On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray(a)renegade.zapto.org> wrote:
Hi,
I posted this before without getting a response. I think the question is
super simple to answer for LDAP experts. I'll try to rephrase the quiestion
(in case it was unclear beforeā¦)
I've geen googling quite a while on this topic trying all sorts of keyword
combinations and found exactly nothing.
LDAP appears to be commonplace, almost every server software I can think of
comes with an LDAP authentication module. The services that use the
directory may need have different user bases (i.e. not every Linux user
needs to be an IMAP user also and not every IMAP user should automatically
be able to SSH into servers).
What is the right way to achieve the above?:
1) Have separate LDAP instances running, one for IMAP, the other one for
Linux authentication. As there are some users that need both IMAP and Linux
access, some users would need to be set up twice.
2) Have all users in one LDAP instance, and have different sets of
attributes for IMAP and Linux authentication. Those users with IMAP access
have their IMAP attributes filled in and those with Linux logins have their
posix account settings filled with values. Some would have both. I do not
see how to assign different passwords for the two services for this option.
Is there a way?
Are there any other options?
Generally the whole purpose of using a directory server (LDAP) is to
benefit from centralized and consistent configuration and
authentication. As such, most setups use the same user base for
everything (in your case IMAP access and shell logins). You just need
to point each service (login and IMAP) to your directory and filter
based on the existence of certain attributes. For example, only users
with the objectclass=mailRecipient would be allowed to login to your
IMAP mail store. This can easily be accomplished through the
authentication system of your IMAP software (one that supports LDAP
authentication).
Steve