I've got two Active Directory servers that are being proxied through OpenLDAP and their respective trees are being merged into one.  So far, so good.

Now I want to allow users to bind to the OpenLDAP server and pass the authentication through to the appropriate AD and let it do the password checking.

I see a lot of documentation on using SASL for passthrough, but where I'm stuck is that this requires every user to have an account in the OpenLDAP server in order to see if the userPassword attribute is specially formatted.  In my case, this isn't really a palatable solution because I'm using the OpenLDAP server with the meta backend and using it as a "live view" into the data contained in the ADs.  Other applications can talk directly to the ADs and in order to do the SASL approach there'd have to be some syncing from the ADs to the OpenLDAP server every time a user is created/deleted.

I would think that surely there must be some way to pass through the authentication in a more obvious manner -- i.e., if the user doesn't exist locally, try to bind against each proxied server in succession.  But I can't seem to find a way to do this, all references point to the SASL approach.

Is there a way to do this?

Thanks in advance.