Re: Postfix | Dovecot | LDAP (and perhaps qmail.schema) - running into a few issues

From: Tony Earnshaw (tonnihetnet.nl)
Date: Sat Jul 28 2007 - 06:02:09 CDT


Patrick - South Valley Internet wrote, on 26-07-2007 22:14:

> I've been having a wonderful time trying to get Postfix to talk with
> LDAP. I've been trying to follow several different HOWTO's and such,
> and although I'm slowly understanding everything as a whole, I feel much
> better doing this without using another HOWTO that isn't complete.
>
> I've read http://www.postfix.org/LDAP_README.html but I still have a few
> questions regarding what to put where.
>
> I'm using an existing working configuration of main.cf from our current
> mail server. This new mail server with LDAP implementation is going to
> replace our old server. The current server does not have any LDAP
> entries in main.cf.
>
> This server will not be hosting any virtual domains when I'm finished.
> It will have different variations of our domain name, such as .biz,
> .info, and .org. I don't know if those count as virtual domains to
> Postfix.
>
> If I want to have Postfix to authenticate users via LDAP, what entries
> would I edit? Here's what our current entries look like which I believe
> to be LDAP related:
>
> virtual_alias_maps = hash:/etc/postfix/virtual
> virtual_alias_domains = $virtual_alias_maps
> transport_maps = hash:/etc/postfix/transport
> alias_database = hash:/etc/postfix/aliases,
> hash:/etc/postfix/majordomo.aliases

What's in these maps? Quote one line of each, apart from transport.

> Secondly, I want to be able to configure a separate /home for each user
> that will be different from where their mail is. I also want to use
> Maildir format, because the /home and mail directory will be NFS
> mounted. After reading a bunch of stuff regarding Postfix and LDAP, I
> found something regarding the qmail.schema which will allow me to define
> a mail directory as well as a home directory. I don't know how I would
> be able to configure Postfix to accommodate that. Any ideas?

The high school site of which I'm mail/LDAP admin has mail users on a
dedicated mail server with all their mail folders under a common
hierarchy which has nothing to do with their home directories on other
(e.g. Samba, Linux Terminal Server Project etc.) servers. We use LDAP
across the board for authentication (and other reasons), so that each
user has a common login (POSIX UID) id and password for all services.

Postfix (2.4.3) hands mail to Courier maildrop for distribution to the
mail folders, and Postfix doesn't know anything about the above
hierarchy, it just authenticates the users. maildrop (actually Courier
authlib) *does* have to know about the virtual user used for mail and
where the mail folders are, but that has nothing to do with Postfix. As
an aside, maildrop can deal with virtual domains, procmail (at least,
older versions) can't. We also use Courier IMAP, not dovecot.

Here's a typical group ldap .cf file, that's defined in
local_recipient_maps:

timeout = 20
version = 3
domain = barlaeus.nl
server_host = ldapi://%2Fvar%2frun%2fslapd%2Fldapi/
   ldap://oikos.leerlingen/
search_base = ou=docenten,dc=school,dc=nl
scope = sub
query_filter = (&(objectClass=posixAccount)(|(mail=%s)(uid=%u)))
#result_attribute = mail
result_attribute = uid

We also use LDAP for most aliases (not Unix system users), but not for
transport (no point, we have 1,500+ users, but only a couple of transports).

> I think I'll hold off on any Dovecot questions, mainly because I want to
> get Postfix up and running and accepting new mail before I test out
> receiving.

Here's authlib's configuration file, so you know what we do. Note that
there's no reference to users' home directories, which the ns libraries
(e.g. getent passwd, getent group) use to find out each user's real home
directory:

1034 [root:mercurius.intern] /etc/authlib # grep '^[^#]' authldaprc
LDAP_URI ldapi://%2fvar%2frun%2fslapd%2fldapi/,
    ldap://oikos.leerlingen/
LDAP_PROTOCOL_VERSION 3
LDAP_BASEDN dc=shool,dc=nl
LDAP_BINDDN cn=proxy,dc=school,dc=nl
LDAP_BINDPW password
LDAP_TIMEOUT 5
LDAP_MAIL uid
LDAP_FILTER (accountStatus=active)
LDAP_GLOB_UID vmail
LDAP_GLOB_GID vmail
LDAP_HOMEDIR mailMessageStore
LDAP_MAILDIR mailMessageStore
LDAP_DEFAULTDELIVERY defaultDelivery
LDAP_MAILDIRQUOTA quota
LDAP_FULLNAME gecos
LDAP_CLEARPW userPassword
LDAP_CRYPTPW userPassword
LDAP_DEREF never
LDAP_TLS 0

Note the fallback ldap server in each example; if the LDAP server on the
mail server breaks down, all hell breaks loose without a fallback server.

mailMessageStore is, indeed, from qmail.schema.

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
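Added example (not from the original post, and not Postfix's own code): a small Python model of how Postfix uses the local_recipient_maps LDAP table quoted above, covering %s/%u expansion of the lookup key, the `domain =` restriction that stops lookups for other domains, and the RFC 2254 quoting Postfix applies so filter metacharacters in an address are matched literally. The directory entries are constructed, and the filter evaluator handles only the &, | and equality forms used in that table.

```python
import re

# Constructed sample entries standing in for the LDAP server (not the poster's data).
DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": ["jdoe"], "mail": ["jdoe@barlaeus.nl"]},
    {"objectClass": ["inetOrgPerson"], "uid": ["postmaster"], "mail": ["postmaster@barlaeus.nl"]},
]
# Settings copied from the table shown in the reply.
QUERY_FILTER = "(&(objectClass=posixAccount)(|(mail=%s)(uid=%u)))"
DOMAINS = {"barlaeus.nl"}      # the "domain =" line
RESULT_ATTRIBUTE = "uid"

_ESC = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}

def rfc2254_quote(value):
    """Escape filter metacharacters so the lookup key is compared literally (as Postfix does)."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def expand_filter(template, key):
    """Expand %s/%u/%d/%% for one key; None means Postfix would not query the server at all."""
    local, at, domain = key.partition("@")
    if DOMAINS and (not at or domain.lower() not in DOMAINS):
        return None                      # "domain =" restricts lookups to listed domains
    if (at and not local) or ("%d" in template and not at):
        return None                      # empty localpart, or %d without a user@domain key
    subst = {"s": key, "u": local if at else key, "d": domain, "%": "%"}
    return re.sub(r"%([sud%])", lambda m: rfc2254_quote(subst[m.group(1)]), template)

def _split_top(s):
    """Split a run of parenthesised sub-filters at nesting depth 0."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            parts.append(s[start:i + 1]); start = i + 1
    return parts

def matches(entry, flt):
    """Evaluate the subset used here: (&...), (|...) and exact (attr=value) equality."""
    body = flt[1:-1]
    if body[0] in "&|":
        results = [matches(entry, sub) for sub in _split_top(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return literal in entry.get(attr, [])

def lookup(key):
    """Return result_attribute values for key, like 'postmap -q key ldap:table.cf' would."""
    flt = expand_filter(QUERY_FILTER, key)
    if flt is None:
        return []
    return [v for e in DIRECTORY if matches(e, flt) for v in e.get(RESULT_ATTRIBUTE, [])]
```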