Alright. I've responded to about 15 messages on this list about the use of the OpenLDAP module. I'm going to do my best to explain everything that has ever been asked. In case you aren't aware, I'm the author of the LDAP module. A little background on the project: we needed to convert a large LDAP solution over to a vpopmail-based LDAP solution as per the client's request. I knew nothing of LDAP before I began work on the project, and believe you me, I had a hell of a time figuring out exactly how LDAP functioned.

First of all, there is absolutely NO RELATIONSHIP between vpopmail's LDAP module and qmail-ldap. qmail-ldap is an LDAP-enabled qmail-based MTA. The vpopmail LDAP module reads user authentication information out of an LDAP database.

Second, the LDAP module DOES work; however, it is not actively maintained because here at Inter7, we dislike LDAP, and anything using it, with a passion. LDAP is the most terribly conceived idea ever to hit the database industry, and to top it off, it is widely used with bulky commercial mail solutions. I wish I knew why. Just to quell any flaming I might get for my opinions in this area: I've been over the code, I've worked with the big solutions, and I've seen many benchmarks.

Here are common problems that will arise when trying to use the vpopmail LDAP module:

1) Unable to add new information to the database (domains, users, etc.) and/or unable to authenticate out of the database

   Various misconfigurations can occur here:

   A) Bad authentication information (see vldap.h)
   B) Bad BASEDN information (see vldap.h)
   C) Mismatched schema (see vldap.h, and your ldap configurations)

   This will be the main problem people run into. This is a misconfiguration on your end. Not the module. As far as I know, there have been no major re-writes of the OpenLDAP API that would cause the base functions to work differently, causing database information retrieval to fail or act differently.

2) Things are not properly removed from the database

   This worked in the original code. Someone reported an error where something was not properly removed from the database. I have not worked with the LDAP module since early 4.x versions. As you know, 5.0 is a big re-write of a lot of the base vpopmail code. I cannot verify if this is a true bug or not.

Instructions for installing the vpopmail LDAP module:

Okay, folks. I need to say right up front.
If you don't know enough about LDAP to construct a database from scratch without reading for hours on end, you're not going to have great success with this installation. If you're not already an LDAP guru, please just decide upon another database. You will be a lot happier in the long run.

First of all, you need to configure your LDAP server. For our purposes, this will be slapd. You'll need to edit your slapd.conf and your slapd.oc.conf (I think it's called that still). Add the new schema information. You can find all this in vldap.c/vldap.h source files (or you used to be able to). Again, if you don't know what a 'schema' is, you really shouldn't be mucking with LDAP. Do NOT attempt to modify the structure. It will BREAK. Follow the schema from vldap.h/vldap.c.

Modify vldap.h for the authentication information.

Now, in the old version I worked with, you had to create the basedn to start. If this is no longer needed, ignore this step. Create a little LDIF (you'll probably want to save this in case of problems) and pipe it into the database.

If you followed these instructions, and understood everything you were doing more or less, your vpopmail LDAP configuration should be working smoothly.

Last words:

As I said above, the LDAP module has not been verified as extremely functional since early 4.x versions. We'd prefer, if you must use a backend database, that you go with MySQL. I'd really suggest you look at the benchmarking on the MySQL site. MySQL can't hold 2 terabytes of authentication information, but it's three times faster than Oracle. On the flip side, Oracle CAN hold 2 terabytes of authentication information, but unless you're a Fortune 500 company, you probably will not need to bother with that type of database storage.

Any further questions about LDAP, we will not be able to help you with unless you want to fund some sort of documentation, update project. We always welcome funding for any project, of course. :)

I hope this has helped those of you who absolutely cannot live without LDAP authentication. Good luck!

--
[EMAIL PROTECTED]
Inter7 Internet Technologies, Inc.
www.inter7.com - 847-492-0470
Prices at http://www.inter7.com/prices