Hello,
I posted a question along these lines a few months ago and received replies, but never understood enough to implement them. I've done more research in the meantime and hopefully have learned enough to ask this question intelligently.
I'm working on a project proposal for integrating Linux machines into a Windows environment. The client is very concerned about their AD environment and wants to do as little modification to it as possible (preferably none).
What I'd like to propose is that we set up an OpenLDAP server that chains to AD. If possible, I would like to use the OpenLDAP client's credentials to bind to AD instead of having a dedicated user for the OpenLDAP <--> AD connection. I believe this can be accomplished with the 'rebind-as-user' option of the ldap backend (slapd-ldap). Is this correct?
Now here's where I think it gets tricky. We also need to be able to store information for the Linux boxes in LDAP (Samba winbind mappings, for example), but keep it separate from AD. I know that part of this would require a dedicated LDAP database backend (slapd-bdb) to be configured, but what confuses me is how to combine these two separate entities (the AD proxy and this bdb database) into one 'virtual' backend that clients can query against. Is this where slapd-translucent would come into play?
Finally, if I want to create OUs in the Linux LDAP database that contain user DNs from AD, is that possible?
Any guidance, example solutions, or suggested reading is greatly appreciated.
-Dave
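As an added example (not from the original post and not a reply from the list), here is one slapd.conf layout for the architecture described above: a slapd-ldap proxy to AD using rebind-as-user, a separate bdb database for Linux-only data, and the two joined under one virtual root with the subordinate/glue mechanism. All names are assumptions: dc=example,dc=com as the virtual root, dc=ad,dc=example,dc=com as the AD domain, dc=linux,dc=example,dc=com for local data, dc1.ad.example.com as a domain controller, and the file paths and password hashes are placeholders.

```conf
# Added example, not from the original post. Assumed names throughout:
# dc=example,dc=com (virtual root), dc=ad,dc=example,dc=com (AD domain),
# dc=linux,dc=example,dc=com (local data), dc1.ad.example.com (domain controller).

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema   # assumed path; supplies sambaIdmapEntry etc.

# With rebind-as-user the proxy re-binds to AD using each client's own
# credentials, so client passwords pass through this server. Require TLS on
# the client-facing hop as well as on the hop to AD (ldaps:// below).
TLSCertificateFile      /etc/openldap/certs/slapd.crt      # placeholder path
TLSCertificateKeyFile   /etc/openldap/certs/slapd.key      # placeholder path
security        ssf=128          # refuse operations without at least 128-bit protection

# 1. Subordinate database: proxy to AD. Subordinates must precede the superior.
database        ldap
suffix          "dc=ad,dc=example,dc=com"
subordinate
uri             "ldaps://dc1.ad.example.com"
rebind-as-user  yes              # forward the client's bind instead of a service account
chase-referrals no               # AD returns referrals for other partitions; do not follow them

# 2. Subordinate database: local storage for Linux-only data (e.g. idmap entries).
database        bdb
suffix          "dc=linux,dc=example,dc=com"
subordinate
directory       /var/lib/ldap/linux                  # placeholder path
rootdn          "cn=admin,dc=linux,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-HASH
index           objectClass,uidNumber,gidNumber eq

# 3. Superior database holding only the glue entry dc=example,dc=com.
#    A subtree search based at dc=example,dc=com spans both subordinates.
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/root                   # placeholder path
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-HASH
```

Two notes on the design. The translucent overlay (slapo-translucent) serves a different need than this layout: it overlays locally stored attributes onto entries that live in the remote directory under the same DN (for example adding uidNumber to an AD user without writing to AD), whereas separate subtrees are joined by the subordinate/glue mechanism shown here. If the real AD suffix is not beneath the chosen virtual root, the rwm overlay's rwm-suffixmassage directive can rewrite it on the proxy database. As for OUs in the local database that reference AD users: DN-syntax attributes such as member are stored as strings, so a local groupOfNames entry can list DNs under dc=ad,dc=example,dc=com, but slapd does not check that such a DN exists in the proxied tree.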