I agree with Phil about cleaning up prior if possible. The less confusion you have during a migration scene the better. I've done many both ways (at customer's insistence and after a fight most often) and I can honestly say that the clearer the playing field the better. If nothing else, you can resolve issues that much faster during migration.
As for the sync, I wish I wasn't as familiar with mainframe LDAP as I am; ignorance can truly be a happy place :) Knowing the type and how it's configured (is it just a gateway to a different authentication system or a fully populated LDAP instance? Both? If not RACF, what is the mainframe auth system then?? (that's just curiosity on my part but might make a difference when it comes to how you want to deploy a solution)) is going to greatly enhance your ability to get the right solution. As an example I could have several mainframe based LDAP stores. Some would be populated with user accounts while others are a gateway to a different authentication store. Weird to say the least, but I see why IBM did that. Drop me a note offline if you want to know more about what I've seen so far with mainframe implementations of LDAP. I don't see a reason to bore the socks off the rest of the folks with the petty b.s. that mainframe LDAP can introduce.

NOTE: If it's already online, you can connect to the mainframe LDAP and find out what it is by looking at the rootDSE information, as long as you can get to it (you may need credentials etc. depending on configuration).

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Tuesday, March 08, 2005 11:06 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

I am a much bigger fan of either cleaning up the NT domains prior to migration, or getting a list of current active users from the mainframe and only migrating those users from the NT domains. In both those situations you end up with only the active users in AD, which I prefer to do since I don't want to migrate junk from old domains into my newly created and clean AD environment. Not much help on your dirsync issues, but I haven't worked with either so I won't bother to comment on that part.
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 10:14 AM
To: [email protected]
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

Good question. At this stage this is what I've been made aware of:

No RACF (phew)
LDAP Connector to mainframe - I haven't been told what version yet
User and Attribute sync to AD from the mainframe is the primary goal.

The business centres around mainframe existence. If you don't exist on the mainframe, you don't exist. This means that user provisioning AND identity currently happens there as a start. At this point there's a TON of NT4 domains (around 600) that will be switched off. Users used to be created automagically via a process from mainframe to NT 4 domains; however, users were never killed off the NT domains when they died on the mainframe. Going forward, this means that users will be synced from the mainframe via LDAP - ergo the sync tool requirement to AD to a dump container. Users from the NT domains will be merge migrated to a separate container, and whatever is left behind will be investigated and killed. Migration tools are in place to do this; that's the easy bit. The unknown entity is talking to a mainframe via LDAP with no knowledge at this point of what flavour of LDAP it's talking. The Imanami product looks really fine on "paper" - generic LDAP connectivity, attribute transformation, supports schema extensions, etc.; however, I've never met anyone who's used it in anger. I'm trying to stay away from a scripted solution, since object collision resolution, attribute transformation, object matching, delta syncing, etc. are pretty standard in the tool world, without having to re-script the wheel.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 08 March 2005 04:03 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

I think Murray brings up some good points. What are your requirements exactly? To differentiate between the products (or others) you'll need to understand what the ultimate goal is and what you have to work with. For example, is this a RACF sync? Or LDAP or ?? What exactly needs to sync? Passwords? Accounts? Questions like that should help to differentiate.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, March 08, 2005 6:45 AM
To: [email protected]; Nicolas Blank
Subject: RE: [ActiveDir] LDAP dir syncproduct to AD

Nic, we have implemented Simple Sync for roughly 12 connectors and are pleased with the tool. It is syncing roughly 30000 LDAP entries between Exchange 5.5, 2000 and 2003 organizations, with the Exchange 5.5 organization being the root forest. In my mind, it would depend on your needs, and whether you require a more advanced 'meta' directory. Simple Sync is a FIFO sync utility, not a "download all the updates to a meta dir, process them, then resync out" tool (sounds like a description of the MS Mail T1/T2 sync processes!). We are very pleased with the product and the support we get from them. I have no experience with the Imanami product. If you are looking for LDAP in, LDAP out with transposing, or what have you, I would definitely recommend Simple Sync.

Murray Wall
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 1:56 AM
To: [email protected]
Subject: [ActiveDir] LDAP dir syncproduct to AD

Hi all

Anyone ever have to choose between Simple Sync and Imanami Directory Transformation Manager? I'm talking to a mainframe via LDAP going to AD and on "paper" Imanami looks the better choice.
Anyone have any recommendations either way? I've seen Simple Sync mentioned at least once on this list and also know it's maybe not the best product out there, even though it does the job, and am keen to get any feedback on anything else.

Thanks in advance for any feedback

Nic

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
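The rootDSE check that Al's note describes (read the server's rootDSE and work out what kind of LDAP server you are talking to), written out as an added example. This is not code from the thread or from any of the products named in it. The AD marker is the documented LDAP_CAP_ACTIVE_DIRECTORY_OID (1.2.840.113556.1.4.800) in supportedCapabilities; vendorName/vendorVersion are the RFC 3045 attributes. The IBM marker (a vendorName containing "International Business Machines" or any ibm-* rootDSE attribute) and the OpenLDAP marker (configContext/monitorContext) are assumptions about what those servers commonly publish, not something the thread confirms, and the two rootDSE LDIF samples are constructed for the example. The ldapsearch command line uses the OpenLDAP client; everything else runs offline on captured LDIF.

```python
"""Fingerprint an LDAP server from its rootDSE (added example, not from the thread)."""
import base64
import subprocess
from typing import Dict, List

# Documented AD capability OID (LDAP_CAP_ACTIVE_DIRECTORY_OID); every DC advertises it.
AD_CAP_OID = "1.2.840.113556.1.4.800"


def ldapsearch_rootdse_cmd(host: str, port: int = 389) -> List[str]:
    """OpenLDAP ldapsearch invocation that reads the rootDSE: anonymous simple bind,
    base scope on the empty DN, user (*) plus operational (+) attributes. If the
    server refuses anonymous base reads, add -D <binddn> -W for credentials."""
    return ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}:{port}",
            "-s", "base", "-b", "", "(objectClass=*)", "*", "+"]


def fetch_rootdse(host: str, port: int = 389) -> Dict[str, List[str]]:
    """Live check: run ldapsearch and parse its LDIF. Not exercised offline."""
    out = subprocess.run(ldapsearch_rootdse_cmd(host, port),
                         capture_output=True, text=True, check=True).stdout
    return parse_ldif(out)


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry as printed by ldapsearch into {attr_lower: [values]}.
    Handles 'attr: value', base64 'attr:: value', comments, and wrapped values
    (a line starting with one space continues the previous line)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unwrap continuation line
        else:
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def classify_rootdse(attrs: Dict[str, List[str]]) -> str:
    """Return a coarse server flavour from rootDSE markers (see lead-in for which
    markers are documented and which are assumptions)."""
    vendor = " ".join(attrs.get("vendorname", [])).lower()
    caps = set(attrs.get("supportedcapabilities", []))
    if AD_CAP_OID in caps or "rootdomainnamingcontext" in attrs:
        return "active-directory"
    if "international business machines" in vendor or any(k.startswith("ibm-") for k in attrs):
        return "ibm-directory"               # assumed marker for IBM/z/OS LDAP servers
    if "configcontext" in attrs or "monitorcontext" in attrs or "openldap" in vendor:
        return "openldap"                    # assumed marker
    return f"other:{vendor}" if vendor else "unknown"


def summarize(attrs: Dict[str, List[str]]) -> dict:
    """The facts a sync-tool evaluation needs from the rootDSE: flavour, naming
    contexts (what is actually populated behind this server), protocol versions,
    bind mechanisms, and whether a version string is handed out to whoever asks."""
    return {
        "flavour": classify_rootdse(attrs),
        "vendor": attrs.get("vendorname", [""])[0],
        "version": attrs.get("vendorversion", [""])[0],
        "naming_contexts": attrs.get("namingcontexts", []),
        "ldap_versions": sorted(attrs.get("supportedldapversion", [])),
        "sasl": attrs.get("supportedsaslmechanisms", []),
        "advertises_version": bool(attrs.get("vendorversion")),
    }


# Constructed sample rootDSE output for an AD domain controller (not a real capture).
SAMPLE_AD_LDIF = """dn:
currentTime: 20050308160300.0Z
dnsHostName: dc1.corp.example
rootDomainNamingContext: DC=corp,DC=example
namingContexts: DC=corp,DC=example
namingContexts: CN=Configuration,DC=corp,DC=example
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
"""

# Constructed sample for an IBM-flavoured server, with a base64 vendorName and a
# wrapped namingContexts value to exercise the parser (not a real capture).
SAMPLE_IBM_LDIF = """dn:
vendorName:: SW50ZXJuYXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyAoSUJNKQ==
vendorVersion: 3.1
namingContexts: o=mainf
 rame,c=us
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
ibm-ldapServiceName: LDAPSRV
"""

if __name__ == "__main__":
    for sample in (SAMPLE_AD_LDIF, SAMPLE_IBM_LDIF):
        print(summarize(parse_ldif(sample)))
```

Two practical notes. First, namingContexts answers Al's gateway-versus-populated-store question better than the vendor string does: a server that only fronts another authentication system typically shows a single, small naming context, so follow up with a one-level search under each listed context before assuming it holds the user population. Second, if the rootDSE (including vendorVersion) came back on an anonymous bind, anyone who can reach the port learns the product and version; that is worth recording in the migration findings alongside the sync requirements.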
