On Tue, 2008-01-22 at 01:14 -0800, Howard Chu wrote:
Aiko Barz wrote:
> is it possible to create an Active Directory forest with multible
> subdomains and make those informations available for one Linux
> Right now, we have one domain and it is possible to do authentication
> against the Active Directory, while using OpenLDAP, PAM and Kerberos.
> But now, another department would like to have its own
> directory/sub-domain. This means: uid=xyz will be located on
> different directory servers within the Active Directory forest.
> That means, there are UIDs with different BASEDNs.
> CN=userA,OU=Users,DC=example,DC=local from AD1 and
> CN=userB,OU=Users,DC=sub,DC=example,DC=local from AD2 shall both be
> able to access a Linux box via SSH. No problem?
There's nothing in OpenLDAP that would prevent this. This is a question more
suited to either the pam_ldap or nss_ldap mailing lists. The only problem is
you might have cn=userA representing two different users in both domains at
once, and you'll have to have some kind of policy for dealing with those
This is really the kind of thing that Samba and winbind does best.
Winbind understands the topology, and creates accounts like AD1\userA
and AD2\userB so that there is no possibility of conflict.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.