[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL Authentication Pass-Trough on several LDAP directories

Hi all,

I searched in the mailing list archives but did not found any solution
for my problem. Here it is: I want to enable SASL passwords with
saslauthd but I have more than one LDAP directory as authentication
backend. So the goal is to delegate the authentication to a specific
directory depending on a user attribute.

I know this is not directly possible with saslauthd and OpenLDAP, as
OpenLDAP uses only one saslauthd socket, and saslauthd can use only
one LDAP directory as backend (several for failover, but all with the
same suffix, bind DN, etc.)

My idea was to add an OpenLDAP meta between saslauthd and the LDAP
backends, and use the domain part of the SASL credential to route the
LDAP request to the good LDAP directory. For example:
{SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2  would bind
to LDAP 2. As the domain part can be used in saslauthd configuration
for the LDAP filter or the LDAP search base, we can maybe have this
configuration in saslauthd.conf :

ldap_search_base: ou=%d,dc=example,dc=com
ldap_filter: uid=%U

And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com
and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.

Has everyone ever tried something like this? Do you have other suggestions?

Thanks for your help,