# Re: OpenLDAP+Active Directory

On Tuesday 22 January 2008 22:38:13 Andrew Bartlett wrote:
> On Tue, 2008-01-22 at 01:14 -0800, Howard Chu wrote:

> > There's nothing in OpenLDAP that would prevent this. This is a question
> > more suited to either the pam_ldap or nss_ldap mailing lists. The only
> > problem is you might have cn=userA representing two different users in
> > both domains at once, and you'll have to have some kind of policy for
> > dealing with those situations.
>
> This is really the kind of thing that Samba and winbind do best.
> Winbind understands the topology, and creates accounts like AD1\userA
> and AD2\userB so that there is no possibility of conflict.

And it's a band-aid over the fact that there is no standard for multi-realm
user identification under Unix.

Regards,
Buchan
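The collision Howard describes (one cn in two domains) and the realm-qualified naming Andrew credits winbind with can be shown in a few lines. The following is an added illustration, not code from the thread, OpenLDAP, Samba or winbind; the entries, realm names and uid numbers are constructed, and the `REALM\user` form is only borrowed as a naming convention. The point is the resolution policy: a bare name that matches in more than one realm is rejected rather than silently resolved to the first match, which is the ambiguity that would otherwise let one account be confused with another.

```python
from collections import defaultdict

# Constructed sample: user entries as two directories might return them.
# Realms, cn values and uid numbers are made up for the example.
ENTRIES = [
    {"realm": "AD1", "cn": "userA", "uid_number": 10001},
    {"realm": "AD2", "cn": "userA", "uid_number": 20001},
    {"realm": "AD2", "cn": "userB", "uid_number": 20002},
]

SEP = "\\"  # winbind-style separator, e.g. AD1\userA


def flat_name_collisions(entries):
    """cn values that exist in more than one realm.

    This is the problem with flattening several directories into one
    nss/pam namespace: the same cn then denotes different principals.
    """
    realms_by_cn = defaultdict(set)
    for e in entries:
        realms_by_cn[e["cn"]].add(e["realm"])
    return {cn: sorted(r) for cn, r in realms_by_cn.items() if len(r) > 1}


def realm_qualified(entries, sep=SEP):
    """Index entries by a 'REALM<sep>cn' name, the way winbind avoids the clash.

    Raises if even the qualified form collides, which would mean the
    source directory itself has duplicate cn values within one realm.
    """
    index = {}
    for e in entries:
        key = f"{e['realm']}{sep}{e['cn']}"
        if key in index:
            raise ValueError(f"duplicate qualified name {key}")
        index[key] = e
    return index


def resolve(entries, name, default_realm=None, sep=SEP):
    """Resolve a login name to exactly one entry.

    'REALM<sep>user' is looked up directly. A bare name is accepted only
    when it is unambiguous across realms, or when a default realm is
    configured and the name exists there. Ambiguity raises LookupError:
    the policy is fail-closed, never first-match.
    """
    index = realm_qualified(entries, sep)
    if sep in name:
        entry = index.get(name)
        if entry is None:
            raise LookupError(f"no such user {name}")
        return entry

    if default_realm is not None:
        entry = index.get(f"{default_realm}{sep}{name}")
        if entry is not None:
            return entry

    matches = [e for e in entries if e["cn"] == name]
    if not matches:
        raise LookupError(f"no such user {name}")
    if len(matches) > 1:
        realms = ", ".join(sorted(e["realm"] for e in matches))
        raise LookupError(f"{name} is ambiguous across realms: {realms}")
    return matches[0]


if __name__ == "__main__":
    print("colliding bare names:", flat_name_collisions(ENTRIES))
    for n in ("AD2\\userA", "userB"):
        print(n, "->", resolve(ENTRIES, n)["uid_number"])
    try:
        resolve(ENTRIES, "userA")
    except LookupError as err:
        print("rejected:", err)
```

With a default realm configured, a bare name that exists there resolves to that realm's account; without one, the bare `userA` above is refused because it exists in both AD1 and AD2, while `AD2\userA` and the unambiguous `userB` resolve normally.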