Author: Phil Pennock
Date:
To: Mark Schouten
CC: exim-users
Subject: Re: [exim] Ocasional 'Unrouteable address'-message with LDAPenvironment
On 2008-05-07 at 10:28 +0200, Mark Schouten wrote:
> So, again I have the feeling that nscd is letting me down here, since I
> expect that Exim uses 'user' to find the uid, and that fails.
> Fortunately, Exim now tempfails and delivers the message later on.
If you use the same LDAP query twice then the result is cached, so if
you search for two attributes and then use ${extract on that to extract
the two fields, you should still do only one LDAP query from Exim. In
fact, since there won't be an nscd->LDAP query, your LDAP load will go
down.
See "9.18 Format of data returned by LDAP"
If you use "exim -be" to test the queries and extracts, then you can use
"exim -d -be" to see the lookups and which results are or are not
cached.
Eg, if I query these:
----------------------------8< cut here >8------------------------------
${extract{uid}{${lookup ldap {ldapi:///ou=People,dc=spodhuis,dc=org?uid,homeDirectory?sub?cn=Phil Pennock}}}}
${extract{homeDirectory}{${lookup ldap {ldapi:///ou=People,dc=spodhuis,dc=org?uid,homeDirectory?sub?cn=Phil Pennock}}}}
----------------------------8< cut here >8------------------------------
then the second one shows the cached data being used.
> Anyways, I think that if I let Exim do the ldap-lookup for the uid
> directly, I don't need nscd at all? If I hand Exim a numeric uid for
> 'user', there's no need for translation of username -> uid.
Correct. spec.txt, "15. GENERIC OPTIONS FOR ROUTERS", "user" option
(search for a line matching ^-user- and you'll find one instance for the
Router option and one for the Transport option).
The other issue which might be increasing the load with nscd is the
groups lookup for the user; that might be unnecessary in your
environment, so explicitly setting "group" to something relevant might
reduce load?
----------------------------8< cut here >8------------------------------
When a router queues an address for a transport, and the transport does not
specify a user, the user given here is used when running the delivery process.
The user may be specified numerically or by name. If expansion fails, the error
is logged and delivery is deferred. This user is also used by the redirect
router when running a filter file. The default is unset, except when
check_local_user is set. In this case, the default is taken from the password
information. If the user is specified as a name, and group is not set, the
group associated with the user is used. See also initgroups and group and the
discussion in chapter 23.
----------------------------8< cut here >8------------------------------
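
Added example (not part of the original message or of the Exim documentation): a router that applies the advice in this message, repeating one identical LDAP query so that repeats are served from Exim's lookup cache, and giving "user" and "group" numerically so no name-service (nscd) lookup is needed. The base DN, the RFC 2307 attributes uidNumber and gidNumber, the macro and router names, the +local_domains list and the local_delivery transport are assumptions.

```exim
# Main configuration section. The macro name below is hypothetical.
# Keeping the query in one macro makes every use byte-identical, which is
# what allows repeated lookups to be answered from the cache.
# ${quote_ldap:...} escapes LDAP filter metacharacters in the local part.
LDAP_ACCOUNT = ${lookup ldap {ldapi:///ou=People,dc=example,dc=org?uidNumber,gidNumber?sub?(uid=${quote_ldap:$local_part})}}

begin routers

# Hypothetical router name.
ldap_local_user:
  driver = accept
  domains = +local_domains
  # Decline when the directory has no entry for this local part.
  # If the LDAP server cannot be reached, the expansion defers and the
  # message is retried later instead of being bounced.
  condition = ${if !eq{LDAP_ACCOUNT}{}}
  # Numeric uid: no username -> uid translation through nscd.
  user = ${extract{uidNumber}{LDAP_ACCOUNT}}
  # Explicit group: the user's group is not looked up by name.
  group = ${extract{gidNumber}{LDAP_ACCOUNT}}
  transport = local_delivery
```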