Kevin,
Here at Rutgers, we are looking to do the same thing you are, and are
currently running into the same problems you are facing.  Our LDAP servers
run on Novell NDS, and when we initially had this problem with pam_ldap, we
looked to use the pam_nds module, which we thought would handle the problem
with multiple contexts in an ldap tree (since Novell designed LDAP to be
highly organized...)  Nonetheless, I have found the ldap module to be
completely reliable and more customizable than the nds module, and would
prefer to use this module instead.  I would be interested in any work that
is being done to fix this problem.

-John
______________________________________________
John C. Amodeo, Associate Director
Information Technology and Computer Operations
Faculty of Arts & Sciences, Rutgers University
732.932.9455-voice 732.932.0013-fax

"Kevin M. Myer" wrote:

> Hello,
>
> I have been working on a mail server project that will need to
> potentially serve many virtual domains.  One of the design requirements
> is that any
> consolidation of existing mail servers to this one server be transparent
> to the end user (with maybe the exception of a password change).  This
> means that a) uid must be the same, b) server name must be the same and
> c) email address must be the same.
>
> To that end, I've tested the following:
>
> Cyrus, latest CVS, sendmail 8.11.2, pam_ldap used with Netscape Directory
> Server 4.12
>
> With the latest CVS of cyrus, I'm using the -C alternate config file
> option to cause the master process to bind an imapd process for each
> domain we serve.  While this means we have to use at least one IP address
> for each domain, it allows us to separate the domains nicely and keeps
> users from one domain out of another domain.  It also means that the
> design requirements b and c are potentially met.
>
> Combined with an instance of sendmail bound to each IP address as well, I
> think I have the SMTP, IMAP, and POP3 bases virtually covered (pun
> intended).
>
> The only remaining hurdle is authentication/user enumeration.  Since I'm
> binding sendmail (or postfix - still haven't settled on one or the
> other), I can specify a different LDAP map for each IP address I'm bound
> to which
> will be much more efficient than just having sendmail search our entire
> directory tree and which allows for duplicate uid's in separate domains.
>
> But with Cyrus, I need to somehow pass information up the stack
> pertaining to the IP address the request came from.  In turn, with a
> pam_ldap module that is IP-address aware, I can switch directory trees
> based on IP-address and I think my problem will be solved.
>
> In other words, say I have two imap sockets listening: 172.0.0.1:143 and
> 172.0.0.2:143, both for different domains.  A request comes in on
> 172.20.0.1.  SASL would grab the IP address of the local end of the
> connection and pass that to PAM, along with the user id and password.
> Then, the pam_ldap module would first check its config file to see what
> LDAP tree to use for that IP address, then do its search and return.
> Currently, the config file for pam_ldap is /etc/ldap.conf and it has
> directives like:
>
> host <hostname>
> base <directory path>
> ldap_version <version>
>
> What I would propose to do is add support to pam_ldap so that it would
> support the following config syntax:
>
> host[172.0.0.1] <hostname of directory server>
> host[172.0.0.2] <hostname of directory server - can be same or different>
> base[172.0.0.1] <dc=domain1,dc=blah>
> base[172.0.0.2] <dc=domain2,dc=blah>
>
> I dropped a note to [EMAIL PROTECTED] and Luke thought this might be
> doable but he needed to think about it some more.  I think it would
> really extend
> pam_ldap and nss_ldap and allow the mixing and matching of a bunch of
> directories.
>
> What do others think of this approach?  I'd appreciate any comments, good
> or bad.
>
> Thanks,
> Kevin
>
> --
> Kevin M. Myer
> Systems Administrator
> Lancaster-Lebanon Intermediate Unit 13
> (717)-560-6140
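As an added illustration of the per-address config syntax Kevin proposes (this is example code written for this thread, not part of pam_ldap or nss_ldap, whose real config parser does not support `host[ip]`/`base[ip]`): a small parser that treats un-indexed `host`/`base`/`ldap_version` lines as defaults and `directive[ip]` lines as overrides for one local socket address, then resolves which directory a uid lookup should go to. The config text, hostnames and addresses below are constructed for the example; the uid is escaped per RFC 4515 before it is placed in the search filter so a user-supplied login name cannot change the filter's meaning.

```python
"""Example parser for the proposed per-address pam_ldap config syntax.
Not pam_ldap code; hostnames, addresses and config text are constructed."""
import ipaddress
import re

# Constructed sample in the proposed syntax: un-indexed directives are the
# defaults, "directive[ip]" lines override them for one local address.
SAMPLE_CONFIG = """
# defaults used when no per-address entry matches
host ldap.example.invalid
base dc=example,dc=invalid
ldap_version 3

host[172.0.0.1] ldap1.example.invalid
base[172.0.0.1] dc=domain1,dc=blah
host[172.0.0.2] ldap2.example.invalid
base[172.0.0.2] dc=domain2,dc=blah
"""

# key, optional [addr] suffix, whitespace, value
_LINE = re.compile(r"^(?P<key>[a-z_]+)(?:\[(?P<addr>[^\]]+)\])?\s+(?P<value>.+?)\s*$")


def parse_config(text):
    """Return (defaults, per_addr); per_addr maps an IP string to {key: value}."""
    defaults, per_addr = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, addr, value = m.group("key", "addr", "value")
        if addr is None:
            defaults[key] = value
        else:
            # Normalise and reject malformed addresses at load time rather
            # than silently never matching at authentication time.
            ip = str(ipaddress.ip_address(addr))
            per_addr.setdefault(ip, {})[key] = value
    return defaults, per_addr


def resolve_directory(defaults, per_addr, local_ip):
    """Merge the defaults with the overrides for the local socket address."""
    ip = str(ipaddress.ip_address(local_ip))
    settings = dict(defaults)
    settings.update(per_addr.get(ip, {}))
    for required in ("host", "base"):
        if required not in settings:
            raise KeyError(f"no '{required}' configured for local address {ip}")
    return settings


def escape_filter_value(value):
    """RFC 4515 escaping: a uid taken from the login must not alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def uid_search(defaults, per_addr, local_ip, uid):
    """Build the (host, base, filter) triple for a uid lookup on this socket."""
    d = resolve_directory(defaults, per_addr, local_ip)
    return d["host"], d["base"], f"(uid={escape_filter_value(uid)})"


if __name__ == "__main__":
    defaults, per_addr = parse_config(SAMPLE_CONFIG)
    print(uid_search(defaults, per_addr, "172.0.0.1", "kevin"))
    print(uid_search(defaults, per_addr, "172.0.0.9", "kevin"))  # falls back to defaults
```

Resolving on the local (bound) address rather than anything the client sends is what keeps one domain's users out of another's directory: the selector is fixed by which socket the daemon accepted the connection on, so a request cannot steer itself to a different base.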

