Using Exim with LDAP - PowerPoint PPT Presentation

1
Using Exim with LDAP
  • Douglas Gray Stephens
  • Senior Directory Architect, Schlumberger

2
Topics
  • What is LDAP
  • What is LDAP designed for
  • How is LDAP integrated into Exim
  • Case study of using Exim with LDAP
  • How to troubleshoot Exim with LDAP

3
What is LDAP
  • Lightweight Directory Access Protocol
  • (X.500 is DAP, so more heavyweight)
  • Communications protocol
  • no specification for the back-end server system
  • Standards based
  • De facto standard for internet white pages (cf.
    HTTP for online documents).
  • Current version is LDAPv3 (ratified in 2000)

4
What is LDAP designed for
  • Systems where there are few writes, but many
    reads
  • Storing any data
  • Fast response for queries
  • Redundancy (i.e. automatic failover)

5
What is LDAP not designed for
  • It is not a relational database
  • Not efficient for systems with frequent
    writes
  • Server may return unexpected (e.g. no) results if
    an attribute is not indexed.

6
How is data stored in LDAP (DIT)
  • LDAP is a tree structure (Document Information
    Tree)

7
How is data stored in LDAP (objects)
  • LDAP has several containers (objectclasses)
  • Each objectclass has required and/or allowable
    attributes (fields), e.g.
  • person (OID 2.5.6.6)

8
Object Identifiers (OIDs)
  • Each LDAP objectclass and attribute has a
    definition
  • The definition can be registered
  • Normally has an associated OID
  • OIDs are allocated by IANA, ANSI, BSI and written
    in dot notation, e.g.
  • 1.3.6.1 is the top of the Internet OID branch
    (RFC 1065)
  • 1.3.6.1.4 is the top of the Internet Enterprise
    OID branch
  • 1.3.6.1.4.1.1489.1 is Schlumberger's OID for LDAP
  • OIDs can be private, but you can walk the tree
    from http://www.alvestrand.no/objectid/

9
Active Directory (Windows 2000)
  • Windows 2000 server comes with Active Directory
  • Active Directory has an LDAP interface
  • Its implementation of LDAP is not 100% standards
    compliant
  • If you have Windows 2000, then LDAP provides a
    usable standards based interface to access
    account details
  • May need to modify Active Directory ACLs to enable
    LDAP access.

10
LDAP searches
  • Requires:
  • Server to search (where to look)
  • Search root (part of DIT to start searching
    from)
  • Scope (how far to look - base, one level, or sub
    tree)
  • Filter (what to look for)
  • Attribute(s) to return

11
LDAP search example
  • E.g. ldapsearch -h myhost:389 -b dc=company1,dc=com -s sub
    "(cn=douglas gray stephens)" cn sn givenname mail
  • Returns: dn: cn=Douglas Gray Stephens,ou=employee,
    dc=company1,dc=com
  • cn: Douglas Gray Stephens
  • cn: Douglas Gray-Stephens
  • cn: Grey Stevens
  • sn: Gray Stephens
  • givenName: Douglas
  • mail: dgs1@skibass.org

12
LDAP filters
  • Components of a filter are nested within brackets
    (..)
  • Items can be ANDed together (with &)
  • Items can be ORed together (with |)
  • Items can be negated (with !)
  • Searches can include wild cards (with *)
  • RFC 2254 gives full details.

13
LDAP filter example
  • E.g. (&(mail=*)(c=GB)(!(l=London))(cn=douglas*))
  • Means:
  • Find all records with a mail attribute
  • that are in the United Kingdom (c=GB)
  • and do not have London as the city (l)
  • and have a common name starting with douglas

14
LDAP URLs
  • An LDAP URL begins with the protocol prefix
    "ldap" and is defined by the following grammar,
    as defined in RFC 2255
  • <ldapurl> = "ldap://" <hostport> "/" <dn> "?"
    <attributes> "?" <scope> "?" <filter>
  • <hostport> = <hostname> ":" <portnumber>
  • <dn> = a string as defined in RFC 2253
  • <attributes> = NULL | <attributelist>
  • <attributelist> = <attributetype> |
    <attributetype> "," <attributelist>
  • <attributetype> = a string as defined in
    RFC 1777
  • <scope> = "base" | "one" | "sub"
  • <filter> = a string as defined in RFC 2254

15
LDAP URL example
  • ldap://server1 server2:387/dc=com?cn,mail?sub?(&(cn=douglas)(l=cambridge))
  • Specifies that:
  • there are two servers to try (server1, then
    server2). Note the second server is on a non
    standard port (387)
  • a search root of dc=com
  • attributes cn and mail should be returned
  • the sub tree should be searched
  • using a filter (&(cn=douglas)(l=cambridge))
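Building the filters of slides 12-13 and the URLs of slides 14-15 in code, as an added Python example (not code from the presentation): it assembles the slide-13 filter from its parts, escapes assertion values per RFC 2254 so that characters such as *, ( and ) inside a user-supplied value cannot change the structure of the filter, and emits a URL in the slide-14 grammar. The function names (escape_filter_value, build_ldap_url and the rest) are assumptions.

```python
from urllib.parse import quote

# RFC 2254 section 4: these characters must be backslash-hex escaped inside an
# assertion value so user input cannot alter the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape text that goes to the right of '=' in an assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def present(attr):
    """(attr=*): the attribute exists, whatever its value."""
    return f"({attr}=*)"


def equals(attr, value, prefix=False):
    """(attr=value), or (attr=value*) when prefix=True; the '*' is the
    filter's own wildcard, never one supplied inside value."""
    return f"({attr}={escape_filter_value(value)}{'*' if prefix else ''})"


def all_of(*items):            # AND
    return "(&" + "".join(items) + ")"


def any_of(*items):            # OR
    return "(|" + "".join(items) + ")"


def negate(item):              # NOT
    return f"(!{item})"


def build_ldap_url(hostport, dn, attributes, scope, filt):
    """<ldapurl> = "ldap://" <hostport> "/" <dn> "?" <attributes> "?" <scope> "?" <filter>"""
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    # RFC 2255 percent-encodes reserved characters within each component; the
    # filter's own ( ) = & | ! * \ are syntax and are kept as-is.
    safe_dn = quote(dn, safe="=,")
    safe_filter = quote(filt, safe="()=&|!*\\")
    return f"ldap://{hostport}/{safe_dn}?{','.join(attributes)}?{scope}?{safe_filter}"


# The slide-13 filter assembled from parts: mail present, country GB,
# city not London, common name starting with "douglas".
SLIDE13_FILTER = all_of(present("mail"), equals("c", "GB"),
                        negate(equals("l", "London")), equals("cn", "douglas", prefix=True))
```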

16
LDAP authentication
  • LDAP has 3 types of authentication (binding):
  • Anonymous (client gives no DN or password)
  • Unauthenticated (client gives a DN that may or
    may not exist and no password, i.e. a null password)
  • Authenticated (client gives a DN that must exist,
    and the correct password for that DN).

17
Building Exim
  • Requires that the LDAP libraries be available
  • OpenLDAP (http://www.openldap.org/)
  • SunOne (previously Netscape/iPlanet)
    (http://www.sun.com/software/products/directory_srvr_ee/)
  • Specify in Makefile:
  • LOOKUP_LDAP=yes
  • LDAP_LIB_TYPE=OPENLDAP1/OPENLDAP2/NETSCAPE/SOLARIS
  • LOOKUP_INCLUDE=-I /???/include
  • LOOKUP_LIBS=-L/???/lib -lldap -llber

18
Configuring Exim
  • Location of LDAP servers:
  • ldap_default_servers = \
  •   localhost:389 \
  •   server1:389 \
  •   server2:387
  • Some router/transport commands to make use of
    LDAP (use anywhere that you would use the Exim
    lookup functionality).

19
LDAP lookups in Exim
  • Types of lookups:
  • ldap requires the result to contain just one
    entry; if there are more, it gives an error.
  • ldapdn also requires the result to contain just
    one entry, but it is the Distinguished Name that
    is returned rather than any attribute values.
  • ldapm permits the result to contain more than one
    entry; the attributes from all of them are
    returned, with each entry in the result string on a
    separate line.

20
LDAP lookup results
  • ldap:///o=base?attr1?sub?(uid=frederic)
  • value1.1, value1.2
  • ldap:///o=base?attr2?sub?(uid=frederic)
  • value two
  • ldap:///o=base?attr1,attr2?sub?(uid=frederic)
  • attr1="value1.1, value1.2" attr2="value two"
  • ldap:///o=base?objectclass,cn,sn?sub?(uid=frederic)
  • objectClass="top, person" cn="Frederic Smith,
    Fred Smith" sn=Smith
  • ldapm:///o=base??sub?(uid=fred)
  • objectClass="top,person" attr1="value1.1,
    value1.2" attr2="value two"
  • objectClass="top,person" ... etc. for the
    second match
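A parser for the result strings shown on slides 19-20, added here as a Python example (not code from the presentation): it handles the bare comma-separated values of a single-attribute lookup, the name="value" pairs of a multi-attribute lookup, the one-entry-per-line form of ldapm, and the single-entry rule of ldap. The sample result is constructed; the function names are assumptions.

```python
import re

# One attribute in an Exim LDAP result line: name=value, where value is either
# "..." (may contain spaces and commas) or a bare run of non-space characters,
# as in the examples on the slide.
_ATTR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_values(result):
    """Single requested attribute: Exim returns the bare values, comma-separated."""
    return [v.strip() for v in result.split(",")]


def parse_entry(line):
    """One entry with several attributes -> {attribute: [values]}."""
    entry = {}
    for m in _ATTR.finditer(line):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        # A comma inside a quoted value separates the values of that attribute.
        # A comma that is part of a single value cannot be told apart here, which
        # is one reason uid (unique, no commas) is the safest field to act on.
        entry[m.group(1)] = [v.strip() for v in raw.split(",")]
    return entry


def parse_ldapm(result):
    """ldapm puts each matching entry on its own line."""
    return [parse_entry(line) for line in result.splitlines() if line.strip()]


def parse_ldap(result):
    """ldap (single-entry) semantics: exactly one entry, otherwise the lookup fails."""
    entries = parse_ldapm(result)
    if len(entries) != 1:
        raise LookupError(f"ldap lookup expects one entry, got {len(entries)}")
    return entries[0]


# Constructed ldapm result for (uid=fred), in the shape the slide shows.
SAMPLE_LDAPM = ('objectClass="top,person" attr1="value1.1, value1.2" attr2="value two"\n'
                'objectClass="top,person" cn="Frederic Smith, Fred Smith" sn=Smith')
```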

21
Case study
  • Objective:
  • Look up names in LDAP and forward to the appropriate
    person
  • Handle the case of multiple matches
  • Handle the case where there is no email address
  • Enable users to control lookup options (so
    limiting spam).

22
Details of mail handling
  • Addresses of the form uid@company.com will always
    be sent to only one person, since a uid is by
    definition unique within the directory.
  • Addresses of the form abc.efg_hij-mno@company.com
    will be processed according to the following
    rules:
  • Forward to the record that matches the uid and has an
    email address
  • Forward to the record that matches the common name(s)
  • Forward to the record whose given name/surname match
  • Forward to a record that contains all the words
    in the common name(s)
  • If the record does not have an email address, return
    the phone number
  • If there are 2 to 5 matches, give more details to
    the sender
  • If there are more than 5 matches, bounce the message

23
Mail processing
  • For a single match, the message is forwarded to
    that address
  • For 2 to 5 matches, the message is bounced back
    to the sender along with details of the matches.
    The sender is asked to try again.
  • For more than 5 matches, the message is bounced
    back to the sender. The sender is asked to be
    more specific about the address.

24
Message flow
  • Zero or more than one match is a failure for the
    ldapm lookup
  • Loop through a series of LDAP lookups
  • Perl code alias_bounce handles:
  • no matches
  • 2 to 5 matches
  • more than 5 matches
  • No email address (snail mail details)
  • Perl code ldap_one sets new_address and status

25
Exim Global parameters
  • ldap_default_servers = server1 server2:387
  • What should be returned: LDAP_URL =
    ldap:///dc=company1,dc=com?uid,mail,cn,ou,telephonenumber,o?sub?
  • Search definitions for different lookups:
  • MAIL_UID_MATCH = &(mail=*)(uid=${perl{punc_to_dash}{$local_part}})
  • MAIL_CN_MATCH = &(mail=*)(cn=${perl{punc_to_spc}{$local_part}})
  • MAIL_GIVENNAME_SN_MATCH = &(mail=*)(${perl{givenname_sn_match}{$local_part}})
  • MAIL_CN_WORDS_MATCH = &(mail=*)(${perl{cn_match}{$local_part}})

26
LDAP router example
  • company1_user:
  • driver = redirect
  • allow_defer
  • allow_fail
  • condition = "${perl{ldap_who} \
  •   {${lookup ldapm {LDAP_URL(MAIL_UID_MATCH)}{$value}}} \
  •   {${lookup ldapm {LDAP_URL(MAIL_CN_MATCH)}{$value}}} \
  •   {${lookup ldapm {LDAP_URL(MAIL_GIVENNAME_SN_MATCH)}{$value}}} \
  •   {${lookup ldapm {LDAP_URL(MAIL_CN_WORDS_MATCH)}{$value}}} \
  •   {DUNNO}}"
  • data = ${perl{new_address}}
  • domains = company1.com
  • headers_add = "X-LDAP-Alias: V LDAP_ALIAS_VERSION. Sent to
    $local_part@$domain resolving to ${perl{new_address}}"
  • retry_use_local_part

27
Bounce router
  • unknownuser:
  • driver = accept
  • retry_use_local_part
  • transport = uid_bounce
  • no_verify

28
Bounce transport
  • uid_bounce:
  • driver = autoreply
  • from = Company1 Mail Server <mailer-daemon@org.com>
  • headers = "X-LDAP-To: bouncing
    $local_part@$domain (${perl{failure_reason}})\n\
  •   Mime-Version: 1.0\nContent-Type:
    multipart/mixed; boundary=\"${perl{mime_boundary}}\""
  • log = "/var/spool/exim/log/bouncelog"
  • once = "/var/spool/exim/db/bounce/$local_part"
  • once_repeat = 1w
  • return_message
  • subject = "Unable to deliver to
    $local_part@$domain"
  • text = ${perl{mime_bounce}{$domain}}
  • to = $sender_address
  • transport_filter = "/etc/exim/close_mime
    ${perl{mime_boundary}}"

29
Sample too many matches
  • From: Company1 Mail Server <mailer-daemon@slb.com>
  • Subject: Unable to deliver to few@company1.com
  • To help you locate the correct individual,
    selected fields from the possible matches are
    included below. The uid field is the only one
    guaranteed unique within a given community.
  • Name: Andy Few
  • Uid: AFew1
  • Email: aFew1@london.company1.com
  • Organisation: Company1
  • City: london
  • Name: Alex Few
  • Uid: afew2
  • Email: afew2@cambridge.company1.com
  • Organisation: Company1

30
Example with no email address
  • From: Company1 Mail Server <mailer-daemon@slb.com>
  • Subject: Unable to deliver to dages1@company1.com
  • Dear email sender,
  • This message has been automatically generated
    because I, the email server, found a single match
    looking for <dages1@company1.com> but that match
    contained no forwarding email address and was thus
    undeliverable. The details of this match are as
    follows:
  • Name: Dark Ages
  • Uid: dages1
  • Organisation: Company1
  • City: Oxford
  • Tel: 44 1865 1234567

31
Troubleshooting
  • Test out address resolution:
  • exim -bt dgraystephens@company1.com
  • dgs1@skibass.org
  •   <-- dgraystephens@company1.com
  •   router = perimeter_routes, transport =
    remote_smtp
  •   host mail-relay.slb.com [163.184.1.20]
  •   host mail-relay.slb.com [134.32.26.55]
  •   host mail-relay.slb.com [163.187.152.23]
  •   host mail-relay.slb.com [163.188.150.130]

32
Troubleshooting (cont)
  • Additional debugging:
  • exim -d+lookup -bt dgraystephens@company1.com
  • Shows details including the LDAP calls: database
    lookup required for
  • ..
  • perform_ldap_search: ldapm URL =
    "ldap:///dc=company1,dc=com?uid,mail,cn,ou,telephonenumber,o?sub?(&(mail=*)(uid=dgraystephens))"
    server=localhost port=389 sizelimit=0 timelimit=0
    tcplimit=-1
  • after ldap_url_parse: host=localhost port=389
  • ldap_initialize with URL ldap://localhost:389/
  • ldap_parse_result yielded 0: Success
  • LDAP search returning: cn="Douglas Gray
    Stephens, Douglas Gray-Stephens, Grey Stevens"
    mail="dgs1@skibass.org" o="Company1" ou="Core
    services" uid="dgraystephens" telephoneNumber="44
    1223 325295"
  • Check the LDAP server logs for connection details

33
Controlling fuzzy logic or spam
  • Fuzzy logic is good when there is no spam
  • If spam is an issue, then enable users to opt in
    or out
  • Add a new component to the searches, e.g.
    MAIL_CN_MATCH = &(mail=*)(cn=${perl{punc_to_spc}{$local_part}})
    becomes
    MAIL_CN_MATCH = &(mail=*)(cn=${perl{punc_to_spc}{$local_part}})(!(description=exclude cn))