[Dovecot] Dovecot LDAP schema?
Hi,
does dovecot define its own LDAP schema or should I create my own one?
(I want to provide IMAP boxes for virtual users that do not have a Unix account on the mail server and thus do not want to use the plain uid/gid entries of the posix account objectclass to avoid confusion and accidentally giving access to accounts.)
regards Hadmut
Hi Hadmut,
You can use standard LDAP attributes. It's more than enough.
My configs:
dovecot.conf:

first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 12
last_valid_gid = 12
auth_username_format = %Lu
auth default {
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb static {
    args = uid=mail gid=mail
  }
}

dovecot-ldap.conf:

hosts = localhost
dn = cn=Dovecot,ou=DSA,o=top
dnpass = xxx
ldap_version = 3
base = ou=Users,dc=%d,o=top
scope = onelevel
pass_attrs = userPassword=password
pass_filter = uid=%n
Saturday, July 28, 2007, 12:53:09 PM, you wrote:
> Hi,
> does dovecot define its own LDAP schema or should I create my own one?
> (I want to provide IMAP boxes for virtual users that do not have a Unix account on the mail server and thus do not want to use the plain uid/gid entries of the posix account objectclass to avoid confusion and accidentally giving access to accounts.)
> regards Hadmut
-- Sergey
Hi Sergey,
Sergey A. Kobzar wrote:
> You can use standard LDAP attributes. It's more than enough.
Well, I know that it works with standard LDAP attributes, that's what I do right now. But that is what I want to avoid, because I want to have IMAP users *without* standard uid/gid attributes because they are not Unix users. To avoid confusion and security holes I'd prefer to use separate attributes for the LDAP objects. And in some cases I need to override the default PATH variable, which requires a new attribute. And I cannot work with static uid/gid schemes as in your example, because every IMAP user is managed by one of several Unix users, therefore they cannot share the same uid/gid.
I can define my own LDAP scheme, which is what I did in a test environment.
But I'd prefer if there was a common dovecot scheme for such cases.
regards Hadmut
Hi Hadmut,
Monday, July 30, 2007, 11:27:37 AM, you wrote:
> Hi Sergey,
> Sergey A. Kobzar wrote:
>> You can use standard LDAP attributes. It's more than enough.
> Well, I know that it works with standard LDAP attributes, that's what I do right now. But that is what I want to avoid, because I want to have IMAP users *without* standard uid/gid attributes because they are not Unix users. To avoid confusion and security holes I'd prefer to use separate attributes for the LDAP objects. And in some cases I need to override the default PATH variable, which requires a new attribute. And I cannot work with static uid/gid schemes as in your example, because every IMAP user is managed by one of several Unix users, therefore they cannot share the same uid/gid.
> I can define my own LDAP scheme, which is what I did in a test environment.
> But I'd prefer if there was a common dovecot scheme for such cases.
There is no such scheme because your case is not common.
> regards Hadmut
-- Sergey
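Sergey's static userdb gives every mailbox the same uid/gid, while Hadmut wants per-user ownership without reusing posixAccount. The following is an added example, not from the thread and not part of Dovecot: an OpenLDAP cn=config schema entry defining a hypothetical dovecotVirtualUser class, one constructed user entry, and (in comments) the dovecot-ldap.conf user_attrs mapping that would replace the static userdb. The OID arc, attribute names, DNs and paths are placeholders chosen for the example.

```ldif
# Added example: a private schema for Dovecot virtual users. It deliberately
# does not use posixAccount, so an IMAP entry can never be mistaken for a
# Unix login. Replace 1.3.6.1.4.1.PLACEHOLDER with your own enterprise OID arc.
# (The schema entry is loaded into cn=config; the user entry into the data tree.)
dn: cn=dovecotvirtual,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dovecotvirtual
olcAttributeTypes: ( 1.3.6.1.4.1.PLACEHOLDER.1.1 NAME 'dovecotUidNumber'
  DESC 'Unix uid Dovecot switches to for this mailbox'
  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.PLACEHOLDER.1.2 NAME 'dovecotGidNumber'
  DESC 'Unix gid Dovecot switches to for this mailbox'
  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.PLACEHOLDER.1.3 NAME 'dovecotHome'
  DESC 'Mailbox home directory; overrides the default path per user'
  EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.PLACEHOLDER.2.1 NAME 'dovecotVirtualUser'
  DESC 'IMAP-only user without a Unix account'
  SUP top STRUCTURAL
  MUST ( uid $ userPassword $ dovecotUidNumber $ dovecotGidNumber $ dovecotHome ) )

# Constructed user entry: the mailbox is owned by the Unix account (5001)
# that manages this group of users, not by a shared "mail" uid.
dn: uid=alice,ou=Users,dc=example.org,o=top
objectClass: dovecotVirtualUser
uid: alice
userPassword: {SSHA}PLACEHOLDER
dovecotUidNumber: 5001
dovecotGidNumber: 5001
dovecotHome: /srv/vmail/team-a/alice

# Matching dovecot-ldap.conf lines; in dovecot.conf the "userdb static" block
# becomes "userdb ldap { args = /etc/dovecot/dovecot-ldap.conf }":
#   user_filter = (&(objectClass=dovecotVirtualUser)(uid=%n))
#   user_attrs  = dovecotHome=home,dovecotUidNumber=uid,dovecotGidNumber=gid
#   pass_filter = (&(objectClass=dovecotVirtualUser)(uid=%n))
#   pass_attrs  = userPassword=password
# Keep first_valid_uid/last_valid_uid (and the gid pair) in dovecot.conf
# bracketing the range used in the directory: Dovecot rejects a uid outside
# it, so a mistyped dovecotUidNumber cannot map a mailbox onto root or
# another system account.
```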
participants (2): Hadmut Danisch, Sergey A. Kobzar