Hi,

Thank you for all the information, even if it is going a bit far from the initial question...
To clarify the problem, I will try to show what we are doing, you will find here attached an image file that goes with following explanation:

There are "u" user accounts on the ldap server
We have a number of "s" services that use LDAP to manage user account.
Each service has particular attributes
Each service must be able to access only it's information
Basic services use only the information contained in the standard LDAP useraccount
Advanced services have dedicated OUs with special attributes

It is important that each service can accees in RO (no modification) to only it's information.
That's why we made our LDAP as it is in the attached picture.

To simplify usage of services for each user, we decided to duplicate the "password" field between the different OUs, that's why I came here to ask about aliases.

If ever you are sure that there is a cleaner way to do the things (that isn't too heavy to setup), we will be glad to have more technical and logical explanations.


Best regards,
ZP


2015-04-14 14:20 GMT+04:00 Michael Ströder <michael@stroeder.com>:
Ulrich Windl wrote:
Michael Ströder<michael@stroeder.com> wrote:
Hmm, if you don't want all your PAM system users to be valid e-mail
users then simply don't use PAM. Sometimes one should rethink the
software stack if requirements get more clear. smtpd sounds like postfix
which has very flexible LDAP support.

Depending on the PAM/NSS system you're using there could be group authz
mechs there too. But you did not provide enough information to really
think about this. Personally I prefer to directly use the LDAP features
of the software used.

 The advantage of the PAM configuration seems to be that you only have to
describe your LDAP structure once, and not for every application.

But if requirements (e.g. set of user accounts) differ you have to define different LDAP client or other configuration anyway. There is no issue if they are the same.

I thought there might by a method to restict the accepted users from the
sasl configuration file, but it seems there is none.

Which would somewhat contradict your wish to use the very same configuration anyway.

Ciao, Michael.