Martin Weinelt
95 lines
3.0 KiB
ReStructuredText
95 lines
3.0 KiB
ReStructuredText
LDAP
|
|
====
|
|
|
|
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and
|
|
managing a centralized directory of user and group information. It can be used
|
|
to authenticate users and provide a single source of truth for email accounts
|
|
and aliases across mail services.
|
|
|
|
|
|
Requirements
|
|
~~~~~~~~~~~~
|
|
|
|
To enable the LDAP integration the following requirements must be fulfilled:
|
|
|
|
- Existing LDAP service (we currently only test against OpenLDAP)
|
|
- Bind credentials against LDAP with permissions to
|
|
|
|
- search for the acceptable set of users
|
|
- read the :option:`mailserver.ldap.attributes.password` attribute
|
|
|
|
- Each user entry must provide attributes that can serve as
|
|
|
|
- :option:`mailserver.ldap.attributes.mail` (primary mail address)
|
|
- :option:`mailserver.ldap.attributes.username` (login name)
|
|
- :option:`mailserver.ldap.attributes.password` (login password)
|
|
- :option:`mailserver.ldap.attributes.uuid` (stable identifier)
|
|
|
|
|
|
Features
|
|
~~~~~~~~
|
|
|
|
We currently have a basic feature set covering user accounts only and try to
|
|
follow best practices to simplify maintenance.
|
|
|
|
- Users authenticate with the username and password attribute
|
|
- Maildir storage paths are constructed using the uuid attribute
|
|
- Primary mail address read from mail attribute
|
|
|
|
|
|
Limitations
|
|
~~~~~~~~~~~
|
|
|
|
Design choices
|
|
^^^^^^^^^^^^^^
|
|
|
|
These are intentional choices in how the mail server operates that affect the
|
|
LDAP integration.
|
|
|
|
- For mail address routing local accounts always take priority over LDAP accounts.
|
|
|
|
Planned
|
|
^^^^^^^
|
|
|
|
These are features we are interested in but require implementation,
|
|
documentation and tests.
|
|
|
|
- Aliases based on LDAP attributes
|
|
- Quotas based on LDAP attributes
|
|
|
|
Avoided
|
|
^^^^^^^
|
|
|
|
The following features will likely never be implemented, since they would
|
|
complicate the setup significantly.
|
|
|
|
- Domains based on LDAP entries (would require integration with everything we
|
|
already do for :option:`mailserver.domains`)
|
|
- Use of ``homeDirectory``, ``uid``, ``gid`` LDAP attributes (we are
|
|
committed to a virtual setup with one vmail user/uid/gid and UUID based home
|
|
directories)
|
|
- Declarative aliases through :option:`mailserver.aliases`. These are limited
|
|
to local accounts, because Postfix enforces sender ownership based on login
|
|
identity and does not consult virtual aliases for authorization.
|
|
|
|
Enabling LDAP support
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Enable the LDAP integration by configuring an authenticated LDAP connection
|
|
and how to locate all users. The bind DN must be allowed to read the configured
|
|
password attribute, which may require additional configuration
|
|
|
|
.. literalinclude:: ./ldap-basic.nix
|
|
:language: nix
|
|
|
|
We provide sensible defaults for each attribute, that can be adapted to your
|
|
local setup.
|
|
|
|
.. literalinclude:: ./ldap-attrs.nix
|
|
:language: nix
|
|
|
|
Refer to our `LDAP test`_ for an complete example, and see the `LDAP options`_ section for all possible settings.
|
|
|
|
.. _LDAP options: options.html#mailserver-ldap
|
|
.. _LDAP test: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/blob/main/tests/ldap.nix
|