On Wed, 2005-06-29 at 10:45 +0100, Nigel Wade wrote:
> It all depends on how your directory is organized. If you can get the list of
> recipients from a single LDAP query it is definitely doable. I already do
> this sort of thing using OpenLDAP. I don't see why AD should be much
> different (other than MS is *always* different ;-)).
>
> I put our users into different OUs and in my exim4.conf I use these OUs to
> generate group mailing lists on the fly. For example, to send mail to all
> "student" accounts I have the following setup:
>
> STUDENT_ACCOUNT_BASE = ou=students,ACCOUNT_BASE
> LDAPS = ldaps://my.ldap.server/
> LDAPU = uid=eximbinddn,dc=your.base.dc
> LDAPP = eximpassword
>
> ldap_students:
>   driver = redirect
>   verify_recipient
>   condition = ${if eq {$local_part} {students} {1} {0}}
>   data = ${lookup ldapm { \
>             user=LDAPU \
>             pass=LDAPP \
>             LDAPSSTUDENT_ACCOUNT_BASE?\
>             uid?one?(mail=1)} {$value} {}}
>
> This will expand the recipient students into the result of the lookup for all
> uids in the ou=students sub-section of ACCOUNT_BASE which have the "mail"
> attribute set to 1. LDAPU/LDAPP is an account which has permission to search
> the relevant attributes in the directory. I have created a special account
> just for Exim to do searches.
>
> AD will be different, how different I have no idea. It's something I might be
> having to find out for myself shortly...

Thanks so much! This is exactly what I was looking for. If you do ever
have to do the same thing with Active Directory, here's how I modified
your config:

  ldap_somelist:
    driver = redirect
    verify_recipient
    condition = ${if eq {$local_part} {somelist} {1} {0}}
    data = ${lookup ldapm { \
              user="CN=someuser,OU=SomeOU,DC=some,DC=domain" \
              pass="somepassword" \
              ldap://somehost:someport/DC=some,DC=domain?\
              mail?\
              subtree?\
              (memberOf=CN=SomeGroup,OU=SomeOU,DC=some,DC=domain)}\
            {$value} {}\
            }

I am looking up the lists by group membership instead of OU container.
It should be trivial to do it the other way if you need to. Now I just
need to figure out why Active Directory is reporting inaccurate
information on group membership... >8( But the exim/ldap part works
anyway!
Thanks again.
Jason
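
The two routers above each serve one fixed list name. As an added example (not from either poster), here is a single router that maps any local part to the Active Directory group of the same name, which is the point where the local part starts flowing into the LDAP filter and needs constraining and quoting. The AD_* macro names, the character whitelist and port 636 are assumptions; the host, DNs and password are the placeholders from the message above.

```exim
# Macros, defined near the top of the configuration file.
# All values are placeholders taken from the thread.
# ldaps:// is used so the simple bind (DN + password) is not sent
# in clear text, which is what a plain ldap:// URL would do.
AD_SERVER = ldaps://somehost:636
AD_BASE   = DC=some,DC=domain
AD_LISTOU = OU=SomeOU,DC=some,DC=domain
AD_BINDDN = CN=someuser,OU=SomeOU,DC=some,DC=domain
AD_BINDPW = somepassword

ldap_group_lists:
  driver = redirect
  verify_recipient
  # The local part now comes from the SMTP envelope, i.e. from the
  # sender, so only accept names made of characters that have no
  # special meaning in an LDAP filter, a DN or a URL.
  condition = ${if match{$local_part}{\N^[a-z0-9][a-z0-9._-]*$\N}}
  # quote_ldap escapes filter metacharacters such as * ( ) \ and
  # URL-encodes the result. With the whitelist above it is a second
  # layer; it keeps the filter intact if the whitelist is loosened.
  data = ${lookup ldapm { \
            user="AD_BINDDN" \
            pass="AD_BINDPW" \
            AD_SERVER/AD_BASE?\
            mail?\
            sub?\
            (memberOf=CN=${quote_ldap:$local_part},AD_LISTOU)}\
          {$value} {}\
          }
```

A local part with no matching group yields an empty string, so the router declines and the address falls through to the next router. The bind account only needs read access to the mail and memberOf attributes, and since the password sits in the configuration file, that file should not be readable by unprivileged users.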