Again, a bit more reading got me to adding this to my passdb config:

username_filter = *@domain-a.com

This way, I can control which domains get to authenticate via my ldap backend, which gives me time to design a good way of saving other attributes there.

If anyone has other ways of doing this, i.e., having multiple domains on ldap/freeipa and getting an elegant integration with Dovecot, I’d be glad to hear.

Best,

Francis

> On 14 Oct 2022, at 21:58, dovecot-requ...@dovecot.org wrote:
>
> I actually saw that it was possible, and it works, but I came across another
> problem and I wonder if you have any tips about it:
>
> On my current dovecot setup, I use SQL as the backend. So I have the
> following users:
>
> fran...@domain-a.com
> fran...@domain-b.com
>
> Those are separate users with their own mailboxes.
>
> However, I have a freeipa that is configured for the `domain-a.com` realm.
> However, since I am using `%n` for the uid search:
>
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com
> And
> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>
> It of course leads up to both users above being able to authenticate with the
> same password.
>
> Is there a way to limit ldap authentication to just one domain, or perform a
> search where both username and domain are checked? I could use the
> `mail` attribute to filter users, but I imagine that if two users have the
> same mail configured, I'd run into trouble...
>
> Best,
>
> Francis
>
>> On 14 Oct 2022, at 20:08, dovecot-requ...@dovecot.org wrote:
>>
>> Hi,
>>
>> I couldn't find it in the documentation, so I was wondering - is it
>> possible to configure Dovecot to use LDAP for passdb and keep using SQL
>> for userdb?
>>
>> I would like to do that before I come up with a good strategy to expand
>> my ldap schema to support other mail attributes for virtual domains,
>> aliases, etc.
>>
>> I am currently using FreeIPA.
>>
>> Best,
>>
>> Francis
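
The setup described in this thread, as an added configuration example that is not part of the original post: the unfiltered LDAP passdb beside the version restricted with `username_filter`, with SQL kept as the userdb. The file paths, the `auth_bind = yes` line and the second SQL passdb are assumptions; the filter, the bind DN and the domain names are the ones quoted in the thread.

```conf
# --- /etc/dovecot/dovecot-ldap.conf.ext (path assumed) ---------------------
# %n expands to the local part only, so the same local part at domain-a.com
# and at domain-b.com produces the same bind DN and therefore the same
# FreeIPA account and password.
auth_bind = yes          # assumed; required for auth_bind_userdn to be used
auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com

# --- /etc/dovecot/conf.d/auth-ldap-sql.conf.ext (file name assumed) --------
# Before: the LDAP passdb is consulted for every login, whatever the domain.
# passdb {
#   driver = ldap
#   args = /etc/dovecot/dovecot-ldap.conf.ext
# }

# After: the LDAP passdb is skipped unless the full login name matches.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  username_filter = *@domain-a.com
}

# Assumed: the remaining domains keep authenticating against SQL.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
  # By default a failed LDAP bind falls through to the next passdb. If
  # domain-a.com rows with passwords still exist in SQL (an assumption),
  # a negated filter keeps SQL from accepting them:
  # username_filter = !*@domain-a.com
}

# User lookups (home, uid/gid, mail location) stay on the SQL backend.
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
```

Running `doveadm auth test` with one login name from each domain, with auth debug logging enabled, shows which passdb handled each attempt.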