Nis - Ldap - Ad
I was wondering if anyone has implemented this before or if this is even possible (if so, any suggestions or gotchas)?
We have Windows and Linux/UNIX employee accts, plus customer-only accts on our Linux/UNIX systems. What we would like to do is have central points of auth and changes to passwd. But the customer accts should only exist on Linux/UNIX systems, while for our employees the accounts from Windows to Linux/UNIX should be the same (i.e. changing passwd will propagate to both).
What I have in mind is to have AD or LDAP manage all employee accounts, which means that when a user changes his/her passwd, it also changes on the Linux/UNIX side. When a customer acct is created, or any modification to a customer acct is made, it is only up to the LDAP master and does not prop up to the Windows AD domain. Since we are still using RH 7.3, some of the functionality we need for automount and netgroup is not implemented yet. I'm considering using the PADL gateway with ypldap between the clients and the LDAP servers, which means the clients will still think they are using NIS.
Details --- (I also have a gif diagram [48k] of what I would like to do, but I don't know how to attach it here.) Hopefully what's below makes sense of what I'm asking about.
Our RH7.3 clients will use NIS to talk to our LDAP server via ypldap, and I know that LDAP supports having multiple DBs or domains on the same LDAP server(s), but can the client support this in both scenarios, where our employees (pro) and customers can log in to the same box, although they are both in different domains?
If an employee updates his/her passwd on Linux/UNIX/Windows, the changes will be synced across.
If a customer updates his/her passwd on Linux/UNIX, it will propagate "only" up to the LDAP master and to its "slaves".
If a customer tries to connect to a Windows box, he will not get authenticated, since he is not on the same network.
Can a client be set up to auth users from two separate domains (one for employees, the other for customers)?
Thanks,
Steven
Last edited by steven.wong; 08-25-2006 at 06:32 PM.
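One way a Linux client can resolve and authenticate accounts from two separate subtrees of the same LDAP server, as an added illustration that is not part of the original post or of the PADL project's own documentation. It assumes the PADL nss_ldap/pam_ldap pair is used directly on the client (rather than NIS via ypldap), that the installed nss_ldap release accepts repeated nss_base_* lines (later PADL releases do; the RH 7.3 package should be checked), and that the host names and DNs (example.com, ou=Employees, ou=Customers) are placeholders:

```conf
# /etc/nsswitch.conf (hypothetical layout): local files first, then LDAP.
passwd:     files ldap
shadow:     files ldap
group:      files ldap
netgroup:   files ldap
automount:  files ldap

# /etc/ldap.conf for PADL nss_ldap / pam_ldap (placeholder hosts and DNs).
# Master first, replica second: reads fail over, writes go to the master.
uri ldap://ldap-master.example.com ldap://ldap-slave.example.com
base dc=example,dc=com
ldap_version 3

# Protect credentials in transit and verify the server certificate.
ssl start_tls
tls_checkpeer yes

# Two search bases for one map. Employee entries live in a subtree that is
# mirrored to/from AD; customer entries live in a subtree that is LDAP-only,
# so the AD synchronisation job is pointed at ou=Employees and never sees them.
nss_base_passwd ou=Employees,dc=example,dc=com?one
nss_base_passwd ou=Customers,dc=example,dc=com?one
nss_base_shadow ou=Employees,dc=example,dc=com?one
nss_base_shadow ou=Customers,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

# Password changes use the LDAP password-modify extended operation against
# the master, so replication on the server side, not the client, decides
# what propagates to the replicas and to AD.
pam_password exop
```

With this layout the client itself does not know about "domains"; it simply searches both subtrees and whichever one holds the uid answers. The separation the post asks for is enforced where the data lives: customer entries only ever exist under ou=Customers, and only ou=Employees is included in whatever mechanism mirrors accounts and password changes to AD. The same division carries over to the ypldap design, where the NIS maps served to clients are built from both subtrees on the gateway rather than on each client.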