Centos
Postfix/Dovecot multiple authentication backends against Active Directory
So I have a working mail server which authenticates against Active Directory. Everything works fine until I try to add a secondary authentication backend..
Server info:
Server OS: CentOS 7.1.1503
Postfix version: 2.10.1
Dovecot version: 2.2.10
Currently my configuration looks like this:
Postfix configuration files:
/etc/postfix/main.cf
virtual_mailbox_base = /homes/vmail/homes
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf
virtual_uid_maps = static:989
virtual_gid_maps = static:987
ldap-users-primary.cf
server_host = 192.168.250.200
search_base = cn=Users, dc=domain, dc=local
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
bind = yes
bind_dn = user@domain.local
bind_pw = password
ldap-groups-primary.cf
server_host = 192.168.250.200
search_base = ou=Email_Groups, dc=domain,dc=local
version = 3
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
bind = yes
bind_dn = user@domain.local
bind_pw = password
start_tls = no
Dovecot configuration files:
/etc/dovecot/conf.d/10-auth.conf
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-primary.conf
}
userdb {
  driver = static
  args = uid=989 gid=987 home=/homes/vmail/homes/%u
}
dovecot-ldap-primary.conf
hosts = 192.168.250.200
base = cn=Users, dc=domain, dc=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u
All of the settings above work fine and don't cause any problems. Until I try to add the secondary domain controller..
For this I created new configuration files: ldap-users-secondary.cf, ldap-groups-secondary.cf, dovecot-ldap-secondary.conf.
The only thing different in those files is the server IP address (it just points at the secondary domain controller). If I use those files on their own, everything works. But if I modify /etc/postfix/main.cf like this:
virtual_mailbox_base = /homes/vmail/homes
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf, ldap:/etc/postfix/ldap-users-secondary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf, ldap:/etc/postfix/ldap-groups-secondary.cf
virtual_uid_maps = static:989
virtual_gid_maps = static:987
and /etc/dovecot/conf.d/10-auth.conf
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-primary.conf
}
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-secondary.conf
}
userdb {
  driver = static
  args = uid=989 gid=987 home=/homes/vmail/homes/%u
}
it just stops working and starts giving these errors:
NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <user@domain.local>: Temporary lookup failure;
Can anyone help me?
The solution was really simple.. As @sam_pan_mariusz suggested, instead of IP addresses I entered DNS names. Ran some tests and everything works fine.
It turns out that both Postfix and Dovecot allow multiple LDAP hosts in the ldap configuration for failover. As far as I know, though, the configuration has to be identical on all LDAP servers. At least for Postfix.
On Postfix, this does not work reliably:
virtual_mailbox_maps = ldap:/etc/postfix/ad-users-dc-1.cf, ldap:/etc/postfix/ad-users-dc-2.cf
This does work. In main.cf:
virtual_mailbox_maps = ldap:/etc/postfix/ad-users.cf
…and in the ad-users.cf file:
server_host = 192.168.44.75,192.168.44.76
server_port = 389
version = ...
bind = ...
start_tls = ...
bind_dn = CN=...
bind_pw = ...
... etc
On Dovecot, this works. In your ldap target config file:
hosts = 192.168.44.75:389, 192.168.44.76:389
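The following is an added example, not code from the original thread or from the Postfix/Dovecot projects. It parses the two configuration formats shown in the question and the answer above (a Postfix ldap: table file and a Dovecot LDAP config), derives the ordered host list each will try, and models why the comma-separated map list from the question gives no failover while a single map with several server_host entries does. The sample files, the hosts and the stand-in directory contents are constructed; the lookup functions are a simplified model of Postfix's maps_find() rule (a temporary error in one map aborts the lookup instead of falling through to the next map) and of libldap trying server_host entries in order, not the real implementations. Dovecot documents its hosts setting as a space-separated list ("host:port is allowed too"), so the parser flags a token that carries a comma instead of silently repairing it.

```python
# Added example, not code from the original thread. Parses the Postfix ldap:
# table format and the Dovecot `hosts` line, then models Postfix map-list
# lookups against a constructed stand-in for Active Directory.
import re

# Constructed sample of the single-map approach from the answer (ad-users.cf).
POSTFIX_TABLE = """\
server_host = 192.168.44.75,192.168.44.76
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = user@domain.local
bind_pw = password
search_base = cn=Users, dc=domain, dc=local
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
"""

# Constructed Dovecot snippet mirroring the answer (note the comma).
DOVECOT_LDAP = "hosts = 192.168.44.75:389, 192.168.44.76:389\n"


def parse_postfix_table(text):
    """Parse `key = value` lines of a Postfix ldap table; `#` lines are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def postfix_server_hosts(cfg):
    """server_host may list several hosts separated by whitespace or commas;
    libldap tries them in the listed order when connecting."""
    port = int(cfg.get("server_port", "389"))
    names = [h for h in re.split(r"[\s,]+", cfg.get("server_host", "localhost")) if h]
    return [(h, port) for h in names]


def dovecot_hosts(text):
    """Split the Dovecot `hosts` value on whitespace, as documented, and return
    (host, port, problem) tuples; a token containing a comma is flagged."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or key.strip() != "hosts":
            continue
        for token in value.split():
            host, _, port = token.partition(":")
            problem = "token contains a comma; hosts is space separated" if "," in token else None
            out.append((host.rstrip(","), int(port.rstrip(",")) if port else 389, problem))
    return out


class TemporaryError(Exception):
    """Stands in for an LDAP connection failure (server unreachable)."""


def ldap_table_lookup(cfg, name, directory, down):
    """Model one ldap: table lookup: connect to the first reachable server_host
    (libldap failover), then answer from `directory`, a constructed AD stand-in."""
    for host, _port in postfix_server_hosts(cfg):
        if host in down:
            continue  # try the next listed host
        return directory.get(name)
    raise TemporaryError("no LDAP server reachable")


def postfix_maps_find(maps, name, directory, down):
    """Simplified model of Postfix maps_find() over a comma-separated map list:
    maps are consulted in order, a hit ends the search, and a temporary error
    in any map aborts the whole lookup (the 451 4.3.0 seen in the question)."""
    for cfg in maps:
        try:
            result = ldap_table_lookup(cfg, name, directory, down)
        except TemporaryError:
            return None, "451 4.3.0 Temporary lookup failure"
        if result is not None:
            return result, None
    return None, "not found"


def compare(down, name="user@domain.local"):
    """Two maps with one host each versus one map listing both hosts."""
    directory = {"user@domain.local": "user/"}  # constructed sample of AD data
    cfg = parse_postfix_table(POSTFIX_TABLE)
    two_maps = [dict(cfg, server_host="192.168.44.75"), dict(cfg, server_host="192.168.44.76")]
    return {
        "two_maps": postfix_maps_find(two_maps, name, directory, down),
        "one_map": postfix_maps_find([cfg], name, directory, down),
    }


if __name__ == "__main__":
    print(postfix_server_hosts(parse_postfix_table(POSTFIX_TABLE)))
    print(dovecot_hosts(DOVECOT_LDAP))
    print(compare(down={"192.168.44.75"}))
```

With the first domain controller marked down, the two-map layout returns the temporary lookup failure while the single map with two server_host entries still resolves the address. On a live system the equivalent checks are `postmap -q user@domain.local ldap:/etc/postfix/ad-users.cf` for the Postfix table and `doveadm auth test <user>` for the Dovecot passdb, run once with each controller stopped.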