Linking an LDAP server to Windows AD as an ACL solution

We are trying to develop an ACL solution that would cater for both internal users (currently managed through Windows AD which is outside of the scope of the project) and external users. The idea is to have a new LDAP server, another Windows AD or non-AD server such as openldap, that will be used to manage external users and all groups that are to be used for the ACL.

And then a referral to the internal Windows AD would be setup so that authentication would work for both internal and external accounts and group membership to the groups defined in the new LDAP server would be open to both internal and external accounts.

The problem is to get the referral working, first following this document http://technet.microsoft.com/en-us/library/cc978014.aspx (under "Creating an External Cross-Reference for an Internal Location") it seems you need to have the external ldap server having the same domain as the internal one, this seems to be a problem, at least when using Windows AD as the external ser开发者_开发问答ver as well.

Also due to security restrictions in place trust relationships cannot be created such that internal users can be added as members of groups created in the external server. So is there a way around this? Is it better to use openldap rather than Windows AD for the external server?

Any pointers would be much appreciated.

Cheers

@Haddad, the example you pointed out never mentioned the external server has to be in the same domain. The requirement is that the dnsRoot should be resolvable by your dns.

Have a look at this http://support.microsoft.com/kb/241737

Where the AD runs yourdomain.msft and the referral server runs in mydomain.msft