Recipe 2.3 Reading Aliases via LDAP

Problem

When your organization stores aliases on an LDAP server, you need to configure sendmail to read aliases from the LDAP server.

Solution

Use sendmail -bt -d0.1 < /dev/null to display the options sendmail was compiled with; LDAPMAP must appear in the "Compiled with:" list. If sendmail was not compiled with LDAP support, recompile and reinstall sendmail as described in Recipe 1.3.

If the LDAP server has not yet been configured to support sendmail queries, copy the sendmail.schema file to the appropriate location on the LDAP server and update the server configuration to use the schema file. Recipe 1.3 covers the necessary LDAP server configuration.

Once the LDAP server is configured to support the sendmail schema, add sendmail aliases to the LDAP database using the format defined by that schema. When OpenLDAP is used, this is done by first creating an LDIF file containing the LDAP records and then running ldapadd to add these records to the LDAP database. The Discussion section shows an example of doing this for alias records.

On the sendmail system, add an ALIAS_FILE define containing the string ldap: to the sendmail configuration. Also add a confLDAP_CLUSTER define whose value is the same as the sendmailMTACluster attribute used in the entries added to the LDAP server. Here is an example of these configuration commands:

 # Set the LDAP cluster value
 define(`confLDAP_CLUSTER', `wrotethebook.com')
 # Tell sendmail that aliases are available via LDAP
 define(`ALIAS_FILE', `ldap:')

Build the sendmail configuration file, copy it to /etc/mail/sendmail.cf, and restart sendmail with the new configuration, as described in Recipe 1.8.

Discussion

This recipe provides instructions for both the sendmail administrator and the LDAP administrator because the LDAP server must be properly installed, configured, and running, and it must include the sendmail schema in order to understand and properly process queries from sendmail. Nothing in this recipe will work without the close cooperation of the LDAP administrator. In fact, the bulk of the configuration takes place on the LDAP server. Because these entries decide where mail for root and postmaster is delivered, the LDAP administrator should also restrict write access to them with the server's access controls: anyone who can change a sendmailMTAAliasValue attribute can redirect that mail. You should have some experience with LDAP before attempting to use it with sendmail.

To add sendmail aliases to the LDAP database, start by building an LDIF file formatted according to the sendmail schema. Records in an LDIF file are separated by blank lines. Here is an example that adds the mailer-daemon, postmaster, and root aliases from Recipe 2.2 to the LDAP database:

 # cat > ldap-aliases
 dn: sendmailMTAKey=mailer-daemon, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAAlias
 objectClass: sendmailMTAAliasObject
 sendmailMTAAliasGrouping: aliases
 sendmailMTACluster: wrotethebook.com
 sendmailMTAKey: mailer-daemon
 sendmailMTAAliasValue: postmaster

 dn: sendmailMTAKey=postmaster, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAAlias
 objectClass: sendmailMTAAliasObject
 sendmailMTAAliasGrouping: aliases
 sendmailMTACluster: wrotethebook.com
 sendmailMTAKey: postmaster
 sendmailMTAAliasValue: root

 dn: sendmailMTAKey=root, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAAlias
 objectClass: sendmailMTAAliasObject
 sendmailMTAAliasGrouping: aliases
 sendmailMTACluster: wrotethebook.com
 sendmailMTAKey: root
 sendmailMTAAliasValue: logan
 Ctrl-D
 # ldapadd -x -D "cn=Manager,dc=wrotethebook,dc=com" \
 > -W -f ldap-aliases
 Enter LDAP Password: SecretLDAPpassword
 adding new entry "sendmailMTAKey=mailer-daemon, dc=wrotethebook, dc=com"
 adding new entry "sendmailMTAKey=postmaster, dc=wrotethebook, dc=com"
 adding new entry "sendmailMTAKey=root, dc=wrotethebook, dc=com"

The example just shown names the LDIF file ldap-aliases. Running the ldapadd command adds these entries to the LDAP database. Note that -x with -D and -W is a simple bind, which sends the manager password in the clear unless the connection is protected by TLS; on OpenLDAP, adding -ZZ makes ldapadd insist on StartTLS before binding. A quick check with the ldapsearch command shows the newly added records:
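Writing LDIF by hand is fine for three aliases; for a whole /etc/aliases file it is error-prone. The following script is an added example and is not part of the sendmail Cookbook: it converts an /etc/aliases-style file (comments, blank lines, and indented continuation lines included) into LDIF records in the sendmail schema, so the entire file can be loaded with one ldapadd. It also generates the per-host form (sendmailMTAHost instead of sendmailMTACluster) that the Discussion describes later, when a third argument is given. The base DN and cluster name are assumptions taken from the recipe's examples; the alias right-hand side is kept verbatim in a single sendmailMTAAliasValue, exactly as it appeared in /etc/aliases.

```shell
#!/bin/sh
# Added example, not from the sendmail Cookbook: turn an /etc/aliases-style
# file into LDIF records in the sendmail schema. The base DN and cluster
# name used in the comments below are assumptions from the recipe.

# aliases_to_ldif BASE_DN CLUSTER [HOST]  < aliases  > aliases.ldif
# With three arguments the records carry sendmailMTAHost=HOST (per-host
# entries) instead of sendmailMTACluster=CLUSTER.
aliases_to_ldif() {
    awk -v base="$1" -v cluster="$2" -v host="$3" '
    function emit(key, value) {
        if (key == "") return
        # The key becomes part of the DN. Refuse names that would need
        # DN escaping instead of emitting a record ldapadd may misparse.
        if (key !~ /^[A-Za-z0-9._-]+$/) {
            printf("skipping alias with DN-unsafe name: %s\n", key) > "/dev/stderr"
            return
        }
        printf("dn: sendmailMTAKey=%s,%s\n", key, base)
        print "objectClass: sendmailMTA"
        print "objectClass: sendmailMTAAlias"
        print "objectClass: sendmailMTAAliasObject"
        print "sendmailMTAAliasGrouping: aliases"
        if (host != "") printf("sendmailMTAHost: %s\n", host)
        else            printf("sendmailMTACluster: %s\n", cluster)
        printf("sendmailMTAKey: %s\n", key)
        # Right-hand side kept verbatim, commas included, as in /etc/aliases.
        printf("sendmailMTAAliasValue: %s\n\n", value)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    /^[ \t]/ {                                      # continuation line
        sub(/^[ \t]+/, ""); value = value " " $0; next
    }
    {
        emit(key, value)                            # flush the previous alias
        pos = index($0, ":")
        if (pos == 0) {
            printf("malformed line: %s\n", $0) > "/dev/stderr"
            key = ""; value = ""; next
        }
        key = substr($0, 1, pos - 1); value = substr($0, pos + 1)
        sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
    }
    END { emit(key, value) }
    '
}

# Usage when run as a script (DN, cluster and file names are assumptions):
#   sh aliases_to_ldif.sh dc=wrotethebook,dc=com wrotethebook.com < /etc/aliases > aliases.ldif
#   ldapadd -x -ZZ -D "cn=Manager,dc=wrotethebook,dc=com" -W -f aliases.ldif
# -ZZ makes ldapadd insist on StartTLS, so the manager password used for
# the simple bind is not sent in the clear.
if [ "$#" -ge 2 ]; then
    aliases_to_ldif "$@"
fi
```

Keys that would need DN escaping (anything outside letters, digits, dot, underscore and hyphen) are reported on stderr and skipped rather than silently written into a DN that the server may reject or misparse; review those by hand.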

 # ldapsearch -x '(objectclass=sendmailMTAAlias)' \
 > sendmailMTAKey sendmailMTAAliasValue
 version: 2

 #
 # filter: (objectclass=sendmailMTAAlias)
 # requesting: sendmailMTAKey sendmailMTAAliasValue
 #

 # mailer-daemon, wrotethebook, com
 dn: sendmailMTAKey=mailer-daemon, dc=wrotethebook, dc=com
 sendmailMTAKey: mailer-daemon
 sendmailMTAAliasValue: postmaster

 # postmaster, wrotethebook, com
 dn: sendmailMTAKey=postmaster, dc=wrotethebook, dc=com
 sendmailMTAKey: postmaster
 sendmailMTAAliasValue: root

 # root, wrotethebook, com
 dn: sendmailMTAKey=root, dc=wrotethebook, dc=com
 sendmailMTAKey: root
 sendmailMTAAliasValue: logan

 # search result
 search: 2
 result: 0 Success

 # numResponses: 4
 # numEntries: 3

Notice that this ldapsearch command works without either an -h or a -b argument. (-h defines the LDAP server name and -b defines the LDAP default base distinguished name; recent OpenLDAP client tools prefer -H ldap://hostname to -h.) This test works without these arguments because the correct LDAP server hostname and base distinguished name are defined in the ldap.conf file. If those ldap.conf values are not correct for the sendmail query, provide the correct -h and -b values on the ldapsearch command line. If you must provide -h and -b values to ldapsearch to successfully run this test, the sendmail administrator must provide the same values to sendmail. Use the confLDAP_DEFAULT_SPEC define to set -h and -b values for sendmail. See Recipe 5.9 for an example of how confLDAP_DEFAULT_SPEC is used. Note also that this test uses an anonymous simple bind (-x without -D), which is what sendmail uses unless confLDAP_DEFAULT_SPEC supplies bind credentials, so the alias entries must be readable by whatever identity sendmail binds as.

The ldapsearch test shows that the LDAP server is now ready to answer sendmail's queries for aliases. sendmail must also be properly prepared to work with LDAP. sendmail must be compiled with LDAP support, as described in Recipe 1.3, and it must have the correct configuration. In most cases, adding two defines to a basic sendmail configuration is all that is required to configure sendmail to read aliases via LDAP. The two defines are:

 define(`confLDAP_CLUSTER', `wrotethebook.com')
 define(`ALIAS_FILE', `ldap:')

ALIAS_FILE defines the location of the aliases database. Instead of providing a file path as the argument for the ALIAS_FILE define, the example provides the string ldap:, which tells sendmail to read aliases from the LDAP server using the standard sendmail schema. The ALIAS_FILE define just shown is equivalent to:

 define(`ALIAS_FILE', `ldap: -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAKey=%0)) -v sendmailMTAAliasValue')

The expanded command shows the search key, which is defined by the -k argument, and the return value, which is defined by the -v argument. The return value is easy to understand: it is the value stored in the sendmailMTAAliasValue attribute. The search key is more complex; however, it uses the same search filter syntax as the ldapsearch command, which is something all LDAP administrators are familiar with. The outer (&...) requires every clause to match, and the inner (|...) clause matches if either of its two alternatives does. The tricky part is that the key combines basic LDAP search criteria with sendmail macros. ${sendmailMTACluster} holds the value defined by confLDAP_CLUSTER in the master configuration file. $j returns the fully qualified name of the local host. %0 is the alias for which sendmail is searching. Put all together, this key searches for a record with:

  • An objectClass of sendmailMTAAliasObject

  • A sendmailMTAAliasGrouping of aliases

  • Either a sendmailMTACluster matching the value defined by confLDAP_CLUSTER or a sendmailMTAHost attribute containing the name of the local host

  • A sendmailMTAKey matching the desired alias

The effect of the search key can be easily simulated using the ldapsearch command. The filter must be passed as a single argument, so it is quoted as one string:

 # ldapsearch -LLL -x '(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=wrotethebook.com)(sendmailMTAHost=rodent.wrotethebook.com))(sendmailMTAKey=postmaster))' sendmailMTAAliasValue
 dn: sendmailMTAKey=postmaster, dc=wrotethebook, dc=com
 sendmailMTAAliasValue: root

This ldapsearch command shows the key that sendmail would use to look up the postmaster alias when running on a host named rodent.wrotethebook.com with confLDAP_CLUSTER defined as wrotethebook.com. The value returned is root.
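Typing that filter by hand for every alias is tedious, and it is easy to get the host, cluster or parentheses wrong. The script below is an added example, not code from the sendmail Cookbook: it builds the same filter sendmail uses from a host name, cluster name and alias, escapes the alias per RFC 4515 so that a name containing *, ( ) or \ cannot change the filter's structure, and runs ldapsearch with it, failing when the number of matching entries is not exactly one (no entry means sendmail would fall back to treating the name as a local user; more than one means the directory is ambiguous). The host and cluster values are assumptions from the recipe; any -H or -b options sendmail needs through confLDAP_DEFAULT_SPEC are passed through to ldapsearch.

```shell
#!/bin/sh
# Added example, not from the sendmail Cookbook: reproduce the alias
# search sendmail performs so the LDAP side can be verified before cutover.
# Host and cluster names used below are assumptions from the recipe.

# Escape a value for use inside an LDAP search filter (RFC 4515). Shell
# strings cannot carry NUL, so only \ * ( ) need handling here; the
# backslash must be replaced first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# sendmail_alias_filter HOST CLUSTER KEY
# The filter from the expanded ALIAS_FILE define with $j,
# ${sendmailMTACluster} and %0 filled in.
sendmail_alias_filter() {
    printf '(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=%s)(sendmailMTAHost=%s))(sendmailMTAKey=%s))' \
        "$(ldap_filter_escape "$2")" "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$3")"
}

# lookup_alias HOST CLUSTER KEY [ldapsearch options, e.g. -H ldap://server -b base]
# Prints the alias value(s). Returns 1 if ldapsearch fails or the number
# of matching entries is not exactly one.
lookup_alias() {
    host=$1; cluster=$2; key=$3; shift 3
    result=$(ldapsearch -LLL -x "$@" \
                 "$(sendmail_alias_filter "$host" "$cluster" "$key")" \
                 sendmailMTAAliasValue) || return 1
    n=$(printf '%s\n' "$result" | grep -c '^dn:' || true)
    if [ "$n" -ne 1 ]; then
        echo "alias $key: expected 1 entry, found $n" >&2
        return 1
    fi
    printf '%s\n' "$result" | sed -n 's/^sendmailMTAAliasValue: //p'
}

# Usage when run as a script:  sh lookup_alias.sh postmaster [ldapsearch options]
# hostname -f stands in for sendmail's $j on this host (an assumption).
if [ "$#" -ge 1 ]; then
    lookup_alias "$(hostname -f)" wrotethebook.com "$@"
fi
```

Run it once per alias you expect to resolve, with the same -H and -b values you intend to put in confLDAP_DEFAULT_SPEC, before switching ALIAS_FILE to ldap:; a non-zero exit from any of them is a misconfigured directory rather than a sendmail problem.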

This recipe uses the confLDAP_CLUSTER define to set a value for ${sendmailMTACluster} because all of the entries added to the LDAP database in this recipe contain a sendmailMTACluster attribute. In order to match those LDAP records, sendmail queries must contain the correct ${sendmailMTACluster} value.

The alternative to using a cluster value is to have LDAP database entries defined for individual hosts. In that case, the LDAP entry does not use the sendmailMTACluster attribute. Instead, it uses the sendmailMTAHost attribute, and the value assigned to the attribute is the fully qualified hostname of a specific host. If you decide to create LDAP entries for individual hosts, the sendmailMTAHost attribute must be specified in each LDAP entry, but no special host value needs to be configured for sendmail because sendmail uses the value in $j. When the sendmailMTACluster attribute is not used on the LDAP records, the confLDAP_CLUSTER define is not required for the sendmail configuration. However, when the confLDAP_CLUSTER define is not used, sendmail can retrieve only those LDAP records whose sendmailMTAHost attribute matches the value returned by $j.

The cluster value provides a way for a group of hosts to share common LDAP data. It is similar to a NIS domain. The sample confLDAP_CLUSTER define uses the DNS domain name as the cluster value. However, the cluster value is arbitrary and does not need to be a NIS or DNS domain name.

After configuring the LDAP server and the sendmail system, a test shows that aliases are successfully retrieved from the LDAP server. The effect of the aliases can be seen using the sendmail -bv command:

 # sendmail -bv -Cgeneric-linux.cf mailer-daemon
 root... deliverable: mailer local, user root
 # sendmail -bv mailer-daemon
 logan... deliverable: mailer local, user logan

This test shows the LDAP server in action. When the first test is run using the generic configuration, the mailer-daemon alias is resolved using the local aliases database because the generic configuration does not override the default ALIAS_FILE path. The second test uses the sendmail configuration created in this recipe, which points to the LDAP server. The mailer-daemon alias is resolved using the three records added to the LDAP database earlier in this section.

See Also

Refer to the other recipes in this chapter for descriptions of the various alias formats, all of which can be read from an LDAP server. For information on LDAP, see Understanding and Deploying LDAP Directory Services by Howes, Smith, and Good (Macmillan) and LDAP System Administration by Gerald Carter (O'Reilly). The cf/README file covers this topic in the Using LDAP for Aliases, Maps, and Classes section. The sendmail book covers the ALIAS_FILE define in Section 24.9.1 and the confLDAP_CLUSTER define in Section 21.9.82.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt
