Re: [SOGo] domain seperation using ldap
> On Nov 18, 2016, at 5:54 PM, Jeroen Beerstra (jer...@beerstra.org) wrote:
>
> So the question remains and it would be really helpful if I could setup
> LDAP in a way that allows domain separation without needing to add a
> section to the sogo.conf per domain.

I believe this can be perfectly solved if SOGo supports placeholders in LDAP base dn, bind dn, filter, etc.

Related feature request I submitted in the bug tracker:
https://sogo.nu/bugs/view.php?id=3685

Let me copy the request below:

###
Please consider supporting placeholders in LDAP base dn, bind dn and filter, so that we can get flexible LDAP support.

For example, login as user 'j...@mydomain.com':

- %s for full login username (full email address)
- %d for domain part in email address (mydomain.com)
- %u for username part in email address (john)

Then we can get flexible LDAP base dn and bind dn like this:

base dn: domainName=%d,o=domains,dc=iredmail,dc=org
bind dn: mail=%s,ou=Users,domainName=%d,o=domains,dc=iredmail,dc=org
###

With placeholder support, we can easily achieve the "separation", no extra (logical) code required to be done in SOGo itself.

Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).

--
users@sogo.nu
https://inverse.ca/sogo/lists
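The placeholder expansion requested above puts a user-supplied login into a base DN, bind DN or filter, so the login has to be validated and escaped before substitution or a user could end up outside their own `domainName=` subtree. The sketch below is an added example, not SOGo code and not part of the feature request; the function names and the accepted character sets are assumptions, and only the `%s`/`%d`/`%u` placeholders and the two DN templates come from the message.

```python
import re

# Hypothetical helpers for illustration; SOGo has no such functions.
DOMAIN = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
LOCAL = re.compile(r"[A-Za-z0-9._+-]{1,64}")   # assumed policy for the user part
DN_SPECIAL = set(',+"\\<>;=# \x00')            # RFC 4514 specials, escaped everywhere
FILTER_SPECIAL = set('*()\\\x00')              # RFC 4515 specials


def _escape(value, special):
    # Both RFCs accept a backslash followed by two hex digits for any character.
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def split_login(login):
    """Return (user, domain); raise ValueError for anything but user@domain."""
    user, at, domain = login.rpartition("@")
    domain = domain.lower()
    if not at or not LOCAL.fullmatch(user) or not DOMAIN.fullmatch(domain):
        raise ValueError("login must be a plain user@domain address")
    return user, domain


def expand(template, login, special=DN_SPECIAL):
    """Expand %s, %d and %u in a base DN or bind DN template.

    Pass special=FILTER_SPECIAL when the template is a search filter.
    """
    user, domain = split_login(login)
    values = {"s": user + "@" + domain, "d": domain, "u": user}
    return re.sub(r"%([sdu])",
                  lambda m: _escape(values[m.group(1)], special), template)


# Templates quoted from the feature request above.
BASE_DN = "domainName=%d,o=domains,dc=iredmail,dc=org"
BIND_DN = "mail=%s,ou=Users,domainName=%d,o=domains,dc=iredmail,dc=org"

if __name__ == "__main__":
    # Constructed sample logins.
    print(expand(BASE_DN, "john@mydomain.com"))
    print(expand(BIND_DN, "john+sogo@mydomain.com"))
    print(expand("(mail=%s)", "john@mydomain.com", FILTER_SPECIAL))
```

Validation rejects anything that is not a plain address, and escaping still matters afterwards because characters that are legal in a mailbox name, such as `+`, are RDN separators in a DN.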
Re: [SOGo] domain seperation using ldap
On 15-11-16 at 15:54, Alessandro Briosi (a...@metalit.com) wrote:
> On 15/11/2016 13:56, Jeroen Beerstra (jer...@beerstra.org) wrote:
>> We also provide e-mail services to selected clients on request and here
>> is where the problems begin. At the moment we use Mysql as
>> authentication provider for SOGo only and because I don't want
>> individual clients to find other clients contact data or possibly more
>> we use a config section per domain and a separate user table in the
>> database. This works but is rather hard to maintain.
>>
>> For this reason and some others I'm looking into LDAP as authentication
>> provider. Is it possible to use ldap in a similar way? That is by
>> separating domains from each other so users can only find other users in
>> their own organization or share with them.
>>
>> If I simply need to RTFM please let me know :) LDAP is rather
>> complicated and my experience with it is limited, I did succeed in
>> setting up a test environment with 389 server on CentOS 7 and letting it
>> work with SOGo and Dovecot.
>>
>> PS in the end all of this should work with postfix/dovecot virtual
>> users, but I guess that is off-topic and more a postfix/dovecot issue.
>
> I have a similar installation.
>
> I though have 1 table with all the users (my management interface
> handles it this way),
> so I setup 1 view for every "domain/customer" I need to manage.
> Simply a select which filters by domain ...
>
> I started using the mysql only setup and it worked well, though I
> thought it would have been nice to have groups which is only supported
> by the LDAP implementation in SOGo.
>
> So I configured an LDAP service with the mysql backend just to have
> groups taken from the database.
>
> [OT] Nobody uses them :-( so I could have left the mysql backend [/OT]
>
> anyway then I simply configured the SOGO.conf with the separate domains
> and it all works pretty well.
> Of course it might become a bit complicated if you often need to
> add/remove domains you manage,
> but it could be scripted pretty easily IMHO.
>
> ...
> domains = {
>   firstdomain = {
>     SOGoMailDomain = firstdomain.com;
>     SOGoUserSources = (
>       {
>         /* ldap or mysql configuration */
>         ...
>         /* here I even have a different ldap address book which is a mapped
>            database table of a shared web address book */
>       }
>     );
>   };
>   seconddomain = {
>     SOGoMailDomain = secondomain.com;
>     SOGoUserSources = (
>       {
>         ...
>       }
>     );
>   };
> };
> ...
>
>
> Hope this helps,
> Alessandro

Hi Alessandro,

Thank you for your reply. This is exactly the setup we use, that is multiple mysql usersources for different domains. But this is rather hard to maintain, and new internet domains are added on a regular basis. In fact at the moment I'm kind of holding down the principle of also selling e-mail accounts to clients because of this.

So the question remains and it would be really helpful if I could setup LDAP in a way that allows domain separation without needing to add a section to the sogo.conf per domain. As a bonus users could change their e-mail password themselves which would further add to the user experience and take some load off me :)

So is this even possible and if so how does one do this? Pointers would be greatly appreciated also!

--
kind regards
Jeroen Beerstra
Re: [SOGo] domain seperation using ldap
On 15/11/2016 13:56, Jeroen Beerstra (jer...@beerstra.org) wrote:
> We also provide e-mail services to selected clients on request and here
> is where the problems begin. At the moment we use Mysql as
> authentication provider for SOGo only and because I don't want
> individual clients to find other clients contact data or possibly more
> we use a config section per domain and a separate user table in the
> database. This works but is rather hard to maintain.
>
> For this reason and some others I'm looking into LDAP as authentication
> provider. Is it possible to use ldap in a similar way? That is by
> separating domains from each other so users can only find other users in
> their own organization or share with them.
>
> If I simply need to RTFM please let me know :) LDAP is rather
> complicated and my experience with it is limited, I did succeed in
> setting up a test environment with 389 server on CentOS 7 and letting it
> work with SOGo and Dovecot.
>
> PS in the end all of this should work with postfix/dovecot virtual
> users, but I guess that is off-topic and more a postfix/dovecot issue.

I have a similar installation.

I though have 1 table with all the users (my management interface handles it this way), so I setup 1 view for every "domain/customer" I need to manage. Simply a select which filters by domain ...

I started using the mysql only setup and it worked well, though I thought it would have been nice to have groups which is only supported by the LDAP implementation in SOGo.

So I configured an LDAP service with the mysql backend just to have groups taken from the database.

[OT] Nobody uses them :-( so I could have left the mysql backend [/OT]

anyway then I simply configured the SOGO.conf with the separate domains and it all works pretty well. Of course it might become a bit complicated if you often need to add/remove domains you manage, but it could be scripted pretty easily IMHO.

...
domains = {
  firstdomain = {
    SOGoMailDomain = firstdomain.com;
    SOGoUserSources = (
      {
        /* ldap or mysql configuration */
        ...
        /* here I even have a different ldap address book which is a mapped
           database table of a shared web address book */
      }
    );
  };
  seconddomain = {
    SOGoMailDomain = secondomain.com;
    SOGoUserSources = (
      {
        ...
      }
    );
  };
};
...

Hope this helps,
Alessandro
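The message above suggests scripting the per-domain sections. The following is an added example of such a generator, not code from the poster or from the SOGo project: it emits one `domains` entry per mail domain, each with a `baseDN` confined to that domain's subtree. The directory layout follows the base DN quoted elsewhere in this thread; the bind account, password, host and the choice of `mail` as the ID field are placeholders and assumptions.

```python
import re

DOMAIN = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Assumed directory layout (base DN pattern quoted in this thread).
BASE_DN = "domainName={domain},o=domains,dc=iredmail,dc=org"
# Bind account, password and hostname below are placeholders.
SECTION = """\
  {key} = {{
    SOGoMailDomain = "{domain}";
    SOGoUserSources = (
      {{
        type = ldap;
        id = {key}_users;
        CNFieldName = cn;
        IDFieldName = mail;
        UIDFieldName = mail;
        baseDN = "{base_dn}";
        bindDN = "cn=PLACEHOLDER-READER,dc=iredmail,dc=org";
        bindPassword = "PLACEHOLDER";
        hostname = "ldap://127.0.0.1:389";
        canAuthenticate = YES;
        isAddressBook = YES;
        displayName = "{domain} users";
      }}
    );
  }};
"""


def render_domains(domains):
    """Render the `domains = {...}` block, one isolated section per domain."""
    sections, seen = [], {}
    for name in sorted(set(d.strip().lower() for d in domains)):
        # Strict validation keeps quotes and separators out of the config file.
        if not DOMAIN.fullmatch(name):
            raise ValueError("not a valid domain name: %r" % name)
        key = re.sub(r"[^a-z0-9]", "_", name)
        if key in seen:  # e.g. a-b.com and a.b.com would share one section key
            raise ValueError("%s and %s map to the same key" % (seen[key], name))
        seen[key] = name
        sections.append(SECTION.format(
            key=key, domain=name, base_dn=BASE_DN.format(domain=name)))
    return "domains = {\n" + "".join(sections) + "};\n"


if __name__ == "__main__":
    # Constructed sample input.
    print(render_domains(["firstdomain.com", "seconddomain.com"]))
```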
[SOGo] domain seperation using ldap
At the moment we use SOGo as our webmail and contact/calendar solution at work, mail backend is dovecot+postfix augmented with several addons to make everything work the way we want it to (antispam, spf, dkim and srs). All works very well, so first of all a big thank you for providing this incredible and well thought out open-source software to the community! I really feel we have something that has more features and looks and works better than what most big internet service providers have to offer, and all of that by just putting some time and effort in freely available open-source software. Again great work!

We also provide e-mail services to selected clients on request and here is where the problems begin. At the moment we use Mysql as authentication provider for SOGo only and because I don't want individual clients to find other clients contact data or possibly more we use a config section per domain and a separate user table in the database. This works but is rather hard to maintain.

For this reason and some others I'm looking into LDAP as authentication provider. Is it possible to use ldap in a similar way? That is by separating domains from each other so users can only find other users in their own organization or share with them.

If I simply need to RTFM please let me know :) LDAP is rather complicated and my experience with it is limited, I did succeed in setting up a test environment with 389 server on CentOS 7 and letting it work with SOGo and Dovecot.

PS in the end all of this should work with postfix/dovecot virtual users, but I guess that is off-topic and more a postfix/dovecot issue.

--
kind regards,
Jeroen Beerstra