Re: [Exim] Re: LDAP virtual users ACL condition

Author: Craig Jackson
Date:  
To: Sheldon Hearn, exim-users
Subject: Re: [Exim] Re: LDAP virtual users ACL condition
Sheldon Hearn wrote:

>On (2003/10/16 16:09), Sheldon Hearn wrote:
>
>>I'm using the following macro, because I reuse it in my
>>ldap_localdelivery router:
>>
>>LDAP_MANAGER = user="cn=Manager,dc=clue,dc=bz" pass=secret
>>LDAP_LOCAL_USER = \
>>  ${if \
>>    eq \
>>      {$local_part@$domain} \
>>      { \
>>        lookup{$local_part@$domain} \
>>          ldap{LDAP_MANAGER \
>>            ldap:///cn=$local_part@$domain,dc=clue,dc=bz?mail?base \
>>          } \
>>      } \
>>    {yes}{no} \
>>  }
>
>Horribly flawed. I finally figured out that I needed ${lookup ...}, and
>then found that the ldap lookup itself was broken. Here's what I ended
>up with:
>
>LDAP_MANAGER = user="cn=Manager,dc=clue,dc=bz" pass=secret
>LDAP_LOOKUP_EMAIL = \
>  ${lookup \
>    ldapm{ \
>      LDAP_MANAGER \
>      ldap:///ou=people,dc=clue,dc=bz?mail?sub?\
>        (cn=${quote_ldap:$local_part@$domain})\
>    } \
>    {$value} \
>  }
>LDAP_LOCAL_USER = \
>  ${if \
>    eq \
>      {$local_part@$domain} \
>      {LDAP_LOOKUP_EMAIL} \
>    {yes}{no} \
>  }
>
>Then the check_rcpt ACL condition works:
>
>  accept condition    = LDAP_LOCAL_USER
>
>I insert the following router before all others:
>
>ldapuser:
> driver = accept
> condition = LDAP_LOCAL_USER
> transport = ldap_delivery
> cannot_route_message = Unknown user
>
>The ldap_delivery transport is simple enough, but hasn't yet been
>extended to get the mailbox path from LDAP:
>
>ldap_delivery:
> driver = appendfile
> maildir_format
> check_string = ""
> create_directory
> current_directory = /var/mail
> directory = /var/mail/$domain/$local_part
> directory_mode = 0775
> user = mailnull
> group = mail
> mode = 0660
> delivery_date_add
> envelope_to_add
> return_path_add
> no_mode_fail_narrower
>
>Big up to Tony Earnshaw, whose past postings in the archives were
>invaluable[1]. And my LDAP books[2] arrive tomorrow, so I hope not to
>be bugging you all with too much of this any time soon. When I end up
>with something I think others will find useful, I'll follow up.
>
>Ciao,
>Sheldon.
>
>[1] The great thing about calling someone's contribution invaluable is
>    that it supports non-payment. ;-)
>[2] LDAP System Administration
>    [ISBN: 1565924916]
>    Understanding and Deploying LDAP Directory Services (2nd Edition)
>    [ISBN: 0672323168]


Hey Sheldon,

I've just been through a similar wringer cross-eyed looking at curly
brackets out the wazoo.
If I may, let me give you a snapshot of my configure file and it might help:

##################
acl_smtp_rcpt = acl_check_rcpt

acl_check_rcpt:
accept  message       = User account unknown or disabled
          domains       = +local_domains
          endpass
          local_parts   =  \
                ${lookup ldap system aliases } : \
                ${lookup ldap mail users } : \
                ${lookup ldap domain aliases } : \
                ${lookup ldap domain pipes }
##################
Looks like a lot but it's still faster than opening huge files.



Now the routers:

##################
begin routers

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

system_aliases:
driver = redirect
allow_fail
allow_defer
hide data = ${lookup ldap system aliases}
user = user

user_aliases:
driver = redirect
allow_fail
allow_defer
hide data = ${lookup ldap user aliases }
user = user

list_pipes:
driver = redirect
allow_fail
allow_defer
hide data = ${lookup ldap {domain pipes}
user = mail
pipe_transport = address_pipe

check_account_status:
driver = accept
hide condition = ${if eq {check for attribute accountStatus true}
transport = account_disabled_autoreply

out_of_office:
driver = accept
hide condition = ${if eq {${lookup ldap check for attribute
outOfOffice true}
transport = out_of_office_reply
unseen

forward_only:
driver = redirect
hide condition = ${if eq {${lookup ldap {check attribute true }
hide data = ${lookup ldap { find forward email address }
no_verify
no_expn
check_ancestor

forward_copy:
driver = redirect
hide condition = ${if eq {${check attribute true}
hide data = ${lookup ldap {find forward email address}
no_verify
no_expn
check_ancestor
unseen

virtualuser:
driver = accept
transport = virtual_delivery
no_more

begin transports

remote_smtp:
driver = smtp

virtual_delivery:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
  hide directory = ${lookup ldap {find mail directory}/Maildir
  create_directory
  hide quota = ${lookup ldap {get quota }M
  quota_is_inclusive = false
  quota_warn_threshold = 80%
  quota_warn_message = \
        To: $local_part@$domain\n \
        Subject: Mailbox Limit\n \
        \n \
        The size of your mailbox has exceeded the warning threshold set by \
        company policy. \
        Please clean out your mailbox.\n
  maildir_format=true
  maildir_tag= ,S=$message_size


address_pipe:
driver = pipe
return_output

account_disabled_autoreply:
  driver = autoreply
  user = mail
  from = mailadmin@$domain
  to = $sender_address
  subject = Account Disabled
  text = Mail is not being accepted for this account at this time. \
        The account has been disabled.
  return_message


out_of_office_reply:
driver = autoreply
user = mail
from = $local_part@$domain
to = $sender_address
subject = Out of Office Message
text = ${lookup ldap { lookup the users message}
return_message
##############################################################

OpenLDAP ACLs make this all work beautifully. Here's my OpenLDAP ACL in
slapd.conf:
#########################################################
access to attrs=homeDirectory,quota,accountStatus
by anonymous auth
by dn="cn=admin,dc=dom,dc=com" write
by dn="cn=postmaster,ou=([^,]+),dc=dom,dc=com" write
by * none

access to
attrs=clearPassword,userPassword,outOfOffice,outOfOfficeText,forwardOnly,forwardCopy,forwardMail
by anonymous auth
by self write
by dn="cn=admin,dc=dom,dc=com" write
by * none

access to dn="ou=([^,]+),dc=dom,dc=com"
by dn="cn=admin,dc=dom,dc=com" write
by dn="cn=postmaster,ou=$1,dc=dom,dc=com" write
by * none

access to dn="^.*,ou=([^,]+),dc=dom,dc=com"
by self write
by dn="cn=admin,dc=dom,dc=com" write
by dn="cn=postmaster,ou=$1,dc=dom,dc=com" write
by dn="^.*,ou=$1,dc=dom,dc=com" read
by * none

access to attr=accountStatus
by dn="cn=admin,dc=dom,dc=com" read

access to *
by dn="cn=admin,dc=dom,dc=com" write
by self write
by users read
by * read
###########################################
Some of those attributes I had to add to authldap.schema that comes with
Courier-imap. So each mail user can edit the attributes he needs and doesn't
see the ones we don't want him to see. The postmaster can edit/create/delete
all in his domain and of course the admin is god. I use phpldapadmin to
administer the openldap database -- it is so convenient and well thought out
web interface -- and easy to change to suit your needs.

I'm not asking anyone to read through all of the above, BUT if you do and see
errors or a better way please feel free to post.

Thanks,

--
Craig Jackson
cjackson@???
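Added example, not code from either poster: a Python model of Sheldon's LDAP_LOOKUP_EMAIL and LDAP_LOCAL_USER macros, showing why the `${quote_ldap:...}` in the final version matters. RFC 4515 filter escaping stands in for Exim's quote_ldap, the search is emulated over a constructed in-memory directory, and the entry names are assumptions.

```python
# Added example, not code from the thread: models LDAP_LOOKUP_EMAIL /
# LDAP_LOCAL_USER. RFC 4515 escaping stands in for Exim's ${quote_ldap:...};
# the directory below is a constructed stand-in for ou=people,dc=clue,dc=bz.
import re
from typing import List

# Constructed sample entries: cn -> mail attribute
DIRECTORY = {
    "sheldon@clue.bz": "sheldon@clue.bz",
    "alias@clue.bz": "sheldon@clue.bz",   # cn and mail differ on purpose
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value: '*', '(', ')', '\\'
    and NUL become a backslash plus two hex digits, so they match literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(local_part: str, domain: str) -> str:
    """The (cn=${quote_ldap:$local_part@$domain}) filter from the macro."""
    return "(cn=%s)" % escape_filter_value("%s@%s" % (local_part, domain))

def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def _assertion_to_regex(assertion: str) -> str:
    # An unescaped '*' is a wildcard; '\xx' sequences inside the literal pieces
    # are turned back into the characters they stand for.
    return ".*".join(re.escape(_unescape(p)) for p in assertion.split("*"))

def search_mail(ldap_filter: str) -> List[str]:
    """Emulate 'ldap:///ou=people,...?mail?sub?<filter>' for a single
    (cn=...) equality or substring filter; returns the mail values found."""
    m = re.fullmatch(r"\(cn=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("only a single (cn=...) filter is modelled here")
    regex = _assertion_to_regex(m.group(1))
    return [mail for cn, mail in DIRECTORY.items()
            if re.fullmatch(regex, cn, re.IGNORECASE)]

def ldap_lookup_email(local_part: str, domain: str) -> str:
    """LDAP_LOOKUP_EMAIL: ldapm joins the entries found with newlines; a
    failed lookup with only a {$value} branch expands to the empty string."""
    return "\n".join(search_mail(build_filter(local_part, domain)))

def ldap_local_user(local_part: str, domain: str) -> str:
    """LDAP_LOCAL_USER: 'yes' only when the mail value found equals the
    recipient address exactly (Exim's 'eq' is case-sensitive)."""
    address = "%s@%s" % (local_part, domain)
    return "yes" if ldap_lookup_email(local_part, domain) == address else "no"
```

Without the escaping, a local part containing `*` would turn the equality filter into a substring search that matches every entry; with it, such a recipient simply fails the `eq` check and is rejected by the ACL.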