Re: LDAP schema ?

2017-04-21 Thread Steffen Kaiser

On Fri, 21 Apr 2017, Mihai Badici wrote:

> On Friday 21 April 2017 08:36:47 Steffen Kaiser wrote:
>
>> On Tue, 18 Apr 2017, Dave Dodd wrote:
>>
>>> I am trying to determine the correct LDAP schema I need to use to have
>>> either mailLocation or mailboxPath available?
>>>
>>> Should I be just adding this to one of my own custom objectClasses?
>>
>> Surprisingly, lots of installations seem to work with standard schemas -
>> if you believe internet search results.
>>
>> Dovecot's LDAP connection is very generic, so maybe it's easier to adapt
>> Dovecot to an existing infrastructure than vice versa.
>>
>> However, I have added several Dovecot-related attributes and some
>> objectclasses to my schema, esp. to support the generic userdb_import.
>>
>> --
>> Steffen Kaiser
>
> Let me summarize:
> In fact, when using /etc/passwd the only information Dovecot needs is the
> username and the password.
> So if you switch to LDAP you only need those attributes. (The e-mail address
> is not needed by Dovecot, but is needed by the MTA.)
> You can then use the inetOrgPerson schema without problems.
> But, since you want to use LDAP, you probably want to take advantage of the
> user management tools, you want to use a Global Address List, maybe multiple
> servers etc.
> When I started to configure my template, I searched for a schema with a
> "vacation" attribute. I even wrote a Postfix filter that used this attribute to
> generate autoresponder messages. I found ispenv2.ldif; I still use it, even
> though I switched to Sieve for the autoresponder, so I don't need vacation
> anymore.
> But ispenv2 also has some nice attributes for managing users "ISP style":
> details about payment, contract, price, user disabled etc.
>
> In the meantime I started to use parts from the Kolab project. So I am
> considering starting to use their schema too in the future, because it has
> some attributes useful for enterprise usage scenarios (and because I want to
> have some compatibility).
>
> So, at the end, the reason for choosing a schema or extending the existing one
> is not related mainly to the mail system (which works great with the
> inetOrgPerson schema, for example) but rather to the organizational model you
> use.


Yes, my thinking, too. I have:

  quota
  mail location (as override for some users)
  import (generic, for anything else, e.g. some users have a home override
  or specific system_uids or groups)

Actually I discovered import too late, otherwise I would not have added
quota and mail location as stand-alone attributes.

There are some other local attributes for other services, so they don't
hurt. :)


-- 
Steffen Kaiser



Re: LDAP schema ?

2017-04-21 Thread Mihai Badici
On Friday 21 April 2017 08:36:47 Steffen Kaiser wrote:
> On Tue, 18 Apr 2017, Dave Dodd wrote:
> > I am trying to determine the correct LDAP schema I need to use to have
> > either mailLocation or mailboxPath available?
> > 
> > Should I be just adding this to one of my own custom objectClasses?
> 
> Surprisingly, lots of installations seem to work with standard schemas -
> if you believe internet search results.
> 
> Dovecot's LDAP connection is very generic, so maybe it's easier to adapt
> Dovecot to an existing infrastructure than vice versa.
> 
> However, I have added several Dovecot-related attributes and some
> objectclasses to my schema, esp. to support the generic userdb_import.
> 
> --
> Steffen Kaiser
Let me summarize:
In fact, when using /etc/passwd the only information Dovecot needs is the
username and the password.
So if you switch to LDAP you only need those attributes. (The e-mail address
is not needed by Dovecot, but is needed by the MTA.)
You can then use the inetOrgPerson schema without problems.
But, since you want to use LDAP, you probably want to take advantage of the
user management tools, you want to use a Global Address List, maybe multiple
servers etc.
When I started to configure my template, I searched for a schema with a
"vacation" attribute. I even wrote a Postfix filter that used this attribute to
generate autoresponder messages. I found ispenv2.ldif; I still use it, even
though I switched to Sieve for the autoresponder, so I don't need vacation
anymore.
But ispenv2 also has some nice attributes for managing users "ISP style":
details about payment, contract, price, user disabled etc.

In the meantime I started to use parts from the Kolab project. So I am
considering starting to use their schema too in the future, because it has
some attributes useful for enterprise usage scenarios (and because I want to
have some compatibility).

So, at the end, the reason for choosing a schema or extending the existing one
is not related mainly to the mail system (which works great with the
inetOrgPerson schema, for example) but rather to the organizational model you
use.


Re: LDAP schema ?

2017-04-20 Thread Steffen Kaiser

On Tue, 18 Apr 2017, Dave Dodd wrote:

> I am trying to determine the correct LDAP schema I need to use to have either
> mailLocation or mailboxPath available?
>
> Should I be just adding this to one of my own custom objectClasses?

Surprisingly, lots of installations seem to work with standard schemas -
if you believe internet search results.

Dovecot's LDAP connection is very generic, so maybe it's easier to adapt
Dovecot to an existing infrastructure than vice versa.

However, I have added several Dovecot-related attributes and some
objectclasses to my schema, esp. to support the generic userdb_import.


-- 
Steffen Kaiser



Re: LDAP schema ?

2017-04-20 Thread Nikolai Lusan
Hi,
On Tue, 2017-04-18 at 17:06 +1000, Dave Dodd wrote:
> I am trying to determine the correct LDAP schema I need to use to
> have either
> mailLocation or mailboxPath available ?

I have a custom schema for postfix and dovecot. I then have the various
configuration files set up to match against that schema and return the
needed values. I also use this setup for sasl auth for both postfix and
dovecot (postfix using dovecot for sasl auth). About the only thing I
need to do is adjust it for amavisd usage.

If you are interested I can share it with you, and the configs to make
it work.

FWIW there is not really a standard schema for usage with dovecot
and/or postfix - in fact the author of postfix told me personally to
just write my own schema.


-- 
Nikolai Lusan 



Re: LDAP schema ?

2017-04-20 Thread Mihai Badici
On Tuesday 18 April 2017 17:06:30 Dave Dodd wrote:
> Hi,
> 
> I am trying to determine the correct LDAP schema I need to use to have
> either mailLocation or mailboxPath available ?
> 
> Should I be just adding this to one of my own custom objectClasses ?
> 
> -- Dave
Actually I don't see a reason to use a special attribute for that, because it
can be expanded using the username. I have something like:

  mail_location = maildir:/home/dovecot/%u

You may, however, need other attributes for user management, so you can use the
Kolab schema or ispenv2.ldif in order not to reinvent the wheel.


LDAP schema ?

2017-04-20 Thread Dave Dodd
Hi,

I am trying to determine the correct LDAP schema I need to use to have either
mailLocation or mailboxPath available ?

Should I be just adding this to one of my own custom objectClasses ?

-- Dave


LDAP schema for dovecot proxy?

2015-11-10 Thread Andrey Fesenko
Hello,
I want to deploy a Dovecot proxy/director with the backend and
authorization in LDAP. The Dovecot wiki only specifies which additional
arguments have to be applied for the scheme to work with a proxy, but gives
no solid LDAP schema.
Is there such a schema, like the existing schemas

http://www.zytrax.com/books/ldap/ape/courier.html
http://pro-ldap.ru/sources/schema/qmail.schema
http://open.rhx.it/phamm/schema/phamm.schema

Unfortunately they are not good for this task, because they simply have no
Dovecot-specific variables.


Re: [Dovecot] Dovecot LDAP schema?

2007-07-30 Thread Sergey A. Kobzar
Hi Hadmut,

Monday, July 30, 2007, 11:27:37 AM, you wrote:

> Hi Sergey,

> Sergey A. Kobzar wrote:
>> 
>> You can use standard LDAP attributes. It's more than enough.


> Well, I know that it works with standard LDAP attributes, that's what I
> do right now. But that is what I want to avoid, because I want to have
> IMAP users *without* standard uid/gid attributes because they are not
> Unix users. To avoid confusion and security holes I'd prefer to use
> separate Attributes for the LDAP objects. And in some cases I need to
> override the default PATH variable, which requires a new attribute. And
> I cannot work with static uid/gid schemes as in your example, because
> every IMAP user is managed by one of several Unix users, therefore they
> cannot share the same uid/gid.

> I can define my own LDAP scheme, what I did in a test environment.

> But I'd prefer if there was a common dovecot scheme for such cases.


There is no such scheme because your case is not common.


> regards
> Hadmut


-- 
Sergey



Re: [Dovecot] Dovecot LDAP schema?

2007-07-30 Thread Hadmut Danisch
Hi Sergey,

Sergey A. Kobzar wrote:
> 
> You can use standard LDAP attributes. It's more than enough.


Well, I know that it works with standard LDAP attributes, that's what I
do right now. But that is what I want to avoid, because I want to have
IMAP users *without* standard uid/gid attributes because they are not
Unix users. To avoid confusion and security holes I'd prefer to use
separate Attributes for the LDAP objects. And in some cases I need to
override the default PATH variable, which requires a new attribute. And
I cannot work with static uid/gid schemes as in your example, because
every IMAP user is managed by one of several Unix users, therefore they
cannot share the same uid/gid.

I can define my own LDAP scheme, what I did in a test environment.

But I'd prefer if there was a common dovecot scheme for such cases.

regards
Hadmut


Re: [Dovecot] Dovecot LDAP schema?

2007-07-28 Thread Sergey A. Kobzar
Hi Hadmut,

You can use standard LDAP attributes. It's more than enough.

My configs:

dovecot.conf:

# Every virtual user is forced onto one system uid/gid; a user record that
# resolves to anything outside these ranges is rejected by Dovecot.
first_valid_uid = 8
last_valid_uid = 8

first_valid_gid = 12
last_valid_gid = 12

# Lowercase the login name before it reaches the LDAP filter.
auth_username_format = %Lu

auth default {
  mechanisms = plain

  # Passwords are verified against LDAP ...
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  # ... but no user data comes from LDAP: the same uid/gid for everyone.
  userdb static {
    args = uid=mail gid=mail
  }

}


dovecot-ldap.conf:

hosts = localhost

# Service account Dovecot binds as. Because auth_bind is not used, the
# directory ACLs must let this DN read the users' userPassword attribute.
dn = cn=Dovecot,ou=DSA,o=top
dnpass = xxx

ldap_version = 3

# The domain part of the login selects the search base.
base = ou=Users,dc=%d,o=top
scope = onelevel

# The hash is returned as Dovecot's password field; the local part of the
# login is matched against uid.
pass_attrs = userPassword=password
pass_filter = uid=%n



Saturday, July 28, 2007, 12:53:09 PM, you wrote:

> Hi,

> does dovecot define its own LDAP schema or should I create my own one?


> (I want to provide IMAP boxes for virtual users that do not have a 
> Unix account on the mail server and thus do not want to use the 
> plain uid/gid entries of the posix account objectclass to avoid confusion
> and accidentally giving access to accounts.)

> regards
> Hadmut



-- 
Sergey



[Dovecot] Dovecot LDAP schema?

2007-07-28 Thread Hadmut Danisch
Hi,

does dovecot define its own LDAP schema or should I create my own one?


(I want to provide IMAP boxes for virtual users that do not have a 
Unix account on the mail server and thus do not want to use the 
plain uid/gid entries of the posix account objectclass to avoid confusion 
and accidentally giving access to accounts.)

regards
Hadmut
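Putting the suggestions from both threads together as an added example (this is not code from Dovecot, from any of the posters, or from the ispenv2/Kolab schemas): an auxiliary objectClass that carries only Dovecot's per-user settings (the mail location override and quota Steffen listed, plus an enable flag), so it can be attached to an existing inetOrgPerson entry without giving virtual users posixAccount uid/gid as Hadmut wanted, and a matching dovecot-ldap.conf that pins every user to one system account the way Sergey's static userdb does. The OID arc 1.3.6.1.4.1.99999, the dc=example,dc=com tree, the service DN, the vmail user and /srv/vmail are placeholders chosen for this example; substitute your own IANA private enterprise number and directory layout.

```shell
#!/bin/sh
# Added example for this thread, not Dovecot's or any poster's code.
# Generates an OpenLDAP cn=config schema for per-user Dovecot settings and the
# matching dovecot-ldap.conf, then prints (but does not run) the commands to
# load and verify them. All OIDs, DNs, hostnames and paths are placeholders.
set -eu

# Auxiliary class: attaches to any existing entry (e.g. inetOrgPerson) without
# requiring posixAccount, so virtual users never carry a system uid/gid.
dovecot_schema_ldif() {
cat <<'EOF'
dn: cn=dovecot,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dovecot
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'dovecotMailLocation'
  DESC 'Per-user override of mail_location; absent means use the global default'
  EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'dovecotQuotaBytes'
  DESC 'Mailbox quota in bytes'
  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'dovecotMailEnabled'
  DESC 'TRUE if the account may log in to IMAP/POP3'
  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'dovecotUser'
  DESC 'Dovecot per-user mail settings' SUP top AUXILIARY
  MAY ( dovecotMailLocation $ dovecotQuotaBytes $ dovecotMailEnabled ) )
EOF
}

# Dovecot side: bind as the user to verify the password, map the custom
# attributes, and hard-code uid/gid/home so nothing in the entry can change
# which system account Dovecot uses.
dovecot_ldap_conf() {
cat <<'EOF'
hosts = ldap.example.com
tls = yes
ldap_version = 3
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = CHANGE-ME
base = ou=Users,dc=example,dc=com
scope = subtree
# Authenticate by binding as the user: the service DN never reads userPassword.
auth_bind = yes
pass_filter = (&(objectClass=dovecotUser)(mail=%u)(dovecotMailEnabled=TRUE))
pass_attrs = mail=user
user_filter = (&(objectClass=dovecotUser)(mail=%u))
# Fixed uid/gid/home template for every virtual user; the two LDAP attributes
# only override mail_location and set the quota, and are ignored when absent.
user_attrs = =uid=vmail,=gid=vmail,=home=/srv/vmail/%d/%n,dovecotMailLocation=mail,dovecotQuotaBytes=quota_rule=*:bytes=%$
EOF
}

# Write both files (OUTDIR defaults to a temp dir, so this is safe anywhere)
# and show the commands for the next step without executing them.
out="${OUTDIR:-$(mktemp -d)}"
dovecot_schema_ldif > "$out/dovecot.ldif"
dovecot_ldap_conf > "$out/dovecot-ldap.conf"
cat <<EOF
Wrote $out/dovecot.ldif and $out/dovecot-ldap.conf. Next steps (not run here):
  ldapadd -Y EXTERNAL -H ldapi:/// -f $out/dovecot.ldif   # load schema into cn=config
  doveadm user alice@example.com        # shows uid/gid/home/mail/quota_rule as resolved from LDAP
  doveadm auth test alice@example.com   # exercises the bind-based passdb
EOF
```

Running the script yields the two files and the commands for the next step (load the schema into cn=config over the ldapi socket with the EXTERNAL bind, then check a real account with doveadm user and doveadm auth test). Two points worth checking afterwards: with auth_bind = yes the service DN never needs read access to userPassword, so the directory ACL can deny it, whereas Sergey's pass_attrs = userPassword=password setup requires it; and because uid and gid come from the =uid=vmail,=gid=vmail template rather than from the entry, set first_valid_uid/last_valid_uid in dovecot.conf to the vmail uid, as Sergey's config does, so that no attribute mapping mistake can make Dovecot touch another system user's files. A user without dovecotMailLocation simply falls back to the global mail_location, which is the "override for some users" Steffen described.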