I recommend OpenLDAP's meta backend, which acts as a proxy to integrate several naming contexts from several different servers in one single tree. I have successfully used it to do just this on several Windows 2003 domains.
For example, if you have several AD domains named ONE.COMPANY.COM and TWO.COMPANY.COM, you would end up with the following LDAP tree:
- dc=company,dc=com
  - dc=one,dc=company,dc=com
    - Users and Groups from domain ONE
  - dc=two,dc=company,dc=com
    - Users and Groups from domain TWO
Thus, you could base authentication requests on the base DN dc=company,dc=com, which would return entries from either server.
Of course, you must make sure that you have an attribute that can uniquely identify users over all domains, such as an email address (you don't want to use a login name if you have two jdoe users! Unless you're sure logins are unique over all domains).
Check out OpenLDAP's back-meta man page.
> Second, I need to be able to add those users to groups without being able to make any changes to the LDAP servers I'm proxying.
You can easily add a local database to the same instance of OpenLDAP, to contain groups that reference users from all proxied domains. They will have unique DNs on this server; just add them to groups and you're done.
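As an added example (not part of the original answer), here is a slapd.conf fragment that builds the tree described above: one back-meta database with a target per AD domain, plus a local database for groups glued under the same suffix. The hostnames, bind DNs, passwords and directory path are assumptions; so is the use of the `subordinate` keyword to glue the local group database under the meta suffix, which requires the subordinate to be declared before its superior.

```conf
# slapd.conf fragment (added example; names and credentials are assumptions)

# Local database for groups that reference users from both proxied domains.
# Declared before the meta database and marked "subordinate" so that a
# search based at dc=company,dc=com also covers ou=groups. Use "bdb" on
# releases that predate back-mdb.
database        mdb
suffix          "ou=groups,dc=company,dc=com"
subordinate
directory       /var/lib/ldap/groups
rootdn          "cn=admin,ou=groups,dc=company,dc=com"
rootpw          secret

# Proxy database: a single suffix, with one target (uri) per AD domain.
# Each target's naming context is a direct subtree of the suffix, so no
# suffixmassage is needed.
database        meta
suffix          "dc=company,dc=com"

# Target for ONE.COMPANY.COM. AD does not allow anonymous searches, so
# searches are performed as a dedicated proxy account in that domain;
# mode=none means no identity is asserted on top of that bind.
uri             "ldap://dc1.one.company.com/dc=one,dc=company,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,cn=Users,dc=one,dc=company,dc=com"
                credentials="secret"
                mode=none

# Target for TWO.COMPANY.COM, with its own proxy account.
uri             "ldap://dc1.two.company.com/dc=two,dc=company,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,cn=Users,dc=two,dc=company,dc=com"
                credentials="secret"
                mode=none
```

A client bind with a DN under dc=one,dc=company,dc=com is forwarded to the first target and one under dc=two,dc=company,dc=com to the second, so authentication still happens against the domain that owns the account. The group entries (for example groupOfNames objects whose member values are DNs from either domain) are loaded into the local database with ldapadd as the local rootdn; the proxied AD servers are never written to.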
The AuthzLDAPAuthoritative off directive will let authentication fall through to the next module only if the user cannot be matched to a DN in the query. Currently even though the user is expired, it seems that their account will still be returned as a result when the LDAP query is performed.
I don't know enough about the Active Directory LDAP schema to give a definite answer here, but if you could add a filter to your AuthLDAPURL directive that filters out expired accounts it should result in the username not matching any DN in the query. This should result in the authentication falling through to the next module.
Best Answer
You could try the "Satisfy" Apache directive, e.g. Satisfy all.
Otherwise you could modify your filter to require the groups, e.g. (&(ou=foo)(ou=bar))
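The following httpd.conf fragment is an added example, not code from either of the two answers above; it illustrates both suggestions at once: a filter in AuthLDAPURL that excludes accounts the directory should not authenticate and that requires membership in two groups (the AND pattern from the last answer), with AuthzLDAPAuthoritative off so that users the filter does not match fall through to a second provider, and Satisfy all to combine a host restriction with the login. The hostname, base DN, group DNs, bind credentials and htpasswd path are assumptions. Two Active Directory details the example relies on: bit 0x2 of userAccountControl is ACCOUNTDISABLE, and the matching rule OID 1.2.840.113556.1.4.803 is AD's bitwise AND rule.

```apache
# Apache 2.2 + mod_authnz_ldap fragment (added example; names are assumptions)
<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    # LDAP is tried first; a user the LDAP filter does not match is looked up
    # in the htpasswd file next.
    AuthBasicProvider ldap file
    AuthUserFile /etc/httpd/local-users.htpasswd

    # The 4th URL field is a filter that mod_authnz_ldap ANDs with the
    # sAMAccountName match:
    #   (objectClass=user)                          only user objects
    #   (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    #                                               drop accounts with the
    #                                               ACCOUNTDISABLE bit set
    #   (memberOf=...foo)(memberOf=...bar)          must be in both groups
    AuthLDAPURL "ldap://dc1.one.company.com/dc=one,dc=company,dc=com?sAMAccountName?sub?(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=cn=foo,ou=groups,dc=one,dc=company,dc=com)(memberOf=cn=bar,ou=groups,dc=one,dc=company,dc=com))"
    # AD rejects anonymous searches: bind as a dedicated read-only account.
    AuthLDAPBindDN "cn=proxy,cn=Users,dc=one,dc=company,dc=com"
    AuthLDAPBindPassword "secret"

    # For a user that LDAP did not authenticate (no matching DN), the LDAP
    # authorization step declines instead of failing, so mod_authz_user can
    # evaluate "Require valid-user" for the file-backed users.
    AuthzLDAPAuthoritative off
    Require valid-user

    # Satisfy all: the client must pass the host restriction AND log in.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Satisfy all
</Location>
```

Two caveats. First, memberOf is an attribute of the user entry in AD, which is why it can be used in this filter; groups that live only in a local OpenLDAP database (as in the proxy setup discussed earlier on this page) are not reflected in memberOf, and membership in those is checked with Require ldap-group instead. Second, this filter catches disabled accounts, not expired ones: AD stores expiry in accountExpires as a timestamp (0 and 9223372036854775807 mean never expires) that would have to be compared against the current time, which a static filter in AuthLDAPURL cannot do; one workaround is to have expired accounts disabled so that the filter above rejects them.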