I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user
group, unix group (...)
I would like to keep everything the same except that when the user bind
to OpenLDAP the credential should be checked against Active Directory.
There is no need to retrieve/return any information from Active
Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be
performed against the AD but the search result should from OpenLDAP.
(anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01
long username: john.smith(a)example.com
The short username are used in in OpenLDAP like this:
While the AD uses the long username. From my test when binding to AD,
only the "DN" is simply set to the username.
I am starting to seriously look at the various OpenLDAP overlay and
proxy functionality but I am a bit confused on how to archive this.