
Re: ldap structure for multi domain.tld email hosting



--- Edwin Culp <eculp@encontacto.net> wrote:
> Quoting "Gary C. New" <garycnew@yahoo.com>:
> 
>  | I am attempting to set up an email hosting solution
>  | with postfix, cyrus-imap, and openldap that will
>  | support several of my current clients and those that I
>  | wish to bring on in the future.  Each client has an
>  | individual domain.tld or domains.tld with various
>  | users under each domain.tld.
>  | 
>  | I've seen a few postings regarding the subject, but am
>  | wondering what might be the best structure for this in
>  | ldap?
>  | 
>  | One posting suggested separate o= attribs:
>  | 
> FWIW, I would change the dn to use mail to simplify the separation
> of multiple gary's - gary@domain1 gary@domain2, etc.
> dn: mail=gary@somedomain.us,o=yourcompany.com
> I actually throw in an ou=people for
> dn: mail=gary@somedomain.us,ou=people,o=yourcompany.com
> 
> ed
> 
>  | dn: uid=someuser, o=someorg, c=us
>  | uid: someuser
>  | userpassword: somepassword
>  | maildrop: fulladdress@machine.dom.ain
>  | mailacceptinggeneralid: someuser
>  | mailacceptinggeneralid: somealias
>  | 


I appreciate your reply and suggestion.  I have a
couple more questions I thought you might know.

I am new to the ldap architecture, but understand that
like any structure it is important to develop a good
understanding of what is needed and then decide on the
best way of implementing it.  In terms of ldap, I've
read that there are 2 basic types of structures used:
flat and hierarchical.  It has been suggested that the
flat structure is the better way to go and I am trying
to decide on a flat scheme that will best suit my
needs for ldap authentication using postfix,
cyrus-imap, and an ldap-based per-organization address
book.  I am also trying to tie all this in using SASL
(simply for digest-md5 authentication while user
passwds will be stored in plain text in their ldap
entry).

I previously outlined a few of the basic attributes
that will be needed per ldap entry, but for security
purposes would it be better to separate each client
company's entries per organizational unit?
Wouldn't this better segment the entries and allow a
distinct per-organizational-unit address book list?
This would further allow me to continue my use of the
uid attribute (which I believe is required for SASL
authentication) rather than being forced to use the
mail=user@domain attribute in a single group.  Any
idea how I might tie a mailing list to a client
company's group?  I guess my real problem, at the
moment, is the fact that I don't know how ldap's
default attributes work (i.e., o=, ou=, objectclass).

This is how I currently picture the structure in my
mind (a kind of 2 tier then flat model):

       -- company1
rootdn -- company2 -- user1 -- user2 -- user3
       -- company3

As always, comments and suggestions are appreciated
(especially ldif examples).

Respectfully,


Gary
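The following LDIF is an added illustration of the two-tier-then-flat layout sketched in the message above; it is not from the original thread or from either poster. It builds the tree with standard object classes only (organization, organizationalUnit, inetOrgPerson from the core and inetorgperson schemas), keeps uid as the RDN so the same login name can exist under two client companies without colliding, and puts the routing address in the mail attribute (repeated for aliases). All names (hosting.example, company1.example, company2.example, the users) and the password value are constructed placeholders.

```ldif
# Added example, not part of the original thread. Every name below is a
# constructed placeholder; the userPassword value is a placeholder too.

# Tier 0: the directory root (the "rootdn" box in the sketch)
dn: o=hosting.example
objectClass: top
objectClass: organization
o: hosting.example

# Tier 1: one organization entry per client company
dn: o=company1.example,o=hosting.example
objectClass: top
objectClass: organization
o: company1.example
description: Client company 1 (hosted domain company1.example)

# Flat container for that company's mailboxes; searching with base
# ou=people,o=company1.example,o=hosting.example and scope "one" gives
# exactly that company's address book and nothing from other clients.
dn: ou=people,o=company1.example,o=hosting.example
objectClass: top
objectClass: organizationalUnit
ou: people

# Tier 2: a mailbox. uid stays the RDN (what SASL looks up); mail carries
# the full routing address and is repeated once per alias.
dn: uid=gary,ou=people,o=company1.example,o=hosting.example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: gary
cn: Gary Example
sn: Example
mail: gary@company1.example
mail: postmaster@company1.example
userPassword: {SSHA}PLACEHOLDER-REPLACE-WITH-REAL-HASH

# A second client with its own ou=people
dn: o=company2.example,o=hosting.example
objectClass: top
objectClass: organization
o: company2.example

dn: ou=people,o=company2.example,o=hosting.example
objectClass: top
objectClass: organizationalUnit
ou: people

# Another "gary": same uid, different DN, so no collision. Mail routing
# still finds the right mailbox because the lookup is on the full address.
dn: uid=gary,ou=people,o=company2.example,o=hosting.example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: gary
cn: Gary Other
sn: Other
mail: gary@company2.example
userPassword: {SSHA}PLACEHOLDER-REPLACE-WITH-REAL-HASH
```

Two practical notes on this layout. First, because the RDN is uid rather than mail, the DN no longer guarantees that an address is unique across the whole tree the way the mail= RDN in the quoted suggestion does; the MTA's lookup (a search over the whole suffix with a filter such as (mail=%s)) must therefore be prepared for, or the directory must be configured to reject, duplicate mail values. Second, whichever RDN is chosen, the userPassword attribute should be unreadable to anyone but the entry itself and the bind operation, for example with a slapd.conf rule of the form "access to attrs=userPassword by self write by anonymous auth by * none"; this matters even more when the stored value is not a hash.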
