Ldap – Linking an LDAP server to Windows AD as an ACL solution

Tags: active-directory, ldap

I asked this question over at Stack Overflow without an answer yet, so I am trying my luck here as it may be more relevant to sysadmins.

We are trying to develop an ACL solution that would cater for both internal users (currently managed through Windows AD which is outside of the scope of the project) and external users. The idea is to have a new LDAP server, another Windows AD or non-AD server such as openldap, that will be used to manage external users and all groups that are to be used for the ACL.

And then a referral to the internal Windows AD would be set up so that authentication would work for both internal and external accounts, and group membership in the groups defined in the new LDAP server would be open to both internal and external accounts.

The problem is getting the referral working. Following this document http://technet.microsoft.com/en-us/library/cc978014.aspx (under "Creating an External Cross-Reference for an Internal Location"), it seems you need the external LDAP server to have the same domain as the internal one; this seems to be a problem, at least when using Windows AD as the external server as well.

Also, due to security restrictions in place, trust relationships cannot be created that would let internal users be added as members of groups created in the external server. So is there a way around this? Is it better to use OpenLDAP rather than Windows AD for the external server?

Any pointers would be much appreciated.

Cheers
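As an added illustration (not part of the question or the answer) of the referral design described above, the LDIF below shows how an OpenLDAP server holding the external directory would publish a subordinate referral for the internal AD naming context and define an ACL group whose members are plain DNs, some of them living on the AD side; all hostnames, suffixes and DNs are assumed placeholders.

```ldif
# Added example, not from the original post.  Assumed layout:
#   external OpenLDAP suffix : dc=external,dc=example
#   internal AD naming ctx   : DC=corp,DC=example  on host ad.corp.example
#
# 1. Subordinate referral: slapd answers any search that descends into
#    dc=corp,dc=external,dc=example with a referral to the internal AD
#    instead of data it holds itself.  The entry must sit inside the
#    external server's own suffix; the 'ref' value names the real
#    location of the subtree.
dn: dc=corp,dc=external,dc=example
objectClass: referral
objectClass: extensibleObject
dc: corp
ref: ldap://ad.corp.example/DC=corp,DC=example

# 2. ACL group kept on the external server.  Membership is a list of DN
#    strings, so an AD user DN can be listed next to an external one
#    without any forest trust.  slapd does not verify that a member DN
#    resolves anywhere unless a referential-integrity overlay is loaded,
#    so stale or mistyped AD DNs are silently accepted.
dn: cn=app-readers,ou=groups,dc=external,dc=example
objectClass: groupOfNames
cn: app-readers
member: uid=partner.one,ou=people,dc=external,dc=example
member: CN=Jane Doe,OU=Staff,DC=corp,DC=example
```

The referral is returned to the client, not chased by slapd; whether a given application follows it, and in particular whether it is willing to re-send bind credentials to the referred host, is client-side policy, so the "authentication for both" part of the design has to be verified with each consuming application rather than assumed from the directory layout.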

Best Answer

What you are trying to do sounds a lot like a trust.

Where will those ACLs be? In some cases a one-way trust can be appropriate.

Alternatively, check out ADFS (Active Directory Federation Services), which can be used to federate access without actual trusts, which is useful for external partners etc.

http://msdn.microsoft.com/en-us/library/ms674895%28v=vs.85%29.aspx
