
Recommended approach for LDAP as backend for virtual domain mail hosting?



Hi, 

I will probably also post this to the Postfix mailing list but it is 
fundamentally an (Open)LDAP question so here goes:

Short version: What is a recommended way to set up virtual mail hosting 
based on OpenLDAP? I.e. providing mail and authentication services, like 
SMTP and IMAP, using Postfix and Dovecot, for multiple *independent 
domains* such as example.net, example.org, example.com? 

I am looking for RTFMs, HOWTOs, blogs, or any experience and anecdotes 
users on this list can provide. I myself have no experience designing a 
DIT in LDAP (I am more at home in Postgres) and have much learning to do. 

Long version: I know such setups exist and I have found many references 
in the archives of this list but there was never a completely 
straightforward answer that didn't say "it depends on your requirements" 
or involve frontends/add-ons like Jamm or Phamm, which I have no interest 
in.

So the requirements are basically:
 * Independent domains and users, i.e. john.doe@example.org is 
completely different/distinct from john.doe@example.net, even though 
both may be the same physical human being.
   * Thus accounts in different domains must have separate password 
fields
 * Groups and aliases must be possible
 * Performance should not be terrible, obviously
 * Applications such as Apache, Ejabberd, Wikis and Webmail clients (to 
name a few) which support LDAP authentication should be able to query 
the DIT or DITs without needing any hacks or ugly constructs (this is a 
vague requirement, I know).

Now I believe the question basically boils down to this: 

Should we use multiple independent backend databases (DITs) or one large 
"hosting" database as described in [1,2]? Which of the two is the better 
approach? Which is more flexible, which has less administrative or 
functional overhead?

If we use multiple DITs we probably will have to glue them together 
somehow, won't we? How would queries against multiple independent DITs 
look? 

Our current setup is more like [1,2], one big hosting database. It is a 
PostgreSQL database with a few tables for virtual domains 
(virtual_mailbox_domains in Postfix), virtual users 
(virtual_mailbox_maps), virtual aliases (virtual_alias_maps) and a few 
others. It is based loosely on [3].

This works fine but now the need has arisen to see if we can migrate 
that setup to an LDAP-based one, mainly for flexibility and 
compatibility with various authentication needs: many applications and 
services provide some kind of LDAP-based authentication but are 
hopelessly overwhelmed with SQL backends, especially when the queries 
are a bit complex.

Thanks in advance!

Andreas

PS: I gathered much from the article in [1] but by now it is over 7 
years old and many things have changed so I can't follow it to the 
letter.

[1] http://www.linuxjournal.com/article/5917
[2] http://www.linuxjournal.com/files/linuxjournal.com/linuxjournal/articles/059/5917/5917f2.jpg
[3] http://workaround.org/ispmail/lenny

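Added example, not part of the post above and not code from Postfix, Dovecot or OpenLDAP: a sketch of the single "hosting" DIT variant the post asks about, with one subtree per domain, and the lookups that the three Postfix maps named in the post (virtual_mailbox_domains, virtual_mailbox_maps, virtual_alias_maps) and a Dovecot bind would run against it. The DIT layout (o=<domain> under ou=domains,dc=hosting with ou=people and ou=aliases per domain), the attribute choices and the filter templates are assumptions made for illustration; the directory is an in-memory dict parsed from constructed LDIF, so it runs offline with the standard library only.

```python
"""Added example (assumed DIT layout, constructed sample data): a per-domain
"hosting" DIT queried Postfix ldap_table(5)-style, with the %s/%u/%d quoting
that keeps a recipient address from rewriting the LDAP query."""
import re

# Constructed sample DIT: each domain is o=<domain> under ou=domains, with its
# own ou=people and ou=aliases, so the two john.doe accounts are distinct
# entries with distinct userPassword values (hashes are placeholders).
SAMPLE_LDIF = """\
dn: o=example.org,ou=domains,dc=hosting
objectClass: organization
o: example.org

dn: uid=john.doe,ou=people,o=example.org,ou=domains,dc=hosting
objectClass: inetOrgPerson
uid: john.doe
mail: john.doe@example.org
mailbox: example.org/john.doe/
userPassword: {SSHA}constructed-hash-org

dn: cn=postmaster,ou=aliases,o=example.org,ou=domains,dc=hosting
objectClass: nisMailAlias
cn: postmaster
rfc822MailMember: john.doe@example.org

dn: o=example.net,ou=domains,dc=hosting
objectClass: organization
o: example.net

dn: uid=john.doe,ou=people,o=example.net,ou=domains,dc=hosting
objectClass: inetOrgPerson
uid: john.doe
mail: john.doe@example.net
mailbox: example.net/john.doe/
userPassword: {SSHA}constructed-hash-net
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr (lowercased): [values]}}."""
    dit = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dit[attrs.pop("dn")[0]] = attrs
    return dit

# RFC 4515 quoting for filter values, RFC 4514 quoting for DN values: Postfix
# applies the former to %s/%u/%d in query_filter and the latter in search_base.
FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(s):
    return "".join(FILTER_ESC.get(c, c) for c in s)

def escape_dn_value(s):
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in s)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def expand(template, key, esc):
    """Postfix-style expansion: %s whole key, %u local part, %d domain."""
    local, _, domain = key.partition("@")
    return re.sub(r"%([sud])", lambda m: esc({"s": key, "u": local, "d": domain}[m.group(1)]), template)

def unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def parse_filter(f, i=0):
    """Tiny RFC 4515 parser for (&...), (|...) and (attr=value); a bare '*' in
    a value is a wildcard, a '\\xx' sequence is a literal character."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            kid, i = parse_filter(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    rx = "^" + ".*".join(re.escape(unescape(p)) for p in value.split("*")) + "$"
    return ("=", attr.lower(), re.compile(rx, re.I)), end + 1

def matches(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    return any(node[2].match(v) for v in attrs.get(node[1], []))

def search(dit, base, filt):
    """Subtree search under base; returns [(dn, attrs)] in DIT order."""
    node, base = parse_filter(filt)[0], base.lower()
    return [(dn, a) for dn, a in dit.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, a)]

class LdapTable:
    """Stand-in for one Postfix ldap_table(5) file with the same parameters."""
    def __init__(self, dit, search_base, query_filter, result_attribute):
        self.dit, self.base, self.filt, self.attr = dit, search_base, query_filter, result_attribute.lower()

    def _search(self, key):
        return search(self.dit, expand(self.base, key, escape_dn_value), expand(self.filt, key, escape_filter))

    def lookup(self, key):        # the values Postfix gets back from the map
        return [v for _, a in self._search(key) for v in a.get(self.attr, [])]

    def lookup_dn(self, key):     # the DN Dovecot would bind as with auth_bind
        return [dn for dn, _ in self._search(key)]

DIT = parse_ldif(SAMPLE_LDIF)
BASE = "ou=domains,dc=hosting"
DOMAINS = LdapTable(DIT, BASE, "(&(objectClass=organization)(o=%s))", "o")  # virtual_mailbox_domains
MAILBOXES = LdapTable(DIT, "ou=people,o=%d," + BASE, "(&(objectClass=inetOrgPerson)(mail=%s))", "mailbox")  # virtual_mailbox_maps
ALIASES = LdapTable(DIT, "ou=aliases,o=%d," + BASE, "(&(objectClass=nisMailAlias)(cn=%u))", "rfc822MailMember")  # virtual_alias_maps

if __name__ == "__main__":
    for addr in ("john.doe@example.org", "john.doe@example.net", "postmaster@example.org"):
        print(addr, MAILBOXES.lookup(addr), MAILBOXES.lookup_dn(addr), ALIASES.lookup(addr))
    # Quoted, "*@example.org" matches nothing; an unquoted "(mail=*)" matches every mailbox.
    print(MAILBOXES.lookup("*@example.org"), search(DIT, "ou=people,o=example.org," + BASE, "(mail=*)"))
```

Two points this makes concrete for the "one big DIT" option: scoping search_base with %d means john.doe@example.org and john.doe@example.net can never collide, because each lookup is confined to its own o=<domain> subtree and the two accounts are separate entries with separate userPassword attributes; and the per-domain subtree is also a natural ACL boundary in slapd.conf. The quoting of %s/%u/%d is something Postfix does itself; it is spelled out here because any webmail or wiki that builds its own LDAP filter from the login name has to do the same, or a login such as "*" or "x)(uid=*" changes the query. Keep userPassword unreadable to the mail service accounts and let Dovecot authenticate with a bind as the looked-up DN rather than by reading the hash.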