Using multiple realms with saslauthd/ldap
Dan White
dwhite at olp.net
Wed Nov 4 09:53:35 EST 2009
On 04/11/09 15:38 +1100, John Newbigin wrote:
> Hi. I have a working ldap/sasl/saslauthd/ldap setup with openldap using
> passthrough authentication as per
> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
>
> The problem is that I would like to use the realm to specify which
> server to authenticate against.
>
> The ldap settings in /etc/saslauthd.conf are quite different for each
> server (i.e. it is more than the filter which needs to be changed).
>
> Is there a way which a per realm configuration can be used? Either
> directly with sasl or with saslauthd?
I'm not aware of a way to apply specific SASL configuration depending on
the realm like that.
Depending on your server app and setup, you might be able to configure
multiple saslauthd instances, each with their own ldap configuration. That
would require your end users to authenticate to different IPs or ports
though.
For instance, in /etc/cyrus.conf (for Cyrus IMAP), you could do this in
your SERVICES section:
imap cmd="imapd -U 30 -D" listen="4.1.2.3:imap" prefork=0 maxchild=200
imapb cmd="imapd -U 30 -D" listen="4.1.2.4:imap" prefork=0 maxchild=200
imapc cmd="imapd -U 30 -D" listen="4.1.2.5:imap" prefork=0 maxchild=200
In /etc/imapd.conf:
sasl_pwcheck_method: saslauthd
imap_sasl_saslauthd_path: /var/run/saslauthd/mux
imapb_sasl_saslauthd_path: /var/run/saslauthd/muxb
imapc_sasl_saslauthd_path: /var/run/saslauthd/muxc
And then start up several instances of saslauthd:
saslauthd -m /var/run/saslauthd/mux -a ldap -O /etc/saslauthd.conf
saslauthd -m /var/run/saslauthd/muxb -a ldap -O /etc/saslauthdb.conf
saslauthd -m /var/run/saslauthd/muxc -a ldap -O /etc/saslauthdc.conf
The same approach should work when using the ldap auxprop plugin as well
(e.g. imapb_sasl_ldapdb_uri).
--
Dan White
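The multi-instance layout above has one failure mode worth checking for: a cyrus.conf service that has no matching <service>_sasl_saslauthd_path line in imapd.conf silently uses the default socket, so its users are authenticated against whichever LDAP server that saslauthd instance was started with, not the one intended for that address. The following Python script is an added example, not part of the original thread; it cross-checks the three pieces (the cyrus.conf SERVICES block, the per-service overrides in imapd.conf, and the saslauthd command lines) using constructed copies of the configuration from the post plus one extra service, imapd on 4.1.2.6, that has no override. It treats the path given to saslauthd -m the way the post does, as the socket path named in imapd.conf; confirm against saslauthd(8) for your version whether -m names the socket itself or the directory it is created in, and adjust the comparison if needed.

```python
"""Cross-check a multi-instance saslauthd layout for Cyrus IMAP.

Constructed example: ties each cyrus.conf service to the saslauthd socket and
LDAP configuration it will actually use, and flags services that silently fall
back to the default socket or point at a socket no instance serves.
"""
import shlex

# Constructed input modelled on the SERVICES block in the post, plus one extra
# service (imapd) that has no per-service saslauthd_path in imapd.conf.
CYRUS_CONF = """\
SERVICES {
  imap  cmd="imapd -U 30 -D" listen="4.1.2.3:imap" prefork=0 maxchild=200
  imapb cmd="imapd -U 30 -D" listen="4.1.2.4:imap" prefork=0 maxchild=200
  imapc cmd="imapd -U 30 -D" listen="4.1.2.5:imap" prefork=0 maxchild=200
  imapd cmd="imapd -U 30 -D" listen="4.1.2.6:imap" prefork=0 maxchild=200
}
"""

# Constructed imapd.conf fragment, as in the post.
IMAPD_CONF = """\
sasl_pwcheck_method: saslauthd
imap_sasl_saslauthd_path: /var/run/saslauthd/mux
imapb_sasl_saslauthd_path: /var/run/saslauthd/muxb
imapc_sasl_saslauthd_path: /var/run/saslauthd/muxc
"""

# Constructed saslauthd command lines, as in the post.
SASLAUTHD_CMDS = [
    "saslauthd -m /var/run/saslauthd/mux -a ldap -O /etc/saslauthd.conf",
    "saslauthd -m /var/run/saslauthd/muxb -a ldap -O /etc/saslauthdb.conf",
    "saslauthd -m /var/run/saslauthd/muxc -a ldap -O /etc/saslauthdc.conf",
]

# Assumed defaults: the library's socket when no *_saslauthd_path is set, and
# saslauthd's LDAP config file when -O is not given.
DEFAULT_MUX = "/var/run/saslauthd/mux"
DEFAULT_LDAP_CONF = "/etc/saslauthd.conf"


def parse_cyrus_services(text):
    """Return {service_name: listen_address} from the SERVICES { ... } block."""
    services = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SERVICES"):
            in_block = True
            continue
        if in_block and stripped.startswith("}"):
            break
        if in_block and stripped and not stripped.startswith("#"):
            name, *opts = shlex.split(stripped)  # shlex strips the quotes
            kv = dict(o.split("=", 1) for o in opts if "=" in o)
            services[name] = kv.get("listen", "")
    return services


def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines, ignoring comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts


def parse_saslauthd_cmds(cmds):
    """Return {socket_path: ldap_conf} from the -m and -O of each command line."""
    instances = {}
    for cmd in cmds:
        argv = shlex.split(cmd)
        mux = argv[argv.index("-m") + 1] if "-m" in argv else DEFAULT_MUX
        conf = argv[argv.index("-O") + 1] if "-O" in argv else DEFAULT_LDAP_CONF
        instances[mux] = conf
    return instances


def resolve_backends(cyrus_conf, imapd_conf, saslauthd_cmds):
    """Map every service to (listen, socket, ldap_conf, finding).

    finding is '' when the chain is explicit and served; otherwise it names
    the problem (silent fallback to the default socket, or an unserved socket).
    """
    services = parse_cyrus_services(cyrus_conf)
    opts = parse_imapd_conf(imapd_conf)
    instances = parse_saslauthd_cmds(saslauthd_cmds)
    default_sock = opts.get("sasl_saslauthd_path", DEFAULT_MUX)
    rows = []
    for name, listen in sorted(services.items()):
        findings = []
        sock = opts.get(f"{name}_sasl_saslauthd_path")
        if sock is None:
            sock = default_sock
            findings.append("no per-service saslauthd_path; falls back to default socket")
        conf = instances.get(sock)
        if conf is None:
            findings.append("socket is not served by any saslauthd instance")
        rows.append((name, listen, sock, conf, "; ".join(findings)))
    return rows


if __name__ == "__main__":
    for name, listen, sock, conf, finding in resolve_backends(
        CYRUS_CONF, IMAPD_CONF, SASLAUTHD_CMDS
    ):
        status = "WARN" if finding else "OK  "
        print(f"{status} {name:6} {listen:14} -> {sock:26} -> {conf or '-'} {finding}")
```

Run against the constructed input, imap, imapb and imapc each resolve to their own socket and LDAP config, while imapd is reported as falling back to /var/run/saslauthd/mux and therefore to the first server's /etc/saslauthd.conf. Dropping one of the saslauthd command lines turns the corresponding services into "not served" findings, which is what users would see as authentication failures on that address.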