I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum...
We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers. I'm able to query against our AD servers by hand using: ldapsearch -x -LLL -E pr=200/noprompt -h ouradhost -D "CN=Administrator,OU=IT Department,OU=Users,OU=My Business,DC=ourdomain,DC=dotcom" -W -b "dc=ourdomain, dc=dotcom" -s sub "(cn=*)"
And that gives me the entire tree, but I haven't made much progress from there. Honestly, I am unsure what 'right' resulting architecture would be: have each unix (linux, CentOS) system, using nss_ldap, authenticate against AD directly, or build an openldap replica of the AD contents (just user accounts) and have the unix boxes authenticate against that. Because of the AD layout, I'm not sure nss_ldap is even configurable enough to map users from the mess of groups within AD to one layer of users. The AD layout is messy.. the users are broken up in to different groups ("IT Department", "Executives", etc., etc) within AD, and it isn't straightforward on how to do a query just to get all users (regardless of the group).
(unfortunately, I have no ability at this time to re-work the AD architecture, nor do I take responsibility for its current layout)
Thanks! -Rich