Hi folks, I would like to extend my Active Directory using openldap. Please bare with me while I explain. There are a couple of reasons that I need to do this and I would like your input into whether this is possible and hopefully point me in the right direction in accomplishing my goal. Reason 1: We have a product that is authenticating against our AD. There are also external customers that use the product who are not in active directory. Currently, when an external user attempts to log into our product, the product first looks to see if the user is in AD and if not, it then authenticates against a file where we currently store the external users username and password details. This is obvioulsy not the most secure setup. Reason 2: I have recently setup an openfire IM server which is authenticating against AD. AD currently only has the username and email address. I would like users to be able to update their own LDAP details, limited to phone number, photograph, address, department, external email, team leader etc. We could use GALMOD.exe to allow users to do this but it doesn't seem to be the best tool for our environment. I thought that the best solution may be to have both applications authenticating against OPENLDAP which would, of sorts, be setup as an extension of AD. I would create a new OU in OpenLDAP for the external clients which would not pull any information from Active Directory. I would then like to pull data for the internal users from OU=users in AD but only the username, password and internal email fields. I would then give users access to update the other fields themselves. Is this a viable solution or can you think of a better solution. Thanks for listening.

Software/Hardware used: