
Re: OpenLDAP+Active Directory

Aiko Barz wrote:

Is it possible to create an Active Directory forest with multiple
subdomains and make that information available for one Linux
Right now, we have one domain and it is possible to do authentication
against the Active Directory, while using OpenLDAP, PAM and Kerberos.

But now, another department would like to have its own
directory/sub-domain. This means: uid=xyz will be located on
different directory servers within the Active Directory forest.
That means, there are UIDs with different BASEDNs.

CN=userA,OU=Users,DC=example,DC=local from AD1 and
CN=userB,OU=Users,DC=sub,DC=example,DC=local from AD2 shall both be
able to access a Linux box via SSH. No problem?


There's nothing in OpenLDAP that would prevent this. This is a question more suited to either the pam_ldap or nss_ldap mailing lists. The only problem is you might have cn=userA representing two different users in both domains at once, and you'll have to have some kind of policy for dealing with those situations.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
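The collision problem Howard describes, as an added illustration that is not part of the thread: when the NSS/PAM client searches more than one base DN in the forest, the same login name (or the same uidNumber) can resolve to two different objects. The entries below are constructed for the example; the DN parsing is simplified and does not handle escaped commas.

```python
"""Detect account-name and uidNumber collisions across several AD search bases.

Added example (not from the thread). Shows why a policy is needed when
cn=userA exists in more than one domain of the forest.
"""
from collections import defaultdict

# Constructed sample entries, as a client might receive them from searches
# under DC=example,DC=local and DC=sub,DC=example,DC=local.
SAMPLE_ENTRIES = [
    {"dn": "CN=userA,OU=Users,DC=example,DC=local",
     "sAMAccountName": "userA", "uidNumber": 10001},
    {"dn": "CN=userB,OU=Users,DC=sub,DC=example,DC=local",
     "sAMAccountName": "userB", "uidNumber": 10002},
    # Same login name again in the sub-domain: ambiguous in a flat NSS namespace.
    {"dn": "CN=userA,OU=Users,DC=sub,DC=example,DC=local",
     "sAMAccountName": "userA", "uidNumber": 10003},
    # Different name but the same uidNumber as userB: file ownership becomes ambiguous.
    {"dn": "CN=userC,OU=Users,DC=sub,DC=example,DC=local",
     "sAMAccountName": "userC", "uidNumber": 10002},
]

def domain_of(dn):
    """Return the DC components of a DN as a dotted domain name (naive split on ',')."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts)

def find_collisions(entries):
    """Group entries by login name and by uidNumber; return groups with more than one DN."""
    by_name = defaultdict(list)
    by_uid = defaultdict(list)
    for e in entries:
        by_name[e["sAMAccountName"]].append(e["dn"])
        by_uid[e["uidNumber"]].append(e["dn"])
    return ({k: v for k, v in by_name.items() if len(v) > 1},
            {k: v for k, v in by_uid.items() if len(v) > 1})

def qualified_logins(entries):
    """One possible policy: make login names unique by qualifying them with the domain."""
    return {f'{e["sAMAccountName"]}@{domain_of(e["dn"])}': e["dn"] for e in entries}

if __name__ == "__main__":
    names, uids = find_collisions(SAMPLE_ENTRIES)
    for name, dns in names.items():
        print(f"login name {name!r} maps to {len(dns)} objects: {dns}")
    for uid, dns in uids.items():
        print(f"uidNumber {uid} shared by: {dns}")
```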