Re: OpenLDAP+Active Directory

[Howard Chu <hyc@symas.com>]

Aiko Barz wrote:
> Hello,
>
> is it possible to create an Active Directory forest with multible
> subdomains and make those informations available for one Linux
> machine?
> Right now, we have one domain and it is possible to do authentication
> against the Active Directory, while using OpenLDAP, PAM and Kerberos.
>
> But now, another department would like to have its own
> directory/sub-domain. This means: uid=xyz will be located on
> different directory servers within the Active Directory forest.
> That means, there are UIDs with different BASEDNs.
>
> CN=userA,OU=Users,DC=example,DC=local from AD1 and
> CN=userB,OU=Users,DC=sub,DC=example,DC=local from AD2 shall both be
> able to access a Linux box via SSH. No problem?
>
> Regards,
>      Aiko

There's nothing in OpenLDAP that would prevent this. This is a question more 
suited to either the pam_ldap or nss_ldap mailing lists. The only problem is 
you might have cn=userA representing two different users in both domains at 
once, and you'll have to have some kind of policy for dealing with those 
situations.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/