[mdlug] LDAP Server Question

Jason Taylor jmtaylor90 at gmail.com
Wed Jul 25 10:11:07 EDT 2012


That's where it will get interesting. A cron entry could work but
obviously you don't want the job to take 10 minutes every time
plodding through a full LDIF export. So just brain storming, you could
do a one time large export conversion and after that have the script
do a diff against the original dump and convert/sync the diff to the
destination LDAP server then apply the diff to the original LDIF
export so your baseline gets updated with every run.

-Jason
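The export-diff-sync loop sketched above, as an added example that is not part of the thread: a small Python LDIF differ that compares the baseline dump with a fresh export, emits LDIF change records with the DN suffix relocated into the destination tree, and then lets the fresh dump become the next baseline. The suffixes, entries and the rewrite-by-suffix rule are assumptions; base64 (`::`) values are kept raw rather than decoded.

```python
# Added example, not from the thread: minimal LDIF differ for Jason's scheme (sample data constructed).

def parse_ldif(text):
    """Parse LDIF content records into {dn: {attr: [values]}}; folded lines joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # continuation of previous line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = {}, {}
    for line in lines + [""]:                         # trailing "" flushes last entry
        if line:
            attr, _, value = line.partition(":")
            entry.setdefault(attr, []).append(value.strip())
        elif "dn" in entry:
            entries[entry.pop("dn")[0]] = entry
            entry = {}
    return entries

def rewrite(value, src, dst):
    """Relocate a DN (or DN-valued attribute such as member) from src to dst suffix."""
    return value[:-len(src)] + dst if value.lower().endswith(src.lower()) else value

def ldif_changes(baseline, current, src, dst):
    """LDIF change records that bring the destination from baseline to current."""
    attrs = lambda a, vs: "".join(f"{a}: {rewrite(v, src, dst)}\n" for v in vs)
    out = []
    for dn in sorted(set(baseline) - set(current)):   # entries removed upstream
        out.append(f"dn: {rewrite(dn, src, dst)}\nchangetype: delete\n")
    for dn in sorted(set(current) - set(baseline)):   # entries added upstream
        body = "".join(attrs(a, vs) for a, vs in current[dn].items())
        out.append(f"dn: {rewrite(dn, src, dst)}\nchangetype: add\n{body}")
    for dn in sorted(set(current) & set(baseline)):   # attribute-level changes
        old, new, mods = baseline[dn], current[dn], []
        for a in sorted(set(old) | set(new)):
            if old.get(a) != new.get(a):
                mods.append(f"delete: {a}\n-\n" if a not in new
                            else f"replace: {a}\n{attrs(a, new[a])}-\n")
        if mods:
            out.append(f"dn: {rewrite(dn, src, dst)}\nchangetype: modify\n" + "".join(mods))
    return out

# Constructed dumps: yesterday's baseline and today's export; save FRESH as the next baseline.
BASELINE = ("dn: uid=alice,ou=people,dc=corp,dc=example\nuid: alice\ncn: Alice Adams\n\n"
            "dn: uid=bob,ou=people,dc=corp,dc=example\nuid: bob\ncn: Bob Brown\n")
FRESH = ("dn: uid=alice,ou=people,dc=corp,dc=example\nuid: alice\ncn: Alice A. Adams\n\n"
         "dn: cn=unixadmins,ou=groups,dc=corp,dc=example\ncn: unixadmins\n"
         "member: uid=alice,ou=people,dc=corp,dc=example\n")
CHANGES = ldif_changes(parse_ldif(BASELINE), parse_ldif(FRESH), "dc=corp,dc=example", "dc=flat,dc=example")
```

Feeding CHANGES to `ldapmodify` against the destination server applies one delete, one add and one modify; an unchanged export yields an empty list, so the cron run costs only the diff.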

On Wed, Jul 25, 2012 at 10:02 AM, Wojtak, Greg (Superfly)
<GregWojtak at quickenloans.com> wrote:
> I could do that.  Is there a way to keep the two directories in sync in
> [near] real-time though?
>
> Greg Wojtak
> Sr. Unix Systems Engineer
> Office: (313) 373-4306
> Cell: (734) 718-8472
>
> On 2012-07-25 9:43 AM, "Jason Taylor" <jmtaylor90 at gmail.com> wrote:
>
>>Have you all looked at scripting an LDIF export and modifying the DN
>>location to the desired destination then importing?
>>
>>-Jason
>>
>>On Wed, Jul 25, 2012 at 9:07 AM, Wojtak, Greg (Superfly)
>><GregWojtak at quickenloans.com> wrote:
>>> I've got an interesting challenge I'm facing with LDAP/Active Directory
>>>and I was hoping to get some thoughts on an idea I had or get some input
>>>into other solutions.
>>>
>>> Right now, we have AD and a separate SunOne directory server.  The Sun
>>>DS serves up information for users and netgroups and does
>>>authentication.  My goal is to migrate everything into AD.
>>>
>>> I've gotten just about all the pieces working and have gotten
>>>Unix/Linux servers to be able to authenticate against Active Directory.
>>>The challenge I'm facing is that the directory is laid out very poorly
>>>and all searches for users need to begin at the top-level directory
>>>component. This makes for very slow login times in most cases - anywhere
>>>from 10 seconds to a minute.  nscd and sssd seem to help a bit, but even
>>>with them running, logins can sometimes still be very slow.
>>>
>>> I was looking at the possibility of using an OpenLDAP proxy to AD or
>>>the rewrite proxy overlay for OpenLDAP.  I'm sure that would help too,
>>>but that got me thinking…
>>>
>>> Is there a way to replicate certain objects (ie users and groups) from
>>>one directory server (ie AD) into another (ie, OpenLDAP) and instead of
>>>copying the structure of the directory, replicate them into a structure
>>>of my choosing?  That would be ideal for me, but if anyone else has any
>>>ideas, I'd love to hear them.
>>>
>>> I think for now I'm going to continue to pursue the OpenLDAP proxy
>>>cache solution to see if that adds anything.  That solution loses its
>>>appeal to me however because at that point there are so many layers of
>>>caching going on that I'm sure we'll start to see issues (we see them
>>>today just with client caching).
>>>
>>> Thanks!
>>>
>>> Greg Wojtak
>>> Sr. Unix Systems Engineer
>>> Office: (313) 373-4306
>>> Cell: (734) 718-8472
>>>
>>> _______________________________________________
>>> mdlug mailing list
>>> mdlug at mdlug.org
>>> http://mdlug.org/mailman/listinfo/mdlug
