Re: Trouble with postfix + ldap
From: Schaefer, Dirk Alexander (das@mydom.ath.cx)
Date: Mon Feb 07 2005 - 03:40:14 CST
(for best view maximize this message!)
hi nicolas,
try the following (this example is set up to your descriptions):
add, if not already done, a new objectclass, i use CourierImapAccount,
then add a new attribute called mailbox (on other objectclasses it might
be called maildrop, then you need to set the result_attribute according
to this attribute's name, look below) and give it the value lastname
without the @ and without the domain name.
then set the value of mail just to firstname.lastname without @ and
domain name too.
normally you will find the according ldap schema at the sources of the
courier imap server. just download them and take a look into the package,
it will be there, i hope... ;-)
set your filter to mail=%s only.
you can also add some other matching rules too.
e.g. if you want to let the user receive mail only if it has an
objectclass called posixAccount you can use:
query_filter = (&(objectClass=posixAccount)(mail=%s))
or if you want to let the user receive email only if a further attribute
is set to true, let's say the attribute is called activated, then it
would look like this:
query_filter = (&(mail=%s)(activated=true))
or
query_filter = (&(mail=%s)(activated=on))
or
query_filter = (&(mail=%s)(activated=1))
(the value for activated needs to be the one you will set at the ldap
entry!)
hint: the order in which the parts of the rule appear in the whole matching
string does not matter! ((&(activated=true)(mail=%s)) would produce the
same result)
each inner () defines an attribute or objectclass and the value it
should have to be recognized as a match, and the & sign says that each
of them must be true if the whole expression shall be a match.
a further example:
if you need these rules to be matched:
the user has either an objectclass of posixaccount or
sambasamaccount and the mail attribute should be the first part of the
email address the email is sent to:
query_filter = ( | ( & (objectClass=posixAccount) (mail=%s) ) ( & (objectClass=sambaSamAccount) (mail=%s) ) )
or, for the same result:
query_filter = ( & ( | (objectClass=posixAccount) (objectClass=sambaSamAccount) ) (mail=%s) )
if we write it down like this it will be more readable for a human:
query_filter =
1 ( &
2   ( |
3     (objectClass=posixAccount)
      (objectClass=sambaSamAccount)
4   )
5   (mail=%s)
6 )
1 says that the rule beginning at 2, ending at 4, and the one beginning
and ending at 5 must be true.
2 says that either the first part of the rule beginning at 3 or the
second part must be true if the whole statement beginning at 2 and ending at
4 shall be true.
6 is the end of the whole matching rule.
(do not write it like this in your postfix config file!)
finally set:
result_attribute = mailbox (or maildrop, according to the
objectclass you use and the attributes it defines! if you are not sure
try result_attribute = mailbox, maildrop)
this is the way it works on my site. although i know that this is not
the best way because we cannot add the domain name, it works at least.
i will go on spending time investigating how to set up ldap look ups
properly.
hope that helps...
best regards
d. a. schaefer
ps: if your ldap server supports tls add version = 3 and set your
server_host to ldaps://172.31.0.236:636 in your postfix config file.
this will let postfix communicate over a secure connection.
you should also use dns names in case the ip of the ldap
server changes some day!
nbouthors@nbi.fr wrote:
>Hi all,
>
>I'm not new to postfix but quite inexperienced with postfix + ldap integration.
>The situation is : I've set up postfix to deliver mail through cyrus and am
>trying to tell them both to use LDAP for user definitions. Works fine with
>cyrus (mail gets delivered, imap is connecting and all). But it's not enough :
>user ids look like "lastname" and they shall receive mail at
>lastname@domain.tld and firstname.lastname@domain.tld. Since Cyrus is ok with
>ldap and finds the right mailbox when fed with lastname@domain.tld I thought I
>would simply add a virtual_alias_map in postfix to rewrite
>firstname.lastname@domain.tld in lastname@domain.tld
>
>The ldap directory contains data like this :
>
>dn: cn=EXAMPLE,ou=foo,o=bar
>mail: firstname.lastname@domain.tld
>uid: EXAMPLE
>[...]
>objectClass: inetOrgPerson
>[...]
>cn: EXAMPLE
>
>this data is extracted from ldapsearch command on the postfix server, so it
>seems that I can access the directory fine and extract info from it.
>
>Now in my main.cf, I stated :
>
>directory_server_host = 172.31.0.236
>directory_search_base = o=bar
>directory_query_filter = (&(mail=%s@domain.tld))
>directory_result_attribute = cn
>directory_debuglevel = 4
>directory_bind = no
>
>and
>
>virtual_alias_maps = ldap:directory
>local_recipient_maps =
>
>which seems to me to be the correct way to state things the way I want them. I
>tried several versions of the query_filter by none worked. I can try any way, I
>always get the same result upon sending mail :
>
>postfix/nqmgr[26756]: warning: premature end-of-input on private/rewrite socket
>while reading input attribute name
>postfix/master[26752]: warning: process /usr/libexec/postfix/trivial-rewrite pid
>26758 killed by signal 11
>postfix/master[26752]: warning: /usr/libexec/postfix/trivial-rewrite: bad
>command startup -- throttling
>
>And of course the mail never gets delivered.
>
>All of this is under RedHat Enterprise 3.0 with the following versions :
>
>postfix-2.0.11-4
>openldap-clients-2.0.27-11
>nss_ldap-207-2
>
>Quick help would really be appreciated !
>
>Thanks,
>
> Nicolas Bouthors
>
>
>
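Added example, not part of either message above and not Postfix's own code: an offline model of the ldap: table lookup the reply describes, so the query_filter variants it lists (the & and | nesting, the order independence of the parts, the activated=... check) and the "mailbox, maildrop" result_attribute can be tried without a directory server. It assumes a constructed set of three entries shaped like the one Nicolas posted, the filter subset of RFC 4515 that the thread uses (and/or/not and attr=value items, with an unescaped * as wildcard), and that the lookup key is RFC 2254/4515-quoted before it replaces %s, which is what ldap_table(5) documents for current Postfix; quote_key=False is there only to show what an unquoted key would let a recipient address do to the filter.

```python
"""Offline model of a Postfix ldap: table lookup (added example, not code from
the thread or from Postfix): a small RFC 4515 filter parser/evaluator run over
constructed in-memory entries."""
import re

# Constructed sample directory, shaped like the entry in the original post.
# Every attribute is a list because LDAP attributes are multi-valued.
DIRECTORY = [
    {"dn": ["cn=EXAMPLE,ou=foo,o=bar"], "objectClass": ["inetOrgPerson", "posixAccount"],
     "mail": ["firstname.lastname"], "mailbox": ["lastname"], "activated": ["true"]},
    {"dn": ["cn=OTHER,ou=foo,o=bar"], "objectClass": ["inetOrgPerson", "sambaSamAccount"],
     "mail": ["other.person"], "mailbox": ["person"], "activated": ["false"]},
    {"dn": ["cn=SHELLONLY,ou=foo,o=bar"], "objectClass": ["posixAccount"],
     "mail": ["shell.only"], "mailbox": ["shellonly"]},
]


def escape_filter_value(value):
    """RFC 4515 quoting for a value interpolated into a filter:
    '*', '(', ')', '\\' and NUL become a backslash plus two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the filter subset used in the thread -- (&...), (|...), (!...) and
    attr=value -- into a nested tuple tree.  Whitespace between components is
    tolerated here for readability; a real server may or may not accept it."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def expect(ch):
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def component():
        nonlocal pos
        expect("(")
        skip_ws()
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            children = []
            skip_ws()
            while pos < len(text) and text[pos] == "(":
                children.append(component())
                skip_ws()
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [component()])
        else:  # simple item; an escaped ')' is "\29", so the first ')' ends it
            end = text.find(")", pos)
            attr, eq, pattern = text[pos:end].partition("=")
            if end < 0 or not eq or not attr.strip():
                raise ValueError("bad item at offset %d in %r" % (pos, text))
            node = ("=", attr.strip(), pattern.strip())
            pos = end
        expect(")")
        return node

    tree = component()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data in %r" % text)
    return tree


def _get(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute types are."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _value_matches(pattern, stored):
    """Equality/substring match: an unescaped '*' is a wildcard, escaped
    characters are literal, comparison is case-insensitive (caseIgnoreIA5Match)."""
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), stored, re.IGNORECASE) is not None


def evaluate(node, entry):
    """True when the entry satisfies the parsed filter."""
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    return any(_value_matches(node[2], v) for v in _get(entry, node[1]))


def postfix_ldap_lookup(key, query_filter, result_attribute,
                        directory=DIRECTORY, quote_key=True):
    """One ldap: table lookup: substitute the key for %s, evaluate the filter over
    every entry, return the values of result_attribute (comma-separated names are
    allowed, as in "mailbox, maildrop").  quote_key=False shows what an unquoted
    key could do; Postfix itself quotes %s (ldap_table(5))."""
    needle = escape_filter_value(key) if quote_key else key
    tree = parse_filter(query_filter.replace("%s", needle))
    wanted = [a.strip() for a in result_attribute.split(",")]
    results = []
    for entry in directory:
        if evaluate(tree, entry):
            for attr in wanted:
                results.extend(_get(entry, attr))
    return results


if __name__ == "__main__":
    both = "(&(|(objectClass=posixAccount)(objectClass=sambaSamAccount))(mail=%s))"
    print(postfix_ldap_lookup("other.person", both, "mailbox, maildrop"))    # ['person']
    print(postfix_ldap_lookup("*", "(mail=%s)", "mailbox"))                   # []
    print(postfix_ldap_lookup("*", "(mail=%s)", "mailbox", quote_key=False))  # every mailbox
```

The lookup key is the local part only, as in the reply's scheme where mail holds firstname.lastname without the domain; feed it the full address and nothing matches, which is exactly the limitation the reply mentions. The last two calls in the usage block are the point of the quoting: a recipient named "*" (or one carrying "(" and ")") must reach the server as "\2a", otherwise "(mail=*)" matches every entry and the alias map hands back every mailbox in the tree.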