Hi all,
I searched in the mailing list archives but did not find any solution for my problem. Here it is: I want to enable SASL passwords with saslauthd but I have more than one LDAP directory as authentication backend. So the goal is to delegate the authentication to a specific directory depending on a user attribute.
I know this is not directly possible with saslauthd and OpenLDAP, as OpenLDAP uses only one saslauthd socket, and saslauthd can use only one LDAP directory as backend (several for failover, but all with the same suffix, bind DN, etc.).
My idea was to add an OpenLDAP meta between saslauthd and the LDAP backends, and use the domain part of the SASL credential to route the LDAP request to the right LDAP directory. For example: {SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2 would bind to LDAP 2. As the domain part can be used in saslauthd configuration for the LDAP filter or the LDAP search base, we can maybe have this configuration in saslauthd.conf:

    ldap_search_base: ou=%d,dc=example,dc=com
    ldap_filter: uid=%U

And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
Has anyone ever tried something like this? Do you have other suggestions?
Thanks for your help,
Clément.
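A concrete version of the saslauthd.conf and back-meta layout sketched in the message above, added here as an example; it is neither configuration from the message nor from the linked how-to. Hostnames, the saslauthd search account, the meta rootdn and the target directories' real naming contexts (dc=ldap1,dc=org and dc=ldap2,dc=org) are placeholders, and the idassert-bind lines assume the target directories do not allow anonymous uid lookups. It also assumes the realm reaches saslauthd as part of the login so that %d is populated (saslauthd's -r option recombines login and realm); check that on the actual installation.

```conf
# --- /etc/saslauthd.conf (added example; hostnames and credentials are placeholders) ---
# saslauthd talks only to the OpenLDAP meta proxy, never to a directory directly.
ldap_servers: ldap://meta.example.com/
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca.pem
# This account is used only for the uid lookup. The user's password is then
# verified by binding as the DN the search returned (ldap_auth_method defaults to bind),
# so the target directory still takes the accept/reject decision.
ldap_bind_dn: cn=saslauthd,dc=example,dc=com
ldap_bind_pw: PLACEHOLDER_SEARCH_PASSWORD
# %U = part of the login before '@', %d = part after it (the directory selector).
ldap_search_base: ou=%d,dc=example,dc=com
ldap_filter: uid=%U

# --- slapd.conf on the meta host (added example; target suffixes are placeholders) ---
moduleload back_meta          # only if back-meta was built as a module
database meta
suffix "dc=example,dc=com"
# saslauthd binds as the rootdn; that bind is checked locally by slapd.
rootdn "cn=saslauthd,dc=example,dc=com"
rootpw PLACEHOLDER_SEARCH_PASSWORD

# Everything under ou=LDAP1,... goes to the first directory. suffixmassage rewrites
# the DN suffix to that directory's real naming context on the way in and back on the way out,
# so the DN returned by the search binds correctly through the proxy.
uri "ldaps://ldap1.example.com/ou=LDAP1,dc=example,dc=com"
suffixmassage "ou=LDAP1,dc=example,dc=com" "dc=ldap1,dc=org"
# Identity the proxy uses for the search when the client bound as the rootdn (assumption:
# the target does not allow anonymous uid lookups). mode=none: no proxy authorization asserted.
idassert-bind bindmethod=simple binddn="cn=proxy,dc=ldap1,dc=org" credentials="PLACEHOLDER_1" mode=none

uri "ldaps://ldap2.example.com/ou=LDAP2,dc=example,dc=com"
suffixmassage "ou=LDAP2,dc=example,dc=com" "dc=ldap2,dc=org"
idassert-bind bindmethod=simple binddn="cn=proxy,dc=ldap2,dc=org" credentials="PLACEHOLDER_2" mode=none
```

Two points worth keeping in mind with this layout: the user's plaintext password now crosses two hops (saslauthd to the meta, meta to the target), so both legs need TLS as above; and because the final simple bind is proxied rather than re-implemented, each target directory keeps applying its own password policy and lockout, which is what you want from a delegation setup. The search account needs nothing more than read on uid under each target.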
On 22 August 2011 15:11, Clément OUDOT clem.oudot@gmail.com wrote:
> Hi all,
> I searched in the mailing list archives but did not find any solution for my problem. Here it is: I want to enable SASL passwords with saslauthd but I have more than one LDAP directory as authentication backend. So the goal is to delegate the authentication to a specific directory depending on a user attribute.
> I know this is not directly possible with saslauthd and OpenLDAP, as OpenLDAP uses only one saslauthd socket, and saslauthd can use only one LDAP directory as backend (several for failover, but all with the same suffix, bind DN, etc.).
> My idea was to add an OpenLDAP meta between saslauthd and the LDAP backends, and use the domain part of the SASL credential to route the LDAP request to the right LDAP directory. For example: {SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2 would bind to LDAP 2. As the domain part can be used in saslauthd configuration for the LDAP filter or the LDAP search base, we can maybe have this configuration in saslauthd.conf:
>
>     ldap_search_base: ou=%d,dc=example,dc=com
>     ldap_filter: uid=%U
>
> And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
> Has anyone ever tried something like this? Do you have other suggestions?
Hi,
for those who are interested, I tested the above solution and it works. A little how-to can be found here: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Hope it helps,
Clément.