2013/4/2 Markus Widmer <[email protected]>

> Hi!
>
> We have implemented OpenLDAP -> AD using the OpenLDAP accesslog overlay to see what has changed in OpenLDAP. For AD -> OpenLDAP we use the highestCommittedUSN to see if something has changed on the AD side. Synchronization of passwords is a bit more complicated, because if you want to sync them OpenLDAP -> AD you have to set them as clear-text passwords via LDAP. At the same time you usually don't want to store them as clear text in the OpenLDAP directory. We have solved it by implementing an overlay that gets an encrypted password and stores it in a custom attribute protected by ACLs (similar to the eDirectory universalPassword) and as an SSH2-hashed value in the userPassword attribute. It can then be decrypted and synchronized to AD. If you want AD -> OpenLDAP you have to catch the password change the moment it happens. We have done this by implementing a DLL.
>
> Of course there are other ways of doing it.
>
> Cheers,
>
> -Markus-
>
>
> On 02.04.2013 07:31, Suman Karki wrote:
>
>> Hello there!
>> Has anybody done OpenLDAP and Active Directory synchronization?
>> I want to sync them. Give me an idea of how you have done it.
>>
>> I am struggling to solve that.
>> If you charge some amount, then I am ready to pay.
>> I just need to solve that problem.
>>
>>
Hi,

Another solution is to use LDAP Synchronization Connector (http://lsc-project.org).

Here is a tutorial for OpenLDAP to AD synchronization:
http://lsc-project.org/wiki/documentation/2.0/tutorials/openldaptoactivedirectory

And here some notes on password synchronization:
http://lsc-project.org/wiki/documentation/2.0/howtos/activedirectory#password_synchronization

Clément.
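Markus's AD -> OpenLDAP direction relies on the rootDSE attribute highestCommittedUSN together with the per-object uSNChanged attribute. The Python below is an added example, not code from either poster or from the LSC project. It runs offline against a constructed in-memory stand-in for one domain controller (the FakeAD class, the Entry and Cursor types, and every DN and USN value are made up for the example); with a real LDAP library the two Directory methods correspond to a base-scope read of the rootDSE and a subtree search with the filter built by ldap_filter. It shows the two details that make USN polling reliable: read highestCommittedUSN before searching and bound the search by it, so a change committed during the search is not skipped on the next pass, and remember which DC a USN came from, because USN counters are local to each domain controller.

```python
"""Incremental change detection against Active Directory via USN polling.

Added example for the thread above (not the posters' or LSC's code).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Tuple


@dataclass
class Entry:
    dn: str
    usn_changed: int                       # AD attribute uSNChanged
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Cursor:
    """Persisted high-water mark: last USN processed, and on which DC."""
    dc: str                                # rootDSE dsServiceName of that DC
    last_usn: int


class Directory(Protocol):
    def root_dse(self) -> Dict[str, str]: ...
    def search_usn_range(self, low: int, high: int) -> List[Entry]: ...


def ldap_filter(low: int, high: int) -> str:
    """Filter selecting objects whose uSNChanged lies in [low, high]."""
    return f"(&(uSNChanged>={low})(uSNChanged<={high}))"


def poll_changes(ad: Directory, cursor: Optional[Cursor]) -> Tuple[List[Entry], Cursor]:
    """Return the entries changed since `cursor` and the new cursor.

    highestCommittedUSN is read *before* the search and used as the upper
    bound; a write committed while the search runs then lands above the
    saved mark and is picked up by the next poll instead of being lost.
    """
    dse = ad.root_dse()
    dc = dse["dsServiceName"]
    high = int(dse["highestCommittedUSN"])
    if cursor is None or cursor.dc != dc:
        # First run, or we are now talking to a different DC: USNs are
        # per-DC counters, so a mark from another DC is meaningless here.
        # (A restored DC also restarts its counter; production code should
        # additionally compare the invocationId of the NTDS Settings object.)
        low = 0
    else:
        low = cursor.last_usn + 1
    if low > high:
        return [], Cursor(dc, high)
    return ad.search_usn_range(low, high), Cursor(dc, high)


@dataclass
class FakeAD:
    """Constructed stand-in for one domain controller (hypothetical data)."""
    ds_service_name: str
    entries: List[Entry]

    def _highest_usn(self) -> int:
        return max((e.usn_changed for e in self.entries), default=0)

    def root_dse(self) -> Dict[str, str]:
        return {"highestCommittedUSN": str(self._highest_usn()),
                "dsServiceName": self.ds_service_name}

    def search_usn_range(self, low: int, high: int) -> List[Entry]:
        # Real implementation: subtree search with ldap_filter(low, high).
        return [e for e in self.entries if low <= e.usn_changed <= high]

    def commit(self, dn: str, attrs: Dict[str, str]) -> int:
        """Simulate a write on this DC: each committed change takes the next USN."""
        new_usn = self._highest_usn() + 1
        for e in self.entries:
            if e.dn == dn:
                e.attrs.update(attrs)
                e.usn_changed = new_usn
                return new_usn
        self.entries.append(Entry(dn, new_usn, dict(attrs)))
        return new_usn


def demo() -> List[List[str]]:
    """Three polls against constructed data; returns the changed DNs per poll."""
    dc01 = FakeAD("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test",
                  [Entry("CN=alice,OU=People,DC=example,DC=test", 1001, {"mail": "[email protected]"}),
                   Entry("CN=bob,OU=People,DC=example,DC=test", 1005, {"mail": "[email protected]"})])
    rounds = []
    changed, cur = poll_changes(dc01, None)          # initial full pass
    rounds.append([e.dn for e in changed])
    changed, cur = poll_changes(dc01, cur)           # nothing new
    rounds.append([e.dn for e in changed])
    dc01.commit("CN=bob,OU=People,DC=example,DC=test", {"mail": "[email protected]"})
    changed, cur = poll_changes(dc01, cur)           # only bob's update
    rounds.append([e.dn for e in changed])
    return rounds


if __name__ == "__main__":
    for i, dns in enumerate(demo(), 1):
        print(f"poll {i}: {dns}")
```

The cursor (DC identity plus last USN) is the only state the synchronizer has to persist between runs; because a search bounded by highestCommittedUSN is idempotent, re-running a poll after a crash simply re-delivers the same set of entries, which an OpenLDAP-side apply step should therefore treat as upserts.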
