On 22/03/10 17:26 +0000, Purahoo, Krishan wrote:
> Hi all,
>
> I am trying to authenticate against multiple Active Directory
> servers from openldap.
>
> I have started multiple (two) saslauthd servers and can use
> testsaslauthd to successfully authenticate against any of
> my two AD (Active Directory) servers.
>
> I start my two saslauthd servers, as
>
>   saslauthd -m /var/run/saslauthda -a ldap -O /etc/saslauthd_a.conf -r
>   saslauthd -m /var/run/saslauthdb -a ldap -O /etc/saslauthd_b.conf -r
>
> Using testsaslauthd, as follows works OK
>
>   testsaslauthd -f /var/run/saslauthd_a/mux -u joe@xxxxxxxxxxxxx -p xxx
>   testsaslauthd -f /var/run/saslauthd_b/mux -u jill@xxxxxxxxxxxxx -p xxx
>
> I can't seem to be able to configure openldap to authenticate against
> both AD servers. I can authenticate against one at a time.
>
> When I configure /etc/sasl2/slapd.conf with the following lines
>
>   mech_list: plain
>   pwcheck_method: saslauthd
>   saslauthd_path: /var/run/saslauth_a/mux

I'm not aware of a way to reference two saslauthd paths that way.
The ldap_servers parameter in the saslauthd ldap config accepts multiple
ldap servers, but I assume that doesn't work the way you need it to.
You can have multiple pwcheck_methods, which should work, but isn't a very
clean solution.

For authentication to the first server, you could use saslauthd, and for
authentication to the second server, you could do one of:

auxprop using the giengerldap plugin - ldapdb probably won't work with active
directory:
(http://southbrain.com/south/2008/06/writing-a-cyrus-sasl-ldap-auxp.html)

authdaemon (courier) using its pam config, which in turn uses one of
pamldap/nssldap/nssov/nss-ldapd (I'm not sure which of these may work with
Active Directory)

--
Dan White