migrating to virtual domain support

Stefan Palme kleiner77 at gmx.net
Tue Jan 29 15:41:01 EST 2008


Hi,

I am running a cyrus imap server 2.2.x without virtual domain support.
Usernames are "simple" (fred, bob, ...) and authenticated using SASL
-> saslauthd -> PAM -> /etc/passwd. Mailboxes are in unix hierarchy
style ("user/fred", "user/bob/spam").

Because the number of users is rising, collisions become more and more
probable. For example, the mail server (postfix) receives mail for
fred@domain1.com and fred@domain2.net (where the two freds are not
the same person!). Currently there exist a user "fred" (for domain1.com)
and a user "fred2" (for domain2.net) in /etc/passwd - but this becomes
more and more ugly.
So I wanted to migrate to virtual domain support, so that there are now
two separate users fred@domain1.com and fred@domain2.net.

I know how to create those virtual mailboxes and how to configure the
cyrus imap server. But how to realize authentication? In the current
configuration using /etc/passwd such usernames ("fred@domain1.com")
are not possible. My preferred solution would be an LDAP server
with a user hierarchy like "cn=fred,ou=domain1.com" and
"cn=fred,ou=domain2.net" etc.

But how do I configure cyrus imapd and/or SASL correctly to achieve
this? The "virtual domain part" of a userid (fred@domain1.com) must
somehow be used as a search filter for the LDAP query that represents
the correct user...

Or maybe this approach is totally gaga, and there are solutions
much better than that?

TIA
Regards
-stefan-
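
The mapping asked about above, from a userid such as fred@domain1.com to the proposed "cn=fred,ou=domain1.com" hierarchy, as an added Python example that is not part of the original post and is not Cyrus or saslauthd code. It validates the domain part and escapes both parts, since the login string is untrusted input to the LDAP query; BASE_DN, DEFAULT_DOMAIN and all function names are assumptions.

```python
import re

BASE_DN = "dc=example,dc=org"   # assumed directory suffix, not from the post
DEFAULT_DOMAIN = "domain1.com"  # assumed domain for legacy logins without "@"

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(r"%s(?:\.%s)+" % (_LABEL, _LABEL))

def split_userid(userid):
    """Split 'local@domain' at the last '@'; bare names get DEFAULT_DOMAIN."""
    local, sep, domain = userid.rpartition("@")
    if not sep:
        local, domain = userid, DEFAULT_DOMAIN
    domain = domain.lower()
    # Reject anything that is not a plain DNS name before it reaches a DN.
    if not local or len(domain) > 253 or not _DOMAIN_RE.fullmatch(domain):
        raise ValueError("malformed userid: %r" % userid)
    return local, domain

def escape_filter(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def escape_dn(value):
    """RFC 4514 escaping (hex form) for a value placed inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        edge = (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        if ch in ',+"\\<>;=\0' or edge:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def ldap_lookup(userid):
    """Return search base, filter and entry DN for one login name."""
    local, domain = split_userid(userid)
    search_base = "ou=%s,%s" % (escape_dn(domain), BASE_DN)
    return {
        "search_base": search_base,
        "filter": "(cn=%s)" % escape_filter(local),
        "dn": "cn=%s,%s" % (escape_dn(local), search_base),
    }
```
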




More information about the Info-cyrus mailing list