Problem solve Get help with specific problems with your technologies, process and projects.

OpenLDAP migration: OpenLDAP from an Active Directory schema

While integrating user provisioning products may seem like a lot of work, there are strategies to make it go smoothly. In this expert response, Randall Gamby describes how to incorporate OpenLDAP into an Active Directory schema.

I'd like to transition our user provisioning from Active Directory to OpenLDAP. I was planning to install OpenLDAP...

on Ubuntu. Is it possible to move all AD users to OpenLDAP?

Yes, from Active Directory it is possible to perform an OpenLDAP migration on an Ubuntu or other operating system, but you'll need to use an intelligent transfer program like a virtual directory or meta-directory to do it. Flat-file synchronization generally is a lot of work, since the data migrates but the access controls do not (something virtual directories and meta-directories do carry over).

First, you must map the OpenLDAP schema to the current Active Directory schema. Next, the OpenLDAP user object must be extended to include all the fields used in Active Directory. Once the mappings are done, you'll need a transportation method, either a flat-file synchronization program or a meta-directory. For synchronization you'll extract the Active Directory user objects into a flat file (usually comma delimited), then run an import synchronization that takes the flat file and imports the content into the OpenLDAP schema. If a meta-directory is used, you'll create real-time connections between the Active Directory server and the OpenLDAP server.

The mappings done in the previous step are then used to configure the connectors. Finally, a meta directory update is done and the Active Directory will send out a "replication" that maps to the OpenLDAP schema, as defined by the meta directory, and automatically populates the OpenLDAP server.

This was last published in June 2010

Dig Deeper on Privileged access management