Joerg Schoppet wrote: > I'm in an account of a bigger company, which uses Microsoft Active > Directory for User Management and Authentication. > Now we need to save some additional information for a subset of all > employees, but the AD-Administrators do not want to include the > required attributes in the company ad. Our plan is now to install > "Fedora Directory Server" to hold these additional information. The > users, which uses a special application, should now connect to this > server to retrieve the necessary information, but the authentication > should stay in the AD. > > Is it possible, and if yes how, to configure "Fedora Directory Server" > to pass the authentication information to the AD and only let the > specific user bind to the directory server if the AD-Authentication is > OK? Hmm...I think what you are trying to implement is a form of Directory Federation. You might be able to achieve what you want with FDS and its AD sync feature. In that case, passwords are synchronized from AD to FDS (and vice versa) so your requirement for authentication 'against AD' would be met except that authentication would be done by FDS, using the AD password. If you want to proxy authentication directly to AD that might be possible without code changes in FDS, but I'm not sure. Another option you might look at is to deploy Microsoft's ADAM, which is a Federation add-on for AD. It was designed to meet your exact needs (application wants to use AD for directory services, but AD admins refuse to allow the schema to be extended).
