I'm trying to design an environment that does not allow anonymous
binds, and the users that require authentication reside across
multiple OUs. It seems common practice among authentication modules
to take a cn, bind anonymously to scan for the full dn, and then check
password with full dn to authenticate.
What I'd like to avoid is the anonymous bind, or storing a name and
password with read access to bind, to increase security.

I think what would be ideal is to somehow map all objects across
multiple OUs to a single OU. Something along the lines of: all
objects in ou=Department1,dc=example,dc=com +
ou=Department2,dc=example,dc=com + ou=Department3,dc=example,dc=com to
be linked to ou=Everyone,dc=example,dc=com. If something like that
were in place, new users created in Department3 could be authenticated
with cn=username,ou=Everyone,dc=example,dc=com. All modules designed
to check authentication would not need to bind first to search the
directory for the full dn.

I've seen references to aliasing, but that applies only to a single
object, and also mentions of mapping, but I can't tell if that would
do what I expect it to do.

Has anyone else built something similar? Can what I explain even be
done with OpenLDAP? What should I be looking into for direction on
setting this up?

Thanks in advance
-Joe Comeaux
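One way to close the anonymous-search gap the post describes, as an added slapd.conf fragment that is not from the original thread or the OpenLDAP project: anonymous binds are refused, every operation other than bind requires an authenticated session, and a dedicated lookup account (the DN cn=dnlookup,ou=Services,dc=example,dc=com is assumed here) can read only the entry and its naming attributes across all department OUs, so it can resolve a username to a full DN but can never read a userPassword. The client then binds as the resolved DN to verify the password.

```conf
# slapd.conf fragment (added example; the lookup DN below is assumed)

# Refuse explicit anonymous binds, and require an authenticated
# session before any operation other than the bind itself.
disallow bind_anon
require  authc

# userPassword: a simple bind is evaluated while the session is still
# anonymous, so "by anonymous auth" is what allows the bind to be
# checked at all. "auth" permits the password comparison only, never
# a read of the attribute.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The lookup account may resolve a name to a DN in every department OU
# (ou=Department1/2/3 all sit under this subtree) but sees only the
# naming attributes, not passwords or anything else in the entry.
access to dn.subtree="dc=example,dc=com" attrs=entry,uid,cn
    by dn.exact="cn=dnlookup,ou=Services,dc=example,dc=com" read
    by self read
    by * none

# Everything else: users may read their own entry; nobody else sees it.
access to *
    by self read
    by * none
```

With this in place the lookup credential stored in each authentication module is worth little to an attacker who obtains it: it can enumerate names and DNs, but it cannot read password hashes or modify anything.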
