meher over 1 year

    I have been searching on Google for a while to find out the best way to synchronize the user database between OpenLDAP and an ActiveDirectory, but without clear results!

    What I want to achieve is to have the user database in OpenLDAP and then populate it into AD so these users can access all my applications (email, VPN, file server, print server, almost all the open-source apps). Basically what I am trying to do is to create a single sign-on DB so all users can have the same passwords for Windows and Linux based apps, but I also want to make sure the passwords are updated bidirectionally.

    I will appreciate if anyone can share his experience on how this can be done. Thank you!!

    • Deb
      Deb about 11 years
      @ScottPack Likely the driver behind this is schema differences. The common OSS schema would have to be imported into AD and that scares some people.
    • Scott Pack
      Scott Pack about 11 years
      @sysadmin1138: It's possible. Still seems like it might be easier to attempt to use the existing structure rather than hand roll an MDM.
    • Bouanani Meher
      Bouanani Meher about 11 years
      @ScottPack Thanks for answering. sysadmin1138, it's exactly the reason for which I need to synchronise OpenLDAP with AD, and the second reason is that I already have the data in OpenLDAP and I need to replicate it into AD the first time and then put in place a mutual synchronisation between these two directories.
  • Bouanani Meher
    Bouanani Meher about 11 years
    Thanks a lot for your answer, that's exactly what I was searching for :)