Searching for a Directory Service Solution?

kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of app. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why."
"For me, the choices are stark and clear:
  1. MS Exchange/Active Directory
  2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
For (2) we have evaluated, and are strongly considering, the following: Of course, Samba 4 will address some of this 'cobbling', but we can't wait for that."
  • Look at OpenExchange (Score:5, Informative)

    by adturner ( 6453 ) on Monday September 19, 2005 @08:40PM (#13600420) Homepage
    It's a standards based (LDAP) mail/groupware app which supports standard SMTP/IMAP clients as well as Outlook/Palm clients (for an additional fee).

    Seems competitively priced to Exchange and there's also a free pure OSS version available (although if you want official support and a nice installer, you need to pay for it).

    http://www.openexchange.com/ [openexchange.com]

    I haven't personally used it, but I've been looking at it as an Exchange alternative (I really really hate exchange) for the small company where I work.
  • by Anonymous Coward on Monday September 19, 2005 @08:42PM (#13600439)
    Other Options to Consider:

    Novell:
    Linux Small Business Suite
    http://www.novell.com/products/linuxsmallbiz/ [novell.com]
    It includes edirectory, groupwise for email, suse enterprise server, Novell ZENworks Linux Management Client

    IBM (Lotus)
    http://www.lotus.com/lotus/general.nsf/wdocs/nd7content [lotus.com]
    You can use Domino as an ldap server.
    Other IBM Software on Linux:
    http://www-306.ibm.com/software/os/linux/software/ [ibm.com]
    or
    http://www-1.ibm.com/linux/matrix/ [ibm.com]

  • Re:Easy. (Score:2, Informative)

    by Daengbo ( 523424 ) <daengbo&gmail,com> on Monday September 19, 2005 @08:48PM (#13600465) Homepage Journal
    While I agree with you, the K12OS mailing list that I continually lurk on has quite a few inexperienced Linux folks, and the single sign-on issue has basically been solved by one of them. David Trask has put together a script which automates setting up smb-ldap for a PDC, and it's here: http://web.vcs.u52.k12.me.us/linux/smbldap/ [k12.me.us]

    As for a groupware solution, I currently use egroupware ( http://egroupware.org/ [egroupware.org] ), which is fairly mature, can authenticate to ldap, and can be used both over the web and through Kontact as a client.
  • NDS (Score:3, Informative)

    by discordja ( 612393 ) on Monday September 19, 2005 @08:48PM (#13600470)
    I'm sure some /.ers can give you a better view of the quality of Netscape Directory Server but from the rumblings I've heard it's a complete package and it's pretty damned amazing (not to mention it supposedly scales through the roof).

    You can check out the documents here [redhat.com]
  • Novell (Score:5, Informative)

    by Anonymous Coward on Monday September 19, 2005 @08:53PM (#13600492)
    I don't know what your selection criteria are, but it seems to me that you have another choice: Novell's products. More specifically:
    1. Directory Services: eDirectory. It runs on multiple OS platforms such as Windows, Linux, NetWare, Solaris, etc. It is more robust than AD, particularly across wan links (viz. replication). And of course it is LDAP v3 compliant so nearly any LDAP client can use it for authentication and authorization.

    2. Open Enterprise Server, Linux and NetWare. For hosting your file and print services. You get the best file system out there - NSS - on either platform. Real ACLs and vastly more refined trustee assignment and inherited rights filtering capabilities than any other filesystem.

    3. Groupware/Messaging: I am less experienced in the alternative offerings in this category, but I believe that Novell has a decent product in GroupWise 7, which runs on Windows or Linux or NetWare.

    Again I don't know what your selection criteria are, but you may have skipped Novell due to lack of awareness...

    Cheers.
  • XAD (Score:5, Informative)

    by lukehatpadl ( 818089 ) on Monday September 19, 2005 @08:53PM (#13600499)

    Try XAD [padl.com] from PADL.

    To Windows clients, it acts as an Active Directory domain controller, so it supports Kerberos authentication, group policies, etc. It also includes RFC 2307 support for seamless integration of Linux/UNIX clients.

  • Re:Other options? (Score:5, Informative)

    by killjoe ( 766577 ) on Monday September 19, 2005 @08:58PM (#13600525)
    It's all still there, it's still viable, it's still better then what MS offers, it's still cheaper then MS.

    Just because something doesn't get a lot of press doesn't mean it's gone.
  • by lsommerer ( 89441 ) <lsommerer@sewardweb.com> on Monday September 19, 2005 @08:59PM (#13600530)
    That's what I thought when I read the requirements. Netware (or whatever they are calling it now that it runs on Linux) and Groupwise should be all you need.

    I don't know about cost. We have their educational license, and that includes Netware and 3 other products (we use Groupwise, ZENworks and iFolder) for less than $3.50 per student. The license covers as many servers as we care to run those products on.
  • Try Solaris (Score:3, Informative)

    by tonyr60 ( 32153 ) on Monday September 19, 2005 @09:00PM (#13600536)
    Download Solaris for free. It includes LDAP plus Samba etc. Includes fairly easy admin tools (for example webmin). The LDAP is first class and integrated fully with the OS and Samba. You can do it all and nothing is "cobbled together".
  • cobbled-together? (Score:5, Informative)

    by AstroDrabb ( 534369 ) on Monday September 19, 2005 @09:00PM (#13600539)
    2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
    Well, it sounds like you are an MS-Only type guy with limited experience outside of the proprietary MS-World. There are some excellent solutions that run under Linux. Have you looked at Novell GroupWise [novell.com]?
    Novell GroupWise is a complete collaboration software solution that provides information workers with e-mail, calendaring, instant messaging, task management, and contact and document management functions. The leading alternative to Microsoft Exchange, GroupWise has long been praised by customers and industry watchers for its security and reliability.
    GroupWise is cross platform, unlike MS Exchange/AD. GroupWise has plenty of free tools to help you along the way like:
    • GroupWise Migration Utility 2.0.1 for Microsoft Exchange
    • GroupWise PDA Connect 1.0 SP1 Multi Lingual
    • GroupWise Import Utility 2.0 for Microsoft Outlook
    • GroupWise Gateway 2.0 for Async Connections
    • GroupWise Gateway 3.0 for Lotus Notes
    Just check out Novell [novell.com] to see some of their products (no, I do not work for Novell, I just like some of their products).

    Also, there are some really great LDAP/IMAP type solutions you can put together under Linux for zero cost. Obviously this option requires someone more capable than your typical point-n-click "MS-Admin". It would take one employee with the ability to read a book or some docs. Though, I know your typical point-n-click "MS-Admin" wants to be able to just put in a CD and let AUTO-RUN do all the "hard" work for them.

    If I personally owned a small company with ~100 employees, I would rather have one talented admin that could handle *nix/Win than 2-3 point-n-click MS "admins". If you added up the salaries, that one guy would cost you less than the 2-3 less capable point-n-click MS "admins". TIJMO (This is just my opinion).

  • by graphicartist82 ( 462767 ) on Monday September 19, 2005 @09:02PM (#13600548)
    I've just started to take a look at Fedora Directory Server [redhat.com]. It is very easy to set up and with the GUI manager, it seems about as easy to manage as Microsoft AD.
  • by Kris2k ( 676294 ) on Monday September 19, 2005 @09:08PM (#13600579)

    I do some implementation projects for an IBM reseller who does implementations on the iSeries platform, and they push (and I implement as the consultant, go figure) a lot of Samba + Bynari to the point that I was actually convinced myself and bought myself a few lics for Bynari.

    The nice part about Bynari is that they have great support, and they are continuously improving their product, and they use open technologies (OpenLDAP/Cyrus/Postfix) so it's easily hackable. The Outlook IMAP connector rocks, and so far, I think is the only viable product out there if you're on a trim budget.

    I haven't tried it yet, but having Bynari and Samba share the same LDAP schema seems to be my next personal project. Maybe even lobby the concept to them ;)

  • Novell (Score:3, Informative)

    by RabidMonkey ( 30447 ) <canadaboy@g[ ]l.com ['mai' in gap]> on Monday September 19, 2005 @09:19PM (#13600640) Homepage
    There's always EDirectory ... it runs on sles9 now (as of version 7). All the joy of NDS, but it runs under Linux (and windows, and netware if you want).

    I'm going to a Zenworks 7 thingy on Wednesday .. if you want more information about running edirectory under linux, email me and i'll pass along what I find out.

    it's not just about OSS and Windows .. there are other products there. NDS is far superior to AD, so consider it as well.
  • by Anonymous Coward on Monday September 19, 2005 @09:22PM (#13600653)
    As has been mentioned throughout this topic, look into Novell. Their directory has better pricing, more flexibility, and is more "mature" than AD. Open Enterprise Server can be run on a good amount of hardware, and software. Whether you want to go Netware, Linux (SuSE Enterprise), or Windows you can run OES on them. Groupwise runs on netware and linux. There is the win32 groupwise client in addition to the cross platform java based (I'm fairly sure it is) client which runs on *nix.

    The biggest issues with Novell, from what I've seen actually using it, are the lack of a good directory management tool and that the groupwise client is lacking in the usability department. The latter is changing, mostly due to the recently released groupwise 7 which adds many features seen in outlook and the webaccess version of outlook to the related groupwise counterparts. Dragging and dropping in the web access, name completion in the webaccess, and a customizable view in the win 32 rich client. The backend adds things like global sigs and some other behind the scenes stuff.

    The other bad part, which also affects other novell products, is the management tools. Console one is pretty clunky. As of right now, using netware 5.1, I use the old nwadmin tool and console 1. If I were at Netware 6.5 or any "OES" build I would have to add imanager into the group. Imanager is nice because it's web based and I could technically admin the directory from anywhere as long as I had a web browser. But for frequent admin duties, I could see it being cumbersome.

    eDirectory is LDAP compliant, while active directory is just LDAP compatible(and not even guaranteed). I see Novell offering a more flexible framework.

    The real big issue, is whether you see Novell as a viable solution down the road. I do, assuming they don't go get themselves sold to Sun who will probably screw their whole product line to hell. Beyond that, I have and will continue to like their offerings.
  • Re:Easy. (Score:5, Informative)

    by sillypixie ( 696077 ) * on Monday September 19, 2005 @09:38PM (#13600725) Journal
    I think you are missing more than a few options there.

    IBM has directory services.

    Sun has directory services.

    Novell has directory services.

    My thoughts:

    - the problem with IBM's directory is that it sits on top of DB2. This abrogates one of the coolest parts about directories - that you don't need a DBA. And a mistuned IBM directory is an ugly, ugly thing.

    - the Sun/Netscape/iPlanet/SJSDS-whatever-they-call-it-this-second tends to run well directly out-of-the-box without the need for much in the way of expertise, in smaller environments. I would call this directory the defacto standard (although this statement may now be obsoleted by the advance of AD - hard to say). If you are using other SUN infrastructure, or if you are using the Sun Calendaring/Messaging product (which I would recommend as a very solid alternative to MS exchange), this DS is an excellent choice.

    - Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.

    - OSS - I would consider this an advanced option. My suggestion is, if you know nothing about directory services, that you would be better off with something a little more... packaged. I'm sure many here will rabidly disagree with me, but I certainly would consider that choice as risky. A second issue is that many LDAP-enabled products that you may wish to run on top of your directory layer (provisioning, WSSO, etc) only support commercial directory servers.

    - Microsoft - well, you're probably going to have to install this one anyways, in order to get a LAN. Although I'm a unix chick at heart, I must admit that I have seen many well-run AD directories. If you aren't already in the UNIX world for any good reason, AD is probably a logical direction. Many many companies have cut their directory services teeth this way. The disadvantage is that your Enterprise Directory is also your NOS, which can be a pain from a licensing perspective, if you want to store authentication-only users as well.

    FWIW, hope that helps...
  • Maybe not so easy. (Score:5, Informative)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Monday September 19, 2005 @10:30PM (#13600971) Homepage Journal
    Let us say that you build a direct equiv. in Linux. "Impossible!" I hear you cry! Well, maybe not. Not unless you've cracked into my machine and installed an MP3 of yourself.

    Anyways, let us examine the different components and see how far OSS can take us. Maybe it can't go the whole journey, but if it can do some, then a hybrid solution will work.

    Open Groupware [opengroupware.org], SuSE's Open Exchange [novell.com] and OSER [freshmeat.net] will handle the Exchange part, including support for all those MS Exchange clients, such as Outlook.

    That just leaves the Active Directories part. ISC's DHCP [isc.org] supports Dynamic DNS. However, you may want to add in DHCP2LDAP [netfoo.org] to get a good link between DHCP and BIND. OpenLDAP [openldap.org] provides the LDAP implementation part. Kerberos [mit.edu] and DNS [isc.org] are easy (although some may quibble with my choice of Kerberos version!)

    Provided you're not planning on having both MS Active Directory and the above amalgam running, you should then be set to go with a comprehensive Active Directory lookalike which will interact with client systems in the same way Microsoft's software will.

    The problem I found is that there's almost no way of getting from a Linux solution -to- Active Directory. If AD is present, it must be a root server, which Linux CAN pull from.

    Do I recommend this kind of a setup? Probably not. The Exchange and Groupware stuff should be fine, but the Active Directory stuff isn't as coherent as it could be and I've heard of nobody who has completely replaced AD with an Open Source solution, even though from a purely technical perspective it should be possible.

  • by macshome ( 818789 ) on Monday September 19, 2005 @10:31PM (#13600978) Homepage
    Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI. Don't get me wrong, GUIs are useful, but if you want to go OSS, cut out the middleman.

    Well, it's a bit more than that. With a few button clicks you can have a fully functioning Directory Service with OpenLDAP and Kerberos. You get password policies, single sign on for everything from mail to smb to web, and you even get a one click samba pdc.

    The only thing it lacks is the groupware support. Firstclass or any number of OSS solutions can provide that.

    Check out our site [afp548.com], or even just Apple's server site [apple.com] for more info.

    Of course since the questioner didn't mention openLDAP to begin with,

    Yeah he did, by name even.
  • Re:one caveat (Score:5, Informative)

    by Raspberry ( 18668 ) <{moc.liamg} {ta} {nnisnayr}> on Monday September 19, 2005 @10:39PM (#13601021) Homepage
    Actually I can say I worked on one of the largest directories in the world... over 52 million user objects and hundreds of millions of objects.

    AD does not scale well. Senior Mgmt wanted to move from eDirectory to AD due to some price breaks on desktop os and MSOffice for over 50000 employees... so we made the attempt with Microsoft in house providing consulting services... they eventually admitted even they couldn't get it stable in our large distributed environment... during the one year migration troubleshooting process we had contractors restarting servers in hundreds of locations around the clock.

    We're now back on Novell eDirectory with Open Enterprise Server and stable again.

  • by plsuh ( 129598 ) <plsuh@noSpAM.goodeast.com> on Monday September 19, 2005 @10:46PM (#13601070) Homepage
    Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI.

    Open Directory [apple.com] covers a lot more than LDAP. Yes, it's based on OpenLDAP -- in part. Yes, there is a nice GUI, which you can use to administer users and groups remotely, from another Mac OS X machine.

    But there's also MIT Kerberos, integrated with the LDAP. When you create a user in Open Directory, the necessary Kerberos principals are created for that user. User identification (linking usernames with Kerberos principals and home directories) happens automatically.

    But wait, there's more -- there's also the Apple Password Server, which is based on the SASL layer from CMU. This provides centralized, non-Kerberos password support, for things like CRAM-MD5 authentication, or NTLMv2 auth for Samba. The Password Server passwords are automatically synchronized with the Kerberos passwords. When you change a user password in the KDC the corresponding password is also changed in the Password Server or vice versa.

    Still not happy? How about built-in replication support for load-balancing and high availability. It covers not only the LDAP database via slurpd but also the Kerberos and Password Server databases.

    Oh, and one more thing -- encrypted archiving built in to the GUI. Archive your entire set of LDAP user information and your password database to an encrypted disk image. Secure and convenient.

    (Yes, I work for Apple -- but the parent post misses most of the good parts.)

    --Paul
  • Mac OS X Server (Score:4, Informative)

    by Aron S-T ( 3012 ) on Monday September 19, 2005 @11:17PM (#13601214) Homepage
    Cheap - $1K for an unlimited server license, and the Xserves come with the license and are great performers in their own right and cost-effective.

    It has ease of use GUI goodness, with a full open source stack underneath: supports Open/LDAP directory services, single sign-on, Kerberos, email, calendaring (via WebDav), file services (via Samba for Windows and Linux), CUPS, Apache, DNS, Mailman - the list goes on and on. It plays extremely well in mixed environments and is extremely easy to administer - no steep learning curve.

    It's far cheaper than all the other alternatives, including Novell and RH, not to speak of Microsoft. And soon you will be migrating all your users to OS X boxen as well once you see all the advantages.

    I have done administration on all the other alternatives and I'm far from an Apple fanboy, so don't start flaming me on that score.
  • by JDAP ( 916037 ) on Monday September 19, 2005 @11:19PM (#13601227)
    As this is my First! Slashdot! Post! Ever! (R), I'm hoping to avoid any crass errors in style or etiquette..fortunately, based on some posts I've read over the years, there's a pretty high bar. (Hopefully, smartass jokes are also OK.)

    I've done a lot of work with a range of customers on implementing and maintaining directory infrastructure, mainly centered around Lotus Domino and the IBM Directory Server. To start the shameless plug, I'll say that based on your criteria - directory services and a groupware/mail solution - you should give Domino a hard look. A Domino server contains a totally integrated mail system (both fat client and web mail based), an application development platform with Java support, LDAP directory server, Web, SMTP, IMAP and POP server, predefined application database templates, and advanced security services like PKCS and SSL out of the box; it can also synchronize user information with Active Directories for centralized user account administration. Outside LDAP servers can be associated with Domino to allow those users direct access to resources like web-based apps. Current versions are shipping that run on Windows, Linux, HP-UX, and other platforms, which allows for platform flexibility.

    To save this from becoming a sales pamphlet, there are some good reasons to consider other options depending on your needs. Some corporations demand that directory services be highly integrated into the OS; Domino's directory is not, though it can share information with native services if they exist.

    While Domino is great for having so many services instantly available out of the box, they are not necessarily best-of-class. If a very large, intensively utilized directory system is planned, then a dedicated LDAP server like the ones mentioned in previous posts may offer better performance. Some advanced LDAP features, like multi-master replication aren't included in Domino.

    All that aside, in my opinion the most important things to remember in creating a directory services infrastructure are to plan around intended use and growth, not around products and glib promises a sales rep will spout. When you talk about the need to "set up directory services", take some time to plan what workflow will be used the most, what functions will need to be the most efficient, and what future applications and products will be hooked into the system. Create a concrete, detailed outline of what operations you'll need supported - signing people onto their workstations is usually just the beginning.

    After that's done, it's easier to look at hardware and software more critically to suit your needs - much better than fitting your needs to what a particular solution can provide.
  • Re:cobbled-together? (Score:2, Informative)

    by ThisOrThat ( 832791 ) on Monday September 19, 2005 @11:29PM (#13601269)
    That's odd. We use Novell for all user storage/printing/groupwise/etc for thousands of PCs and have none of the issues you list.

    Which version of NetWare are you on?

    The college I went to a number of years ago used NetWare (and still do) and it works very well for them.

    At work we have edir and AD integrated, edir being the main directory. I mostly work with HPUX/AIX/Linux but have done a little NetWare stuff in the past. I don't know about current QA at Novell but we don't seem to have many issues that I can tell. GW used to be pretty bad a few years ago but they have since upgraded and it's been working like a charm.

    When I have had to do administration of MS servers (doing contract work or what not) I realize how much better the admin tools are in NetWare vs MS. Unless it's changed (and I don't think it has) assigning/administrating file rights and users is a pain for any sort of large network. Also login scripting in MS bites really really bad IMHO. I can't believe that MS can't have a better way of doing login scripts.

    Oh well,

    - Justin
  • Re:Easy. (Score:1, Informative)

    by Anonymous Coward on Monday September 19, 2005 @11:30PM (#13601274)
    Not exactly. The Red Hat and Sun directory servers are each descendants of the iPlanet DS. What Red Hat bought was the Netscape fork of the Sun/Netscape Alliance's code tree. Sun has retained their own version since the fork. Both versions of the DS have been added to significantly since the fork. As a result, they are similar but not identical.

  • by hyc ( 241590 ) on Tuesday September 20, 2005 @03:18AM (#13602105) Homepage Journal
    As far as I recall, the Apple Password Server is only provided for backward compatibility with previous MacOS releases. I don't wish to denigrate what Apple has achieved in shipping OpenDirectory with their OS, but anybody can install Heimdal Kerberos, OpenLDAP, and Cyrus SASL and get automatic integration of Kerberos principals with LDAP accounts and Cyrus passwords. All of these three packages support each other directly, out of the box. And likewise, since you can create a single LDAP user object with all of their Kerberos info, Unix info, and SASL info in one place, they naturally all replicate together. So there's nothing magic about OpenDirectory here. (Nevertheless, OpenDirectory is good stuff, and I'm sure it will be even better in the future.)

    And yes, I'm on the OpenLDAP core team, and I wrote a lot of the code that makes Heimdal, OpenLDAP, and Cyrus SASL play together. It's been working well in the field for years. And for those people who have trouble getting configure scripts to connect everything the way they want, my company Symas Corp. offers pre-built binaries of all of these packages, already integrated, ready to run.
  • by Korgan ( 101803 ) on Tuesday September 20, 2005 @04:01AM (#13602220) Homepage
    May I introduce you to an opensource Directory solution that quite nicely replaces Windows Active Directory. Many moons ago it started life as just OpenLDAP but it has now become so much more.

    http://www.apple.com/server/macosx/features/opendirectory.html [apple.com]

    Good ol' Apple.

    Darwin, *BSD, Linux, various Unixes. Builds with GCC and source is available under Apple's OpenSource license.

    Redhat's RHDS available on subscription for RHEL3 and RHEL4 is another. Based on Netscape Directory Services. That's mostly available under the GPL now, called Fedora Directory Server.

    http://directory.fedora.redhat.com/ [redhat.com]

    Personally my favourite has been eDirectory. It may not be opensource or even free, but the little you do pay for it is definitely worth the product. Anyone skipping over it is either deliberately obtuse or just plain ignorant. Especially if they're willing to pay for Active Directory and all the costs that go with it (including licensing, security and maintenance/administration) while receiving a far inferior product.

    Ultimately, Ask Slashdot is the worst place for the original poster to ask this kind of question. They need to sit down with people from various companies and vendors to get an idea of all available products. Many will happily discuss the requirements and work together with you to find the best solution, not just sell you a solution from a preferred supplier.

    Ask various engineering places in the district to submit RFP's based on requirements you set. It doesn't have to be a multi-million dollar contract to get many interested. Companies are starting to really take notice of the SME market nowadays. Ultimately they have to. ;-)
  • by PMoonlite ( 11151 ) on Tuesday September 20, 2005 @07:52AM (#13602734)
    For a supported version of the highly-regarded LDAP formerly known as Netscape Directory Server that runs on Linux, see Red Hat Directory Server [redhat.com]. And to try before you buy, you can check it out on Fedora as the parent suggested.
  • Mostly Easy. (Score:2, Informative)

    by wildjim ( 7801 ) on Tuesday September 20, 2005 @07:55AM (#13602748)
    I was involved in setting up a similar system in a prev. job.
    Basically, if you're expecting to use A.D anywhere, you're really advised to stick to all-MS.

    We worked hard on getting A.D. to play nicely with a Unix LDAP system, Bind (DNS), Samba, etc. and it just wasn't even slightly fun. There's quite a few hacks that they use, and they seem to expect an ability to dynamically-update quite a few things (e.g. in DNS) which was tricky to get going with Unix tools. On top of that, it will be expensive.

    However, if you avoid A.D, and even Windows PDC's, it's actually fairly easy. OpenLDAP is mostly only tricky for Access-Controls, Samba 3 can do pretty-much everything SMB/CIFS file/print-related, and can auth. against LDAP easily.
    We preferred Exim over Sendmail, Postfix, and QMail, but just pick the one you like best as they all do LDAP.
    We installed Dovecot for the IMAP server -- does LDAP, too.

    I think the main point is: if you use some decent (read: fully-compliant) LDAP server, or X.500 + LDAP shim, the rest of it can be whatever you like best.

    I would like to put in a couple of other points:
    • For what you're aiming for, OSS will do it all. (e.g. OpenLDAP, Samba, Exim + DSpam + ClamAV, Dovecot/Courier, SquirrelMail...). If you're prepared to give your staff time to test-drive and learn the products, it's probably money better spent rather than giving away in licenses.
    • Pick OSS s/w that has decent docs. I find that to be a reasonable bench-mark for both its popularity and likelihood for it to stick around.
    • If you don't care about OSS, I personally have had good experiences with Lotus Notes. It is fairly straight-forward to use and Admin, tries hard to use standard protocols (e.g. IMAP, LDAP, NNTP...) for non-Notes clients and the document-management abilities will make you wonder why you never thought about it before!
      However licenses start at £150-ish/user, and £3000-ish/server... (sorry if I mis-remembered those prices!)
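    As an added example (not from the thread and not any poster's configuration), here is the kind of slapd.conf access-control fragment that makes the "tricky" OpenLDAP ACLs concrete for a Samba 3 + OpenLDAP setup like the one described above. The base DN dc=example,dc=com and the service account cn=samba,ou=services,dc=example,dc=com are assumed placeholders.

```conf
# Added example, not the poster's configuration. OpenLDAP slapd.conf
# access-control fragment (goes inside the database definition) for an
# ou=people tree that Samba 3 (ldapsam) authenticates against.
# Assumed placeholders: dc=example,dc=com and the Samba service account
# cn=samba,ou=services,dc=example,dc=com (the DN you would give Samba
# as "ldap admin dn" in smb.conf).
#
# slapd evaluates "access to" clauses in order and stops at the first
# clause whose target matches, then applies the first matching "by"
# line. List the most sensitive attributes first so a broader rule
# lower down cannot accidentally expose them.

# Unix password hash: never readable. "auth" lets a bind compare
# against the stored value without returning it, so simple binds and
# SASL still work for anonymous clients. A user may change their own
# userPassword (slapd hashes it per the password-hash directive); the
# Samba service DN may set it during provisioning.
access to attrs=userPassword
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Samba NT/LM hashes: these are password-equivalent for SMB, so only the
# Samba service DN (which smbpasswd/pdbedit go through) may touch them,
# and nobody may read them over LDAP. The LM hash is weak; prefer a
# Samba configuration that does not use LanMan authentication at all.
access to attrs=sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by * none

# Password-ageing bookkeeping that Samba maintains. Readable so clients
# can warn about expiry, but not user-writable: a user who could write
# these could reset their own expiry clock.
access to attrs=sambaPwdLastSet,sambaPwdMustChange
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by * read

# Everything else under ou=people: the Samba service DN provisions
# entries, authenticated users can read the address book, anonymous
# clients see nothing (they only need the "auth" rule above to bind).
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by users read
    by * none

# Catch-all for the rest of the tree (ou=groups, the sambaDomain entry,
# etc.): read-only for authenticated users, writable only by the Samba
# service DN. The rootdn bypasses ACLs entirely, so keep it out of
# day-to-day client and service configurations.
access to *
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by users read
    by * none
```

    After loading the rules, check them from a non-admin bind (for example with ldapsearch bound as an ordinary user) and confirm that the three hash attributes never come back in the results.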
  • Re:STOP.... (Score:3, Informative)

    by AngryElmo ( 848385 ) on Tuesday September 20, 2005 @08:26AM (#13602851)
    Along with Zenworks (an eDirectory enabled management application) you can have your group policies too! Buy Netware (or Open Enterprise Server - Suse SLES 9.0 + Novell services by another name) and you'll get all of the eDirectory and Linux goodness, plus DirXML which is a programmable metadirectory allowing synchronisation between eDirectory and whatever you want (including MS-AD)
  • by CrudPuppy ( 33870 ) on Tuesday September 20, 2005 @09:05AM (#13603123) Homepage
    While I would normally say use OpenLDAP, Sun has recently made a version of their Directory Server free and open source. Their GUI management is excellent, and it supports Multi-Master Replication.

    In case you're not familiar with MMR, think about your normal scenario. Maybe you have 1 master server and 2 slaves, one for each physical location. With MMR, you quite literally have 3 master servers, all of which can be updated and will push the changes to the others. This means no more worrying about losing the "most important" server--they are all equally unimportant if lost!
  • by Ath ( 643782 ) on Tuesday September 20, 2005 @10:33AM (#13603886)
    Wow. MMR sounds great. But it isn't. It's nothing more than a half-baked feature set compared to Novell's eDirectory. Since its release in 1993, eDirectory has supported partitions and replicas of the directory with full backlink support for all resources.

    What that means is that you don't tie up your WAN link with unnecessary directory traffic sending sync messages when they aren't necessary.

    What I find amazing is that people just reject eDirectory too often because it is from Novell. It is fully LDAP v2 and v3 compliant, so even if you don't use applications that support eDirectory natively, you can still get all the benefits with no downside. Active Directory, by the way, is not fully RFC compliant for LDAP v3. If you think it is, you haven't bothered to actually try using it in a scenario where v3 functionality is required.

    In addition, if you really need a serious directory solution then Novell's Identity Manager really shows the strengths of their directory offerings. There is absolutely no such thing as an enterprise environment with a homogenous directory. With IDM, you can publish and subscribe between just about any "directory" available. Active Directory, LDAP, Notes, Exchange, other eDirectory trees, SQL databases, and just about any JDBC-compliant database.