2011/11/15 Liam Gretton <liam.gretton(a)leicester.ac.uk>:
I have a working configuration with pass-through auth to an AD domain.
However, now there is a requirement to be able to handle another domain too,
and I cannot work out how to do this. It seems that saslauthd cannot deal
with multiple Kerberos realms, no matter what hoops one jumps through it
eventually boils down to only using whatever 'default_realm' is set to in
the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way
(that I can work out) of getting OpenLDAP to use anything other than the
single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to the
separate saslauthd daemons, and have another outward facing LDAP service
with these as the backends, but that's a non-starter too because there's no
way of specifying the sasl slapd.conf file; it seems sasl always looks in
/etc/sasl2 for a file derived from the process name (a chroot environment
for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users
against multiple domains. I appreciate this is a SASL issue rather than a
problem with OpenLDAP, but I'm hoping that someone here has cracked this
already. Googling hasn't thrown up a solution that I can find.
I did not do it with Kerberos, but achieved it with LDAP behind
saslauthd. See this tutorial: