0

We are currently researching the best way to go about switching our mail server (dovecot/postfix/debian 7) from local authentication to ldap (AD) authentication.

We would like to have local auth as backup as well during the transition. We could also use courier instead of dovecot if needed.

I am not looking for an answer here, I am just looking for advice from my fellow sysadmins on where to start. I have ldap auth working correctly with dovecot but I don't know how to make the local auth act as a backup.

Any ideas?

1 Answer

2

The dovecot wiki would seem to suggest that Pluggable Authentication Modules (PAM) is a pretty common authentication solution.

PAM also works well with LDAP and there is a lot of information about integrating existing LDAP servers into PAM authentication schemes.

PAM also offers a lot of different customization of the authorization process for various services.

In the past I have used PAM+LDAP with a fallback to local passwords for end user ssh when LDAP servers were unreachable and it worked very well. Sorry about posting as an answer but this seemed like a lot of text for a comment.

Matt
  • I was thinking about that idea as well. I was just wondering if there was a more elegant solution out there. Thanks for the advice. – user2363217 Jul 13 '15 at 21:25
  • I had some difficulty getting used to PAM until I got comfortable with the `pam-config` command. If you by any chance happen to be using a SUSE variant there is a great guide to [Configuring PAM](https://www.suse.com/documentation/sled11/book_security/data/sec_pam_pam-config.html). I use Debian less frequently and am not aware of a similar guide that might be more helpful in your situation, sorry. – Matt Jul 13 '15 at 21:38
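
The PAM+LDAP setup with a local fallback that the answer describes, sketched for Dovecot as an added example (not configuration posted by either participant). It assumes `pam_ldap.so` from Debian's libpam-ldap is already pointed at the AD server, that Dovecot uses its default PAM service name `dovecot`, and that `pam_ldap` reports an unreachable server as `authinfo_unavail`; verify that last point against your module version before relying on it.

```conf
# --- /etc/dovecot/conf.d/auth-system.conf.ext ---------------------------
# Hand password checks to PAM; the stack below decides LDAP vs. local.
passdb {
  driver = pam
}

# --- /etc/pam.d/dovecot -------------------------------------------------
# Variant A (weak): either source is accepted on every login.
# A wrong LDAP password simply falls through to the local one, so a stale
# local password keeps working after the AD account is disabled or reset.
#auth    sufficient  pam_ldap.so
#auth    required    pam_unix.so try_first_pass

# Variant B (stricter): local passwords are consulted only when the
# directory cannot give an answer.
#   success          -> accept and stop
#   authinfo_unavail -> LDAP unreachable, fall through to pam_unix
#   user_unknown     -> account not migrated to AD yet, fall through
#   anything else    -> deny immediately (e.g. wrong AD password)
auth    [success=done authinfo_unavail=ignore user_unknown=ignore default=die]  pam_ldap.so
auth    required    pam_unix.so try_first_pass

account [success=done authinfo_unavail=ignore user_unknown=ignore default=die]  pam_ldap.so
account required    pam_unix.so
```

Once the transition is finished, drop `user_unknown=ignore` and lock or remove the local passwords of migrated users so the fallback path cannot outlive its purpose.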