Re: [exim] Check if LDAP server can be reached

Author: Moritz Wilhelmy
Date:  
To: exim-users
Subject: Re: [exim] Check if LDAP server can be reached
Hello,

On Mon, Apr 09, 2012 at 07:25:19 -0700, Phil Pennock wrote:
> On 2012-04-04 at 18:53 +0200, Moritz Wilhelmy wrote:
> > On my setup, LDAP lookups happen through NSS. If the LDAP server goes
> > down, the lookup fails, and the mail gets permanently rejected. I'd like
> > to either reject it only temporarily or accept all messages if the LDAP
> > server is down/can't be reached and freeze them.
> >
> > I tried a simple lookup like this
> > ${if eq{\
> >     ${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?(uid=${quote_ldap:$local_part)}}}}\
> >     {$local_part}\
> >     {true}{false}}
>
> You don't say where this query is.


I tried expanding it in exim -be. The result was an error, and I wasn't
so sure how exim handles these.

> The LDAP lookups always return temporary errors.
>
> In a Router or Transport, you'll get a deferral, 4xx.


I guess it fails in the localuser router.

> In an ACL, the condition is likely to fail. Careful construction of
> your ACL rules, with "set acl_m_foo" will let you set a variable and
> check for deferral, which will let you return a 4xx error from the ACL.


Thanks for pointing this out, I wouldn't have thought of that.

> You can also set more than one server in ldap_default_servers which
> helps with failover.


We have two LDAP servers, both of which are in the configuration, but in
case the network is down during a delivery attempt, this doesn't help
too much.
We use NSS because some users insist on using procmail. NSS makes dealing
with and identifying user processes easier.

> I'm guessing your expansion problem is in an ACL. If you need help
> restructuring the ACL, post the relevant ACL here and people will help.


Which ACL should I use? The configuration file differs from the official
configuration example only marginally.
Currently, there are only two ACLs, like in the default configuration:
acl_check_data (which sounds like the wrong one to use) and
acl_check_rcpt.

My naïve attempt at this would be putting the expansion as a condition
into the localuser router:

localuser:
  driver = accept
  check_local_user
  local_part_suffix = +* : -*
  local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user
  # Fetch uidNumber from LDAP for this local part. ($local_user is not an
  # Exim variable; $local_part is what the original lookup used, and the
  # suffix has already been stripped by the time the router runs.)
  # Per Phil's reply: if the server cannot be reached, the lookup defers,
  # the expansion fails, and the router defers instead of rejecting.
  condition = ${if >={${lookup ldap{ldaps:///ou=People,dc=bla?uidNumber?sub?(uid=${quote_ldap:$local_part})}}}{1000}{yes}{no}}

Currently, the condition looks like this:
condition = ${if >={$local_user_uid}{1000}{yes}{no}}

This should generate a temporary error if the ldap lookup fails, if I'm
not mistaken?


Best regards,

    Moritz
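Added example (not part of Moritz's or Phil's messages, and not taken from the Exim documentation or the default configuration): one way to put Phil's "set acl_m_foo" suggestion into acl_check_rcpt so that the three outcomes of the LDAP lookup (user found, user not found, server unreachable) map to 2xx, 5xx and 4xx respectively. Assumptions: the default configuration's +local_domains list, the ldaps URL and the uid >= 1000 rule from the router above, and the sentinel strings "unreachable" and "none" chosen here. Whether an unforced expansion failure inside an ACL only skips that statement or makes the whole ACL defer by itself is not verified here; the sentinel set in the first statement gives a 4xx in either case.

```exim
acl_check_rcpt:
  # ... the relay and host checks from the default configuration go first ...

  # Step 1: sentinel.  If the LDAP lookup below cannot complete (server
  # down, network down), this is the value that survives.
  warn
    domains = +local_domains
    set acl_m_ldapuid = unreachable

  # Step 2: the lookup.  The {$value}{none} parts only cover "no such
  # entry".  An unreachable server makes the lookup defer and the whole
  # expansion fail, so this statement does not replace the sentinel.
  # The ACL sees the raw local part, so the +suffix / -suffix that the
  # localuser router strips is removed here with sg before quoting
  # (assumes usernames themselves contain no "+" or "-").
  warn
    domains = +local_domains
    set acl_m_ldapuid = ${lookup ldap{ldaps:///ou=People,dc=bla?uidNumber?sub?(uid=${quote_ldap:${sg{$local_part}{[+-].*}{}}})}{$value}{none}}

  # Step 3: map the three outcomes to SMTP responses.  Conditions are
  # tested in order, so "domains" guards the comparisons for non-local
  # recipients, for which acl_m_ldapuid was never set.
  defer
    domains = +local_domains
    condition = ${if eq{$acl_m_ldapuid}{unreachable}}
    message = Directory temporarily unavailable, please try again later

  deny
    domains = +local_domains
    condition = ${if eq{$acl_m_ldapuid}{none}}
    message = Unknown user

  deny
    domains = +local_domains
    condition = ${if <{$acl_m_ldapuid}{1000}}
    message = Mail to system accounts is not accepted

  accept
    domains = +local_domains
```

The sentinel/lookup split is what makes the "server unreachable" case distinguishable from "user not found": the lookup's own failure string is only consulted when the server answers, so a transport-level problem can never be mistaken for a missing account. The uid threshold check belongs in the ACL only if the router's condition is kept as well, because the router still runs for messages accepted here.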