Thanks for the direction. It seems as though authz-regexp might be exactly what I'm looking for.
On Mon, Jan 31, 2011 at 2:19 PM, Dan White wrote:
It depends on the software doing the authentication. Could you elaborate on what your environment might look like?
Environment consists of Linux apps, OpenVPN, Postfix/Courier, PAM (for SSH), and a custom PHP application.
Will there be client software which performs the LDAP authentication directly to the LDAP server? Can you support SASL binds in your environment?
I was under the impression that most all the software would be attempting to authenticate directly with the LDAP server (my understanding of SASL may be a bit unclear). I'm pretty sure the Linux apps listed above can use SASL. I will need to research SASL connections a bit more before deciding if that's what I need or not.
Are you developing that software, or will you be using existing software?
Existing software. PHP and OpenVPN have pre-built libraries for authenticating against LDAP, etc.
In the parts of our network that allow us to perform SASL authentication, such as Postfix/Cyrus/PHP that link against Cyrus SASL, we use Kerberos authentication (or EXTERNAL over ldapi:///), along with the ldapdb auxprop plugin, which does not require storing passwords in config files.
This sounds like what I need; I will research this.
For 'unifying' your different OUs, you could specify a 'sub' scope which encompasses all your OUs. For example, if you were configuring an authz-regexp, you could do:
authz-regexp "uid=([^,]+),cn=([^,]+),cn=auth" ldap:///dc=example,dc=com??sub?(uid=$1)
This also sounds like what I need; I will research this.
Thanks again,
-Joe
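An added illustration (not code from the thread or from OpenLDAP) of what the authz-regexp above does: the SASL authentication DN is rewritten into a sub-scope search URL, and the mapping only succeeds when that search returns exactly one entry, which is the caveat to watch when the same uid exists in more than one OU. The directory contents, the case-insensitive matching, and the simulated search are all constructed assumptions here.

```python
import re

# Constructed, hypothetical directory with users spread across several OUs.
DIRECTORY = {
    "uid=joe,ou=staff,dc=example,dc=com": {"uid": "joe"},
    "uid=ann,ou=vpn,dc=example,dc=com": {"uid": "ann"},
    "uid=bob,ou=staff,dc=example,dc=com": {"uid": "bob"},
    "uid=bob,ou=contractors,dc=example,dc=com": {"uid": "bob"},  # duplicate uid
}

# The authz-regexp from the thread: SASL authentication DN -> search URL.
AUTHZ_MATCH = r"uid=([^,]+),cn=([^,]+),cn=auth"
AUTHZ_REPLACE = "ldap:///dc=example,dc=com??sub?(uid=$1)"


def rewrite(sasl_dn):
    """Apply the authz-regexp; return the LDAP URL, or None if it does not match."""
    # Assumption for this simulation: the pattern is matched case-insensitively.
    m = re.search(AUTHZ_MATCH, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    url = AUTHZ_REPLACE
    for i, group in enumerate(m.groups(), start=1):
        url = url.replace(f"${i}", group)  # substitute $1, $2, ...
    return url


def search(url):
    """Evaluate the tiny subset of LDAP URLs used here: base??sub?(uid=X)."""
    m = re.fullmatch(r"ldap:///([^?]+)\?\?sub\?\(uid=([^)]+)\)", url)
    base, uid = m.group(1), m.group(2)
    # 'sub' scope: every entry under the base, regardless of which OU it lives in.
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and attrs.get("uid") == uid]


def map_identity(sasl_dn):
    """Return the mapped DN, or None when the search yields zero or several entries."""
    url = rewrite(sasl_dn)
    if url is None:
        return None
    hits = search(url)
    return hits[0] if len(hits) == 1 else None
```

Running `map_identity("uid=bob,cn=GSSAPI,cn=auth")` returns None because two entries share that uid, so a uid must be unique across all the OUs the sub-scope search covers.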