Hello,

I have been working on a mail server project that will need to potentially
serve many virtual domains.  One of the design requirements is that any
consolidation of existing mail servers to this one server be transparent
to the end user (with maybe the exception of a password change).  This
means that a) uid must be the same, b) server name must be the same and c)
email address must be the same.

To that end, I've tested the following:

Cyrus, latest CVS, sendmail 8.11.2, pam_ldap used with Netscape Directory
Server 4.12

With the latest CVS of cyrus, I'm using the -C alternate config file
option to cause the master process to bind an imapd process for each
domain we serve.  While this means we have to use at least one IP address
for each domain, it allows us to separate the domains nicely and keeps
users from one domain out of another domain.  It also means that the
design requirements b and c are potentially met.

Combined with an instance of sendmail bound to each IP address as well, I
think I have the SMTP, IMAP, and POP3 bases virtually covered (pun
intended).

The only remaining hurdle is authentication/user enumeration.  Since I'm
binding sendmail (or postfix - still haven't settled on one or the other),
I can specify a different LDAP map for each IP address I'm bound to which
will be much more efficient than just having sendmail search our entire
directory tree and which allows for duplicate uid's in separate domains.

But with Cyrus, I need to somehow pass information up the stack pertaining
to the IP address the request came from.  In turn, with a pam_ldap module
that is IP-address aware, I can switch directory trees based on IP-address
and I think my problem will be solved.

In other words, say I have two imap sockets listening: 172.0.0.1:143 and
172.0.0.2:143, both for different domains.  A request comes in on
172.20.0.1.  SASL would grab the IP address of the local end of the
connection and pass that to PAM, along with the user id and password.
Then, the pam_ldap module would first check its config file to see what
LDAP tree to use for that IP address, then do its search and return.
Currently, the config file for pam_ldap is /etc/ldap.conf and it has
directives like:

host <hostname>
base <directory path>
ldap_version <version>

What I would propose to do is add support to pam_ldap so that it would
support the following config syntax:

host[172.0.0.1] <hostname of directory server>
host[172.0.0.2] <hostname of directory server - can be same or different>
base[172.0.0.1] <dc=domain1,dc=blah>
base[172.0.0.2] <dc=domain2,dc=blah>

I dropped a note to [EMAIL PROTECTED] and Luke thought this might be doable but
he needed to think about it some more.  I think it would really extend
pam_ldap and nss_ldap and allow the mixing and matching of a bunch of
directories.

What do others think of this approach?  I'd appreciate any comments, good
or bad.

Thanks,
Kevin

-- 
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717)-560-6140
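The per-listener lookup proposed above, as an added example (not pam_ldap's own code; the bracketed `directive[ip]` syntax is the hypothetical one from the post and the hostnames and trees are constructed): it parses the proposed directives, normalises the address keys, and resolves `host`/`base` for the local address a connection was accepted on, falling back to the unkeyed default and refusing to guess when neither exists.

```python
import re
from ipaddress import ip_address

# Constructed sample of the proposed /etc/ldap.conf syntax: an unkeyed
# directive is the global default; a "[ip]"-keyed one applies only to
# connections accepted on that local listener address.
SAMPLE_CONF = """\
# existing pam_ldap directives (defaults)
host ldap.example.invalid
base dc=example,dc=invalid
ldap_version 3

# proposed per-listener overrides (hypothetical syntax from the post)
host[172.0.0.1] ldap1.example.invalid
base[172.0.0.1] dc=domain1,dc=blah
base[172.0.0.2] dc=domain2,dc=blah
"""

_DIRECTIVE = re.compile(r"^(?P<key>[a-z_]+)(?:\[(?P<ip>[^\]]+)\])?\s+(?P<value>.+?)\s*$")


def parse_conf(text):
    """Return {directive: {None: default, "<ip>": value, ...}}."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, ip, value = m.group("key"), m.group("ip"), m.group("value")
        if ip is not None:
            ip = str(ip_address(ip))  # canonical form; malformed keys are rejected
        conf.setdefault(key, {})[ip] = value
    return conf


def resolve(conf, local_ip, *directives):
    """Select each directive's value for the LOCAL end of the accepted socket.
    The local address is chosen by the server, not the client, so it is a
    safe selector. A keyed entry wins, then the unkeyed default; if neither
    exists we fail rather than silently authenticate against another tree."""
    local_ip = str(ip_address(local_ip))
    out = {}
    for d in directives:
        table = conf.get(d, {})
        if local_ip in table:
            out[d] = table[local_ip]
        elif None in table:
            out[d] = table[None]
        else:
            raise KeyError(f"no '{d}' for listener {local_ip} and no default")
    return out
```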