Using Exim with LDAP
Douglas Gray Stephens, Senior Directory Architect, Schlumberger

Topics
• What is LDAP;
• What is LDAP designed for;
• How is LDAP integrated into Exim;
• Case study of using Exim with LDAP;
• How to troubleshoot Exim with LDAP.
DGS 23 Feb 2005

What is LDAP
• Lightweight Directory Access Protocol;
• (X.500 is DAP, so more heavyweight);
• Communications protocol:
  – no specification for the back end server system;
• Standards based;
• De facto standard for internet white pages (cf. http for on line documents);
• Current version is LDAPv3 (ratified in 2000).

What is LDAP designed for
• Systems where there are few writes, but many reads;
• Storing any data;
• Fast response for queries;
• Redundancy (i.e. automatic fail over).

What is LDAP not designed for
• It is not a relational database;
• It is not efficient for systems with frequent writes;
• The server may return unexpected (e.g. no) results if an attribute is not indexed.

How is data stored in LDAP (DIT)
• LDAP is a tree structure (Document Information Tree):

LDAP searches
• Require
  – Server to search (where to look);
  – Search root (part of DIT to start searching from);
  – Scope (how far to look: base, one level, or sub tree);
  – Filter (what to look for);
  – Attribute(s) to return.

LDAP search example
• E.g.
    ldapsearch -h myhost:389 -b dc=company1,dc=com -s sub "(cn=douglas gray stephens)" cn sn givenname mail
  – Returns
    dn: cn=Douglas Gray Stephens,ou=employee,dc=company1,dc=com
    cn: Douglas Gray Stephens
    cn: Douglas Gray-Stephens
    cn: Grey Stevens
    sn: Gray Stephens
    givenName: Douglas
    mail: dgs1@skibass.org

LDAP filters
• Components of a filter are nested within brackets "(...)";
• Items can be ANDed together (with "&");
• Items can be ORed together (with "|");
• Items can be negated (with "!");
• Searches can include wild cards (with "*");
• RFC 2254 gives full details.

LDAP filter example
• E.g. "(&(mail=*)(c=gb)(!(l=london))(cn=douglas*))"
• Means
  – Find all records with a mail attribute
  – that are in the United Kingdom (GB)
  – and do not have London as the city
  – and have a common name starting with douglas

LDAP URLs
• An LDAP URL begins with the protocol prefix "ldap" and is defined by the following grammar, as defined in RFC 2255:

    <ldapurl>       ::= "ldap://" [ <host:port> ] "/" <dn> [ "?" <attributes> [ "?" <scope> "?" <filter> ] ]
    <host:port>     ::= <hostname> [ ":" <portnumber> ]
    <dn>            ::= a string as defined in RFC 2253
    <attributes>    ::= NULL | <attributelist>
    <attributelist> ::= <attributetype> | <attributetype> [ "," <attributelist> ]
    <attributetype> ::= a string as defined in RFC 1777
    <scope>         ::= "base" | "one" | "sub"
    <filter>        ::= a string as defined in RFC 2254

LDAP URL example
• ldap://server1 server2:387/dc=com?cn,mail?sub?(&(cn=douglas*)(l=cambridge))
• Specifies that
  – there are two servers to try (server1, then server2). Note the second server is on a non standard port (387);
  – a search root of "dc=com";
  – attributes "cn" and "mail" should be returned;
  – the sub tree should be searched;
  – using a filter "(&(cn=douglas*)(l=cambridge))".
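A parser for the URL grammar on the previous slide, added here as an example in Python (it is not code from the deck or from Exim). It applies the RFC 2255 defaults for omitted parts (scope "base", filter "(objectClass=*)", port 389) and accepts the space-separated host list used in the slide's example; an empty host part, as in Exim's "ldap:///" form, yields no hosts.

```python
from urllib.parse import unquote

# Defaults RFC 2255 gives for components omitted from the URL.
DEFAULT_PORT = 389
DEFAULT_SCOPE = "base"
DEFAULT_FILTER = "(objectClass=*)"


def parse_ldap_url(url):
    """Split an LDAP URL into hosts, dn, attributes, scope and filter.

    hosts is a list of (hostname, port); it is empty for "ldap:///..." URLs,
    where Exim would fall back to ldap_default_servers.
    """
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    rest = url[len("ldap://"):]
    # The first "/" ends the host part; everything after it is dn?attrs?scope?filter.
    hostpart, sep, rest = rest.partition("/")
    if not sep:
        raise ValueError("missing '/' before the DN")
    hosts = []
    for h in hostpart.split():            # space-separated host list, per the slide
        name, _, port = h.partition(":")
        hosts.append((name, int(port) if port else DEFAULT_PORT))
    # At most four components; a filter may itself contain "?" so stop splitting there.
    parts = rest.split("?", 3)
    dn = unquote(parts[0])
    attrs = [a for a in parts[1].split(",") if a] if len(parts) > 1 else []
    scope = parts[2] if len(parts) > 2 and parts[2] else DEFAULT_SCOPE
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else DEFAULT_FILTER
    return {"hosts": hosts, "dn": dn, "attributes": attrs,
            "scope": scope, "filter": filt}
```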

Building Exim
• Requires that the LDAP libraries be available
  – OpenLDAP (http://www.openldap.org/);
  – SunOne (previously Netscape/iPlanet) (http://www.sun.com/software/products/directory_srvr_ee/)
• Specify in Makefile
    LOOKUP_LDAP=yes
    LDAP_LIB_TYPE=OPENLDAP1/OPENLDAP2/NETSCAPE/SOLARIS
    LOOKUP_INCLUDE=-I /???/include
    LOOKUP_LIBS=-L/???/lib -lldap -llber

Configuring Exim
• Location of LDAP servers
    ldap_default_servers = "localhost::389:server1::389:server2::387"
• Some router/transport commands to make use of LDAP (use anywhere that you would use the Exim lookup functionality).

LDAP lookups in Exim
• Types of lookups:
  – ldap requires the result to contain just one entry; if there are more, it gives an error.
  – ldapdn also requires the result to contain just one entry, but it is the Distinguished Name that is returned rather than any attribute values.
  – ldapm permits the result to contain more than one entry; the attributes from all of them are returned, and each entry in the result string is on a separate line.

LDAP lookup results
• ldap:///o=base?attr1?sub?(uid=frederic)
    value1.1, value1.2
• ldap:///o=base?attr2?sub?(uid=frederic)
    value two
• ldap:///o=base?attr1,attr2?sub?(uid=frederic)
    attr1="value1.1, value1.2" attr2="value two"
• ldap:///o=base?objectclass,cn,sn?sub?(uid=frederic)
    objectClass="top, person" cn="Frederic Smith, Fred Smith" sn="Smith"
• ldapm:///o=base??sub?(uid=fred*)
    objectClass="top, person" attr1="value1.1, value1.2" attr2="value two"
    objectClass="top, person" .... etc. for the second match

Case study
• Objective
  – Look up names in LDAP and forward to the appropriate person;
  – Handle the instance when there are multiple matches;
  – Handle the instance when there is no email address;
  – Enable the user to control lookup options (so limiting spam).

Details of mail handling
• Addresses of the form uid@company.com will always be sent to only one person, since a uid is by definition unique within the directory;
• Addresses of the form abc.efg_hijmno@company.com will be processed according to the following rules:
  – Forward to the record that matches the uid and has an email address
  – Forward to the record that matches the common name(s)
  – Forward to the record that matches givenname/surname
  – Forward to a record that contains all the words in the common name(s)
  – If the record does not have an email address, return the phone number
  – If there are 2 to 5 matches, give more details to the sender
  – If there are more than 5 matches, bounce the message

Mail processing
• For a single match, the message is forwarded to that address;
• For 2 to 5 matches, the message is bounced back to the sender along with details of the matches. The sender is asked to try again;
• For more than 5 matches, the message is bounced back to the sender. The sender is asked to be more specific about the address.

Message flow
• Loop through a series of LDAP lookups
  – Zero or more than one matches is failure for the ldapm lookup
• Perl code ldap_one sets new_address and status
• Perl code alias_bounce handles
  – no matches
  – 2 to 5 matches
  – more than 5 matches
  – no email address (snail mail details)

Exim global parameters
• ldap_default_servers = "server1 server2:387"
• What should be returned:
    LDAP_URL = ldap:///dc=company1,dc=com?uid,mail,cn,ou,telephonenumber,o?sub?
• Search definitions for different lookups (a Perl function builds up each LDAP filter):
  – MAIL_UID_MATCH = &(mail=*)(uid=${perl{punc_to_dash}{$local_part}})
  – MAIL_CN_MATCH = &(mail=*)(cn=${perl{punc_to_spc}{$local_part}})
  – MAIL_GIVENNAME_SN_MATCH = &(mail=*)(${perl{givenname_sn_match}{$local_part}})
  – MAIL_CN_WORDS_MATCH = &(mail=*)(${perl{cn_match}{$local_part}})

LDAP router example
• Returns the mail address when there is one match:

    company1_user:
      driver = redirect
      allow_defer
      allow_fail
      condition = "${perl{ldap_who}\
        {${lookup ldapm {LDAP_URL(MAIL_UID_MATCH)}{$value}\
        {${lookup ldapm {LDAP_URL(MAIL_CN_MATCH)}{$value}\
        {${lookup ldapm {LDAP_URL(MAIL_GIVENNAME_SN_MATCH)}{$value}\
        {${lookup ldapm {LDAP_URL(MAIL_CN_WORDS_MATCH)}{$value}\
        {DUNNO}}}}}}}}}}"
      data = ${perl{new_address}}
      domains = company1.com
      headers_add = "X-LDAP-Alias: V LDAP_ALIAS_VERSION. Sent to $local_part@$domain resolving to ${perl{new_address}}"
      retry_use_local_part
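The decision the router's ldap_who condition has to take over an ldapm result, as an added Python example rather than the deck's Perl code: it parses result lines in the attr="v1, v2" form of the lookup results slide (constructed samples, not real directory data; Exim's exact quoting rules are not reproduced), classifies the match count the way the mail processing slide describes, and walks the lookup cascade in router order.

```python
import re

# Constructed ldapm results, one entry per line, in the attr="v1, v2" form of the slides.
SAMPLE_ONE = ('objectClass="top, person" uid="dgraystephens" '
              'cn="Douglas Gray Stephens, Grey Stevens" mail="dgs1@skibass.org"')
SAMPLE_FEW = ('uid="afew1" cn="Andy Few" mail="a.few1@london.company1.com" l="london"\n'
              'uid="afew2" cn="Alex Few" mail="afew2@cambridge.company1.com" l="cambridge"')
SAMPLE_NO_MAIL = ('uid="dages1" cn="Dark Ages" o="Company1" l="Oxford" '
                  'telephoneNumber="+44 1865 1234567"')

_ATTR = re.compile(r'(\w+)="([^"]*)"')
MAX_DETAILED = 5   # above this many matches the bounce does not list candidates


def parse_ldapm(result):
    """Turn an ldapm result string into a list of {attribute: [values]} dicts."""
    entries = []
    for line in result.splitlines():
        if not line.strip():
            continue
        entry = {}
        for name, values in _ATTR.findall(line):
            entry[name.lower()] = [v.strip() for v in values.split(",") if v.strip()]
        entries.append(entry)
    return entries


def ldap_who(result):
    """Classify a lookup result as the case study does.

    Returns (status, new_address, entries) with status one of
    none, one, no_mail, few (2..MAX_DETAILED) or many.
    """
    entries = parse_ldapm(result) if result else []
    if not entries:
        return ("none", None, entries)
    if len(entries) == 1:
        mail = entries[0].get("mail")
        if mail:
            return ("one", mail[0], entries)
        return ("no_mail", None, entries)   # bounce with phone/postal details
    if len(entries) <= MAX_DETAILED:
        return ("few", None, entries)       # bounce listing the candidates
    return ("many", None, entries)          # bounce asking for a more specific address


def route(lookups):
    """Walk (rule, ldapm result or None) pairs in router order; the first rule
    that finds anything decides, like the nested ${lookup ldapm ...} condition."""
    for rule, result in lookups:
        status, addr, _ = ldap_who(result)
        if status != "none":
            return (rule, status, addr)
    return (None, "none", None)
```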

Bounce router

    unknownuser:
      driver = accept
      retry_use_local_part
      transport = uid_bounce
      no_verify

Bounce transport

    uid_bounce:
      driver = autoreply
      from = Company1 Mail Server <mailer-daemon@org.com>
      headers = "X-LDAP-To: bouncing ${local_part}@${domain} (${perl{failure_reason}})\n\
        Mime-Version: 1.0\n\
        Content-Type: multipart/mixed; boundary=\"${perl{mime_boundary}}\""
      log = "/var/spool/exim/log/bouncelog"
      once = "/var/spool/exim/db/bounce/${local_part}"
      once_repeat = 1w
      return_message
      subject = "Unable to deliver to ${local_part}@${domain}"
      text = ${perl{mime_bounce}{${domain}}}
      to = $sender_address
      transport_filter = "/etc/exim/close_mime ${perl{mime_boundary}}"

Sample too many matches

    From: Company1 Mail Server <mailer-daemon@slb.com>
    Subject: Unable to deliver to few@company1.com
    ......
    To help you locate the correct individual, selected fields from the possible matches are included below. The uid field is the only one guaranteed unique within a given community.

    Name      Uid     Email                          Organisation  City
    Andy Few  AFew1   a.Few1@london.company1.com     Company1      london
    Alex Few          afew2@cambridge.company1.com   Company1      cambridge

Example with no email address

    From: Company1 Mail Server <mailer-daemon@slb.com>
    Subject: Unable to deliver to dages1@company1.com

    Dear email sender,
    This message has been automatically generated because I, the email server, found a single match looking for <dages1@company1.com> but that match contained no forwarding email address and was thus undeliverable. The details of this match are as follows:

    Name       Uid     Organisation  City    Tel
    Dark Ages  dages1  Company1      Oxford  +44 1865 1234567

Troubleshooting
• Test out address resolution
    exim -bt dgraystephens@company1.com
    dgs1@skibass.org
        <-- dgraystephens@company1.com
      router = perimeter_routes, transport = remote_smtp
      host mail-relay.slb.com [163.184.1.20]
      host mail-relay.slb.com [134.32.26.55]
      host mail-relay.slb.com [163.187.152.23]
      host mail-relay.slb.com [163.188.150.130]

Troubleshooting (cont)
• Additional debugging
    exim -d+lookup -bt dgraystephens@company1.com
  Shows details including the LDAP calls:
    database lookup required for .......
    perform_ldap_search: ldapm URL = "ldap:///dc=company1,dc=com?uid,mail,cn,ou,telephonenumber,o?sub?(&(mail=*)(uid=dgraystephens))" server=localhost port=389 sizelimit=0 timelimit=0 tcplimit=-1
    after ldap_url_parse: host=localhost port=389
    ldap_initialize with URL ldap://localhost:389/
    ......
    ldap_parse_result yielded 0: Success
    LDAP search: returning: cn="Douglas Gray Stephens, Douglas Gray-Stephens, Grey Stevens" mail="dgs1@skibass.org" o="Company1" ou="Core services" uid="dgraystephens" telephoneNumber="44 1223 325295"
• Check the LDAP server logs for connection details

Controlling fuzzy logic or spam
• Fuzzy logic is good when there is no spam;
• If spam is an issue, then enable users to opt in or out;
• Add a new component to the searches, e.g.
    MAIL_CN_MATCH = &(mail=*)(cn=${perl{punc_to_spc}{$local_part}})
  becomes
    MAIL_CN_MATCH = &(mail=*)(cn=${perl{punc_to_spc}{$local_part}})(!(description=exclude:cn))
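The search definitions from the global parameters slide and the opt-out clause above, built in Python as an added example (the deck does not show the bodies of its Perl helpers punc_to_dash, punc_to_spc, givenname_sn_match and cn_match; these are stand-ins). Because $local_part comes from the incoming address, each value is escaped as RFC 2254 requires before it is placed in the filter; in an Exim configuration the ${quote_ldap:...} operator does the same job. The example assumes the opt-out clause applies to every fuzzy rule, not only the cn rule shown.

```python
import re

# Characters RFC 2254 reserves inside filter values; NUL is included for safety.
FILTER_SPECIALS = "\\*()\0"


def ldap_escape(value):
    """Escape reserved characters as \\XX hex, so a local part taken from an
    incoming address cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in FILTER_SPECIALS else c for c in value)


def punc_to_dash(local_part):
    return re.sub(r"[._]", "-", local_part)


def punc_to_spc(local_part):
    return re.sub(r"[._]", " ", local_part)


# Opt-out clause from the last slide. Assumption for this example: it is added to
# every fuzzy rule, and never to the exact uid rule.
OPT_OUT = "(!(description=exclude:cn))"


def build_filters(local_part, opt_out=OPT_OUT):
    """Return the search filters in the order the router cascade tries them."""
    filters = {}
    filters["uid"] = "(&(mail=*)(uid=%s))" % ldap_escape(punc_to_dash(local_part))
    filters["cn"] = "(&(mail=*)(cn=%s)%s)" % (ldap_escape(punc_to_spc(local_part)), opt_out)
    # abc.efg_hij -> givenName "abc", sn "efg hij"; without a dot this rule cannot apply
    given, dot, sn = local_part.partition(".")
    if dot and given and sn:
        filters["givenname_sn"] = "(&(mail=*)(givenname=%s)(sn=%s)%s)" % (
            ldap_escape(given), ldap_escape(punc_to_spc(sn)), opt_out)
    # every word of the local part must occur somewhere in a common name
    words = [w for w in re.split(r"[._]+", local_part) if w]
    filters["cn_words"] = "(&(mail=*)%s%s)" % (
        "".join("(cn=*%s*)" % ldap_escape(w) for w in words), opt_out)
    return filters
```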