So I have a working mail server that authenticates against Active Directory. Everything worked fine until I tried to add a secondary authentication backend.
Server information:
Server OS: CentOS 7.1.1503
Postfix version: 2.10.1
Dovecot version: 2.2.10
My configuration is currently as follows:
Postfix configuration files:
/etc/postfix/main.cf
virtual_mailbox_base = /homes/vmail/homes
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf
virtual_uid_maps = static:989
virtual_gid_maps = static:987
ldap-users-primary.cf
server_host = 192.168.250.200
search_base = cn=Users, dc=domain, dc=local
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
bind = yes
bind_dn = [email protected]
bind_pw = password
ldap-groups-primary.cf
server_host = 192.168.250.200
search_base = ou=Email_Groups, dc=domain,dc=local
version = 3
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
bind = yes
bind_dn = [email protected]
bind_pw = password
start_tls = no
Dovecot configuration files:
/etc/dovecot/conf.d/10-auth.conf
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-primary.conf
}
userdb {
driver = static
args = uid=989 gid=987 home=/homes/vmail/homes/%u
}
dovecot-ldap-primary.conf
hosts = 192.168.250.200
base = cn=Users, dc=domain, dc=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u
All of the above settings work fine and cause no problems. That was until I tried to add a secondary domain controller.
To do that, I created new configuration files: ldap-users-secondary.cf, ldap-groups-secondary.cf, dovecot-ldap-secondary.conf.
The only difference in these files is the server IP address (it just points to the secondary domain controller). If I use these files on their own, everything works. But if I modify /etc/postfix/main.cf like this:
virtual_mailbox_base = /homes/vmail/homes
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf, ldap:/etc/postfix/ldap-users-secondary.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf, ldap:/etc/postfix/ldap-groups-secondary.cf
virtual_uid_maps = static:989
virtual_gid_maps = static:987
and /etc/dovecot/conf.d/10-auth.conf:
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-primary.conf
}
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap-secondary.conf
}
userdb {
driver = static
args = uid=989 gid=987 home=/homes/vmail/homes/%u
}
it just stops working and starts throwing these errors:
NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <[email protected]>: Temporary lookup failure;
Can anyone help me?
Answer 1
It turns out that both Postfix and Dovecot allow multiple LDAP hosts in the ldap configuration for failover. As far as I know, though, the configuration has to be the same on all LDAP servers. At least that is the case for Postfix.
On Postfix, this does not work reliably:
virtual_mailbox_maps = ldap:/etc/postfix/ad-users-dc-1.cf, ldap:/etc/postfix/ad-users-dc-2.cf
This does work. In main.cf:
virtual_mailbox_maps = ldap:/etc/postfix/ad-users.cf
...and in the ad-users.cf file:
server_host = 192.168.44.75,192.168.44.76
server_port = 389
version = ...
bind = ...
start_tls = ...
bind_dn = CN=...
bind_pw = ...
... etc
In Dovecot, this works. In your ldap target configuration file:
hosts = 192.168.44.75:389, 192.168.44.76:389
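As an added example (not code from the answer, nor from Postfix or Dovecot), here is a small Python helper that does the merge the answer describes: it parses the per-controller Postfix LDAP table files, checks that nothing except server_host differs between them, and writes one table with a comma-separated server_host failover list. The secondary address 192.168.250.201 and the bind_dn placeholder in the sample input are constructed.

```python
"""Merge per-DC Postfix LDAP tables into one failover table: Postfix accepts a
comma-separated server_host list, but every other parameter must be identical."""

def parse_postfix_table(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        table[key.strip()] = value.strip()
    return table

def differing_keys(a: dict, b: dict, host_key: str = "server_host") -> list:
    """Keys other than host_key whose values differ or are missing on one side."""
    keys = (a.keys() | b.keys()) - {host_key}
    return sorted(k for k in keys if a.get(k) != b.get(k))

def merge_failover_tables(texts: list, host_key: str = "server_host",
                          joiner: str = ",") -> str:
    """Return one table whose host_key lists every host from all inputs, in order."""
    tables = [parse_postfix_table(t) for t in texts]
    for i, other in enumerate(tables[1:], start=2):
        diff = differing_keys(tables[0], other, host_key)
        if diff:
            raise ValueError(f"file {i} differs from file 1 in: {', '.join(diff)}")
    hosts = []
    for t in tables:
        for h in t.get(host_key, "").replace(",", " ").split():
            if h not in hosts:  # de-duplicate while keeping first-seen order
                hosts.append(h)
    lines = [f"{host_key} = {joiner.join(hosts)}"]
    lines += [f"{k} = {v}" for k, v in tables[0].items() if k != host_key]
    return "\n".join(lines) + "\n"

# Constructed sample: the primary table from the question (bind_dn is a
# placeholder) and a secondary pointing at a hypothetical second DC.
PRIMARY = """server_host = 192.168.250.200
search_base = cn=Users, dc=domain, dc=local
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
bind = yes
bind_dn = BIND_DN_PLACEHOLDER
bind_pw = password
"""
SECONDARY = PRIMARY.replace("192.168.250.200", "192.168.250.201")
```

For the Dovecot file, call merge_failover_tables with host_key="hosts" and joiner=", " to get the form shown in the answer.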
Answer 2
The solution was very simple. As @sam_pan_mariusz suggested, I entered DNS names instead of IP addresses. Ran some tests and everything works.