Re: [SOGo] domain separation using ldap

2016-11-18 Thread Zhang Huangbin

> On Nov 18, 2016, at 5:54 PM, Jeroen Beerstra (jer...@beerstra.org) wrote:
> 
> So the question remains and it would be really helpful if I could setup
> LDAP in a way that allows domain separation without needing to add a
> section to the sogo.conf per domain.

I believe this can be perfectly solved if SOGo supports placeholders in the LDAP 
base dn, bind dn, filter, etc.
Related feature request I submitted in the bug tracker:
https://sogo.nu/bugs/view.php?id=3685

Let me copy the request below:

###
Please consider supporting placeholders in LDAP base dn, bind dn and filter, 
so that we can get flexible LDAP support.

For example, login as user 'j...@mydomain.com':

- %s for full login username (full email address)
- %d for domain part in email address (mydomain.com)
- %u for username part in email address (john)

Then we can get flexible LDAP base dn and bind dn like this:

base dn: domainName=%d,o=domains,dc=iredmail,dc=org
bind dn: mail=%s,ou=Users,domainName=%d,o=domains,dc=iredmail,dc=org
###

With placeholder support, we can easily achieve the “separation”; no extra 
(logical) code is required in SOGo itself.


Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).

-- 
users@sogo.nu
https://inverse.ca/sogo/lists
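The placeholder scheme from the quoted feature request, worked through as an added example (it is neither SOGo's code nor part of this thread). The point a deployment would need on top of the request: whatever %s, %d or %u is replaced with must be escaped for the context it lands in, RFC 4514 for DN values and RFC 4515 for filter values, so that a login string can never alter where the bind or the search goes. The function names, the login validation rule and the sample DNs are this example's own assumptions.

```python
"""Expand %s / %d / %u placeholders into LDAP base DN, bind DN and filter
templates, escaping the login so it cannot change DN or filter structure.

Added example, not SOGo's code: the placeholder meanings follow the feature
request above; the escaping is RFC 4514 (DN values) and RFC 4515 (filter
values). Function names and the sample DNs are the example's own.
"""
import re

# One local part, one domain; the domain is restricted to hostname characters
# so a login can never smuggle DN or filter syntax through %d.
_LOGIN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<domain>[A-Za-z0-9.-]+)$")

# RFC 4515: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def split_login(login):
    """Return (user, domain) for 'user@domain'; reject anything else."""
    m = _LOGIN_RE.match(login)
    if not m:
        raise ValueError("login must be a single user@domain: %r" % login)
    return m.group("user"), m.group("domain").lower()


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for ch in value:
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith(("#", " ")):      # a leading '#' or space needs escaping
        s = "\\" + s
    if s.endswith(" "):               # so does a trailing space
        s = s[:-1] + "\\ "
    return s


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _expand(template, login, escape):
    user, domain = split_login(login)
    values = {
        "s": escape(user + "@" + domain),  # %s: full login (e-mail address)
        "d": escape(domain),               # %d: domain part
        "u": escape(user),                 # %u: local part
    }
    # Only the three documented placeholders (and %% for a literal %) are
    # substituted; any other %x sequence is left untouched.
    return re.sub(r"%([sdu%])",
                  lambda m: "%" if m.group(1) == "%" else values[m.group(1)],
                  template)


def expand_dn(template, login):
    """Fill a base DN or bind DN template for the given login."""
    return _expand(template, login, escape_dn_value)


def expand_filter(template, login):
    """Fill a search filter template for the given login."""
    return _expand(template, login, escape_filter_value)


if __name__ == "__main__":
    login = "john@mydomain.com"
    print(expand_dn("domainName=%d,o=domains,dc=iredmail,dc=org", login))
    print(expand_dn("mail=%s,ou=Users,domainName=%d,o=domains,dc=iredmail,dc=org", login))
    # A local part containing DN/filter metacharacters comes out escaped:
    print(expand_filter("(&(objectClass=mailUser)(mail=%s))", "j,x*@mydomain.com"))
```

Two deliberate design choices: the domain part is validated against a hostname character set before it is used at all, because the base DN and bind DN are built from it, and the same template expander takes a different escaper for DNs and for filters rather than one "escape everything" routine, since the two RFCs escape different characters in different ways.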

Re: [SOGo] domain separation using ldap

2016-11-18 Thread Jeroen Beerstra
On 15-11-16 at 15:54, Alessandro Briosi (a...@metalit.com) wrote:
> On 15/11/2016 13:56, Jeroen Beerstra (jer...@beerstra.org) wrote:
>> We also provide e-mail services to selected clients on request and here
>> is where the problems begin. At the moment we use Mysql as
>> authentication provider for SOGo only and because I don't want
>> individual clients to find other clients contact data or possibly more
>> we use a config section per domain and a separate user table in the
>> database. This works but is rather hard to maintain.
>>
>> For this reason and some others I'm looking into LDAP as authentication
>> provider. Is it possible to use ldap in a similar way? That is by
>> separating domains from each other so users can only find other users in
>> their own organization or share with them.
>>
>> If I simply need to RTFM please let me know :) LDAP is rather
>> complicated and my experience with it is limited, I did succeed in
>> setting up a test environment with 389 server on CentOS 7 and letting it
>> work with SOGo and Dovecot.
>>
>> PS in the end all of this should work with postfix/dovecot virtual
>> users, but I guess that is off-topic and more a postfix/dovecot issue.
> 
> I have a similar installation.
> 
> I though have 1 table with all the users (my management interface
> handles it this way),
> so I setup 1 view for every "domain/customer" I need to manage.
> Simply a select which filters by domain ...
> 
> I started using the mysql only setup and it worked well, though I
> thought it would have been nice to have groups, which are only supported
> by the LDAP implementation in SOGo.
> 
> So I configured an LDAP service with the mysql backend just to have
> groups taken from the database.
> 
> [OT] Nobody uses them :-( so I could have left the mysql backend [/OT]
> 
> Anyway, then I simply configured the SOGO.conf with the separate domains
> and it all works pretty well.
> Of course it might become a bit complicated if you often need to
> add/remove domains you manage, but it could be scripted pretty easily IMHO.
> 
> ...
> domains = {
>   firstdomain = {
>     SOGoMailDomain = firstdomain.com;
>     SOGoUserSources = (
>       {
>         /* ldap or mysql configuration */
>         ...
>         /* here I even have a different ldap address book which is a mapped
>            database table of a shared web address book */
>       }
>     );
>   };
>   seconddomain = {
>     SOGoMailDomain = secondomain.com;
>     SOGoUserSources = (
>       {
>         ...
>       }
>     );
>   };
> };
> ...
> 
> 
> Hope this helps,
> Alessandro

Hi Alessandro,

Thank you for your reply.

This is exactly the setup we use, that is multiple mysql user sources for
different domains. But this is rather hard to maintain, and new internet
domains are added on a regular basis. In fact at the moment I'm kind of
holding down the principle of also selling e-mail accounts to clients
because of this.

So the question remains and it would be really helpful if I could setup
LDAP in a way that allows domain separation without needing to add a
section to the sogo.conf per domain. As a bonus users could change their
e-mail password themselves, which would further add to the user
experience and take some load off me :)

So is this even possible and if so how does one do this? Pointers would
be greatly appreciated also!

-- 
kind regards

Jeroen Beerstra



signature.asc
Description: OpenPGP digital signature


Re: [SOGo] domain separation using ldap

2016-11-15 Thread Alessandro Briosi
On 15/11/2016 13:56, Jeroen Beerstra (jer...@beerstra.org) wrote:
> We also provide e-mail services to selected clients on request and here
> is where the problems begin. At the moment we use Mysql as
> authentication provider for SOGo only and because I don't want
> individual clients to find other clients contact data or possibly more
> we use a config section per domain and a separate user table in the
> database. This works but is rather hard to maintain.
>
> For this reason and some others I'm looking into LDAP as authentication
> provider. Is it possible to use ldap in a similar way? That is by
> separating domains from each other so users can only find other users in
> their own organization or share with them.
>
> If I simply need to RTFM please let me know :) LDAP is rather
> complicated and my experience with it is limited, I did succeed in
> setting up a test environment with 389 server on CentOS 7 and letting it
> work with SOGo and Dovecot.
>
> PS in the end all of this should work with postfix/dovecot virtual
> users, but I guess that is off-topic and more a postfix/dovecot issue.

I have a similar installation.

I though have 1 table with all the users (my management interface
handles it this way),
so I setup 1 view for every "domain/customer" I need to manage.
Simply a select which filters by domain ...

I started using the mysql only setup and it worked well, though I
thought it would have been nice to have groups, which are only supported
by the LDAP implementation in SOGo.

So I configured an LDAP service with the mysql backend just to have
groups taken from the database.

[OT] Nobody uses them :-( so I could have left the mysql backend [/OT]

Anyway, then I simply configured the SOGO.conf with the separate domains
and it all works pretty well.
Of course it might become a bit complicated if you often need to
add/remove domains you manage, but it could be scripted pretty easily IMHO.

...
domains = {
  firstdomain = {
    SOGoMailDomain = firstdomain.com;
    SOGoUserSources = (
      {
        /* ldap or mysql configuration */
        ...
        /* here I even have a different ldap address book which is a mapped
           database table of a shared web address book */
      }
    );
  };
  seconddomain = {
    SOGoMailDomain = secondomain.com;
    SOGoUserSources = (
      {
        ...
      }
    );
  };
};
...


Hope this helps,
Alessandro



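Alessandro's approach (one users table, one SQL view per customer domain, a scripted sogo.conf) as an added example; it is not code from the thread or from the SOGo project. It builds the table and the per-domain views in an in-memory SQLite database, checks that no view exposes another domain's addresses (the separation Jeroen is after), and renders the domains section from a plain domain list. Assumptions: the column names c_uid, c_name, c_password, c_cn and mail, which are the ones SOGo's documentation gives for SQL user sources, plus a constructed domain column; the view naming, the sample rows and the database URL are made up for the example.

```python
"""Per-domain SQL views as SOGo user sources, plus an isolation check.

Added example, not Alessandro's or SOGo's code. It assumes an in-memory
SQLite table carrying the column names SOGo's SQL user source expects
(c_uid, c_name, c_password, c_cn, mail) plus a 'domain' column that drives
the views; the rows, the view naming and the database URL are constructed.
"""
import re
import sqlite3

# Constructed sample accounts: (c_uid, c_cn, mail, domain).
SAMPLE_USERS = [
    ("john", "John Doe", "john@firstdomain.com", "firstdomain.com"),
    ("jane", "Jane Roe", "jane@firstdomain.com", "firstdomain.com"),
    ("bob", "Bob Smith", "bob@seconddomain.com", "seconddomain.com"),
]


def view_name(domain):
    """Derive a view name from a domain; rejects anything but hostname
    characters so the domain can be interpolated into DDL safely."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError("not a hostname: %r" % domain)
    return "users_" + re.sub(r"[^a-z0-9]", "_", domain.lower())


def build_db(users=SAMPLE_USERS):
    """Create the users table and one filtered view per domain."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " c_uid TEXT PRIMARY KEY, c_name TEXT NOT NULL, c_password TEXT NOT NULL,"
        " c_cn TEXT NOT NULL, mail TEXT NOT NULL UNIQUE, domain TEXT NOT NULL)"
    )
    for uid, cn, mail, domain in users:
        # c_password would hold a real password hash; a marker is enough here.
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
                     (uid, uid, "{constructed-hash}", cn, mail, domain))
    for domain in sorted({u[3] for u in users}):
        name = view_name(domain)  # validates the domain before interpolation
        # CREATE VIEW cannot take bound parameters, hence the validated literal.
        conn.execute(
            "CREATE VIEW %s AS SELECT c_uid, c_name, c_password, c_cn, mail "
            "FROM users WHERE domain = '%s'" % (name, domain)
        )
    conn.commit()
    return conn


def visible_users(conn, domain):
    """Addresses a SOGo source bound to this domain's view would see."""
    rows = conn.execute("SELECT mail FROM %s ORDER BY mail" % view_name(domain))
    return [row[0] for row in rows]


def domains_isolated(conn, domains):
    """True iff every domain's view exposes only addresses of that domain."""
    for domain in domains:
        for mail in visible_users(conn, domain):
            if mail.rsplit("@", 1)[1].lower() != domain.lower():
                return False
    return True


def render_domains_block(domains, db_url="mysql://sogo:PASSWORD@localhost:3306/sogo"):
    """Render the domains = { ... } section of sogo.conf for a domain list,
    one SQL user source per domain pointing at that domain's view. The keys
    (type, id, viewURL, canAuthenticate, isAddressBook) are the ones SOGo's
    documentation uses for SQL sources; the URL is a placeholder."""
    lines = ["domains = {"]
    for domain in domains:
        key = view_name(domain)[len("users_"):]
        lines += [
            "  %s = {" % key,
            "    SOGoMailDomain = %s;" % domain,
            "    SOGoUserSources = (",
            "      {",
            "        type = sql;",
            "        id = %s;" % key,
            '        viewURL = "%s/%s";' % (db_url, view_name(domain)),
            "        canAuthenticate = YES;",
            "        isAddressBook = YES;",
            "      }",
            "    );",
            "  };",
        ]
    lines.append("};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    conn = build_db()
    domains = ["firstdomain.com", "seconddomain.com"]
    for d in domains:
        print(d, visible_users(conn, d))
    print("isolated:", domains_isolated(conn, domains))
    print(render_domains_block(domains))
```

The isolation check is the part worth keeping around: whenever a domain is added or a view is edited by hand, running it against the real database confirms that each view still returns only its own domain's rows, which is the whole reason for the per-domain sources.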


[SOGo] domain separation using ldap

2016-11-15 Thread Jeroen Beerstra
At the moment we use SOGo as our webmail and contact/calendar solution
at work, mail backend is dovecot+postfix augmented with several addons
to make everything work the way we want it to (antispam, spf, dkim and
srs). All works very well, so first of all a big thank you for providing
this incredible and well thought out open-source software to the
community! I really feel we have something that has more features and
looks and works better than what most big internet service providers
have to offer, and all of that by just putting some time and effort in
freely available open-source software. Again great work!

We also provide e-mail services to selected clients on request and here
is where the problems begin. At the moment we use Mysql as
authentication provider for SOGo only and because I don't want
individual clients to find other clients contact data or possibly more
we use a config section per domain and a separate user table in the
database. This works but is rather hard to maintain.

For this reason and some others I'm looking into LDAP as authentication
provider. Is it possible to use ldap in a similar way? That is by
separating domains from each other so users can only find other users in
their own organization or share with them.

If I simply need to RTFM please let me know :) LDAP is rather
complicated and my experience with it is limited, I did succeed in
setting up a test environment with 389 server on CentOS 7 and letting it
work with SOGo and Dovecot.

PS in the end all of this should work with postfix/dovecot virtual
users, but I guess that is off-topic and more a postfix/dovecot issue.

-- 
kind regards,

Jeroen Beerstra


