Buchan Milne wrote:
On Tuesday 22 January 2008 22:38:13 Andrew Bartlett wrote:
On Tue, 2008-01-22 at 01:14 -0800, Howard Chu wrote:
There's nothing in OpenLDAP that would prevent this. This is a question more suited to either the pam_ldap or nss_ldap mailing lists. The only problem is you might have cn=userA representing two different users in both domains at once, and you'll have to have some kind of policy for dealing with those situations.
This is really the kind of thing that Samba and winbind does best. Winbind understands the topology, and creates accounts like AD1\userA and AD2\userB so that there is no possibility of conflict.
And it's a band-aid over the fact that there is no standard for multi-realm user identification under Unix.
Not for lack of trying... Kerberos, AFS, DCE ... I think it's somewhat ironic that Windows today is built around a technology (DCE) that was developed for and forgotten by the Unix world a decade ago. (Particularly since I was one of the guys who first implemented DCE/DFS support on Windows95 way back when.) Talk about coming full circle.