[389-users] Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?

Ray ray at renegade.zapto.org
Thu Aug 16 17:27:12 UTC 2012


On 16.08.2012 19:03, Stephen Ingram wrote:
> On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray at renegade.zapto.org> wrote:
>> Hi,
>>
>> I posted this before without getting a response. I think the question is
>> super simple to answer for LDAP experts. I'll try to rephrase the question
>> (in case it was unclear before…)
>>
>> I've been googling quite a while on this topic trying all sorts of keyword
>> combinations and found exactly nothing.
>>
>> LDAP appears to be commonplace, almost every server software I can think of
>> comes with an LDAP authentication module. The services that use the
>> directory may need to have different user bases (i.e. not every Linux user
>> needs to be an IMAP user also and not every IMAP user should automatically
>> be able to SSH into servers).
>>
>> What is the right way to achieve the above?
>>
>> 1) Have separate LDAP instances running, one for IMAP, the other one for
>> Linux authentication. As there are some users that need both IMAP and Linux
>> access, some users would need to be set up twice.
>>
>> 2) Have all users in one LDAP instance, and have different sets of
>> attributes for IMAP and Linux authentication. Those users with IMAP access
>> have their IMAP attributes filled in and those with Linux logins have their
>> posix account settings filled with values. Some would have both. I do not
>> see how to assign different passwords for the two services for this option.
>> Is there a way?
>>
>> Are there any other options?
>
> Generally the whole purpose of using a directory server (LDAP) is to
> benefit from centralized and consistent configuration and
> authentication. As such, most setups use the same user base for
> everything (in your case IMAP access and shell logins). You just need
> to point each service (login and IMAP) to your directory and filter
> based on the existence of certain attributes. For example, only users
> with the objectclass=mailRecipient would be allowed to login to your
> IMAP mail store. This can easily be accomplished through the
> authentication system of your IMAP software (one that supports LDAP
> authentication).
>
> Steve

Many thanks for these insights, Steve!

There are two more questions I have:

* Is mailRecipient defined somewhere (schema?) or are these objectClasses
free for me to choose?

* Is there a way to have separate passwords for IMAP? Specifically I would
like to run Cyrus-imap.

Cheers,
Ray
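The single-directory approach Steve describes, with each service applying its own search filter, as an added illustration that is not part of the thread: a constructed three-user directory and a small RFC 4515 filter evaluator stand in for a real 389 server so it runs offline. The service filters, the sample entries and the `authorized()` helper are my assumptions; in practice the filter lives in each service's LDAP authentication configuration (for example sssd's `ldap_access_filter` for logins or saslauthd's `ldap_filter` for IMAP). Note the escaping of the login name before it is substituted into the filter, and that a bind is only allowed when the filter matches exactly one entry. This covers only the attribute-based filtering question, not separate per-service passwords, which the thread does not answer.

```python
"""Added example (not from the 389-users thread): one directory, per-service
authorization via LDAP search filters. Constructed data and a minimal
RFC 4515 evaluator replace a live server so this runs offline."""
import re

# Constructed sample entries, shaped like what a search would return.
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",      # shell and mail
     "objectClass": ["top", "person", "posixAccount", "mailRecipient"],
     "uid": ["alice"], "uidNumber": ["1001"], "mail": ["alice@example.com"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",        # shell only
     "objectClass": ["top", "person", "posixAccount"],
     "uid": ["bob"], "uidNumber": ["1002"]},
    {"dn": "uid=carol,ou=People,dc=example,dc=com",      # mail only
     "objectClass": ["top", "person", "mailRecipient"],
     "uid": ["carol"], "mail": ["carol@example.com"]},
]

# Hypothetical per-service filters; {uid} is filled with an escaped login.
SERVICE_FILTERS = {
    "ssh":  "(&(objectClass=posixAccount)(uid={uid}))",
    "imap": "(&(objectClass=mailRecipient)(uid={uid}))",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s: str, i: int = 0):
    """Parse the filter at s[i:]; returns (tree, index just past it).
    Supports &, |, !, equality and presence; no substring wildcards."""
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":
        children, i = [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '{op}' at offset {i}")
        return (op, children), i + 1
    if op == "!":
        child, i = parse_filter(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '!' at offset {i}")
        return ("!", child), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return ("=", attr, value), end + 1


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry; attribute names and
    values are compared case-insensitively, like caseIgnore syntaxes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, raw = node
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr.lower()), [])
    if raw == "*":                          # presence test, e.g. (mail=*)
        return bool(values)
    wanted = _unescape(raw).lower()
    return any(v.lower() == wanted for v in values)


def authorized(service: str, login: str):
    """DN the service may bind as for this login, or None. Exactly one match
    is required: zero means not permitted for this service, more is ambiguous."""
    filt = SERVICE_FILTERS[service].format(uid=escape_filter_value(login))
    tree, end = parse_filter(filt)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    hits = [e["dn"] for e in DIRECTORY if matches(tree, e)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for service in SERVICE_FILTERS:
        for login in ("alice", "bob", "carol"):
            print(f"{service:4} {login:6} -> {authorized(service, login)}")
```

Running it shows alice accepted by both services, bob only by ssh and carol only by imap, which is the "filter on the existence of certain attributes" split from the reply: one user base, no duplicate accounts, and the objectClass an entry carries decides which services it may use.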



