[Date Prev][Date Next]
same objects in multiple ou?
- To: firstname.lastname@example.org
- Subject: same objects in multiple ou?
- From: Joe Comeaux <email@example.com>
- Date: Mon, 31 Jan 2011 10:35:09 -0600
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=EeP4pTMKTGOtbdMbpympVztec5skQBHCld19JVYrH+s=; b=uU2Q0s0XmhC5VjjmglxznRzXGFHHkIVF0PCvIqJiSnPl6oKDSkX/QSDNTkhKRQV16d r5iLJWFNgMt3ATYlffqaWfxdf+TzriWZpMDBEwahIfCQhvX163Dm0vSyeevnWjxdIX4H Tc+wLGy+BIlHV7X9/LEcMzK/irTgrnMNCjU9I=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=q36dsmqeMFdyxYMaz5YZJ37gLZcZhb/2p/2WKrqHX15UNuiQg+sqCJidaREJOy/el2 7NUWKzvAx6BXT7GGOdb0R2htDHURjlMc/+wjHpxnCrFrLSgBZ9tzIPPCEAFcrO9v0iqq W1ozij6es07OOnPWtVXNuyqO2JaTrknhYZ29Q=
I'm trying to design an environment that does not allow anonymous
binds, and the users that require authentication reside across
multiple OU's. It seems common practice among authentication modules
to take a cn, bind anonymously to scan for the full dn, and then check
password with full dn to authenticate.
What I'd like to avoid is the anonymous bind, or storing a name and
password with read access to bind, to increase security.
I think what would be ideal is to somehow map all objects across
multiple ou's to a single ou. Something along the lines of : all
objects in ou=Department1,dc=example,dc=com +
ou=Department2,dc=example,dc=com + ou=Department3,dc=example,dc=com to
be linked to ou=Everyone,dc=example,dc=com. If something like that
were in place, new users created in Department3 could be authenticated
with cn=username,ou=Everyone,dc=example,dc=com. All modules designed
to check authentication would not need to bind first to search the
directory for the full dn.
I've seen references to aliasing, but that applies only to a single
object, and also mentions of mapping, but I can't tell if that would
do what I expect it to do.
Has anyone else built something similar? Can what I explain even be
done with OpenLDAP? What should I be looking in to for direction on
setting this up?
Thanks in advance