
sasl authentication using multiple realms



Dear all,

I've got OpenLDAP 2.3.19 installed on Fedora Core 5 via yum.
All the things I wanted to set up are working fine, even the
replication. But there is one thing I'm not able to get to work the way
I want it to: SASL authentication using different realms.

I want to be able to define two or more SASL realms which are then
translated into user information stored in different subtrees of
the DIT.

Here is what I did so far:


.
.
.
########################################################################
# SASL SETTINGS
########################################################################
sasl-realm mydomain.net
sasl-secprops none

######################
# test.mydomain.net
sasl-regexp
    UID=([^,].+),CN=test.mydomain.net,CN=digest-md5,CN=auth
    ldap:///ou=users,o=TEST,dc=cmydomain,dc=net??sub?(&(objectclass=inetOrgPerson)(uid=$1))

######################
# mydomain.net
sasl-regexp
    UID=([^,].+),CN=mydomain.net,CN=digest-md5,CN=auth
    ldap:///ou=users,o=MYDOMAIN,dc=mydomain,dc=net??sub?(&(objectclass=inetOrgPerson)(uid=$1))

######################
# catch all the rest to mydomain.net
sasl-regexp
    UID=([^,].+),CN=digest-md5,CN=auth
    ldap:///ou=users,o=MYDOM,dc=corproot,dc=net??sub?(&(objectclass=inetOrgPerson)(uid=$1))
.
.
.


Up to now I'm not even sure whether it is possible to do things like this at
all. Furthermore, I'm confused about the role of the sasl-realm
parameter. If I set it, e.g. to mydomain.net as above, all
authentication requests are mapped to mydomain.net. Even if I specify the
realm to use for authentication with the -R switch of tools like ldapsearch or
ldapwhoami, all requests get mapped to mydomain.net.

If I don't define the sasl-realm parameter, things do not work at all
(maybe the catch-all works, I'm not sure right now; I need to test it once
again).

My first question is whether this is possible in general, and
my second one, of course, is how to do it.

Can somebody help me with this, please?

Yours sincerely,

D. A. Schaefer
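The following is an added example, not the poster's configuration or OpenLDAP code: a small Python model of how slapd walks the sasl-regexp (authz-regexp) list for a SASL bind. It assumes, as slapd.conf(5) describes, that the authentication DN has the form uid=<user>,cn=<realm>,cn=<mech>,cn=auth with the cn=<realm> RDN present only when a realm is in effect, that rules are tried in configuration order with the first match winning, and that patterns are matched case-insensitively and unanchored (as with POSIX regexec). The three rules are a lowercased copy of the poster's directives; the last function shows why the catch-all rule must stay last, since its `[^,].+` capture would otherwise swallow the realm RDN.

```python
import re

# Constructed copy of the three sasl-regexp directives from the post,
# lowercased, in configuration order: (regex pattern, LDAP URL template).
RULES = [
    (r"uid=([^,].+),cn=test.mydomain.net,cn=digest-md5,cn=auth",
     "ldap:///ou=users,o=TEST,dc=cmydomain,dc=net??sub?(&(objectclass=inetOrgPerson)(uid=$1))"),
    (r"uid=([^,].+),cn=mydomain.net,cn=digest-md5,cn=auth",
     "ldap:///ou=users,o=MYDOMAIN,dc=mydomain,dc=net??sub?(&(objectclass=inetOrgPerson)(uid=$1))"),
    (r"uid=([^,].+),cn=digest-md5,cn=auth",
     "ldap:///ou=users,o=MYDOM,dc=corproot,dc=net??sub?(&(objectclass=inetOrgPerson)(uid=$1))"),
]


def sasl_auth_dn(uid, mech="digest-md5", realm=None):
    """Authentication DN slapd derives from a SASL bind (assumed form from
    slapd.conf(5)); the cn=<realm> RDN is omitted when no realm applies."""
    rdns = [f"uid={uid}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech}", "cn=auth"]
    return ",".join(rdns)


def expand(template, match):
    """Replace $1..$9 in the URL template with the captured groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def map_auth_dn(auth_dn, rules=RULES):
    """Apply the rules in order; the first pattern that matches wins.
    Returns (rule_index, expanded URL) or None when nothing matches."""
    for idx, (pattern, template) in enumerate(rules):
        m = re.search(pattern, auth_dn, re.IGNORECASE)  # unanchored, like regexec
        if m:
            return idx, expand(template, m)
    return None


def captured_uid(rule_index, auth_dn, rules=RULES):
    """What $1 would be if only the given rule were consulted: shows that the
    catch-all's [^,].+ capture also matches realm-qualified DNs and then
    runs across the comma, which is why it must be listed last."""
    m = re.search(rules[rule_index][0], auth_dn, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for realm in ("test.mydomain.net", "mydomain.net", None):
        print(realm, "->", map_auth_dn(sasl_auth_dn("joe", realm=realm)))
    print("catch-all alone captures:", captured_uid(2, sasl_auth_dn("joe", realm="mydomain.net")))
```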