Replication of an X.500 Directory Service to Microsoft's Active Directory

Slides: 11
Provided by: erics66

1
Replication of an X.500 Directory Service to
Microsoft's Active Directory
2
Business Drivers
  • Active Directory is a requirement for desktop
    management, and the security which comes with it
  • The cost of maintaining two separate data sets
    (one for the enterprise services, and one for the
    desktops), in any kind of consistent state, would
    have been prohibitive

3
Scope and Goals
  • Unidirectional replication of data in OpenLDAP
    (an X.500 directory service) to Active Directory
  • Full replication of users and groups
  • Real time
  • Adaptable, and low maintenance

4
Method
5
My Definition of a Translating Proxy
  • A normal proxy server lets data through verbatim
    in most cases (though it may make authorization
    decisions)
  • A translating proxy server strives to let meaning
    through verbatim, but it may change the data's
    representation.

6
Translation Process, General Flow
  • Given an object to add, or a modification to
    apply
  • Compute the set of attributes which are allowed
    based on the AD schema. Remove attributes which
    are not allowed
  • Compute the set of attributes which are required
    but missing; generate values for them if
    possible, otherwise reject the change
  • Perform AD-specific translations (address AD
    quirks), and apply the change
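
The three steps above, sketched as an added example (not code from the presentation or from Tdir). The schema subset, the generator rules and the sample entry are constructed for illustration; the 20-character limit on a user's sAMAccountName is the one AD-specific rule shown, and rejecting instead of truncating is this example's choice so that two source accounts can never collapse into one.

```python
# Constructed, simplified target schema for illustration; not the real AD schema.
AD_SCHEMA = {"user": {"must": {"cn", "sAMAccountName"},
                      "may": {"sn", "givenName", "mail", "telephoneNumber"}}}

# Hypothetical rules for deriving a required attribute from source attributes.
GENERATORS = {"sAMAccountName": lambda e: e.get("uid"),
              "cn": lambda e: e.get("displayName")}

class RejectedChange(Exception):
    """A required attribute cannot be generated, or a value is unusable."""

def translate(entry, object_class="user"):
    """Translate one LDAP add into (target_entry, dropped_attribute_names)."""
    schema = AD_SCHEMA[object_class]
    allowed = schema["must"] | schema["may"]
    # Step 1: keep only attributes the target schema allows. The dropped
    # names are returned so the caller can log what did not replicate.
    out = {k: list(v) for k, v in entry.items() if k in allowed}
    dropped = sorted(k for k in entry if k not in allowed)
    # Step 2: generate required-but-missing attributes, or reject the change.
    for attr in sorted(schema["must"] - set(out)):
        gen = GENERATORS.get(attr)
        values = gen(entry) if gen else None
        if not values:
            raise RejectedChange(f"required attribute {attr!r} cannot be generated")
        out[attr] = list(values)
    # Step 3: target-specific handling. Reject over-long account names
    # rather than truncating them, then set the target object class.
    if any(len(v) > 20 for v in out["sAMAccountName"]):
        raise RejectedChange("sAMAccountName longer than 20 characters")
    out["objectClass"] = [object_class]
    return out, dropped

# Constructed OpenLDAP-style source entry (attribute -> list of values).
SAMPLE = {
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "mail": ["jdoe@example.edu"],
    "uidNumber": ["1001"],
    "homeDirectory": ["/home/jdoe"],
}

if __name__ == "__main__":
    translated, dropped = translate(SAMPLE)
    print(translated)
    print("dropped:", dropped)
```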

7
A Small Example
8
Tdir at CSUN
9
So How About Those Goals
  • Tdir is currently able to replicate 99.9% of our
    user and group objects
  • Tdir is fast enough that real time replication is
    the rule instead of the exception
  • Because Tdir understands the schema and the
    directory at a high level, it has proven very
    adaptable to changes

10
http://tdir.sourceforge.net
eric.stokes_at_csun.edu