On 1 November 2012 15:07, Stephen Ingram <sbing...@gmail.com> wrote:

> On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown <rendhal...@gmail.com> wrote:
> > On 1 November 2012 08:20, Stephen Ingram <sbing...@gmail.com> wrote:
> >>
> >> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown <rendhal...@gmail.com>
> wrote:
> >> > Hi everyone,
> >> >
> >> > I have been trying to work out how to achieve this.
> >> > I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix
> and
> >> > dovecot on my new mail server authenticating against Freeipa.
> >> > One last thing I would love to do it pull down the virtual users and
> >> > aliases
> >> > for the domains my mailserver will be serving from freeipa.
> >> > Is this possible?
> >> > Is this all automatic due to sssd looking up the user details in the
> ds?
> >> > Does it do the same for domains and email aliases or will I need extra
> >> > lookups to achieve this.
> >>
> >> I've recently built an entire mail system around FreeIPA and it works
> >> great. There are two parts to be concerned with:
> >>
> >> 1. Authentication - With Postfix, this is handled by saslauthd which
> >> can authenticate against Kerberos (using or not using sssd). I used
> >> Cyrus-IMAP for the mailstore which also uses saslauthd. Doveccot has
> >> it's own sasl built in which can authenticate against Kerberos or
> >> LDAP, thus it should work with IPA.
> >
> >
> > I have dovecot authing against freeipa (via pam)and I setup a sasl auth
> > instance in dovecot and have postfix authing against that.
> > I figured why setup another sasl auth daemon when dovecot can do it for
> me
> > so they effectively use the same authentication source.
> >
> >> 2. Configuration - With Postfix, you can set all different areas (e.g.
> >> virtual, aliases, etc.) to use LDAP lookup of configuration
> >> information. You are typically searching for the email address (mail
> >> attribute in IPA) and your search will generally return the userid
> >> (uid attribute) of where the mail is to be stored. I don't believe
> >> that Dovecot or Cyrus-IMAP have any way of maintaining any
> >> configuration in LDAP so you generally have to setup mailboxes and
> >> authorization information by hand using their tools.
> >
> >
> > I have most of that worked out but getting delivery addresses for domains
> > that aren't the base is proving tricky.
> > It's looking like I will need to add some extra schemas to the ds so i
> can
> > add the delivery domain to each user and somehow use that to construct
> the
> > delivery address.
> > I am not sure I can do that though.
> I didn't really have to add anything except for one extra attribute.
> You can group your users into user groups representing the domains
> they belong to such that Postfix can query whether or not to accept
> for a domain or not. I added mailAlternateAddress for aliases rather
> than user multi-value attribute mail so I can have a "master" email
> address for each user. It was easy to do with the existing schema
> (mailRecipient objectclass). BTW if you haven't already figured it
> out, postmap -q is your friend when setting up your LDAP config in
> Postfix. Just keep adjusting everything until you get the answer you
> (and Postfix) expect.

I discovered that attribute when I was digging around in the ldif files and
I was just wondering why they didn't use that for setting aliases.
It would certainly make my ldap queries for postfix a lot simpler.

I added the mailRecipient class to the defaults for users and tried to use
the ipa user-mod --setattr=mailAlternateAddress= and it is telling me

ipa: ERROR: attribute "mailAlternateAddress" not allowed

I have also trying to set a few other non standard attributes that seem to
be in the default schemas already and they all give me the same error.
Am I missing something?

> I am half tempted to add the extra components of 389-ds and see it that
> will
> > let me do what I need.
> >
> > On a side note the freeipa lads seem to be working out how to add
> > multitenancy support so it will be capable of serving multiple separate
> > Kerberos principals.
> > That would help a lot but I need to cobble something together now.
> Yes, if you want unique uid's within each domain you'll have to wait
> for that. I gave up on that notion and simply require unique uids for
> every user regardless of domain and deliver to single domain style
> mail store setup.

yeah that's tempting but I need to have separate domains.

> Steve
Freeipa-users mailing list

Reply via email to