same objects in multiple ou?

I'm trying to design an environment that does not allow anonymous
binds, and the users that require authentication reside across
multiple OUs. It seems common practice among authentication modules
to take a cn, bind anonymously to scan for the full dn, and then check
the password with the full dn to authenticate.
What I'd like to avoid is the anonymous bind, or storing a name and
password with read access to bind, to increase security.

I think what would be ideal is to somehow map all objects across
multiple OUs to a single ou. Something along the lines of: all
objects in ou=Department1,dc=example,dc=com +
ou=Department2,dc=example,dc=com + ou=Department3,dc=example,dc=com to
be linked to ou=Everyone,dc=example,dc=com. If something like that
were in place, new users created in Department3 could be authenticated
with cn=username,ou=Everyone,dc=example,dc=com. All modules designed
to check authentication would not need to bind first to search the
directory for the full dn.

I've seen references to aliasing, but that applies only to a single
object, and also mentions of mapping, but I can't tell if that would
do what I expect it to do.

Has anyone else built something similar? Can what I explain even be
done with OpenLDAP? What should I be looking into for direction on
setting this up?

Thanks in advance
-Joe Comeaux
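The search-then-bind flow described in the post has a defender-side middle ground between an anonymous search and a search account that can read the whole tree: a dedicated search account whose ACL grants only what the cn-to-dn lookup needs. The slapd.conf fragment below is an added example written for this thread, not configuration from the original post; the account name cn=authsearch,ou=Service,dc=example,dc=com, the ou=Service container and the three department OUs are assumptions chosen to match the poster's naming.

```text
# slapd.conf fragment (added example, not from the original post).
# Assumed account: cn=authsearch,ou=Service,dc=example,dc=com, used by
# authentication modules only to resolve a cn to its full dn.

# Refuse anonymous binds outright; a simple bind with a real DN and
# password is still allowed because "auth" access is checked below.
disallow bind_anon

# ACLs are evaluated in order, first match wins, so the password rule
# must come before the broader department rules.
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# The search account may see only the entry itself, its cn and its
# objectClass in the department OUs: enough to find the dn, not enough
# to enumerate mail, phone or group data.
access to dn.subtree="ou=Department1,dc=example,dc=com" attrs=entry,cn,objectClass
    by dn.exact="cn=authsearch,ou=Service,dc=example,dc=com" read
    by * none

access to dn.subtree="ou=Department2,dc=example,dc=com" attrs=entry,cn,objectClass
    by dn.exact="cn=authsearch,ou=Service,dc=example,dc=com" read
    by * none

access to dn.subtree="ou=Department3,dc=example,dc=com" attrs=entry,cn,objectClass
    by dn.exact="cn=authsearch,ou=Service,dc=example,dc=com" read
    by * none

# Everything else stays closed to the search account.
access to *
    by self read
    by * none
```

With this in place the stored search credential still exists, which is the trade-off the poster wants to avoid, but what it can do is limited to returning a dn for a cn; a leaked credential exposes entry names, not the attribute data or passwords of the directory. Check the effect with ldapsearch bound as the search account: a filter on cn should return the dn, while a request for other attributes should come back empty.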