How can I proxy multiple LDAP servers, and still have grouping of users on the proxy?

I recommend OpenLDAP's meta backend, which acts as a proxy to integrate several naming contexts from several different servers in one single tree. I have successfully used it to do just this on several Windows 2003 domains.

For example, if you have several AD domains named ONE.COMPANY.COM and TWO.COMPANY.COM, you would end up with the following LDAP tree:

  • dc=company,dc=com
    • dc=one,dc=company,dc=com
      • Users and Groups from domain ONE
    • dc=two,dc=company,dc=com
      • Users and Groups from domain TWO

Thus, you could base authentication requests on the base DN dc=company,dc=com, which would return entries from either server.

Of course, you must make sure that you have an attribute that can uniquely identify users over all domains, such as an email address (you don't want to use a login name if you have two jdoe users, unless you're sure logins are unique over all domains!).

Check out OpenLDAP's back-meta man page.

Second, I need to be able to add those users to groups without being able to make any changes to the LDAP servers I'm proxying.

You can easily add a local database to the same instance of OpenLDAP, to contain groups that reference users from all proxied domains. They will have unique DNs on this server; just add them to groups and you're done.
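Putting the two pieces of the answer together (a back-meta proxy in front of the two domains, plus a local database for groups under the same tree), here is an added example slapd.conf. It is not from the answer or the linked article; the domain controller hostnames, the proxy reader accounts and their passwords, the ou=groups suffix and the file paths are all assumed placeholders.

```conf
# Added example slapd.conf: one proxy tree over two AD domains plus local groups.
# Hostnames, bind accounts, passwords and paths are placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/openldap/slapd.pid
modulepath      /usr/lib/openldap
moduleload      back_ldap.la      # back-meta is built on top of back-ldap
moduleload      back_meta.la
moduleload      back_mdb.la

# Default ACL: proxied entries are readable, nothing is writable through the proxy.
access to *
        by * read

#######################################################################
# Local database for groups. Its suffix lies inside dc=company,dc=com,
# so it must be declared BEFORE the meta database that owns the parent,
# and "subordinate" glues it in so a subtree search on dc=company,dc=com
# also returns the groups.
#######################################################################
database        mdb
suffix          "ou=groups,dc=company,dc=com"
subordinate
rootdn          "cn=admin,ou=groups,dc=company,dc=com"
rootpw          "REPLACE-WITH-SLAPPASSWD-HASH"
directory       /var/lib/openldap/groups
index           objectClass,member  eq
# Group writes are local only; the AD domains are never modified.
access to dn.subtree="ou=groups,dc=company,dc=com"
        by dn.exact="cn=admin,ou=groups,dc=company,dc=com" write
        by * read

#######################################################################
# Meta database: one target per AD domain. Each uri's DN is the naming
# context that target serves, which is what builds the tree
#   dc=company,dc=com
#     dc=one,dc=company,dc=com   -> domain ONE
#     dc=two,dc=company,dc=com   -> domain TWO
#######################################################################
database        meta
suffix          "dc=company,dc=com"
rootdn          "cn=admin,dc=company,dc=com"
lastmod         off          # proxied entries carry no local modify timestamps

# Target for ONE.COMPANY.COM. AD refuses anonymous searches, so the proxy
# binds with a read-only service account; mode=none means every forwarded
# operation runs as that account (AD does not support proxyAuthz).
uri             "ldap://dc1.one.company.com/dc=one,dc=company,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxyreader,cn=Users,dc=one,dc=company,dc=com"
                credentials="PLACEHOLDER-PASSWORD-ONE"
                mode=none

# Target for TWO.COMPANY.COM, same pattern with its own service account.
uri             "ldap://dc1.two.company.com/dc=two,dc=company,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxyreader,cn=Users,dc=two,dc=company,dc=com"
                credentials="PLACEHOLDER-PASSWORD-TWO"
                mode=none
```

With this running, a client binds as its real DN (for example cn=John Doe,cn=Users,dc=one,dc=company,dc=com) and the bind is forwarded to the matching domain controller, while a search on dc=company,dc=com with a filter such as (mail=jdoe@company.com) spans both domains; that search is the reason the answer insists on an attribute like mail that is unique across all domains, because a (cn=jdoe) filter would match once per domain. Groups are then plain groupOfNames entries added with ldapadd under ou=groups,dc=company,dc=com whose member values are the proxied user DNs from either domain. AD-specific attributes such as sAMAccountName are not in the stock OpenLDAP schema, so either add schema definitions for the ones you need or translate them with back-meta's map attribute directive (see slapd-meta(5)).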


This is an awesome article outlining how to set it up step-by-step: http://ltb-project.org/wiki/documentation/general/sasl_delegation (see "Pass-Through authentication on several LDAP directories - with OpenLDAP ldap backend").