On Fri, Jun 04, 2021 at 10:53:25AM +0300, Kapetanakis Giannis wrote:
> I want to separate the ldap configuration to be different per domain.
> I was thinking something like this, but this recursion does not work:
>
> The reason is that the ldap search_base might be different per domain (no
> common parent) and sometimes on a different ldap server.
>
> Is this somehow possible?

For a modest number of such domains, the solution is:

    proxy:ldap:domain1.cf, proxy:ldap:domain2.cf, ..., proxy:ldap:domainN.cf

where "domain<k>.cf" contains:

    domain = domain<k>.example
    server = ...
    search_base = ...
    query = ...

As documented, the "domain = " setting will efficiently locally limit
queries to just the domain in question, without contacting the
underlying server. See:

    http://www.postfix.org/ldap_table.5.html

Note also that the search base supports "%[1-9]" and "%d" substitution
strings, so if the server pool is common, and the search base is
uniformly constructed from the domain names, you can use a single
table with a domain-dependent search base to support multiple similar
domains.

Note, queries must then all be of the form "[email protected]".
Queries for inputs that are just a domain part (or just a user name)
will be ignored.

--
Viktor.
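
The single-table variant described in the reply above, written out as an added example that is not part of the original message. The file name, host names, domain list and DN layout are constructed placeholders; the parameter names are those of ldap_table(5), and the filter and result attribute are that page's documented defaults.

```ini
# /etc/postfix/ldap-multi.cf (hypothetical file name)
# Referenced from main.cf as: proxy:ldap:/etc/postfix/ldap-multi.cf
# Constructed example: hosts, domains and DNs below are placeholders.
# Bind and TLS settings are left out here.

# Server pool shared by all of the domains.
server_host = ldap://ldap1.example.net ldap://ldap2.example.net
version = 3

# Only fully qualified keys (localpart@domain) in these domains are
# looked up. Any other key is answered locally with "not found",
# without contacting the LDAP servers.
domain = domain1.example, domain2.example, domain3.example

# %1, %2, ... are the labels of the key's domain, counted from the
# right. For user@domain1.example: %1 = example, %2 = domain1, so the
# search runs under ou=people,dc=domain1,dc=example.
# A key whose domain has too few labels for the pattern is not searched.
search_base = ou=people,dc=%2,dc=%1

# %s is the complete lookup key.
query_filter = (mailacceptinggeneralid=%s)
result_attribute = maildrop
```

Running `postmap -q user@domain1.example ldap:/etc/postfix/ldap-multi.cf` and then the same query with only `domain1.example` as the key shows the difference between a key that is searched and one that is ignored.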