RE: Pass-Through authentication

["Paulo Jorge N. Correia (paucorre)" <paucorre@cisco.com>]

Johanathan,
I decide to follow both of the options, and test which one is better :)
:

1 - back-meta 
2 - change the saslauthd from ldap to Kerberos

Regarding back meta I need help :( In the slapd.conf I have an database
created for back-meta..... ( strange thing is that it didn't worked when
I create a separate conf file per each  database "include
/etc/openldap/slapd_domain1.conf", only working if I add all the
database in the same file as showed below ) 
No what should I configure in the saslauthd.conf file..... if I direct
ldap_servers how does it know which AD is associated with each user ?

________________________________________________________________________
___

[root@openam-ldap openldap]# more ../saslauthd.conf
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

____________________________________________________________________

[root@openam-ldap openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#


include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

sasl-host       localhost
sasl-secprops   none

database meta
suffix "dc=cisco,dc=com"

uri "ldap://localhost/ou=domain1,dc=cisco,dc=com";
suffixmassage "ou=domain1,dc=cisco,dc=com" "ou=domain1"

uri "ldap://localhost/ou=domain2,dc=cisco,dc=com";
suffixmassage "ou=domain2,dc=cisco,dc=com" "ou=domain2"

database        hdb
suffix "ou=domain1"
directory "/var/lib/ldap/domain1"
rootdn "cn=admin,ou=domain1"
rootpw "Cisco,123"

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid                               eq,pres,sub

database        hdb
suffix "ou=domain2"
directory "/var/lib/ldap/domain2"
rootdn "cn=admin,ou=domain2"
rootpw "Cisco,123"


index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uid                               eq,pres,sub
_______________________________________________________________


Thank you,
Paulo

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Jonathan
Clarke
Sent: Monday, November 15, 2010 12:13 PM
To: openldap-technical@openldap.org
Subject: Re: Pass-Through authentication

On 14/11/10 18:29, Paulo Jorge N. Correia (paucorre) wrote:
> Hi all,
> 
> I'm just starting with openLDAP and saslauth, and I'm trying to 
> replicate what I can achieve with ADAM/AD LDS in Windows platform.
> 
>  
> 
> I'm trying to use openldap to aggregate user information from several 
> AD servers under different forests.
> 
>  
> 
> So single point of contact from an LDAP perspective for an 
> organization, and then openldap should pass-through the authentication

> request that receives to the AD DC of the respective user.
> 
>  
> 
> This works well with /saslauthd /for a single domain/, but if I need 
> to do this with multiple domains, I don't know how to configure 
> saslauthd./

saslauthd can only launch one LDAP search to find a user and check his
password. So if you're using several AD domains, you need to be able to
perform a single search over all those domains : set up a back-meta with
all the AD forests under it, and point saslauthd at that.

Jonathan