On Thu, Oct 24, 2002 at 05:45:04PM -0400, Benton Roberts wrote:
> My problem is that each of my virtual domains has, of course, its own
> basedn, but authdaemon.ldap only lets me specify a single basedn
> against which to search.

Assuming they're all on the same LDAP server, then you should just organise
your DN hierarchy so they're all under some common parent. For example (not
necessarily the best, see below):

        uid=fred, dc=virt1, dc=myisp, dc=com
          mail: [EMAIL PROTECTED]

        uid=jim, dc=virt2, dc=myisp, dc=com
          mail: [EMAIL PROTECTED]

Then you just set 'dc=myisp, dc=com' as your LDAP_BASEDN; if you're running
OpenLDAP as the server, you would also set this as your 'rootdn'.

> Do I need to run another instance of authdaemon.ldap, one for each 
> virtual domain on a separate port? I think I read in the documentation 
> this was not possible. I have thought of collapsing all domains into a 
> single LDAP database, with each in its own organizationalGroup, but 
> this is not only inelegant, it defeats the point of having basedns 
> correspond to a domain.

It is generally a good idea to avoid hardcoding information such as E-mail
addresses or personal names into the DN (because if someone changes their
address or their name, then the DN of the record changes; and in a well
designed database of any kind, the primary key remains with a record for its
lifetime). Keep your hierarchy as flat as possible. Taking this to its
limit:

        uid=12345, dc=myisp, dc=com
          mail: [EMAIL PROTECTED]
        uid=12346, dc=myisp, dc=com
          mail: [EMAIL PROTECTED]

The LDAP search will use the filter (mail=user@domain) to locate the record.
This works very well. It's a shame that LDAP servers don't support the idea
of a 'sequence' to implement this automatically. The only problem is that it
doesn't automatically enforce uniqueness of usernames or E-mail addresses,
which is why you might want to use the first example instead.

This is a good book:
http://developer.netscape.com/docs/books/macmillan/ldap/ldapbk.html

The most important chapters (3 and 8) are available on-line to read as PDF.

> Even if a single authdaemon could be induced to search more than one 
> basedn, it couldn't differentiate between two accounts in different 
> domains with the same key/value pair used to match the username during 
> authentication,

Of course. But then if you login to POP3 as 'jim' rather than 'jim@domain'
then you are going to have this problem anyway, unless you run multiple POP3
servers bound to different IP addresses; then you can use a different
LDAP_DOMAIN setting for each one. This will be appended to the username
before the search takes place.

Brian.
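The lookup the reply describes, as an added example that is not part of the original post and not Courier's or authdaemon.ldap's own code: the login name is qualified with LDAP_DOMAIN when it carries no '@', turned into the (mail=user@domain) filter with RFC 4515 escaping so a login name cannot change the filter's shape, and run over a small in-memory directory laid out the flat way (uid=<number>, dc=myisp, dc=com with a 'mail' attribute). The directory entries, the deliberate duplicate address, the function names and the "append LDAP_DOMAIN only when no '@' is present" behaviour are assumptions for illustration; a real deployment sends the filter to the LDAP server instead of evaluating it locally.

```python
"""Flat-DN mail lookup with filter escaping and a uniqueness check (added example)."""
from typing import List, Optional

# Constructed sample directory modelled on the flat layout in the reply.
# The duplicate mail on 12346/12347 is deliberate: with the address no longer
# in the DN, nothing stops two records claiming the same mailbox.
DIRECTORY = [
    {"dn": "uid=12345,dc=myisp,dc=com", "uid": "12345", "mail": "fred@virt1.example"},
    {"dn": "uid=12346,dc=myisp,dc=com", "uid": "12346", "mail": "jim@virt2.example"},
    {"dn": "uid=12347,dc=myisp,dc=com", "uid": "12347", "mail": "jim@virt2.example"},
    {"dn": "uid=99999,dc=other,dc=com", "uid": "99999", "mail": "fred@virt1.example"},
]

# RFC 4515 assertion-value escapes: these characters would otherwise be
# interpreted as filter syntax when a login name is interpolated.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so a login name is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def qualify_username(username: str, ldap_domain: Optional[str]) -> str:
    """Append LDAP_DOMAIN when the login carries no '@' (assumed behaviour, per the reply)."""
    if "@" in username or not ldap_domain:
        return username
    return f"{username}@{ldap_domain}"


def build_filter(username: str, ldap_domain: Optional[str] = None) -> str:
    """Produce the (mail=user@domain) filter from the reply, safely escaped."""
    return f"(mail={escape_filter_value(qualify_username(username, ldap_domain))})"


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn sits at or below base_dn; spaces after commas are ignored."""
    def norm(s: str) -> str:
        return ",".join(part.strip() for part in s.lower().split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


def search(base_dn: str, filt: str) -> List[dict]:
    """Evaluate a single equality filter against DIRECTORY, honouring the base DN."""
    attr, _, raw = filt[1:-1].partition("=")
    return [
        e for e in DIRECTORY
        if in_subtree(e["dn"], base_dn) and escape_filter_value(e.get(attr, "")) == raw
    ]


def authenticate_lookup(username: str, ldap_basedn: str,
                        ldap_domain: Optional[str] = None) -> Optional[str]:
    """Return the DN to bind as, or None unless exactly one record matches.

    Refusing ambiguous results is the uniqueness check the reply notes the
    flat layout does not provide by itself.
    """
    matches = search(ldap_basedn, build_filter(username, ldap_domain))
    if len(matches) != 1:
        return None
    return matches[0]["dn"]


if __name__ == "__main__":
    print(build_filter("fred", "virt1.example"))
    print(authenticate_lookup("fred", "dc=myisp, dc=com", "virt1.example"))
    print(authenticate_lookup("jim", "dc=myisp, dc=com", "virt2.example"))
```

Bind each POP3 listener to its own LDAP_DOMAIN and the same base DN, and the filter differs per listener while the directory stays a single flat tree; the `None` result for the duplicated address is the case to alert on when the directory is populated by hand.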

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users