Re: SASL passthrough - multiple domains

[Clément OUDOT <clem.oudot@gmail.com>]

2011/11/15 Liam Gretton <liam.gretton@leicester.ac.uk>:
> I have a working configuration with pass-through auth to an AD domain using
> saslauthd.
>
> However now there is a requirement to be able to handle another domain too,
> and I cannot work out how to do this. It seems that saslauthd cannot deal
> with multiple Kerberos realms, no matter what hoops one jumps through it
> eventually boils down to only using whatever 'default_realm' is set to in
> the krb5.conf file.
>
> Using multiple saslauthd daemons isn't possible either as there's no way
> (that I can work out) of getting OpenLDAP to use anything other than the
> single socket specified in /etc/sasl2/slapd.conf.
>
> My final idea was to run an LDAP instance per realm, each talking to the
> separate saslauthd daemons, and have another outward facing LDAP service
> with these as the backends but that's a non starter too because there's no
> way of specifying the sasl slapd.conf file, it seems sasl always looks in
> /etc/sasl2 for a file derived from the process name (a chroot environment
> for each LDAP server is therefore the next thing to look at).
>
> But this seems like a lot of work just to be able to authenticate users
> against multiple domains. I appreciate this is a SASL issue rather than a
> problem with OpenLDAP, but I'm hoping that someone here has cracked this
> already. Googling hasn't thrown up an solution that I can find.

Hello,

I did not do it with Kerberos, but achieve it with LDAP behind
saslauthd. See this tutorial:
http://ltb-project.org/wiki/documentation/general/sasl_delegation

Clément.