[Dovecot] Using LDAP for Dovecot extra/regular fields
Hi,
We're moving to a dovecot proxy / server configuration in order to make sure that users go to a specific server.
If someone has used LDAP for this, there are a few things that I wish to verify.
Dovecot does not verify the type of the LDAP attribute, only that the returned value works.
If a boolean is used for a yes/no field, then FALSE sets the field to no and TRUE sets the field to yes.
If a multivalue attribute is used for a single value field, the last returned value for the LDAP lookup is used in that field (i.e. host will use the last value).
If a string attribute is returned for a yes/no field and has any value, then the associated field is set to true.
There is no automatic failover with the host field so if the remote host is down, the IMAP connection no longer works.
I'm fairly sure of all of these except for the boolean.
Now this is just due diligence. I don't know that turning on/off or switching LDAP attributes is the right way to go to handle failover but it might work for phased rollout.
My feeling is the best configuration will be using a secondary IP address that has to be manually turned on for a host after a reboot or shutdown. This creates a poor man's "fencing". The secondary can either be brought up on another host or handled via a load balancer with DSR/backup server.
As a practical matter, it is probably worth setting sensible attributes for each field (i.e. numeric for host, boolean for proxy/proxy_maybe etc). Any interest in registering an LDAP object class for Dovecot?
---Jack
Just to answer some of my own questions and close the loop in case anyone sees this message down the road. All of it makes sense when you consider SQL and the implications.
With a multivalue attribute, the last value is returned.
There is no host failure, which is likely a good thing when you consider all of the possible proxy configurations - you can get yourself into a lot of trouble with this.
If the host attribute exists in LDAP, then it is flagged as true even if the attribute is boolean and set to FALSE. This is not a big deal and makes sense when you have SQL support with a NULL.
A standard LDAP objectclass does not exist - since there are so many possible configurations, it is unlikely that you could make everyone happy.
---Jack
On Fri, 2009-03-13 at 13:05 -0700, Jack Stewart wrote:
> With a multivalue attribute, the last value is returned.
Currently, but I don't think you should rely on this. Also in situations where multiple values make sense Dovecot might do something special in future.
> If the host attribute exists in LDAP, then it is flagged as true even if the attribute is boolean and set to FALSE. This is not a big deal and makes sense when you have SQL support with a NULL.
Currently yes. After the config rewrite perhaps this will change.
> There is no automatic failover with the host field so if the remote host is down, the IMAP connection no longer works.
I'll do something about this in future. Perhaps it should allow a list of IP addresses.
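A pre-rollout check over LDAP entries, added here as an illustration; it is not code from Dovecot or from either poster. It encodes the behaviour the thread settles on (the last value of a multivalued attribute wins for a single-value field; a yes/no field such as proxy is switched on by the attribute's presence, even when the value is FALSE; an absent attribute leaves the field unset, like a SQL NULL) and flags the entries where that would surprise an administrator before the directory goes live. The attribute names (mailHost, mailProxy, mailProxyMaybe), the sample entries and the mapping dictionary are constructed for the example; the dictionary mirrors the ldapAttr=dovecotField shape of a pass_attrs line but is not parsed from a real config. As Timo notes, this was the behaviour in 2009 and is not guaranteed to hold.

```python
"""Lint LDAP entries for the attribute shapes that bite under the field
semantics described in the thread.  Constructed example, not Dovecot code."""

# Constructed mapping in the ldapAttr=dovecotField style of a pass_attrs line.
# The LDAP attribute names are assumptions chosen for the example.
PASS_ATTRS = {
    "uid": "user",
    "mailHost": "host",
    "mailProxy": "proxy",
    "mailProxyMaybe": "proxy_maybe",
}

YES_NO_FIELDS = {"proxy", "proxy_maybe"}   # switched on by attribute presence
SINGLE_VALUE_FIELDS = {"user", "host"}     # take exactly one value

# Constructed directory entries: attribute -> list of values, as an LDAP
# search result would return them.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "mailHost": ["imap1.example.com"],
        "mailProxy": ["TRUE"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "mailHost": ["imap1.example.com", "imap2.example.com"],  # multivalued by mistake
        "mailProxy": ["FALSE"],  # operator expects proxying to be off
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"],
        "mailHost": ["imap2.example.com"],
    },
}


def resolve_fields(entry, mapping=PASS_ATTRS):
    """Return the extra fields an entry yields under the thread's semantics:
    absent attribute -> field unset; yes/no field -> 'yes' on presence;
    anything else -> the last returned value."""
    fields = {}
    for attr, dovecot_field in mapping.items():
        values = entry.get(attr)
        if not values:
            continue  # like a SQL NULL: the field is simply not set
        if dovecot_field in YES_NO_FIELDS:
            fields[dovecot_field] = "yes"  # presence alone turns it on
        else:
            fields[dovecot_field] = values[-1]  # last value wins
    return fields


def lint_entry(dn, entry, mapping=PASS_ATTRS):
    """Warnings for shapes that silently differ from what the value suggests."""
    warnings = []
    for attr, dovecot_field in mapping.items():
        values = entry.get(attr, [])
        if dovecot_field in SINGLE_VALUE_FIELDS and len(values) > 1:
            warnings.append(
                f"{dn}: {attr} has {len(values)} values; only "
                f"{values[-1]!r} reaches {dovecot_field}")
        if (dovecot_field in YES_NO_FIELDS and values
                and values[-1].upper() in ("FALSE", "NO", "0")):
            warnings.append(
                f"{dn}: {attr}={values[-1]} still sets {dovecot_field}=yes; "
                f"remove the attribute to switch it off")
    return warnings


def lint_directory(entries, mapping=PASS_ATTRS):
    """Map each DN to its warnings; DNs without findings are omitted."""
    report = {}
    for dn, entry in entries.items():
        found = lint_entry(dn, entry, mapping)
        if found:
            report[dn] = found
    return report


if __name__ == "__main__":
    for dn, entry in SAMPLE_ENTRIES.items():
        print(dn, "->", resolve_fields(entry))
    for dn, found in lint_directory(SAMPLE_ENTRIES).items():
        for line in found:
            print("WARN", line)
```

Run against a real directory, the entries dictionary would come from an LDAP search over the same base and filter the proxy uses; the point of the lint is that bob's entry ends up proxied to imap2 even though his mailProxy attribute says FALSE and his first host is imap1.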
participants (2)
- Jack Stewart
- Timo Sirainen