[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP as proxy for another LDAP-Server

On Thu, May 15, 2008 at 11:58:28AM -0600, Philip Guenther wrote:

> How about by using saslauthd?  Configure the users that need pass-through 
> authentication with userPassword values in the form "{SASL}user@domain", 
> put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure 
> saslauthd to authenticate against the backend server.  That gives you both 
> complete control over who gets passed through (only those with the {SASL} 
> format) and complete flexibility in the mapping of frontend users to 
> backend users (by tweaking the "user@domain" in each user's userPassword 
> attribute).

That does look like the best solution so far, thank you.

Odd that such a useful feature is not mentioned in the docs at all. It
is a bit tricky to set up due to the interactions with Cyrus SASL, but
I now have it running so I will write a section for the Admin Guide
explaining how to do it.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |