Hi, Andrew
Thanks for your suggestion. I will try using OpenLDAP with back-meta.
> Do you mean that you want to have a single OpenLDAP server that
> refers authentication to the three backend servers?
I am figuring out more detail about my task: suppose that someone such as Mr Deck, who has the account d@abc.com, wants to use the company mail service. He will send his username/password to the OpenLDAP server to authenticate for the mail service. He doesn't know anything about the AD server which manages the abc.com domain. The OpenLDAP server receives this authentication request and responds to the client that his access is granted or denied. Authenticating users from other domains is similar.
But, because of my company structure, I do not have an Admin account or super user account on these AD servers, which means I can't install any software (each domain is a sub-company). I can only look up info.
Best regards,
Duong Pham
-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
Sent: 14 January 2009 12:14 AM
To: Duong Pham Tung (FIM HN)
Cc: openldap-technical@openldap.org
Subject: Re: OpenLDAP centralized authentication with Active Directory
Do you mean that you want to have a single OpenLDAP server that refers authentication to the three backend servers?
Does each AD server manage a separate non-overlapping part of the tree? If so, you may be able to use OpenLDAP with back-meta to glue the three servers together into a single service without having to copy any data across.
In more complex cases you may have to copy data into OpenLDAP. 10,000 users is not very many, but you certainly would not want to copy the entries by hand. You may need to write some scripts to synchronise the data. The scripts could put an attribute into each entry in OpenLDAP to say which AD server the user came from. You could then use Pass-Through Authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
Andrew
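Added example, not code from this thread or from the OpenLDAP project: the shape of the sync script Andrew describes. It takes constructed per-domain AD export records (the LDAP search against each AD that produces them is not shown), tags each OpenLDAP entry with an attribute recording the source AD server, and writes userPassword in the {SASL} form used by Pass-Through Authentication so the bind is handed to saslauthd for user@REALM. The attribute name x-sourceADServer, the realm-to-server mapping and the suffix dc=example,dc=com are assumptions.

```python
import base64

# Constructed sample AD exports (what an LDAP search against each AD would return)
AD_EXPORTS = {
    "ad.abc.com": [{"sAMAccountName": "d", "cn": "Mr Deck", "mail": "d@abc.com"}],
    "ad.xyz.com": [{"sAMAccountName": "alice", "cn": "Alice Tran", "mail": "alice@xyz.com"}],
}
# SASL realm that saslauthd is configured to route to each AD server (assumed mapping)
REALM_FOR_SERVER = {"ad.abc.com": "ABC.COM", "ad.xyz.com": "XYZ.COM"}
SOURCE_ATTR = "x-sourceADServer"        # assumed attribute name; define it in local schema
BASE_DN = "ou=People,dc=example,dc=com"  # assumed OpenLDAP suffix


def build_entry(server: str, rec: dict) -> dict:
    uid = rec["sAMAccountName"]
    return {
        "dn": f"uid={uid},{BASE_DN}",
        "objectClass": ["inetOrgPerson", "extensibleObject"],  # extensibleObject permits SOURCE_ATTR
        "uid": uid,
        "cn": rec["cn"],
        "sn": rec["cn"].split()[-1],
        "mail": rec["mail"],
        # No password hash is stored: slapd forwards the bind to saslauthd as uid@REALM
        "userPassword": f"{{SASL}}{uid}@{REALM_FOR_SERVER[server]}",
        SOURCE_ATTR: server,
    }


def ldif_line(attr: str, value: str) -> str:
    # LDIF (RFC 2849) needs base64 for non-ASCII values or values starting with space/colon/'<'
    if value.isascii() and value and value[0] not in " :<" and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(entry: dict) -> str:
    lines = [ldif_line("dn", entry["dn"])]
    for attr, val in entry.items():
        if attr == "dn":
            continue
        lines += [ldif_line(attr, v) for v in (val if isinstance(val, list) else [val])]
    return "\n".join(lines) + "\n"


def sync_ldif(exports: dict = AD_EXPORTS) -> str:
    # One LDIF record per AD user, ready for ldapadd against the OpenLDAP server
    return "\n".join(to_ldif(build_entry(s, r)) for s, recs in exports.items() for r in recs)


if __name__ == "__main__":
    print(sync_ldif())
```

The output is meant to be piped into ldapadd; the saslauthd side (its ldap mechanism pointing each realm at the matching AD server) is separate configuration that the script does not cover.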