Quoting "Bryan J. Smith <b.j.smith at ieee.org>" <thebs413 at earthlink.net>: > What are you using multiple REALMs for anyway if everyone was under > a "real UNIX" account before? I'm abusing the fact that all users have accounts on one of AD domains. The "Unix" services are not aware of it. They simply authenticate user against flat userspace on LDAP server, and the LDAP/saslauthd component is smart enough to contact appropriate AD domain. So, no I'm not using Kerberos as such, because in reallity the clients users have can't use it either (reason is simple, most Windows software don't talk neither Kerberos nor SASL - they are all username/password based with option to pass it over SSL/TLS). I'm simply abusing the fact I can authenticate against AD domain using Kerberos as protocol. So the question is. If I have user-a and user-b, where user-a exists as principal user-1 at domain-1, and user-b exists as principal user-2 at domain-2, can I have FDS authenticate the user against appropriate domain if passed only the "id=user-a,dc=mydomain,dc=com" or "id=user-b,dc=mydomain,dc=com"? No SASL, no Kerberos mumbo-jumbo all the way from the user's client software to LDAP server (what happens between LDAP server onwards can be anything, as long as it works). ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.