
Re: SASL Authentication Pass-Through on several LDAP directories



On 22 August 2011 15:11, Clément OUDOT <clem.oudot@gmail.com> wrote:
> Hi all,
>
> I searched in the mailing list archives but did not find any solution
> for my problem. Here it is: I want to enable SASL passwords with
> saslauthd but I have more than one LDAP directory as authentication
> backend. So the goal is to delegate the authentication to a specific
> directory depending on a user attribute.
>
> I know this is not directly possible with saslauthd and OpenLDAP, as
> OpenLDAP uses only one saslauthd socket, and saslauthd can use only
> one LDAP directory as backend (several for failover, but all with the
> same suffix, bind DN, etc.)
>
> My idea was to add an OpenLDAP meta between saslauthd and the LDAP
> backends, and use the domain part of the SASL credential to route the
> LDAP request to the good LDAP directory. For example:
> {SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2 would bind
> to LDAP 2. As the domain part can be used in saslauthd configuration
> for the LDAP filter or the LDAP search base, we can maybe have this
> configuration in saslauthd.conf :
>
> ldap_search_base: ou=%d,dc=example,dc=com
> ldap_filter: uid=%U
>
> And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com
> and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
>
> Has everyone ever tried something like this? Do you have other suggestions?
>

Hi,

for those who are interested, I tested the above solution and it works. A
little how-to can be found here:
http://ltb-project.org/wiki/documentation/general/sasl_delegation

Hope it helps,

Clément.
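An added illustration of the delegation setup described in the thread (not the configuration from the linked how-to nor from the poster): saslauthd searches a local back-meta instance, and the meta database rewrites the per-directory ou= branch onto each target directory's real suffix. The listening port, host names and target suffixes are assumed placeholders.

```conf
# --- saslauthd.conf (assumed values; %d = domain part of the SASL
#     credential, %U = user part, as in the thread's proposal) ---
ldap_servers: ldap://127.0.0.1:390/
ldap_auth_method: bind
ldap_search_base: ou=%d,dc=example,dc=com
ldap_filter: uid=%U
# Bind credentials used only for the search step; the user's password
# is then verified by re-binding as the entry that was found.
ldap_bind_dn: cn=saslauthd,dc=example,dc=com
ldap_bind_pw: PLACEHOLDER_CHANGE_ME

# --- slapd.conf fragment for the routing instance listening on :390 ---
# One back-meta database; each "uri" declares a naming context and the
# target server, and "suffixmassage" maps the virtual branch to the
# real suffix of that directory.
database        meta
suffix          "dc=example,dc=com"
rootdn          "cn=saslauthd,dc=example,dc=com"
rootpw          PLACEHOLDER_CHANGE_ME

# alice@LDAP1 -> searched under ou=LDAP1,... -> forwarded to ldap1
uri             "ldap://ldap1.example.net/ou=LDAP1,dc=example,dc=com"
suffixmassage   "ou=LDAP1,dc=example,dc=com" "dc=ldap1,dc=net"

# bob@LDAP2 -> searched under ou=LDAP2,... -> forwarded to ldap2
uri             "ldap://ldap2.example.net/ou=LDAP2,dc=example,dc=com"
suffixmassage   "ou=LDAP2,dc=example,dc=com" "dc=ldap2,dc=net"
```

Because saslauthd re-binds as the found entry, the user's bind is also forwarded through the meta backend, so the actual password check still happens on the target directory; no password material needs to be stored on the routing instance.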