On Tue, 7 Jan 2014, Mihai Badici wrote:
> On Tuesday 07 January 2014 09:00:15 you wrote:
>> On Mon, 30 Dec 2013, Mihai Badici wrote:
>>> I have a "pure ldap" setting with postfix and dovecot.
>>> When using dovecot delivery, the recipient is checked via ldap.
>>> The same ldap query is used when authenticating.
>>> So, if I want to authenticate with the uid, I can't use a filter like
>>> uid=%u because the delivery will fail. I don't want to use %n or something
>>> else because I could use multiple e-mail addresses on a single account.
>>> I actually use a filter like (|(mail=%u)(uid=%u)) but I think for more
>>> complex situations it would be better to have two separate filters, one
>>> for authentication and the other for the delivery. What is your opinion?
>>
>> There are two filters already:
>> 1) the passdb filter
>> which is used to find users during authentication
>> 2) the userdb filter
>> which is used to get the information about users, e.g. after auth and for
>> delivery
>>
>> The passdb filter uses uid only, userdb uses maildrop only.
>
> It is not the efficiency but the flexibility that interests me.
> There are two separate processes: delivery and authentication.
> During delivery, dovecot will check if the mailbox exists and where it is
> located; it is not important how the user is authenticated.
> During authentication, there is user, password and mailbox location; it is not
> important if the user has a valid e-mail address.
> When the filter is accessed by the delivery module, the query string must be
> the e-mail (all other solutions will fail when multiple e-mail addresses and
> non-standard uid are used).
> When the filter is accessed via the authentication module, the query will
> contain the username, not the e-mail. So basically it is not the same
> string that is provided as argument for the query filter. We need all sorts of
> workarounds to solve this dilemma, like the "or" between mail and uid, splitting
> the e-mail address as %u and %d and so on... With two query strings, one for
> authentication and the other for delivery, I think it could be more elegant and
> clear.

IMHO, exactly that works with the maildrop LDAP attribute. You enumerate
all mail addresses into maildrop. Use maildrop in userdb filter only. If
you like to use "uid" on command line of doveadm, you need to add the uid
to maildrop as well, otherwise have the passdb return another username,
e.g. the "mail" LDAP attribute to convert the uid into mail address.
- --
Steffen Kaiser
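
The split described in the reply above, written out as a Dovecot LDAP configuration. This is an added example, not configuration posted by anyone in the thread; the file path, host name, base DN and the homeDirectory/uidNumber/gidNumber attributes are assumptions, while uid, mail and maildrop are the attributes named in the thread.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext (assumed path; host and base DN are placeholders)
hosts = ldap.example.com
base = ou=people,dc=example,dc=com
scope = subtree

# Verify the password by binding as the user's DN, so no password
# attribute has to be readable by Dovecot's search account.
auth_bind = yes

# passdb: consulted only during authentication.
# The login name is matched against uid and nothing else.
pass_filter = (uid=%u)

# Return the entry's "mail" attribute as the Dovecot username.
# After a successful login the session continues under the mail address,
# which is what the userdb filter below expects.
pass_attrs = mail=user

# userdb: consulted after authentication and for every delivery.
# maildrop is multi-valued and lists every address the mailbox accepts,
# so the recipient address passed in at delivery matches directly.
# The value of "mail" returned above must also appear in maildrop.
user_filter = (maildrop=%u)
user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid
```

With this layout a uid that is not listed in maildrop can log in but cannot be used as a delivery recipient, and a doveadm lookup by uid finds nothing unless the uid is added to maildrop as the reply notes.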