Configuring Openldap with SASL pass-through authentication

When using an OpenLDAP server together with a Kerberos server, you run into the problem of double password management: each user has one password in the directory and another in the KDC.
OpenLDAP can, however, be configured to pass all bind requests through to another server or service, so that only the Kerberos password is used.

This example assumes that you already have a running OpenLDAP server and a running Kerberos server.

Execute the following steps to set up the pass-through authentication:

Install the cyrus-sasl and cyrus-sasl-gssapi packages:

yum install cyrus-sasl cyrus-sasl-gssapi

Add the following lines to the /etc/sysconfig/saslauthd file:

SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS=

Create the file /etc/sasl2/slapd.conf and add the following line to it:

pwcheck_method: saslauthd

The server-side configuration is now complete.

To set up pass-through authentication for a specific user, change that user's userPassword attribute to:

userPassword: {SASL}username@REALM

When an ldapsearch with a simple bind is now done for that user, the authentication should succeed:

ldapsearch -h hostname -x -D "uid=username,ou=People,dc=example,dc=com" -b "dc=example,dc=com"
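As an added example (not part of the original page), the following shell script builds the LDIF that switches a user to pass-through authentication and then verifies each hop separately: saslauthd against the KDC with testsaslauthd, and the full path through slapd with a simple bind. The base DN dc=example,dc=com, the ou=People container, the manager DN cn=Manager, the user jdoe, the realm EXAMPLE.COM and the KRB_PASSWORD variable are assumed values; it also assumes the saslauthd service has been started.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed values: base DN
# dc=example,dc=com, manager DN cn=Manager,<base>, uid "jdoe", realm EXAMPLE.COM.

# The userPassword value that makes slapd hand the bind to saslauthd.
sasl_password_value() {
    # $1 = Kerberos principal name (the uid), $2 = realm
    printf '{SASL}%s@%s\n' "$1" "$2"
}

# LDIF "modify" that replaces userPassword with the {SASL} value, so no
# password hash is left in the directory for this user.
sasl_passthrough_ldif() {
    # $1 = uid, $2 = realm, $3 = base DN
    printf 'dn: uid=%s,ou=People,%s\n' "$1" "$3"
    printf 'changetype: modify\n'
    printf 'replace: userPassword\n'
    printf 'userPassword: %s\n' "$(sasl_password_value "$1" "$2")"
}

# Reject an already qualified principal or a realm that is not upper case:
# "{SASL}jdoe@EXAMPLE.COM@EXAMPLE.COM" never matches a Kerberos principal.
valid_principal() {
    case "$1" in *@*|"") return 1 ;; esac
    case "$2" in *[!A-Z0-9.-]*|"") return 1 ;; esac
    return 0
}

# Apply the change, then check saslauthd alone before testing through slapd.
# Needs KRB_PASSWORD set to the user's Kerberos password (assumed variable).
apply_and_verify() {
    uid=$1; realm=$2; base=$3; host=$4
    valid_principal "$uid" "$realm" || { echo "bad uid or realm" >&2; return 1; }
    sasl_passthrough_ldif "$uid" "$realm" "$base" \
        | ldapmodify -h "$host" -x -D "cn=Manager,$base" -W || return 1
    # Fails here if MECH is wrong, the KDC is unreachable or saslauthd is down.
    testsaslauthd -u "$uid" -r "$realm" -p "$KRB_PASSWORD" || return 1
    # Fails here if slapd cannot reach the saslauthd socket or slapd.conf is missing.
    ldapsearch -h "$host" -x -D "uid=$uid,ou=People,$base" -w "$KRB_PASSWORD" \
        -b "$base" "uid=$uid" dn
}
```

Run it as `KRB_PASSWORD=... ; apply_and_verify jdoe EXAMPLE.COM dc=example,dc=com hostname`; a failure in testsaslauthd points at the saslauthd or Kerberos side, a failure only in ldapsearch points at the slapd side.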