[mdlug] LDAP Server Question
Wojtak, Greg (Superfly)
GregWojtak at quickenloans.com
Wed Jul 25 09:07:28 EDT 2012
I've got an interesting challenge I'm facing with LDAP/Active Directory and I was hoping to get some thoughts on an idea I had or get some input into other solutions.
Right now, we have AD and a separate SunOne directory server. The Sun DS serves up information for users and netgroups and does authentication. My goal is to migrate everything into AD.
I've gotten just about all the pieces working and have gotten Unix/Linux servers to be able to authenticate against Active Directory. The challenge I'm facing is that the directory is laid out very poorly and all searches for users need to begin at the top-level directory component. This makes for very slow login times in most cases - anywhere from 10 seconds to a minute. nscd and sssd seem to help a bit, but even with them running, logins can sometimes still be very slow.
I was looking at the possibility of using an OpenLDAP proxy to AD or the rewrite proxy overlay for OpenLDAP. I'm sure that would help too, but that got me thinking…
Is there a way to replicate certain objects (i.e., users and groups) from one directory server (i.e., AD) into another (i.e., OpenLDAP) and instead of copying the structure of the directory, replicate them into a structure of my choosing? That would be ideal for me, but if anyone else has any ideas, I'd love to hear them.
I think for now I'm going to continue to pursue the OpenLDAP proxy cache solution to see if that adds anything. That solution loses its appeal to me however because at that point there are so many layers of caching going on that I'm sure we'll start to see issues (we see them today just with client caching).
Thanks!
Greg Wojtak
Sr. Unix Systems Engineer
Office: (313) 373-4306
Cell: (734) 718-8472
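The proxy-plus-cache setup the post is considering, as an added illustration of how the pieces fit together; this is not configuration from the poster or from the mdlug list. It is an OpenLDAP 2.4 slapd.conf fronting Active Directory with back-ldap, the rwm overlay (so Linux hosts see a suffix of your choosing) and the pcache overlay (so repeated NSS/PAM lookups are answered locally instead of as subtree searches from the AD root). Host names, DNs, the service account, the client subnet and the cache templates are assumptions; in particular, a pcache template only serves filters of exactly that shape, so the real templates must be taken from the filters sssd actually sends (visible with `loglevel stats`).

```conf
# Added example: OpenLDAP 2.4 proxy in front of Active Directory.
# Assumed names (not from the post): ad.corp.example.com, the real AD naming
# context dc=corp,dc=example,dc=com, the virtual suffix dc=unix,dc=example,dc=com
# that Linux hosts query, a read-only service account, and clients on 10.10.0.0/16.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap
moduleload      back_ldap.la
moduleload      back_hdb.la
moduleload      rwm.la
moduleload      pcache.la

# The proxy carries a privileged AD credential, so restrict who may query it.
# Keep slapd.conf itself mode 0600, owned by the slapd user.
access to *
        by peername.ip=10.10.0.0%255.255.0.0 read
        by * none

database        ldap
suffix          "dc=unix,dc=example,dc=com"
uri             "ldaps://ad.corp.example.com/"
# Verify the AD certificate against the domain CA; do not fall back to cleartext.
tls             ldaps tls_cacert=/etc/openldap/certs/ad-root-ca.pem tls_reqcert=demand
# Searches from the Linux hosts are performed as one service account regardless
# of who bound to the proxy (mode=none: no proxy authorization asserted to AD).
idassert-bind   bindmethod=simple
                binddn="cn=svc-ldapproxy,ou=Service Accounts,dc=corp,dc=example,dc=com"
                credentials="REPLACE-WITH-SERVICE-PASSWORD"
                mode=none
idassert-authzFrom "*"
# A subtree search from the AD root returns referrals to other partitions;
# chasing them is a large part of the slow-login time, so do not.
chase-referrals no
protocol-version 3
network-timeout 5
conn-ttl        300

# Present the AD naming context under the virtual suffix. This only rewrites
# the base DN on the way in and entry DNs on the way out; it does not flatten
# the tree, so the upstream query is still a subtree search from the AD root.
overlay         rwm
rwm-suffixmassage "dc=corp,dc=example,dc=com"
# Let clients filter on uid while AD is asked for sAMAccountName
# (the foreign name need not exist in the proxy's own schema).
rwm-map         attribute uid sAMAccountName

# Cache answers so that repeat lookups never reach AD. pcache is listed last,
# so it runs first and sees filters in the client (virtual) form.
# pcache <backend> <max entries> <attr sets> <entries per query> <check period s>
overlay         pcache
pcache          hdb 10000 1 1000 100
pcacheAttrset   0 uid uidNumber gidNumber gecos homeDirectory loginShell cn objectClass
# Assumed templates: filter with values stripped, positive TTL 1h, negative TTL 5m.
# Replace with the exact shapes sssd sends (check with loglevel stats); a filter
# that does not match a template is forwarded every time and never cached.
pcacheTemplate  (&(objectClass=posixAccount)(uid=)) 0 3600 300
pcacheTemplate  (&(objectClass=posixAccount)(uidNumber=)) 0 3600 300
pcacheTemplate  (&(objectClass=posixGroup)(gidNumber=)) 0 3600 300
pcacheTemplate  (&(objectClass=posixGroup)(memberUid=)) 0 3600 300
# Local database that holds the cached entries.
directory       /var/lib/ldap/pcache
index           objectClass eq
index           uid,uidNumber,gidNumber,memberUid eq
index           pcacheQueryID eq
```

Two points worth checking before relying on this: the negative TTL is what stops a mistyped or unknown user name from hitting AD on every retry, and the cache stores only the attributes in the attribute set, so a client asking for something outside it bypasses the cache entirely. Binds from users are still forwarded to AD as rewritten DNs, so password verification is not cached; only the lookups around it are.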