On 05/10/10 04:17 +0200, Andreas Ntaflos wrote:
> Dan, thank you for the reply and ideas! Essentially making all virtual users look like system users to Postfix and Dovecot (and other services) certainly sounds interesting but I am not sure if this won't make things more complex than they need to be. And wouldn't this approach require any services and applications to know how to handle PAM/NSS? I will keep it in mind, however, could come in handy in the future.
Most modern unixes make use of nss in a way that's transparent to applications - that is, any application which retrieves users and groups via the getpwent and getgrent system calls will make use of an nss plugin transparently.
An application does explicitly compile against PAM to make use of it, but shouldn't need to know any details about which PAM modules are used, and implementing a PAM LDAP module would not require a recompile of your applications.
> Our current setup using Postgres and virtual users, while complex enough, is quite adequate for our ISP needs. We just need to evaluate if and how it is feasible to model this setup using LDAP as a backend.
Postfix, as you probably already know, has LDAP support for looking up most tables, which is how I implement virtual domain lookups.
> So I guess my question is really more about how to properly design a DIT that holds multiple independent domains and for each domain possibly hundreds of users and groups.
I went with a flat design, which has worked well. That is:
uid=jsmith@example.net,ou=people,dc=example,dc=com
uid=jsmith@custdom.com,ou=people,dc=example,dc=com
and
cn=jsmith@example.net,ou=groups,dc=example,dc=com
cn=jsmith@custdom.com,ou=groups,dc=example,dc=com
> The problem is roughly equivalent to designing a proper relational database schema to manage and query user information only that a relational database schema is generally not designed with a single root or base node like the typical LDAP tree. This makes finding the information I require difficult.
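The flat DIT Dan describes above, worked through as an added example (this is not code from the thread or from either poster): it generates LDIF for the `uid=<user>@<domain>,ou=people,...` and `cn=<user>@<domain>,ou=groups,...` entries and builds the search filters a Postfix-style virtual-mailbox or per-domain lookup would send. The base DN, object classes, `mail` attribute and mailbox path layout are assumptions; the escaping routines follow RFC 4514 (DNs) and RFC 4515 (filters), which matters because the lookup key is a mail address that arrives from outside.

```python
"""Added example, not from the mailing-list thread: model the flat DIT
(uid=<user>@<domain>,ou=people,... / cn=<user>@<domain>,ou=groups,...),
emit LDIF for constructed users, and build escaped search filters.
Base DN, object classes and the mailbox path layout are assumptions."""
from dataclasses import dataclass

BASE_DN = "dc=example,dc=com"   # assumed; matches the DNs quoted in the thread
PEOPLE_OU = f"ou=people,{BASE_DN}"
GROUPS_OU = f"ou=groups,{BASE_DN}"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Without this, a lookup key taken from a mail address could carry filter
    syntax such as ')(uid=*' into the query and widen the match."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        lead = i == 0 and ch in " #"
        trail = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in '",+;<>\\' or lead or trail else ch)
    return "".join(out)


@dataclass
class VirtualUser:
    local: str
    domain: str
    uid_number: int
    gid_number: int

    @property
    def address(self) -> str:
        return f"{self.local}@{self.domain}"

    @property
    def user_dn(self) -> str:
        return f"uid={escape_dn_value(self.address)},{PEOPLE_OU}"

    @property
    def group_dn(self) -> str:
        return f"cn={escape_dn_value(self.address)},{GROUPS_OU}"


def user_ldif(u: VirtualUser) -> str:
    """LDIF for the posixAccount entry under ou=people (attributes assumed)."""
    return "\n".join([
        f"dn: {u.user_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"uid: {u.address}",
        f"cn: {u.local}",
        f"sn: {u.local}",
        f"mail: {u.address}",
        f"uidNumber: {u.uid_number}",
        f"gidNumber: {u.gid_number}",
        f"homeDirectory: /var/mail/vhosts/{u.domain}/{u.local}",  # assumed layout
        "",
    ])


def group_ldif(u: VirtualUser) -> str:
    """LDIF for the matching per-user posixGroup under ou=groups."""
    return "\n".join([
        f"dn: {u.group_dn}",
        "objectClass: posixGroup",
        f"cn: {u.address}",
        f"gidNumber: {u.gid_number}",
        f"memberUid: {u.address}",
        "",
    ])


def mailbox_filter(address: str) -> str:
    """Filter for one virtual mailbox; the address is escaped, never pasted raw."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(address)}))"


def domain_filter(domain: str) -> str:
    """Filter for every mailbox of one customer domain in the flat tree.

    The wildcard is ours; only the domain comes from outside and is escaped."""
    return f"(&(objectClass=posixAccount)(uid=*@{escape_filter_value(domain)}))"


if __name__ == "__main__":
    # constructed sample data, mirroring the two DNs quoted in the thread
    users = [
        VirtualUser("jsmith", "example.net", 10001, 5000),
        VirtualUser("jsmith", "custdom.com", 10002, 5000),
    ]
    for u in users:
        print(user_ldif(u))
        print(group_ldif(u))
    print(mailbox_filter("jsmith@custdom.com"))
    print(domain_filter("custdom.com"))
```

The per-domain filter shows why the flat layout still answers the "all users of customer X" question the thread is worried about: the domain is part of the `uid` value, so a single indexed substring search on `ou=people` covers it without a per-domain subtree, and the only untrusted input in either filter is escaped before it is interpolated.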