Re: LDAP just for passdb

2022-10-14 Thread Francis Augusto Medeiros-Logeay
Again, a bit more reading got me to adding this to my passdb config:

  username_filter = *@domain-a.com

This way, I can control which domains get to authenticate via my ldap backend, 
which gives me time to design a good way of saving other attributes there.

If anyone has other ways of doing this, i.e., having multiple domains on 
ldap/freeipa and getting an elegant integration with Dovecot, I’d be glad to 
hear.

Best,

Francis

> On 14 Oct 2022, at 21:58, dovecot-requ...@dovecot.org wrote:
> 
> I actually saw that it was possible, and it works, but I came across another 
> problem and I wonder if you have any tips about it:
> 
> On my current dovecot setup, I use SQL as the backend. So I have the 
> following users:
> 
> fran...@domain-a.com  
> 
> fran...@domain-b.com  
> 
> 
> Those are separate users with their own mailboxes.
> 
> However, I have a freeipa that is configured for the `domain-a.com` realm. 
> However, since I am using `%n` for the uid search:
> 
> auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com
> And 
> pass_filter = (&(objectClass=posixAccount)(uid=%n))
> 
> It of course leads up to both users above being able to authenticate with the 
> same password.
> 
> Is there a way to limit ldap authentication to just one domain, or perform a 
> search where both username and domain are checked? I could use the 
> `mail` attribute to filter users, but I imagine that if two users have the 
> same mail configured, I’d run into trouble….
> 
> Best,
> 
> Francis
> 
>> On 14 Oct 2022, at 20:08, dovecot-requ...@dovecot.org wrote:
>> 
>> Hi,
>> 
>> I couldn't find it in the documentation, so I was wondering - is it 
>> possible to configure Dovecot to use LDAP for passdb and keep using SQL 
>> for userdb?
>> 
>> I would like to do that before I come up with a good strategy to expand 
>> my ldap schema to support other mail attributes for virtual domains, 
>> aliases, etc.
>> 
>> I am currently using FreeIPA.
>> 
>> Best,
>> 
>> Francis
> 
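
The setup discussed in this message, as an added example that is not part of the original post: LDAP as passdb restricted by `username_filter`, with SQL kept as userdb. It assumes Dovecot 2.3-style syntax; the file paths and the negated filter on the SQL passdb are assumptions, not taken from the thread.

```conf
# Added illustration, not the poster's actual configuration.
# dovecot.conf (or a conf.d/auth-*.conf.ext include)

# LDAP passdb: consulted only for logins in domain-a.com.
# Without username_filter, %n in auth_bind_userdn / pass_filter drops the
# domain part, so x@domain-a.com and x@domain-b.com both map to the same
# uid=x entry and are verified against the same FreeIPA password.
passdb {
  driver = ldap
  # assumed path; this file holds the auth_bind_userdn and pass_filter
  # lines quoted in the thread
  args = /etc/dovecot/dovecot-ldap.conf.ext
  username_filter = *@domain-a.com
}

# SQL passdb: every other domain keeps authenticating against SQL.
# Assumption: the negated filter keeps a domain-a.com login that failed
# LDAP from falling through to an old password still stored in SQL.
passdb {
  driver = sql
  # assumed path
  args = /etc/dovecot/dovecot-sql.conf.ext
  username_filter = !*@domain-a.com
}

# userdb stays on SQL for all domains, so mailbox location, uid/gid and
# quota lookups are unchanged while the LDAP schema is being designed.
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
```

Running `doveadm auth test` once for an address in each domain confirms which passdb answers.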



Re: LDAP just for passdb

2022-10-14 Thread Francis Augusto Medeiros-Logeay
I actually saw that it was possible, and it works, but I came across another 
problem and I wonder if you have any tips about it:

On my current dovecot setup, I use SQL as the backend. So I have the following 
users:

fran...@domain-a.com 
fran...@domain-b.com 

Those are separate users with their own mailboxes.

However, I have a freeipa that is configured for the `domain-a.com` realm. 
However, since I am using `%n` for the uid search:

auth_bind_userdn = uid=%n,cn=users,cn=accounts,dc=domain-a,dc=com
And 
pass_filter = (&(objectClass=posixAccount)(uid=%n))

It of course leads up to both users above being able to authenticate with the 
same password.

Is there a way to limit ldap authentication to just one domain, or perform a 
search where both username and domain are checked? I could use the 
`mail` attribute to filter users, but I imagine that if two users have the same 
mail configured, I’d run into trouble….
 
Best,

Francis

> On 14 Oct 2022, at 20:08, dovecot-requ...@dovecot.org wrote:
> 
> Hi,
> 
> I couldn't find it in the documentation, so I was wondering - is it 
> possible to configure Dovecot to use LDAP for passdb and keep using SQL 
> for userdb?
> 
> I would like to do that before I come up with a good strategy to expand 
> my ldap schema to support other mail attributes for virtual domains, 
> aliases, etc.
> 
> I am currently using FreeIPA.
> 
> Best,
> 
> Francis



LDAP just for passdb

2022-10-14 Thread Francis Augusto Medeiros-Logeay

Hi,

I couldn't find it in the documentation, so I was wondering - is it 
possible to configure Dovecot to use LDAP for passdb and keep using SQL 
for userdb?


I would like to do that before I come up with a good strategy to expand 
my ldap schema to support other mail attributes for virtual domains, 
aliases, etc.


I am currently using FreeIPA.

Best,

Francis