database.sarang.net
LDAP Tutorials, No. 1686

Using LDAP with sendmail

Author: 정재익 (advance)
Date: 2002-10-16 09:17
Views: 8,026

ldap source: ftp://terminator.rs.itd.umich.edu

ldap explained (ldap.ps.gz): http://trade.chonbuk.ac.kr/~leesl/mail/ldap/ldap.ps.gz

ldap and sendmail: http://www.stanford.edu/~bbense/Inst.html

Using LDAP with sendmail.8.[89].x

Sendmail 8.[89].x (http://www.sendmail.org/) now has the ability to use the LDAP protocol (http://www.stanford.edu/group/networking/directory/x500ldapfaq.html) to do address lookups. I wrote this in order to support campus-wide email addresses at Stanford University (i.e. Booker.Bense@stanford.edu style addressing).

LDAP and release 8.9.2

The ldap map in sendmail 8.9.2 has a bug, so you should upgrade to 8.9.3.

Compiling

To compile sendmail with LDAP support you need either ldap3.3 from umich (http://www.umich.edu/~rsug/ldap/) or openldap (http://www.openldap.org/). Once the ldap headers and libraries are installed, edit sendmail's Makefile: add -DLDAPMAP to the MAPDEF= -DNEWDB definition and add -lldap to LIBS= -ldb.

Using the Netscape ldap client library

Not supported at present, but sendmail 8.10(?) may support it.

Usage

First, decide what kind of delivery you want to use. For example, on a network whose IP addresses change from day to day you would use a maildrop (mailacceptinggeneralid). For the background, see Jeff Hodges' Internet-Draft (http://trade.chonbuk.ac.kr/~leesl/mail/draft-ietf-asid-email-routing-su-00.shtml).

A maildrop entry consists of one or more ids (the generalid) and the mail address that mail for those ids should be delivered to. For example, the ids:

         mailacceptinggeneralid=bbense
         mailacceptinggeneralid=bookerbense
         mailacceptinggeneralid=bookercbense

We use a special algorithm to convert arbitrary strings to generalid form. I recommend that you consider using one as well. (-DSUNET_ID enables this algorithm in the ldap map; if you are interested, look at sunet_id_hash in map.c.)

The maildrop is the recipient mail address in RFC 822 form. For example:

          maildrop=bbense@networking.stanford.edu

In sendmail.cf the map is defined as follows:

Kluser ldapx -b"ou=People, o=Stanford University , c=US" -h"localhost directory-a.stanford.edu directory-b.stanford.edu directory-c.stanford.edu" -k"mailacceptinggeneralid=%s" -v"maildrop"

Quite a mouthful, eh? This map type supports all of the standard sendmail map arguments, plus most of the command line arguments of ldapsearch (http://www.umich.edu/cgi-bin/ldapman?1+ldapsearch). If you are not familiar with ldapsearch, stop now and go read its man page. If you still have questions, READ THE SOURCE. In general sendmail is one of the most readable and internally documented programs on the net.

This map is also slightly different from the other sendmail maps in that it supports quoted strings. The strings MUST BE DOUBLE-QUOTED. ldap options and sendmail map options have totally different parsing rules. Any "ldap-style" option value must be double-quoted and must follow immediately after the option letter (i.e. no space between the option and the opening quote).

For most applications the four options above are all you should need. Here they are in closer detail.

-b"ldap search base"

This is the "directory" in your ldap "tree" that you are going to search in.

-h"ldap servers"

This is a space-separated string of servers that support ldap at your site. The ldap libraries will attempt to connect to these machines in the order that they are listed.

-k"ldap search string"

This is a "sprintf" style string that defines how the map takes its input value and constructs an ldap search. It MUST be of the form "attribute=%s". It and the base used above should define a search that returns AT MOST ONE ENTRY; the ldap map will only use the first entry it receives.

-v"ldap attribute"

The attribute whose value replaces the original string in the map. In most cases this will be your rfc822 email address (the maildrop).

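As an added example (not code from the original page or from sendmail), the following Python script shows what the K line above does with its four options: it parses a map definition written in that quoted style, expands the -k template into the filter that would be sent to the servers, and resolves the key against a constructed in-memory directory that stands in for the real one. The RFC 4515 escaping of the substituted key, the acceptance of an unquoted `-v maildrop`, and the sample entries are my assumptions; the page does not describe how the map treats a key that contains filter metacharacters.

```python
"""Simulate how an ldapx map definition in sendmail.cf becomes an LDAP search.

This is an added example for this page, not sendmail's own map.c, and it does
not talk to a server.  It parses the option string of a K line of the kind
shown above (-b, -h, -k and -v, each immediately followed by a double-quoted
value), expands the -k template for a key, and resolves the key against a
small in-memory directory built here from constructed sample entries.  The
RFC 4515 escaping applied to the substituted key is my addition; the page does
not say what the original map does with a key containing filter metacharacters.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One ldap-style option: the letter, then the double-quoted value with no space
# in between (the quoting rule stated above).  A bare word is also accepted so
# that a line written as `-v maildrop` still parses (assumption, not a page rule).
_OPT_RE = re.compile(r'-([bhkv])(?:"([^"]*)"|\s+(\S+))')


@dataclass
class LdapMap:
    name: str
    base: str = ""                                  # -b  search base
    hosts: List[str] = field(default_factory=list)  # -h  servers, tried in order
    search: str = ""                                # -k  "attribute=%s" template
    attr: str = ""                                  # -v  attribute returned as the map value


def parse_kline(line: str) -> LdapMap:
    """Parse `K<name> ldapx <options>` into an LdapMap."""
    m = re.match(r"K(\S+)\s+ldapx\s+(.*)$", line.strip())
    if not m:
        raise ValueError("not an ldapx map definition")
    lm = LdapMap(name=m.group(1))
    for opt, quoted, bare in _OPT_RE.findall(m.group(2)):
        val = quoted if quoted else bare
        if opt == "b":
            lm.base = val
        elif opt == "h":
            lm.hosts = val.split()
        elif opt == "k":
            lm.search = val
        else:
            lm.attr = val
    # The page says -k MUST be "attribute=%s": one attribute, one %s.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=%s", lm.search):
        raise ValueError('-k must be of the form "attribute=%s"')
    if not (lm.base and lm.hosts and lm.attr):
        raise ValueError("-b, -h and -v are all required")
    return lm


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter(lm: LdapMap, key: str) -> str:
    """Expand the -k template for `key`, e.g. "(mailacceptinggeneralid=bbense)"."""
    return "(" + lm.search.replace("%s", escape_filter_value(key)) + ")"


def lookup(lm: LdapMap, key: str, directory: list) -> Optional[str]:
    """Stand-in for the server: case-insensitive equality match under the base.

    Returns the -v attribute of the first matching entry (the map only uses
    the first entry it receives) or None when no entry matches.
    """
    attr = lm.search.split("=", 1)[0]
    for entry in directory:
        if not entry["dn"].lower().endswith(lm.base.lower()):
            continue
        if key.lower() in (v.lower() for v in entry.get(attr, [])):
            return entry.get(lm.attr, [None])[0]
    return None


# Constructed sample entries; the DNs use the base without spaces so that the
# suffix comparison above needs no DN normalisation.
SAMPLE_DIRECTORY = [
    {"dn": "uid=bbense,ou=People,o=Stanford University,c=US",
     "mailacceptinggeneralid": ["bbense", "bookerbense", "bookercbense"],
     "maildrop": ["bbense@networking.stanford.edu"]},
    {"dn": "uid=jdoe,ou=People,o=Stanford University,c=US",
     "mailacceptinggeneralid": ["jdoe"],
     "maildrop": ["jdoe@mailhub.example"]},
]

SAMPLE_KLINE = ('Kluser ldapx -b"ou=People,o=Stanford University,c=US" '
                '-h"localhost directory-a.stanford.edu" '
                '-k"mailacceptinggeneralid=%s" -v"maildrop"')

if __name__ == "__main__":
    lm = parse_kline(SAMPLE_KLINE)
    for key in ("bookerbense", "nobody", "*"):
        print(build_filter(lm, key), "->", lookup(lm, key, SAMPLE_DIRECTORY))
```

Run it directly to see the filter and the result for bookerbense, for an unknown id, and for a bare *: with escaping the last one becomes (mailacceptinggeneralid=\2a) and matches nothing, which is what you want from a key that comes straight out of an envelope address.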
Once you've defined the map, you need to use it. At Stanford we use the map in the S5 ruleset. All addresses that look like "local" email addresses are passed through the S5 ruleset before they are bounced. I chose to implement the addressing this way so that any local aliases or usernames will override the ldap entries. Here's what our S5 looks like (in sendmail.cf the fields of each R line are separated by tabs):

S5

# deal with plussed users so aliases work nicely
R$+ + *                 $#local $@ $&h $: $1
R$+ + $*                $#local $@ $2 $: $1 + *

# prepend an empty "forward host" on the front
R$+                     $: <> $1

# send unrecognized local users to a relay host
R< > $+ + $*            $: < $L . > $( user $1 $) + $2
R< > $+                 $: < $L . > $( user $1 $)       look up user
R< $* > $+ <> $*        $: < > $2 $3                    found; strip $L
R< $* . > $+            $: < $1 > $2                    strip extra dot
# Now attempt to lookup in luser (ldap map)
R< $L > $+              $: < $L > $( luser $1 $) 
R< $*  > $+ @ $+        $: < $3 > $2                    Rewrite if forward

The important thing to note here is that this code assumes that the map is going to return an address that looks like someone@something. You need to be very careful about what you allow users to put in the directory as their maildrop.

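The check that paragraph asks for, as an added example that is not part of the original page or of sendmail: a small Python validator for maildrop values, meant to run wherever users or administrators set the attribute, before the value reaches the directory. The policy and the sample values are my own assumptions; the rule set is deliberately stricter than RFC 822, because the S5 rules above only cope with one plain user@host.

```python
"""Vet a maildrop value before it is stored in the directory.

Added example, not part of the original page or of sendmail.  The S5 rules
above assume the luser map hands back one plain address of the form
someone@something; a value holding several addresses, a source route, a
percent or bang route, angle brackets or whitespace would be rewritten in ways
those rules do not anticipate.  The policy here is mine and deliberately
stricter than RFC 822: one dotted-atom local part, exactly one @, and a fully
qualified host name.
"""
import re
from typing import List, Tuple

_LOCAL_RE = re.compile(r"^[A-Za-z0-9_+-]+(?:\.[A-Za-z0-9_+-]+)*$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Characters that sendmail configurations of this era treat as routing or
# list syntax (assumed policy: none of them belong in a maildrop).
_ROUTING = ",:;<>%!\"()[]"


def check_maildrop(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate maildrop value."""
    if not value or not value.isascii() or not value.isprintable():
        return False, "empty, non-ASCII or control characters"
    if any(ch.isspace() for ch in value):
        return False, "whitespace"
    bad = [ch for ch in _ROUTING if ch in value]
    if bad:
        return False, "routing or list syntax %r" % "".join(bad)
    if value.count("@") != 1:
        return False, "exactly one @ required"
    local, _, host = value.partition("@")
    if len(value) > 254 or len(local) > 64:
        return False, "too long"
    if not _LOCAL_RE.match(local):
        return False, "local part is not a dotted atom"
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lab) for lab in labels):
        return False, "host part is not a fully qualified host name"
    return True, "ok"


def audit(values: List[str]) -> List[Tuple[str, str]]:
    """Return (value, reason) for every candidate that would be rejected."""
    return [(v, why) for v in values for ok, why in [check_maildrop(v)] if not ok]


# Constructed candidates; none of them are real directory data.
SAMPLE_VALUES = [
    "bbense@networking.stanford.edu",        # accepted
    "first.last+tag@mailhub.example",        # accepted
    "bbense",                                # no host: S5 expects user@host
    "a@mailhub.example,b@mailhub.example",   # two recipients
    "user%other.example@relay.example",      # percent-hack route
    "@relay.example:user@mailhub.example",   # source route
    "<bbense@networking.stanford.edu>",      # angle brackets
    "bbense@localhost",                      # not fully qualified
    "other.example!user@relay.example",      # bang path
]

if __name__ == "__main__":
    for value, reason in audit(SAMPLE_VALUES):
        print("reject %-40s %s" % (value, reason))
```

Reject on the way in rather than trying to sanitise in the ruleset: once a bad value is in the directory, every message for that id is rewritten by it.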
Operational Issues

Speed, Speed, Speed...

This implementation requires two ldap lookups for every message processed. Your ldap server must at a minimum be fast enough to avoid sendmail timeouts. If you plan to use this on a busy mailhub, your queries should be answered at roughly the same speed as DNS queries. We've had pretty good luck using slapd from the Umich ldap3.2 release. It has some memory problems, but Jeff Hodges (http://www.stanford.edu/~hodges) has fixed these in our version of the server. This and other ldap patches are available from the LDAP roadmap (http://www.stanford.edu/group/networking/directory/x500ldapfaq.html). The OpenLDAP (http://www.openldap.org/) group is also working on improving the umich3.3 release.

--------------------------------------------------------------------------------

What happens when ldap breaks?

First, you should have more than one ldap server, and you should include all of your ldap servers in the host list for the -h option. Secondly, the map attempts to be as robust as possible: if the ldap lookup fails to return a result due to network or server problems, the message is queued. This has both good and bad implications. Messages won't be lost, but queues will grow enormously at a reasonably busy site.

Can I use it as an alias file replacement?

There are some hacks you can do with the currently distributed version. This was never my goal, so there is limited support for doing this. Here's an email message that outlines the issues involved.

Further Help

The web page and the source code are free; my time is not. If you are absolutely convinced that my expertise is needed for your problem, I am available at ridiculously expensive consulting rates.

bbense@stanford.edu

I've made some further changes to the ldap_map source code. They have been submitted to sendmail.org, but did not make it into the 8.9.1 release. You can find them here: http://trade.chonbuk.ac.kr/~leesl/mail/ldap

Last modified: Fri Oct 18 12:18:07 PDT 1996
