On a project I need to use a database of users that is stored on a Mac Server-based LDAP to create a mail server using postfix+courier and a samba. Can you tell me if anyone has made this, or if it's possible (theoretically it should be)? If you can give me a hint I will thank you for the rest of my days :)
Thanks in advance
It appears that postfix, Courier, and Samba all support pulling user info from LDAP.
You'll need to know the OS X server's LDAP search base (you can find it in Server Admin -> Open Directory module in the sidebar -> Overview in the toolbar) -- it'll generally be the server's full domain name in LDAPspeak (e.g. macserver.example.com would be dc=macserver,dc=example,dc=com); user accounts will be under cn=users,searchbase (e.g. cn=users,dc=macserver,dc=example,dc=com).
User attribute mapping should be fairly straightforward, as OS X follows the unix standard (RFC 2307). If you do need to look at the user's LDAP attributes to figure out how to configure the services, use Workgroup Manager, enable its "All Records" tab and inspector in the application preferences (that's the Preferences under the Workgroup Manager menu, not the Preferences tab in the toolbar); with that enabled, select a user, then select the Inspector tab on the right, and look for "Native" (aka dsAttrTypeNative) attributes to see how the user records are stored in LDAP (note: you can simplify the view a bit by clicking the Options button and turning off everything except "Show Native Attributes").
The biggest sticking point you're likely to run into is that by default, OS X's Open Directory doesn't store user passwords in the "standard" form (unix crypt form in the user record in LDAP), so you may have trouble configuring Courier and Samba to validate user passwords. OD generally authenticates users via either Kerberos or a SASL-based password server. If you can figure out how to configure Kerberos (and the client software/configuration supports it), you're in good shape. I doubt that either Courier or Samba know how to authenticate against the password service, but I could be wrong (and if I am, I'd love to know about it -- please leave a comment with a pointer to more info!).
If neither of those is possible, another option would be to configure the server to authenticate via LDAP bind (i.e. they check user passwords by trying to use the password to authenticate an LDAP connection to the OD server) -- avoid this if possible because it'd require passwords to be sent in plaintext both from the client to the Linux server, and from the Linux server to the OD LDAP server (using SSL can avoid this problem for IMAP and LDAP, but not for SMB; also, recent SMB clients will refuse to send passwords in plaintext). (And I don't know if either Courier or Samba support this.)
Finally, you can store the users' passwords in crypt form (there's an option for this in Workgroup Manager, under the Advanced tab for users) -- avoid this even more because it means the passwords are unencrypted between client and Linux server (unless you use SSL), and also vulnerable to a dictionary attack by anyone with read access to the LDAP domain.
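The following Python is an added example, not code from the original question or answer. It does three things the answer above walks through by hand: derives the Open Directory search base and users container from the server's DNS name, reads an LDIF dump of a user record and reports which password-verification routes that record actually supports (ranked the way the answer ranks them: Kerberos first, LDAP bind as the fallback, crypt hashes last), and emits a Postfix `ldap:` lookup table pointed at that container. The LDIF records are constructed for the example; the `authAuthority` tag meanings (`;Kerberosv5;`, `;ApplePasswordServer;`, `;basic;` for a crypt-style password) are assumptions about how OD labels its records, so check them against your own server's Native attributes in Workgroup Manager before relying on them.

```python
"""Helpers for wiring Linux mail/file services to an OS X Open Directory LDAP domain.

Added example: the LDIF below is constructed, and the authAuthority tag
meanings are assumptions to be confirmed against your own OD records.
"""
import base64

# Order the answer recommends: Kerberos if the client supports it, then the
# Password Server (if anything speaks it), then LDAP bind, and crypt last.
PREFERENCE = ("kerberos", "password_server")


def domain_to_base_dn(fqdn):
    """macserver.example.com -> dc=macserver,dc=example,dc=com (OD's default search base)."""
    labels = [label for label in fqdn.strip().lower().rstrip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def users_container(base_dn):
    """OD keeps user accounts under cn=users,<search base>."""
    return f"cn=users,{base_dn}"


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} dicts, one per entry.

    Handles folded lines (leading space), comments, and base64 ('::') values.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def password_paths(entry):
    """Which password-verification routes this user record supports (assumed tag meanings)."""
    paths = set()
    for value in entry.get("authAuthority", []):
        tag = value.split(";")[1].lower() if value.startswith(";") else ""
        if tag == "kerberosv5":
            paths.add("kerberos")
        elif tag == "applepasswordserver":
            paths.add("password_server")
        elif tag == "basic":              # assumed: crypt hash stored in userPassword
            paths.add("crypt")
    for value in entry.get("userPassword", []):
        if value.upper().startswith("{CRYPT}") or value.startswith("$"):
            paths.add("crypt")            # hash is readable by anyone who can read the record
    return paths


def ranked_options(entry):
    """Viable options for this record, best first, following the answer's ranking."""
    paths = password_paths(entry)
    ranked = [p for p in PREFERENCE if p in paths]
    ranked.append("ldap_bind")            # always possible; plaintext unless the session is TLS-protected
    if "crypt" in paths:
        ranked.append("crypt")            # worst: offline dictionary attack for any LDAP reader
    return ranked


def postfix_ldap_table(server_host, base_dn, use_tls=True):
    """Postfix ldap: table text for virtual_mailbox_maps, keyed on uid (hypothetical mailbox layout)."""
    return "\n".join([
        f"server_host = {server_host}",
        f"search_base = {users_container(base_dn)}",
        "query_filter = (&(objectClass=posixAccount)(uid=%u))",
        "result_attribute = uid",
        "result_format = %s/Maildir/",
        f"start_tls = {'yes' if use_tls else 'no'}",
        "version = 3",
        "bind = no",
    ])


# Constructed sample: alice authenticates via Kerberos/Password Server only,
# bob has the crypt-form password enabled in Workgroup Manager.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=macserver,dc=example,dc=com
objectClass: posixAccount
objectClass: apple-user
uid: alice
uidNumber: 1025
userPassword: ********
authAuthority: ;ApplePasswordServer;0x4d2a1f0c3b7e5a89,1024 35 1234567890 root@macserver.example.com:10.0.0.5
authAuthority: ;Kerberosv5;;alice@MACSERVER.EXAMPLE.COM;MACSERVER.EXAMPLE.COM;

dn: uid=bob,cn=users,dc=macserver,dc=example,dc=com
objectClass: posixAccount
objectClass: apple-user
uid: bob
uidNumber: 1026
userPassword: {CRYPT}$1$saltsalt$ZGwwMzRtMGFqc2x
authAuthority: ;basic;
"""

if __name__ == "__main__":
    base = domain_to_base_dn("macserver.example.com")
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["uid"][0], ranked_options(entry))
    print(postfix_ldap_table("macserver.example.com", base))
```

To run this against a real server, replace `SAMPLE_LDIF` with the output of `ldapsearch -x -H ldap://macserver.example.com -b cn=users,dc=macserver,dc=example,dc=com uid=alice`; a record that comes back with `userPassword: ********` and no `;basic;` authority is one where neither Courier nor Samba will be able to check a hash locally, which is exactly the sticking point the answer describes.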