[Date Prev][Date Next]
Re: OpenLDAP+Active Directory
Buchan Milne wrote:
On Tuesday 22 January 2008 22:38:13 Andrew Bartlett wrote:
On Tue, 2008-01-22 at 01:14 -0800, Howard Chu wrote:
There's nothing in OpenLDAP that would prevent this. This is a question
more suited to either the pam_ldap or nss_ldap mailing lists. The only
problem is you might have cn=userA representing two different users in
both domains at once, and you'll have to have some kind of policy for
dealing with those situations.
This is really the kind of thing that Samba and winbind does best.
Winbind understands the topology, and creates accounts like AD1\userA
and AD2\userB so that there is no possibility of conflict.
And it's a band-aid over the fact that there is no standard for multi-realm
user identification under Unix.
Not for lack of trying... Kerberos, AFS, DCE ... I think it's somewhat ironic
that Windows today is built around a technology (DCE) that was developed for
and forgotten by the Unix world a decade ago. (Particularly since I was one of
the guys who first implemented DCE/DFS support on Windows95 way back when.)
Talk about coming full circle.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/