
Re: OpenLDAP as master of other vendors' directory servers?



On Jan 8, 2004, at 6:52 PM, Howard Chu wrote:

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Phil Durbin

We're thinking about using OpenLDAP as our "master" or primary
directory server.  However, like a lot of folks, we need to run other
vendors' directory servers as well.

My primary question is if anyone is using OpenLDAP as a master and
replicating/synchronizing the data to a Netscape/iPlanet/Sun ONE/Sun
Java System Directory Server.  Down the road, we may also need to
synchronize with Active Directory and Oracle Internet Directory.

I've heard of people using Sun ONE Directory as a master and
replicating data to Active Directory.  And Oracle says its directory
server can be a spoke on another vendor's hub.  But are people using
OpenLDAP as the hub?

I get the impression from this list's archives that this is going to
require some custom programming.  Are we talking about scripts to dump
and import LDIF files?  Cooking something up using perl-ldap, JNDI, or
JLDAP?  Are there ready-made scripts or other tools available to make
synchronizing data from OpenLDAP to Sun ONE as painless as possible?

You haven't really described enough of your goal to formulate an answer. If
two LDAP servers store identical DITs, then generally
replication/synchronization is a no-brainer. Most frequently however, when
dealing with entrenched use of heterogeneous servers, those servers are in
place because their DITs are specialized and don't match one-to-one with
every other server's DIT. The first question to answer is, what is the
situation with your particular servers, what are they being used for, and how
similar are their existing structures? I.e., why do you "need" to run other
vendors' servers?


In many cases, slurpd can be used directly to sync from OpenLDAP to any other
LDAP server. In more complex cases, I would use slurpd targeted at an
OpenLDAP back-ldap/back-meta instance and use the mapping facilities there to
prep the data that gets sent to the remote server.

I started reading through the slurpd documentation. Thanks for the tip.

What are our LDAP servers used for? Right now we are only running Sun ONE Directory Server (well, Netscape 4.x) to authenticate Netscape Messaging Server, Oracle Calendar, and some other applications that I'm sure will work against any LDAP server.

We're in the process of building a bigger, better LDAP service (expanded user base, fairly highly available, fault tolerant) and are considering using OpenLDAP as the primary LDAP service, which will be fed data from our administrative system. All of our current apps should work fine against OpenLDAP, with the possible exception of Netscape/Sun ONE Messaging Server, which requires (officially anyway) running Sun's directory server. I'll do some more research elsewhere to see if anyone has this mail server working against OpenLDAP. Another possibility is to switch to a different mail server.

The wrinkle with Oracle Calendar is that today OpenLDAP is supported directly, but a couple of years from now, we will be required to run Oracle Internet Directory to run the calendar application. Oracle calls it a "hub and spoke" model, and they are more than willing to be a spoke to another directory's hub. When the time comes, Oracle should provide whatever software we need to pull data in from the primary directory server. If we're really opposed to running multiple vendors' directory servers, I suppose we could start looking for a new calendar application as well.

I don't know much about the plans for Active Directory here. We're still using an NT4 PDC, but I imagine that Active Directory integration with our primary LDAP would be an eventual goal for us.

As far as DITs go, we only have the one DIT today, which I think could easily be moved over to OpenLDAP and still support our apps, with the exception of mail. If we decide to stick with this mail server and we find we have to run Sun ONE Directory Server, I see two options: 1) forget OpenLDAP altogether and go Sun, or 2) store everything we can in OpenLDAP and try to pull user data into Sun ONE, which will also hold other data (o=NetscapeRoot?) required by the mail server to function.

Clear as mud?  I'd be happy to explain further.

Anybody out there with a similar set up? People who run (or want to run) OpenLDAP as their primary directory server and feed data into other vendors' servers? I'd love to hear success stories. Or just tell us we're crazy.

Cheers,

Phil Durbin
Network Services Administrator
Berklee College of Music
pdurbin@berklee.edu
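The "scripts to dump and import LDIF files" route Phil asks about, written out as an added example that is not from this thread or from the OpenLDAP project: a one-way sync plan that takes a slapcat dump of the OpenLDAP master and a db2ldif dump of a Sun ONE spoke, rewrites the suffix and renames attributes (the mapping Howard suggests doing in-line with back-ldap/back-meta), and emits the LDIF change records to apply to the spoke. The suffixes, the attribute map, the entries and the base64 password value are all constructed. It deliberately drops userPassword: a hash scheme the master uses is not guaranteed to be accepted by the other vendor's server, and a sync file full of password hashes is a liability in itself; either let the spoke's applications authenticate against the master or agree on a scheme both servers accept and copy it over a protected channel.

```python
"""Added example (not code from the thread): the "dump and import LDIF" route,
as a one-way sync plan from an OpenLDAP master dump to a Sun ONE style spoke."""
import base64

OPERATIONAL = {"entryuuid", "entrycsn", "creatorsname", "createtimestamp", "modifiersname",
               "modifytimestamp", "structuralobjectclass", "nsuniqueid"}  # server-maintained: never copy
DN_VALUED = {"manager", "member", "seealso", "owner"}  # DN-valued: their values need massaging too

def parse_ldif(text):
    """Minimal LDIF content parser -> {dn.lower(): (dn, {attr.lower(): [values]})}.
    Handles comments, folded lines and base64 ('::') values; skips change records."""
    entries = {}
    for record in text.replace("\n ", "").split("\n\n"):       # unfold, then split on blank line
        attrs = {}
        for line in record.splitlines():
            key, sep, val = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            val = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val.strip()
            attrs.setdefault(key.lower(), []).append(val)
        dn = attrs.pop("dn", [None])[0]
        if dn and "changetype" not in attrs:
            entries[dn.lower()] = (dn, attrs)
    return entries

def massage_dn(dn, src, dst):
    """Rewrite the naming context (what back-ldap's suffixmassage does)."""
    return dn[:len(dn) - len(src)] + dst if dn.lower().endswith(src.lower()) else dn

def translate(entries, src, dst, attr_map, drop):
    """Suffix-massage and rename attributes in a parsed master dump."""
    out = {}
    for dn, attrs in entries.values():
        new_dn, new = massage_dn(dn, src, dst), {}
        for name, values in attrs.items():
            if name not in OPERATIONAL and name not in drop:
                if name in DN_VALUED:
                    values = [massage_dn(v, src, dst) for v in values]
                new[attr_map.get(name, name)] = values
        out[new_dn.lower()] = (new_dn, new)
    return out

def diff_ldif(wanted, current):
    """LDIF change records turning `current` into `wanted`: adds parent-first, then
    modifies, then deletes leaf-first. Values are compared byte-exact (no matching rules)."""
    out = []
    for key in sorted(set(wanted) - set(current), key=lambda k: k.count(",")):   # naive depth
        dn, attrs = wanted[key]
        out += [f"dn: {dn}", "changetype: add"] + [f"{n}: {v}" for n, vs in attrs.items() for v in vs] + [""]
    for key in sorted(set(wanted) & set(current)):
        dn, want = wanted[key]
        have = {k: v for k, v in current[key][1].items() if k not in OPERATIONAL}
        mods = []
        for name in sorted(set(want) | set(have)):
            if name not in want:
                mods += [f"delete: {name}", "-"]
            elif sorted(want[name]) != sorted(have.get(name, [])):
                mods += [f"replace: {name}"] + [f"{name}: {v}" for v in want[name]] + ["-"]
        if mods:
            out += [f"dn: {dn}", "changetype: modify"] + mods + [""]
    for key in sorted(set(current) - set(wanted), key=lambda k: k.count(","), reverse=True):
        out += [f"dn: {current[key][0]}", "changetype: delete", ""]
    return "\n".join(out)

MASTER_LDIF = """\
# constructed slapcat-style dump of the OpenLDAP master (all values invented)
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
sn: Example
mail: alice@example.com
mailLocalAddress: alice.example@example.com
manager: uid=bob,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9ZHVtbXk=
entryUUID: 2f7a3d5c-0000-1000-8000-000000000001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
"""
TARGET_LDIF = """\
dn: uid=alice,ou=people,o=example.com
objectClass: inetOrgPerson
uid: alice
sn: Example
mail: alice@old.example.com
manager: uid=bob,ou=people,o=example.com
nsUniqueId: 3a1b2c3d-00000001-00000000-00000000

dn: uid=carol,ou=people,o=example.com
objectClass: inetOrgPerson
uid: carol
"""

def sync_plan(master_text, target_text):
    """Return the LDIF to feed the spoke with ldapmodify."""
    wanted = translate(parse_ldif(master_text), "dc=example,dc=com", "o=example.com",
                       attr_map={"maillocaladdress": "mailalternateaddress"},  # constructed map
                       drop={"userpassword"})  # hashes are not portable and do not belong in sync files
    return diff_ldif(wanted, parse_ldif(target_text))
```

Feed the returned text to ldapmodify against the spoke. Two caveats a practitioner will hit: the comparison is byte-exact, so a server that normalizes values (adding top to objectClass, for instance) shows up as a perpetual modify until the comparator learns that attribute's matching rule; and the delete pass removes anything under the spoke that the master lacks, so the target dump must be scoped to the synced subtree and never include spoke-local data such as the o=NetscapeRoot tree Phil mentions.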