
SASL passthrough - multiple domains



I have a working configuration with pass-through auth to an AD domain using saslauthd.

However, now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms; no matter what hoops one jumps through, it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file.

Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf.

My final idea was to run an LDAP instance per realm, each talking to a separate saslauthd daemon, and have another outward-facing LDAP service with these as the backends, but that's a non-starter too because there's no way of specifying the SASL slapd.conf file; it seems SASL always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at).

But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up a solution that I can find.

--
Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                 http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
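Added example, not part of Liam's message or of OpenLDAP/Cyrus SASL: a small Python client that speaks the saslauthd mux socket protocol directly, so that each saslauthd instance can be queried with an explicit realm field and the verdict inspected without going through slapd at all. The frame layout follows what testsaslauthd sends: four strings, each prefixed by a 16-bit big-endian length, in the order login, password, service, realm, answered by a single length-prefixed string beginning "OK" or "NO". The socket paths, usernames and realm names in main() are assumptions for illustration; the encode/decode helpers are what the example actually demonstrates.

```python
import socket
import struct

FIELDS = ("login", "password", "service", "realm")


def encode_request(login, password, service, realm):
    """Frame one saslauthd request: four length-prefixed UTF-8 strings.

    Every field is always sent, even when empty; an empty realm is a
    zero length with no payload, which is exactly what a client that
    has no realm to offer (e.g. a bare username) produces.
    """
    out = b""
    for field in (login, password, service, realm):
        data = field.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("saslauthd fields are limited to 65535 bytes")
        out += struct.pack("!H", len(data)) + data
    return out


def decode_request(buf):
    """Parse a framed request back into a dict of its four fields.

    Handy when checking what a real client (slapd, for instance) actually
    put on the wire, e.g. from an strace capture of the mux socket.
    """
    fields = []
    off = 0
    for _ in range(len(FIELDS)):
        if off + 2 > len(buf):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", buf, off)
        off += 2
        if off + n > len(buf):
            raise ValueError("truncated field")
        fields.append(buf[off:off + n].decode("utf-8"))
        off += n
    if off != len(buf):
        raise ValueError("trailing bytes after realm field")
    return dict(zip(FIELDS, fields))


def decode_response(buf):
    """Parse the reply (length-prefixed 'OK ...' or 'NO ...').

    Returns (authenticated, message). Anything that is not OK/NO is
    treated as a protocol error rather than silently as a failure.
    """
    if len(buf) < 2:
        raise ValueError("short response")
    (n,) = struct.unpack_from("!H", buf, 0)
    msg = buf[2:2 + n].decode("utf-8", errors="replace")
    if msg[:2] not in ("OK", "NO"):
        raise ValueError("unexpected saslauthd reply: %r" % msg)
    return msg.startswith("OK"), msg


def check_password(sock_path, login, password, service="ldap", realm=""):
    """Send one request to a saslauthd mux socket and return its verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(encode_request(login, password, service, realm))
        resp = b""
        # Read until the announced length has arrived (or the peer closes).
        while len(resp) < 2 or len(resp) < 2 + struct.unpack_from("!H", resp, 0)[0]:
            chunk = s.recv(1024)
            if not chunk:
                break
            resp += chunk
    return decode_response(resp)


def main():
    # Assumed paths and realms: one saslauthd per Kerberos realm, each
    # started with its own -m <socket dir>. Adjust to your deployment.
    targets = [
        ("/var/run/saslauthd-realm-a/mux", "REALM-A.EXAMPLE"),
        ("/var/run/saslauthd-realm-b/mux", "REALM-B.EXAMPLE"),
    ]
    user, pw = "alice", "correct-horse"
    for path, realm in targets:
        try:
            ok, msg = check_password(path, user, pw, "ldap", realm)
            print("%s realm=%s -> %s (%s)" % (path, realm, "OK" if ok else "NO", msg))
        except OSError as exc:
            print("%s: cannot reach saslauthd: %s" % (path, exc))


if __name__ == "__main__":
    main()
```

Running the same credentials against each daemon with the realm field set explicitly is a quick way to confirm what the post reports, namely whether a given saslauthd honours the realm it is handed or only its krb5.conf default_realm, before investing in per-instance chroots.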