Mihai Badici
2013-Dec-29 22:03 UTC
[Dovecot] how to separate virtual delivery and authentication?
I have a "pure ldap" setting with postfix and dovecot.
When using dovecot delivery, the recipient is checked via ldap.
The same ldap query is used when authenticating.
So, if I want to authenticate with the uid, I can't use a filter like uid=%u because the delivery will fail. I don't want to use %n or something else because I could use multiple e-mail addresses on a single account.

I actually use a filter like ( mail=%u)|(uid=%u) but I think for more complex situations it should be better to have two separate filters, one for authentication and the other for the delivery. What is your opinion?

--
Mihai Bădici
http://mihai.badici.ro

Steffen Kaiser
2014-Jan-07 08:00 UTC
[Dovecot] how to separate virtual delivery and authentication?
On Mon, 30 Dec 2013, Mihai Badici wrote:

> I have a "pure ldap" setting with postfix and dovecot.
> When using dovecot delivery, the recipient is checked via ldap.
> The same ldap query is used when authenticating.
> So, if I want to authenticate with the uid, I can't use a filter like uid=%u
> because the delivery will fail. I don't want to use %n or something else
> because I could use multiple e-mail addresses on a single account.
>
> I actually use a filter like ( mail=%u)|(uid=%u) but I think for more complex
> situations it should be better to have two separate filters, one for
> authentication and the other for the delivery. What is your opinion?

There are two filters already:

1) the passdb filter which is used to find users during authentication
2) the userdb filter which is used to get the information about users, e.g. after auth and for delivery

The responses of both queries are cached, too.

Where / how would you like to have another filter? What is to get better?

If you want to make the LDAP search more efficient, you could add another LDAP attribute, index it, & add all writings of the users there, e.g.:

    dn: uid=user, ....
    uid: user
    mail: forename.surname@example.com
    maildrop: user
    maildrop: user@host.sub.example.org
    maildrop: forename.surname@example.com
    maildrop: forename.surname@example2.com
    maildrop: forename.oldsurname@example.com
    maildrop: alias@part.aliasdomain.net

However, the values of maildrop must be unique among all users. The passdb filter uses uid only, userdb uses maildrop only.

--
Steffen Kaiser
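
The split described in the reply above (passdb matching on uid only, userdb matching on maildrop only) depends on every maildrop value belonging to exactly one entry. The following is an added example, not code from either poster or from Dovecot: it models the two equality filters over a constructed LDIF sample and reports maildrop values that would make the userdb lookup ambiguous. The function names, the `ou=people,dc=example,dc=com` suffix and the second entry are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample directory (not real data); the second entry deliberately
# reuses a maildrop value to show the failure case.
SAMPLE_LDIF = """\
dn: uid=user,ou=people,dc=example,dc=com
uid: user
mail: forename.surname@example.com
maildrop: user
maildrop: forename.surname@example.com
maildrop: forename.surname@example2.com

dn: uid=other,ou=people,dc=example,dc=com
uid: other
mail: other@example.com
maildrop: other
maildrop: forename.surname@example.com
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (no base64 values, no line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr.lower()].append(value.strip().lower())
        entries.append(entry)
    return entries

def search(entries, attr, value):
    """Model an equality filter (attr=value); return DNs of matching entries."""
    return [e["dn"][0] for e in entries if value.lower() in e[attr]]

def duplicate_maildrops(entries):
    """Map each maildrop value held by more than one entry to the owning DNs."""
    owners = defaultdict(set)
    for e in entries:
        for value in e["maildrop"]:
            owners[value].add(e["dn"][0])
    return {v: sorted(dns) for v, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("passdb (uid=user):", search(directory, "uid", "user"))
    print("userdb (maildrop=forename.surname@example2.com):",
          search(directory, "maildrop", "forename.surname@example2.com"))
    for value, dns in duplicate_maildrops(directory).items():
        print("AMBIGUOUS maildrop", value, "->", dns)
```

Running the same check against an export of the real directory before switching the userdb filter to maildrop shows whether any address would resolve to more than one mailbox.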