David Boreham wrote:
> My guess was that since saslauthd is involved, that he wants to
> authenticate against an existing
> cyrus-sasl user database. I think it may be possible to do that via PAM.
What I have are users that effectively belong to several Kerberos
domains (this way or the other).
User types in only the "username" part. What Kerberos domain it belongs
to is stored in LDAP database. For simple PAM solution to work, user
would need to type "username at REALM" (since there is more than one REALM
involved), which is not acceptable solution in my case.
Basically, I started with the similar ideas as you and Rich sugested
when solving problem with OpenLDAP. And the things always broke at the
multiple Kerberos domains used and the fact that user's were not
supplying the domain portion as part of their login. At the end, using
{SASL}username at REALM was the solution suggested on SASL and OpenLDAP
mailing lists, and it worked great so far.
