[Date Prev][Date Next]
Re: SASL passthrough - multiple domains
- To: Liam Gretton <email@example.com>
- Subject: Re: SASL passthrough - multiple domains
- From: Clément OUDOT <firstname.lastname@example.org>
- Date: Tue, 15 Nov 2011 18:09:53 +0100
- Cc: OpenLDAP Technical <email@example.com>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ctZmINMJm9JRhuVAHkjgEmwBu9h98hKx93EgJwQeXSs=; b=mJyzzOATu67B58yxR6qCeZJs9DcrhxKpDpD/X3VkW8BI8eioGS1Cjtm3379gMj7z4y ReWc2KUdfZSyEbCUu6zM1bLxa+TYBxxHk3Cl81z19Fool5CKgobVibiTj65yorp0p4ss OL2Zm6SI0EcPRssdmnq3ui4TnBDLdsuN6WFm8=
- In-reply-to: <4EC29371.firstname.lastname@example.org>
- References: <4EC29371.email@example.com>
2011/11/15 Liam Gretton <firstname.lastname@example.org>:
> I have a working configuration with pass-through auth to an AD domain using
> However now there is a requirement to be able to handle another domain too,
> and I cannot work out how to do this. It seems that saslauthd cannot deal
> with multiple Kerberos realms, no matter what hoops one jumps through it
> eventually boils down to only using whatever 'default_realm' is set to in
> the krb5.conf file.
> Using multiple saslauthd daemons isn't possible either as there's no way
> (that I can work out) of getting OpenLDAP to use anything other than the
> single socket specified in /etc/sasl2/slapd.conf.
> My final idea was to run an LDAP instance per realm, each talking to the
> separate saslauthd daemons, and have another outward facing LDAP service
> with these as the backends but that's a non starter too because there's no
> way of specifying the sasl slapd.conf file, it seems sasl always looks in
> /etc/sasl2 for a file derived from the process name (a chroot environment
> for each LDAP server is therefore the next thing to look at).
> But this seems like a lot of work just to be able to authenticate users
> against multiple domains. I appreciate this is a SASL issue rather than a
> problem with OpenLDAP, but I'm hoping that someone here has cracked this
> already. Googling hasn't thrown up an solution that I can find.
I did not do it with Kerberos, but achieve it with LDAP behind
saslauthd. See this tutorial: