SASL Authentication Pass-Through on several LDAP directories
- To: openldap-technical@openldap.org
- Subject: SASL Authentication Pass-Through on several LDAP directories
- From: Clément OUDOT <clem.oudot@gmail.com>
- Date: Mon, 22 Aug 2011 15:11:20 +0200
Hi all,
I searched in the mailing list archives but did not find any solution
for my problem. Here it is: I want to enable SASL passwords with
saslauthd but I have more than one LDAP directory as authentication
backend. So the goal is to delegate the authentication to a specific
directory depending on a user attribute.
I know this is not directly possible with saslauthd and OpenLDAP, as
OpenLDAP uses only one saslauthd socket, and saslauthd can use only
one LDAP directory as backend (several for failover, but all with the
same suffix, bind DN, etc.)
My idea was to add an OpenLDAP meta between saslauthd and the LDAP
backends, and use the domain part of the SASL credential to route the
LDAP request to the right LDAP directory. For example:
{SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2 would bind
to LDAP 2. As the domain part can be used in saslauthd configuration
for the LDAP filter or the LDAP search base, we can maybe have this
configuration in saslauthd.conf:
ldap_search_base: ou=%d,dc=example,dc=com
ldap_filter: uid=%U
And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com
and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
Has anyone ever tried something like this? Do you have other suggestions?
Thanks for your help,
Clément.
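As an added illustration of the routing idea described in the post above (this is an example written for this page, not a configuration from the original message or from the OpenLDAP project), the two fragments below show how saslauthd and a back-meta slapd could be wired together. Hostnames, suffixes, the real naming contexts of the two target directories (dc=ldap1,dc=org and dc=ldap2,dc=org), the proxy accounts and all passwords are assumed placeholders. The key point it relies on is a documented back-meta behaviour: a target is selected by naming context, so the search saslauthd performs under ou=LDAP1,dc=example,dc=com and the subsequent bind as the returned DN (already rewritten by suffixmassage into the virtual suffix) are both forwarded to the same target.

```conf
# ---------------------------------------------------------------
# /etc/saslauthd.conf (assumed path) on the host running saslauthd
# ---------------------------------------------------------------
# saslauthd sees only the meta directory. %d is the domain part of the
# SASL login (LDAP1 for alice@LDAP1), %U the user part, so the search
# base selects the virtual subtree and the filter the user entry.
ldap_servers:     ldap://meta.example.com/
ldap_auth_method: bind
ldap_bind_dn:     cn=manager,dc=example,dc=com
ldap_password:    placeholder-manager-password
ldap_search_base: ou=%d,dc=example,dc=com
ldap_filter:      uid=%U

# ---------------------------------------------------------------
# slapd.conf of the meta server (back-meta)
# ---------------------------------------------------------------
moduleload  back_meta.la

database    meta
suffix      "dc=example,dc=com"
# saslauthd authenticates against this rootdn; the frontend checks rootpw
# locally, so no target is contacted for that bind.
rootdn      "cn=manager,dc=example,dc=com"
rootpw      placeholder-manager-password

# Target 1: the directory behind logins of the form user@LDAP1.
# The real naming context dc=ldap1,dc=org is exposed as ou=LDAP1,dc=example,dc=com.
uri             "ldap://ldap1.example.com/ou=LDAP1,dc=example,dc=com"
suffixmassage   "ou=LDAP1,dc=example,dc=com" "dc=ldap1,dc=org"
# Searches made by the meta rootdn are proxied with this identity on the
# target (the rootdn has no meaning there); placeholder account.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=ldap1,dc=org"
                credentials="placeholder-proxy1-password"
idassert-authzFrom "dn.exact:cn=manager,dc=example,dc=com"

# Target 2: the directory behind logins of the form user@LDAP2.
uri             "ldap://ldap2.example.com/ou=LDAP2,dc=example,dc=com"
suffixmassage   "ou=LDAP2,dc=example,dc=com" "dc=ldap2,dc=org"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=ldap2,dc=org"
                credentials="placeholder-proxy2-password"
idassert-authzFrom "dn.exact:cn=manager,dc=example,dc=com"
```

Flow for a bind with userPassword {SASL}alice@LDAP1 on the user-facing slapd (which needs pwcheck_method: saslauthd in its Cyrus SASL configuration): saslauthd searches base ou=LDAP1,dc=example,dc=com for uid=alice; back-meta forwards that search to ldap1.example.com under dc=ldap1,dc=org as cn=proxy and returns the entry DN massaged back into ou=LDAP1,dc=example,dc=com; saslauthd then binds as that DN with the user's password, and back-meta routes the bind to the same target by naming context. Two operational caveats worth checking on a real deployment: the idassert-bind proxy accounts must be allowed to read uid under the target suffixes (otherwise every lookup fails closed as "user not found"), and the ldap_password of saslauthd is the meta rootpw here, so the file must stay readable only by the saslauthd user.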