Re: [Exim] Using nis/ldap in a reliable fashion (i.e. withou…

Author: Marc MERLIN
Date:  
To: Nico Erfurth, Miquel van Smoorenburg
CC: exim-users
Subject: Re: [Exim] Using nis/ldap in a reliable fashion (i.e. without losing mail)
[Please try to add a blank line between your answer and my quote, it makes
it a bit easier to locate your answers. Thanks much]

On Wed, Sep 18, 2002 at 12:17:03AM +0200, Nico Erfurth wrote:
> This would miss a key, the next one should be better
> condition = ${lookup {$local_part} nis {passwd}{1}}
> ...I think, but i never used nis ;)


Right, thanks.

> check_local_user uses getpwnam (or something similar), so it MUST be
> replaced ;)


Right, that's why I want to stop using it :-)

> Your setup would be much like a virtual-user setup, but with real users.


Indeed.

> >Ah, ok, so we're on the same page then :-)
> >I suppose I could do a nis query on the auto.home map
>
> (i hope map is a NIS-Term, otherwise you should stop thinking in
> postfix-terms ;) )


Yes "map" is a NIS term. I've never used postfix, I just talked to a guy who
knows postfix well and who was telling me about its ldap support.

> >Ah, I forgot about that one, thanks. I wonder if it caches the individual
> >atoms of an ldap query (probably) or the whole query, and I'm not sure I
> >understand how long the result is cached.
>
> exim -d helps, it will tell you if it used a cached or a new result.


Right, I'll have to check that out.

> By using address_data you can lookup (mostly) ALL data with one query
> and reuse the data with extract.


I'll look into this.

> BTW, do you have a mixed LDAP/NIS config?


It's an ldap setup that exports maps to NIS. Ideally, I won't be using NIS
at all, but since I've used NIS a lot in my previous company and I remember
a few bounces every year because a NIS call failed and exim concluded that
the user didn't exist, I was curious about improving my knowledge of this
too.

On Tue, Sep 17, 2002 at 10:39:35PM +0000, "Miquel van Smoorenburg" wrote:
> >and replace check_local_user with a condition string that does an explicit
> >NIS lookup?
>
> Yes, but the only way to do this reliably is to add a new directive
> that makes it possible to define what a "local user" means to
> check_local_user.
>
> check_local_user fills in user, uid, gid, home, and gecos. So
> you need something like

(...)

I see, so you can't really do nsswitch inside exim with the current code,
although it sounds like it wouldn't be a very tough addition.

So I take it that anyone using ldap to store their users and not using
nsswitch and getpwnam to do user lookups is confined to delivering the mail
to cyrus or something like that because exim doesn't know what the user's
UID is and can't setuid to it for delivery. Correct?

> Now you need someone to write up this code and submit it to
> Philip, or perhaps you can talk Philip into implementing this ;)


I just started at google, so I'm not quite sure how much time I'll have for
this quite now, and I'm still working on trying to convince people that we
need to switch to exim :-)

> It would be very useful for sure, since you would be able
> to use what looks like a standard configuration, including
> the expansion of $home (which you can't set in any other
> way right now), yet lose the association with the
> standard Unix password file / users.


Yes, that'd be quite nice.

> It _is_ possible to do it without all this, by doing a NIS lookup
> in a router and putting it in address_data (exim4) and looking
> it up in every subsequent router using $address_data (or by
> setting address_data in every router), but it just doesn't look
> as nice, it's conceptually very different, and you can't use
> address_data for something else easily.


Mmmh, interesting, I'll have to look into this too.

On Wed, Sep 18, 2002 at 01:35:51AM +0200, Nico Erfurth wrote:
> How about a router like this?
> It must be added BEFORE any local router
>
> check_nis:
> driver = redirect
> data = ${lookup {$local_part} nis {passwd}{}}
>
> How it works?
> If your nis-server is reachable, it will just decline (don't produce any
> new address). If the nis-server is down, the router would defer, this
> means, an incoming message would be temp-rejected (if you use receiver
> verification), if a queue-message is going to be delivered, it would
> requeue the message, because of the defer. This one should not be very
> expensive in usage and it maybe warms up the nscd-cache for the user entry.


Mmmh, that's interesting too. Quite a nice hack :-)

On Wed, Sep 18, 2002 at 01:44:16AM +0200, Nico Erfurth wrote:
> Just an addition, with this router you can use the normal
> check_local_user inside of the other routers. This setup is not 100%
> reliable but it should be around 99.9999999% ;)


Right, I understood that. The nis server could go down right after the
router succeeded. But if you use nscd, this shouldn't quite be a problem.
I like that solution :-)

(although Miquel's route is better in the long run and for the general
versatility of exim)

Thanks both for the input.
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@??? for PGP key
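As an added illustration (not configuration posted in the thread), here is how the two approaches discussed above could be written as Exim 4 routers: Nico's guard router, which declines when NIS answers and defers when it does not, followed by an ordinary check_local_user router, and Miquel's address_data variant. The transport name local_delivery and the field layout of the NIS passwd map are assumptions.

```exim
# Added example (not configuration from the thread). Exim 4 router section.
# Assumptions: the NIS "passwd" map returns a standard passwd line
# (name:pw:uid:gid:gecos:home:shell) and a transport named local_delivery
# exists. Use section A or section B, not both.

begin routers

# --- A: Nico's guard router, placed BEFORE any local router ---
# NIS up, user exists : lookup succeeds, success string is empty,
#                       redirect generates no address -> router declines.
# NIS up, user unknown: lookup fails, no failure string given, result is
#                       empty -> router declines as well.
# NIS down           : lookup defers, expansion fails -> router defers,
#                       so the address is temp-rejected at RCPT time or the
#                       queued message is retried, instead of bouncing on a
#                       false "unknown user" from getpwnam().
check_nis:
  driver = redirect
  data = ${lookup {$local_part} nis {passwd}{}}

# Reached only after check_nis declined, i.e. NIS answered a moment ago,
# so the nsswitch getpwnam() call (ideally served by nscd) is very likely
# to succeed for a real user.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

# --- B: Miquel's address_data variant, no getpwnam() at all ---
# One NIS query stores the whole passwd line in $address_data; the value
# stays with the address even though this router declines (empty data).
# "fail" forces expansion failure for unknown users -> decline; a NIS
# outage still defers.
nis_user_data:
  driver = redirect
  address_data = ${lookup {$local_part} nis {passwd}{$value}fail}
  data =

# Later routers pick the fields out of $address_data with extract
# (field 3 = uid, field 4 = gid). $home cannot be set this way, which is
# the limitation Miquel points out.
nis_localuser:
  driver = accept
  condition = ${if def:address_data {yes}{no}}
  user = ${extract{3}{:}{$address_data}}
  group = ${extract{4}{:}{$address_data}}
  transport = local_delivery
```

Running `exim -bt user@example` (hypothetical address) with and without the NIS server reachable shows the decline/defer difference the thread describes.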