On 16.08.2012 19:03, Stephen Ingram wrote:
On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray@xxxxxxxxxxxxxxxxxx> wrote:
Hi,

I posted this before without getting a response. I think the question is super simple to answer for LDAP experts. I'll try to rephrase the question (in case it was unclear before…)

I've been googling quite a while on this topic trying all sorts of keyword combinations and found exactly nothing.

LDAP appears to be commonplace, almost every server software I can think of comes with an LDAP authentication module. The services that use the directory may need to have different user bases (i.e. not every Linux user needs to be an IMAP user also and not every IMAP user should automatically be able to SSH into servers).

What is the right way to achieve the above?

1) Have separate LDAP instances running, one for IMAP, the other one for Linux authentication. As there are some users that need both IMAP and Linux access, some users would need to be set up twice.

2) Have all users in one LDAP instance, and have different sets of attributes for IMAP and Linux authentication. Those users with IMAP access have their IMAP attributes filled in and those with Linux logins have their posix account settings filled with values. Some would have both. I do not see how to assign different passwords for the two services for this option. Is there a way?

Are there any other options?
Generally the whole purpose of using a directory server (LDAP) is to benefit from centralized and consistent configuration and authentication. As such, most setups use the same user base for everything (in your case IMAP access and shell logins). You just need to point each service (login and IMAP) to your directory and filter based on the existence of certain attributes. For example, only users with the objectclass=mailRecipient would be allowed to login to your IMAP mail store. This can easily be accomplished through the authentication system of your IMAP software (one that supports LDAP authentication).

Steve
Many thanks for these insights, Steve!

There are two more questions I have:

* Is mailRecipient defined somewhere (schema?) or are these objectClasses free for me to choose?
* Is there a way to have separate passwords for IMAP? Specifically I would like to run Cyrus-imap.

Cheers,
Ray
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
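The single-directory approach Steve describes above, modelled as an added example (not code from the thread or from 389 Directory Server): one user base, and each service admits only the entries that match its own LDAP filter, here `(objectClass=mailRecipient)` for IMAP and `(objectClass=posixAccount)` for shell logins. The directory entries, the filter strings and the service names are constructed for illustration; a real deployment would put the per-service filter into the service's LDAP authentication configuration rather than into Python. The block also escapes the user-supplied uid per RFC 4515 before splicing it into the filter, which is the check a service must do to keep a login name like `*` from turning into a match-all filter.

```python
"""One directory, per-service authorization via LDAP filters.

Constructed example: a tiny in-memory directory and a parser/matcher for the
RFC 4515 filter subset (equality, presence, &, |, !).  No LDAP server needed.
"""
import re

# Constructed sample directory (not real data): same user base for every service.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount", "mailRecipient"],
        "uid": ["alice"], "uidNumber": ["1001"], "mail": ["alice@example.com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bob"], "uidNumber": ["1002"],
    },
    "uid=carol,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "mailRecipient"],
        "uid": ["carol"], "mail": ["carol@example.com"],
    },
}

# Hypothetical per-service filters: what each service's LDAP auth module would
# be configured with, so that only entries carrying that objectClass may log in.
SERVICE_FILTERS = {
    "imap": "(objectClass=mailRecipient)",
    "ssh": "(objectClass=posixAccount)",
}

_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter (blocks filter injection)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _unescape(raw):
    # Turn "\2a"-style hex escapes back into the literal character.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raises ValueError on junk."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' at offset %d" % (op, i))
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    close = s.find(")", i)
    if close < 0:
        raise ValueError("unterminated filter item")
    attr, sep, raw = s[i:close].partition("=")
    if not attr or not sep:
        raise ValueError("bad filter item: %r" % s[i:close])
    if raw == "*":                       # presence test, e.g. (mail=*)
        return ("present", attr), close + 1
    # Equality; values compared case-insensitively, as caseIgnoreMatch would.
    return ("equal", attr, _unescape(raw).lower()), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1].lower()
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    if kind == "present":
        return bool(values)
    return node[2] in values


def search(filter_text):
    """Sorted uids of every entry matching the filter."""
    node = parse_filter(filter_text)
    return sorted(e["uid"][0] for e in DIRECTORY.values() if matches(node, e))


def service_users(service):
    """All users a given service would admit."""
    return search(SERVICE_FILTERS[service])


def is_authorized(service, uid):
    """Login check: the service filter AND'ed with the (escaped) login name."""
    flt = "(&%s(uid=%s))" % (SERVICE_FILTERS[service], escape_filter_value(uid))
    return bool(search(flt))


if __name__ == "__main__":
    for svc in SERVICE_FILTERS:
        print(svc, service_users(svc))
    print(is_authorized("imap", "bob"))   # bob has no mailRecipient class
    print(is_authorized("imap", "*"))     # escaped, so not a match-all filter
```

The same filter strings are what you would hand to each service's LDAP module instead of this matcher; the point the thread makes is that bob and carol live in one directory yet only alice appears in both service lists. Note this models authorization only: it says nothing about giving a user different passwords per service, which the thread leaves open.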