Hi,
I am trying to use LDAP from exim to determine which (MS Exchange) machine to deliver mail to.
This is in a largish (1500) company with multiple sites. I am querying the local MS Active Directory servers.
My Linux box is relegated to the DMZ and is restricted to what it can see.
My router looks like:
internal:
driver = manualroute
no_more
domains = +ag_domains
transport = remote_smtp
route_data = ${sg{${lookup ldap \
{user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass \
dereference=never time=5 nettime=5 \
ldap:///OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com?msExchHomeServerName?sub? \
(proxyAddresses=smtp:$local_part@$domain)} \
{$value}fail}}{^.*/cn=(\\w+)\$}{\$1}}.example.com
That seems to work well enough with ldap returning something like:
/O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=EXCHANGEBOXNAME
Unfortunately the baseDN above only works for people within OU=USERS,OU=BUSSERV,OU=MAN, ... so I
get it to search a bit wider by replacing the URL line with:
ldap:///DC=example,DC=com?msExchHomeServerName?sub? \
When using ldapsearch this approach works fine, it finds records like:
proxyAddresses=smtp:John.Smith@???
in all business units.
Exim, however, does the lookup and gets a result from ldap, apparently decides that it wants another and
then hangs. It seems to be trying to connect LDAP servers that are not in ldap_default_servers, and never times out.
The connects don't work since the organisation firewalls don't allow it - reasonably enough.
They do admit that their ldap setup could be neater, but I'm not going to get it changed.
I have dug through the code. After getting a good enough result, it calls ldap_result() again, presumably to
get more, stopping this loop when it gets LDAP_RES_SEARCH_ENTRY. In fact it just loops trying to connect to
the same set of ldap servers over & over.
Anyone any suggestions -- please.
I put the debug output below:
expanding: user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass dereference=never
time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub? (proxyAddresses=smtp:$local_part@$domain)
result: user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass dereference=never
time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)search_open: ldap "NULL"
search_find: file="NULL"
key="user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass dereference=never time=5
nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)" partial=-1 affix=NULL starflags=0
LRU list:
internal_search_find: file="NULL"
type=ldap key="user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass
dereference=never time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)"
database lookup required for user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass
dereference=never time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)
LDAP parameters: user=CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com pass=ldappass size=0 time=5
connect=5 dereference=0
perform_ldap_search: ldap URL = "ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:John.Smith@???)" server=vega.example.com port=0 sizelimit=0 timelimit=5
tcplimit=5
after ldap_url_parse: host=vega.example.com port=0
ldap_initialize with URL ldap://vega.example.com:389/
initialized for LDAP (v3) server vega.example.com:389
LDAP_OPT_X_TLS_TRY set
binding with user=CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com password=ldappass
Start search
ldap_result loop
LDAP entry loop
LDAP attr loop msExchHomeServerName:/O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=SHIRKAHREXC
*** hangs here ***
--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
http://www.phcomp.co.uk/
#include <std_disclaimer.h>
