So far I had a setup where Dovecot was using a passwd file as
userdb and passdb. Postfix was then authenticating with Dovecot via SASL to validate user accounts.
Now I added an LDAP backend and would like to use that for
Dovecot and Postfix. My first approach was to change the passdb to use the LDAP driver with the following settings:

    hosts = openldap:1389
    base = ou=users,dc=example,dc=com
    auth_bind = yes
    auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
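As an added example (not posted by anyone in this thread), here is how the passdb settings above fit into a minimal Dovecot 2.x setup that keeps the accounts purely virtual: LDAP checks the password, a static userdb supplies one unprivileged uid/gid for mailbox files, and Postfix keeps using Dovecot's SASL socket. The vmail account, the /var/mail/vhosts path, the pass_filter and the file paths are assumptions; the OP's four LDAP settings are kept as given.

```conf
# /etc/dovecot/conf.d/10-auth.conf (excerpt) -- assumed path
# Passwords are verified against LDAP; the login name is never an OS account.
auth_mechanisms = plain login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
# Static userdb: every virtual user maps to the same unprivileged uid/gid,
# so Dovecot gets the uid it needs for files without PAM/nss-ldap on the host.
# "vmail" and the home template are assumptions for this example.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

# /etc/dovecot/dovecot-ldap.conf.ext -- the OP's settings plus transport protection
hosts = openldap:1389
base = ou=users,dc=example,dc=com
ldap_version = 3
# auth_bind forwards the user's cleartext password to the directory as a simple
# bind; port 1389 is plain LDAP, so require STARTTLS on that hop (or use
# uris = ldaps://... instead of hosts).
tls = yes
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
# Note: with auth_bind_userdn set, Dovecot binds directly and skips the search.
# To limit logins to a subset of entries, drop auth_bind_userdn, set a search
# account (dn / dnpass) and let pass_filter select who may authenticate:
# pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))

# /etc/dovecot/conf.d/10-master.conf (excerpt): the SASL socket Postfix talks to
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/postfix/main.cf (excerpt): unchanged from the passwd-file setup,
# because Postfix only ever sees Dovecot, not the LDAP backend.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
```

Run `doveconf -n` after the change to confirm the passdb/userdb pair is picked up, and `doveadm auth test user@example.com` to exercise the LDAP bind before pointing Postfix at it.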
So why not handle this on the OS? Have the OS publish the LDAP users, and have Dovecot handle OS users. It needs to create UIDs anyway for the files etc.
> If I understood the question correctly, you ask why not add the LDAP users to the system (like using the PAM LDAP plugin).
> This will certainly work, but I consider it more secure to have pure e-mail

I am always surprised to read such a statement. The fact is that user authentication/authorisation is a core task of Linux. Dovecot's core tasks are related to handling mail. How on earth would you come to conclude that Dovecot should be able to handle such tasks better than Linux? Afaik even Dovecot is utilizing different UIDs in a virtual environment to store files.

> users, not system users - which can have a shell, local folder and so on (sure, it can be restricted, but why bother if nobody will ssh to that server).

? Imho these are just arguments for people not being able to set up an environment correctly.

> But the main reason is scalability: if your setup becomes bigger you can consider having different servers (or containers), adding multiple LDAP servers for redundancy and so on...

I was also researching a 'micro service' approach to hosting Dovecot, but for now I will just stick to what I know works. If I get the >30k users, I am happy to pursue this again, and if you have these numbers, you will not be researching LDAP but IOPS. I don't really understand the relationship with wanting to have multiple LDAP servers, which is possible in any scenario.