Hello,
I am in a environment where we use both OpenLDAP and Active Directory. All Linux servers authenticate against OpenLDAP where we have user group, unix group (...)
I would like to keep everything the same except that when the user bind to OpenLDAP the credential should be checked against Active Directory. There is no need to retrieve/return any information from Active Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be performed against the AD but the search result should from OpenLDAP. (anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01 long username: john.smith@example.com
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD, only the "DN" is simply set to the username.
john.smith@example.com
I am starting to seriously look at the various OpenLDAP overlay and proxy functionality but I am a bit confused on how to archive this.
Best regards,
Alexandre