[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL Authentication Pass-Trough on several LDAP directories

To: openldap-technical@openldap.org
Subject: Re: SASL Authentication Pass-Trough on several LDAP directories
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Fri, 26 Aug 2011 17:49:01 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=V3qa48coshp5kIWKQnvvJZtmFw77ysvQC8Cw+oDM7E0=; b=rM2iTOc3iLHko/cYqUJEUwUKKFOj/Gt3R7aH4KV0tsAhyg8LRwaxNMB/Z+VPSBj5Jp +EWHUIiTnrlit+bQ0Isb24baEGHJgIVt7U3Vfi6gdZGSMQG6+YtirOs3vuG6dVyGMdsM gFffQtnsRfo+MV2hDvpRHDvRgVUXqBPTHHgBg=
In-reply-to: <CAK_oV48Ou74r3t7dWoqO0keaHdFE+SyrKTSzDdase19WEXHL7A@mail.gmail.com>
References: <CAK_oV48Ou74r3t7dWoqO0keaHdFE+SyrKTSzDdase19WEXHL7A@mail.gmail.com>

Le 22 août 2011 15:11, Clément OUDOT <clem.oudot@gmail.com> a écrit :
> Hi all,
>
> I searched in the mailing list archives but did not found any solution
> for my problem. Here it is: I want to enable SASL passwords with
> saslauthd but I have more than one LDAP directory as authentication
> backend. So the goal is to delegate the authentication to a specific
> directory depending on a user attribute.
>
> I know this is not directly possible with saslauthd and OpenLDAP, as
> OpenLDAP uses only one saslauthd socket, and saslauthd can use only
> one LDAP directory as backend (several for failover, but all with the
> same suffix, bind DN, etc.)
>
> My idea was to add an OpenLDAP meta between saslauthd and the LDAP
> backends, and use the domain part of the SASL credential to route the
> LDAP request to the good LDAP directory. For example:
> {SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2  would bind
> to LDAP 2. As the domain part can be used in saslauthd configuration
> for the LDAP filter or the LDAP search base, we can maybe have this
> configuration in saslauthd.conf :
>
> ldap_search_base: ou=%d,dc=example,dc=com
> ldap_filter: uid=%U
>
> And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com
> and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
>
> Has everyone ever tried something like this? Do you have other suggestions?
>

Hi,

for those who are interested, I tested above solution and it works. A
little how-to can be found here:
http://ltb-project.org/wiki/documentation/general/sasl_delegation

Hope it helps,

Clément.

References:
- SASL Authentication Pass-Trough on several LDAP directories
  - From: Clément OUDOT <clem.oudot@gmail.com>

Prev by Date: Re: Memory Leak in slapd (or did I miss something configuring?)
Next by Date: Re: syncrepl consumer(with delta replication configuration) skipping updates
Index(es):
- Chronological
- Thread