On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:
> - user
> credentials are replicated over to the LDAP server from AD which means that LDAP would handle all authentication or
You will never get the existing passwords out of AD because they are not there.
If the people running the AD domain are prepared to co-operate you may be able to load a 'password checker module' into the AD domain controllers. This could tell you whenever a new password is set (and pass over the cleartext password). This allows you to keep up to date with new accounts and password changes.
> - LDAP server would
> delegate authentication for users it cannot authenticate to the AD server but otherwise it would handle the users it knows.
That may be easier - for one thing you do not need to do anything scary to the central AD servers. See 'Pass-Through Authentication' in the Admin Guide:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
In principle you could use either LDAP or Kerberos access to the AD domain to implement this, though I think LDAP would be easier.
It is also worth looking at the contributed slapd modules, as I think there is one that delegates authentication to a remote AD and then builds a local entry if the password is OK. smbk5pwd perhaps?
Whichever way you go, you will need some regular process to deal with account updates and deletions.
Andrew
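Added here as an illustration of the pass-through setup Andrew points to (this is not configuration from his mail or from the OpenLDAP project; hostnames, DNs, the service account and the user are placeholders). It assumes slapd was built with SASL support and that saslauthd runs with the ldap backend. Because the {SASL} mechanism works per entry, slapd still needs a local entry for each AD user, which is why the account-update process mentioned above cannot be skipped.

```conf
# --- 1. Cyrus SASL settings read by slapd (file location depends on the
#        build: /etc/sasl2/slapd.conf or /usr/lib/sasl2/slapd.conf) ---
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- 2. /etc/saslauthd.conf, used when saslauthd is started with "-a ldap" ---
# Placeholder AD host and DNs; replace with your own values.
# The end user's cleartext bind password travels slapd -> saslauthd -> AD,
# so both legs should be TLS-protected (ldaps here, TLS on slapd too).
ldap_servers: ldaps://dc01.ad.example.com/
ldap_search_base: DC=ad,DC=example,DC=com
# %u is the user part of the {SASL}user@realm value, %r the realm part
ldap_filter: (sAMAccountName=%u)
# Low-privilege AD account used only for the search; the user's own
# password is then verified by a second bind as the DN that was found.
ldap_bind_dn: CN=ldap-proxy,OU=Service Accounts,DC=ad,DC=example,DC=com
ldap_bind_pw: PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
ldap_auth_method: bind
ldap_version: 3
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ad-root-ca.pem

# --- 3. Local entry in slapd: no password hash is stored, the value only
#        tells slapd to hand the bind password to saslauthd ---
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@AD.EXAMPLE.COM
```

The saslauthd leg can be checked on its own with `testsaslauthd -u jdoe -r AD.EXAMPLE.COM -p '<password>'` before involving slapd, which narrows down failures to either the AD search/bind or the slapd-to-saslauthd socket.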