Re: LDAP Lookup Tables
From: Bill Anderson (bill at noreboots.com)
Date: Fri Dec 01 2006 - 09:36:49 CST
On Wednesday 29 November 2006 17:45, Richard Greaney wrote:
> Hi all
>
> I have a desired goal in mind but I'm not sure whether using an ldap
> lookup table will do what I want. I thought I'd bring it up here and see
> what others thought.
>
> I am running a Postfix server as part of a Windows network. Users are
> stored in Active Directory and replicated onto the Linux server using
> Winbind. However, I don't always want to give every AD user a mail
> account. On the Windows server, there is a group called "Email-Access".
> Each person who belongs to this group is able to send e-mail. How I have
> been governing this up until now is by a script that runs every so
> often, querying all members of this group and writing their addresses to
> a lookup table (hash:/etc/postfix/email-access). At the bottom of this
> list of users is an explicit REJECT for the entire domain.
>
> What I would like to do is to start having more groups on the AD server
> defining certain policies. For instance, one group enables e-mail access
> while another might enable remote email and another might enable the
> right to attach certain filetypes to messages. In theory, all of this
> could be done using my current method, but there are more areas to fail.
>
> Ultimately, I'd like to look up each group from the AD server in
> real-time.
How large is your AD infrastructure? Real-time querying may not be as
important as you think if you have replication delays. In the environment I
work in the AD replication takes a minimum of 15 minutes, usually about 30.
In this case, I use a separate (shell) script that periodically generates a
mapfile from the memberof queries I need to run against our AD, and if
differences from last run are detected pushes the updated file to each relay
and postmaps it. Works like a charm. It also allows much more flexibility as
you can do combination queries.
Cheers,
Bill
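Bill's generate-compare-postmap cycle as an added example script (not Bill's own code): it turns the LDIF that ldapsearch returns for a memberOf query into a Postfix access map ending in the domain-wide REJECT Richard described, and replaces and rebuilds the live map only when the content actually changed. The LDAP URI, bind DN, group DN and file paths are placeholder assumptions, and the embedded LDIF sample is constructed so the conversion can be exercised offline.

```shell
#!/bin/sh
# Periodic AD-group -> Postfix access map generator (added example; all site values below are placeholders).
LDAP_URI="${LDAP_URI:-ldap://dc.example.com}"
BIND_DN="${BIND_DN:-CN=postfix-ro,OU=Service,DC=example,DC=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/postfix/ad-bind.pw}"   # -y keeps the password off the process list
BASE_DN="${BASE_DN:-DC=example,DC=com}"
GROUP_DN="${GROUP_DN:-CN=Email-Access,OU=Groups,DC=example,DC=com}"
MAIL_DOMAIN="${MAIL_DOMAIN:-example.com}"
MAP_FILE="${MAP_FILE:-/etc/postfix/email-access}"
POSTMAP="${POSTMAP:-postmap}"
# Constructed sample of what "ldapsearch -LLL" returns, used for offline testing only.
SAMPLE_LDIF='dn: CN=Alice Example,OU=Staff,DC=example,DC=com
mail: alice@example.com

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
mail: Bob@Example.com

dn: CN=No Mailbox,OU=Staff,DC=example,DC=com'
# Return the mail attribute of every user object that is a direct member of group $1.
fetch_members() {
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
    "(&(objectClass=user)(memberOf=$1))" mail
}
# stdin: LDIF from fetch_members; stdout: "addr OK" lines, then "$1 REJECT" for the whole domain.
ldif_to_access_map() {
  awk '
    function emit() { if (buf ~ /^mail: /) print tolower(substr(buf, 7)) " OK"; buf = "" }
    /^ /  { buf = buf substr($0, 2); next }   # LDIF folds long attribute lines with a leading space
          { emit(); buf = $0 }
    END   { emit() }
  ' | sort -u
  printf '%s REJECT\n' "$1"
}
# Replace live map $2 with $1 and rebuild the .db only if the contents differ.
# Exit status 0 = updated, 1 = unchanged (so a caller can push to relays only on change).
install_if_changed() {
  if [ -f "$2" ] && cmp -s "$1" "$2"; then return 1; fi
  cp "$1" "$2" && "$POSTMAP" "$2"
}
main() {
  new=$(mktemp) || exit 1
  trap 'rm -f "$new"' EXIT
  fetch_members "$GROUP_DN" | ldif_to_access_map "$MAIL_DOMAIN" > "$new"
  if install_if_changed "$new" "$MAP_FILE"; then echo "$MAP_FILE updated"; fi
}
case "${1:-}" in run) main ;; esac
```

Run it from cron as `script run`; a wrapper can rsync the map to each relay whenever `install_if_changed` reports a change.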