On Thu, Nov 13, 2008 at 07:27:44PM -0600, Christopher Barry wrote:
> The goal is to have a single user/password db in AD, and have all of the old NIS map data in OpenLDAP. SSO would be a nice-to-have feature too. I've read more stuff than I can count, but I'm still more than a little confused.
You might want to consider pass-through authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
That would allow you to keep non-Windows data in OpenLDAP but still use AD to check passwords.
Doing tricks like that does leave you open to more failure modes: loss of connectivity to AD, failure of the SASL daemon, etc.
Andrew
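As an added illustration (not part of the thread or of the OpenLDAP documentation), these are the three pieces a pass-through setup of the kind described above touches: the entry in OpenLDAP, slapd's Cyrus SASL configuration, and saslauthd's LDAP backend pointed at AD. The domain, hostnames, DNs and file paths are assumptions and vary by distribution.

```conf
# 1. Entry in OpenLDAP (assumed DN/realm). No password hash is stored here;
#    the {SASL} scheme tells slapd to hand the bind password to Cyrus SASL.
dn: uid=cbarry,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: cbarry
userPassword: {SASL}cbarry@EXAMPLE.COM

# 2. slapd's SASL config, e.g. /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf:
#    check passwords through saslauthd instead of a local sasldb.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# 3. /etc/saslauthd.conf, with the daemon started as "saslauthd -a ldap":
#    saslauthd looks the user up in AD and binds as that user to verify
#    the password. %U is the user part of "user@realm".
ldap_servers: ldaps://dc1.example.com/ ldaps://dc2.example.com/
ldap_search_base: dc=example,dc=com
ldap_filter: (sAMAccountName=%U)
ldap_bind_dn: cn=saslauthd,cn=Users,dc=example,dc=com
ldap_password: <service-account-password, placeholder>
# LDAPS (or ldap_start_tls: yes) keeps the user's cleartext password off the
# wire between saslauthd and AD; listing more than one DC softens the
# loss-of-connectivity failure mode mentioned in the reply.
```

`testsaslauthd -u cbarry -p 'password' -r EXAMPLE.COM` exercises the daemon on its own, which separates a saslauthd/AD problem from a slapd one when a bind fails.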