Hi. I'm a first time poster, new to OpenLDAP, and I have identified this list as the (hopefully) best place for my question.

I have an Active Directory that contains accounts and groups for employees. Besides that, there is a group of around 1000 people that also need to authenticated and authorized (based on group membership). I'm trying to assess if OpenLDAP can be used for a scenario to avoid Windows CAL license costs.

Is it possible to administer and authenticate the non-employees in OpenLDAP, and proxy requests about users that are not found in OpenLDAP to an AD? The information needed by the applications using OpenLDAP would be UPN, sAMAccountName, email address and group membership of the authenticated users.

If this can be accomplished with OpenLDAP, that would a) be very nice, and b) I would like you to explain this in brief here, and approach me off-list to help me accomplish this. If there's no ready-made recipe for this, and it can be done, I'm willing to publish the configuration so others can benefit from the work, too.

Thanks.

Siebrand Mazeland