
Re: OpenLDAP+Active Directory



Buchan Milne wrote:
On Tuesday 22 January 2008 22:38:13 Andrew Bartlett wrote:
On Tue, 2008-01-22 at 01:14 -0800, Howard Chu wrote:

There's nothing in OpenLDAP that would prevent this. This is a question
more suited to either the pam_ldap or nss_ldap mailing lists. The only
problem is you might have cn=userA representing two different users in
both domains at once, and you'll have to have some kind of policy for
dealing with those situations.
This is really the kind of thing that Samba and winbind does best.
Winbind understands the topology, and creates accounts like AD1\userA
and AD2\userB so that there is no possibility of conflict.

And it's a band-aid over the fact that there is no standard for multi-realm user identification under Unix.

Not for lack of trying... Kerberos, AFS, DCE ... I think it's somewhat ironic that Windows today is built around a technology (DCE) that was developed for and forgotten by the Unix world a decade ago. (Particularly since I was one of the guys who first implemented DCE/DFS support on Windows95 way back when.) Talk about coming full circle.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
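As an added illustration of the name-collision problem and the winbind-style DOMAIN\user workaround discussed in this thread (example code written for this page, not from the thread, Samba or OpenLDAP; the domain names, account names, RIDs and idmap ranges are constructed sample data):

```python
# Merge users from two AD domains into one Unix passwd-style view, detecting
# accounts whose name exists in both domains and resolving them the way winbind
# does: domain-qualified names (AD1\userA) plus disjoint per-domain uid ranges.
# All directory contents below are constructed, not real directory data.

# Constructed directory contents: domain -> list of (sAMAccountName, RID)
DOMAINS = {
    "AD1": [("userA", 1105), ("alice", 1201)],
    "AD2": [("userA", 1107), ("bob", 1310)],
}

# Constructed per-domain uid ranges (in the spirit of winbind idmap ranges)
IDMAP_RANGES = {"AD1": (10000, 19999), "AD2": (20000, 29999)}


def find_collisions(domains):
    """Return the (lower-cased) account names present in more than one domain.
    AD names are case-insensitive, so compare them case-folded."""
    seen = {}
    for dom, users in domains.items():
        for name, _rid in users:
            seen.setdefault(name.lower(), set()).add(dom)
    return {name for name, doms in seen.items() if len(doms) > 1}


def map_uid(domain, rid):
    """Allocate a uid for (domain, rid) inside that domain's own range so two
    domains can never hand out the same uid; refuse if the range is exhausted."""
    low, high = IDMAP_RANGES[domain]
    uid = low + rid
    if uid > high:
        raise ValueError(f"idmap range exhausted for {domain}: rid {rid}")
    return uid


def build_passwd(domains, separator="\\", always_qualify=False):
    """Build {unix_name: (uid, domain)}. Colliding names are always qualified
    as DOMAIN<separator>name; unique names stay bare unless always_qualify."""
    collisions = find_collisions(domains)
    table = {}
    for dom, users in domains.items():
        for name, rid in users:
            qualify = always_qualify or name.lower() in collisions
            unix_name = f"{dom}{separator}{name}" if qualify else name
            table[unix_name] = (map_uid(dom, rid), dom)
    return table
```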