Hi Howard,

On 22.07.2010 21:27, Howard Chu wrote:
> But if you're going to do something with LDAP you might as well make
> it useful too. Two small projects that could be completed in a short
> amount of time: implement a DirSync module for OpenLDAP to replicate
> from M$AD, and implement a passwordSync module for OpenLDAP with AD.

Indeed two interesting projects. But is syncrepl the best way to do this? Let me ask you some questions on this:

DirSync:
The DIT in AD is unlikely to be the same as on the OpenLDAP side. The same is true for the attributes. Thus we need things like we have in the rewrite overlay. Are you thinking about syncrepl with a CSN store on the AD side here? What about multi master (several ADs writing to one OpenLDAP)?

A more general solution IMHO would be a flexible (with respect to DN massaging and attribute mapping) queue that sends plain LDAP operations to the OpenLDAP consumer. What about SPML? Do you think that that is also a "gross misuse of SGML"?

passwordSync:
What are you thinking here? A DLL that recognizes password changes and creates appropriate hashes and syncs these into OpenLDAP, or just plain syncing of the NT hashes into OpenLDAP, which could be done via the DirSync?

The requirement for such things has been there for a long time and there are a number of different solutions out there already. Something more standardized that could be packaged with OpenLDAP would be a nice thing, thus I would be very happy if this could be discussed here in more detail.

Cheers,

Peter

--
Peter Gietz (CEO)
DAASI International GmbH
Europaplatz 3, D-72074 Tübingen, Germany
phone: +49 7071 407109-0
Fax: +49 7071 407109-9
mail: peter.gi...@daasi.de
Web: www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Amtsgericht Stuttgart HRB 382175

Directory Applications for Advanced Security and Information Management