[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL passthrough - multiple domains

I have a working configuration with pass-through auth to an AD domain using saslauthd.

However now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms, no matter what hoops one jumps through it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file.

Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf.

My final idea was to run an LDAP instance per realm, each talking to the separate saslauthd daemons, and have another outward facing LDAP service with these as the backends but that's a non starter too because there's no way of specifying the sasl slapd.conf file, it seems sasl always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at).

But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up an solution that I can find.

Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                 http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom