You might be able to get some ideas from here: http://mailman.mit.edu/pipermail/kerberos/2011-January/016989.html You should bear in mind that ultimately you're going to have some sort of "password" stored in a file somewhere on the client machine - whether it be a Kerberos keytab, or the private key for a TLS certificate, or something else. Anyone who has root on the client box will be able to use those credentials. (Or, if you don't store it in the filesystem, you'll have to prompt the user to type it in every time the system starts up)
When you realise this, perhaps a fixed bindDN+password doesn't seem so bad after all. You only need to grant it just enough access to do searches to map username to DN, after all.
I think I may end up just storing a name+password on workstations that need any kind of search access to the directory. But if I can get authz-regexp working I may not need to store passwords on anything.
I'm having a lot of trouble just getting a basic regexp example working though. I don't have any kind of slapd.conf set up, so I'm injecting the updates through ldapmodify. Here's what I've tried:

    # ldapmodify -Y EXTERNAL -H ldapi:///
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn: cn=config
    add: olcAuthzRegexp
    olcAuthzRegexp: uid=jrambo,ou=users,dc=example,dc=com uid=jrambo,ou=it,ou=users,dc=example,dc=com

    modifying entry "cn=config"
    # ldapsearch -x -H "ldap://voss.worleyco.com/" -b "dc=worleyco,dc=com" -D "uid=jrambo,ou=Users,dc=example,dc=com" -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
I'm assuming that with the above instruction, requests to bind with uid=jrambo,ou=users,dc=example,dc=com should translate to uid=jrambo,ou=it,ou=users,dc=example,dc=com, but it doesn't appear to be working for me. Am I missing something simple? I've restarted slapd, verified that the object exists, that the credentials are valid, etc.
    # rambo, IT, Users, example.com
    dn: uid=jrambo,ou=IT,ou=Users,dc=example,dc=com
    uid: jrambo
    objectClass: account
    objectClass: posixAccount
    cn: jrambo
    loginShell: /bin/bash
    homeDirectory: /home/jrambo
    uidNumber: 10000
    gidNumber: 548
-Joe
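Added example (not part of the thread, and not OpenLDAP code): a small Python model of what slapd's authz-regexp (olcAuthzRegexp) actually does, for readers trying to get a first rule working. slapd applies these rules only to the SASL authentication DN it synthesises for a SASL bind, of the form uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth (or the gidNumber=...,cn=peercred,cn=external,cn=auth identity printed by ldapmodify -Y EXTERNAL above); a simple bind such as ldapsearch -x -D "uid=..." never goes through this mapping. Each rule is "<regex> <replacement>", tried in order, matched case-insensitively, with $0..$9 expanded from the regex groups; if the replacement is an ldap:/// URL, slapd runs that search internally and the mapping succeeds only when exactly one entry comes back. The rules, the admin DN, the realm EXAMPLE.COM and the directory contents below are constructed for the example; only single equality filters are implemented.

```python
import re

# Constructed rules in olcAuthzRegexp form: (regex over the SASL authc DN, replacement).
AUTHZ_REGEXP_RULES = [
    # Root over ldapi:// (SASL EXTERNAL) -> hypothetical admin entry.
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=admin,dc=example,dc=com"),
    # GSSAPI principals in realm EXAMPLE.COM (assumed) -> look the uid up anywhere
    # under ou=Users, so ou=IT / ou=Sales etc. need not be spelled out.
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$",
     "ldap:///ou=Users,dc=example,dc=com??sub?(uid=$1)"),
]

# Constructed stand-in for the DIT: DN -> attributes.
DIRECTORY = {
    "uid=jrambo,ou=IT,ou=Users,dc=example,dc=com":  {"uid": ["jrambo"]},
    "uid=jdoe,ou=Sales,ou=Users,dc=example,dc=com": {"uid": ["jdoe"]},
    "uid=jdoe,ou=Guests,dc=example,dc=com":         {"uid": ["jdoe"]},  # outside the base
    "uid=dup,ou=IT,ou=Users,dc=example,dc=com":     {"uid": ["dup"]},   # ambiguous pair
    "uid=dup,ou=Sales,ou=Users,dc=example,dc=com":  {"uid": ["dup"]},
}


def norm_dn(dn):
    """Lower-case and trim RDN separators (the samples contain no escaped commas)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def apply_rules(authc_dn, rules=AUTHZ_REGEXP_RULES):
    """First matching rule wins; slapd compiles the regex with REG_ICASE."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            def expand(g, m=m):
                n = int(g.group(1))
                return m.group(n) if n <= m.re.groups else ""
            return re.sub(r"\$(\d)", expand, replacement)
    return None


def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    depth = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or depth == 1


def search(url, directory=DIRECTORY):
    """Evaluate a minimal ldap:///base?attrs?scope?filter URL; equality filters only."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are supported")
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?", 3) + [""] * 4)[:4]
    scope = scope or "base"  # RFC 4516 default
    m = re.fullmatch(r"\(([^=()]+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    hits = []
    for dn, attrs in directory.items():
        if not in_scope(dn, base, scope):
            continue
        vals = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
        if value in vals:
            hits.append(dn)
    return hits


def map_authc_dn(authc_dn, rules=AUTHZ_REGEXP_RULES, directory=DIRECTORY):
    """Authorization DN slapd would use, or None (no rule, or not exactly one hit)."""
    target = apply_rules(authc_dn, rules)
    if target is None:
        return None
    if not target.lower().startswith("ldap:///"):
        return target
    hits = search(target, directory)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for ident in [
        "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
        "uid=jrambo,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
        "uid=jdoe,cn=example.com,cn=gssapi,cn=auth",
        "uid=dup,cn=example.com,cn=gssapi,cn=auth",      # two entries: mapping fails
        "uid=nobody,cn=example.com,cn=gssapi,cn=auth",   # no entry: mapping fails
        "uid=jrambo,ou=users,dc=example,dc=com",         # a simple-bind DN, not a SASL identity
    ]:
        print("%-58s -> %s" % (ident, map_authc_dn(ident)))
```

The last input is the DN from the ldapsearch -D attempt above; it is not of the cn=auth form, so no rule matches it here, and on a real slapd a simple bind is authenticated directly against that DN's userPassword without consulting authz-regexp at all. To test a mapping on a live server, bind with the SASL mechanism in question (for instance ldapwhoami -Y GSSAPI) and compare the returned DN with the entry you expect.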