Hi,
Thank you for all the information, even if it is going a bit far from the initial question... To clarify the problem, I will try to show what we are doing, you will find here attached an image file that goes with following explanation:
There are "u" user accounts on the ldap server We have a number of "s" services that use LDAP to manage user account. Each service has particular attributes Each service must be able to access only it's information Basic services use only the information contained in the standard LDAP useraccount Advanced services have dedicated OUs with special attributes
It is important that each service can accees in RO (no modification) to only it's information. That's why we made our LDAP as it is in the attached picture.
To simplify usage of services for each user, we decided to duplicate the "password" field between the different OUs, that's why I came here to ask about aliases.
If ever you are sure that there is a cleaner way to do the things (that isn't too heavy to setup), we will be glad to have more technical and logical explanations.
Best regards, ZP
2015-04-14 14:20 GMT+04:00 Michael Ströder michael@stroeder.com:
Ulrich Windl wrote:
Michael Strödermichael@stroeder.com wrote:
Hmm, if you don't want all your PAM system users to be valid e-mail users then simply don't use PAM. Sometimes one should rethink the software stack if requirements get more clear. smtpd sounds like postfix which has very flexible LDAP support.
Depending on the PAM/NSS system you're using there could be group authz mechs there too. But you did not provide enough information to really think about this. Personally I prefer to directly use the LDAP features of the software used.
The advantage of the PAM configuration seems to be that you only have to describe your LDAP structure once, and not for every application.
But if requirements (e.g. set of user accounts) differ you have to define different LDAP client or other configuration anyway. There is no issue if they are the same.
I thought there might by a method to restict the accepted users from the
sasl configuration file, but it seems there is none.
Which would somewhat contradict your wish to use the very same configuration anyway.
Ciao, Michael.
