LDAP
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and managing a centralized directory of user and group information. It can be used to authenticate users and provide a single source of truth for email accounts and aliases across mail services.
Requirements
To enable the LDAP integration the following requirements must be fulfilled:
- Existing LDAP service (we currently only test against OpenLDAP)
- Bind credentials against LDAP with permissions to
  - search for the acceptable set of users
  - read the mailserver.ldap.attributes.password attribute
- Each user entry must provide attributes that can serve as
  - mailserver.ldap.attributes.mail (primary mail address)
  - mailserver.ldap.attributes.username (login name)
  - mailserver.ldap.attributes.password (login password)
  - mailserver.ldap.attributes.uuid (stable identifier)
Features
We currently have a basic feature set covering user accounts only and try to follow best practices to simplify maintenance.
Users authenticate with the username and password attribute
Maildir storage paths are constructed using the uuid attribute
Primary mail address read from mail attribute
Limitations
Design choices
These are intentional choices in how the mail server operates that affect the LDAP integration.
For mail address routing local accounts always take priority over LDAP accounts.
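The following Python is an added example, not code from the mail server project documented here. It shows what the server has to do with an entry once the bind DN can read the mapped attributes: verify the login password against the stored hash (which is why the bind DN needs read access to the password attribute rather than binding as the user), derive the storage path from the stable uuid, refuse entries that lack a mapped attribute, and apply the routing rule above where a local account shadows an LDAP account with the same address. The sample entries and local accounts are constructed here, the password scheme is OpenLDAP's {SSHA}, and the /var/vmail/<uuid> layout is a hypothetical placeholder for the UUID-based maildir paths.

```python
import base64
import hashlib
import hmac

# Attribute mapping, same as the documented defaults.
ATTRIBUTES = {
    "uuid": "entryUUID",
    "username": "uid",
    "password": "userPassword",
    "mail": "mail",
}

# Hypothetical UUID-based maildir layout (the real template is not stated here).
VMAIL_ROOT = "/var/vmail"


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False  # other schemes ({ARGON2}, {CRYPT}, ...) are not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


# Constructed sample entries, as the bind DN would see them after a one-level
# search below ou=users. "bob" deliberately lacks entryUUID.
LDAP_ENTRIES = [
    {
        "dn": "uid=alice,ou=users,dc=example,dc=com",
        "uid": "alice",
        "mail": "alice@example.com",
        "entryUUID": "7d4f8e2a-1c3b-4e5f-9a6b-2c1d3e4f5a6b",
        "userPassword": ssha_hash("correct horse", b"\x01\x02\x03\x04"),
    },
    {
        "dn": "uid=bob,ou=users,dc=example,dc=com",
        "uid": "bob",
        "mail": "bob@example.com",
        "userPassword": ssha_hash("battery staple", b"\x05\x06\x07\x08"),
    },
    {
        "dn": "uid=support,ou=users,dc=example,dc=com",
        "uid": "support",
        "mail": "support@example.com",
        "entryUUID": "0b1c2d3e-4f50-4161-8273-8495a6b7c8d9",
        "userPassword": ssha_hash("shared secret", b"\x09\x0a\x0b\x0c"),
    },
]

# Constructed local (non-LDAP) accounts keyed by primary address.
LOCAL_ACCOUNTS = {
    "postmaster@example.com": "postmaster",
    "support@example.com": "support-local",
}


def usable_entry(entry: dict) -> bool:
    """Accept an entry only if every mapped attribute is present and non-empty."""
    return all(entry.get(attr) for attr in ATTRIBUTES.values())


def authenticate(username: str, password: str, entries=LDAP_ENTRIES):
    """Return {'uuid', 'mail'} for a successful login, otherwise None."""
    for entry in entries:
        if entry.get(ATTRIBUTES["username"]) != username:
            continue
        if not usable_entry(entry):
            return None  # incomplete entry: refuse rather than guess
        if verify_ssha(entry[ATTRIBUTES["password"]], password):
            return {"uuid": entry[ATTRIBUTES["uuid"]], "mail": entry[ATTRIBUTES["mail"]]}
        return None
    return None


def maildir_path(uuid: str) -> str:
    """Storage path derived from the stable uuid, never from uid or homeDirectory."""
    return f"{VMAIL_ROOT}/{uuid}"


def resolve_recipient(address: str, local=LOCAL_ACCOUNTS, entries=LDAP_ENTRIES):
    """Local accounts take priority over LDAP accounts for the same address."""
    if address in local:
        return ("local", local[address])
    for entry in entries:
        if usable_entry(entry) and entry[ATTRIBUTES["mail"]].lower() == address.lower():
            return ("ldap", entry[ATTRIBUTES["uuid"]])
    return None


if __name__ == "__main__":
    print(authenticate("alice", "correct horse"))
    print(resolve_recipient("support@example.com"))
```

Note that a renamed uid leaves the maildir untouched because only entryUUID feeds the path, and that support@example.com resolves to the local account even though an LDAP entry carries the same mail value.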
Planned
These are features we are interested in but require implementation, documentation and tests.
Aliases based on LDAP attributes
Quotas based on LDAP attributes
Avoided
The following features will likely never be implemented, since they would complicate the setup significantly.
- Domains based on LDAP entries (would require integration with everything we already do for mailserver.domains)
- Use of the homeDirectory, uid and gid LDAP attributes (we are committed to a virtual setup with one vmail user/uid/gid and UUID based home directories)
- Declarative aliases through mailserver.aliases. These are limited to local accounts, because Postfix enforces sender ownership based on login identity and does not consult virtual aliases for authorization.
Enabling LDAP support
Enable the LDAP integration by configuring an authenticated LDAP connection and how to locate all users. The bind DN must be allowed to read the configured password attribute, which may require additional access control configuration on the LDAP server. In the example below, scope = "one" searches only the direct children of the base entry.
{
mailserver = {
ldap = {
enable = true;
uris = [
"ldaps://ldap1.example.com"
"ldaps://ldap2.example.com"
];
bind = {
dn = "cn=mail,dc=example,dc=com";
passwordFile = "/run/keys/ldap-bind-pw";
};
base = "ou=users,dc=example,dc=com";
scope = "one";
};
};
}
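The following LDIF is an added example of the server-side access control the bind DN needs, not a file shipped by the mail server project. It assumes OpenLDAP with dynamic configuration (cn=config) and the user database at olcDatabase={1}mdb,cn=config; adjust the database index to your deployment. It grants the bind DN from the configuration above read access to userPassword and to the users subtree, keeps self-service password changes and authentication working, and denies everything else. Because the mail server verifies password hashes itself, this DN can read every user's hash, so it should be the only non-self identity with that right and should connect over ldaps as in the example above.

```ldif
# Added example (not project code). Assumes olcDatabase={1}mdb,cn=config.
# "replace" overwrites the database's whole olcAccess list: merge these
# rules into any ACLs you already have instead of applying them blindly.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=mail,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=com"
  by dn.exact="cn=mail,dc=example,dc=com" read
  by self read
  by * none
olcAccess: {2}to *
  by * none
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f mail-acl.ldif on the LDAP host, then check as the bind DN itself that the password attribute is actually returned: ldapsearch -H ldaps://ldap1.example.com -D "cn=mail,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com" -s one "(uid=alice)" uid mail entryUUID userPassword. If the entry comes back without userPassword, the ACL is not granting read. entryUUID is an operational attribute, so it must be requested explicitly as shown (or with +) to appear in the output.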
We provide sensible defaults for each attribute, which can be adapted to your local setup.
{
mailserver = {
ldap = {
attributes = {
uuid = "entryUUID";
username = "uid";
password = "userPassword";
mail = "mail";
};
};
};
}
Refer to our LDAP test for a complete example, and see the LDAP options section for all possible settings.