LinuxQuestions.org
Old 09-19-2011, 02:46 PM   #1
verve13
LQ Newbie
 
OpenLDAP and Active Directory Integration


Hi All,

I need some guidance with AD and OpenLDAP user database integration/synchronization.
Here is what I am trying to do:

We have a full Linux environment (Ubuntu 10.4) with users on OpenLDAP, using only open-source applications (Postfix, file server, print server, Apache, VPN etc.). Currently all Windows (mostly 7 and Vista) client machines are not on a domain. We want to introduce Active Directory because of its excellent features when it comes to handling users; plus it can also handle update patches, and we can have a variety of restrictions on users using group policies.
I have been digging on the web for the last couple of days but have had no luck in finding something that can synchronize user information from AD to OpenLDAP so we can have one user password for all the applications. We would like to have a centralized user database with one password for all applications.
I hope I was able to explain correctly what I am looking for.
Please let me know if you have implemented something similar to synchronize user password information between AD and OpenLDAP. I will appreciate any input.

Thank you!!
 
Old 09-19-2011, 03:04 PM   #2
T3RM1NVT0R
Senior Member
 
Hi there,

As I understand it, you want to migrate the users from OpenLDAP to Active Directory. If I am not wrong, here is the plan of action:

1. Install Windows Server 2008 and create a new domain.
2. Add the Windows machines to this domain.
3. Configure all applications to point authentication to this Windows 2008 PDC.
4. Migrate the users from OpenLDAP to Active Directory.

For the last part, the best way that I can think of is taking an export in either ldif or csv format and then importing it into Active Directory. You can first try it for an OU with a smaller number of users, and if it works for you then you can take an export for all of them.

As far as I know, an ldif or csv export does not export passwords. However, you can set a default password while importing into Active Directory.

I hope this helps.
 
Old 09-19-2011, 03:25 PM   #3
verve13
LQ Newbie
 
Original Poster
Thanks for your reply.
What I really want to achieve from this integration is to create a centralized user database with one password for all Linux and Windows applications. We barely have any Windows applications, just the desktop machines. I have done the first 2 steps but now I am confused about how to proceed from here to the 3rd and 4th steps you mentioned. Is there a way that in the future I can create users on Active Directory and have them use all the OpenLDAP applications (Postfix, file server, VPN etc.) using AD credentials, which they are currently using through OpenLDAP? This way I will have a synchronized database with one user password for all Linux and Windows applications, and I will be able to find users in OpenLDAP as well as AD. If there is, then can you suggest some names?
I know the following can do the job, but they cost more than $10K:
LDSU (from HP)
SimpleSync (from CPS Systems)
MIIS (aka ILM from MS)

Thanks again for your input.
 
Old 09-19-2011, 03:37 PM   #4
T3RM1NVT0R
Senior Member
 
Yes, it is possible but requires a lot of care. As I mentioned in my previous post, you can do the ldif/csv export and then import it into AD. Here is the plan that you can execute, but remember to first try it at a low level (for a couple of users).

1. Take an ldif/csv export from the OpenLDAP server.
2. Import it into AD.
3. Edit the configuration file of each application to point to AD for authentication.

In the end it is all LDAP; we call it by different names, whether it is AD or SunONE or eDirectory or OpenLDAP. So it is possible. Make sure you take a backup of the configuration file of your applications before making any modifications.

Last edited by T3RM1NVT0R; 09-19-2011 at 03:42 PM.
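The export/import step in the two posts above, as an added example that is not from anyone in the thread: a POSIX shell function that rewrites an OpenLDAP LDIF export into an LDIF that AD's `ldifde` can import, dropping the password hashes AD cannot use and mapping `uid` to `sAMAccountName`. The suffixes, target OU, UPN domain and the sample export are all assumed.

```shell
#!/bin/sh
# Added example: convert an OpenLDAP LDIF export into an ldifde-importable LDIF.
# Assumptions (all constructed): entries live under ou=people,dc=example,dc=com,
# attributes are one per line (no base64 "::" values, no folded lines), and the
# target OU plus UPN domain are passed as arguments. The real export would be:
#   ldapsearch -x -LLL -D cn=admin,dc=example,dc=com -W \
#       -b ou=people,dc=example,dc=com '(objectClass=posixAccount)' > people.ldif

# Constructed sample export standing in for people.ldif (values are made up).
SAMPLE_LDIF='dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo
uidNumber: 10001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Roe
sn: Roe
userPassword: {CRYPT}notarealhash
'

# ldif_for_ad <target OU DN> <UPN domain>   (reads the OpenLDAP LDIF on stdin)
ldif_for_ad() {
    awk -v ou="$1" -v domain="$2" '
    /^dn: / {                               # "dn: uid=jdoe,ou=..." -> jdoe
        split($2, rdn, ","); uid = substr(rdn[1], 5)
        print "dn: CN=" uid "," ou
        print "changetype: add"
        print "objectClass: user"
        print "sAMAccountName: " uid
        print "userPrincipalName: " uid "@" domain
        print "pwdLastSet: 0"               # user must set a new password at first logon
        next
    }
    /^userPassword: / { next }              # AD cannot import these hashes; never copy them
    /^objectClass: /  { next }              # OpenLDAP classes are not valid in AD
    /^uid: /          { next }              # already carried as sAMAccountName
    /^cn: /           { sub(/^cn: /, "displayName: "); print; next }  # cn must equal the RDN in AD
    /^(uidNumber|gidNumber|homeDirectory|loginShell): / { next }      # posixAccount attributes
    { print }                               # sn, mail and blank separators pass through
    '
}

printf '%s' "$SAMPLE_LDIF" | ldif_for_ad "OU=Linux Users,DC=example,DC=com" "example.com"
```

Import the result on a domain controller with `ldifde -i -k -f users_for_ad.ldif`; the accounts arrive disabled and without a password, so set each user's initial password out of band and enable the account, rather than giving everyone one shared default.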
 
Old 09-19-2011, 04:01 PM   #5
verve13
LQ Newbie
 
Original Poster
Thanks again for your quick reply. I think I got it now. Just one question: do you think I will be able to point all open-source apps to AD for authentication? I mostly have Postfix, Dovecot, Apache, VPN, file server, print server etc. Plus, let's say my domain name is example.com on AD and OpenLDAP. How will I be able to point open-source apps to AD when both the domain names (Windows and Linux) are the same? Should I change the domain names of AD and OpenLDAP too?

Many thanks!!
 
Old 09-19-2011, 04:54 PM   #6
T3RM1NVT0R
Senior Member
 
Quote:
Thanks again for your quick reply. I think I got it now. Just one question: do you think I will be able to point all open-source apps to AD for authentication? I mostly have Postfix, Dovecot, Apache, VPN, file server, print server etc. Plus, let's say my domain name is example.com on AD and OpenLDAP. How will I be able to point open-source apps to AD when both the domain names (Windows and Linux) are the same? Should I change the domain names of AD and OpenLDAP too?

Many thanks!!
Well, I cannot say whether it will work for all the applications; for that I would suggest you google and see if it is possible. For the other part I will say that yes, we have to keep separate domain names, the reason being that we are not integrating OpenLDAP and AD; instead we are just dumping the data from OpenLDAP into AD.
 
Old 09-19-2011, 05:31 PM   #7
verve13
LQ Newbie
 
Original Poster
I am working on it now. Hopefully it will work for me.
Really appreciate your help.
 
Old 09-19-2011, 05:38 PM   #8
T3RM1NVT0R
Senior Member
 
You're welcome!
 
Old 09-19-2011, 05:40 PM   #9
acid_kewpie
Moderator
 
Note that you can use them together easily. We use the OpenLDAP meta backend to proxy AD really well. I would strongly recommend pushing as much back into AD as possible.

Last edited by acid_kewpie; 09-20-2011 at 06:03 PM.
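The proxying acid_kewpie mentions, as an added slapd.conf fragment that is not his configuration: a back-meta database presents AD under a local suffix, searches AD with a low-privilege service account, and maps the attribute names the existing applications already query so they keep working unchanged. The domain controller, suffixes, OU and service-account name are assumptions.

```conf
# slapd.conf fragment: OpenLDAP back-meta proxying AD under a local suffix.
# Assumed names: domain controller ad.example.com, AD base DC=example,DC=com,
# local suffix dc=ad,dc=example,dc=com, read-only service account "ldapproxy".
database        meta
suffix          "dc=ad,dc=example,dc=com"
rootdn          "cn=manager,dc=ad,dc=example,dc=com"

# The URI carries the LOCAL naming context; suffixmassage rewrites it to the
# real AD one on the way out and back again on results. Use ldaps so user
# passwords never cross the wire in clear (the AD CA must be trusted via
# TLS_CACERT in ldap.conf).
uri             "ldaps://ad.example.com/dc=ad,dc=example,dc=com"
suffixmassage   "dc=ad,dc=example,dc=com" "DC=example,DC=com"

# AD rejects anonymous searches, so searches run as a service account that is
# an ordinary domain user with no extra rights. mode=none sends no proxyAuthz
# control (AD does not support it); authzFrom "*" lets every local client,
# anonymous ones included, use that identity for lookups. This file now holds
# a password: keep it readable by the slapd user only.
idassert-bind   bindmethod=simple
                binddn="CN=ldapproxy,OU=Service Accounts,DC=example,DC=com"
                credentials="CHANGE-ME-service-account-password"
                mode=none
idassert-authzFrom "*"

# Keep the attribute and class names applications already use against
# OpenLDAP: a filter (uid=jdoe) reaches AD as (sAMAccountName=jdoe).
map             attribute uid sAMAccountName
map             attribute *
map             objectclass inetOrgPerson user
map             objectclass *

# AD answers with referrals to its other naming contexts; do not follow them.
chase-referrals no
```

Applications should search for the user's entry (returned under the local suffix) and then bind with that DN rather than building a `uid=...` DN themselves; the bind is passed through to AD, which does the password check.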
 
Old 09-19-2011, 05:54 PM   #10
verve13
LQ Newbie
 
Original Poster
Hi, thanks for your reply. Can you suggest some tutorial or step-by-step guide I can refer to? I am not that familiar with Linux and I have been asked to work on this task. What I have is Ubuntu 10.4 with OpenLDAP and almost all open-source applications. We just want to create and maintain users in AD and have them use all the open-source applications, and, if possible, propagate the created users to OpenLDAP so we have a synchronized user database in AD and OpenLDAP. Basically, create a one-password, centralized, AD and OpenLDAP integrated user environment. Thanks again!
 
Old 09-20-2011, 04:58 PM   #11
Felipe
Member
 
Hello:

In my company, we use AD and OpenLDAP.

Windows and Linux computers are joined to AD. If you have applications that can authenticate to OpenLDAP, they should also authenticate with AD, as AD is an LDAP directory (and more). In my applications, I use LDAP queries to ask AD.

But, even though I prefer to use free software, I don't understand why you are trying to use AD and OpenLDAP. If you only use AD, you can use various domain controllers and the information is replicated automatically. If you use AD and LDAP, you have to configure synchronization, which can be a bit more complicated.

Regards
 
Old 09-21-2011, 12:57 PM   #12
verve13
LQ Newbie
 
Original Poster
I am not sure if all the open-source applications would work perfectly fine with AD authentication. Can you tell me what kind of open-source services you use? We have email, VPN, file server, print server, Apache, MySQL, Samba, virtual machines, everything open source, and they use OpenLDAP for authentication now.
Thanks..
 
Old 09-21-2011, 01:28 PM   #13
acid_kewpie
Moderator
 
Talk about "open source services" is totally meaningless. They either speak LDAP/Kerberos or they don't, regardless of their price tag. And things like "virtual machines" don't perform any authentication at all; you might as well say your motherboard uses authentication.

Last edited by acid_kewpie; 09-21-2011 at 01:30 PM.
 
Old 09-21-2011, 06:55 PM   #14
verve13
LQ Newbie
 
Original Poster
Thanks for the reply. I still have not found anything that's solid enough to sync the user database between AD and OpenLDAP, so I think I am going to try AD to authenticate all the open-source apps. I hope I won't face any problems in the future.
 
Old 09-21-2011, 08:39 PM   #15
verve13
LQ Newbie
 
Original Poster
@Felipe..
I was trying to point Postfix & Dovecot to AD but I don't see any option where I can do that. Postfix and Dovecot, just like the other open-source apps, are automatically pointed to OpenLDAP once installed. Can you tell me how you configured your open-source apps (mail, SQL, web, file servers) to contact AD for authentication?
 
  

