From: Harry Hoffman (hhoffman@ip-solutions.net)
Date: Fri Aug 31 2007 - 10:50:37 CDT
I don't have a place to test this so I can't confirm if it works or not
but you may try.
If you had an entry like:
dn: cn=MailUsers,ou=Groups,dc=domain
objectClass: groupOfNames
cn: MailUsers
member: uid=user1,ou=People,dc=domain
member: uid=user2,ou=People,dc=domain
I do something similar for a webapp and it works...
Cheers,
Harry
Victor Duchovni wrote:
> On Fri, Aug 31, 2007 at 08:40:50AM -0300, Steve Scanavarro wrote:
>
>> Hello everyone!
>> I have a lot of users in my LDAP base, but I wish to only allow users that
>> are members of the group cn=MailUsers,ou=Groups,dc=domain to authenticate in
>> my postfix.
>> I'm using SASL + PAM, where I'm sending to LDAP the sAMAccountName as the
>> pam_login_attribute .
>
> There is not a good way in Postfix to limit authentication to members
> of an LDAP group, or limit which authenticated users can use the MTA to
> members of a group.
>
> Rather you need the list of members to be the lookup keys in an access(5)
> (possibly via LDAP) table, where the appropriate policy can be expressed.
>
> So you need to periodically extract the group members and put these
> in an indexed file or to LDAP as entries not group members.
>
> If your LDAP schema allows one to form a single query which answers the
> question:
>
> is the user whose email address "user@example.com" a member
> of the group "MailUsers"
>
> then you can use that to create the required LDAP table directly. Since
> LDAP is not as expressive as SQL, this may not be possible.
>
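
The periodic extraction Victor describes, as an added example that is not part of the original thread: it parses an LDIF export of the group entry from Harry's message and emits access(5)-style `key OK` lines. Assumptions: the lookup key is the first RDN value of each member DN, and the function names and sample LDIF are constructed for illustration.

```python
import base64
import re

# Constructed sample: the group entry from the message above, plus a folded
# line, a base64-encoded value and a name that is unsafe as a table key.
SAMPLE_LDIF = """\
dn: cn=MailUsers,ou=Groups,dc=domain
objectClass: groupOfNames
cn: MailUsers
member: uid=user1,ou=People,dc=domain
member: uid=user2,ou=Peo
 ple,dc=domain
member:: dWlkPXVzZXIzLG91PVBlb3BsZSxkYz1kb21haW4=
member: cn=Bad Name,ou=People,dc=domain
"""

# Table keys end at the first whitespace, so only accept a conservative set.
SAFE_KEY = re.compile(r"^[A-Za-z0-9._-]+$")

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def group_members(ldif, attr="member"):
    """Return the first RDN value of every member DN found in the LDIF text."""
    keys = []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        rdn = value.strip().split(",", 1)[0]  # e.g. "uid=user1"
        key = rdn.partition("=")[2]
        if SAFE_KEY.match(key):  # skip values that would corrupt the table
            keys.append(key)
    return sorted(set(keys))

def access_table(ldif):
    """Render one 'key<TAB>OK' line per group member."""
    return "".join(f"{k}\tOK\n" for k in group_members(ldif))
```

Run from cron, the input would come from `ldapsearch` LDIF output and the resulting file would be indexed with `postmap`.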