Raniz l33t
Joined: 13 Sep 2003 Posts: 967 Location: Varberg, Sweden
Posted: Sat Feb 21, 2009 1:55 pm Post subject: OpenLDAP for authenticating both mail and website
I'm currently in the process of setting up a server for a small organization. The server should provide shell access, mail access and a website with information about people's roles in the organization; there will be a login system on the website.
I think LDAP would be a good backend to store all the information, but the problem is that I don't know how to structure the database. My problem is that just because someone is listed on the website doesn't mean they should have shell or mail access; some users should have shell but not mail access, and some should have shell and mail access but shouldn't be listed on the website. The organization is divided into smaller sections that can be further divided (like a tree structure).
The website isn't done yet; we'll probably code it ourselves or hire someone to code it, so there are no requirements there. Shell access is provided by Gentoo and will probably be hardened with grsecurity at some point. As far as mail goes, I don't really care what MTA is used as long as it's stable and supports LDAP as a backend and virus/spam filtering.
Any ideas how to structure the database? I'm thinking about creating a custom schema with flags for the different types of access for every user, but I don't know if that is the correct way to go.
I appreciate any help I can get =)
Raniz l33t
Joined: 13 Sep 2003 Posts: 967 Location: Varberg, Sweden
Posted: Sat Feb 21, 2009 5:42 pm
I solved the shell access part: I found out that users without the posixAccount objectClass cannot log in.
Now I only need to solve the mail part. Is it possible to filter on objectClass with Postfix as well?
Falador n00b
Joined: 18 Jan 2004 Posts: 60
Posted: Sat Feb 21, 2009 9:27 pm
I have Postfix set up with an LDAP backend and filter on the following attributes:
mail
mailAlternateAddress
AccountStatus
Example
Code:
# main.cf: old-style (pre-Postfix 2.1) ldap table parameters for a table referenced as ldap:ldapvirtual
ldapvirtual_server_host = example.net
ldapvirtual_server_port = 389
ldapvirtual_bind = yes
ldapvirtual_bind_dn = cn=Manager, dc=example, dc=net
ldapvirtual_bind_pw = password
ldapvirtual_search_base = ou=Users, dc=example, dc=net
# %s is replaced by the looked-up address; only entries whose status is active or shared resolve
ldapvirtual_query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(|(AccountStatus=active)(accountStatus=shared)))
ldapvirtual_result_attribute = mailMessageStore
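The two gating rules discussed so far (shell access only for entries carrying posixAccount, mail delivery only for entries matched by the Postfix query filter above) can be checked against a handful of entries without a running slapd. The following is an added example written for this page, not code from the thread or from Postfix/OpenLDAP: it implements the RFC 4515 filter subset the posted filter needs (and/or/not, equality, presence, substring, \xx escapes), applies the same RFC 4515 escaping to the lookup key that Postfix applies to %s, and evaluates both rules over a constructed sample directory. The entry names, addresses and mailbox paths are invented; the website listing is a third, independent predicate that this example leaves to the web application.

```python
"""Evaluate shell and mail gating over constructed LDAP entries.

Added example, not from the thread: a minimal RFC 4515 filter evaluator
plus the two access checks. Sample entries below are invented.
"""
import re

# Filter exactly as posted above (attribute names are case-insensitive).
POSTFIX_QUERY_FILTER = (
    "(&(|(mail=%s)(mailAlternateAddress=%s))"
    "(|(accountStatus=active)(accountStatus=shared)))"
)


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value, as Postfix does for %s:
    only * ( ) \\ and NUL carry meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(raw):
    # Single-byte \xx escapes only; multi-byte UTF-8 values are out of scope here.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def _parse(s, i):
    """Parse one parenthesised component starting at s[i]; return (node, next index)."""
    i = _expect(s, i, "(")
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), _expect(s, i, ")")
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), _expect(s, i, ")")
    eq = s.index("=", i)
    end = s.index(")", eq)
    # Keep the value raw so an escaped \2a stays distinguishable from a wildcard '*'.
    return ("=", s[i:eq].strip().lower(), s[eq + 1:end]), end + 1


def parse_filter(text):
    text = text.strip()
    node, i = _parse(text, 0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def _value_matches(actual, raw):
    # Split on unescaped '*' first, then unescape each literal piece.
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def matches(entry, node):
    """Evaluate a parsed filter against one entry (lower-cased attr -> [values])."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":  # presence filter, e.g. (mail=*)
        return bool(values)
    return any(_value_matches(v, raw) for v in values)


def make_entry(**attrs):
    """Build an entry with lower-cased attribute names and list values."""
    return {k.lower(): list(v) if isinstance(v, (list, tuple)) else [v]
            for k, v in attrs.items()}


# Constructed sample directory (invented data, not a real organisation).
SAMPLE_ENTRIES = {
    "uid=alice,ou=Users,dc=example,dc=net": make_entry(  # shell and mail
        objectClass=["inetOrgPerson", "posixAccount"], uid="alice",
        uidNumber="1001", gidNumber="100", homeDirectory="/home/alice",
        mail="alice@example.net", mailAlternateAddress="a.liden@example.net",
        accountStatus="active", mailMessageStore="/var/mail/alice"),
    "uid=bob,ou=Users,dc=example,dc=net": make_entry(  # shell only
        objectClass=["inetOrgPerson", "posixAccount"], uid="bob",
        uidNumber="1002", gidNumber="100", homeDirectory="/home/bob"),
    "uid=carol,ou=Users,dc=example,dc=net": make_entry(  # listed, but disabled
        objectClass=["inetOrgPerson"], uid="carol", mail="carol@example.net",
        accountStatus="disabled", mailMessageStore="/var/mail/carol"),
    "uid=dave,ou=Users,dc=example,dc=net": make_entry(  # mail only
        objectClass=["inetOrgPerson"], uid="dave", mail="dave@example.net",
        accountStatus="shared", mailMessageStore="/var/mail/dave"),
}


def lookup_mailbox(entries, address, query_filter=POSTFIX_QUERY_FILTER,
                   result_attr="mailMessageStore", escape=True):
    """Mimic a Postfix ldap: table lookup: substitute the (escaped) key for
    every %s, evaluate the filter over the search base, collect results.
    escape=False shows what an unescaped key would do; Postfix always escapes."""
    key = escape_filter_value(address) if escape else address
    node = parse_filter(query_filter.replace("%s", key))
    return [v for e in entries.values() if matches(e, node)
            for v in e.get(result_attr.lower(), [])]


def has_shell(entry):
    """nss_ldap's default passwd filter is (objectClass=posixAccount)."""
    return any(oc.lower() == "posixaccount" for oc in entry.get("objectclass", []))


if __name__ == "__main__":
    for dn, entry in SAMPLE_ENTRIES.items():
        print(dn, "shell" if has_shell(entry) else "no-shell")
    print(lookup_mailbox(SAMPLE_ENTRIES, "a.liden@example.net"))
```

The escape=False path is there to show why Postfix quotes %s: the key `*@example.net` unescaped turns the equality assertion into a substring match and returns every active mailbox in the domain, while the escaped `\2a@example.net` matches nothing. Two practitioner notes on the posted configuration itself: binding as cn=Manager for a lookup-only table gives the mail server the directory's full write access, so a dedicated bind DN with read access to just mail, mailAlternateAddress, accountStatus and mailMessageStore is the least-privilege choice; and since main.cf is normally world-readable, the bind password belongs in a separate ldap: table file with restricted permissions rather than in main.cf.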
ScarletPimpFromHell n00b
Joined: 15 May 2007 Posts: 32 Location: Sydney
Posted: Sat Feb 21, 2009 9:55 pm
Quote:
Any ideas how to structure the database? I'm thinking about creating a custom schema with flags for the different types of access for every user, but I don't know if that is the correct way to go.
Mate, have a look at the standard LDAP schemas supplied with the ebuild. The classes person, organizationalPerson and inetOrgPerson should have everything you may need.
adeel n00b
Joined: 12 Jan 2009 Posts: 1
Posted: Thu Apr 02, 2009 8:07 am
Raniz wrote:
I solved the shell access part: I found out that users without the posixAccount objectClass cannot log in.
Now I only need to solve the mail part. Is it possible to filter on objectClass with Postfix as well?
Feel like writing a short howto for others who are in similar situations?
neonknight Guru
Joined: 19 Jul 2003 Posts: 357 Location: Zurich, Switzerland
Posted: Thu Apr 02, 2009 9:12 am
Hi, I set up a Postfix/Courier mail server according to this howto: http://wiki.bsdforen.de/howto/postfix_courier_openldap
If you want encrypted passwords for SMTP AUTH, this will be a bit tricky, but quite simple once you get the trick: use the SASL authdaemon to authenticate your SMTP clients, and let SASL authenticate against your local IMAP server. Courier is already described in the howto and is very easy to set up.