4

I have a production Active Directory installation and now I want to set up a test environment on my PC using ApacheDS as my Directory.

Is it possible / how can I copy / migrate / clone my Active Directory data to my ApacheDS installation?

It seems to be very hard to find any instructions on how to do this so I'm also open to solutions for cloning my production AD to something on my Win7 PC (Windows Server virtual machine?). My end goal is really clear: a simple solution to emulate AD on my PC...

AlfaTeK

3 Answers

6

Hayalci's answer is a good one for the question in your title, but not for the goal in your last sentence. This will not accomplish "AD in your PC." End of sentence.

LDAP alone will not emulate AD. For one thing, an LDIF export and import won't bring in passwords. But much larger, LDAP is only a piece of AD. AD also includes Kerberos, DNS with RR, and GPO - plus all the ACLs, both to AD objects and everything else in the Microsoft ecosystem.

If you need a copy of AD, then you can use some VM software (VMware, Hyper-V, etc.) to host a Windows Server that gets a DCpromo. Without knowing what you need to test, I can't tell you how much to export/import to actually get a proper test. The suggestion to use LDIF is a good one, and if you're using AD with the same version and unmodified schemas on both production and your test instance, that will get your whole user database (minus passwords) into your test environment.

That won't include permissions, servers, and who knows what else might be important in your environment. But it's a good start.

mfinni
  • I just require the "LDAP" part of Active Directory (my application uses it to authenticate the users). Problem with LDIF export is that when importing, ApacheDS gives an error stating "attributes unknown" – AlfaTeK Aug 14 '12 at 15:03
  • As I said, the schemas will have to match. Actually, that's the same thing hayalci said as well: you'll have to modify the LDIF file. But let me ask you - if you're just using AD for authentication, why don't you just point your application to the existing domain controllers? They'll allow other services to authenticate via LDAP. There's security etc. to consider, but it's easier than setting up a new directory service. Use what you have. – mfinni Aug 14 '12 at 17:19
  • Because I need to replicate my production environment on my machine (to develop without access to production). Any way to import the Active Directory schema to ApacheDS? Please note that I already tried multiple approaches to export / import and that's exactly the problem: it doesn't seem to be easy to export/import from AD to ApacheDS because of incompatible schemas and such. – AlfaTeK Aug 14 '12 at 18:50
  • That's a separate issue, and you should post that as a new question with what you've tried and what the results are. Saying "attributes unknown" is not enough - hayalci already told you that you'd probably get errors. – mfinni Aug 14 '12 at 18:57
2

I'm not aware of any specific tools, but here is an idea.

Both Active Directory and ApacheDS are LDAP servers, and the main format for backup/restore of LDAP directories is LDIF. Try to get an LDIF dump of the whole Active Directory, and try to import it into ApacheDS. Probably you will get some errors, and you will have to modify the LDIF file into something ApacheDS accepts. [ We are in the middle of a SunDS -> OpenLDAP migration and we are writing Python programs to massage the LDIF files ]

hayalci
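One way to do the LDIF "massaging" described in the answer above, as an added example (not code from any poster or from the ApacheDS project): it keeps only attributes from the standard person/inetOrgPerson schemas, which targets the "attributes unknown" import error from the comments and keeps AD-only data such as SIDs and group memberships out of the test copy. The keep-list, the `sAMAccountName` to `uid` mapping, the class mapping and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: the target ApacheDS has only its default core/cosine/inetorgperson
# schemas loaded, so only these standard attributes are kept (lowercased names).
KEEP = {"cn", "sn", "givenname", "mail", "displayname", "telephonenumber", "ou", "uid"}
RENAME = {"samaccountname": "uid"}  # assumed mapping for this example
# Most specific AD objectClass (assumed to be listed last) -> target classes.
CLASSES = {"user": ["top", "person", "organizationalPerson", "inetOrgPerson"],
           "organizationalunit": ["top", "organizationalUnit"]}
LINE = re.compile(r"([^:#\s][^:]*)(::?) ?(.*)$")  # attr, ':' or '::' (base64), value

def parse_ldif(text):
    """Return [(dn_line, [(attr, sep, value), ...])] with folded lines rejoined."""
    text = re.sub(r"\r?\n ", "", text)  # RFC 2849: continuation lines start with a space
    records = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        pairs = [m.groups() for m in map(LINE.match, block.splitlines()) if m]
        if pairs and pairs[0][0].lower() == "dn":
            records.append(("{}{} {}".format(*pairs[0]), pairs[1:]))
    return records

def convert(text):
    """Return (ldif_for_target, dropped_dn_lines)."""
    out, dropped = [], []
    for dn, attrs in parse_ldif(text):
        classes = [v.lower() for a, _, v in attrs if a.lower() == "objectclass"]
        target = CLASSES.get(classes[-1]) if classes else None
        if target is None:  # computers, groups, containers: not mapped in this example
            dropped.append(dn)
            continue
        lines = [dn] + [f"objectClass: {c}" for c in target]
        for a, sep, v in attrs:
            name = RENAME.get(a.lower(), a)
            if name.lower() in KEEP:
                lines.append(f"{name}{sep} {v}")
        if "person" in target and not any(l.lower().startswith("sn:") for l in lines):
            cn = next((l for l in lines if l.lower().startswith("cn:")), None)
            lines += ["sn" + cn[2:]] if cn else []  # person requires sn; reuse the cn value
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n", dropped

# Constructed sample in ldifde style (not real data).
SAMPLE = ("dn: CN=Alice Example,OU=Staff,DC=example,DC=com\nobjectClass: top\n"
          "objectClass: user\ncn: Alice Example\nsAMAccountName: alice\n"
          "objectSid:: AQUAAAAAAAUVAAAA\nmemberOf: CN=Admins,OU=Staff,\n DC=example,DC=com\n\n"
          "dn: CN=PC01,OU=Staff,DC=example,DC=com\nobjectClass: user\n"
          "objectClass: computer\ncn: PC01\n")

if __name__ == "__main__":
    print(convert(SAMPLE)[0])
```

The target needs a partition whose suffix matches the DNs (here `DC=example,DC=com`), and parent entries have to be imported before their children. Review the dropped list before relying on the result, since anything not mapped is left out of the test directory.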
1

This may help. Take a look at Jeff Middleton's tools in SBS migration. You can get an exact copy of your AD without harming your production domain. Sounds like you do not need to use the whole kit, but the early phases should accomplish our goals.