Re: [exim] LDAP router section

Author: Nigel Wade
Date:  
To: exim-users
New-Topics: Re: [exim] LDAP router section - part 2
Subject: Re: [exim] LDAP router section
On 15/09/10 18:36, Stanczak Slawomir wrote:
> Hi,
>
> I have to set up an LDAP router section in my exim4.conf
>
> I read:
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch15.html#id560622
>
> I'm very sorry, but I don't understand it at all.
>
> My example LDAP account:
>
> dn: uid=test,ou=People,dc=ams,dc=szn,dc=pl
> uid: test
> cn: test
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {MD5}xxxxxxxxxxxxxxxxxxxxxxxxxx
> shadowLastChange: 14844
> loginShell: /bin/bash
> uidNumber: 2205
> gidNumber: 1001
> homeDirectory: /home/prac/Adm/test
> gecos: Test, BPE Rek/AMS
>
>
> ara:~# ldapsearch -x -b dc=ams,dc=szn,dc=pl '(uid=test)'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=ams,dc=szn,dc=pl> with scope subtree
> # filter: (uid=test)
> # requesting: ALL
> #
>
> # test, people, ams.szn.pl
> dn: uid=test,ou=people,dc=ams,dc=szn,dc=pl
> uid: test
> cn: test
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 2205
> gidNumber: 1001
> homeDirectory: /home/prac/Adm/test
> gecos: Test, BPE Rek/AMS
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> -----------
>
> My example LDAP router section:
>
> ldap_user:
>    debug_print = "R: ldap_user for $local_part@$domain"
>    driver = accept
>    domains = +local_domains
>    local_parts = ${extract{uid}{${lookup ldap{ldap://212.14.2.145:389/ou=People,dc=ams,dc=szn,dc=pl}fail}}}
>    transport = local_delivery
>    cannot_route_message = Unknown user

>
> How do I have to set the local_parts line?


What do you want local_parts to be set to?
You have specified no search pattern for the lookup, nor have you
specified any attributes to return. This will return the entire LDAP
directory as the result of the lookup. The idea behind the ldap lookup
is that you get LDAP to do the searching and attribute extraction, and
only return back to Exim the attribute which you require. If you return
multiple results you have to use ldapm.

There is no authentication specified in your lookup; does your LDAP
server allow anonymous bind for searching? That's not very wise, as
there is potentially a lot of valuable information in that directory.

This is how I do it. I declare a set of macros to be used by LDAP
lookups; it makes the actual lookups shorter and more readable.

LDAP_BASE = dc=<my LDAP base>
LDAPS = ldap://
LDAPU = uid=<the bind uid>,LDAP_BASE
LDAPP = <the bind password>

This is an example lookup using those macros. It verifies that a local
account in the LDAP directory is allowed to receive email (I use the
destinationIndicator attribute for this). The lookup searches for an
objectClass of rsppgAccount (a class I've defined for our account
entries) where the uid is the local part of the recipient address. The
search is set to "sub", i.e. it will search sub-directories of the
LDAP_BASE (LDAP is hierarchical). If a match is found the value of the
attribute "destinationIndicator" is returned as the value of the lookup.
If the attribute does not exist in the entry the value of the lookup is
set to 0. The condition checks for the result being 0; if it is, the
verify fails and the recipient fails verification.

localrecipient_verify:
  driver = accept
  verify_only
  verify_recipient = true
  verify_sender = false
  check_local_user
  condition = ${if eq {0} {${lookup ldap { \
        user=LDAPU pass=LDAPP LDAPS/LDAP_BASE?\
        destinationIndicator?sub?(&(objectClass=rsppgAccount)\
        (uid=${quote_ldap:$local_part}))} \
        {$value} fail}} {1} {0} }
  fail_verify


Another lookup which substitutes a mail alias in a redirect router. It
searches for an account entry with a mailLocalAddress attribute which
matches the value of the recipient. If the lookup finds one it returns
the uid of that entry, and the router substitutes the uid as the
recipient in the redirect (the redirect router's "data" value).

ldap_user_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup ldap { \
                user=LDAPU \
                pass=LDAPP \
                LDAPS/LDAP_BASE?\
                uid?sub?(&(objectClass=rsppgAccount)(mailLocalAddress=${quote_ldap:$local_part@$domain}))} \
                {$value} fail}
  file_transport = address_file
  pipe_transport = address_pipe



-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw@???
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
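As an added example (not code from this thread or from Exim itself), a small Python model of the lookup Nigel describes: it builds the base?attribute?scope?filter query, applies RFC 4515 filter escaping in place of ${quote_ldap:...}, and evaluates the verify condition against a constructed directory. BASE, the directory entries and the helper names are assumptions; Exim's operator additionally applies URL-level quoting, which is not reproduced.

```python
import re
# Added example (not from this thread). Models the Exim LDAP query Nigel
# describes (base?attribute?scope?filter) and the recipient-verify condition,
# with the local part escaped the way ${quote_ldap:...} escapes it for an LDAP
# filter (RFC 4515). BASE and DIRECTORY are constructed for the demonstration.

BASE = "dc=example,dc=org"  # stands in for the LDAP_BASE macro
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# Constructed directory: uid -> attributes ("bob" lacks destinationIndicator).
DIRECTORY = {
    "test":  {"objectClass": "rsppgAccount", "destinationIndicator": "1"},
    "alice": {"objectClass": "rsppgAccount", "destinationIndicator": "0"},
    "bob":   {"objectClass": "rsppgAccount"},
}

def quote_ldap(value: str) -> str:
    """RFC 4515 escaping so the value is matched literally inside a filter."""
    return "".join(_FILTER_SPECIALS.get(c, c) for c in value)

def build_query(base: str, attribute: str, local_part: str, quoted: bool = True) -> str:
    """Exim-style query string; quoted=False shows the effect of skipping quote_ldap."""
    lp = quote_ldap(local_part) if quoted else local_part
    return f"{base}?{attribute}?sub?(&(objectClass=rsppgAccount)(uid={lp}))"

def _assertion_to_regex(pattern: str) -> re.Pattern:
    """Unescaped '*' is a wildcard; \\XX is a literal byte; everything else literal."""
    parts = []
    for tok in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
        if tok == "*":
            parts.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", tok):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts) + r"\Z")

def lookup(query: str) -> list:
    """Evaluate the (uid=...) assertion against DIRECTORY; return the attribute values."""
    attribute = query.split("?")[1]
    rx = _assertion_to_regex(re.search(r"\(uid=([^)]*)\)", query).group(1))
    return [{"uid": uid, **attrs}.get(attribute)
            for uid, attrs in DIRECTORY.items()
            if attrs["objectClass"] == "rsppgAccount" and rx.match(uid)]

def recipient_allowed(local_part: str) -> bool:
    """The verify condition: fail unless one entry matches with destinationIndicator present and not 0."""
    values = lookup(build_query(BASE, "destinationIndicator", local_part))
    return len(values) == 1 and values[0] not in (None, "0")
```

With quoted=False a local part of "*" turns the uid assertion into a wildcard and returns every account, which is exactly what the quote_ldap step prevents.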