On 31/01/11 10:35 -0600, Joe Comeaux wrote:
I'm trying to design an environment that does not allow anonymous binds, and the users that require authentication reside across multiple OUs. It seems common practice among authentication modules to take a cn, bind anonymously to scan for the full dn, and then check the password with the full dn to authenticate. What I'd like to avoid is the anonymous bind, or storing a name and password with read access to bind, to increase security.
It depends on the software doing the authentication. Could you elaborate on what your environment might look like?
Will there be client software which performs the LDAP authentication directly to the LDAP server?
Are you developing that software, or will you be using existing software?
Can you support SASL binds in your environment?
In some parts of our network (like with FreeRADIUS), we don't have any other good option other than to stick a DN and password into its LDAP configuration.
In the parts of our network that allow us to perform SASL authentication, such as postfix/cyrus/php that link against cyrus sasl, we use Kerberos authentication (or EXTERNAL over ldapi:///), along with the ldapdb auxprop plugin, which does not require storing passwords in config files.
For 'unifying' your different OUs, you could specify a 'sub' scope which encompasses all your OUs. For example, if you were configuring an authz-regexp, you could do:
authz-regexp "uid=([^,]+),cn=([^,]+),cn=auth" ldap:///dc=example,dc=com??sub?(uid=$1)
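As an added illustration (not part of this thread or of OpenLDAP's code), the following Python models what slapd does with that authz-regexp line: the regexp rewrites the SASL identity into an ldap:/// search URL, and the sub-scope search resolves the uid across OUs server-side, so no client ever needs an anonymous or stored-credential bind to find the DN. The directory contents, the duplicate uid and the rule list are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample directory (not a real tree): one uid attribute, entries spread over two OUs.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=students,dc=example,dc=com": {"uid": "bob"},
    "uid=carol,ou=staff,dc=example,dc=com": {"uid": "carol"},     # duplicate uid on purpose
    "uid=carol,ou=students,dc=example,dc=com": {"uid": "carol"},  # -> ambiguous mapping
}

# The authz-regexp rule from the mail as a (pattern, replacement) pair; \1 is the SASL uid.
RULES = [
    (r"uid=([^,]+),cn=([^,]+),cn=auth", r"ldap:///dc=example,dc=com??sub?(uid=\1)"),
]

def sasl_dn_to_url(sasl_dn, rules=RULES):
    """authz-regexp semantics: the first rule whose pattern matches the SASL DN wins."""
    for pattern, repl in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return m.expand(repl)
    return None

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 layout) into base, scope, filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled in this example")
    parts = url[len("ldap:///"):].split("?") + [""] * 4
    base, _attrs, scope, flt = parts[:4]
    return unquote(base), scope or "base", flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """True if dn lies within the search scope rooted at base (case-insensitive compare)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    return dn == base or dn.endswith("," + base)  # "sub": base and everything below it

def resolve(sasl_dn, directory=DIRECTORY):
    """Return the one DN the SASL identity maps to; None if the search yields 0 or >1 entries."""
    url = sasl_dn_to_url(sasl_dn)
    if url is None:
        return None
    base, scope, flt = parse_ldap_url(url)
    m = re.fullmatch(r"\((\w+)=([^)]+)\)", flt)  # this example only handles simple equality filters
    attr, value = m.group(1), m.group(2).lower()
    hits = [dn for dn, entry in directory.items()
            if in_scope(dn, base, scope) and entry.get(attr, "").lower() == value]
    return hits[0] if len(hits) == 1 else None
```

The carol case shows the check that matters when OUs are merged under one sub-scope rule: slapd likewise rejects a mapping whose search does not return exactly one entry, so uids must be unique across all the OUs the rule covers.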