[exim] LDAP problem

Author: Alain Williams
Date:  
To: exim-users
New-Topics: Re: [exim] LDAP problem - Fix & patch to exim, [exim] 451 error codes & Exchange
Subject: [exim] LDAP problem
Hi,

I am trying to use LDAP from exim to determine which (MS Exchange) machine to deliver mail to.
This is in a largish (1500) company with multiple sites. I am querying the local MS Active Directory servers.
My Linux box is relegated to the DMZ and is restricted to what it can see.

My router looks like:
internal:
  driver = manualroute
  no_more
  domains = +ag_domains
  transport = remote_smtp
  route_data = ${sg{${lookup ldap \
        {user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass \
        dereference=never time=5 nettime=5 \
        ldap:///OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com?msExchHomeServerName?sub? \
        (proxyAddresses=smtp:$local_part@$domain)} \
        {$value}fail}}{^.*/cn=(\\w+)\$}{\$1}}.example.com


That seems to work well enough with ldap returning something like:
    /O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=EXCHANGEBOXNAME


Unfortunately the baseDN above only works for people within OU=USERS,OU=BUSSERV,OU=MAN, ... so I
get it to search a bit wider by replacing the URL line with:

        ldap:///DC=example,DC=com?msExchHomeServerName?sub? \


When using ldapsearch this approach works fine, it finds records like:
    proxyAddresses=smtp:John.Smith@???
in all business units.


Exim, however, does the lookup and gets a result from ldap, apparently decides that it wants another and
then hangs. It seems to be trying to connect LDAP servers that are not in ldap_default_servers, and never times out.
The connects don't work since the organisation firewalls don't allow it - reasonably enough.

They do admit that their ldap setup could be neater, but I'm not going to get it changed.

I have dug through the code. After getting a good enough result, it calls ldap_result() again, presumably to
get more, stopping this loop when it gets LDAP_RES_SEARCH_ENTRY. In fact it just loops trying to connect to
the same set of ldap servers over & over.

Does anyone have any suggestions -- please?


I put the debug output below:

expanding: user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass dereference=never
time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub? (proxyAddresses=smtp:$local_part@$domain)
result: user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass dereference=never
time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)search_open: ldap "NULL"
search_find: file="NULL"
key="user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass dereference=never time=5
nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)" partial=-1 affix=NULL starflags=0
LRU list:
internal_search_find: file="NULL"
type=ldap key="user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass
dereference=never time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)"
database lookup required for user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass
dereference=never time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)
LDAP parameters: user=CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com pass=ldappass size=0 time=5
connect=5 dereference=0
perform_ldap_search: ldap URL = "ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)" server=vega.example.com port=0 sizelimit=0 timelimit=5
tcplimit=5
after ldap_url_parse: host=vega.example.com port=0
ldap_initialize with URL ldap://vega.example.com:389/
initialized for LDAP (v3) server vega.example.com:389
LDAP_OPT_X_TLS_TRY set
binding with user=CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com password=ldappass
Start search
ldap_result loop
LDAP entry loop
LDAP attr loop msExchHomeServerName:/O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=SHIRKAHREXC
*** hangs here ***

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/

#include <std_disclaimer.h>
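Added example, not part of the post above or of Exim's code: a small Python model of the result loop and the route_data extraction the message describes. It assumes (this is my reading, not something the post confirms) that the extra connections come from search continuation references (referrals) that a forest-root subtree search against Active Directory can return, and shows a client-side loop that records such references instead of chasing them, then applies the same `^.*/cn=(\w+)$` extraction and `.example.com` suffix as the router. All message types, host names and attribute values below are constructed.

```python
import re
from dataclasses import dataclass, field

# Message kinds modelled on the libldap result types named in the post.
SEARCH_ENTRY = "LDAP_RES_SEARCH_ENTRY"
SEARCH_REFERENCE = "LDAP_RES_SEARCH_REFERENCE"  # referral to another server
SEARCH_RESULT = "LDAP_RES_SEARCH_RESULT"        # end of this search

@dataclass
class Message:
    kind: str
    attrs: dict = field(default_factory=dict)
    urls: list = field(default_factory=list)

# Mirrors the router's ${sg{...}{^.*/cn=(\\w+)\$}{\$1}} followed by ".example.com".
HOME_SERVER_RE = re.compile(r"^.*/cn=(\w+)$")

def route_target(home_server: str, suffix: str = ".example.com"):
    """Turn an msExchHomeServerName value into a host name, or None (the 'fail' branch)."""
    m = HOME_SERVER_RE.match(home_server)
    return m.group(1) + suffix if m else None

def collect_home_servers(messages):
    """Drain one search's result stream without chasing referrals.

    Returns (values, referral_urls). The loop ends at SEARCH_RESULT; a
    SEARCH_REFERENCE is logged for the admin rather than followed, so no
    connection is attempted to a host the DMZ firewall may not allow."""
    values, referrals = [], []
    for msg in messages:
        if msg.kind == SEARCH_ENTRY:
            values.extend(msg.attrs.get("msExchHomeServerName", []))
        elif msg.kind == SEARCH_REFERENCE:
            referrals.extend(msg.urls)  # record, do not connect
        elif msg.kind == SEARCH_RESULT:
            break
    return values, referrals

# Constructed sample stream: one matching entry plus a referral pointing at a
# domain controller in another domain of the forest (hypothetical host name).
SAMPLE_STREAM = [
    Message(SEARCH_ENTRY, {"msExchHomeServerName":
            ["/O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=EXCHANGEBOXNAME"]}),
    Message(SEARCH_REFERENCE, urls=["ldap://dc1.other.example.com/DC=other,DC=example,DC=com"]),
    Message(SEARCH_RESULT),
]

if __name__ == "__main__":
    vals, refs = collect_home_servers(SAMPLE_STREAM)
    print([route_target(v) for v in vals], "referrals not followed:", refs)
```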