On Thu, May 15, 2008 at 11:58:28AM -0600, Philip Guenther wrote:
> How about by using saslauthd? Configure the users that need pass-through authentication with userPassword values in the form "{SASL}user@domain", put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure saslauthd to authenticate against the backend server. That gives you both complete control over who gets passed through (only those with the {SASL} format) and complete flexibility in the mapping of frontend users to backend users (by tweaking the "user@domain" in each user's userPassword attribute).
That does look like the best solution so far, thank you.
Odd that such a useful feature is not mentioned in the docs at all. It is a bit tricky to set up due to the interactions with Cyrus SASL, but I now have it running so I will write a section for the Admin Guide explaining how to do it.
Andrew
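An added example, not part of the original thread or of OpenLDAP: since only entries whose userPassword has the {SASL} form are passed through, an LDIF export of the directory can be audited to list exactly which frontend users are delegated and to which backend identity. The entries, DNs and function names below are constructed for illustration, and the scheme prefix is matched case-insensitively as a conservative assumption.

```python
import base64

# Constructed sample LDIF (not from the thread). Exports often base64-encode
# userPassword ("::") and fold long lines with a leading space.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: "
    + base64.b64encode(b"{SASL}alice@backend.example.com").decode() + "\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: {SSHA}constructed-hash-placeholder\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: {SASL}carol.jones@\n"
    " backend.example.com\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def passthrough_users(ldif):
    """Return {dn: 'user@domain'} for entries whose userPassword is {SASL}."""
    found, dn = {}, None
    for line in unfold(ldif):
        attr, sep, value = line.partition(":")
        if not sep:                      # blank line ends the current entry
            dn = None if not line.strip() else dn
            continue
        if value.startswith(":"):        # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword" and value[:6].upper() == "{SASL}":
            found[dn] = value[6:]        # the backend identity saslauthd checks
    return found

if __name__ == "__main__":
    for dn, backend_id in passthrough_users(SAMPLE_LDIF).items():
        print(f"{dn} -> {backend_id}")
```

Comparing this list against the set of accounts that are supposed to use pass-through shows any entry that delegates authentication unexpectedly or maps to the wrong backend user.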