The vast majority of questions and so on regarding the interoperability of Active and Open directories involves getting Mac clients to see an AD and auth against it.
What we'd like to do is get a Windows 7 workstation to auth completely against Open Directory. We tried setting it up as an NT4 type PDC, and that doesn't work satisfactorily.
We tried using pGina and the LDAP backend, which allows Authentication, but has no support for Authorization, and as a result, if we mount an NFS Share, the user has the rights to do anything they damn well please. Not ideal for security (Totally bloody unacceptable, actually).
We tried using a Samba server (newer version than on the Open Directory Server) as an intermediate, so that it knows about the LDAP server on the OD Server, but uses Samba 4 instead of v3. That didn't work either. We could login, but couldn't mount, and if we did, we had the same rights as with pGina. If we right-click the mounted drive in Windows, and have a look at NFS UID, it returns -2, not the correct (mapped) UID.
So the final plan I've got is to use an Active Directory, inside a Windows 2008R2 Virtual Machine. What I want to achieve is to have the Active Directory sync its user data from OpenDirectory (read-only would be fine). That way, we'd have the ability to connect Windows 7 clients to a "virtual domain" which would actually just grab information from OD's LDAP.
All the information I've found is about how to go the other way.
Does anyone know how we can do this?
What you want to do may be possible. It depends on a few things though. What is the central identity store? Is it OpenDirectory? And what would be the impact in having the sync work in reverse? (i.e. is it feasible to manage users in AD and have that sync back to OD?) Where are your shares to be stored? Does it matter?
This will probably require substantial experimentation and testing, but you may be able to achieve some level of success using Centrify Express or Likewise Open (although I think that's been renamed now). As you have stated, these are geared towards getting your non-Windows clients to authenticate against AD as opposed to the other way round, but seeing as you are already considering using a Win2k8R2 domain controller, this may be the way to go.
I've never seen anything (besides Active Directory) that will allow Windows to authenticate other than pGina and Novell.
The NetIQ (previously Novell) Identity Manager product will do exactly as you asked -- it will sync between a central user store and AD and OD (which for our purposes would be "openldap"). https://www.netiq.com/products/identity-manager/
You might also consider using eDirectory instead of OD or AD as it can nicely work with both kinds of clients (and with the Domain Services for Windows Product from Novell Open Enterprise Server, eDirectory can pretend to be AD for all intents and purposes).
These would be the more stable and expandable options, although they are non-free.