2011/11/15 Liam Gretton liam.gretton@leicester.ac.uk:
I have a working configuration with pass-through auth to an AD domain using saslauthd.
However now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms, no matter what hoops one jumps through it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to the separate saslauthd daemons, and have another outward facing LDAP service with these as the backends but that's a non starter too because there's no way of specifying the sasl slapd.conf file, it seems sasl always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up an solution that I can find.
Hello,
I did not do it with Kerberos, but achieve it with LDAP behind saslauthd. See this tutorial: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Clément.