Problem
A Forum reader recently asked:
"Last year I created a simple eDir-to-eDir IDM system to manage the life cycle of our students. Students are dumped into the identity tree then, via eDir-to-eDir, they are created in the production tree.
When I first set up the eDir-to-eDir drivers, I pointed everything to OU=Users|OU=Students, since that is all we were doing, and it was set up so the Identity tree was the authoritative source. Now we need to create a flat tree for all our staff to be in a single OU, for LDAP authentication purposes for a new application.
My thought was to just take all the Staff from the various OUs in my production tree and have IDM, via the edir-edir driver, create the accounts in the identity tree under OU=Staff|OU=active.
Can I use the same eDir drivers already set up, or is it best to create a new set of eDir-to-eDir drivers to handle this task? Is it possible to have multiple sets of eDir-to-eDir drivers in the same tree?"
And here's the response from David Gersic ...
Solution
Running one or more eDir-to-eDir drivers is primarily a function of how you want to handle replica placement. If you're comfortable with a single server in each tree holding a writable replica (Master or Read/Write) of all partitions, then you can do everything in one eDir driver. If you don't have a single server that meets these criteria, then you would have to run multiple eDir drivers, and things get more complicated.
You could also choose to run multiples for scaling or performance reasons, but if you need this you probably already know how to do it.
Yes, it is possible to have multiple sets of eDir-to-eDir drivers in the same tree.
Note that there are 12 eDir-eDir drivers connecting my two trees. There are some things you have to be careful of when doing this, to keep events on one driver from causing a loop through another driver ("scoping"). Still, it's worked really well for us.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.