[Exim] Re: exim an ldap problem ...

Author: Derrick 'dman' Hudson
Date:  
To: exim-users
Subject: [Exim] Re: exim an ldap problem ...
--
On Thu, Jul 11, 2002 at 05:32:32PM +0000, Lars Nixdorf wrote:

| I use exim-3 and openldap-2.0.25. I want to put the aliases in
| ldapserver. For single addresses there is no problem.
|
| But how could I use exim to handle groups/mailing lists with ldap?


Depends on your schema.

| Could anybody help me, perhaps with some example code...


For the schema I choose, the LDAP objects look like these examples :

dn: uid=dman,ou=People
objectClass: posixAccount
objectClass: mailRecipient
uid: dman
mail: Derrick.Hudson@???
mailAlternateAddress: dman@???
mailGroupLocalPart: group1
mailGroupLocalPart: group2

dn: uid=user2,ou=People
objectClass: posixAccount
objectClass: mailRecipient
uid: user2
mail: user2@???
mailGroupLocalPart: group1
mailGroupLocalPart: group3

(note that I modified the mailRecipient object class to have the
mailGroupLocalPart attribute, but I don't have a proper OID for it)

The exim config for the group looks like this :

    # mail groups/lists as specified in LDAP
    ldap_list:
        driver = redirect
        domains = +local_domains


        data = ${lookup ldapm {\
                    ldap://the.host.name.example/\
                    ou=People\
                    ?uid?one?\
                    (& (objectClass=mailRecipient) \
                    (mailGroupLocalPart=${quote_ldap:$local_part}) ) \
                    }  {$value} fail }


(uhh, actually this is a router for exim 4, you'll have to upgrade or
backport this to exim3 yourself)

I have local users checked before any of the other ldap stuff is
checked, since local users are in LDAP (using pam_ldap and nss_ldap)
and the mail: attribute is First.LastName@domain, which needs to be
redirected to uid@domain, and uid@domain is a mailAlternateAddress
(which needs to not be redirected in a loop to itself).

I haven't tested this one, but something like this should work for a
schema using the "rfc822MailGroup" object class proposed by some
expired IETF drafts[1]. However, with this I have assumed that the value
associated with the attribute is the user's local part, not their ldap
dn.

    ldap_list:
        driver = redirect
        domains = +local_domains
        # The group entry itself is the search base, so the scope is "base"
        # (not "one") and the local part is quoted for DN context with
        # quote_ldap_dn rather than with the filter-context quote_ldap.
        data = ${lookup ldap {\
                    ldap://the.host.name.example/\
                    ou=${quote_ldap_dn:$local_part},ou=MailGroups\
                    ?mailGroupMember?base?\
                    (objectClass=rfc822MailGroup)\
                    }  {$value} fail }



HTH,
-D

[1] all the ldap-mail drafts are expired, and there really aren't any
    standards that I could find



PS. A few days ago someone asked about handling the case where each
    mail group member was stored as the dn.  I just thought of a
    solution to that -- redirect to "dn@domain", and have another
    router that treats $local_part as the dn and redirects to the
    actual local user name.  That would actually allow people to send
    mail to "dn@domain" instead of "user@domain", but that shouldn't
    be a problem, especially if they never know that.


    Another solution might be to use ${extract} if the dn contains the
    username in the right format (and then bypass an extra ldap query
    since the textual manipulation would suffice).


--

Many are the plans in a man's heart,
but it is the Lord's purpose that prevails.
        Proverbs 19:21


http://dman.ddts.net/~dman/
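An added, offline emulation of the two ldap_list routers from the message above (example code, not the original poster's): it rebuilds the LDAP URLs Exim's lookups are given, applies RFC 4515 filter escaping and RFC 4514 DN escaping (the two contexts Exim's ${quote_ldap:} and ${quote_ldap_dn:} operators quote for), and shows what the ldapm lookup returns for the two LDIF entries from the post. The host name is the placeholder from the post; the LDIF is a constructed inline copy of those entries without the redacted mail attributes.

```python
HOST = "the.host.name.example"  # placeholder host name from the post

# Constructed copy of the two entries shown in the post (mail attributes dropped).
LDIF = """\
dn: uid=dman,ou=People
objectClass: mailRecipient
uid: dman
mailGroupLocalPart: group1
mailGroupLocalPart: group2

dn: uid=user2,ou=People
objectClass: mailRecipient
uid: user2
mailGroupLocalPart: group1
mailGroupLocalPart: group3
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def quote_ldap(value):
    """Filter-context escaping (RFC 4515): * ( ) \\ and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def quote_ldap_dn(value):
    """DN-context escaping (RFC 4514): backslash-escape the RDN specials."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)

def mailrecipient_url(local_part):
    """URL the first (ldapm) router hands to Exim's lookup for $local_part."""
    return ("ldap://%s/ou=People?uid?one?(&(objectClass=mailRecipient)"
            "(mailGroupLocalPart=%s))" % (HOST, quote_ldap(local_part)))

def rfc822mailgroup_url(local_part):
    """URL of the second router: the group entry is the base, so scope is base."""
    return ("ldap://%s/ou=%s,ou=MailGroups?mailGroupMember?base?"
            "(objectClass=rfc822MailGroup)" % (HOST, quote_ldap_dn(local_part)))

def members(entries, local_part):
    """What the ldapm lookup returns: uid of each mailRecipient in the group.
    Because the local part is quoted, only a literal, exact value matches."""
    return [e["uid"][0] for e in entries
            if "mailRecipient" in e.get("objectClass", [])
            and local_part in e.get("mailGroupLocalPart", [])]
```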
