On Tue, Jan 13, 2009 at 02:30:27PM +0700, Duong Pham Tung (FIM HN) wrote:
> My company network has several different domains such as abc.net, abc.com and xyz.com (I don't use the real domain names because of our company's security policy). Each domain is managed by a dedicated Active Directory server.
> Now, I want to use one OpenLDAP server to authenticate all users from these domains because we want to manage the services they use (such as Mail, Portal) centrally. But so far I don't have any solution to this problem. Because the number of users is very large (approximately 10.000 users), I can't build the database by hand.
Do you mean that you want to have a single OpenLDAP server that refers authentication to the three backend servers?
Does each AD server manage a separate non-overlapping part of the tree? If so, you may be able to use OpenLDAP with back-meta to glue the three servers together into a single service without having to copy any data across.
In more complex cases you may have to copy data into OpenLDAP. 10,000 users is not very many, but you certainly would not want to copy the entries by hand. You may need to write some scripts to synchronise the data. The scripts could put an attribute into each entry in OpenLDAP to say which AD server the user came from. You could then use Pass-Through Authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Andrew
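The two approaches in the reply above, written out as an added configuration example that is not part of the thread and not taken from the OpenLDAP documentation: first a back-meta database that mounts three AD naming contexts under one virtual suffix (for the case where each AD holds a non-overlapping part of the tree), then a local database whose entries carry `userPassword: {SASL}user@realm`, so the realm after the `@` records which AD the user came from and saslauthd checks the password against that AD. Host names, DNs, the proxy account and the `dc=company,dc=example` suffix are placeholders; only the abc.net target is shown in full for the saslauthd side, and mapping the realm to a per-domain AD server (Cyrus SASL's LDAP_SASLAUTHD substitution tokens, or one saslauthd instance per domain) is left out.

```conf
# ---------- /etc/openldap/slapd.conf : option 1, back-meta glue ----------
# Assumed layout (not from the thread): each AD domain becomes one subtree
# of the virtual suffix dc=company,dc=example. Credentials are placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
moduleload      back_ldap.la        # back-meta is built on back-ldap
moduleload      back_meta.la

database        meta
suffix          "dc=company,dc=example"
rootdn          "cn=admin,dc=company,dc=example"
rootpw          "PLACEHOLDER-ROOTPW"
chase-referrals no                  # AD hands out DNS-zone referrals; do not follow them
rebind-as-user  yes                 # forward the user's own bind so AD checks the password
default-target  none                # refuse requests that match no target instead of broadcasting

# Target 1: abc.net, reachable under dc=abc,dc=net,dc=company,dc=example
uri             "ldap://ad1.abc.net/dc=abc,dc=net,dc=company,dc=example"
suffixmassage   "dc=abc,dc=net,dc=company,dc=example" "dc=abc,dc=net"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=abc,dc=net"
                credentials="PLACEHOLDER-1"
                mode=none           # searches run as the proxy account; binds are not asserted

# Target 2: abc.com
uri             "ldap://ad1.abc.com/dc=abc,dc=com,dc=company,dc=example"
suffixmassage   "dc=abc,dc=com,dc=company,dc=example" "dc=abc,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=abc,dc=com"
                credentials="PLACEHOLDER-2"
                mode=none

# Target 3: xyz.com
uri             "ldap://ad1.xyz.com/dc=xyz,dc=com,dc=company,dc=example"
suffixmassage   "dc=xyz,dc=com,dc=company,dc=example" "dc=xyz,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=xyz,dc=com"
                credentials="PLACEHOLDER-3"
                mode=none

# ---------- /etc/openldap/slapd.conf : option 2, local copy + pass-through ----------
# Entries are synchronised into a local hdb database by a script (not shown);
# no password hash is stored locally, the {SASL} value delegates the check.
database        hdb
suffix          "dc=company,dc=example"
rootdn          "cn=admin,dc=company,dc=example"
directory       /var/lib/ldap
index           objectClass,uid eq

# Example entry the sync script would load (constructed LDIF):
#   dn: uid=jdoe,ou=People,dc=company,dc=example
#   objectClass: inetOrgPerson
#   uid: jdoe
#   cn: John Doe
#   sn: Doe
#   userPassword: {SASL}jdoe@abc.net      <- realm names the AD the user came from

# ---------- /etc/sasl2/slapd.conf (Cyrus SASL config read by slapd) ----------
# Tells slapd's SASL library to hand plaintext password checks to saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# ---------- /etc/saslauthd.conf (saslauthd started with: saslauthd -a ldap) ----------
# One AD shown; per-realm selection of the server is an assumption left out here.
ldap_servers: ldap://ad1.abc.net/
ldap_search_base: dc=abc,dc=net
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=ldapproxy,cn=Users,dc=abc,dc=net
ldap_bind_pw: PLACEHOLDER-1
```

With option 1 a client binding as `cn=jdoe,cn=Users,dc=abc,dc=net,dc=company,dc=example` is rewritten by `suffixmassage` to `cn=jdoe,cn=Users,dc=abc,dc=net` and, because of `rebind-as-user`, the bind is sent to ad1.abc.net, so AD's own account and password policy still applies and no credentials are copied. With option 2 the realm in the `{SASL}` value is the "which AD did this user come from" attribute the reply suggests; a bind to the local entry is then checked by saslauthd against that AD, which can be verified before going live with `testsaslauthd -u jdoe -r abc.net -p 'password'`. In both cases the proxy account only needs read access in AD, and the `ldap://` URIs should be switched to `ldaps://` (or StartTLS with `tls start` on the back-meta `uri` line) before real passwords cross the network.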