Sheldon Hearn wrote:
>On (2003/10/16 16:09), Sheldon Hearn wrote:
>
>>I'm using the following macro, because I reuse it in my
>>ldap_localdelivery router:
>>
>>LDAP_MANAGER = user="cn=Manager,dc=clue,dc=bz" pass=secret
>>LDAP_LOCAL_USER = \
>> ${if \
>> eq \
>> {$local_part@$domain} \
>> { \
>> lookup{$local_part@$domain} \
>> ldap{LDAP_MANAGER \
>> ldap:///cn=$local_part@$domain,dc=clue,dc=bz?mail?base \
>> } \
>> } \
>> {yes}{no} \
>> }
>
>Horribly flawed. I finally figured out that I needed ${lookup ...}, and
>then found that the ldap lookup itself was broken. Here's what I ended
>up with:
>
>LDAP_MANAGER = user="cn=Manager,dc=clue,dc=bz" pass=secret
>LDAP_LOOKUP_EMAIL = \
> ${lookup \
> ldapm{ \
> LDAP_MANAGER \
> ldap:///ou=people,dc=clue,dc=bz?mail?sub?\
> (cn=${quote_ldap:$local_part@$domain})\
> } \
> {$value} \
> }
>LDAP_LOCAL_USER = \
> ${if \
> eq \
> {$local_part@$domain} \
> {LDAP_LOOKUP_EMAIL} \
> {yes}{no} \
> }
>
>Then the check_rcpt ACL condition works:
>
> accept condition = LDAP_LOCAL_USER
>
>I insert the following router before all others:
>
>ldapuser:
> driver = accept
> condition = LDAP_LOCAL_USER
> transport = ldap_delivery
> cannot_route_message = Unknown user
>
>The ldap_delivery transport is simple enough, but hasn't yet been
>extended to get the mailbox path from LDAP:
>
>ldap_delivery:
> driver = appendfile
> maildir_format
> check_string = ""
> create_directory
> current_directory = /var/mail
> directory = /var/mail/$domain/$local_part
> directory_mode = 0775
> user = mailnull
> group = mail
> mode = 0660
> delivery_date_add
> envelope_to_add
> return_path_add
> no_mode_fail_narrower
>
>Big up to Tony Earnshaw, whose past postings in the archives were
>invaluable[1]. And my LDAP books[2] arrive tomorrow, so I hope not to
>be bugging you all with too much of this any time soon. When I end up
>with something I think others will find useful, I'll follow up.
>
>Ciao,
>Sheldon.
>
>[1] The great thing about calling someone's contribution invaluable is
> that it supports non-payment. ;-)
>[2] LDAP System Administration
> [ISBN: 1565924916]
> Understanding and Deploying LDAP Directory Services (2nd Edition)
> [ISBN: 0672323168]
>
>--
>## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
Hey Sheldon,
I've just been through a similar wringer cross-eyed looking at curly
brackets out the wazoo.
If I may, let me give you a snapshot of my configure file and it might help:
##################
acl_smtp_rcpt = acl_check_rcpt

acl_check_rcpt:
  accept message = User account unknown or disabled
         domains = +local_domains
         endpass
         local_parts = \
           ${lookup ldap system aliases } : \
           ${lookup ldap mail users } : \
           ${lookup ldap domain aliases } : \
           ${lookup ldap domain pipes }
##################
Looks like a lot, but it's still faster than opening huge files.
Now the routers:
##################
begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  hide data = ${lookup ldap system aliases}
  user = user

user_aliases:
  driver = redirect
  allow_fail
  allow_defer
  hide data = ${lookup ldap user aliases }
  user = user

list_pipes:
  driver = redirect
  allow_fail
  allow_defer
  hide data = ${lookup ldap {domain pipes}
  user = mail
  pipe_transport = address_pipe

check_account_status:
  driver = accept
  hide condition = ${if eq {check for attribute accountStatus true}
  transport = account_disabled_autoreply

out_of_office:
  driver = accept
  hide condition = ${if eq {${lookup ldap check for attribute outOfOffice true}
  transport = out_of_office_reply
  unseen

forward_only:
  driver = redirect
  hide condition = ${if eq {${lookup ldap {check attribute true }
  hide data = ${lookup ldap { find forward email address }
  no_verify
  no_expn
  check_ancestor

forward_copy:
  driver = redirect
  hide condition = ${if eq {${check attribute true}
  hide data = ${lookup ldap {find forward email address}
  no_verify
  no_expn
  check_ancestor
  unseen

virtualuser:
  driver = accept
  transport = virtual_delivery
  no_more
begin transports

remote_smtp:
  driver = smtp

virtual_delivery:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
  hide directory = ${lookup ldap {find mail directory}/Maildir
  create_directory
  hide quota = ${lookup ldap {get quota }M
  quota_is_inclusive = false
  quota_warn_threshold = 80%
  quota_warn_message = \
    To: $local_part@$domain\n \
    Subject: Mailbox Limit\n \
    \n \
    The size of your mailbox has exceeded the warning threshold set by \
    company policy. \
    Please clean out your mailbox.\n
  maildir_format=true
  maildir_tag= ,S=$message_size

address_pipe:
  driver = pipe
  return_output

account_disabled_autoreply:
  driver = autoreply
  user = mail
  from = mailadmin@$domain
  to = $sender_address
  subject = Account Disabled
  text = Mail is not being accepted for this account at this time. \
    The account has been disabled.
  return_message

out_of_office_reply:
  driver = autoreply
  user = mail
  from = $local_part@$domain
  to = $sender_address
  subject = Out of Office Message
  text = ${lookup ldap { lookup the users message}
  return_message
##############################################################
OpenLDAP ACLs make this all work beautifully. Here's my OpenLDAP ACL in
slapd.conf:
#########################################################
access to attrs=homeDirectory,quota,accountStatus
  by anonymous auth
  by dn="cn=admin,dc=dom,dc=com" write
  by dn="cn=postmaster,ou=([^,]+),dc=dom,dc=com" write
  by * none

access to attrs=clearPassword,userPassword,outOfOffice,outOfOfficeText,forwardOnly,forwardCopy,forwardMail
  by anonymous auth
  by self write
  by dn="cn=admin,dc=dom,dc=com" write
  by * none

access to dn="ou=([^,]+),dc=dom,dc=com"
  by dn="cn=admin,dc=dom,dc=com" write
  by dn="cn=postmaster,ou=$1,dc=dom,dc=com" write
  by * none

access to dn="^.*,ou=([^,]+),dc=dom,dc=com"
  by self write
  by dn="cn=admin,dc=dom,dc=com" write
  by dn="cn=postmaster,ou=$1,dc=dom,dc=com" write
  by dn="^.*,ou=$1,dc=dom,dc=com" read
  by * none

access to attr=accountStatus
  by dn="cn=admin,dc=dom,dc=com" read

access to *
  by dn="cn=admin,dc=dom,dc=com" write
  by self write
  by users read
  by * read
###########################################
Some of those attributes I had to add to the authldap.schema that comes with
Courier-IMAP.

So each mail user can edit the attributes he needs and doesn't see the ones we
don't want him to see. The postmaster can edit/create/delete all in his domain,
and of course the admin is god. I use phpldapadmin to administer the OpenLDAP
database -- it is such a convenient and well-thought-out web interface -- and
easy to change to suit your needs.

I'm not asking anyone to read through all of the above, BUT if you do and see
errors or a better way, please feel free to post.
Thanks,
--
Craig Jackson
cjackson@???
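The one security-relevant detail in Sheldon's working macro is the `${quote_ldap:$local_part@$domain}` inside the filter: the local part comes from the SMTP envelope, and without escaping a recipient name containing `*`, `(` or `)` changes the shape of the query rather than just its value. The following Python script is an added example (not Sheldon's, Craig's or Exim's code) that models LDAP_LOOKUP_EMAIL and LDAP_LOCAL_USER against a constructed in-memory directory, with a toy equality-filter matcher standing in for the LDAP server. It assumes RFC 4515 filter escaping for `quote_ldap` (Exim's operator additionally URL-quotes the result, which is omitted here) and approximates the `ldapm` lookup type by newline-joining the `mail` values of every matching entry. The `DIRECTORY` entries and the address `clue.bz` are constructed sample data.

```python
import re

# Characters RFC 4515 requires to be escaped inside an LDAP search filter.
# This approximates Exim's ${quote_ldap:...} (assumption: filter-level
# escaping only; Exim also URL-quotes because the filter sits in an ldap:// URL).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def quote_ldap(value):
    """Escape a value so it can only ever be matched literally in a filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(local_part, domain):
    """The filter LDAP_LOOKUP_EMAIL sends: (cn=<quoted local_part@domain>)."""
    return '(cn=%s)' % quote_ldap('%s@%s' % (local_part, domain))


# Constructed sample entries standing in for ou=people,dc=clue,dc=bz.
DIRECTORY = [
    {'dn': 'cn=alice@clue.bz,ou=people,dc=clue,dc=bz', 'cn': 'alice@clue.bz', 'mail': 'alice@clue.bz'},
    {'dn': 'cn=bob@clue.bz,ou=people,dc=clue,dc=bz', 'cn': 'bob@clue.bz', 'mail': 'bob@clue.bz'},
]


def _equality_filter_to_regex(filter_str):
    """Parse a single (attr=value) filter the way a server would: an
    unescaped '*' is a wildcard, a '\\XX' hex escape is one literal byte."""
    m = re.fullmatch(r'\((\w+)=(.*)\)', filter_str, re.DOTALL)
    if not m:
        raise ValueError('unsupported filter: %r' % filter_str)
    attr, value = m.group(1), m.group(2)
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and re.fullmatch(r'[0-9a-fA-F]{2}', value[i + 1:i + 3]):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == '*':
            parts.append('.*')
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return attr, re.compile(''.join(parts), re.DOTALL)


def ldap_search(directory, filter_str):
    """Toy server: return every entry whose attribute matches the filter."""
    attr, rx = _equality_filter_to_regex(filter_str)
    return [e for e in directory if attr in e and rx.fullmatch(e[attr])]


def lookup_email(local_part, domain, directory=DIRECTORY):
    """Mirror LDAP_LOOKUP_EMAIL: the mail values of all matching entries,
    newline-joined as the ldapm lookup type returns them; '' when none match."""
    hits = ldap_search(directory, build_lookup_filter(local_part, domain))
    return '\n'.join(e['mail'] for e in hits)


def is_local_user(local_part, domain, directory=DIRECTORY):
    """Mirror LDAP_LOCAL_USER: accept only when the lookup result equals the
    recipient address exactly, so a multi-entry or partial match still fails."""
    return lookup_email(local_part, domain, directory) == '%s@%s' % (local_part, domain)


if __name__ == '__main__':
    for lp in ('alice', 'carol', '*', 'a)(cn=b'):
        print('%-9s filter=%-28s local_user=%s'
              % (lp, build_lookup_filter(lp, 'clue.bz'), is_local_user(lp, 'clue.bz')))
```

Two checks are worth noting when reading the output: a quoted `*` in the local part reaches the toy server as `\2a` and matches nothing, whereas the raw filter `(cn=*@clue.bz)` matches every entry; and even if a filter did match more than one entry, the `eq` comparison in LDAP_LOCAL_USER against the single recipient address still yields `no`, which is why the macro compares the lookup result back to `$local_part@$domain` instead of merely testing that the lookup succeeded.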