Quoting "Bryan J. Smith <b.j.smith@xxxxxxxx>" <thebs413@xxxxxxxxxxxxx>:
> What are you using multiple REALMs for anyway if everyone was under
> a "real UNIX" account before?
I'm abusing the fact that all users have accounts on one of AD domains. The
"Unix" services are not aware of it. They simply authenticate user against
flat userspace on LDAP server, and the LDAP/saslauthd component is
smart enough
to contact appropriate AD domain. So, no I'm not using Kerberos as such,
because in reallity the clients users have can't use it either (reason is
simple, most Windows software don't talk neither Kerberos nor SASL - they are
all username/password based with option to pass it over SSL/TLS). I'm simply
abusing the fact I can authenticate against AD domain using Kerberos as
protocol.
So the question is. If I have user-a and user-b, where user-a exists as
principal user-1@domain-1, and user-b exists as principal user-2@domain-2, can
I have FDS authenticate the user against appropriate domain if passed only the
"id=user-a,dc=mydomain,dc=com" or "id=user-b,dc=mydomain,dc=com"? No SASL, no
Kerberos mumbo-jumbo all the way from the user's client software to
LDAP server
(what happens between LDAP server onwards can be anything, as long as
it works).
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
