aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
23364b04e86313c73aaa4224221946ded5f65ba5
simple-nixos-mailserver/docs/ldap.rst
T
Martin Weinelt 23364b04e8 ldap: allow local accounts and aliases with ldap enabled 
In conflicts between local addresses and LDAP addresses the local one
will always take priority in mail routing.

This is something we now document and guarantee through tests.
2026-03-23 16:25:50 +01:00

95 lines
3.0 KiB
ReStructuredText
Raw Blame History

LDAP
====
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and
managing a centralized directory of user and group information. It can be used
to authenticate users and provide a single source of truth for email accounts
and aliases across mail services.
Requirements
~~~~~~~~~~~~
To enable the LDAP integration the following requirements must be fulfilled:
- Existing LDAP service (we currently only test against OpenLDAP)
- Bind credentials against LDAP with permissions to
- search for the acceptable set of users
- read the :option:`mailserver.ldap.attributes.password` attribute
- Each user entry must provide attributes that can serve as
- :option:`mailserver.ldap.attributes.mail` (primary mail address)
- :option:`mailserver.ldap.attributes.username` (login name)
- :option:`mailserver.ldap.attributes.password` (login password)
- :option:`mailserver.ldap.attributes.uuid` (stable identifier)
Features
~~~~~~~~
We currently have a basic feature set covering user accounts only and try to
follow best practices to simplify maintenance.
- Users authenticate with the username and password attribute
- Maildir storage paths are constructed using the uuid attribute
- Primary mail address read from mail attribute
Limitations
~~~~~~~~~~~
Design choices
^^^^^^^^^^^^^^
These are intentional choices in how the mail server operates that affect the
LDAP integration.
- For mail address routing local accounts always take priority over LDAP accounts.
Planned
^^^^^^^
These are features we are interested in but require implementation,
documentation and tests.
- Aliases based on LDAP attributes
- Quotas based on LDAP attributes
Avoided
^^^^^^^
The following features will likely never be implemented, since they would
complicate the setup significantly.
- Domains based on LDAP entries (would require integration with everything we
already do for :option:`mailserver.domains`)
- Use of ``homeDirectory``, ``uid``, ``gid`` LDAP attributes (we are
committed to a virtual setup with one vmail user/uid/gid and UUID based home
directories)
- Declarative aliases through :option:`mailserver.extraVirtualAliases`. These
are limited to local accounts, because Postfix enforces sender ownership based
on login identity and does not consult virtual aliases for authorization.
Enabling LDAP support
~~~~~~~~~~~~~~~~~~~~~
Enable the LDAP integration by configuring an authenticated LDAP connection
and how to locate all users. The bind DN must be allowed to read the configured
password attribute, which may require additional configuration
.. literalinclude:: ./ldap-basic.nix
:language: nix
We provide sensible defaults for each attribute, that can be adapted to your
local setup.
.. literalinclude:: ./ldap-attrs.nix
:language: nix
Refer to our `LDAP test`_ for an complete example, and see the `LDAP options`_ section for all possible settings.
.. _LDAP options: options.html#mailserver-ldap
.. _LDAP test: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/master/tests/ldap.nix
Reference in New Issue View Git Blame Copy Permalink