On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:
> credentials are replicated over to the LDAP server from AD which means
> that LDAP would handle all authentication or
You will never get the existing passwords out of AD because they
are not there.
If the people running the AD domain are prepared to co-operate
you may be able to load a 'password checker module' into the AD
domain controllers. This could tell you whenever a new password is
set (and pass over the cleartext password). This allows you to
keep up to date with new accounts and password changes.
> 2) LDAP server would
> delegate authentication for users it cannot authenticate to the AD
> server but otherwise it would handle the users it knows.
That may be easier - for one thing you do not need to do anything
scary to the central AD servers. See 'Pass-Through Authentication'
in the Admin Guide:
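The pass-through arrangement described in option 2 above, written out as an added configuration example (this is not part of the original mail and not the Admin Guide's own text). It assumes the usual OpenLDAP pattern: slapd hands simple binds for an entry whose userPassword is `{SASL}user@realm` to Cyrus SASL, Cyrus SASL is told to use saslauthd, and saslauthd verifies the password against AD by searching for the account and binding as it. All hostnames, DNs, the bind account, the socket path and the user `jsmith` are placeholders for illustration.

```conf
# --- 1. The OpenLDAP entry that is delegated to AD (LDIF fragment) ---
# slapd does not store a hash for this user; on a simple bind it asks SASL
# to check the cleartext password for user "jsmith" in realm "EXAMPLE.COM".
# Users that slapd authenticates itself keep an ordinary {SSHA} value.
dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jsmith
cn: J Smith
sn: Smith
userPassword: {SASL}jsmith@EXAMPLE.COM

# --- 2. Cyrus SASL config read by slapd (assumed path: /etc/sasl2/slapd.conf) ---
# Route password checks to the saslauthd daemon over its local socket.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- 3. saslauthd config (assumed path: /etc/saslauthd.conf), started as
#        "saslauthd -a ldap". It looks the user up in AD with a low-privilege
#        service account, then binds as the found DN with the user's password.
ldap_servers: ldaps://dc1.example.com/ ldaps://dc2.example.com/
ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: CN=saslauthd svc,OU=Service Accounts,DC=example,DC=com
ldap_bind_pw: <service-account-password-placeholder>
ldap_search_base: DC=example,DC=com
# %U is the user part of "jsmith@EXAMPLE.COM", %r would be the realm.
ldap_filter: (sAMAccountName=%U)

# --- 4. Checks, run from the LDAP host (shell commands shown as comments) ---
# testsaslauthd -u jsmith -r EXAMPLE.COM -p 'the-ad-password'
#   expected: "0: OK "Success."" once saslauthd can reach AD
# ldapwhoami -x -H ldaps://ldap.example.com -D uid=jsmith,ou=people,dc=example,dc=com -W
#   expected: "dn:uid=jsmith,ou=people,dc=example,dc=com"
```

Two points worth keeping in mind with this layout: the user's cleartext password travels from the client to slapd and from saslauthd to the domain controller, so both hops should be TLS (ldaps:// or STARTTLS) and the saslauthd socket should be readable only by slapd; and a user whose userPassword has no `{SASL}` prefix is never sent to AD, so the split between locally and remotely authenticated accounts is visible in the directory itself rather than hidden in daemon configuration.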