LDAP (slapd) creating users with access to specific trees
You need to do two things:
- Create an object in the LDAP directory that Postfix can bind to (connect to)
- Write an ACL in OpenLDAP's configuration to allow this user to bind, and search the tree as you desire
To add a simple entry for Postfix, use either a graphical LDAP browser (such as Apache Directory Studio) or the command-line tool ldapadd. Add an object like this:
dn: cn=postfix,ou=Applications,dc=mydomain,dc=com
cn: postfix
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}n+aYhO/TOitWkyMp9v/fe5ndtOhY0/3U
This last line is a hash of the password you want to use, generated via the slappasswd utility:
$ slappasswd -s secret
{SSHA}n+aYhO/TOitWkyMp9v/fe5ndtOhY0/3U
Once this is done, add some ACLs to your slapd.conf that look something like this:
access to dn.sub="dc=mydomain,dc=com" attrs=userPassword
by anonymous auth
access to dn.sub="ou=people,dc=mydomain,dc=com"
by dn.exact="cn=postfix,ou=Applications,dc=mydomain,dc=com" read
See the OpenLDAP admin guide chapter on access control for more details on writing ACLs and their interpretation. Watch out for the order they are in; it matters!
This part of "LDAP for Rocket Scientists" explains how to set up an ACL for parts of your LDAP server tree.