Remember, OpenLDAP policies and AD policies are not entirely compatible. You should know, OpenLDAP has a config directory which is not present in AD. It is necessary to create new ACLs for OpenLDAP. To migrate AD users, it is quite easy to dump / import the users and to copy the whole LDAP tree.
Remember, if using AD authentication, the actual authentication is Kerberos (you have made a little mistake here), not LDAP. The user principals are stored in LDAP; the actual authentication step is Kerberos, not LDAP. OpenLDAP alone cannot provide single sign-on with AD. It is necessary to pair it with a Kerberos server, i.e. MIT Kerberos.
Hope this <a href="http://www.howtoforge.com/ubuntu-9.04-samba-server-integrated-with-active-directory">Guide</a> may clear up your concepts.
Last Wiki Answer Submitted: March 1, 2011 11:54 am by Subhendu Sen (22,035 pts.)
Please, anyone … answer this question … I do want to know how it's done.