Re: Authenticating users from specific group in LDAP

From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Fri Aug 31 2007 - 10:27:11 CDT


On Fri, Aug 31, 2007 at 08:40:50AM -0300, Steve Scanavarro wrote:

> Hello everyone!
> I have a lot of users in my LDAP base, but I wish to only allow users that
> are members of the group cn=MailUsers,ou=Groups,dc=domain to authenticate in
> my postfix.
> I'm using SASL + PAM, where I'm sending to LDAP the sAMAccountName as the
> pam_login_attribute .

There is not a good way in Postfix to limit authentication to members
of an LDAP group, or limit which authenticated users can use the MTA to
members of a group.

Rather you need the list of members to be the lookup keys in an access(5)
(possibly via LDAP) table, where the appropriate policy can be expressed.

So you need to periodically extract the group members and put these
in an indexed file or to LDAP as entries not group members.

If your LDAP schema allows one to form a single query which answers the
question:

        is the user whose email address is "user@example.com" a member
        of the group "MailUsers"

then you can use that to create the required LDAP table directly. Since
LDAP is not as expressive as SQL, this may not be possible.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
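The reply above describes two routes: query group membership directly from a Postfix LDAP table, or periodically extract the group's members into an indexed access(5) file. The following is an added example of the second route, not code from the original thread or from the Postfix project. It turns the LDIF that ldapsearch prints into an access(5) table, handling the LDIF details a naive line splitter gets wrong (continuation lines, base64-encoded values, multi-valued and missing mail attributes). The ldapsearch command in the docstring, the attribute names (mail, memberOf) and the directory layout are assumptions modelled on an Active Directory user base like the one in the question; the LDIF sample embedded in the script is constructed, not real directory output.

```python
"""
Generate a Postfix access(5) table from an LDIF export of a group's members.

Assumed pipeline (command, bind credentials and attribute names are assumptions):

    ldapsearch -LLL -x -H ldap://dc.domain -D "$BIND_DN" -w "$BIND_PW" \
        -b "ou=Users,dc=domain" \
        "(&(objectClass=user)(memberOf=cn=MailUsers,ou=Groups,dc=domain))" mail \
        | python3 mailusers_access.py > /etc/postfix/mailusers_access
    postmap hash:/etc/postfix/mailusers_access
"""
import base64
import sys

# Constructed sample of what the ldapsearch above would print (not real data).
SAMPLE_LDIF = """\
# search result for (memberOf=cn=MailUsers,ou=Groups,dc=domain)
dn: CN=Steve Scanavarro,OU=Users,DC=domain
mail: Steve@example.com
mail: steve.scanavarro@example.com

dn: CN=Long Name User,OU=Users,DC=domain
mail:: bG9uZ25hbWVAZXhhbXBsZS5jb20=

dn: CN=Service Account,OU=Users,DC=domain
description: member of MailUsers but has no mailbox

dn: CN=Folded Entry,OU=Users,DC=domain
mail: folded.address@example.c
 om

dn: CN=Broken Entry,OU=Users,DC=domain
mail: no-at-sign
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) tuples.

    Handles continuation lines (a leading single space continues the previous
    line), base64 values written as "attr:: <base64>", and multi-valued
    attributes. Blank lines separate entries; comments and the version line
    are ignored. Attribute names are lower-cased for lookup.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical_lines:
            logical_lines[-1] += raw[1:]      # unfold continuation line
        else:
            logical_lines.append(raw)

    entries = []
    dn, attrs = None, {}
    for line in logical_lines + ['']:       # trailing '' flushes the last entry
        if line == '':
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith('#') or line.startswith('version:'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            continue
        if value.startswith(':'):           # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        if name.lower() == 'dn':
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def access_table(ldif_text, action='OK'):
    """Return access(5) table lines, one "<address> <action>" per mail value.

    Keys are lower-cased (postmap folds keys to lower case by default) and
    de-duplicated. Entries without a usable mail value are reported on
    stderr and skipped rather than silently producing a bad key.
    """
    seen = set()
    lines = []
    for dn, attrs in parse_ldif(ldif_text):
        mails = attrs.get('mail', [])
        if not mails:
            print(f'no mail attribute for {dn}, skipping', file=sys.stderr)
            continue
        for addr in mails:
            key = addr.strip().lower()
            if '@' not in key or any(c.isspace() for c in key):
                print(f'ignoring malformed address {addr!r} for {dn}', file=sys.stderr)
                continue
            if key not in seen:
                seen.add(key)
                lines.append(f'{key} {action}')
    return lines


if __name__ == '__main__':
    for line in access_table(sys.stdin.read()):
        print(line)
```

Run the pipeline from cron so the table tracks group changes, and reference it from a check_sender_access restriction. Two caveats apply to either route: an access table keyed on the envelope sender only restricts the address the client claims, so pair it with smtpd_sender_login_maps and reject_sender_login_mismatch so that the SASL login has to own that address; and on Active Directory the memberOf attribute used in the filter above does not expand nested groups, so members of sub-groups are missed unless the filter uses the LDAP_MATCHING_RULE_IN_CHAIN extension (memberOf:1.2.840.113556.1.4.1941:=...). The same memberOf filter can also be given directly to a Postfix ldap: table's query_filter (see ldap_table(5)), which is the first route in the reply above.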