We are currently maintaining our user profiles in Active Directory (as part of Exchange). We are planning to implement iPlanet Directory Server for Unix authentication/application usage. I have heard of metadirectory products to integrate these. Anyone with some experience with this?
Hi Sandep, Yes. A meta-directory can help in this regard. You would use the meta-directory product to synchronize information between the two directories as appropriate. One thing to consider, however, is that some meta-directory products have weak password propagation capabilities, meaning that if you change a password in LDAP you might not be able to easily move the password to Active Directory and vice versa. In an environment where the idea is to provide consolidated identity information (including login information), this is obviously an important field to get integrated. To get around this with those meta-directory products, you can use special password synchronization products, most of which are agent-based and specialize in password capture. Psynch, Passgo, and Courion all make good password synchronization products that work with Active Directory and other LDAP directories. As an alternative to a meta-directory, you might go with a provisioning product. Rather than having you use your management interfaces in Exchange and Sun and then synchronize with a meta-directory on the back end, you might use the provisioning tool's interface to make changes and have it fan out those changes to Active Directory, Sun ONE, and any other identity repository that might need the information. Clayton [ March 17, 2003: Message edited by: Clayton Donley ]
Someone was developing an open source tool, but I can't seem to find the link anymore with a Google search. The commercial ones are a bit pricey, but worth it if you have many environments (particularly ones that require specialized skills to connect to). Some vendors with full-blown provisioning solutions would be Business Layers, IBM/Tivoli, Waveset, and Thor. If you're just looking to do an LDAP server plus Active Directory, you could probably cobble together what you need by extending a few of the LDAP management tools out there to change multiple directories from a single change. Clayton
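An added illustration, not from this thread or from any product named in it, of the fan-out model the replies describe: one change submitted through a provisioning interface is pushed to each directory using that directory's own attribute names and its own password mechanism, which is also why a password hash stored in one directory cannot simply be copied to the other. The Directory class, the DN templates under example.com and the two hash functions are constructed stand-ins, not real LDAP clients or the real unicodePwd/{SSHA} formats.

```python
import base64, hashlib, os

class Directory:
    """Constructed in-memory stand-in for one identity store (not a real LDAP client)."""
    def __init__(self, name, dn_template, pw_attr, hash_pw, attr_map):
        self.name, self.dn_template, self.pw_attr = name, dn_template, pw_attr
        self.hash_pw, self.attr_map, self.entries = hash_pw, attr_map, {}  # entries: dn -> attrs

    def dn_for(self, uid):
        return self.dn_template.format(uid=uid)
    def entry(self, dn):
        if dn not in self.entries:
            raise KeyError(f"{self.name}: no entry for {dn}")
        return self.entries[dn]

    def modify(self, dn, changes):  # canonical attribute names -> this store's own names
        self.entry(dn).update({self.attr_map[k]: v for k, v in changes.items()})
    def set_password(self, dn, cleartext):
        # Each store hashes the clear text itself; a hash stored elsewhere cannot be reused.
        self.entry(dn)[self.pw_attr] = self.hash_pw(cleartext)

def ssha_like(pw):  # stand-in for {SSHA}: random salt, so the value is never reproducible
    salt = os.urandom(4)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(pw.encode() + salt).digest() + salt).decode()

def ad_like(pw):  # stand-in for AD's unicodePwd: unsalted digest of the UTF-16LE password
    return hashlib.sha256(pw.encode("utf-16-le")).hexdigest()

AD = Directory("ActiveDirectory", "CN={uid},OU=Users,DC=example,DC=com", "unicodePwd", ad_like,
               {"uid": "sAMAccountName", "mail": "mail", "phone": "telephoneNumber"})
IPLANET = Directory("iPlanet", "uid={uid},ou=People,dc=example,dc=com", "userPassword", ssha_like,
                    {"uid": "uid", "mail": "mail", "phone": "telephoneNumber"})
TARGETS = (AD, IPLANET)

def fan_out(uid, changes, password=None):
    """Push one provisioning change to every target and report each target's outcome."""
    report = {}
    for d in TARGETS:
        try:
            d.modify(d.dn_for(uid), changes)
            if password is not None:
                d.set_password(d.dn_for(uid), password)
            report[d.name] = "ok"
        except KeyError as err:
            report[d.name] = f"failed: {err}"  # surfaced so the two stores can be reconciled
    return report

for d in TARGETS:  # constructed sample data: jdoe exists in both stores
    d.entries[d.dn_for("jdoe")] = {}
```

A change for a user missing from one store is reported as failed for that store rather than silently skipped, which is the reconciliation signal a provisioning tool needs.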