2011/11/15 Liam Gretton <liam.gret...@leicester.ac.uk>:
> I have a working configuration with pass-through auth to an AD domain using
> saslauthd.
>
> However, now there is a requirement to be able to handle another domain too,
> and I cannot work out how to do this. It seems that saslauthd cannot deal
> with multiple Kerberos realms; no matter what hoops one jumps through, it
> eventually boils down to only using whatever 'default_realm' is set to in
> the krb5.conf file.
>
> Using multiple saslauthd daemons isn't possible either, as there's no way
> (that I can work out) of getting OpenLDAP to use anything other than the
> single socket specified in /etc/sasl2/slapd.conf.
>
> My final idea was to run an LDAP instance per realm, each talking to the
> separate saslauthd daemons, and have another outward-facing LDAP service
> with these as the backends, but that's a non-starter too because there's no
> way of specifying the sasl slapd.conf file; it seems sasl always looks in
> /etc/sasl2 for a file derived from the process name (a chroot environment
> for each LDAP server is therefore the next thing to look at).
>
> But this seems like a lot of work just to be able to authenticate users
> against multiple domains. I appreciate this is a SASL issue rather than a
> problem with OpenLDAP, but I'm hoping that someone here has cracked this
> already. Googling hasn't thrown up a solution that I can find.
Hello,

I did not do it with Kerberos, but achieved it with LDAP behind saslauthd.
See this tutorial: http://ltb-project.org/wiki/documentation/general/sasl_delegation

Clément.
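To make the "LDAP behind saslauthd" layout concrete, here is an added example that is not part of the thread, the LTB tutorial, or any project's own code. It renders the three pieces the delegation needs: a saslauthd.conf for the `ldap` mechanism (started as `saslauthd -a ldap -O /etc/saslauthd.conf`), the `/etc/sasl2/slapd.conf` that points slapd's SASL library at the saslauthd socket, and a user entry whose `userPassword` is `{SASL}user@realm` so that slapd hands the cleartext password to saslauthd instead of checking it locally. Host names, DNs, the service account and its password are hypothetical. The `%u` (user) and `%r` (realm) tokens in `ldap_filter` are standard saslauthd substitutions; whether one saslauthd can serve two AD domains with them depends on your directory layout (for example, a forest-wide search through a Global Catalog), which the thread does not settle.

```shell
#!/bin/sh
# Added example: saslauthd (ldap mechanism) behind OpenLDAP pass-through auth.
# Not code from the mailing-list thread or the LTB tutorial. All host names,
# DNs and credentials below are hypothetical placeholders.
# Files are written under PREFIX (default: a scratch directory), so running
# this touches nothing on the host; copy the files into /etc once reviewed.

PREFIX="${PREFIX:-/tmp/sasl-delegation-demo}"

# saslauthd.conf for "saslauthd -a ldap -O <file>".
# slapd passes the user and realm taken from "{SASL}user@realm" separately;
# saslauthd substitutes them as %u and %r in the filter. The bind account only
# needs read access to locate the entry; the user's own password is then
# checked by binding as the located DN (ldap_auth_method: bind).
saslauthd_conf() {
    cat <<'EOF'
ldap_servers: ldaps://dc.corp.example.com
ldap_version: 3
ldap_auth_method: bind
ldap_bind_dn: CN=saslauthd,OU=Service Accounts,DC=corp,DC=example,DC=com
ldap_bind_pw: CHANGE-ME-service-account-password
ldap_search_base: DC=corp,DC=example,DC=com
ldap_filter: (&(objectClass=user)(userPrincipalName=%u@%r))
ldap_tls_cacert_file: /etc/ssl/certs/corp-root-ca.pem
ldap_timeout: 10
EOF
}

# /etc/sasl2/slapd.conf: slapd's SASL library checks cleartext passwords
# through the saslauthd mux socket instead of its own sasldb.
slapd_sasl_conf() {
    cat <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
}

# LDIF fragment for a user whose password check is delegated to saslauthd.
# The realm after '@' is what reaches saslauthd as %r.
delegated_user_ldif() {
    user="$1"
    realm="$2"
    printf 'dn: uid=%s,ou=people,dc=example,dc=org\n' "$user"
    printf 'userPassword: {SASL}%s@%s\n' "$user" "$realm"
}

# Write both config files for review. saslauthd.conf carries ldap_bind_pw,
# so it must not be world-readable.
mkdir -p "$PREFIX/sasl2"
saslauthd_conf > "$PREFIX/saslauthd.conf"
chmod 600 "$PREFIX/saslauthd.conf"
slapd_sasl_conf > "$PREFIX/sasl2/slapd.conf"
delegated_user_ldif jdoe corp.example.com > "$PREFIX/jdoe.ldif"

# Once saslauthd is running, check the delegation without involving slapd:
#   testsaslauthd -u jdoe -r corp.example.com -p 'the-ad-password' -f /var/run/saslauthd/mux
```

Two checks worth doing before relying on this: confirm `testsaslauthd` succeeds for the realm you expect and fails for a wrong one (so `%r` is really reaching the filter), and verify with `ldapwhoami -x -D uid=jdoe,... -W` against slapd that the bind is accepted only when the AD password is correct.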