I'm trying to configure a third-party product to obtain the list of valid users based on group membership in a corporate Active Directory server. The third-party product is not capable of querying for users based on group membership; it can only use an OU or objectClass. The corporate AD server has a very broad "All Users" OU, and we can't add an OU or objectClass to AD.

I would like to configure an OpenLDAP proxy that can dynamically create an OU by querying the members of a group. Is this possible using overlays? Another possibility is to try to synchronize OpenLDAP with AD based on a filter that includes membership in only one group. Would either of these methods work, or is there another solution I haven't mentioned?