From: Pavel Dimow on
Hello,


I know that this is maybe a question for more LDAP oriented users, but I hope
someone here can help me. I have a postfix with one "primary" domain and a
dozen virtual domains. The problem is that users from primary domain use only
their username (without domain part) for SASL authentication and all
other users
(from virtual domains) are using username(a)somedomain as username.
Now my DIT is organized something like

ou=people,o=somedomain.com,dc=acmecorp
ou=people,o=virtualdomain.com,dc=acmecorp


The question is how can I perform a search for a "primary" domain when I don't
have a domain part? Is there any way that I can "append" a default domain when
%d is empty or I can make some sophisticated filter_search?

Thanks in advance.

From: Victoriano Giralt on
On 24/7/10 9:27, Pavel Dimow wrote:

> someone here can help me. I have a postfix with one "primary" domain and a
> dozen virtual domains. The problem is that users from primary domain use only
> their username (without domain part) for SASL authentication and all
> other users
> (from virtual domains) are using username(a)somedomain as username.
> Now my DIT is organized something like
>
> ou=people,o=somedomain.com,dc=acmecorp
> ou=people,o=virtualdomain.com,dc=acmecorp
>
>
> The question is how can I perform a search for a "primary" domain when I don't
> have a domain part? Is there any way that I can "append" a default domain when
> %d is empty or I can make some sophisticated filter_search?

If you have an attribute in your schema like mailAlternateAddress (from
NS schema in the 389 server) for every entry in your DIT and uid at
least for your "primary" domain users, then you can base the search at
dc=acmecorp and use a subtree scope, the filter could look like this:

(|(uid=%u)(mailAlternateAddress=%u))

Assuming %u represents the whole user identification, as per the Dovecot SASL
implementation that I'm familiar with.

- --
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN

From: Patrick Ben Koetter on
* Pavel Dimow <paveldimow(a)gmail.com>:
> Hello,
>
>
> I know that this is maybe a question for more LDAP oriented users, but I hope
> someone here can help me. I have a postfix with one "primary" domain and a
> dozen virtual domains. The problem is that users from primary domain use only
> their username (without domain part) for SASL authentication and all
> other users
> (from virtual domains) are using username(a)somedomain as username.
> Now my DIT is organized something like
>
> ou=people,o=somedomain.com,dc=acmecorp
> ou=people,o=virtualdomain.com,dc=acmecorp
>
>
> The question is how can I perform a search for a "primary" domain when I don't
> have a domain part? Is there any way that I can "append" a default domain when
> %d is empty or I can make some sophisticated filter_search?

You can create a search filter that only searches for the localpart. But what
if you have identical localparts in your local and your virtual domains and
your search finds the localpart in
"ou=people,o=virtualdomain.com,dc=acmecorp" first (first match wins)? You
would have to create two separate searches and evaluate the local one first.

It is probably better and more failsafe to configure Postfix to append a domain
value if a client didn't send one, like this:

smtpd_sasl_local_domain = somedomain.com

This way any search will only take place in
"ou=people,o=somedomain.com,dc=acmecorp". This puts the burden to provide FQDN
usernames to virtual users, but they should already know and have
configured their systems appropriately.

p(a)rick

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
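An added illustration (not code from the thread or from Postfix/Dovecot) of the two approaches above, run against a tiny in-memory copy of the DIT: Victoriano's `(|(uid=%u)(mailAlternateAddress=%u))` search from `dc=acmecorp`, and Patrick's default-domain approach that lets the search be based at the domain's own `ou=people`. The domain and DN names are the thread's; the user entries (including an "alice" in both domains, to show the ambiguity Patrick describes) are constructed sample data, and `ldap_escape` is the RFC 4515 filter escaping any `%u` substitution must apply.

```python
import re

BASE = "dc=acmecorp"

# Constructed sample entries for this example: (dn, attributes). Both domains
# hold an "alice" with the bare localpart in uid, as in the DIT described above.
DIRECTORY = [
    ("uid=alice,ou=people,o=somedomain.com,dc=acmecorp",
     {"uid": "alice", "mailAlternateAddress": "alice@somedomain.com"}),
    ("uid=alice,ou=people,o=virtualdomain.com,dc=acmecorp",
     {"uid": "alice", "mailAlternateAddress": "alice@virtualdomain.com"}),
    ("uid=bob,ou=people,o=virtualdomain.com,dc=acmecorp",
     {"uid": "bob", "mailAlternateAddress": "bob@virtualdomain.com"}),
]


def ldap_escape(value):
    """RFC 4515 escaping of a value substituted into a filter (what %u must get)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_filter(login):
    """The filter string from the thread, with the login escaped before substitution."""
    u = ldap_escape(login)
    return "(|(uid=%s)(mailAlternateAddress=%s))" % (u, u)


def apply_default_domain(login, default_domain):
    """What smtpd_sasl_local_domain / auth_default_realm do: add a domain if missing."""
    return login if "@" in login else "%s@%s" % (login, default_domain)


def subtree(base):
    """Entries whose DN lies under `base` (subtree scope)."""
    return [(dn, a) for dn, a in DIRECTORY if dn == base or dn.endswith("," + base)]


def alt_address_lookup(login):
    """Victoriano's filter evaluated with subtree scope from dc=acmecorp."""
    return [dn for dn, a in subtree(BASE)
            if a["uid"] == login or a["mailAlternateAddress"] == login]


def scoped_lookup(login):
    """Patrick's approach: login is always user@domain, so the search can be
    based at that domain's ou (Dovecot-style base ou=people,o=%d,dc=acmecorp
    with filter (uid=%n)); a bare localpart never reaches the directory."""
    localpart, domain = login.split("@", 1)
    return [dn for dn, a in subtree("ou=people,o=%s,%s" % (domain, BASE))
            if a["uid"] == localpart]
```

A bare "alice" matches two entries with the unscoped filter, while "alice@somedomain.com" (the login after the default domain is appended) matches exactly one under either approach.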

From: Pavel Dimow on
Hi Victoriano,

are those searches in LDAP slower?
For example, is it much slower when you start search at
dc=acmecorp instead of ou=people,o=somedomain.com,dc=acmecorp ?



On Sat, Jul 24, 2010 at 11:15 AM, Victoriano Giralt <victoriano(a)uma.es> wrote:
> On 24/7/10 9:27, Pavel Dimow wrote:
>
>> someone here can help me. I have a postfix with one "primary" domain and a
>> dozen virtual domains. The problem is that users from primary domain use only
>> their username (without domain part) for SASL authentication and all
>> other users
>> (from virtual domains) are using username(a)somedomain as username.
>> Now my DIT is organized something like
>>
>> ou=people,o=somedomain.com,dc=acmecorp
>> ou=people,o=virtualdomain.com,dc=acmecorp
>>
>>
>> The question is how can I perform a search for a "primary" domain when I don't
>> have a domain part? Is there any way that I can "append" a default domain when
>> %d is empty or I can make some sophisticated filter_search?
>
> If you have an attribute in your schema like mailAlternateAddress (from
> NS schema in the 389 server) for every entry in your DIT and uid at
> least for your "primary" domain users, then you can base the search at
> dc=acmecorp and use a subtree scope, the filter could look like this:
>
> (|(uid=%u)(mailAlternateAddress=%u))
>
> Assuming %u represents the whole user identification, as per the Dovecot SASL
> implementation that I'm familiar with.
>
> - --
> Victoriano Giralt
> Systems Manager
> Central ICT Services
> University of Malaga
> SPAIN

From: Pavel Dimow on
Hi Patrick,

if Postfix appends the "primary" domain value then it's quite ok with me;
I guess it's not a performance penalty for Postfix?
I can then use auth_default_realm in Dovecot and the problem should be solved.

On Sat, Jul 24, 2010 at 2:38 PM, Patrick Ben Koetter <p(a)state-of-mind.de> wrote:
> * Pavel Dimow <paveldimow(a)gmail.com>:
>> Hello,
>>
>>
>> I know that this is maybe a question for more LDAP oriented users, but I hope
>> someone here can help me. I have a postfix with one "primary" domain and a
>> dozen virtual domains. The problem is that users from primary domain use only
>> their username (without domain part) for SASL authentication and all
>> other users
>> (from virtual domains) are using username(a)somedomain as username.
>> Now my DIT is organized something like
>>
>> ou=people,o=somedomain.com,dc=acmecorp
>> ou=people,o=virtualdomain.com,dc=acmecorp
>>
>>
>> The question is how can I perform a search for a "primary" domain when I don't
>> have a domain part? Is there any way that I can "append" a default domain when
>> %d is empty or I can make some sophisticated filter_search?
>
> You can create a search filter that only searches for the localpart. But what
> if you have identical localparts in your local and your virtual domains and
> your search finds the localpart in
> "ou=people,o=virtualdomain.com,dc=acmecorp" first (first match wins)? You
> would have to create two separate searches and evaluate the local one first.
>
> It is probably better and more failsafe to configure Postfix to append a domain
> value if a client didn't send one, like this:
>
> smtpd_sasl_local_domain = somedomain.com
>
> This way any search will only take place in
> "ou=people,o=somedomain.com,dc=acmecorp". This puts the burden to provide FQDN
> usernames to virtual users, but they should already know and have
> configured their systems appropriately.
>
> p(a)rick
>
> --
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>