Recipe 6.3 Reading the access Database via LDAP

Problem

You have been asked to configure sendmail to read the access database from an LDAP server.

Solution

If necessary, recompile and reinstall sendmail to add LDAP support to the sendmail host, and add the sendmail schema to the LDAP configuration on the LDAP server. Both of these steps are shown in Recipe 1.3.

On the LDAP server, enter the access database records in an LDIF file using the sendmailMTAMap object class format defined by the sendmail schema. Use the ldapadd command to store the access records in the LDAP database.

On the sendmail host, add the confLDAP_CLUSTER define and the access_db feature to the sendmail configuration. Set confLDAP_CLUSTER to the same value used for the sendmailMTACluster attribute in the access LDAP records, and add the string LDAP as the second argument of the access_db FEATURE command to tell sendmail to read the access data via LDAP. Here are sample lines that could be added to the sendmail configuration:

 dnl Define the LDAP cluster name
 define(`confLDAP_CLUSTER', `wrotethebook.com')
 dnl Read the access database via LDAP
 FEATURE(`access_db', `LDAP')

Rebuild and reinstall the sendmail.cf file, then restart sendmail. See Recipe 1.8 for an example.

Discussion

The sendmail distribution provides an LDAP schema file that defines the basic attributes needed for sendmail databases and classes. You can, of course, define your own custom schema. However, using the sendmail schema simplifies both the LDAP and the sendmail configuration. The following example uses the sendmail schema to convert the access entries from Recipe 6.1 into LDAP records:

 # cat > ldap-access
 dn: sendmailMTAMapName=access, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAMap
 sendmailMTACluster: wrotethebook.com
 sendmailMTAMapName: access

 dn: sendmailMTAKey=example.com, sendmailMTAMapName=access, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAMap
 objectClass: sendmailMTAMapObject
 sendmailMTAMapName: access
 sendmailMTACluster: wrotethebook.com
 sendmailMTAKey: example.com
 sendmailMTAMapValue: REJECT

 dn: sendmailMTAKey=wrotethebook.net, sendmailMTAMapName=access, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAMap
 objectClass: sendmailMTAMapObject
 sendmailMTAMapName: access
 sendmailMTACluster: wrotethebook.com
 sendmailMTAKey: wrotethebook.net
 sendmailMTAMapValue: ERROR:5.7.1:550 Invalid mail source

 dn: sendmailMTAKey=fake.ora.com, sendmailMTAMapName=access, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAMap
 objectClass: sendmailMTAMapObject
 sendmailMTAMapName: access
 sendmailMTACluster: wrotethebook.com
 sendmailMTAKey: fake.ora.com
 sendmailMTAMapValue: DISCARD
 Ctrl-D
 # ldapadd -x -D "cn=Manager,dc=wrotethebook,dc=com" \
 > -W -f ldap-access
 Enter LDAP Password: SecretLDAPpassword
 adding new entry "sendmailMTAMapName=access, dc=wrotethebook, dc=com"
 adding new entry "sendmailMTAKey=example.com, sendmailMTAMapName=access, dc=wrotethebook, dc=com"
 adding new entry "sendmailMTAKey=wrotethebook.net, sendmailMTAMapName=access, dc=wrotethebook, dc=com"
 adding new entry "sendmailMTAKey=fake.ora.com, sendmailMTAMapName=access, dc=wrotethebook, dc=com"

Four LDAP records are used to add the three access entries from Recipe 6.1. The first record defines the map itself: it carries only the sendmailMTAMapName of the access database and the cluster the map belongs to. The subsequent records are entries under that map; each references the same map name to add one access record to the LDAP database.

The next three LDAP records define the three access entries described in Recipe 6.1. Notice that the sendmailMTAKey and sendmailMTAMapValue attributes of each record match the key/value pairs from the original access entries. By varying the values stored in the sendmailMTAMapName, sendmailMTAKey, and sendmailMTAMapValue attributes, the basic LDAP record format used for the access database can be used for any sendmail database.
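Writing these records by hand is fine for three entries, but a real access database has many more, and its keys and values are not always safe to paste into a DN or an LDIF attribute line. The following POSIX shell script is an added example, not code from the cookbook: it generalizes the conversion shown above by reading any access file of key/value lines and emitting the sendmailMTAMap LDIF for a given base DN, cluster name, and map name, so the same script serves other sendmail maps too. It escapes the characters RFC 4514 treats specially in DN values and base64-encodes values that LDIF cannot carry in plain form, two cases the hand-written LDIF above never hits. The function names, the constructed sample entries in sample_access, and the use of sed(1) and base64(1) are assumptions of the example.

```shell
#!/bin/sh
# Added example: convert sendmail access-file entries into sendmailMTAMap LDIF.
# Usage: access_to_ldif BASE_DN CLUSTER [MAPNAME] < access-file > access.ldif
# Assumptions: the function names, sample data, and sed/base64 availability are ours.

# Escape the DN-special characters (RFC 4514) in a key used as an RDN value.
# Recipe keys such as "Connect:192.168.0" contain none, but a key with a
# comma, quote or leading '#' would otherwise produce a malformed DN.
dn_escape() {
    printf '%s\n' "$1" | sed -e 's/\([,+"\\<>;]\)/\\\1/g' -e 's/^#/\\#/' \
                             -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# Emit "attr: value", or "attr:: base64" when LDIF requires it (value starts
# with a space, ':' or '<', or contains non-printable or 8-bit bytes).
ldif_attr() {
    a_name="$1"; a_val="$2"
    if printf '%s' "$a_val" | LC_ALL=C grep -Eq '^[ :<]|[^ -~]'; then
        printf '%s:: %s\n' "$a_name" "$(printf '%s' "$a_val" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$a_name" "$a_val"
    fi
}

access_to_ldif() {
    base="$1"; cluster="$2"; map="${3:-access}"
    # Map container record: the first record in the recipe's LDIF.
    printf 'dn: sendmailMTAMapName=%s, %s\n' "$map" "$base"
    printf 'objectClass: sendmailMTA\nobjectClass: sendmailMTAMap\n'
    printf 'sendmailMTACluster: %s\nsendmailMTAMapName: %s\n\n' "$cluster" "$map"
    # One sendmailMTAMapObject record per key/value line of the access file.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # strip leading whitespace
        case "$line" in ''|\#*) continue ;; esac      # skip blank and comment lines
        key=${line%%[[:space:]]*}                     # first field is the key
        val=${line#"$key"}
        val=${val#"${val%%[![:space:]]*}"}            # strip leading whitespace
        val=${val%"${val##*[![:space:]]}"}            # strip trailing whitespace
        if [ -z "$val" ]; then
            printf 'access_to_ldif: no value for key %s\n' "$key" >&2
            return 1
        fi
        printf 'dn: sendmailMTAKey=%s, sendmailMTAMapName=%s, %s\n' \
            "$(dn_escape "$key")" "$map" "$base"
        printf 'objectClass: sendmailMTA\nobjectClass: sendmailMTAMap\n'
        printf 'objectClass: sendmailMTAMapObject\n'
        printf 'sendmailMTAMapName: %s\nsendmailMTACluster: %s\n' "$map" "$cluster"
        ldif_attr sendmailMTAKey "$key"
        ldif_attr sendmailMTAMapValue "$val"
        echo
    done
}

# Constructed sample input: the three Recipe 6.1 entries plus a tagged
# Connect: entry, a comment line and a blank line.
sample_access() {
    printf '# constructed sample access file\n'
    printf 'example.com\tREJECT\n'
    printf 'wrotethebook.net\tERROR:5.7.1:550 Invalid mail source\n'
    printf '\n'
    printf 'fake.ora.com\tDISCARD\n'
    printf 'Connect:192.168.12\tRELAY\n'
}

# Stand-alone run: print the LDIF for the sample entries.
sample_access | access_to_ldif 'dc=wrotethebook, dc=com' wrotethebook.com access
```

Feed the output to ldapadd exactly as in the recipe (ldapadd -x -D "cn=Manager,..." -W -f access.ldif). Because the sendmailMTAKey attribute is stored unescaped while only the RDN in the dn line is escaped, a lookup for the raw key still matches; keep it that way, since sendmail searches on the attribute, not the DN.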

After the records in the LDIF file have been added to the LDAP database, they can be examined using ldapsearch:

 # ldapsearch -LLL -x '(sendmailMTAMapName=access)' sendmailMTAMapValue
 dn: sendmailMTAMapName=access, dc=wrotethebook, dc=com

 dn: sendmailMTAKey=example.com, sendmailMTAMapName=access, dc=wrotethebook, dc=com
 sendmailMTAMapValue: REJECT

 dn: sendmailMTAKey=wrotethebook.net, sendmailMTAMapName=access, dc=wrotethebook, dc=com
 sendmailMTAMapValue: ERROR:5.7.1:550 Invalid mail source

 dn: sendmailMTAKey=fake.ora.com, sendmailMTAMapName=access, dc=wrotethebook, dc=com
 sendmailMTAMapValue: DISCARD

This test shows that the access database records are available from the LDAP server. If your ldapsearch test only succeeds with explicit -h (server host) and -b (search base) values, sendmail will need those same values; set them with the confLDAP_DEFAULT_SPEC define, as shown in Recipe 5.9. Note also that the search above binds anonymously (-x with no -D), so anyone who can reach the server can read your mail policy; more importantly, whoever can modify sendmailMTAMapValue can turn a REJECT into a RELAY, so the directory ACLs must limit write access to the sendmailMTAMap entries as tightly as you limit write access to the local access file.

Now, sendmail needs to be configured to use the LDAP server. First, the confLDAP_CLUSTER define is added to the sendmail configuration to tell sendmail the LDAP cluster name. The sendmail schema allows for records that apply to a single host or to a group of hosts, called a cluster. Records that apply to a single host use the sendmailMTAHost attribute; sendmail retrieves such a record only if the value of that attribute is the fully qualified name of the sendmail host. Records that apply to a group of hosts use the sendmailMTACluster attribute, and to retrieve them sendmail must be configured with the cluster name. That is exactly what this recipe does: it defines the LDAP access records with the sendmailMTACluster attribute and informs sendmail of the cluster name with the confLDAP_CLUSTER define. A record whose cluster name does not match, or whose host name is not this host's fully qualified name, is silently ignored, so a typo in either value makes the access database appear empty rather than producing an error.

Adding the LDAP argument to the access_db FEATURE command tells sendmail to read the access database from the LDAP server using the standard sendmail schema. If you define a custom schema, you must tell sendmail how to use it to retrieve access records. For example:

 FEATURE(`access_db', `ldap: -1 -k (&(objectClass=OurAccessDB)(OurAccessDBKey=%0)) -v OurAccessDBValue')

The attribute names in the sample are placeholders, but the format of the FEATURE command is the one you would need in order to retrieve access data using a custom LDAP schema. The -k option defines the LDAP search filter used to look up a database key; %0 is replaced by the key sendmail is looking up, and the attributes used in the filter must match the attributes defined in your schema. The -v option specifies the LDAP attribute that contains the return value, which again must match your custom schema. The -1 option makes the lookup fail unless the search returns exactly one entry, so a stray duplicate record cannot return an ambiguous policy. Using the default sendmail schema avoids all of this. Simply use the LDAP string in the access_db FEATURE command, as shown in the Solution section.

A few tests, run after this recipe is installed, show that sendmail is reading the LDAP data. First, run a sendmail -bt test and use the /map command to retrieve an access record from the LDAP server:

 # sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > /map access fake.ora.com
 map_lookup: access (fake.ora.com) returns DISCARD (0)
 > /quit

This test shows that the access database functions in the same manner whether it is read from a local database or from an LDAP server. Rerunning the test used in Recipe 6.1 shows that sendmail blocks mail using LDAP exactly as it did using a local access database:

 # sendmail -bs
 220 rodent.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Thu, 27 Mar 2003 12:42:41 -0500
 MAIL From:<crooks@example.com>
 550 5.7.1 <crooks@example.com>... Access denied
 MAIL From:<thieves@wrotethebook.net>
 550 5.7.1 <thieves@wrotethebook.net>... Invalid mail source
 QUIT
 221 2.0.0 rodent.wrotethebook.com closing connection

LDAP does not change the way sendmail works. The decision to use LDAP is not driven by anything sendmail needs; it is driven by how you already manage configuration data. If you already use LDAP to centralize the management of information, you may choose to add sendmail configuration data to your LDAP server.

See Also

Recipe 6.1 and Recipe 6.2 explain how the access database is used to control spam; in particular, Recipe 6.1 explains the specific access database entries used for this recipe. The cf/README file covers this topic in the Using LDAP for Aliases, Maps, and Classes section. The sendmail book covers the access_db feature in Section 7.5 and the confLDAP_CLUSTER define in Section 21.9.82.


sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt