Thanks for the direction. It seems as though authz-regexp might be
exactly what I'm looking for.
On Mon, Jan 31, 2011 at 2:19 PM, Dan White wrote:
It depends on the software doing the authentication. Could you
what your environment might look like?:
Environment consists of Linux apps, OpenVPN, Postfix/Courier, PAM
(for SSH), and a custom PHP application.
Will there be client software which performs the LDAP
directly to the LDAP server?
Can you support SASL binds in your environment?
I was under the impression that most all the software would be
attempting to authenticate directly with the LDAP server (my
understanding of SASL may be a bit unclear). I'm pretty sure the
Linux apps listed above can use SASL. I will need to research SASL
connections a bit more before deciding if that's what I need or not.
Are you developing that software, or will you be using existing
Existing software, PHP and OpenVPN have prebuilt libraries for
authenticating LDAP, etc.
In the parts of our network that allow us to perform SASL
such as Postfix/Cyrus/PHP that link against Cyrus SASL, we use Kerberos
authentication (or EXTERNAL over ldapi:///), along with the ldapdb auxprop
plugin, which does not require storing passwords in config files.
This sounds like what I need, will research this.
For 'unifying' your different OUs, you could specify a 'sub' scope which
encompasses all your OUs. For example, if you were configuring an
authz-regexp, you could do:
This also sounds like what I need, will
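
The 'sub'-scope authz-regexp mapping discussed in this thread, modelled offline as an added example (it is not part of the original messages and is not OpenLDAP code). The `dc=example,dc=com` suffix, the OU names, the sample users and the helper function names are all assumptions made for illustration.

```python
import re

# Constructed sample directory with users spread across several OUs.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=contractors,dc=example,dc=com": {"uid": "bob"},
    "uid=carol,ou=staff,dc=example,dc=com": {"uid": "carol"},
    "uid=carol,ou=vpn,dc=example,dc=com": {"uid": "carol"},
}

# Rule being modelled, as it would be written in slapd.conf (assumed suffix):
#   authz-regexp uid=([^,]*),cn=[^,]*,cn=auth
#                ldap:///dc=example,dc=com??sub?(uid=$1)
MATCH = r"uid=([^,]*),cn=[^,]*,cn=auth"
REPLACE = "ldap:///dc=example,dc=com??sub?(uid=$1)"


def rewrite(sasl_dn):
    """Turn a SASL authentication DN into a search URL, or None if no match."""
    # Simplification in this model: the pattern must match the whole DN.
    m = re.fullmatch(MATCH, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), REPLACE)


def search_sub(url):
    """Evaluate ldap:///base??sub?(attr=value) against DIRECTORY."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?")
    if scope != "sub":
        raise ValueError("this model only handles the 'sub' scope")
    attr, value = flt.strip("()").split("=", 1)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.endswith("," + base) and entry.get(attr) == value)


def map_identity(sasl_dn):
    """Return the directory DN the identity maps to, else the DN unchanged."""
    url = rewrite(sasl_dn)
    if url is None:
        return sasl_dn
    hits = search_sub(url)
    # A search-style mapping is only accepted when exactly one entry matches.
    return hits[0] if len(hits) == 1 else sasl_dn


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        dn = f"uid={user},cn=gssapi,cn=auth"
        print(dn, "->", map_identity(dn))
```

In the sample data `carol` exists under two OUs, so her identity stays unmapped: a single 'sub' search across all OUs depends on `uid` being unique under the search base.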