Re: [Exim] LDAP Efficiency

Author: Douglas Gray Stephens
Date:  
To: Joseph Kezar
CC: exim-users
Subject: Re: [Exim] LDAP Efficiency
Joseph,

At 09:00 on 6-December-2001, Joseph Kezar wrote:
> Can someone better versed in Exim's configuration help me determine
> if this is the most efficient way to process LDAP aliases.


The syntax looks fine, and should be performant (from an LDAP
perspective) provided you have the appropriate indices on your
X.500(LDAP) server.

My only comment is that your example
dn: cn=MIS Staff,ou=Groups,o=Vermont Department of Corrections,c=US
objectClass: top
objectClass: rfc822MailGroup
cn: mis

may have an issue in that it does not follow LDAPv3 standards, in that the
relative distinguished name (cn=MIS Staff) is not one of the values
for the CN; hopefully you have
dn: cn=MIS Staff,ou=Groups,o=Vermont Department of Corrections,c=US
cn: mis
cn: MIS Staff

Secondly, from an exim/ldap perspective, it may be that each message
causes each ldap query to open a new connection to the server,
but it may be that EXIM is smart and re-uses an existing connection
if the ldap host is the same.

(so in ldap terms does exim do
open LDAP
search for cn=${local_part}
close connection
then
open LDAP
search for memberOfGroup
close connection

or does exim do
open LDAP
search for cn=${local_part}
search for memberOfGroup
close connection
). Your LDAP server logs will enable you to see what searches are
being executed.


I hope this helps,

Douglas.


> ____(Director)________________________________________________
> internal_ldap_aliases:
> driver = aliasfile
> search_type = ldapm
> query = ldap://ldap.doc.state.vt.us/ \
> ou=People,o=Vermont Department of Corrections,c=US?mail?sub? \
> (memberOfGroup=${lookup ldapdn {ldap://ldap.doc.state.vt.us/ou=Groups,o=Vermont Department of Corrections,c=US??sub?(cn=${local_part})}})
> file_transport = address_file
> pipe_transport = address_pipe
> ____________________________________________________________
>
> What's happening is that, due to our pre-existing x.500(LDAP) mess, we are forced to use this convention.
>
> We have groups like:
> ____(LDAP Group Object)___________________________________
> dn: cn=MIS Staff,ou=Groups,o=Vermont Department of Corrections,c=US
> objectClass: top
> objectClass: rfc822MailGroup
> cn: mis
> __________________________________________________________
>
> now for the users:
> ____(LDAP User Object)____________________________________
> dn: uid=jkezar + cn=Joseph Kezar,ou=Central Office,ou=Groups,o=Vermont Department of Corrections,c=US
> objectClass: top
> objectClass: person
> memberOfGroup: cn=MIS Staff,ou=Groups,o=Vermont Department of Corrections,c=US
> mail: jkezar@???
> __________________________________________________________
> 1) So when we receive an email for "mis@???" the configuration searches for cn=mis and returns the DN.
> 2) Then it searches the People for the attribute memberOfGroup="That DN"
> When I watch the -d9 logs it seems like there is a heck of a lot of recursion. Am I right?
>
> --
> Joseph Kezar
>


--

================================
Dr. Douglas GRAY STEPHENS        
Global Infrastructure (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND


Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================
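The following is an added illustration, not code from either poster or from Exim. It models in memory the two-step expansion the quoted router performs (find the group whose cn matches the local part, take its DN, then collect the mail attribute of every People entry whose memberOfGroup equals that DN) and applies the LDAPv3 check Douglas raises: every value in an entry's RDN must also appear as a value of that attribute in the entry. The LDIF is constructed from the entries quoted above, with the user entry placed under ou=People so it matches the router's search base, a second (consistent) group added for contrast, and placeholder mail addresses, since the archive masked the real ones. The helper names and the minimal LDIF parser are assumptions for the example; it does not handle continuation lines, base64 values or escaped commas in DNs.

```python
import re

# Constructed sample data modelled on the entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=MIS Staff,ou=Groups,o=Vermont Department of Corrections,c=US
objectClass: top
objectClass: rfc822MailGroup
cn: mis

dn: cn=Wardens,ou=Groups,o=Vermont Department of Corrections,c=US
objectClass: top
objectClass: rfc822MailGroup
cn: wardens
cn: Wardens

dn: uid=jkezar + cn=Joseph Kezar,ou=People,o=Vermont Department of Corrections,c=US
objectClass: top
objectClass: person
uid: jkezar
cn: Joseph Kezar
memberOfGroup: cn=MIS Staff,ou=Groups,o=Vermont Department of Corrections,c=US
mail: jkezar@example.invalid
"""

GROUPS_BASE = "ou=Groups,o=Vermont Department of Corrections,c=US"
PEOPLE_BASE = "ou=People,o=Vermont Department of Corrections,c=US"


def parse_ldif(text):
    """Parse minimal LDIF into a list of (dn, {attr: [values]}) tuples.
    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; values keep their case."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def rdn_pairs(dn):
    """Split the first RDN of a DN into (attr, value) pairs, handling the
    multi-valued form 'uid=x + cn=y' used by the quoted user entry."""
    pairs = []
    for part in dn.split(",", 1)[0].split("+"):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def rdn_consistent(dn, attrs):
    """LDAPv3 (RFC 4512) requires each RDN attribute value to be present as a
    value of that attribute in the entry. Comparison is case-insensitive,
    which matches cn's caseIgnoreMatch rule."""
    return all(
        value.lower() in (v.lower() for v in attrs.get(attr, []))
        for attr, value in rdn_pairs(dn)
    )


def inconsistent_entries(ldif_text):
    """DNs of entries whose RDN value is missing from their own attributes."""
    return [dn for dn, attrs in parse_ldif(ldif_text) if not rdn_consistent(dn, attrs)]


def in_subtree(dn, base):
    """True if dn lies strictly below base (subtree scope, base excluded)."""
    return dn.lower().endswith("," + base.lower())


def expand_alias(ldif_text, local_part, groups_base=GROUPS_BASE, people_base=PEOPLE_BASE):
    """Model the quoted router: (1) the ldapdn lookup finds the group under
    groups_base whose cn equals the local part and yields its DN; (2) the
    ldapm lookup returns the mail values of every entry under people_base
    whose memberOfGroup equals that DN. Returns [] when step 1 finds no
    single group, which is where the real lookup would fail."""
    entries = parse_ldif(ldif_text)
    group_dns = [
        dn for dn, attrs in entries
        if in_subtree(dn, groups_base)
        and local_part.lower() in (v.lower() for v in attrs.get("cn", []))
    ]
    if len(group_dns) != 1:
        return []
    group_dn = group_dns[0].lower()
    members = []
    for dn, attrs in entries:
        if in_subtree(dn, people_base) and any(
            m.lower() == group_dn for m in attrs.get("memberofgroup", [])
        ):
            members.extend(attrs.get("mail", []))
    return members


if __name__ == "__main__":
    print("RDN not among attribute values:", inconsistent_entries(SAMPLE_LDIF))
    print("mis expands to:", expand_alias(SAMPLE_LDIF, "mis"))
```

Run as-is, the first line reports only the MIS Staff group (its RDN value "MIS Staff" is absent from its cn values, exactly the point raised above), while the Wardens group and the multi-valued-RDN user entry pass. The expansion shows why the router needs two round trips: the member search cannot start until the group DN is known, so whether Exim reuses one connection for both lookups is what the server logs would settle.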