Global Security Forum

Did someone implement realtime sync/replication between security directory server and MS Active Directory?

If yes, Are there any references or documentation around it?

------------------------------
Akash B
------------------------------

You can't get true realtime - it will always involve an asynchronous connection. SDS has a changelog. When you enable it, SDS will write entries there whenever there are changes. It's very easy to write a TDI assembly line to read from the changelog (from memory there's a ChangeLog connector ) and write into AD (via LDAP or some other mechanism). You could use any mechanism that leverages LDAP to read records from the changelog and push the changes into AD (again using LDAP).

------------------------------
David Edwards,
WW Tech Enablement SME for Identity Products
IBM Security
------------------------------

Original Message:
Sent: Wed April 17, 2019 09:48 AM
From: Akash Bollepalli
Subject: Can we have realtime sync between IBM Directory Server and Microsoft Active Directory?

Did someone implement realtime sync/replication between security directory server and MS Active Directory?

If yes, Are there any references or documentation around it?

------------------------------
Akash B
------------------------------

Yes, this is how Federated Directory Server - https://www.ibm.com/support/knowledgecenter/en/SSCQGF_7.2.0/com.ibm.IBMDI.doc_7.2/fds.html - syncs between SDS and AD.

------------------------------
Dave Bachmann
------------------------------

Original Message:
Sent: Thu April 18, 2019 02:53 AM
From: David Edwards
Subject: Can we have realtime sync between IBM Directory Server and Microsoft Active Directory?

You can't get true realtime - it will always involve an asynchronous connection. SDS has a changelog. When you enable it, SDS will write entries there whenever there are changes. It's very easy to write a TDI assembly line to read from the changelog (from memory there's a ChangeLog connector ) and write into AD (via LDAP or some other mechanism). You could use any mechanism that leverages LDAP to read records from the changelog and push the changes into AD (again using LDAP).

------------------------------
David Edwards,
WW Tech Enablement SME for Identity Products
IBM Security

Original Message:
Sent: Wed April 17, 2019 09:48 AM
From: Akash Bollepalli
Subject: Can we have realtime sync between IBM Directory Server and Microsoft Active Directory?

Did someone implement realtime sync/replication between security directory server and MS Active Directory?

If yes, Are there any references or documentation around it?

------------------------------
Akash B
------------------------------

You especially want to leverage the changelog to do this in environments with many users.  If you have 10's of thousands of records, or worse yet, hundreds of thousands of records, don't try to iterate through them all.  It takes WAY to long with TDI, especially if you have a lot going on in the AL before writing back to AD.

------------------------------
Eric Newman
------------------------------

Original Message:
Sent: Wed April 17, 2019 09:48 AM
From: Akash Bollepalli
Subject: Can we have realtime sync between IBM Directory Server and Microsoft Active Directory?

Did someone implement realtime sync/replication between security directory server and MS Active Directory?

If yes, Are there any references or documentation around it?

------------------------------
Akash B
------------------------------