[Date Prev][Date Next]
Re: same objects in multiple ou?
- To: Dan White <firstname.lastname@example.org>
- Subject: Re: same objects in multiple ou?
- From: Joe Comeaux <email@example.com>
- Date: Mon, 31 Jan 2011 16:04:15 -0600
- Cc: firstname.lastname@example.org
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=3Mc+s3fey3UBMzusPxWf4bBXxyxW3NEyZzqA7qp0DpA=; b=ifAD18RnE8puDsBTTkt7WWbVLX1v86w9LRdBwvyi3O+KUimkMHM11XnOSo4uZIeVmA tsLiRcdwogQ6cPV+Rr+0RYCnOMc0LFfAyZl6CPlz8sQAVGqjDlb8aj01LwDnWc6igkYD JlrySgM8pePBclnoAaUDGqANIad3EU3XEwhp4=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=CyRAqMrWNn0Tb3yIucuupZ72SJHJWJzrW/LXWSX8rTfXdKQioGg4kJ+Iir5mBZLl38 6RXUK1W7ugvlz9n0oK8oCj4o8HxA92dVH7clEWDf2TENWUv5S+wvpdvm2XhgNyEErOA7 P/uOj4B6M+PdpWhavWV2anJkyQXrdAV3mVGjg=
- In-reply-to: <20110131201949.GA5146@dan.olp.net>
- References: <AANLkTinty-Q09zqHbaEEQSyfu8iJgH0euF+tSEVbVg9y@mail.gmail.com> <20110131201949.GA5146@dan.olp.net>
Thanks for the direction. It seems as though authz-regexp might be
exactly what I'm looking for.
On Mon, Jan 31, 2011 at 2:19 PM, Dan White wrote:
> It depends on the software doing the authentication. Could you elaborate on
> what your environment might look like?:
Environment consists of linux apps, OpenVPN, Postfix/Courier, PAM (
for SSH ), and a custom PHP application.
> Will there be client software which performs the LDAP authentication
> directly to the LDAP server?
> Can you support SASL binds in your environment?
I was under the impression that most all the software would be
attempting to authenticate directly with the LDAP server ( my
understanding of SASL may be a bit unclear ). I'm pretty sure the
linux apps listed above can use SASL. I will need to research SASL
connections a bit more before deciding if that's what I need or not.
> Are you developing that software, or will you be using existing software?
Existing software, PHP and OpenVPN have pre built libraries for
authenticating LDAP, etc.
> In the parts of our network that allow us to perform SASL authentication,
> such as postfix/cyrus/php that link against cyrus sasl, we use Kerberos
> authentication (or EXTERNAL over ldapi:///), along with the ldapdb auxprop
> plugin, which does not require storing passwords in config files.
This sounds like what I need, will research this.
> For 'unifying' your different OUs, you could specify a 'sub' scope which
> encompasses all your OUs. For example, if you were configuring a
> authz-regexp, you could do:
This also sounds like what I need, will research this.