Viktor Dukhovni via Postfix-users:

> On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users wrote:
>
> > To be precise: Postfix opens your LDAP configuration file and asks
> > the LDAP library to create an LDAP client instance, before entering
> > the chroot jail and before accepting any SMTP client commands.
> >
> > HOWEVER, Postfix does not connect to LDAP sockets before entering
> > the chroot jail and before accepting any SMTP client commands. The
> > LDAP library decides when it wants to do that.
>
> IIRC we were once upon a time requesting immediate connections to
> LDAP, but that was not ideal:
>
> - It complicated connection sharing across multiple tables with
>   the same underlying backend server, that differ only in the
>   query details.
>
> - It also (when chrooted) meant automatic reconnect on error
>   to an alternative server, ... would not necessarily work.
>
> - ...
>
> IIRC, there is in principle a way to perform an early, rather than delayed
> LDAP bind, but the OP should instead use:
>
>     proxy:ldap:...
>
> with "proxyread" not chrooted. This further improves connection sharing
> and is a best practice.
Confirmed. proxy:ldap improves sharing and can sidestep chroot issues, as long as the read-only 'proxymap' service is not chrooted in master.cf.

Wietse

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
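The two conditions the thread ends on (LDAP tables go through proxy:ldap, and proxymap is not chrooted in master.cf) can be checked mechanically. This is an added example, not code from the thread or from Postfix: a POSIX shell snippet that reads a constructed master.cf sample and a constructed main.cf table list. The column layout and the "-" default rule (chroot defaults to "y" before Postfix 3.0 and "n" from 3.0 on) are taken from master(5); the file paths are made up.

```shell
# Added example (not from the thread). Reads a master.cf-style text and a
# main.cf table list and reports whether the proxy:ldap advice above is
# actually in effect. The sample content below is constructed for offline use.
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
proxymap   unix  -       -       y       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
cleanup    unix  n       -       y       -       0       cleanup'

SAMPLE_VIRTUAL_ALIAS_MAPS='proxy:ldap:/etc/postfix/ldap-aliases.cf, proxy:ldap:/etc/postfix/ldap-groups.cf'

# proxymap_chroot_flag <master.cf text> [postfix major version, default 3]
# Prints the effective chroot flag (y or n) of the proxymap unix service,
# or "missing" if there is no such service line. "-" in the chroot column
# selects the default, which master(5) documents as "y" before Postfix 3.0
# and "n" from 3.0 on.
proxymap_chroot_flag() {
    flag=$(printf '%s\n' "$1" |
        awk '$1 == "proxymap" && $2 == "unix" { print $5; exit }')
    [ -n "$flag" ] || flag=missing
    if [ "$flag" = "-" ]; then
        if [ "${2:-3}" -ge 3 ]; then flag=n; else flag=y; fi
    fi
    printf '%s\n' "$flag"
}

# all_ldap_tables_proxied <table list>
# Returns 0 when every ldap: table in a comma/space separated main.cf value
# goes through proxymap (proxy:ldap:), 1 if any is looked up directly.
all_ldap_tables_proxied() {
    for t in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$t" in
            proxy:ldap:*) ;;
            ldap:*) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: the constructed sample proxies its lookups but still
# runs proxymap chrooted, which defeats the point of proxy:ldap.
if all_ldap_tables_proxied "$SAMPLE_VIRTUAL_ALIAS_MAPS" &&
   [ "$(proxymap_chroot_flag "$SAMPLE_MASTER_CF" 3)" = y ]; then
    echo "WARNING: proxy:ldap in use but proxymap is chrooted in master.cf"
fi
```

On a real host, feed it the output of `postconf -M proxymap/unix` and `postconf -h virtual_alias_maps` instead of the constructed samples.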