  #1 (permalink)  
Old 04-05-2010, 05:22 PM
New Member
 
Posts: 4
Moving from Zimbra LDAP to External 389 Directory?

Hi all,
Short details of the setup I'm administrating: 5.0.18 GA on CentOS 64 bit. This is a Xen VM running on a Debian Lenny host; it's on a Sun X2200 and the VM itself has 4G of memory. We're an APT shop, but my predecessor had difficulties with Ubuntu VMs that I have not been able to replicate, hence the use of CentOS.

We want to achieve a few goals - firstly we'd like to migrate to an Ubuntu VM. Easy enough, I can do that over a quiet weekend. Secondly we'd like to upgrade to 6.0.5 - also easy.

The problematic goal we do have, though, is that we want to hook up the rest of our infrastructure, our NAS etc., to LDAP, and the boss and I agree that messing around with Samba and Zimbra's LDAP is probably not ideal. What we want to do instead is to set up 389 Directory (the artist formerly known as Fedora Directory) + Samba and authenticate everything against that, including Zimbra (obviously with some cron'd sync).

I've done so much googling on Zimbra + 389 Directory and Zimbra + Fedora Directory that my brain is about to melt down.

There's also this, in Spanish, that mentions importing the Zimbra schema:
http://wiki.fedora-ve.org/WilmerJaramillo/ZimbraSchema

My question is: does anyone here have experience with migrating from an existing Zimbra LDAP to an external Fedora/389 Directory?

I'm assuming, especially given that we can define the directory layout from scratch, that the best path to take is to import the Zimbra and Samba schemas, export everything out of Zimbra LDAP and import it into 389, then reconfigure Zimbra to authenticate against 389. Then it's just a matter of getting the sync to work.

Does that sound right to you guys? Any thoughts/links/advice appreciated.
  #2 (permalink)  
Old 04-05-2010, 05:45 PM
Moderator
 
Posts: 1,554

I have seen the Zimbra LDAP maintainer/guru respond to a question like this before with pretty much 'don't do it'. While you may be able to get the schema and data in, there are fundamental differences in LDAP servers in architecture and whatnot that can come back to bite you. Zimbra's OpenLDAP is built with certain options and patches that it absolutely depends on.
  #3 (permalink)  
Old 04-05-2010, 06:50 PM
New Member
 
Posts: 4

Thanks for the response. Just to be clear: We don't want to completely replace Zimbra's LDAP with 389 - we know that Zimbra's LDAP holds all kinds of trickery etc... We only want to authenticate Zimbra against 389, which shouldn't be a problem - it's an external LDAP server.

In other words, this is not a re-hash of this thread:
389 Directory Server as backend

We just want to use 389 as an external LDAP server, preferably having imported existing data from Zimbra LDAP into it...
  #4 (permalink)  
Old 04-05-2010, 06:57 PM
Moderator
 
Posts: 1,554

Oh, in order to authenticate against an external LDAP you don't need to mess with the schema really. You just have to know a basedn, filter, and a binddn if your LDAP server doesn't allow anonymous bind for authentication. These things are pretty much the basics in LDAP, so really any LDAP service should be fine. You'd just need an attribute to match your Zimbra logins to your 389 directory server.
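An added example, not part of the thread or of Zimbra's code: the search-then-bind pieces named in post #4 (base DN, filter, matching attribute), showing how a login is turned into a search filter with RFC 4515 escaping and why an empty password must be refused before any bind. The `%n`/`%u`/`%d`/`%D` placeholders follow the convention Zimbra's external LDAP auth filters use; the filter, domain and function names are constructed sample values.

```python
import re

# Constructed sample settings; substitute the values for your own 389 DS tree.
SEARCH_FILTER = "(&(objectClass=inetOrgPerson)(uid=%u))"
DEFAULT_DOMAIN = "example.com"

# RFC 4515 section 3: these characters are written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def domain_to_dn(domain: str) -> str:
    """example.com -> dc=example,dc=com (the %D form)."""
    return ",".join("dc=" + label for label in domain.split("."))


def expand_filter(template: str, login: str, default_domain: str) -> str:
    """Expand %n, %u, %d and %D in a search-filter template for one login."""
    user, _, domain = login.partition("@")
    domain = domain or default_domain
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", domain):
        raise ValueError("unexpected characters in domain part")
    values = {
        "%n": escape_filter_value(login),  # login exactly as typed
        "%u": escape_filter_value(user),   # login with @domain removed
        "%d": domain,                      # validated above, nothing to escape
        "%D": domain_to_dn(domain),
    }
    return re.sub(r"%[nudD]", lambda m: values[m.group(0)], template)


def precheck(login: str, password: str) -> None:
    """Refuse input that must never reach the directory as a bind attempt."""
    if not login or "\x00" in login:
        raise ValueError("empty or malformed login")
    if not password:
        # A simple bind with a DN and an empty password is an "unauthenticated
        # bind" (RFC 4513 section 5.1.2); servers that allow it report success.
        raise ValueError("empty password")


def search_filter_for(login: str, password: str) -> str:
    """Filter to search with under the base DN before binding as the found DN."""
    precheck(login, password)
    return expand_filter(SEARCH_FILTER, login, DEFAULT_DOMAIN)
```

The returned filter is what the service account (the binddn) would search with under the base DN; the user's password is then checked by binding as the single DN that search returns.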
  #5 (permalink)  
Old 04-05-2010, 07:19 PM
Elite Member
 
Posts: 334

Just a quick note:

If you plan to apply Zimbra External Authentication as you described above, you should be able to authenticate Zimbra users against your FDS, but you still need to maintain the Zimbra mailbox (or in other words: create the Zimbra account) on Zimbra itself.

External authentication will only authenticate the user, as its name says :-)
__________________
Best Regards
---
Masim "Vavai" Sugianto
Vavai Personal Blog
Personal Blog [ID]

Release 7.1.3_GA_3346.SLES11_64_20110930001521 SLES11_64 FOSS edition.