I actually saw that it was possible, and it works, but I came across another problem and I wonder if you have any tips about it:

On my current dovecot setup, I use SQL as the backend. So I have the following users:

francis@domain-a.com
francis@domain-b.com

Those are separate users which their own mailboxes.

However, I have a freeipa that is configured for the `domain-a.com` realm. However, since I am using `%n` for the uid search:

auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com
And 
pass_filter = (&(objectClass=posixAccount)(uid=%n))

It of course leads up to both users above being able to authenticate with the same password.

Is there a way to limit ldap authentication to just one domain, or perform a search where both username and domain are checked? I could use the `mail``attribute to filter users, but I imagine that if two users have the same mail configured, I’d run into trouble….
 
Best,

Francis

On 14 Oct 2022, at 20:08, dovecot-request@dovecot.org wrote:

Hi,

I couldn't find it in the documentation, so I was wondering - is it 
possible to configure Dovecot to use LDAP for passdb and keep using SQL 
for userdb?

I would like to do that before I come up with a good strategy to expand 
my ldap schema to support other mail attributes for virtual domains, 
aliases, etc.

I am currently using FreeIPA.

Best,

Francis