
Re: Recommended approach for LDAP as backend for virtual domain mail hosting?



On Friday 08 October 2010 13:39:25 Buchan Milne wrote:
> > > >  * Groups and aliases must be possible
> > > What specifically do you mean by groups?
> > By group support I just mean the usual way to group users together,
> > as in ou=groups,dc=example,dc=com. Users on different hosted
> > domains won't/can't be in the same group, if that matters any.
> 
> But, what would you use the groups for? Authorization to specific
> services only available to specific groups?

Exactly. That shouldn't be a problem, should it?

> > However, when using uid=joe@example.com,o=mysitename, how would
> > Postfix (or anything else) look up which virtual domains it is
> > supposed to serve, i.e. virtual_mailbox_domains?
> > 
> > That's the one thing about which I am not yet quite clear. In our
> > relational database there's a simple table "virtual_domains" with a
> > name and an ID for the hosted domains. Postfix only wants the key
> > (the domain name) to exist when doing a lookup so a query is just
> > a simple "SELECT 1 FROM virtual_domains WHERE name='%s'", %s being
> > the domain name of course. How would a "corresponding" LDAP query
> > look like?
> 
> Don't try and one-to-one map an RDBMS table to an LDAP container,
> start by mapping the query to an ldap search (basedn, filter, result
> attributes) first.

Yeah, I am having some difficulties with that :)

> You could use something like this:
> 
> dn: domain=domain1.example.com,dc=example,dc=com
> objectclass: domain
> domain: domain1.example.com
> 
> Then you would use an LDAP map with
> search_base = dc=example,dc=com
> query_filter = (&(objectclass=domain)(domain=%s))
> result_attribute = domain

Thank you, that makes a lot of sense. Based on that it should not be too 
difficult to map other necessary queries from SQL to LDAP.

> You may choose to have more separation, with a separate basedn for
> domains, but it isn't necessary.

I see now how it is supposed to work. Hopefully I'll have some time this 
week to build a test setup. Expect more concrete questions about 
OpenLDAP :)

Thanks again for your help and ideas!

Andreas
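Added example, not from the thread or from Postfix itself: a stand-alone Python model of the domain map Buchan describes, including the RFC 2254/4515 quoting that Postfix applies to `%s` so a looked-up address cannot alter the filter. The directory entries, `SEARCH_BASE` and all function names are constructed for this example.

```python
import re

# Constructed entries in the shape of the LDIF quoted above, plus one user
# entry that must never satisfy the domain filter.
SEARCH_BASE = "dc=example,dc=com"
DIRECTORY = [
    {"dn": "domain=domain1.example.com,dc=example,dc=com",
     "objectclass": ["domain"], "domain": ["domain1.example.com"]},
    {"dn": "domain=domain2.example.com,dc=example,dc=com",
     "objectclass": ["domain"], "domain": ["domain2.example.com"]},
    {"dn": "uid=joe@domain1.example.com,o=mysitename",
     "objectclass": ["inetOrgPerson"], "domain": ["domain1.example.com"]},
]
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")

def escape_filter_value(value: str) -> str:
    """RFC 4515 quoting of an assertion value (what Postfix does to %s)."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def domain_filter(domain: str) -> str:
    """query_filter = (&(objectclass=domain)(domain=%s)) for one domain."""
    return "(&(objectclass=domain)(domain=%s))" % escape_filter_value(domain)

def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate an AND of equality assertions against one entry.  A bare
    '*' is a presence match (as in LDAP); an escaped \\2a is a literal."""
    for attr, raw in _ASSERTION.findall(filter_str[2:-1]):
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if raw == "*":
            if not values:
                return False
            continue
        wanted = re.sub(r"\\([0-9a-f]{2})",
                        lambda m: chr(int(m.group(1), 16)), raw).lower()
        if wanted not in values:
            return False
    return True

def lookup_domain(domain: str, entries=DIRECTORY):
    """The map lookup: result_attribute values of the first hit under
    search_base, or None when the domain is not hosted here."""
    flt = domain_filter(domain)
    for e in entries:
        if e["dn"].lower().endswith(SEARCH_BASE) and matches(flt, e):
            return e["domain"]
    return None
```

`lookup_domain("*")` returns None because the wildcard is quoted to `\2a`, whereas the unquoted filter `(&(objectclass=domain)(domain=*))` would match every domain entry.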