Recipe 3.9 Loading Class $=R via LDAP

Problem

You have been asked to configure sendmail to read the names of hosts and domains that are granted relaying privileges from an LDAP server.

Solution

On the LDAP server, add support for the sendmail schema as described in Recipe 1.3. Note that this only needs to be done once.

On the LDAP server, add to the LDAP database the names of the hosts and domains that are allowed to relay. Use the sendmailMTAClass object class format defined in the sendmail.schema file. The Discussion section shows an example doing this on a server that runs OpenLDAP.

On the mail relay host, use the command sendmail -bt -d0.1 to check if sendmail was compiled with LDAP support. The string LDAPMAP must appear in the "Compiled with:" list. If sendmail was not compiled with LDAP support, recompile and reinstall sendmail as shown in Recipe 1.3. Once sendmail supports LDAP, continue with the next steps.

On the mail relay host, add a RELAY_DOMAIN_FILE macro to the sendmail configuration, specifying @LDAP as the relay domain file path. This tells sendmail to read class $=R values from the LDAP server using the standard sendmail schema. Use the confLDAP_CLUSTER define to set the ${sendmailMTACluster} macro to the same value used in the sendmailMTACluster attribute of the LDAP entry. Here are sample sendmail configuration commands:

 dnl Set the LDAP cluster value
 define(`confLDAP_CLUSTER', `wrotethebook.com')
 dnl Tell sendmail to load $=R via LDAP
 RELAY_DOMAIN_FILE(`@LDAP')

Build the configuration file, copy it to /etc/mail/sendmail.cf , and restart sendmail with the new configuration, as described in Recipe 1.8.

Discussion

This recipe assumes that LDAP is properly installed and running. This is not the place to start experimenting with LDAP. Both LDAP and sendmail are large, complex systems. You should have some experience with LDAP before attempting to use it with sendmail.

The sendmail.schema file that comes with the sendmail distribution must be included in the LDAP configuration in order for LDAP to understand and properly process queries from sendmail. [4] The LDAP administrator must ensure that LDAP is ready to work with sendmail's standard schema before adding sendmail data to the LDAP database.

[4] You can, of course, design your own schema. But that is not a topic for a sendmail book.

The LDAP administrator builds an LDIF file using the sendmail schema to define the list of hosts granted relay privileges and then runs ldapadd to add the contents of the LDIF file to the LDAP database. Here is an example that adds all of the hostnames from the relay-domains file used in Recipe 3.7:

 # cat > ldap-relay-domains
 dn: sendmailMTAClassName=R, dc=wrotethebook, dc=com
 objectClass: sendmailMTA
 objectClass: sendmailMTAClass
 sendmailMTACluster: wrotethebook.com
 sendmailMTAClassName: R
 sendmailMTAClassValue: rodent.wrotethebook.com
 sendmailMTAClassValue: horseshoe.wrotethebook.com
 sendmailMTAClassValue: jamis.wrotethebook.com
 sendmailMTAClassValue: tcp.ora.com
 sendmailMTAClassValue: chill.sybex.com
 sendmailMTAClassValue: wrotethebook.com
 Ctrl-D
 # ldapadd -x -D "cn=Manager,dc=wrotethebook,dc=com" \
 > -W -f ldap-relay-domains
 Enter LDAP Password: SecretLDAPpassword
 adding new entry "sendmailMTAClassName=R, dc=wrotethebook, dc=com"

An ldapsearch test shows the data in the LDAP database: [5]

[5] If ldapsearch requires -h and -b arguments, matching values will also be required by sendmail. See Recipe 5.9 for an example of setting -h and -b for sendmail.

 # ldapsearch -LLL -x '(sendmailMTAClassName=R)' sendmailMTAClassValue
 dn: sendmailMTAClassName=R, dc=wrotethebook, dc=com
 sendmailMTAClassValue: rodent.wrotethebook.com
 sendmailMTAClassValue: horseshoe.wrotethebook.com
 sendmailMTAClassValue: jamis.wrotethebook.com
 sendmailMTAClassValue: tcp.ora.com
 sendmailMTAClassValue: chill.sybex.com
 sendmailMTAClassValue: wrotethebook.com
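The recipe types the LDIF entry by hand. The following shell script, added here as an example and not part of the sendmail Cookbook, generates the same entry from an existing relay-domains file so that the file and the directory cannot drift apart, and it refuses entries that would widen relaying. The directory suffix dc=wrotethebook,dc=com, the cluster name wrotethebook.com and the sample input are assumptions taken from the recipe's own data. Every entry in class $=R matches the named domain and all of its subdomains (unless FEATURE(`relay_hosts_only') is in use), so a single-label entry such as com would relay for every host in that top-level domain; the script treats such an entry as an error rather than loading it into the directory.

```shell
#!/bin/sh
# Added example, not taken from the sendmail Cookbook: build the LDIF entry
# for class $=R from an existing /etc/mail/relay-domains file instead of
# typing the values, and refuse entries that would silently widen relaying.
# Assumptions (chosen for this example): the directory suffix is
# dc=wrotethebook,dc=com and the cluster name is wrotethebook.com, as in the
# recipe; the input holds one host or domain per line and '#' starts a comment.

# clean_relay_domains FILE: print the entries with comments, surrounding
# whitespace and blank lines removed.
clean_relay_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_relay_domains FILE: succeed only if every entry is a plain host or
# domain name. A $=R entry matches the recipient domain and all of its
# subdomains (unless FEATURE(`relay_hosts_only') is used), so a single label
# such as "com" would make this host an open relay for a whole top-level
# domain; such entries fail the check as well.
check_relay_domains() {
    list=$(clean_relay_domains "$1")
    [ -n "$list" ] || return 0
    rc=0
    bad=$(printf '%s\n' "$list" | grep '[^A-Za-z0-9.-]' || true)
    if [ -n "$bad" ]; then
        printf 'check_relay_domains: malformed entry: %s\n' "$bad" >&2
        rc=1
    fi
    broad=$(printf '%s\n' "$list" | grep -v '\.' || true)
    if [ -n "$broad" ]; then
        printf 'check_relay_domains: single-label entry would relay for an entire TLD: %s\n' "$broad" >&2
        rc=1
    fi
    return $rc
}

# relay_domains_to_ldif FILE CLUSTER BASEDN: print an LDIF entry in the
# sendmailMTAClass format used by this recipe, or print nothing and return 1
# if FILE fails check_relay_domains.
relay_domains_to_ldif() {
    check_relay_domains "$1" || return 1
    printf 'dn: sendmailMTAClassName=R,%s\n' "$3"
    printf 'objectClass: sendmailMTA\n'
    printf 'objectClass: sendmailMTAClass\n'
    printf 'sendmailMTACluster: %s\n' "$2"
    printf 'sendmailMTAClassName: R\n'
    clean_relay_domains "$1" | sed 's/^/sendmailMTAClassValue: /'
}

# Constructed sample input with the same names the recipe adds by hand.
sample=${TMPDIR:-/tmp}/relay-domains.$$
cat > "$sample" <<'EOF'
# hosts and domains allowed to relay through this server
rodent.wrotethebook.com
horseshoe.wrotethebook.com
jamis.wrotethebook.com
tcp.ora.com
chill.sybex.com
wrotethebook.com
EOF
relay_domains_to_ldif "$sample" wrotethebook.com 'dc=wrotethebook,dc=com'
rm -f "$sample"
# On the directory server, redirect the output to a file and load it with:
#   ldapadd -x -D "cn=Manager,dc=wrotethebook,dc=com" -W -f ldap-relay-domains
```

Run it against the real /etc/mail/relay-domains and redirect the output to the LDIF file given to ldapadd; a non-zero exit status means the file contains something that should be looked at before it reaches the directory.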

Once the data is added to the LDAP server, the sendmail system can be configured to read it.

The list of hosts granted relaying privileges is added to the LDAP database as values in a single sendmailMTAClass object class record. As the sendmailMTAClassName attribute makes clear, these values will be stored in class $=R. Normally, class $=R is loaded from the file /etc/mail/relay-domains. Use the RELAY_DOMAIN_FILE macro to add another source of data for class $=R. The string @LDAP in the path field of the macro tells sendmail to load class $=R with values obtained from the LDAP server. The effect of the @LDAP string on the RELAY_DOMAIN_FILE macro can be easily seen using the sendmail -bt command:

 # rm -f /etc/mail/relay-domains
 # sendmail -bt -Cgeneric-linux.cf
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > $=R
 > /quit
 # sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > $=R
 rodent.wrotethebook.com
 chill.sybex.com
 jamis.wrotethebook.com
 horseshoe.wrotethebook.com
 wrotethebook.com
 tcp.ora.com
 > /quit

The rm command in this test is just to show the reader that no values are being loaded into class $=R from the relay-domains file. On a real system, you might want to use both the relay-domains file and LDAP.

The first sendmail -bt test loads the generic-linux.cf configuration provided with the sendmail distribution. The $=R command displays the contents of the class $=R, which, in this case, is empty. The sendmail -bt test is rerun using the sendmail.cf configuration file created in this recipe. This time the $=R command displays the values retrieved from the LDAP server.
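The LDAPMAP check from the Solution and the class $=R comparison above are easy to script. The following shell script, added here as an example and not part of the sendmail Cookbook, parses the output of sendmail -bt -d0.1 for LDAPMAP, and compares the members of class $=R reported by sendmail -bt with the sendmailMTAClassValue attributes returned by ldapsearch, so that a mismatch (a stale cluster name, or a query answered by the wrong directory) is caught before the relay goes into service. The transcript format it assumes (the banner, the first member printed after the "> " prompt, one member per line, an empty final prompt when stdin is exhausted) follows the -bt session shown above and is an assumption; the two sample outputs embedded in the script are constructed from the recipe's data. Note that sendmail -bt prints the class in hash order, so both lists are sorted before they are compared.

```shell
#!/bin/sh
# Added example, not taken from the sendmail Cookbook: verify that a relay
# host is built with LDAP support and that the class $=R it actually loads
# matches the entry in the directory. Both checks parse command output, so
# they run here against constructed samples.
# Assumptions: 'sendmail -bt -d0.1 </dev/null' prints a "Compiled with:" list
# that may wrap over indented lines and ends at a blank line; 'sendmail -bt'
# fed "$=R" on stdin prints the banner, then the members one per line with
# the first one following the "> " prompt, then an empty "> " prompt.

# compiled_with_ldapmap: read 'sendmail -bt -d0.1' output on stdin and
# succeed only if LDAPMAP appears in the "Compiled with:" list.
compiled_with_ldapmap() {
    sed -n '/Compiled with:/,/^$/p' | grep -qw LDAPMAP
}

# class_from_bt: read a 'sendmail -bt' transcript for "$=R" on stdin and
# print the members, one per line, sorted and de-duplicated.
class_from_bt() {
    sed -e '/^ADDRESS TEST MODE/d' -e '/^Enter <ruleset>/d' \
        -e 's/^> *//' -e '/^$/d' | sort -u
}

# class_from_ldap: read 'ldapsearch -LLL' output on stdin and print the
# sendmailMTAClassValue attribute values, sorted and de-duplicated.
class_from_ldap() {
    sed -n 's/^sendmailMTAClassValue: //p' | sort -u
}

# compare_class_r BT_TRANSCRIPT LDAP_OUTPUT: succeed when the two sets of
# members are identical; otherwise list the differences on stderr (a leading
# tab marks a value present only in the directory) and return 1.
compare_class_r() {
    a=${TMPDIR:-/tmp}/classR.bt.$$
    b=${TMPDIR:-/tmp}/classR.ldap.$$
    printf '%s\n' "$1" | class_from_bt > "$a"
    printf '%s\n' "$2" | class_from_ldap > "$b"
    only=$(comm -3 "$a" "$b")
    rm -f "$a" "$b"
    if [ -z "$only" ]; then
        return 0
    fi
    printf 'class R and LDAP disagree (tab-indented = directory only):\n%s\n' "$only" >&2
    return 1
}

# --- constructed sample output, modelled on the recipe's transcripts ---
bt_sample='ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> rodent.wrotethebook.com
chill.sybex.com
jamis.wrotethebook.com
horseshoe.wrotethebook.com
wrotethebook.com
tcp.ora.com
> '
ldap_sample='dn: sendmailMTAClassName=R, dc=wrotethebook, dc=com
sendmailMTAClassValue: rodent.wrotethebook.com
sendmailMTAClassValue: horseshoe.wrotethebook.com
sendmailMTAClassValue: jamis.wrotethebook.com
sendmailMTAClassValue: tcp.ora.com
sendmailMTAClassValue: chill.sybex.com
sendmailMTAClassValue: wrotethebook.com'

if compare_class_r "$bt_sample" "$ldap_sample"; then
    echo 'class R matches the directory'
fi
# On a live relay host the same checks are:
#   sendmail -bt -d0.1 </dev/null | compiled_with_ldapmap || echo 'no LDAPMAP'
#   compare_class_r "$(printf '$=R\n' | sendmail -bt)" \
#       "$(ldapsearch -LLL -x '(sendmailMTAClassName=R)' sendmailMTAClassValue)"
```

If ldapsearch needs -h and -b to find the entry, the same values must be configured for sendmail (see footnote 5); a comparison that fails with an empty sendmail-side list while the directory side is populated is the usual symptom of a missing confLDAP_CLUSTER value or a wrong LDAP base.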

Class $=R is not the only class that can be loaded via LDAP. Any class loaded from a file can be loaded via LDAP by replacing the file pathname on the F command with the string @LDAP, using this syntax:

 F{name}@LDAP

where name is the class's name. The same name is then used as the value of the sendmailMTAClassName attribute in the LDAP record that defines the values loaded into the class. Note that this is the class name without the curly braces.

This recipe uses the confLDAP_CLUSTER define because the LDAP record created for this recipe contains the sendmailMTACluster attribute. sendmail LDAP records apply either to a single host or to a group of hosts, which sendmail calls a cluster. A record that applies to a single host uses the sendmailMTAHost attribute; a record that applies to a group of hosts uses the sendmailMTACluster attribute. If confLDAP_CLUSTER is not specified, no cluster name is used, and only records whose sendmailMTAHost attribute matches the hostname of the sendmail host are retrieved. The record added to the LDAP database in the example above uses the sendmailMTACluster attribute and sets it to wrotethebook.com, so a matching cluster value must be defined in the sendmail configuration. The confLDAP_CLUSTER define shown in the Solution section sets the sendmail.cf macro ${sendmailMTACluster}, which holds the cluster name, to wrotethebook.com. Without that define, queries from the local host would not retrieve the sample class $=R values from the LDAP server.

See Also

Recipe 3.6 and Recipe 3.7 provide information about class $=R and how it is used for relaying. Information about LDAP is available in Understanding and Deploying LDAP Directory Services by Howes, Smith, and Good (Macmillan) and in LDAP System Administration by Gerald Carter (O'Reilly). The cf/README file covers this topic in the Using LDAP for Aliases, Maps, and Classes section. The sendmail book covers the RELAY_DOMAIN_FILE macro in Section 7.4.1.2 and the confLDAP_CLUSTER define in Section 21.9.82.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt