Authenticating virtual domain users with saslauthd

Igor Brezac igor at ipass.net
Thu Jun 23 12:01:57 EDT 2005


On Thu, 23 Jun 2005, Etienne Goyer wrote:

> Hi,
>
> I would like to authenticate virtual domain users using saslauthd.  I
> want the possibility to have the same username in more than one domain
> (i.e. etienne at example.com and etienne at test.com).  I will probably use LDAP
> as authentication backend, but this remains to be decided.
>
> Right now, for testing, I have saslauthd configured for PAM with shadow.
> I have a user etienne, and login is successful for any combination of
> etienne at domain.  I suppose saslauthd strips the @domain part, which would

No.  Your application does it, libsasl in particular.  It is actually not 
stripped; the domain part is passed in as a separate parameter (realm) to 
saslauthd.  The shadow auth mechanism does not use the realm parameter.

> break my setup when authenticating users from different domains with the
> same "username" (part before the @).

Start saslauthd -r ...  (Read saslauthd man page for more)

> If I use LDAP, my users would be in different OUs.  Ideally, I could tell
> saslauthd to authenticate users from example.com in ou=exemple.com, etc.
> Is this possible somehow?

Yes.

>
> Peripheral question: which syslog facility is saslauthd logging to,
> and at what level for authentication success?

LOG_AUTH

>
> Thanks for your input.  Please ask for clarification if I am not clear
> enough.
>
> Etienne Goyer
>

-- 
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
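
Added example, not part of the original message and not saslauthd source code: a small Python model of the identity handling described in the reply, showing why two same-named users collide when the realm is ignored, what the -r option changes, and how a per-domain OU can be derived from the domain part. The function names, the %u/%U/%d token names in the DN template, and the directory suffix are assumptions made for illustration; check the token syntax against the saslauthd LDAP documentation for your version.

```python
import re

# Illustrative model only (not saslauthd source). Token names %u, %U, %d are
# assumed to match saslauthd's LDAP configuration; verify for your version.

def split_login(login):
    """Split 'user@realm' the way the SASL library hands it to saslauthd."""
    user, _, realm = login.partition("@")
    return user, realm

def backend_identity(login, combine_realm):
    """Identity the auth mechanism checks; combine_realm models 'saslauthd -r'."""
    user, realm = split_login(login)
    if combine_realm and realm:
        return f"{user}@{realm}"
    return user  # a realm-unaware mechanism such as shadow sees only this

def escape_dn_value(value):
    """RFC 4514 escaping, so a client-supplied realm cannot add DN components."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in ',+"\\<>;=' or edge else ch)
    return "".join(out)

def expand_search_base(template, identity):
    """Expand %u (full login), %U (user part), %d (domain part) in a DN template."""
    user, domain = split_login(identity)
    if "%d" in template and not domain:
        raise ValueError("no domain in identity; cannot select a per-domain OU")
    values = {"u": identity, "U": user, "d": domain}
    return re.sub(r"%([uUd])", lambda m: escape_dn_value(values[m.group(1)]), template)

# Constructed sample: the directory suffix is a placeholder, not from the thread.
SEARCH_BASE = "ou=%d,dc=hosting,dc=invalid"

if __name__ == "__main__":
    for login in ("etienne@example.com", "etienne@test.com"):
        plain = backend_identity(login, combine_realm=False)
        full = backend_identity(login, combine_realm=True)
        print(f"{login}: without -r -> {plain!r}, with -r -> {full!r}, "
              f"base -> {expand_search_base(SEARCH_BASE, full)}")
```

The escaping step is part of this model, a precaution for any template that places a client-supplied realm inside a DN.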



