
Re: same objects in multiple ou?



On 31/01/11 10:35 -0600, Joe Comeaux wrote:
I'm trying to design an environment that does not allow anonymous
binds, and the users that require authentication reside across
multiple OUs. It seems common practice among authentication modules
to take a cn, bind anonymously to scan for the full DN, and then check
the password with the full DN to authenticate.
What I'd like to avoid is the anonymous bind, or storing a name and
password with read access to bind, to increase security.

It depends on the software doing the authentication. Could you elaborate on
what your environment might look like?

  Will there be client software which performs the LDAP authentication
  directly to the LDAP server?

  Are you developing that software, or will you be using existing software?

  Can you support SASL binds in your environment?

In some parts of our network (like with FreeRADIUS), we don't have any
other good option other than to stick a DN and password into its LDAP
configuration.

In the parts of our network that allow us to perform SASL authentication,
such as postfix/cyrus/php that link against cyrus sasl, we use Kerberos
authentication (or EXTERNAL over ldapi:///), along with the ldapdb auxprop
plugin, which does not require storing passwords in config files.

For 'unifying' your different OUs, you could specify a 'sub' scope which
encompasses all your OUs. For example, if you were configuring an
authz-regexp, you could do:

authz-regexp
  "uid=([^,]+),cn=([^,]+),cn=auth"
  ldap:///dc=example,dc=com??sub?(uid=$1)

--
Dan White
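An added Python model (not code from the thread or from OpenLDAP) of how the authz-regexp rule above, with its 'sub' scope, resolves a SASL identity to one entry regardless of which OU holds it; the directory entries, the duplicate "bob", and the 'one'-scope variant are constructed for illustration.

```python
import re

# Constructed sample directory (not from the thread): users spread over two OUs,
# with "bob" deliberately present in both to show the ambiguity failure mode.
DIRECTORY = [
    "uid=alice,ou=staff,dc=example,dc=com",
    "uid=bob,ou=staff,dc=example,dc=com",
    "uid=carol,ou=contractors,dc=example,dc=com",
    "uid=bob,ou=contractors,dc=example,dc=com",
]

# The rule from the reply: match the SASL identity, search the whole tree.
AUTHZ_REGEXP = (r"uid=([^,]+),cn=([^,]+),cn=auth",
                "ldap:///dc=example,dc=com??sub?(uid=$1)")

def rdns(dn):
    # Split a DN into its RDNs; adequate because the sample values contain no commas.
    return dn.split(",")

def in_scope(dn, base, scope):
    # Model the three LDAP search scopes relative to the URL's base DN.
    d, b = rdns(dn), rdns(base)
    if d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(base, scope, filt):
    # Simplified model: only (attr=value) equality filters, checked against RDN values.
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        return []
    wanted = f"{m.group(1)}={m.group(2)}"
    return [dn for dn in DIRECTORY if in_scope(dn, base, scope) and wanted in rdns(dn)]

def authz_map(sasl_dn, rule=AUTHZ_REGEXP):
    # Apply an authz-regexp: substitute the captured groups into the LDAP URL,
    # run the search, and accept the result only when it is exactly one entry
    # (slapd likewise treats zero or several hits as a failed mapping).
    pattern, template = rule
    m = re.match(pattern, sasl_dn)
    if not m:
        return None
    url = re.sub(r"\$(\d+)", lambda s: m.group(int(s.group(1))), template)
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?")
    hits = search(base, scope or "base", filt)
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for ident in ("uid=alice,cn=digest-md5,cn=auth", "uid=carol,cn=digest-md5,cn=auth",
                  "uid=bob,cn=digest-md5,cn=auth"):
        print(ident, "->", authz_map(ident))
```

The 'bob' case is the one to check for in a real tree: a uid that repeats across OUs makes the mapping fail, so uniqueness of the matched attribute under the search base is a prerequisite for this approach.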