
Re: same objects in multiple ou?

Thanks for the direction. It seems as though authz-regexp might be
exactly what I'm looking for.

On Mon, Jan 31, 2011 at 2:19 PM, Dan White wrote:
> It depends on the software doing the authentication. Could you elaborate on
> what your environment might look like?

Environment consists of Linux apps, OpenVPN, Postfix/Courier, PAM (for
SSH), and a custom PHP application.

>  Will there be client software which performs the LDAP authentication
>  directly to the LDAP server?
>  Can you support SASL binds in your environment?

I was under the impression that most all the software would be
attempting to authenticate directly with the LDAP server (my
understanding of SASL may be a bit unclear). I'm pretty sure the
Linux apps listed above can use SASL. I will need to research SASL
connections a bit more before deciding if that's what I need or not.

>  Are you developing that software, or will you be using existing software?
Existing software; PHP and OpenVPN have pre-built libraries for
authenticating against LDAP, etc.

> In the parts of our network that allow us to perform SASL authentication,
> such as postfix/cyrus/php that link against cyrus sasl, we use Kerberos
> authentication (or EXTERNAL over ldapi:///), along with the ldapdb auxprop
> plugin, which does not require storing passwords in config files.
This sounds like what I need; I will research this.

> For 'unifying' your different OUs, you could specify a 'sub' scope which
> encompasses all your OUs. For example, if you were configuring a
> authz-regexp, you could do:
> authz-regexp
>  "uid=([^,]+),cn=([^,]+),cn=auth"
>  ldap:///dc=example,dc=com??sub?(uid=$1)
This also sounds like what I need; I will research this.

Thanks again
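As an added illustration (not part of this thread and not OpenLDAP's own code) of how the quoted authz-regexp maps a SASL identity to a DN by searching with 'sub' scope across several OUs: the sample directory is constructed, and the assumption that the pattern must match the whole SASL DN is a simplification of slapd's matching. slapd accepts the mapping only when the URL search returns exactly one entry, so a uid duplicated in two OUs fails closed.

```python
import re

# Constructed sample directory (not real data): "alice" exists in two OUs,
# which is exactly the ambiguity a sub-scope search can run into.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=alice,ou=contractors,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob"},
    "uid=carol,ou=people,dc=example,dc=org": {"uid": "carol"},
}

# The authz-regexp pair quoted in the thread: SASL identity -> LDAP URL.
AUTHZ_PATTERN = r"uid=([^,]+),cn=([^,]+),cn=auth"
AUTHZ_TEMPLATE = "ldap:///dc=example,dc=com??sub?(uid=$1)"

def expand_template(template, match):
    """Replace $1, $2, ... with the regexp's capture groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)

def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> into (base, scope, filter)."""
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?")
    return base, scope or "base", filt

def search(base, scope, filt):
    """Minimal search: equality filter (attr=value) under base with the given scope."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue  # outside the search base
        rdns_below_base = dn[: -len(base) - 1].count(",") + 1
        if scope == "one" and rdns_below_base != 1:
            continue  # 'one' sees only direct children; 'sub' sees every depth
        if attrs.get(attr) == value:
            hits.append(dn)
    return hits

def map_sasl_identity(sasl_dn):
    """Return the authorization DN, or None where slapd would refuse the mapping.
    slapd requires the URL search to return exactly one entry; zero or several fail.
    Assumption (simplification): the pattern is matched against the whole SASL DN."""
    m = re.fullmatch(AUTHZ_PATTERN, sasl_dn)
    if not m:
        return None
    hits = search(*parse_ldap_url(expand_template(AUTHZ_TEMPLATE, m)))
    return hits[0] if len(hits) == 1 else None
```

With scope 'one' instead of 'sub' the same search finds nobody, because the entries sit one level deeper under their OUs; with 'sub', a uid present in two OUs yields two entries and the bind is refused rather than mapped to an arbitrary one.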