One of the things I’m looking into to make the life of those remaining easier when I leave is whether we should try to migrate (I call it downgrade) from OpenLDAP to Active Directory. Under normal circumstances, I’d never, ever suggest this, and the only reasons I’m doing it now are:

  • The organization is deploying a largish AD anyways.
  • Doing so (i.e. moving) would cut down on the number of directory systems within the organization.
  • Some of the administrators might feel happier about having “support”. (That is a joke.)

The evaluation consists of making sure objects and attribute types we’ve defined in our LDAP schema actually can be migrated. Even if we can get all our objects into Active Directory, which should be possible somehow, there are still lots of unanswered questions:

  • Does SASL EXTERNAL authentication finally work in 2008? (It didn’t the last time I tried.)
  • Is there any way to have users created with distinguished names of uid=xxx instead of cn=xxx? (This shouldn’t be a problem for applications, but I don’t know how many rely on the former DN syntax.)
  • Can we plug in all the required subsystems, such as freeRADIUS, Mantis, etc. and will they work as expected?
  • How much work is it going to be to “port” access control to Active Directory?
  • Is Active Directory fast enough?
  • What will break later on?

The most important question to answer is whether it actually is worthwhile to attempt the downgrade. (I think I know the answer to that already.)

Update: forget it.

LDAP, Radius, and AD :: 06 Oct 2009 :: e-mail