Jonathan and all,
Need your support: what should be the configuration of saslauthd.conf in
the case where I have a slapd.conf configuration in which I use a
back-meta to aggregate different hdb databases that are synchronized
against AD Domain Controllers?
Paulo
-----Original Message-----
From: Paulo Jorge N. Correia (paucorre)
Sent: Tuesday, November 16, 2010 7:01 PM
To: Jonathan Clarke; openldap-technical(a)openldap.org
Subject: RE: Pass-Through authentication
Jonathan,
I decided to follow both of the options, and test which one is better :)
1 - back-meta
2 - change the saslauthd from ldap to Kerberos
Regarding back-meta I need help :( In the slapd.conf I have a database
created for back-meta..... (strange thing is that it didn't work when
I created a separate conf file for each database, "include
/etc/openldap/slapd_domain1.conf"; it only works if I add all the
databases in the same file as shown below). Now what should I configure
in the saslauthd.conf file..... if I point ldap_servers at it, how does it
know which AD is associated with each user?
___________________________________________________________________________
[root@openam-ldap openldap]# more ../saslauthd.conf
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
____________________________________________________________________
[root@openam-ldap openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/openldap.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
sasl-host localhost
sasl-secprops none
database meta
suffix "dc=cisco,dc=com"
uri "ldap://localhost/ou=domain1,dc=cisco,dc=com"
suffixmassage "ou=domain1,dc=cisco,dc=com" "ou=domain1"
uri "ldap://localhost/ou=domain2,dc=cisco,dc=com"
suffixmassage "ou=domain2,dc=cisco,dc=com" "ou=domain2"
database hdb
suffix "ou=domain1"
directory "/var/lib/ldap/domain1"
rootdn "cn=admin,ou=domain1"
rootpw "Cisco,123"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
database hdb
suffix "ou=domain2"
directory "/var/lib/ldap/domain2"
rootdn "cn=admin,ou=domain2"
rootpw "Cisco,123"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
_______________________________________________________________
Thank you,
Paulo
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Jonathan Clarke
Sent: Monday, November 15, 2010 12:13 PM
To: openldap-technical(a)openldap.org
Subject: Re: Pass-Through authentication
On 14/11/10 18:29, Paulo Jorge N. Correia (paucorre) wrote:
Hi all,
I'm just starting with openLDAP and saslauth, and I'm trying to
replicate what I can achieve with ADAM/AD LDS in Windows platform.
I'm trying to use openldap to aggregate user information from several
AD servers under different forests.
So, a single point of contact from an LDAP perspective for an
organization, and then openldap should pass through the authentication
request that it receives to the AD DC of the respective user.
This works well with saslauthd for a single domain, but if I need
to do this with multiple domains, I don't know how to configure
saslauthd.
saslauthd can only launch one LDAP search to find a user and check his
password. So if you're using several AD domains, you need to be able to
perform a single search over all those domains: set up a back-meta with
all the AD forests under it, and point saslauthd at that.
Jonathan
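The configuration Jonathan describes, written out as an added example (not part of any message in this thread): the meta targets point at the AD domain controllers themselves rather than at local hdb copies, so the bind that saslauthd performs as the DN it found is forwarded to the DC whose subtree holds that DN, which is what answers the "which AD?" question. Hostnames, AD base DNs, the service accounts and all passwords are assumed placeholders; the idassert-bind directives are there because AD does not accept anonymous searches.

```conf
### slapd.conf (added example): one back-meta suffix over both AD forests.
### Hostnames, AD base DNs, service accounts and passwords are placeholders.
database        meta
suffix          "dc=cisco,dc=com"
# saslauthd binds as this rootdn; it is checked locally, never sent to AD
rootdn          "cn=admin,dc=cisco,dc=com"
rootpw          "<ASSUMED-ROOTPW>"

# Target 1: the domain1 forest appears under ou=domain1,dc=cisco,dc=com
uri             "ldap://dc1.domain1.example/ou=domain1,dc=cisco,dc=com"
suffixmassage   "ou=domain1,dc=cisco,dc=com" "dc=domain1,dc=example"
# AD refuses anonymous searches, so the search proxied for saslauthd is
# sent as a read-only service account of that forest (mode=none: no
# proxy-authorization control, which AD does not support)
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=domain1,dc=example"
                credentials="<ASSUMED-PASSWORD>"
                mode=none
idassert-authzFrom "dn.regex:.*"

# Target 2: the domain2 forest appears under ou=domain2,dc=cisco,dc=com
uri             "ldap://dc1.domain2.example/ou=domain2,dc=cisco,dc=com"
suffixmassage   "ou=domain2,dc=cisco,dc=com" "dc=domain2,dc=example"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=domain2,dc=example"
                credentials="<ASSUMED-PASSWORD>"
                mode=none
idassert-authzFrom "dn.regex:.*"

### saslauthd.conf (added example): a single search over the meta suffix.
### saslauthd finds the user's DN (under ou=domain1 or ou=domain2), then
### binds as that DN with the supplied password; back-meta forwards that
### bind to the target whose subtree holds the DN, i.e. the right AD DC.
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_scope: sub
# AD accounts are keyed by sAMAccountName, not uid
ldap_filter: sAMAccountName=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: <ASSUMED-ROOTPW>
ldap_auth_method: bind
ldap_version: 3
# Keep this file root-only (mode 0600): it holds a clear-text bind password
```

A user's account can then be checked end to end with `testsaslauthd -u <user> -p <password>` from the cyrus-sasl package; a failure at the search step (no DN found) and a failure at the bind step (wrong password or unreachable DC) show up separately in the saslauthd log.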