Jonathan, I decided to follow both of the options, and test which one is better :) :

1 - back-meta
2 - change the saslauthd from ldap to Kerberos

Regarding back-meta I need help :(

In the slapd.conf I have a database created for back-meta..... (strange thing is that it didn't work when I created a separate conf file per each database, "include /etc/openldap/slapd_domain1.conf"; it only works if I add all the databases in the same file as shown below).

Now what should I configure in the saslauthd.conf file..... if I direct ldap_servers to it, how does it know which AD is associated with each user?

___________________________________________________________________________
[r...@openam-ldap openldap]# more ../saslauthd.conf
ldap_servers: ldap://localhost
ldap_search_base: dc=cisco,dc=com
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: cn=admin,dc=cisco,dc=com
ldap_password: Cisco,123
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
____________________________________________________________________
[r...@openam-ldap openldap]# more slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/openldap.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

sasl-host       localhost
sasl-secprops   none

database        meta
suffix          "dc=cisco,dc=com"
uri             "ldap://localhost/ou=domain1,dc=cisco,dc=com"
suffixmassage   "ou=domain1,dc=cisco,dc=com" "ou=domain1"
uri             "ldap://localhost/ou=domain2,dc=cisco,dc=com"
suffixmassage   "ou=domain2,dc=cisco,dc=com" "ou=domain2"

database        hdb
suffix          "ou=domain1"
directory       "/var/lib/ldap/domain1"
rootdn          "cn=admin,ou=domain1"
rootpw          "Cisco,123"
index           objectClass eq,pres
index           ou,cn,mail,surname,givenname eq,pres,sub
index           uid eq,pres,sub

database        hdb
suffix          "ou=domain2"
directory       "/var/lib/ldap/domain2"
rootdn          "cn=admin,ou=domain2"
rootpw          "Cisco,123"
index           objectClass eq,pres
index           ou,cn,mail,surname,givenname eq,pres,sub
index           uid eq,pres,sub
_______________________________________________________________

Thank you,
Paulo

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Clarke
Sent: Monday, November 15, 2010 12:13 PM
To: [email protected]
Subject: Re: Pass-Through authentication

On 14/11/10 18:29, Paulo Jorge N. Correia (paucorre) wrote:
> Hi all,
>
> I'm just starting with openLDAP and saslauth, and I'm trying to
> replicate what I can achieve with ADAM/AD LDS on the Windows platform.
>
> I'm trying to use openldap to aggregate user information from several
> AD servers under different forests.
>
> So a single point of contact from an LDAP perspective for an
> organization, and then openldap should pass through the authentication
> request that it receives to the AD DC of the respective user.
>
> This works well with saslauthd for a single domain, but if I need
> to do this with multiple domains, I don't know how to configure
> saslauthd.

saslauthd can only launch one LDAP search to find a user and check his password. So if you're using several AD domains, you need to be able to perform a single search over all those domains: set up a back-meta with all the AD forests under it, and point saslauthd at that.

Jonathan
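An added illustration of the mechanism Jonathan describes (this is not code from the thread, from OpenLDAP or from Cyrus SASL), so that the "how does it know which AD is associated with each user" question has a concrete answer. saslauthd with ldap_auth_method: bind does one search as ldap_bind_dn under ldap_search_base, takes the DN of the single entry it finds, and binds as that DN with the user's password. back-meta answers the search by fanning it out to every target whose massaged subtree lies under the base and rewriting each returned DN into the local naming context; when the bind for that DN arrives, the subtree the DN sits in identifies the owning target, the DN is massaged back to that target's naming context, and the bind is forwarded there. The toy below models exactly those two steps for two AD domains. Everything in it is constructed: the domain naming contexts, DNs and passwords are hypothetical, and the logon attribute is sAMAccountName because that is what AD uses (against real AD the saslauthd filter would be sAMAccountName=%u rather than uid=%u). Two caveats that the toy makes visible but the thread does not cover: the posted cn=admin,dc=cisco,dc=com sits under no target's massaged subtree, so a bind as that DN has nowhere to be routed unless the meta database gets its own rootdn; and AD refuses anonymous searches by default, so the proxied search needs target-side credentials (back-meta's idassert-bind directives).

```python
"""Toy model of saslauthd search-then-bind through an OpenLDAP back-meta
proxy fronting two AD domains.  Added illustration only, not code from
OpenLDAP, Cyrus SASL or the thread; all DNs, hosts and passwords are
constructed for the example."""


def dn_parts(dn):
    # Case-folded, whitespace-stripped RDNs.  Real DN parsing must handle
    # escaping; the sample data contains none, so a plain split suffices.
    return [p.strip().lower() for p in dn.split(",")]


def under(dn, suffix):
    # True if dn equals suffix or lies below it.
    d, s = dn_parts(dn), dn_parts(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def massage(dn, from_suffix, to_suffix):
    # back-meta "suffixmassage": swap the trailing naming context of dn.
    if not under(dn, from_suffix):
        raise ValueError("%s is not under %s" % (dn, from_suffix))
    keep = len(dn_parts(dn)) - len(dn_parts(from_suffix))
    head = [p.strip() for p in dn.split(",")][:keep]
    return ",".join(head + [to_suffix])


class ADTarget:
    """One 'uri' + 'suffixmassage' pair of the meta database.  'entries'
    maps remote DN -> (attributes, password) and stands in for the AD
    domain controller behind that uri."""

    def __init__(self, name, remote_suffix, local_suffix, entries):
        self.name = name
        self.remote_suffix = remote_suffix
        self.local_suffix = local_suffix
        self.entries = entries

    def search(self, attr, value):
        # Subtree search with an equality filter, e.g. sAMAccountName=alice.
        return [dn for dn, (attrs, _) in self.entries.items()
                if attrs.get(attr, "").lower() == value.lower()]

    def bind(self, remote_dn, password):
        entry = self.entries.get(remote_dn)
        return entry is not None and entry[1] == password


class MetaBackend:
    """'database meta': fans searches out by subtree, routes binds by
    subtree, and massages DNs between local and remote naming contexts."""

    def __init__(self, targets):
        self.targets = targets

    def search(self, base, attr, value):
        # Ask every target whose virtual subtree meets the search base;
        # each hit comes back as a local (massaged) DN plus the target name.
        hits = []
        for t in self.targets:
            if under(t.local_suffix, base) or under(base, t.local_suffix):
                for remote_dn in t.search(attr, value):
                    local_dn = massage(remote_dn, t.remote_suffix, t.local_suffix)
                    hits.append((local_dn, t.name))
        return hits

    def bind(self, local_dn, password):
        # The subtree the DN sits in picks the owning target; a DN under no
        # target (the posted cn=admin,dc=cisco,dc=com) cannot be routed.
        for t in self.targets:
            if under(local_dn, t.local_suffix):
                remote_dn = massage(local_dn, t.local_suffix, t.remote_suffix)
                return t.bind(remote_dn, password)
        return False


def saslauthd_check(meta, base, user, password, attr="sAMAccountName"):
    """saslauthd with ldap_auth_method: bind: a single search for the user,
    then a bind as the one DN found.  Returns (ok, detail)."""
    hits = meta.search(base, attr, user)
    if not hits:
        return False, "no such user"
    if len(hits) > 1:
        # Same logon name in two domains: one search cannot tell them apart.
        # The thread does not say what saslauthd does here; the toy refuses.
        return False, "ambiguous: " + ", ".join(name for _, name in hits)
    dn, name = hits[0]
    return meta.bind(dn, password), name


# Constructed sample directories (hypothetical naming contexts and secrets).
DOMAIN1 = ADTarget("domain1", "dc=domain1,dc=example", "ou=domain1,dc=cisco,dc=com", {
    "cn=alice,cn=users,dc=domain1,dc=example": ({"sAMAccountName": "alice"}, "alice-pw"),
    "cn=carol,cn=users,dc=domain1,dc=example": ({"sAMAccountName": "carol"}, "carol-pw"),
})
DOMAIN2 = ADTarget("domain2", "dc=domain2,dc=example", "ou=domain2,dc=cisco,dc=com", {
    "cn=bob,cn=users,dc=domain2,dc=example": ({"sAMAccountName": "bob"}, "bob-pw"),
    "cn=carol,cn=users,dc=domain2,dc=example": ({"sAMAccountName": "carol"}, "carol-pw2"),
})
META = MetaBackend([DOMAIN1, DOMAIN2])

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "wrong"), ("carol", "carol-pw"), ("nobody", "x")):
        print(user, saslauthd_check(META, "dc=cisco,dc=com", user, pw))
    print("admin bind routable:", META.bind("cn=admin,dc=cisco,dc=com", "Cisco,123"))
```

The point to take from the toy is that the target is never chosen by saslauthd: it is chosen by back-meta from the DN the search returned, which is why ldap_servers can stay pointed at localhost. The same property is the thing to check before going live with several forests: if one logon name exists in more than one domain, a single search over dc=cisco,dc=com returns more than one DN, and the outcome then depends on saslauthd's handling of multiple results rather than on anything in slapd.conf.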
