
multidomain LDAP



Киньте в меня, пожалуйста, рабочей схемой для OpenLDAP, заточенной под почту и юзеров для многодоменного использования, с возможностью алиасить домены для почты.

Или, может быть, есть более правильное решение (AD не предлагать)?


типа вот, правда оно для postfix+cyrus, т.е. на всех лукапах возвращается email:

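# Postfix main.cf fragment: multi-domain virtual mailboxes looked up in OpenLDAP,
# final delivery to Cyrus over LMTP. Every LDAP table below returns an e-mail
# address (mailForwardingAddress or description) except `recipient`, which
# returns the entry's accountstatus attribute as an access(5) result.
#
# Keeping LDAP table parameters in main.cf (the "ldap:name" + name_* style) is
# the deprecated form described in ldap_table(5); main.cf is normally
# world-readable, so every *_bind_pw below is visible to any local user. The
# current form is one file per table, e.g. `ldap:/etc/postfix/<table>.cf`
# (constructed example path), owned by root and not world-readable.

# Recipient checks, evaluated top to bottom until one returns a verdict.
# static:WARN only logs a warning per recipient (presumably a debugging aid);
# the drac map looks like a POP-before-SMTP (DRAC) client list - confirm.
# The ldap:recipient result must be an access(5) action (OK, REJECT, DUNNO, ...);
# the qmail-ldap schema on this page describes accountStatus values as
# active/noaccess/disabled/deleted, so confirm what the entries actually hold.
# check_relay_domains is deprecated (postconf(5) points to
# reject_unauth_destination); permit_auth_destination already accepted
# everything check_relay_domains would have permitted, so the outcome is
# unchanged and the trailing unconditional reject is no longer needed.
smtpd_recipient_restrictions = check_recipient_access static:WARN,
        permit_mynetworks,
        check_client_access btree:/var/lib/drac/drac,
        check_recipient_access ldap:recipient,
        permit_sasl_authenticated,
        permit_auth_destination,
        reject_unauth_destination
# reject_unverified_sender probes the sender's MX for every unknown sender
# that gets this far; keep it last, as here, and consider address_verify_map
# caching so repeated probes do not hammer remote sites.
smtpd_sender_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        reject_unverified_sender,
        permit
smtpd_helo_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        permit
smtpd_etrn_restrictions = reject

# noanonymous only forbids anonymous SASL mechanisms; add noplaintext unless
# AUTH is limited to TLS sessions (smtpd_tls_auth_only = yes), otherwise
# credentials can cross the wire unencrypted.
smtpd_sasl_security_options = noanonymous
smtpd_helo_required = yes

message_size_limit = 10240000
virtual_transport = lmtp:unix:/var/imap/socket/lmtp

# Domain list: one ou per hosted domain directly under ou=domains (scope one).
# The query returns the ou itself, so any match marks the domain as ours.
# dereference = 0 (never follow aliases) differs from the 3 used by the other
# tables - presumably intentional, confirm.
virtual_mailbox_domains = ldap:domains
domains_server_host = localhost
domains_server_port = 389
domains_base_dn = o=domain.tld
domains_scope = one
domains_bind_dn = uid=postfix,ou=Admins,o=domain.tld
domains_bind_pw = postfixpassword
domains_search_base = ou=domains,o=domain.tld
domains_query_filter = (&(objectClass=top)(ou=%s))
domains_result_attribute = ou
domains_dereference = 0

# Mailbox lookup keyed by local part (%u) inside the domain's ou (%d): entries
# store only the local part in mail / mailAlternateAddress (see the LDIF
# example on this page) and the result is the forwarding address.
# This one table backs both virtual_mailbox_maps and virtual_alias_maps; the
# second, byte-identical copy of the ldapvirtual_* parameters that followed
# virtual_alias_maps was dropped - a later duplicate definition in main.cf
# silently overrides the earlier one, so two copies only invite drift.
virtual_mailbox_maps = ldap:ldapvirtual
ldapvirtual_server_host = localhost
ldapvirtual_server_port = 389
ldapvirtual_base_dn = o=domain.tld
ldapvirtual_scope = one
ldapvirtual_bind_dn = uid=postfix,ou=Admins,o=domain.tld
ldapvirtual_bind_pw = postfixpassword
ldapvirtual_search_base = ou=%d,ou=domains,o=domain.tld
ldapvirtual_query_filter = (|(mail=%u)(mailAlternateAddress=%u))
ldapvirtual_result_attribute = mailForwardingAddress
ldapvirtual_dereference = 3

# Aliases resolve through the same table first; catchall is consulted only
# when no user or alias entry matched.
virtual_alias_maps = ldap:ldapvirtual, ldap:catchall

# Per-domain catch-all: scope base on ou=%d means the domain ou's own
# description attribute, when set, is the address unknown recipients go to.
catchall_server_host = localhost
catchall_server_port = 389
catchall_base_dn = o=domain.tld
catchall_scope = base
catchall_bind_dn = uid=postfix,ou=Admins,o=domain.tld
catchall_bind_pw = postfixpassword
catchall_search_base = ou=%d,ou=domains,o=domain.tld
catchall_query_filter = (&(objectClass=top)(description=*))
catchall_result_attribute = description
catchall_dereference = 3

# Access-map lookup used by smtpd_recipient_restrictions above: same key as
# ldapvirtual, but the value returned is the account's accountstatus.
recipient_server_host = localhost
recipient_server_port = 389
recipient_base_dn = o=domain.tld
recipient_scope = one
recipient_bind_dn = uid=postfix,ou=Admins,o=domain.tld
recipient_bind_pw = postfixpassword
recipient_search_base = ou=%d,ou=domains,o=domain.tld
recipient_query_filter = (|(mail=%u)(mailAlternateAddress=%u))
recipient_result_attribute = accountstatus
recipient_dereference = 3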

borisych ★★★★★

схема ldap:
# qmail-ldap attribute types as posted (OIDs under 1.3.6.1.4.1.7914):
# 1.2.1.x are per-user mail attributes, 1.3.1.x are mailing-group attributes.
# Comments sit between definitions only; slapd joins the whitespace-indented
# continuation lines of each definition into one logical line.
attributetype ( 1.3.6.1.4.1.7914.1.2.1.1 NAME 'qmailUID'
        DESC 'UID of the user on the mailsystem'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.2 NAME 'qmailGID'
        DESC 'GID of the user on the mailsystem'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailMessageStore'
        DESC 'Path to the maildir/mbox on the mail system'
        EQUALITY caseExactIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
# Multi-valued. Equality is caseIgnoreIA5Match, so two aliases differing only
# in case are the same value for search purposes (the Postfix lookups on this
# page search this attribute with %u).
attributetype ( 1.3.6.1.4.1.7914.1.2.1.4 NAME 'mailAlternateAddress'
        DESC 'Secondary (alias) mailaddresses for the same user'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost'
        DESC 'On which qmail server the messagestore of this user is located.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE)
# Multi-valued; this is the attribute the Postfix tables on this page return
# as the delivery address.
attributetype ( 1.3.6.1.4.1.7914.1.2.1.7 NAME 'mailForwardingAddress'
        DESC 'Address(es) to forward all incoming messages to.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# Per DESC this names a program executed for the entry's incoming mail.
# Whoever can write this attribute decides what gets executed on the mail
# host, so slapd ACLs should keep it writable by mail administrators only,
# never by the entry itself.
attributetype ( 1.3.6.1.4.1.7914.1.2.1.8 NAME 'deliveryProgramPath'
        DESC 'Program to execute for all incoming mails.'
        EQUALITY caseExactIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.9 NAME 'qmailDotMode'
        DESC 'Interpretation of .qmail files: both, dotonly, ldaponly, ldapwithprog'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.10 NAME 'deliveryMode'
        DESC 'multi field entries of: nolocal, noforward, noprogram, reply'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.11 NAME 'mailReplyText'
        DESC 'A reply text for every incoming message'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{4096} SINGLE-VALUE )
# Values per DESC: active, noaccess, disabled, deleted. The Postfix
# `recipient` table on this page hands this value to smtpd as an access(5)
# result, which expects an action such as OK/REJECT/DUNNO - check that the two
# vocabularies actually line up in the deployed data.
attributetype ( 1.3.6.1.4.1.7914.1.2.1.12 NAME 'accountStatus'
        DESC 'The status of a user account: active, noaccess, disabled, deleted'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.14 NAME 'qmailAccountPurge'
        DESC 'The earliest date when a mailMessageStore will be purged'
        EQUALITY numericStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.15 NAME 'mailQuotaSize'
        DESC 'The size of space the user can have until further messages get bounced.'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.16 NAME 'mailQuotaCount'
        DESC 'The number of messages the user can have until further messages get bounced.'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.2.1.17 NAME 'mailSizeMax'
        DESC 'The maximum size of a single messages the user accepts.'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# Group attributes (1.3.1.x). Membership and sender/moderator lists can each be
# given three ways: as a DN, as an rfc822 address, or as an LDAP search filter.
attributetype ( 1.3.6.1.4.1.7914.1.3.1.1 NAME 'dnmember'
        DESC 'Group member specified as distinguished name.'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.2 NAME 'rfc822member'
        DESC 'Group member specified as normal rf822 email address.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# A filter stored in the directory is evaluated by the mail software; treat
# write access to it like write access to a membership list.
attributetype ( 1.3.6.1.4.1.7914.1.3.1.3 NAME 'filtermember'
        DESC 'Group member specified as ldap search filter.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{512} )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.4 NAME 'senderconfirm'
        DESC 'Sender to Group has to answer confirmation email.'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.5 NAME 'membersonly'
        DESC 'Sender to Group must be group member itself.'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.6 NAME 'confirmtext'
        DESC 'Text that will be sent with sender confirmation email.'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{4096} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.7 NAME 'dnmoderator'
        DESC 'Group moderator specified as Distinguished name.'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.8 NAME 'rfc822moderator'
        DESC 'Group moderator specified as normal rfc822 email address.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.9 NAME 'moderatortext'
        DESC 'Text that will be sent with request for moderation email.'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{4096} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.10 NAME 'dnsender'
        DESC 'Allowed sender specified as distinguished name.'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

borisych ★★★★★

# Remaining group attributes (1.3.1.x) and the qla* attributes (1.4.1.x),
# followed by the three object classes. The qla* definitions carry an empty
# DESC, so their meaning is not documented here; the names suggest per-subtree
# defaults (UID prefix, quotas, host list) for a delegated admin - confirm
# against qmail-ldap's own documentation before relying on that reading.
attributetype ( 1.3.6.1.4.1.7914.1.3.1.11 NAME 'rfc822sender'
        DESC 'Allowed sender specified as normal rf822 email address.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.12 NAME 'filtersender'
        DESC 'Allowed sender specified as ldap search filter.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{512} )
attributetype ( 1.3.6.1.4.1.7914.1.3.1.13 NAME 'bounceadmin'
        DESC 'rfc822 email address where bounces should be sent to.'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# Referenced as qlaDnManager in the qldapAdmin MUST list below; LDAP short
# names are case-insensitive, so the spellings match.
attributetype ( 1.3.6.1.4.1.7914.1.4.1.1 NAME 'qladnmanager'
        DESC ''
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.2 NAME 'qlaDomainList'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.3 NAME 'qlaUidPrefix'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.4 NAME 'qlaQmailUid'
        DESC ''
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.5 NAME 'qlaQmailGid'
        DESC ''
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.6 NAME 'qlaMailMStorePrefix'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.7 NAME 'qlaMailQuotaSize'
        DESC ''
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.8 NAME 'qlaMailQuotaCount'
        DESC ''
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.9 NAME 'qlaMailSizeMax'
        DESC ''
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7914.1.4.1.10 NAME 'qlaMailHostList'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# Object classes. All three are AUXILIARY, so each must be attached to a
# structural class (the LDIF example on this page uses inetOrgPerson).
# qmailUser has no MUST at all; everything, including userPassword and
# deliveryProgramPath, is optional. userPassword should be stored hashed and
# guarded by a slapd ACL (self write, others auth-only); deliveryProgramPath
# should be writable by mail administrators only.
objectclass ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'qmailUser'
        DESC 'QMail-LDAP User'
        SUP top
        AUXILIARY
        MAY ( mail $ uid $ mailMessageStore $ homeDirectory $ userPassword $
              mailAlternateAddress $ qmailUID $ qmailGID $
              mailHost $ mailForwardingAddress $ deliveryProgramPath $
              qmailDotMode $ deliveryMode $ mailReplyText $
              accountStatus $ qmailAccountPurge $
              mailQuotaSize $ mailQuotaCount $ mailSizeMax ) )
# A group entry cannot be added without mail, mailAlternateAddress AND
# mailMessageStore - all three are MUST.
objectclass ( 1.3.6.1.4.1.7914.1.3.2.1 NAME 'qmailGroup'
        DESC 'QMail-LDAP Group'
        SUP top
        AUXILIARY
        MUST ( mail $ mailAlternateAddress $ mailMessageStore )
        MAY ( dnmember $ rfc822member $ filtermember $ senderconfirm $
              membersonly $ confirmtext $ dnmoderator $ rfc822moderator $
              moderatortext $ dnsender $ rfc822sender $ filtersender $
              bounceadmin) )
# Delegated subtree administrator; MUST qlaDnManager is the 'qladnmanager'
# attribute defined above.
objectclass ( 1.3.6.1.4.1.7914.1.4.2.1 NAME 'qldapAdmin'
        DESC 'QMail-LDAP Subtree Admin'
        SUP top
        AUXILIARY
        MUST ( qlaDnManager $ qlaDomainList $ qlaMailMStorePrefix $
               qlaMailHostList )
        MAY ( qlaUidPrefix $ qlaQmailUid $ qlaQmailGid $ qlaMailQuotaSize $
              qlaMailQuotaCount $ qlaMailSizeMax ) )


пример пользователя и алиаса (для доменов алиасы делаются алиасами в ldap с домена на домен):

# Example user entry. mail holds only the local part ("user"); the domain is
# the ou the entry lives in, which is what the %u / %d Postfix lookups on this
# page rely on. The Postfix search bases use ou=domains while this DN says
# ou=Domains; ou values match case-insensitively, so both name the same entry.
dn: mail=user,ou=domain.tld,ou=Domains,o=domain.tld
sn: user
mail: user
objectClass: top
objectClass: inetOrgPerson
objectClass: qmailUser
# NOTE(review): "dmain.tld" looks like a typo for domain.tld (the ou above) -
# confirm; this is the address virtual_mailbox_maps hands to the LMTP transport.
mailForwardingAddress: user@dmain.tld
# Cleartext as written: slapd stores userPassword exactly as loaded unless
# ppolicy cleartext hashing is enabled. Load a hashed value instead (e.g. the
# {SSHA} output of slappasswd) and restrict reads of userPassword with an ACL.
userPassword: test123
cn: user

# Example alias entry: the RDN and mailAlternateAddress carry the alias local
# part and the entry only forwards. No userPassword is set on it.
dn: mailAlternateAddress=alias,ou=domain.tld,ou=Domains,o=domain.tld
cn: alias
sn: alias
mailAlternateAddress: alias
objectClass: top
objectClass: inetOrgPerson
objectClass: qmailUser
# Same forwarding target as the user entry above (same "dmain.tld" spelling).
mailForwardingAddress: user@dmain.tld

borisych ★★★★★

мне в таких условиях не пришлось изобретать отдельную схему. Достаточно было создать отдельные ou для отдельных доменов и все.

OldFornit

Тут все зависит от того, какой серверный софт вы выберете. У каждого своя схема, плюс могут использоваться отдельные уникальные поля (кроме общих типа mail и т.п.).

Вам для какой?

zgen ★★★★★