I know this list gets a large number of questions about Active Directory
integration and this one is no different. I've tried to do as much research
as possible on my own but still have a few unanswered questions and
issues, so I'm adding yet another AD question to the list. Sorry in advance.

My initial foray into OpenLDAP was to use it to store the idmaps created by
Samba, so that mapped user and group IDs were identical between file
servers. As I thought about it more, I realized we could use LDAP to
centralize our Linux users, groups, and access to other LDAP-enabled
applications. The point of all this is, that I don't need to proxy Active
Directory (and its schema) in its entirety, I really just want to use it as
a central repository for user info and authentication.

So, I guess, my first question is: Is this a viable use case? All signs
seem to point to yes, but I just want to make sure.

I currently have a proxy database configured that is successfully
proxying/querying our AD infrastructure. From what I've read, OpenLDAP 2.3
and newer have the ability to proxy unknown schemas, but will not be
able to do any advanced filtering because the schema is unknown. My
question is, given a full export of the AD schema from
CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com via LDIFDE, is there
a way to leverage this to re-create parts of the AD schema so that OpenLDAP
can perform native filtering? I'm primarily only interested in the user
objects (objectClass=user).

I know that all of this might be easier if I was to use ADAM/AD LDS and/or
scrape the Samba4 schema, but I'd like to do it myself just for the
education it provides and because I'm trying to implement just the bare
minimum for our users. I've also seen the AD/Outlook Global Address List
entry in the FAQ, but that involves editing the OpenLDAP-provided .schema
files. If possible, I'd like to keep all of these AD-related schemas within
their own files and keep the OpenLDAP-provided ones untouched.

Thanks for the help,

-Dave
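As an added illustration of the conversion Dave is asking about (this is not code from the post, from OpenLDAP or from Microsoft): a small Python script that reads attributeSchema/classSchema entries as LDIFDE exports them from CN=Schema and writes the corresponding `attributetype`/`objectclass` lines in OpenLDAP .schema syntax for one chosen class (here `user`). The mapping of AD `attributeSyntax` OIDs to RFC 4517 LDAP syntaxes is assumed from the public AD schema documentation and only covers the common types; the sample LDIF at the bottom is constructed to resemble LDIFDE output and is not a real export. Two things a practitioner wants handled are built in: attribute names that OpenLDAP already defines (`cn`, `sn`, `mail`, ...) are passed in as `already_defined` and are referenced but never redefined, because a duplicate definition makes slapd refuse to load the schema, and MUST/MAY members that resolve to nothing in the export are dropped rather than emitted as dangling names.

```python
"""Turn attributeSchema/classSchema entries from an LDIFDE export of
CN=Schema into OpenLDAP .schema syntax. Added example for this thread,
not code from the post or from OpenLDAP; the sample LDIF is constructed."""
import base64
import re
from collections import defaultdict

# AD attributeSyntax OID -> (RFC 4517 LDAP syntax OID, equality rule).
# Assumed from public AD schema docs; anything unlisted becomes an octet string.
AD_SYNTAX = {
    "2.5.5.1":  ("1.3.6.1.4.1.1466.115.121.1.12", "distinguishedNameMatch"),
    "2.5.5.8":  ("1.3.6.1.4.1.1466.115.121.1.7",  "booleanMatch"),
    "2.5.5.9":  ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch"),
    "2.5.5.10": ("1.3.6.1.4.1.1466.115.121.1.40", "octetStringMatch"),
    "2.5.5.11": ("1.3.6.1.4.1.1466.115.121.1.24", "generalizedTimeMatch"),
    "2.5.5.12": ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch"),
    "2.5.5.16": ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch"),
}
CATEGORY = {"1": "STRUCTURAL", "2": "ABSTRACT", "3": "AUXILIARY"}
LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and returns one dict of attribute -> [values] per entry."""
    unfolded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]           # folded continuation line
        else:
            unfolded.append(line)
    entries, cur = [], defaultdict(list)
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = defaultdict(list)
            continue
        m = LINE.match(line)
        if not m:                              # comments and junk
            continue
        key, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8", "replace")
        cur[key].append(val)
    return entries


def attribute_type(e):
    """attributeSchema entry -> OpenLDAP 'attributetype' definition."""
    syntax, eq = AD_SYNTAX.get(e["attributeSyntax"][0], AD_SYNTAX["2.5.5.10"])
    single = " SINGLE-VALUE" if e.get("isSingleValued", ["FALSE"])[0].upper() == "TRUE" else ""
    return (f"attributetype ( {e['attributeID'][0]} NAME '{e['lDAPDisplayName'][0]}'\n"
            f"\tEQUALITY {eq}\n\tSYNTAX {syntax}{single} )")


def object_class(e, known):
    """classSchema entry -> OpenLDAP 'objectclass' definition. MUST/MAY members
    not in `known` (neither exported nor already defined) are dropped."""
    must = sorted(a for a in e.get("mustContain", []) + e.get("systemMustContain", []) if a in known)
    may = sorted(a for a in e.get("mayContain", []) + e.get("systemMayContain", []) if a in known)
    kind = CATEGORY.get(e.get("objectClassCategory", ["1"])[0], "STRUCTURAL")
    parts = [f"objectclass ( {e['governsID'][0]} NAME '{e['lDAPDisplayName'][0]}'",
             f"\tSUP {e.get('subClassOf', ['top'])[0]} {kind}"]
    if must:
        parts.append("\tMUST ( " + " $ ".join(must) + " )")
    if may:
        parts.append("\tMAY ( " + " $ ".join(may) + " )")
    return "\n".join(parts) + " )"


def convert(ldif_text, wanted_classes, already_defined=frozenset()):
    """Emit definitions for `wanted_classes` plus every attribute they reference,
    except names in `already_defined` (those stay in core.schema, untouched)."""
    by_name = {e["lDAPDisplayName"][0]: e
               for e in parse_ldif(ldif_text) if "lDAPDisplayName" in e}
    classes = [by_name[c] for c in wanted_classes]
    known = set(by_name) | set(already_defined)
    needed = set()
    for c in classes:
        for k in ("mustContain", "systemMustContain", "mayContain", "systemMayContain"):
            needed.update(c.get(k, []))
    attrs = [by_name[a] for a in sorted(needed)
             if a in by_name and "attributeID" in by_name[a] and a not in already_defined]
    return "\n\n".join([attribute_type(a) for a in attrs] +
                       [object_class(c, known) for c in classes]) + "\n"


# Constructed sample shaped like LDIFDE output (not a real export); one value
# is base64-encoded the way LDIFDE does it for some attributes.
SAMPLE_LDIF = f"""dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
attributeID: 1.2.840.113556.1.4.221
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=User-Account-Control,CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com
objectClass: attributeSchema
lDAPDisplayName: userAccountControl
attributeID: 1.2.840.113556.1.4.8
attributeSyntax: 2.5.5.9
isSingleValued: TRUE

dn: CN=User-Principal-Name,CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com
objectClass: attributeSchema
lDAPDisplayName:: {base64.b64encode(b"userPrincipalName").decode()}
attributeID: 1.2.840.113556.1.4.656
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=User,CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC=com
objectClass: classSchema
lDAPDisplayName: user
governsID: 1.2.840.113556.1.5.9
subClassOf: organizationalPerson
objectClassCategory: 1
systemMustContain: cn
systemMayContain: sAMAccountName
systemMayContain: userAccountControl
systemMayContain: userPrincipalName
systemMayContain: objectSid
"""

if __name__ == "__main__":
    print(convert(SAMPLE_LDIF, ["user"], already_defined={"cn", "sn"}))
```

Run it against a real `ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=..."` export, put the output in its own file (say ad-user.schema) and `include` it after core.schema, cosine.schema and inetorgperson.schema, passing the attribute names those files already define as `already_defined`. The superclass named in `SUP` (organizationalPerson for `user`) must already exist in the loaded schema, and attributes that only have a name in OpenLDAP but a different OID in AD are the main source of load errors, so check the slapd startup log for "Duplicate" and "AttributeType not found" messages rather than assuming a clean import.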
