All we really need replicated is enough to build out /etc/passwd, /etc/shadow, and /etc/group files. I suspect the difficult part is getting the password out of SAM and into OpenLDAP in crypted form, though I'm guessing someone out there has done this.
AFAIK, you can't. The password hash used by Windows is incompatible; the only way to convert would be brute-force.
Second, I need to dump the OpenLDAP data into /etc/passwd,shadow,group files on some AIX systems. PAM is a poor choice because connectivity is going to be an issue, and we're looking at roughly 200 remote sites with limited bandwidth. The goal is to dump the relevant data about once per day, but the tricky part is dumping the userPassword hash in a format which the OS can understand. I *suspect* {crypt} form will "just work", though I'm wondering if anyone can confirm or deny that.
I don't think this is a viable strategy.
(if not, does anyone have a good solution - cleartext in LDAP salted to a crypt hash?)
nss_updatedb, nss_ldap and nss_updatedb?
-- Geoff Silver <geoff at uslinux dot net> "If Bill Gates had a nickel for every time Windows crashed... Oh wait, he does"