ldap source: ftp://terminator.rs.itd.umich.edu
ldap explained (ldap.ps.gz): http://trade.chonbuk.ac.kr/~leesl/mail/ldap/ldap.ps.gz
ldap and sendmail: http://www.stanford.edu/~bbense/Inst.html
Using LDAP with sendmail 8.x
Sendmail 8.x (http://www.sendmail.org/) now has the ability to use the LDAP (http://www.stanford.edu/group/networking/directory/x500ldapfaq.html) protocol to do address lookups. I wrote this in order to support campus-wide email addresses at Stanford University (i.e. Booker.Bense@stanford.edu style addressing).
LDAP and release 8.9.2
The ldap map in sendmail 8.9.2 has a bug, so upgrading to 8.9.3 is recommended.
To compile sendmail with LDAP support you need either ldap3.3 from umich (http://www.umich.edu/~rsug/ldap/) or openldap (http://www.openldap.org/). Once the ldap headers and libraries are installed, edit sendmail's Makefile: add -DLDAPMAP to the line that defines MAPDEF= -DNEWDB, and add -lldap to LIBS= -ldb.
Using the Netscape ldap client library
Not supported at present, but sendmail 8.10(?) may support it.
First, decide what kind of delivery you want to use. For example, on a network where IP addresses change daily you would use a maildrop (looked up by mailacceptinggeneralid). For the details, see Jeff Hodges' Internet-Draft (http://trade.chonbuk.ac.kr/~leesl/mail/draft-ietf-asid-email-routing-su-00.shtml).
A maildrop entry consists of an id and the mail address to which you want that id's email delivered. For example:
We use a special algorithm to convert arbitrary strings to generalid form, and I recommend that you consider using one as well. (-DSUNET_ID enables this algorithm in the ldap map; see sunet_id_hash in map.c if you are interested.)
Maildrop is a recipient mail address as defined by RFC 822. For example:
In sendmail.cf the map is declared as follows:
Kluser ldapx -b"ou=People, o=Stanford University, c=US" -h"localhost directory-a.stanford.edu directory-b.stanford.edu directory-c.stanford.edu" -k"mailacceptinggeneralid=%s" -v maildrop
Quite a mouthful, eh? This map type supports all of the standard sendmail map arguments, plus most of the command line arguments of ldapsearch (http://www.umich.edu/cgi-bin/ldapman?1+ldapsearch). If you are not familiar with ldapsearch, stop now and go read its man page. If you still have questions, READ THE SOURCE. In general sendmail is one of the most readable and internally documented programs on the net.
This map is also slightly different from the other sendmail maps in that it supports quoted strings. The strings MUST BE DOUBLE-QUOTED. ldap options and sendmail map options have totally different parsing rules. Any "ldap-style" option value must be double-quoted and must follow immediately after the option letter (no space between the option and the quote).
For most applications the four options above are all you should need. Here they are in more detail.
-b"ldap search base"
This is the "directory" in your ldap "tree" that the search starts from.
-h"ldap host list"
This is a space separated string of servers that support ldap at your site. The ldap libraries will attempt to connect to these machines in the order that they are listed.
-k"ldap search string"
This is a "sprintf" style string that defines how the map takes its input value and constructs an ldap search. It MUST be of the form "attribute=%s". Together with the base above it should define a search that returns AT MOST ONE ENTRY: the ldap map only uses the first entry it receives, so if two entries match, which one wins depends on the order the server returns them.
-v"ldap attribute"
The attribute whose value replaces the original key string in the map. In most cases this will be an rfc822 email address.
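To make the option rules above concrete, here is an added Python model (not sendmail's code) of how the K line is read and what one lookup does: the quoted-string parsing, the "attribute=%s" filter, the search base, and the first-entry-only behaviour. The K line is the one from this page; the regexes, the filter escaping, and the sample directory entries are assumptions made for this example. Whether the sendmail map of this era escaped the key is not something the page says; the example escapes filter metacharacters regardless, so a key such as "*" cannot turn into a wildcard search.

```python
import re

# Added example (not sendmail's code): a model of how the ldapx map line above is read and
# how one lookup behaves. The K line is the page's; the regexes, the escaping and the sample
# directory are assumptions made for this example.
K_LINE = ('Kluser ldapx -b"ou=People, o=Stanford University, c=US" '
          '-h"localhost directory-a.stanford.edu directory-b.stanford.edu directory-c.stanford.edu" '
          '-k"mailacceptinggeneralid=%s" -v maildrop')

# Option syntax as described above: a double-quoted ldap-style value must follow the option
# letter with no space; a bare sendmail-style value may follow after whitespace.
_OPT_RE = re.compile(r'-([A-Za-z])(?:"([^"]*)"|\s+([^\s"-]\S*))?')

def parse_k_line(line):
    """Return (map name, map class, {option letter: value}) for a sendmail K line."""
    m = re.match(r'K(\S+)\s+(\S+)\s*(.*)$', line)
    if not m:
        raise ValueError("not a K line")
    name, map_class, rest = m.groups()
    opts = {letter: quoted or bare for letter, quoted, bare in _OPT_RE.findall(rest)}
    return name, map_class, opts

# Filter metacharacters escaped RFC 4515 style (an assumption of this example, not something
# the page describes) so that a key like "*" stays a literal rather than becoming a wildcard.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_filter(template, key):
    """Substitute the key into the -k template. The page requires the template to be attribute=%s."""
    if template.count("%s") != 1 or "=" not in template:
        raise ValueError('-k must be of the form "attribute=%s"')
    return "(" + template.replace("%s", "".join(_ESCAPE.get(c, c) for c in key)) + ")"

# Constructed sample directory (invented DNs and values). Attribute names are stored lowercase.
BASE = "ou=People, o=Stanford University, c=US"
DIRECTORY = [
    {"dn": "uid=bbense, " + BASE,
     "mailacceptinggeneralid": ["Booker.Bense"], "maildrop": ["bbense@leland.stanford.edu"]},
    {"dn": "uid=jdoe, " + BASE,
     "mailacceptinggeneralid": ["Jane.Doe", "J.Doe"], "maildrop": ["jdoe@mailhub.example.edu"]},
    {"dn": "uid=jdoe2, " + BASE,
     "mailacceptinggeneralid": ["J.Doe"], "maildrop": ["jdoe2@mailhub.example.edu"]},
    {"dn": "cn=Not A Person, ou=Groups, o=Stanford University, c=US",
     "mailacceptinggeneralid": ["Booker.Bense"], "maildrop": ["outside-the-base@example.edu"]},
]

_FILTER_RE = re.compile(r'^\(([^=]+)=(.*)\)$')

def _unescape(value):
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)

def search(opts, key, directory=DIRECTORY):
    """All entries under the -b base matching the -k filter (equality, case-insensitive as for
    caseIgnore attributes; a bare * is the LDAP presence filter)."""
    attr, value = _FILTER_RE.match(ldap_filter(opts["k"], key)).groups()
    attr = attr.lower()
    hits = []
    for entry in directory:
        if not entry["dn"].lower().endswith(opts["b"].lower()):
            continue  # outside the search base
        values = entry.get(attr, [])
        if value == "*" and values:
            hits.append(entry)
        elif any(v.lower() == _unescape(value).lower() for v in values):
            hits.append(entry)
    return hits

def map_lookup(opts, key, directory=DIRECTORY):
    """One ldapx lookup: the -v attribute of the FIRST matching entry, or None. The page warns
    that the map uses only the first entry, so a key matching two entries is ambiguous."""
    hits = search(opts, key, directory)
    if not hits:
        return None
    return hits[0].get(opts["v"].lower(), [None])[0]

if __name__ == "__main__":
    _, _, OPTS = parse_k_line(K_LINE)
    print(map_lookup(OPTS, "Booker.Bense"))   # bbense@leland.stanford.edu
    print(len(search(OPTS, "J.Doe")))         # 2: ambiguous, only the first is used
    print(map_lookup(OPTS, "*"))              # None: the * was escaped, not a wildcard
```

The "J.Doe" case is the situation the -k description warns about: two entries match, the map silently takes the first, and which one that is depends on the server. Keep the generalid attribute unique in the directory rather than relying on the map to notice.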
Once you've defined the map, you need to use it. At Stanford we use the map in the S5 ruleset. All addresses that look like "local" email addresses are passed through the S5 ruleset before they are bounced. I chose to implement the addressing this way so that any local aliases or usernames will override the ldap entries. Here's what our S5 looks like (LHS, RHS and comment are tab-separated, as sendmail.cf requires):
# deal with plussed users so aliases work nicely
R$+ + *		$#local $@ $&h $: $1
R$+ + $*	$#local $@ $2 $: $1 + *
# prepend an empty "forward host" on the front
R$+		$: < > $1
# send unrecognized local users to a relay host
R< > $+ + $*	$: < $L . > $( user $1 $) + $2
R< > $+		$: < $L . > $( user $1 $)	look up user
R< $* > $+ <> $*	$: < > $2 $3			found; strip $L
R< $* . > $+	$: < $1 > $2			strip extra dot
# Now attempt to lookup in luser (ldap map)
R< $L > $+	$: < $L > $( luser $1 $)
R< $* > $+ @ $+	$: < $3 > $2			Rewrite if forward
The important thing to note here is that this code assumes the map returns an address that looks like someone@something: the last rule shown pastes the map's output straight into the recipient address. You need to be very careful about what you allow users to put in the directory as their mail drop, because whatever they can write there becomes part of your routing.
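The caveat above is easiest to enforce before a value ever reaches the directory. The following is an added Python example (not the page's code): a check that accepts only a single bare local-part@domain addr-spec, plus a simplified model of the ruleset's precedence (passwd users first, then the ldap map, then the relay host) that rejects a maildrop failing the check instead of rewriting it into the recipient. The sample passwd users, directory entries, relay host, and the dotted-domain and allowed-domain policy are all invented for this example.

```python
import re

# Added example (not the page's code): a check to run on a maildrop value before it is
# written to the directory, and a simplified model of the S5 precedence above. The
# sample passwd users, directory entries and relay host are invented.

# RFC 822 addr-spec restricted to dot-atom local parts: no quoted strings, comments,
# routes or angle brackets, since someone@something is the only shape the last rule rewrites.
# Requiring a dotted domain is a policy choice for this example.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_SPEC = re.compile(rf"^{_ATOM}(?:\.{_ATOM})*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

def check_maildrop(value, allowed_domains=None):
    """Return (ok, reason). allowed_domains, if given, is a set of lowercase domains the
    site permits as mail drops (another policy choice for this example)."""
    if not value:
        return False, "empty"
    if any(not (0x21 <= ord(c) <= 0x7e) for c in value):
        return False, "whitespace, control or non-ASCII character"
    if value.count("@") != 1:
        return False, "exactly one @ required"
    if not _ADDR_SPEC.match(value):
        return False, "not a plain local-part@domain addr-spec"
    domain = value.rsplit("@", 1)[1].lower()
    if allowed_domains is not None and domain not in allowed_domains:
        return False, "domain not permitted as a mail drop"
    return True, ""

# Constructed sample data: passwd users, ldap entries keyed by mailacceptinggeneralid, and $L.
PASSWD_USERS = {"root", "postmaster", "bbense"}
LDAP_ENTRIES = {
    "booker.bense": "bbense@leland.stanford.edu",
    "postmaster": "someone@elsewhere.example",              # shadowed by the passwd entry
    "mallory.m": "m@evil.example, postmaster@example.edu",  # a value the last rule must never see
}
RELAY_HOST = "mailhub.example.edu"  # stands in for $L

def resolve(address, passwd=PASSWD_USERS, ldap=LDAP_ENTRIES, relay=RELAY_HOST):
    """Simplified model of the ruleset's precedence: plussed detail is stripped, a passwd user
    is delivered locally, otherwise the ldap map is consulted, otherwise the relay host gets
    the mail. Unlike the ruleset, a maildrop that fails check_maildrop is rejected rather
    than rewritten into the recipient address."""
    base = address.split("+", 1)[0]
    if base in passwd:
        return ("local", base)
    maildrop = ldap.get(base.lower())
    if maildrop is None:
        return ("relay", f"{base}@{relay}")
    ok, reason = check_maildrop(maildrop)
    if not ok:
        return ("reject", reason)
    return ("forward", maildrop)

if __name__ == "__main__":
    for addr in ("postmaster", "bbense+ticket42", "Booker.Bense", "nobody", "mallory.m"):
        print(addr, "->", resolve(addr))
```

The "postmaster" case shows the override the text describes: the passwd entry wins even though the directory also has a postmaster entry pointing elsewhere. The "mallory.m" value is the kind of thing the ruleset itself cannot defend against, which is why the check belongs at directory-update time.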
Speed, Speed, Speed...
This implementation requires two ldap lookups for every message processed. At a minimum, your ldap server must be fast enough to avoid sendmail timeouts. If you plan to use this on a busy mailhub, your queries should come back at roughly the speed of DNS queries. We've had pretty good luck using slapd from the Umich ldap3.2 release. It has some memory problems, but Jeff Hodges (http://www.stanford.edu/~hodges) has fixed these in our version of the server. This and other ldap patches are available from the LDAP (http://www.stanford.edu/group/networking/directory/x500ldapfaq.html) roadmap. The OpenLDAP (http://www.openldap.org/) group is also working on improving the umich 3.3 release.
What happens when ldap breaks?
First, you should have more than one ldap server, and you should include all of them in the host list for the -h option. Second, the map attempts to be as robust as possible: if the ldap lookup fails to return a result due to network or server problems, the message is queued rather than bounced. This has both good and bad implications. Messages won't be lost, but queues will grow enormously at a reasonably busy site.
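The distinction that matters operationally is between "the directory has no entry" (a normal answer, and the ruleset falls through to the relay host) and "no server answered" (the message sits in the queue). The following is an added Python model (not sendmail's or the ldap library's code) of the -h host list behaviour described here together with the timeout point from the speed section: hosts are tried in the order listed, a slow or dead host is skipped, and only when every host fails is the message queued. Server states, latencies and the timeout value are invented, and whether the real library moves to the next host on a slow reply rather than only on a failed connection is an assumption of this model.

```python
# Added example (not sendmail's or the ldap library's code): a model of the -h host list
# behaviour described above. Server states, latencies and the timeout are invented; moving
# to the next host on a slow reply (not only on a refused connection) is an assumption here.
HOST_LIST = "localhost directory-a.stanford.edu directory-b.stanford.edu directory-c.stanford.edu"

class TempFail(Exception):
    """No server answered: the MTA keeps the message queued and retries later."""

_ENTRIES = {"booker.bense": "bbense@leland.stanford.edu"}  # constructed directory content
SERVERS = {
    "localhost":                {"up": False, "latency": 0.0,  "entries": _ENTRIES},  # slapd not running
    "directory-a.stanford.edu": {"up": True,  "latency": 8.0,  "entries": _ENTRIES},  # answers, but too slowly
    "directory-b.stanford.edu": {"up": True,  "latency": 0.02, "entries": _ENTRIES},
    "directory-c.stanford.edu": {"up": True,  "latency": 0.03, "entries": _ENTRIES},
}

def query(server, key, timeout):
    """One attempt against one server: the maildrop, None when there is no such entry,
    OSError when the server is down or slower than the timeout (seconds)."""
    if not server["up"]:
        raise OSError("connection refused")
    if server["latency"] > timeout:
        raise OSError("timed out")
    return server["entries"].get(key.lower())

def lookup_with_failover(host_list, key, servers=SERVERS, timeout=5.0):
    """Try the hosts in -h order and return (value, hosts_tried) from the first one that
    answers. No entry is a normal answer (value None); only no answer at all is a TempFail."""
    tried = []
    for host in host_list.split():
        tried.append(host)
        try:
            return query(servers[host], key, timeout), tried
        except OSError:
            continue
    raise TempFail(f"no ldap server answered for {key!r} (tried {', '.join(tried)})")

def route(host_list, key, servers=SERVERS, timeout=5.0):
    """What happens to the message: forward to the maildrop, fall through to the relay/bounce
    path when the directory has no entry, or queue when the directory could not be consulted."""
    try:
        value, _ = lookup_with_failover(host_list, key, servers, timeout)
    except TempFail:
        return ("queue", key)
    return ("forward", value) if value is not None else ("relay", key)

if __name__ == "__main__":
    print(lookup_with_failover(HOST_LIST, "Booker.Bense"))   # found on directory-b after two failures
    print(route(HOST_LIST, "nobody"))                        # ('relay', 'nobody'): no entry is not a failure
    all_down = {h: dict(s, up=False) for h, s in SERVERS.items()}
    print(route(HOST_LIST, "Booker.Bense", servers=all_down))  # ('queue', 'Booker.Bense')
```

Note that a server that is up but slower than the MTA's timeout costs you the full timeout on every lookup before the next host is tried, which is the queue-growth scenario described above; watch lookup latency, not just reachability.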
Can I use it as an alias file replacement?
There are some hacks you can do with the currently distributed version. This was never my goal, so there is limited support for doing this. Here's an email message that outlines the issues involved.
The web page and the source code are free, my time is not. If you are absolutely convinced that my expertise is needed for your problem, I am available at ridiculously expensive consulting rates.
I've made some further changes to the ldap_map source code. They have been submitted to sendmail.org, but did not make it into the 8.9.1 release. You can find them here (http://trade.chonbuk.ac.kr/~leesl/mail/ldap).
Last modified: Fri Oct 18 12:18:07 PDT 1996