On 22 August 2011 at 15:11, Clément OUDOT <[email protected]> wrote:
> Hi all,
>
> I searched in the mailing list archives but did not find any solution
> for my problem. Here it is: I want to enable SASL passwords with
> saslauthd but I have more than one LDAP directory as authentication
> backend. So the goal is to delegate the authentication to a specific
> directory depending on a user attribute.
>
> I know this is not directly possible with saslauthd and OpenLDAP, as
> OpenLDAP uses only one saslauthd socket, and saslauthd can use only
> one LDAP directory as backend (several for failover, but all with the
> same suffix, bind DN, etc.)
>
> My idea was to add an OpenLDAP meta between saslauthd and the LDAP
> backends, and use the domain part of the SASL credential to route the
> LDAP request to the good LDAP directory. For example:
> {SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2 would bind
> to LDAP 2. As the domain part can be used in saslauthd configuration
> for the LDAP filter or the LDAP search base, we can maybe have this
> configuration in saslauthd.conf :
>
> ldap_search_base: ou=%d,dc=example,dc=com
> ldap_filter: uid=%U
>
> And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com
> and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
>
> Has anyone ever tried something like this? Do you have other suggestions?
>
Hi,

for those who are interested, I tested the above solution and it works. A little how-to can be found here:
http://ltb-project.org/wiki/documentation/general/sasl_delegation

Hope it helps,
Clément.
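Added example (not part of the thread, and not the configuration from the LTB how-to linked above): the three pieces of configuration the setup described in this thread needs, written out as a worked illustration. Host names (ldap1.example.org, ldap2.example.org), the real suffixes of the two target directories (dc=ldap1,dc=org, dc=ldap2,dc=org), file paths and the anonymous-search ACL are assumptions chosen for the illustration; only the ou=LDAP1 / ou=LDAP2 layout, the {SASL}user@DOMAIN password values and the two saslauthd.conf directives come from the thread.

```conf
# ---------------------------------------------------------------------------
# 1. slapd.conf of the OpenLDAP "meta" proxy that sits between saslauthd and
#    the real directories (example configuration, host names and remote
#    suffixes are assumed).
# ---------------------------------------------------------------------------
include         /etc/openldap/schema/core.schema

database        meta
suffix          "dc=example,dc=com"

# Target 1: any operation whose base or DN lies under ou=LDAP1,dc=example,dc=com
# is forwarded to LDAP 1, after rewriting that local subtree to the remote
# naming context (slapd-meta(5): uri / suffixmassage are per-target directives).
uri             "ldap://ldap1.example.org/ou=LDAP1,dc=example,dc=com"
suffixmassage   "ou=LDAP1,dc=example,dc=com" "dc=ldap1,dc=org"

# Target 2: same mechanism for ou=LDAP2, routed to LDAP 2.
uri             "ldap://ldap2.example.org/ou=LDAP2,dc=example,dc=com"
suffixmassage   "ou=LDAP2,dc=example,dc=com" "dc=ldap2,dc=org"

# ---------------------------------------------------------------------------
# 2. saslauthd.conf (saslauthd started with "-a ldap"), pointing at the proxy.
#    saslauthd's LDAP backend substitutes %d (domain part of the login, i.e.
#    LDAP1 or LDAP2) and %U (user part, i.e. alice or bob) into the base and
#    filter, which is what makes the proxy pick the right target.
# ---------------------------------------------------------------------------
ldap_servers:      ldap://127.0.0.1/
ldap_auth_method:  bind
ldap_search_base:  ou=%d,dc=example,dc=com
ldap_filter:       uid=%U
# No ldap_bind_dn here: the user lookup is an anonymous search through the
# proxy, followed by a simple bind with the DN found and the password to check.
# Each target therefore needs an ACL along these lines (assumed, adjust to
# taste) so that the anonymous search can find the entry:
#   access to attrs=entry,uid by anonymous read

# ---------------------------------------------------------------------------
# 3. On the slapd that holds the user entries: tell libsasl to ask saslauthd
#    (path of this file depends on the distribution), and store the password
#    as a {SASL} reference whose domain part selects the directory.
# ---------------------------------------------------------------------------
# /usr/lib/sasl2/slapd.conf
#   pwcheck_method: saslauthd
#
# user entry (LDIF fragment)
#   dn: uid=alice,ou=people,dc=example,dc=com
#   userPassword: {SASL}alice@LDAP1
#   dn: uid=bob,ou=people,dc=example,dc=com
#   userPassword: {SASL}bob@LDAP2
```

Two things worth checking before relying on this: the LDAP1/LDAP2 part comes from the userPassword value stored by the administrator, not from anything the binding client supplies, so a client cannot choose which directory verifies its password, but every directory reachable through the proxy becomes fully trusted for every {SASL} user pointing at it. And if the target directories do not allow anonymous searches, the alternative to the ACL above is to give saslauthd an ldap_bind_dn and let the proxy bind to each target with its own credentials via the idassert-bind directive of slapd-meta(5).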
