Recipe 4.13 Masquerading with LDAP

Problem

You have been asked to configure sendmail so that it reads data that controls masquerading from an LDAP server.

Solution

On the LDAP server, add the sendmail.schema file to the LDAP configuration as described in Recipe 1.3.

On the LDAP server, add the masquerade configuration data to the LDAP database. To do this, create an LDIF file containing the list of masqueraded domains and an LDIF file containing the list of exposed users. The object class of the data in both files must be the sendmailMTAClass defined in the sendmail.schema file. Use ldapadd to add this data to the LDAP database.

Check the sendmail compiler options on the sendmail host. If sendmail does not list LDAPMAP among the "Compiled with:" flags, recompile and reinstall sendmail as described in Recipe 1.3.

On the sendmail host, create a configuration that reads the MASQUERADE_DOMAIN_FILE and EXPOSED_USER_FILE data from the LDAP server. Set confLDAP_CLUSTER to match the sendmailMTACluster attribute used in the records added to the LDAP database. Here is an example of the lines added to the sendmail configuration:

    dnl Masquerade the From address as wrotethebook.com
    MASQUERADE_AS(`wrotethebook.com')
    dnl Define the LDAP cluster to which this host belongs
    define(`confLDAP_CLUSTER', `wrotethebook.com')dnl
    dnl Use LDAP to read usernames that are not masqueraded
    EXPOSED_USER_FILE(`@LDAP')
    dnl Get the list of masqueraded hostnames from LDAP
    MASQUERADE_DOMAIN_FILE(`@LDAP')

Build the new sendmail.cf file and copy it to /etc/mail. Restart sendmail. See Recipe 1.8 for examples.

Discussion

This recipe assumes that you have a fully functional LDAP server to which the sendmail masquerading information can be added. If you need help on LDAP, see Understanding and Deploying LDAP Directory Services, by Howes, Smith, and Good (Macmillan), and LDAP System Administration, by Gerald Carter (O'Reilly). Get the LDAP server up, running, and debugged before you attempt this recipe.

After ensuring that the LDAP server is ready to support sendmail, add the masquerade data to the LDAP database. This example creates a record for the hostnames that will be loaded into the $=M class:

    # cat > ldap-masquerade-domains
    dn: sendmailMTAClassName=M, dc=wrotethebook, dc=com
    objectClass: sendmailMTA
    objectClass: sendmailMTAClass
    sendmailMTACluster: wrotethebook.com
    sendmailMTAClassName: M
    sendmailMTAClassValue: rodent.wrotethebook.com
    sendmailMTAClassValue: horseshoe.wrotethebook.com
    sendmailMTAClassValue: jamis.wrotethebook.com
    Ctrl-D
    # ldapadd -x -D "cn=Manager,dc=wrotethebook,dc=com" \
    > -W -f ldap-masquerade-domains
    Enter LDAP Password: SecretLDAPpassword
    adding new entry "sendmailMTAClassName=M, dc=wrotethebook, dc=com"

This example adds the list of exposed users to the LDAP database:

    # cat > ldap-exposed-users
    dn: sendmailMTAClassName=E, dc=wrotethebook, dc=com
    objectClass: sendmailMTA
    objectClass: sendmailMTAClass
    sendmailMTACluster: wrotethebook.com
    sendmailMTAClassName: E
    sendmailMTAClassValue: root
    Ctrl-D
    # ldapadd -x -D "cn=Manager,dc=wrotethebook,dc=com" \
    > -W -f ldap-exposed-users
    Enter LDAP Password: SecretLDAPpassword
    adding new entry "sendmailMTAClassName=E, dc=wrotethebook, dc=com"

The examples above show the LDAP format used for sendmail class data. The class to which the LDAP record applies is defined by the sendmailMTAClassName attribute. The values that should be loaded into the specified class are defined in the LDAP record using one or more sendmailMTAClassValue attributes. In the examples, the record for class $=M contains three values, and the record for class $=E contains one value. Convert the LDIF data to LDAP format and add it to the LDAP database using the ldapadd command. [7] Use the ldapsearch command to examine the new data: [8]

[7] All LDAP examples in this book assume that OpenLDAP is being used. Adjust the commands to fit your system.

[8] If ldapsearch requires -h and -b values, use confLDAP_DEFAULT_SPEC to set the same values for sendmail, as described in Recipe 5.9.

    # ldapsearch -LLL -x '(sendmailMTAClassName=M)' sendmailMTAClassValue
    dn: sendmailMTAClassName=M, dc=wrotethebook, dc=com
    sendmailMTAClassValue: rodent.wrotethebook.com
    sendmailMTAClassValue: horseshoe.wrotethebook.com
    sendmailMTAClassValue: jamis.wrotethebook.com
    # ldapsearch -LLL -x '(sendmailMTAClassName=E)' sendmailMTAClassValue
    dn: sendmailMTAClassName=E, dc=wrotethebook, dc=com
    sendmailMTAClassValue: root

LDAP is ready. Now configure sendmail to ask LDAP for the masquerade data by using the string @LDAP in place of the file path in the MASQUERADE_DOMAIN_FILE and the EXPOSED_USER_FILE macros. When @LDAP is specified, sendmail queries LDAP for the required data using the standard sendmail schema.

This recipe also defines a value for confLDAP_CLUSTER. sendmail LDAP records apply either to an individual host or to a group of hosts called a cluster. A cluster is analogous to a NIS domain: it is a group of hosts that use the same LDAP data. The cluster name is defined in the sendmail configuration with the confLDAP_CLUSTER variable and in the LDAP records with the sendmailMTACluster attribute. If the LDAP records apply to a single host, the host is identified in the LDAP records by the sendmailMTAHost attribute, but no special sendmail configuration is needed because the hostname value returned by $j is used for the LDAP query. Note that if the confLDAP_CLUSTER variable is configured for a host that also has host-specific LDAP data, both the host data and the cluster data are returned when that host issues an LDAP query. This recipe defines a cluster name in the sendmail configuration and uses only cluster data in the LDAP database.
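The two kinds of record just described (cluster records selected through sendmailMTACluster, host records selected through sendmailMTAHost) and the requirement that confLDAP_CLUSTER match the LDIF data can be checked offline before anything is loaded into the directory. The following Python script is an added example and is not part of the Cookbook or of the sendmail distribution: it parses LDIF text of the form shown above, models the host-or-cluster selection rule as the recipe states it (it is a model of that rule, not sendmail's own LDAP query code), and flags cluster-scoped records whose sendmailMTACluster does not match confLDAP_CLUSTER in the .mc file, the mistake that leaves $=M and $=E silently empty. The sample LDIF, the chef.wrotethebook.com host record, and the mistyped-cluster record are constructed for this example.

```python
# Added example (not from the sendmail Cookbook): model the host/cluster
# selection rule the recipe describes and check confLDAP_CLUSTER against LDIF.
import re
from collections import defaultdict

# Constructed LDIF modelled on the recipe's records; the chef.wrotethebook.com
# host record and the mistyped-cluster record are invented for the example.
SAMPLE_LDIF = """\
dn: sendmailMTAClassName=M, dc=wrotethebook, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAClass
sendmailMTACluster: wrotethebook.com
sendmailMTAClassName: M
sendmailMTAClassValue: rodent.wrotethebook.com
sendmailMTAClassValue: horseshoe.wrotethebook.com
sendmailMTAClassValue: jamis.wrotethebook.com

dn: sendmailMTAClassName=E, dc=wrotethebook, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAClass
sendmailMTACluster: wrotethebook.com
sendmailMTAClassName: E
sendmailMTAClassValue: root

# Host-specific record: selected by sendmailMTAHost, not by the cluster.
dn: sendmailMTAClassName=E, sendmailMTAHost=chef.wrotethebook.com, dc=wrotethebook, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAClass
sendmailMTAHost: chef.wrotethebook.com
sendmailMTAClassName: E
sendmailMTAClassValue: postmaster

# Mistyped cluster name: no host configured for wrotethebook.com loads it.
dn: sendmailMTAClassName=M, dc=example, dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAClass
sendmailMTACluster: wrotethebook.con
sendmailMTAClassName: M
sendmailMTAClassValue: typo.wrotethebook.com
"""
# Constructed .mc fragment carrying the recipe's confLDAP_CLUSTER line.
SAMPLE_MC = "define(`confLDAP_CLUSTER', `wrotethebook.com')dnl\n"


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles blank-line-separated entries, '#' comments and continuation lines
    (leading space); attribute names are lowercased because LDAP attribute
    names are case-insensitive. Base64 ('::') values are not decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]   # RFC 2849 line continuation
        else:
            unfolded.append(line)
    entries, current = [], defaultdict(list)
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():           # blank line ends the current entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        current[name.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def class_records(entries):
    """Keep only entries whose objectClass includes sendmailMTAClass."""
    return [e for e in entries
            if "sendmailmtaclass" in [v.lower() for v in e.get("objectclass", [])]]


def load_class(entries, class_name, host, cluster):
    """Values a host ($j == host, confLDAP_CLUSTER == cluster) loads into a class.

    A record applies when its sendmailMTAHost equals host or its sendmailMTACluster
    equals cluster; a host with both kinds of record gets the union."""
    values = set()
    for e in class_records(entries):
        if e.get("sendmailmtaclassname") != [class_name]:
            continue
        by_host = host in e.get("sendmailmtahost", [])
        by_cluster = bool(cluster) and cluster in e.get("sendmailmtacluster", [])
        if by_host or by_cluster:
            values.update(e.get("sendmailmtaclassvalue", []))
    return values


def mc_ldap_cluster(mc_text):
    """Return the confLDAP_CLUSTER value defined in m4 configuration text, or None."""
    m = re.search(r"define\(`confLDAP_CLUSTER',\s*`([^']*)'\)", mc_text)
    return m.group(1) if m else None


def mismatched_cluster_records(entries, cluster):
    """DNs of cluster-scoped records that hosts in this cluster never load."""
    return [e["dn"][0] for e in class_records(entries)
            if "sendmailmtacluster" in e and cluster not in e["sendmailmtacluster"]]


if __name__ == "__main__":
    entries, cluster = parse_ldif(SAMPLE_LDIF), mc_ldap_cluster(SAMPLE_MC)
    print("chef $=E:", sorted(load_class(entries, "E", "chef.wrotethebook.com", cluster)))
    print("never loaded:", mismatched_cluster_records(entries, cluster))
```

Run against the real LDIF files and the .mc before the ldapadd step: a DN reported by mismatched_cluster_records is a record that will be accepted by the directory but never returned to any host in the cluster, which is exactly the condition that the sendmail -bt test later in this recipe would reveal as an empty class.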

A simple test shows the impact of this recipe:

    # sendmail -bt -Cgeneric-linux.cf
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > $=M
    > $=E
    > /quit
    # sendmail -bt -Csendmail.cf
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > $=M
    rodent.wrotethebook.com
    jamis.wrotethebook.com
    horseshoe.wrotethebook.com
    > $=E
    root
    > /quit

A sendmail -bt test using the generic configuration shows that, by default, class $=M and class $=E are empty. When the test is rerun using the sendmail.cf file created in this recipe, class $=M and class $=E contain the data defined in the LDAP database.

The MASQUERADE_DOMAIN_FILE and the EXPOSED_USER_FILE are not the only files that can be read from LDAP. The MASQUERADE_EXCEPTION_FILE, used in Recipe 4.9, can also be read from an LDAP server by replacing the pathname in the macro command with the string @LDAP. In fact, any file that is loaded into a class can be read from LDAP. Additionally, sendmail databases can be read from LDAP, as the next recipe illustrates with the genericstable.

Because classes are loaded during startup, you must restart sendmail whenever you add, change, or delete any LDAP records that affect sendmail classes; the changes take effect only after the restart.

See Also

Recipe 4.6 explains the role that class $=M plays in masquerading, and Recipe 4.2 explains why class $=E is needed. Recipe 3.9 also uses LDAP to load a class and provides additional insight into using LDAP. The sendmail book covers the MASQUERADE_DOMAIN_FILE macro in Section 4.4.4, the EXPOSED_USER_FILE macro in Section 4.4.1.1, and the confLDAP_CLUSTER define in Section 21.9.82. The cf/README file covers LDAP in the Using LDAP for Aliases, Maps, and Classes section.



sendmail Cookbook
Authors: Craig Hunt
ISBN: 0596004710
Year: 2005
Pages: 178