14 Nov
2008
14 Nov
'08
3:42 a.m.
On Thu, Nov 13, 2008 at 07:27:44PM -0600, Christopher Barry wrote:
The goal is to have a single user/password db in AD, and have all of the old NIS map data in OpenLDAP. SSO would be a nice to have feature too. I've read more stuff than I can count, but I'm still more than a little confused.
You might want to consider pass-through authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
That would allow you to keep non-Windows data in OpenLDAP but still use AD to check passwords.
Doing tricks like that does leave you open to more failure modes: loss of connectivity to AD, failure of the SASL daemon etc.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------