ADOD Synchronization – Anyone out there doing this?

[mcnaugha]

I have a customer who wants to keep his Mac OS X Servers in power at his individual schools, but would like the school ODMs to sync up accounts (and their passwords) to a centralised enterprise AD. The sync’ing should be bidirectional.

I’ve tried to find answers on the web without much hope. I’ve seen a few projects look at doing this with OpenLDAP, but they all seem to fall flat at some point in the past as though they gave up.

Is there a metadirectory solution or something for this?

Or is the best advice just to give up and go with AD? The Mac servers will definitely be kept around for MCX.

Thanks in advance.

[mcnaugha]

Hey Joel and Josh,

Thanks for replying. I’m an ACT/ACSA and consulting engineer with many years of integration experience. I attended WWDC07 there and saw you guys. Great sessions. “Bending Directory Services to your will” was just the best wasn’t it? If only we had an official event from Apple like WWDC in Europe. I think they need to split the IT track into two though. One track for newbies and another for old hacks. PLUS… more promotion of Apple Training! So many people appeared hungry for the knowledge that can be provided by the Apple Training courses and yet no one promoted them at any session. Is that Steve up to his old anti-training tricks??? 😆

This is an advanced customer who does not want to switch to AD. He prefers to prove that the Apple technology is solid. He wants to leave the Mac servers with their own databases and merely sync accounts back to a central system. This is needed because of a new country-wide education network that is currently under construction. The aim is to have country-wide single accounts. At the moment it looks like AD will be the focus.

My IT colleagues have suggested MS’ Federated Identity stuff. [url]http://www.microsoft.com/windowsserver2003/technologies/idm/FederatedIdentity.mspx[/url] So we’re going to look at that and talk directly with MS about it. Had you seen this before?

This definitely seems like a hole in the market. If someone can produce a solution which will allow you to sync accounts back and forth then that could be a killer app. All we’d need is the accounts. MCX can continue to reside soley on the Mac server.

[mcnaugha]

I think the last reason there may be the strongest. We’re talking about approx. 300 OS X Servers. At the moment they all run their own independent ODM.

I have attempted to present the now traditional way of doing things, but he’s determined to at least research some potential solutions here.

Everything I’ve read on the web so far seems to indicate that people have attempted this and apparently given up at some point.

I will pass on your comments, give our enthusiastic Windows/Linux techs a chance to try something, and post again with the final outcome.

We have another major education district here that went completely AD and modified the schema to support MCX.

For this customer I suspect it will have to be complete move to magic/golden triangle or after October… the CoD (Cylinder Of Destiny)!

[Author]

Posts