postfix-users October 2010 archive

Recommended approach for LDAP as backend for virtual domain hosting?

From: Andreas Ntaflos <daff_at_nospam>
Date: Mon Oct 04 2010 - 21:15:35 GMT
To: postfix-users@postfix.org

Hi,

I have sent this message almost verbatim to the OpenLDAP list as well
(since it is fundamentally about LDAP) but I am sure many people on this
list have extensive experience with virtual domain hosting in
conjunction with LDAP.

Short version: What is a recommended way to set up virtual mail hosting
based on OpenLDAP? I.e. providing mail and authentication services, like
SMTP and IMAP, using Postfix and Dovecot, for multiple *independent
domains* such as example.net, example.org, example.com? How should the
DIT be designed for that?

I am looking for RTFMs, HOWTOs, blogs, or any experience and anecdotes
anyone can provide. I myself have no experience designing a DIT in LDAP (I
more at home in Postgres) and have much learning to do.

Long version: I know such setups exist and I have found many references
in the archives of the OpenLDAP list but there was never a completely
straightforward answer that didn't say "it depends on your requirements"
(with no follow-ups) or involve frontends/add-ons like Jamm or Phamm,
which I have no interest in.

So the requirements are basically:
 * Independent domains and users, i.e. john.doe@example.org is
completely different/distinct from john.doe@example.net
  * Thus accounts in different domains must have separate password
fields
 * Groups and aliases must be possible
 * Performance should not be terrible, obviously
 * Applications such as Apache, Ejabberd, Wikis and Webmail clients (to
name a few) which support LDAP authentication should be able to query
the DIT or DITs without needing any hacks or ugly constructs (this is a
vague requirement, I know).
 * Users are purely virtual, i.e. have no shell accounts

Now I believe the question basically boils down to this:

Should we use multiple independent backend databases (DITs) or one large
"hosting" database as described in [1,2]? Which of the two is the better
approach? Which is more flexible, which has less administrative or
functional overhead?

If we use multiple DITs we probably will have to glue them together
somehow, won't we? How would queries against multiple independent DITs
look?

Our current setup is more like [1,2], one big hosting database. It is a
PostgreSQL database with tables for virtual domains
(virtual_mailbox_domains), virtual users (virtual_mailbox_maps), virtual
aliases (virtual_alias_maps) and a few others. It is based loosely on
the HOWTO in [3].

This works fine but now the need has arisen to see if we can migrate
that setup to an LDAP-based one, mainly for flexibility and
compatibility with various authentication needs: many applications and
services provide some kind of LDAP-based authentication but are
hopelessly overwhelmed with SQL backends, especially when the queries
are a bit complex.

Thanks in advance!

Andreas

PS: I gathered much from the article in [1] but by now it is over 7
years old and many things have changed so I can't follow it to the
letter.

[1] http://www.linuxjournal.com/article/5917
[2]
http://www.linuxjournal.com/files/linuxjournal.com/linuxjournal/articles/059/5917/5917f2.jpg
[3] http://workaround.org/ispmail/lenny
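Added illustration for the "one big hosting DIT" option the post weighs against per-domain DITs (editor's example, not the poster's code and not Postfix or OpenLDAP code): a small Python model of one hosting tree with a dc= subtree per domain, accounts keyed by their full address, and the three Postfix ldap: tables from the post (virtual_mailbox_domains, virtual_mailbox_maps, virtual_alias_maps) plus a password lookup of the same shape, queried with the query_filter/%s/%u/%d expansion that ldap_table(5) documents. The LDIF is constructed sample data; the objectClass mailAlias and the attribute mailForwardingAddress are assumed schema elements (schema MUST attributes are omitted), and the filter engine covers only the equality/&/| subset these tables need.

```python
"""One 'hosting' DIT for several independent mail domains, queried the way
Postfix ldap: tables expand query_filter (%s/%u/%d). Added illustration, not
Postfix or OpenLDAP code: the LDIF is constructed sample data; mailAlias and
mailForwardingAddress are assumed schema elements (MUST attributes omitted)."""
import re

# Constructed DIT: one dc= subtree per domain, users keyed by full address, so
# john.doe@example.org and john.doe@example.net are separate entries, each with
# its own userPassword; alias entries may point at any address in any domain.
SAMPLE_LDIF = """
dn: dc=example.org,o=hosting
objectClass: domain
dc: example.org

dn: uid=john.doe,ou=people,dc=example.org,o=hosting
objectClass: inetOrgPerson
uid: john.doe
mail: john.doe@example.org
userPassword: {SSHA}constructed-hash-org

dn: dc=example.net,o=hosting
objectClass: domain
dc: example.net

dn: uid=john.doe,ou=people,dc=example.net,o=hosting
objectClass: inetOrgPerson
uid: john.doe
mail: john.doe@example.net
userPassword: {SSHA}constructed-hash-net

dn: mail=all@example.net,ou=aliases,dc=example.net,o=hosting
objectClass: mailAlias
mail: all@example.net
mailForwardingAddress: john.doe@example.net
mailForwardingAddress: john.doe@example.org
"""

# (search_base, query_filter, result_attribute, result_format): the keys a Postfix
# ldap: .cf file takes. PASSWORDS has the shape an IMAP or web LDAP auth needs.
DOMAINS = ('o=hosting', '(&(objectClass=domain)(dc=%s))', 'dc', '%s')
MAILBOXES = ('o=hosting', '(&(objectClass=inetOrgPerson)(mail=%s))', 'mail', '%d/%u/')
ALIASES = ('o=hosting', '(&(objectClass=mailAlias)(mail=%s))', 'mailForwardingAddress', '%s')
PASSWORDS = ('o=hosting', '(&(objectClass=inetOrgPerson)(mail=%s))', 'userPassword', '%s')

def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): one dict per entry."""
    entries, cur = [], {}
    for line in text.splitlines() + ['']:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith('#'):
            attr, _, value = line.partition(':')
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def escape(value):
    """RFC 4515 escaping of filter metacharacters, as Postfix applies to the
    lookup key before substitution, so a key cannot add wildcards or terms."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def expand(template, key):
    """ldap_table(5) expansion: %s whole key, %u local part, %d domain part;
    %d with a key lacking '@' suppresses the query (returns None)."""
    if '@' in key:
        user, domain = key.rsplit('@', 1)
    elif '%d' in template:
        return None
    else:
        user, domain = key, ''
    parts = {'%s': key, '%u': user, '%d': domain}
    return re.sub(r'%[sud]', lambda m: parts[m.group()], template)

def parse_filter(s, i=0):
    """Recursive-descent parse of '(&..)', '(|..)' and '(attr=value)' only."""
    i += 1                                       # skip '('
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # skip closing ')'
    j = s.index(')', i)
    attr, _, value = s[i:j].partition('=')
    return ('=', attr.lower(), value.lower()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] in '&|':
        return (all if node[0] == '&' else any)(matches(k, entry) for k in node[1])
    return any(v.lower() == node[2] for v in entry.get(node[1], []))

def lookup(directory, table, key):
    """One Postfix-style query: escape and expand the filter, search the
    subtree under search_base, then format each result_attribute value."""
    base, query_filter, result_attribute, result_format = table
    flt = expand(query_filter, escape(key))
    if flt is None:
        return []
    node, _ = parse_filter(flt)
    return [expand(result_format, v) for e in directory
            if (e['dn'][0].lower() == base or e['dn'][0].lower().endswith(',' + base))
            and matches(node, e) for v in e.get(result_attribute.lower(), [])]
```

In a real deployment each tuple becomes one .cf file (search_base, query_filter, result_attribute, result_format) referenced as, for instance, `virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailboxes.cf`, and the directory server does the filter evaluation; the model only reproduces the lookup semantics so the DIT shape can be checked offline. Two points carry over directly: keying accounts by the full `mail` value is what keeps same-named users in different domains apart (and gives each its own userPassword that Dovecot or a webmail client can bind against with the same filter shape), and the RFC 4515 escaping of the key is what stops an address containing `*` or `)` from widening the search.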