A Forum reader recently asked:
"I'm trying to synchronize eDirectory with AD in an MS-centric network. This is in preparation for installing ZENworks. I have loaded the driver on the eDirectory server and am NOT using a remote loader on the DC. I have the driver installed and working, but get the error LDAP_SERVER_DOWN in the trace."
And here's the response from Aaron Burgemeister ...
I highly recommend you put the Remote Loader (RL) on the Domain Controller (DC). It will simplify (incredibly) what you will probably need to do. Also, should you decide to go with a non-DC you will need to use Negotiate if you want passwords to synchronize bidirectionally or
Exchange to be provisioned.
If you do not have the RL on the DC, you still need to use Negotiate as long as the server running the RL is in the domain. If it is not, you must use Simple - and then you lose features.
While using Negotiate on a member server (of your domain), you still must use SSL for the synchronization. Also, you must specify your DC with a DNS name, as I recall. Running the RL on the DC means you can leave out the authentication context (the DC in DNS form) as well as
SSL/Signing/Sealing - which are, in all other cases, required. If you get an LDAP 81 error, usually that means SSL isn't configured properly on the DC. You will need to talk to Microsoft or your MAD admins for that.
As a note of why I prefer the RL on the DC a few things come to mind.
- No extra configuration is needed for either MAD or eDirectory.
- Fewer network connections are being crossed (slowing things down), and there are fewer places for interruptions to occur or malicious-types to penetrate.
- I can get the RL on DC working in about 5 minutes with passwords going both ways, including the DC reboot. The steps to setup LDAPS on MAD and have it working with the driver are painful and take much longer - and there aren't really any benefits to doing it that way.
The Remote Loader runs (on my box) taking a whole 11 MB RAM when tracing, which is fairly minimal (about the same as wordpad and calc running together, on my box). All the Remote Loader does is listen (on the port you choose) and run the driver shim. The shim talks to AD, so it's not prone to harming the DC itself. When SSL is enabled there, between the RL and the engine (as it should be), anybody attempting to connect to the RL would need, besides two passwords, the SSL certificate used for the connection. So, it's fairly safe against attackers.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.