Getting a little more specific as I keep reading . . . can an OpenLDAP (or
LDAP in general) server contain a referral to a parallel naming context? 
For example, can my LDAP server, responsible for somedomain.com, provide a
referral to someotherdomain.com?

Thanks,
Chaz

On Fri, 18 Feb 2005 15:20:43 -0500, Charles McCabe wrote:

> I hope someone is willing to entertain my questions here ; )
> 
> Right now we use a product called ClearTrust from RSA.  It attaches to our
> Active Directory via LDAP for user authentication to various [web]
> resources.  We use the uPN for user identification and, because users are
> stupid and lazy, we append the domain portion of the name for them via the
> web form; the user enters john.smith and we submit
> john.smith@subdomain.ourdomain.com.  ClearTrust then attempts an LDAP bind
> to AD to determine if the name and password are valid.
> 
> Now, in typical corporate fashion, I have to get this authentication
> working for not one, but 4 forests in 90 days.
> 
> Here are the requirements:
> 
> [Almost] user-transparent.
> [Almost] no downtime.
> No significant changes to source directories.
> 
> To me, this sounds like I need a metadirectory, but I have no experience
> here.  This is how I feel the metadir working (stop me when I don't make
> sense):
> 
> User enters name and chooses domain on logon form.
> ClearTrust tries to auth to metadir.
> Metadir looks at domain and forwards (referral, right?) to the right
> source directory.  How does this work?  Is this a standard LDAP thing?
> ClearTrust attempts auth at referred directory.
> 
> Is it possible to sync all records into the metadir, instead?  You can't
> do this with the AD passwords via LDAP, right?
> 
> Any guidance is much appreciated . . . products, standards, problems, etc.
> . . are all open game.
> 
> Thanks,
> Chaz
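An added configuration example, not taken from either message in this thread: the slapd.conf(5) `referral` directive is how an OpenLDAP server hands out a referral for any DN that falls outside the naming contexts it holds itself, which is the "parallel naming context" case asked about above. Host names, suffixes and paths below are placeholders.

```conf
# slapd.conf fragment (added example; names are placeholders).
#
# Global superior knowledge reference. Any operation whose target DN is
# not under one of the database suffixes configured below gets this
# referral back (result code 10) instead of noSuchObject, so a request
# for an entry under dc=someotherdomain,dc=com is pointed elsewhere.
#
# The client, not slapd, decides whether to follow it; a client that
# chases a referral opens a new connection to the referred server and
# binds again with the same credentials. Publish an ldaps:// URL so that
# second bind is not sent in the clear, and make sure the client is
# configured to verify the referred server's certificate.
referral        ldaps://ldap.someotherdomain.com/

# The naming context this server is actually authoritative for.
database        bdb
suffix          "dc=somedomain,dc=com"
rootdn          "cn=Manager,dc=somedomain,dc=com"
directory       /var/lib/ldap/somedomain
```

The directive takes a single URL, so it cannot dispatch per domain on its own; for a referral scoped to one subtree inside a held naming context, the standard (RFC 3296) alternative is an entry of objectClass `referral` carrying a `ref` attribute with the remote LDAP URL.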