On 04/06/2021 12:10, Viktor Dukhovni wrote:
> On Fri, Jun 04, 2021 at 10:53:25AM +0300, Kapetanakis Giannis wrote:
>
>> I want to separate the ldap configuration to be different per domain.
>> I was thinking something like this, but this recursion does not work:
>>
>> The reason is that the ldap search_base might be different per domain (no
>> common parent) and sometimes on a different ldap server.
>>
>> Is this somehow possible?
>
> For a modest number of such domains, the solution is:
>
>     proxy:ldap:domain1.cf, proxy:ldap:domain2.cf, ..., proxy:ldap:domainN.cf
>
> where "domain<k>.cf" contains:
>
>     domain = domain<k>.example
>     server = ...
>     search_base = ...
>     query = ...
>
> As documented, the "domain = " setting will efficiently locally limit
> queries to just the domain in question, without contacting the
> underlying server. See:
>
>     http://www.postfix.org/ldap_table.5.html
>
> Note also that the search base supports "%[1-9]" and "%d" substitution
> strings, so if the server pool is common, and the search base is
> uniformly constructed from the domain names, you can use a single
> table with a domain-dependent search base to support multiple similar
> domains.
>
> Note, queries must then all be of the form "[email protected]".
> Queries for inputs that are just a domain part (or just a user name)
> will be ignored.
>
That's it !!!

I saw the domain setting while reading ldap_table(5) but I probably need a 2nd coffee :)

I use search_base substitutions for domains on same server but now I want to use a different server.

thanks, I'll try the domain limit.

G
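
Added example (not part of the original thread, and not Postfix's own sample configuration): the per-domain layout described above written out with ldap_table(5) parameter names, plus the single-table variant with a domain-dependent search base. Host names, DNs, file paths and the choice of virtual_alias_maps are constructed assumptions.

```conf
# /etc/postfix/main.cf
# One LDAP table per domain, each behind the proxymap service.
# (virtual_alias_maps is an assumed choice; use whichever map parameter applies.)
virtual_alias_maps =
    proxy:ldap:/etc/postfix/ldap/domain1.cf,
    proxy:ldap:/etc/postfix/ldap/domain2.cf,
    proxy:ldap:/etc/postfix/ldap/shared.cf

# /etc/postfix/ldap/domain1.cf  (constructed values)
# "domain" filters locally: only keys of the form localpart@domain1.example
# are sent to this server; every other key is skipped without an LDAP query.
domain = domain1.example
server_host = ldap://ldap1.domain1.example
search_base = ou=people,dc=domain1,dc=example
query_filter = (mail=%s)
result_attribute = maildrop
version = 3

# /etc/postfix/ldap/domain2.cf  (constructed values)
# Different server and a search base with no common parent.
domain = domain2.example
server_host = ldaps://directory.domain2.example
search_base = ou=mailusers,o=domain2
query_filter = (mail=%s)
result_attribute = maildrop
version = 3

# /etc/postfix/ldap/shared.cf  (constructed values)
# Single table for similar domains on a common server pool.
# For the key user@domain3.example, %1 is "example" and %2 is "domain3",
# so the search base becomes ou=people,dc=domain3,dc=example.
domain = domain3.example, domain4.example
server_host = ldap://ldap.example.net
search_base = ou=people,dc=%2,dc=%1
query_filter = (mail=%s)
result_attribute = maildrop
version = 3
```

Each table can be checked on its own with `postmap -q user@domain1.example ldap:/etc/postfix/ldap/domain1.cf`; a key for another domain, a bare domain or a bare user name should return nothing from that table.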
