On Friday 08 October 2010 13:39:25 Buchan Milne wrote:
- Groups and aliases must be possible
What specifically do you mean by groups?
By group support I just mean the usual way to group users together, as in ou=groups,dc=example,dc=com. Users on different hosted domains won't/can't be in the same group, if that matters any.
But, what would you use the groups for? Authorization to specific services only available to specific groups?
Exactly. That shouldn't be a problem, should it?
However, when using uid=joe@example.com,o=mysitename, how would Postfix (or anything else) look up which virtual domains it is supposed to serve, i.e. virtual_mailbox_domains?
That's the one thing about which I am not yet quite clear. In our relational database there's a simple table "virtual_domains" with a name and an ID for the hosted domains. Postfix only wants the key (the domain name) to exist when doing a lookup so a query is just a simple "SELECT 1 FROM virtual_domains WHERE name='%s'", %s being the domain name of course. What would a "corresponding" LDAP query look like?
Don't try and one-to-one map an RDBMS table to an LDAP container, start by mapping the query to an ldap search (basedn, filter, result attributes) first.
Yeah, I am having some difficulties with that :)
You could use something like this:
dn: domain=domain1.example.com,dc=example,dc=com
objectclass: domain
domain: domain1.example.com
Then you would use an LDAP map with
search_base = dc=example,dc=com
query_filter = (&(objectclass=domain)(domain=%s))
result_attribute = domain
Thank you, that makes a lot of sense. Based on that it should not be too difficult to map other necessary queries from SQL to LDAP.
You may choose to have more separation, with a separate basedn for domains, but it isn't necessary.
I see now how it is supposed to work. Hopefully I'll have some time this week to build a test setup. Expect more concrete questions about OpenLDAP :)
Thanks again for your help and ideas!
Andreas
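
An offline sketch of the lookup discussed in this thread, added here as an example; it is not part of the original messages and is not Postfix code. It expands %s in the query_filter with filter-value escaping (RFC 4515, formerly RFC 2254), applies the filter under search_base and returns the result_attribute values. The in-memory entries and all function names are constructed for illustration.

```python
import re

# Constructed sample directory (assumption): one entry per hosted domain, in
# the shape suggested in the thread, plus entries that must not match.
ENTRIES = [
    {"dn": "domain=domain1.example.com,dc=example,dc=com",
     "objectclass": ["domain"], "domain": ["domain1.example.com"]},
    {"dn": "uid=joe@domain1.example.com,dc=example,dc=com",
     "objectclass": ["inetOrgPerson"], "uid": ["joe@domain1.example.com"]},
    {"dn": "domain=stray.example.org,o=elsewhere",   # outside search_base
     "objectclass": ["domain"], "domain": ["stray.example.org"]},
]
SEARCH_BASE = "dc=example,dc=com"
QUERY_FILTER = "(&(objectclass=domain)(domain=%s))"
RESULT_ATTRIBUTE = "domain"

def escape_filter_value(value):
    """Escape the RFC 4515 filter metacharacters \\ * ( ) and NUL as \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_and_filter(flt):
    """Parse only the (&(attr=value)...) shape used here into (attr, value) pairs."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if m is None:
        raise ValueError("unsupported or malformed filter: " + flt)
    return [(a.lower(), v) for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]

def value_matches(entry, attr, pattern):
    """Case-insensitive match; an unescaped * is a wildcard, \\XX is a literal."""
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    regex = ".*".join(re.escape(unescape(part)) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.I) for v in entry.get(attr, []))

def lookup(key):
    """Return result_attribute values for entries under search_base matching the key."""
    terms = parse_and_filter(QUERY_FILTER.replace("%s", escape_filter_value(key)))
    return [v for e in ENTRIES
            if e["dn"].lower().endswith("," + SEARCH_BASE)
            and all(value_matches(e, a, p) for a, p in terms)
            for v in e.get(RESULT_ATTRIBUTE, [])]
```

As with the SQL query, a non-empty result means the domain is hosted; a key containing filter metacharacters is matched literally and finds nothing.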