How would you integrate several companies with one mother company? (where our Linux team and IT is part of)
We need to implement different OpenLDAP servers because of policies...yeaha... ;-) But I'm not sure how to do this.
My opinion: Each company needs his own pair of multi-master LDAP servers. (for HA) Each LDAP server pair belongs to one of the affiliates and there has to be a 'chinese wall' between those (if possible) Off course it should not be possible for employees from company A to authenticate through the LDAP server of company B. Except for esx, kvm and other virtualization hosts each server belongs also to only 1 of these subcompanies.
But for me and other admins it should be possible to access and manage all servers using the same password and tooling (like puppet with LDAP...)
My idea was some combination of chaining, proxy... (or other overlays). We could use the LDAP server of the mother company as the last part of some chain. The DIT / right structure is also still an issue for me (I'm not an LDAP expert)
Other nice to haves are some AD integration and kerberos, but this has nothing to do with my question :-)
-- Sincerely, Pieter Baele www.pieterb.be