Integrating Active Directory with LDAP

 
Ranch Hand
Posts: 49
We are currently maintaining our user profile in Active Directory (as part of Exchange).
We are planning to implement iPlanet Directory Server for Unix authentication/application usage.
I have heard of Metadirectory to integrate these. Anyone with some experience on this?
 
Author
Posts: 27
Hi Sandep,
Yes. Meta-directory can help in this regard. You would use the meta-directory product to synchronize information between the two directories as appropriate. One thing to consider, however, is that some meta-directory products have weak password propagation capabilities, meaning that if you change a password in LDAP you might not be able to easily move the password to Active Directory and vice versa. In an environment where the idea is to provide consolidated identity information (including login information), this is obviously an important field to get integrated.
To get around this with those meta-directory products, you can use special password synchronization products, most of which are agent-based and specialize in password capture. Psynch, Passgo, and Courion all make good password synchronization products that work with Active Directory and other LDAP directories.
As an alternative to meta-directory, you might go with a provisioning product. Rather than have you use your management interfaces in Exchange and Sun and then synchronize with a metadirectory on the backend, you might use the provisioning tool's interface to make changes and have it fan out those changes to Active Directory, Sun One, and any other identity repository that might need the information.
Clayton
[ March 17, 2003: Message edited by: Clayton Donley ]
 
Sandep Chaturvedi
Ranch Hand
Posts: 49
That was a great suggestion. Can you tell me some of the provisioning tools that I can use?
 
Clayton Donley
Author
Posts: 27
Someone was developing an open source tool, but I can't seem to find the link anymore with a Google search. The commercial ones are a bit pricey, but worth it if you have many environments (particularly ones that require specialized skills to connect to).
Some vendors with full-blown provisioning solutions would be Business Layers, IBM/Tivoli, Waveset, and Thor.
If you're just looking to do an LDAP server plus Active Directory, you could probably cobble together what you need by extending a few of the LDAP management tools out there to change multiple directories from a single change.
Clayton
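
The "single change, multiple directories" fan-out discussed in this thread, as an added example that is not part of the original posts or of any product named in them. It covers only the password attribute, the field the thread flags as hard to propagate: Active Directory accepts a new password only as a quoted UTF-16LE `unicodePwd` value over TLS, while a generic LDAP server takes `userPassword`. Host names, DNs and function names are assumptions made for the example.

```python
import base64

# Constructed sample targets; host names and DNs are assumptions for this example.
TARGETS = [
    {"name": "active-directory", "kind": "ad",
     "url": "ldaps://ad.example.com",
     "dn": "CN=Jane Doe,CN=Users,DC=example,DC=com"},
    {"name": "sun-one", "kind": "ldap",
     "url": "ldaps://ds.example.com",
     "dn": "uid=jdoe,ou=People,dc=example,dc=com"},
]


def encode_password(kind, password):
    """Return (attribute, raw bytes) in the form each directory type accepts."""
    if kind == "ad":
        # AD: unicodePwd must be the password in double quotes, UTF-16LE encoded.
        return "unicodePwd", ('"' + password + '"').encode("utf-16-le")
    # Generic LDAP: send userPassword; the server applies its own storage scheme.
    return "userPassword", password.encode("utf-8")


def fan_out_password_change(password, targets=TARGETS):
    """Turn one password change into one LDIF modify record per directory."""
    records = {}
    for t in targets:
        # The new password travels in the clear inside the request, so require TLS.
        if not t["url"].startswith("ldaps://"):
            raise ValueError(f"{t['name']}: refusing to send a password without TLS")
        attr, raw = encode_password(t["kind"], password)
        value = base64.b64encode(raw).decode("ascii")
        records[t["name"]] = "\n".join([
            f"dn: {t['dn']}",
            "changetype: modify",
            f"replace: {attr}",
            f"{attr}:: {value}",  # '::' marks a base64-encoded value in LDIF
            "-",
        ])
    return records


if __name__ == "__main__":
    # Print only the target names; the records contain the password itself.
    for name in fan_out_password_change("N3w-Passw0rd!"):
        print("prepared modify record for", name)
```

Because the change is captured once at the point of entry and re-encoded per target, no stored hash has to be moved between directories.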