On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users wrote:

> To be precise: Postfix opens your LDAP configuration file and asks
> the LDAP library to create an LDAP client instance, before entering
> the chroot jail and before accepting any SMTP client commands.
> 
> HOWEVER, Postfix does not connect to LDAP sockets before entering
> the chroot jail and before accepting any SMTP client commands. The
> LDAP library decides when it wants to do that.

IIRC we were once upon a time requesting immediate connections to
LDAP, but that was not ideal:

    - It complicated connection sharing across multiple tables with
      the same underlying backend server, that differ only in the
      query details.

    - It also (when chrooted) meant automatic reconnect on error
      to an alternative server, ... would not necessarily work.

    - ...

IIRC, there is in principle a way to perform an early, rather than delayed
LDAP bind, but the OP should instead use:

    proxy:ldap:...

with "proxyread" not chrooted.  This further improves connection sharing
and is a best practice.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
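
A configuration check for the advice in the message above, as an added example that is not part of the original post or of Postfix: it flags `ldap:` tables in main.cf that are not wrapped in `proxy:` and reports whether the proxy service is chrooted in master.cf. The sample files are constructed; the master.cf entry name `proxymap` and the reading of `-` in the chroot column as `n` (the Postfix 3.0+ default) are assumptions of this example.

```python
import re

# Constructed sample files (not from the thread). "-" in the chroot column is
# taken as "n", the Postfix 3.0+ default (assumption of this example).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
proxymap  unix  -       -       n       -       -       proxymap
"""
MAIN_CF = """\
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-mailboxes.cf,
    hash:/etc/postfix/extra
"""

def logical_lines(text):
    """Skip comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def chroot_map(master_cf, default="n"):
    """Map (service, type) -> True if that master.cf entry runs chrooted."""
    rows = [l.split() for l in logical_lines(master_cf)]
    return {(f[0], f[1]): (default if f[4] == "-" else f[4]) == "y"
            for f in rows if len(f) >= 8}

def direct_ldap_tables(main_cf):
    """Return (parameter, table) pairs for ldap: tables not wrapped in proxy:."""
    hits = []
    for line in logical_lines(main_cf):
        name, _, value = line.partition("=")
        hits += [(name.strip(), t) for t in re.split(r"[\s,]+", value.strip())
                 if t.startswith("ldap:")]
    return hits

def audit(master_cf, main_cf):
    findings = [f"{p}: {t} is opened directly; use proxy:{t}"
                for p, t in direct_ldap_tables(main_cf)]
    if chroot_map(master_cf).get(("proxymap", "unix"), False):
        findings.append("proxymap is chrooted in master.cf; set chroot to n")
    return findings
```

Calling `audit(MASTER_CF, MAIN_CF)` on the constructed samples reports only the direct `ldap:` table under `virtual_alias_maps`.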