I have a working configuration with pass-through auth to an AD domain using saslauthd.
However, now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms; no matter what hoops one jumps through, it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to a separate saslauthd daemon, and have another outward-facing LDAP service with these as the backends, but that's a non-starter too because there's no way of specifying the SASL slapd.conf file; it seems SASL always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up a solution that I can find.
2011/11/15 Liam Gretton liam.gretton@leicester.ac.uk:
Hello,
I did not do it with Kerberos, but achieved it with LDAP behind saslauthd. See this tutorial: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Clément.
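As an added illustration (not code from the thread or from the LTB tutorial) of why delegating to LDAP rather than Kerberos can discriminate between domains: slapd passes the realm to saslauthd as a separate field of the mux socket request, so an LDAP-backed saslauthd (started with -r, with %r in its ldap_filter) can look each user up in the right domain. The block below encodes and decodes that socket protocol, checks a request against an in-process stand-in for saslauthd that routes on the realm, and can send the same request to a live mux socket; the socket path, realm names and credential tables are assumptions constructed for the example.

```python
import hmac
import socket
import struct

MUX_PATH = "/var/run/saslauthd/mux"  # assumed default location of the saslauthd socket


def _field(value: str) -> bytes:
    """One saslauthd wire field: 2-byte big-endian length, then the bytes."""
    data = value.encode()
    return struct.pack("!H", len(data)) + data


def encode_request(user: str, password: str, service: str, realm: str) -> bytes:
    """A saslauthd request is four length-prefixed fields, in this order."""
    return _field(user) + _field(password) + _field(service) + _field(realm)


def decode_request(buf: bytes) -> dict:
    """Inverse of encode_request; rejects anything that is not exactly four fields."""
    fields = []
    while buf:
        (n,) = struct.unpack("!H", buf[:2])
        fields.append(buf[2:2 + n].decode())
        buf = buf[2 + n:]
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d" % len(fields))
    return dict(zip(("user", "password", "service", "realm"), fields))


def decode_reply(buf: bytes) -> bool:
    """The reply is one length-prefixed string starting with OK or NO."""
    (n,) = struct.unpack("!H", buf[:2])
    return buf[2:2 + n].decode().startswith("OK")


# Constructed per-realm credential tables standing in for two domains that the
# LDAP directory behind saslauthd would be queried for (user %u in realm %r).
REALMS = {"CORP-A.EXAMPLE": {"alice": "pw-a"}, "CORP-B.EXAMPLE": {"bob": "pw-b"}}


def fake_saslauthd(request: bytes) -> bytes:
    """Stand-in for saslauthd: the realm field selects which table is consulted."""
    req = decode_request(request)
    stored = REALMS.get(req["realm"], {}).get(req["user"], "")
    ok = bool(stored) and hmac.compare_digest(stored, req["password"])
    return _field("OK" if ok else "NO")


def check(user, password, realm, service="ldap", authenticator=fake_saslauthd) -> bool:
    """Round-trip one request through the given authenticator and decode the verdict."""
    return decode_reply(authenticator(encode_request(user, password, service, realm)))


def check_live(user, password, realm, service="ldap", path=MUX_PATH) -> bool:
    """Same request sent to a real saslauthd mux socket (what testsaslauthd does)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(encode_request(user, password, service, realm))
        return decode_reply(s.recv(1024))
```

check_live("bob", "pw-b", "CORP-B.EXAMPLE") against a real socket is a quick way to confirm the second domain works before touching slapd's {SASL} passwords.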
On 15/11/2011 17:09, Clément OUDOT wrote:
I did not do it with Kerberos, but achieve it with LDAP behind saslauthd. See this tutorial: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Perfect! Thanks. That's worked nicely.
As an aside, I've seen lots of debates here about the quality of the OpenLDAP documentation, as far as I'm concerned the documentation is fine but I'd love to see an O'Reilly 'OpenLDAP Cookbook'.
I did get approved to do one, but never moved on it. I still think there's a demand.
Howard, how's the Symas book going?
Gav.
-- Liam Gretton liam.gretton@le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom
Gavin Henry wrote:
As an aside, I've seen lots of debates here about the quality of the OpenLDAP documentation, as far as I'm concerned the documentation is fine but I'd love to see an O'Reilly 'OpenLDAP Cookbook'.
I did get approved to do one, but never moved on it. I still think there's a demand.
Howard, how's the Symas book going?
That's been on the backburner for a while. We've spent more time writing the code, which of course meant it was always changing so everything we wrote about it was already out of date.
Has SoC passed? Maybe we could get some funding for it?
Yes, SoC is gone!
On Wed, Jul 4, 2012 at 6:28 PM, Gavin Henry ghenry@suretecsystems.com wrote:
-- Kind Regards,
Gavin Henry. Managing Director.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Hello guys,
I can help on documentation in my spare time. I tried to submit a patch for ITS#6339 in the past, but I don't know why it was not accepted and I did not receive any feedback about it. Is there some TODO list for documentation?
Thanks, Matheus Morais.
On Wed, Jul 4, 2012 at 5:59 PM, Howard Chu hyc@symas.com wrote:
-- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On 04/07/2012 22:40, Gavin Henry wrote:
As an aside, I've seen lots of debates here about the quality of the OpenLDAP documentation, as far as I'm concerned the documentation is fine but I'd love to see an O'Reilly 'OpenLDAP Cookbook'.
For anyone reading French, I published such a cookbook some time ago in Linux Magazine (the French one): https://www.zarb.org/~guillomovitch/articles/openldap.pdf
Looks good. All the overlay stuff and replication we have covered I think, maybe not as much ACLs and no Posix things, also no Kerberos.
Thanks.