Again, a bit more reading got me to adding this to my passdb config:
username_filter = *@domain-a.com
This way, I can control which domains get to authenticate via my ldap backend,
which gives me time to design a good way of saving other attributes there.
If anyone has other ways of doing this, i.e., having multiple domains on
ldap/freeipa and getting an elegant integration with Dovecot, I'd be glad to
hear.
Best,
Francis
> On 14 Oct 2022, at 21:58, dovecot-request at dovecot.org wrote:
>
> I actually saw that it was possible, and it works, but I came across
> another problem and I wonder if you have any tips about it:
>
> On my current dovecot setup, I use SQL as the backend. So I have the
> following users:
>
> francis at domain-a.com
> francis at domain-b.com
>
> Those are separate users with their own mailboxes.
>
> However, I have a freeipa that is configured for the `domain-a.com`
> realm. However, since I am using `%n` for the uid search:
>
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com
> And
> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>
> It of course leads up to both users above being able to authenticate with
> the same password.
>
> Is there a way to limit ldap authentication to just one domain, or perform
> a search where both username and domain are checked? I could use the
> `mail` attribute to filter users, but I imagine that if two users have the same
> mail configured, I'd run into trouble?
>
> Best,
>
> Francis
>
>> On 14 Oct 2022, at 20:08, dovecot-request at dovecot.org wrote:
>>
>> Hi,
>>
>> I couldn't find it in the documentation, so I was wondering - is it
>> possible to configure Dovecot to use LDAP for passdb and keep using SQL
>> for userdb?
>>
>> I would like to do that before I come up with a good strategy to expand
>> my ldap schema to support other mail attributes for virtual domains,
>> aliases, etc.
>>
>> I am currently using FreeIPA.
>>
>> Best,
>>
>> Francis
>
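
An added example, not part of the original messages: a small Python model of the `%n` collision described in the thread and of the `username_filter` restriction that closes it, usable as an audit over a mailbox list. The mailbox list and LDAP uid set are constructed, usernames are assumed to be lowercased already, and the filter matching is a simplified stand-in for Dovecot's own (one positive wildcard pattern only).

```python
import re
from fnmatch import fnmatchcase

# Settings quoted in the thread.
BIND_TEMPLATE = "uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com"
REALM_DOMAIN = "domain-a.com"


def expand(template, username):
    """Expand Dovecot's %u (full name), %n (local part) and %d (domain)."""
    local, _, domain = username.partition("@")
    values = {"u": username, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: values[m.group(1)], template)


def passdb_applies(username_filter, username):
    """Simplified model of username_filter for one positive pattern.

    None means the setting is absent, so the passdb sees every login.
    """
    return username_filter is None or fnmatchcase(username, username_filter)


def exposed_accounts(mail_users, ldap_uids, username_filter=None):
    """Return (login, bind DN) pairs where a mailbox outside the LDAP realm
    would be checked against a realm account's password."""
    findings = []
    for user in mail_users:
        local, _, domain = user.partition("@")
        if domain == REALM_DOMAIN or local not in ldap_uids:
            continue  # legitimate realm user, or no LDAP entry to collide with
        if passdb_applies(username_filter, user):
            findings.append((user, expand(BIND_TEMPLATE, user)))
    return findings


# Constructed sample data, mirroring the two mailboxes in the thread.
MAIL_USERS = ["francis@domain-a.com", "francis@domain-b.com", "ops@domain-b.com"]
LDAP_UIDS = {"francis"}

if __name__ == "__main__":
    for label, flt in (("no filter", None), ("filtered", "*@domain-a.com")):
        print(label, exposed_accounts(MAIL_USERS, LDAP_UIDS, flt))
```
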