[mdlug] LDAP Server Question

Wojtak, Greg (Superfly) GregWojtak at quickenloans.com
Wed Jul 25 10:17:34 EDT 2012


Hmmm... I might also be able to use the whenChanged attribute on the
objects and compare it to the current time and fashion my ldap query to
just check whenChanged>=$CURRENT_TIME_MINUS_10_MINUTES

One of the main things I'm concerned with though is password replication.
I wonder if that just gets treated as a "normal" attribute.

Greg Wojtak
Sr. Unix Systems Engineer
Office: (313) 373-4306
Cell: (734) 718-8472





On 2012-07-25 10:11 AM, "Jason Taylor" <jmtaylor90 at gmail.com> wrote:

>That's where it will get interesting. A cron entry could work but
>obviously you don't want the job to take 10 minutes every time
>plodding through a full LDIF export. So just brain storming, you could
>do a one time large export conversion and after that have the script
>do a diff against the original dump and convert/sync the diff to the
>destination LDAP server then apply the diff to the original LDIF
>export so your baseline gets updated with every run.
>
>-Jason
>
>On Wed, Jul 25, 2012 at 10:02 AM, Wojtak, Greg (Superfly)
><GregWojtak at quickenloans.com> wrote:
>> I could do that.  Is there a way to keep the two directories in sync in
>> [near] real-time though?
>>
>> Greg Wojtak
>> Sr. Unix Systems Engineer
>> Office: (313) 373-4306
>> Cell: (734) 718-8472
>>
>>
>>
>>
>>
>> On 2012-07-25 9:43 AM, "Jason Taylor" <jmtaylor90 at gmail.com> wrote:
>>
>>>Have you all looked at scripting an LDIF export and modifying the DN
>>>location to the desired destination then importing?
>>>
>>>-Jason
>>>
>>>On Wed, Jul 25, 2012 at 9:07 AM, Wojtak, Greg (Superfly)
>>><GregWojtak at quickenloans.com> wrote:
>>>> I've got an interesting challenge I'm facing with LDAP/Active Directory
>>>>and I was hoping to get some thoughts on an idea I had or get some input
>>>>into other solutions.
>>>>
>>>> Right now, we have AD and a separate SunOne directory server.  The Sun
>>>>DS serves up information for users and netgroups and does
>>>>authentication.  My goal is to migrate everything into AD.
>>>>
>>>> I've gotten just about all the pieces working and have gotten
>>>>Unix/Linux servers to be able to authenticate against Active Directory.
>>>>The challenge I'm facing is that the directory is laid out very poorly
>>>>and all searches for users need to begin at the top-level directory
>>>>component. This makes for very slow login times in most cases - anywhere
>>>>from 10 seconds to a minute.  nscd and sssd seem to help a bit, but even
>>>>with them running, logins can sometimes still be very slow.
>>>>
>>>> I was looking at the possibility of using an OpenLDAP proxy to AD or
>>>>the rewrite proxy overlay for OpenLDAP.  I'm sure that would help too,
>>>>but that got me thinking...
>>>>
>>>> Is there a way to replicate certain objects (ie users and groups) from
>>>>one directory server (ie AD) into another (ie, OpenLDAP) and instead of
>>>>copying the structure of the directory, replicate them into a structure
>>>>of my choosing?  That would be ideal for me, but if anyone else has any
>>>>ideas, I'd love to hear them.
>>>>
>>>> I think for now I'm going to continue to pursue the OpenLDAP proxy
>>>>cache solution to see if that adds anything.  That solution loses its
>>>>appeal to me however because at that point there are so many layers of
>>>>caching going on that I'm sure we'll start to see issues (we see them
>>>>today just with client caching).
>>>>
>>>> Thanks!
>>>>
>>>> Greg Wojtak
>>>> Sr. Unix Systems Engineer
>>>> Office: (313) 373-4306
>>>> Cell: (734) 718-8472
>>>>
>>>> _______________________________________________
>>>> mdlug mailing list
>>>> mdlug at mdlug.org
>>>> http://mdlug.org/mailman/listinfo/mdlug
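Jason's LDIF diff-and-sync idea and Greg's worry about password replication, worked as an added example that is not from this thread or from either poster: a Python script, written and assumed here, that diffs a baseline LDIF export against a fresh one, re-parents each DN into a destination container of your choosing (the "modify the DN location" step), emits LDIF change records, and flags password attributes that AD does not return over LDAP and which no export-based sync can therefore carry. It assumes simple unfolded LDIF with no base64 values; the sample exports and the destination suffix are constructed.

```python
from collections import defaultdict

# AD never returns password attributes over LDAP, so neither a whenChanged poll nor
# an LDIF export can carry them: record them as skipped rather than pretend to sync.
SECRET_ATTRS = {"unicodepwd", "userpassword", "dbcspwd", "ntpwdhistory"}

def parse_ldif(text):
    """Minimal LDIF parser (no '::' base64 values, no folding); names lower-cased."""
    entries, dn = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if not line.strip():              # blank line ends the current entry
            dn = None
        elif key == "dn":
            dn, entries[val.lower()] = val.lower(), defaultdict(set)
        elif dn:
            entries[dn][key].add(val)
    return entries

def rewrite_dn(dn, dst_suffix):
    """Re-parent the RDN under a container of your choosing instead of AD's layout."""
    return f"{dn.split(',', 1)[0]},{dst_suffix}"
def attr_lines(attr, values):
    return "".join(f"{attr}: {v}\n" for v in sorted(values))

def diff_ldif(baseline, export, dst_suffix):
    """LDIF change records turning baseline into export, plus skipped secret attrs.
    Deleted entries appear here but would never match a whenChanged>= poll of AD."""
    old, new, out, skipped = parse_ldif(baseline), parse_ldif(export), [], []
    for dn in sorted(set(old) | set(new)):
        if dn not in new:
            body = "changetype: delete\n"
        else:
            skipped += [f"{dn}:{a}" for a in new[dn] if a in SECRET_ATTRS]
            attrs = {a: v for a, v in new[dn].items() if a not in SECRET_ATTRS}
            if dn not in old:
                body = "changetype: add\n" + "".join(attr_lines(a, attrs[a]) for a in sorted(attrs))
            else:  # LDIF modify syntax: one replace/delete block per attribute, '-' separated
                mods = [f"replace: {a}\n{attr_lines(a, attrs[a])}-\n" for a in sorted(attrs) if attrs[a] != old[dn].get(a)]
                mods += [f"delete: {a}\n-\n" for a in sorted(old[dn]) if a not in new[dn]]
                body = "changetype: modify\n" + "".join(mods) if mods else ""
        if body:
            out.append(f"dn: {rewrite_dn(dn, dst_suffix)}\n{body}\n")
    return "".join(out), skipped

# Constructed sample exports (not real data): alice lost 'mail', bob removed, carol new.
BASELINE = "dn: CN=alice,OU=Staff,DC=corp,DC=example\nsAMAccountName: alice\nmail: a@old\n\ndn: CN=bob,OU=Staff,DC=corp,DC=example\nsAMAccountName: bob\n"
EXPORT = "dn: CN=alice,OU=Staff,DC=corp,DC=example\nsAMAccountName: alice\nunicodePwd: x\n\ndn: CN=carol,OU=Staff,DC=corp,DC=example\nsAMAccountName: carol\n"
CHANGES, SKIPPED = diff_ldif(BASELINE, EXPORT, "ou=people,dc=example,dc=org")
```

The output of CHANGES can be fed to ldapmodify against the destination server, and SKIPPED is what a whenChanged poll would equally have been unable to replicate, so passwords need a separate mechanism (Kerberos against AD, or a password-sync hook) rather than a directory copy.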