On Monday 08 December 2008 15:15:44 Andrew Findlay wrote:
On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:
- LDAP server would delegate authentication for users it cannot authenticate to the AD server but otherwise it would handle the users it knows.
That may be easier - for one thing you do not need to do anything scary to the central AD servers. See 'Pass-Through Authentication' in the Admin Guide:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
In principle you could use either LDAP or Kerberos access to the AD domain to implement this, though I think LDAP would be easier.
It is also worth looking at the contributed slapd modules, as I think there is one that delegates authentication to a remote AD and then builds a local entry if the password is OK. smbk5pwd perhaps?
No, adpwc, which is stuck in ITS (#5042).
Depending on the exact requirements, bi-directional Kerberos trusts could also be a solution here.
Regards, Buchan
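The LDAP route to the AD domain that Andrew mentions is slapd's pass-through authentication: the local entry carries a userPassword of the form {SASL}user@realm, slapd hands the simple bind to Cyrus SASL, and saslauthd (mechanism "ldap") binds to AD as that user. The script below is an added example, not code from this thread, from OpenLDAP or from Cyrus SASL; it writes the three pieces of such a setup into a directory so it runs offline. The host ad.example.com, the realm EXAMPLE.COM, the service account cn=saslauthd and the entry uid=jdoe are hypothetical names; the configuration keys are the documented slapd.conf-style SASL options and saslauthd.conf options.

```shell
#!/bin/sh
# Added example (not from the thread): generate the pieces of an OpenLDAP
# pass-through authentication setup that defers password checks to an
# AD domain via saslauthd's "ldap" mechanism.
# Hypothetical names: AD at ad.example.com, realm EXAMPLE.COM, service
# account cn=saslauthd, local user uid=jdoe. Files go under OUTDIR
# (default: a temp directory) so nothing touches /etc when run as-is.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"

# userPassword value that tells slapd to defer the simple bind to SASL:
# {SASL}<user>@<realm>. slapd never stores or sees the AD password.
passthrough_password_value() {
    printf '{SASL}%s@%s\n' "$1" "$2"
}

write_passthrough_config() {
    dir="$1"; ad_host="$2"; realm="$3"; base="$4"

    # 1. slapd's Cyrus SASL application config (slapd.conf in the SASL
    #    plugin config directory, e.g. /usr/lib/sasl2 or /etc/sasl2):
    #    verify plaintext passwords through the saslauthd socket.
    cat >"$dir/slapd.sasl2.conf" <<EOF
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF

    # 2. Config for "saslauthd -a ldap -O saslauthd.conf".
    #    ldap_auth_method: bind -> saslauthd searches for the account with
    #    the service DN, then binds to AD *as that account* with the
    #    password the user supplied, so AD's lockout/expiry policy applies.
    #    ldap_start_tls: yes keeps the user's password off the wire in clear.
    #    %U is the user part of user@realm, %r the realm.
    cat >"$dir/saslauthd.conf" <<EOF
ldap_servers: ldap://$ad_host/
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/ad-ca.pem
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,cn=Users,$base
ldap_bind_pw: CHANGE-ME
ldap_search_base: $base
ldap_filter: (&(objectClass=user)(sAMAccountName=%U))
EOF
    # The file holds the service account password in clear: restrict it.
    chmod 600 "$dir/saslauthd.conf"

    # 3. A local entry whose password check is delegated. The entry itself
    #    must exist in slapd; pass-through only replaces the password compare,
    #    it does not create entries for unknown users.
    cat >"$dir/user.ldif" <<EOF
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: $(passthrough_password_value jdoe "$realm")
EOF
}

write_passthrough_config "$OUTDIR" ad.example.com EXAMPLE.COM "dc=example,dc=com"
echo "pass-through config written to $OUTDIR"
```

Once the files are in place and saslauthd is running, check the chain from the bottom up: `testsaslauthd -u jdoe -r EXAMPLE.COM -p 'the-ad-password'` verifies saslauthd against AD on its own, and `ldapwhoami -x -D uid=jdoe,ou=People,dc=example,dc=com -W` verifies that slapd accepts the simple bind through it. Two things to keep in mind: saslauthd's service account password sits in clear in saslauthd.conf, and without ldap_start_tls (or ldaps://) every user password checked this way crosses the network to AD in plaintext.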