Using multiple realms with saslauthd/ldap

Dan White dwhite at olp.net
Wed Nov 4 09:53:35 EST 2009


On 04/11/09 15:38 +1100, John Newbigin wrote:
> Hi. I have a working ldap/sasl/saslauthd/ldap set up with openldap using
> passthrough authentication as per
> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
>
> The problem is that I would like to use the realm to specify which
> server to authenticate against.
>
> The ldap settings in /etc/saslauthd.conf are quite different for each
> server (i.e. it is more than the filter which needs to be changed).
>
> Is there a way in which a per-realm configuration can be used? Either
> directly with sasl or with saslauthd?

I'm not aware of a way to apply specific SASL configuration depending on
the realm like that.

Depending on your server app and setup, you might be able to configure
multiple saslauthd instances, each with their own ldap configuration. That
would require your end users to authenticate to different IPs or ports
though.

For instance, in /etc/cyrus.conf (for Cyrus IMAP), you could do this in
your SERVICES section:

imap            cmd="imapd -U 30 -D" listen="4.1.2.3:imap" prefork=0 maxchild=200
imapb            cmd="imapd -U 30 -D" listen="4.1.2.4:imap" prefork=0 maxchild=200
imapc            cmd="imapd -U 30 -D" listen="4.1.2.5:imap" prefork=0 maxchild=200

In /etc/imapd.conf:

sasl_pwcheck_method: saslauthd
imap_sasl_saslauthd_path: /var/run/saslauthd/mux
imapb_sasl_saslauthd_path: /var/run/saslauthd/muxb
imapc_sasl_saslauthd_path: /var/run/saslauthd/muxc

And then start up several instances of saslauthd:

saslauthd -m /var/run/saslauthd/mux -a ldap -O /etc/saslauthd.conf
saslauthd -m /var/run/saslauthd/muxb -a ldap -O /etc/saslauthdb.conf
saslauthd -m /var/run/saslauthd/muxc -a ldap -O /etc/saslauthdc.conf

The same approach should work when using the ldap auxprop plugin as well
(e.g. imapb_sasl_ldapdb_uri).

-- 
Dan White
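The three configuration fragments above (cyrus.conf SERVICES, imapd.conf, and the saslauthd command lines) have to agree on the socket paths, or a service silently authenticates against the wrong LDAP backend. The following script is an added example, not code from Dan's post or from the Cyrus project: it keeps the per-instance layout in one table, generates all three fragments from it, and refuses to start an instance whose saslauthd.conf (which carries ldap_bind_pw) is readable by group or others. The table format, the function names and the `start_all` dry-run behaviour are assumptions of this script; the service names, addresses and paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Cyrus project.
# One table drives cyrus.conf, imapd.conf and the saslauthd launches so the
# mux path imapd hands to each service always matches the -m path the
# corresponding saslauthd was started with. Values are the post's; the
# table layout is an assumption of this script.

# service  listen-address  mux-socket               saslauthd config
INSTANCES='
imap   4.1.2.3:imap  /var/run/saslauthd/mux   /etc/saslauthd.conf
imapb  4.1.2.4:imap  /var/run/saslauthd/muxb  /etc/saslauthdb.conf
imapc  4.1.2.5:imap  /var/run/saslauthd/muxc  /etc/saslauthdc.conf
'

# Print one field (2=listen, 3=mux socket, 4=config) for a service name;
# fails when the service is not in the table.
instance_field() {
    printf '%s\n' "$INSTANCES" |
        awk -v svc="$1" -v col="$2" '$1 == svc { print $col; found = 1 } END { exit !found }'
}

# SERVICES lines for /etc/cyrus.conf, one imapd listener per instance.
gen_cyrus_services() {
    printf '%s\n' "$INSTANCES" |
        awk 'NF { printf "%s\tcmd=\"imapd -U 30 -D\" listen=\"%s\" prefork=0 maxchild=200\n", $1, $2 }'
}

# /etc/imapd.conf: global pwcheck method plus a per-service saslauthd socket.
gen_imapd_conf() {
    echo "sasl_pwcheck_method: saslauthd"
    printf '%s\n' "$INSTANCES" |
        awk 'NF { printf "%s_sasl_saslauthd_path: %s\n", $1, $3 }'
}

# The saslauthd command line for one service, built from the same table.
saslauthd_cmd() {
    mux=$(instance_field "$1" 3) || return 1
    conf=$(instance_field "$1" 4) || return 1
    printf 'saslauthd -m %s -a ldap -O %s\n' "$mux" "$conf"
}

# saslauthd.conf holds ldap_bind_pw: succeed only if the file exists and
# neither the group nor the "other" read bit is set (POSIX find, no GNU /mode).
conf_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" -perm -004)" ] && [ -z "$(find "$f" -perm -040)" ]
}

# Dry run: print the launch command for every instance whose config passes
# the permission check, and complain about the rest. To really launch,
# replace the last line of the loop with: eval "$(saslauthd_cmd "$svc")"
start_all() {
    printf '%s\n' "$INSTANCES" | while read -r svc listen mux conf; do
        [ -n "$svc" ] || continue
        if ! conf_is_private "$conf"; then
            echo "refusing $svc: $conf missing or readable by group/others" >&2
            continue
        fi
        saslauthd_cmd "$svc"
    done
}
```

Run `gen_cyrus_services` and `gen_imapd_conf` to produce the fragments to paste into the two config files, then `start_all` to see (or, after the one-line change noted in the comment, perform) the launches. Each instance still needs its own /etc/saslauthd*.conf with that backend's `ldap_servers`, `ldap_bind_dn`, `ldap_bind_pw` and filter, as in the post; the script only guards against mismatched socket paths and over-permissive config files.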
