[Fwd: ldap users & aliases config]

[Fwd: ldap users & aliases config]

Wojtek Bogusz-2
dear postfix'ers, please help. i cannot find the solution to my problem.
i do not understand what am i doing wrong.  Wojtek

-------- Original Message --------
Subject: ldap users & aliases config
Date: Fri, 02 May 2008 17:18:45 +0100
From: Wojtek Bogusz <[hidden email]>
To: [hidden email]

hi. i am looking for help in setting up users and aliases in ldap for
postfix. i am running on Ubuntu 7.10 with postfix 2.3.8-2

in main.cf i defined source for user accounts as:

        accounts_server_host = localhost
        accounts_search_base = ou=Users,dc=frontline
        accounts_query_filter = (&(objectClass=posixAccount)(uid=%u))
        accounts_result_attribute = uid
        accounts_bind = no
        virtual_transport = dovecot
        virtual_mailbox_base = /home/vmail/domains
        virtual_mailbox_maps = ldap:accounts
        virtual_mailbox_domains = frontlinedefenders.org
        virtual_domain = frontlinedefenders.org
        virtual_minimum_uid = 30000
        virtual_uid_maps = static:30000
        virtual_gid_maps = static:33

and source for user aliases as:
        aliases_server_host = localhost
        aliases_search_base = ou=EmailAliases,dc=frontline
        aliases_query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
        aliases_result_attribute = cn
        aliases_bind = no
        virtual_alias_maps = ldap:aliases, hash:/etc/aliases

i defined ou=EmailAliases,dc=frontline records as inetOrgPerson class
type. so i have as 'cn' a user name (eg. 'wojtek') and as 'sn' different
aliases for this user name (eg. 'wojtekbogusz', 'admin', ...). so for
example you can do anonymous ldapsearch like this from command line:

$ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x 'sn=admin' cn
# extended LDIF
#
# LDAPv3
# base <ou=EmailAliases,dc=frontline> with scope subtree
# filter: sn=admin
# requesting: cn
#

# wojtek, EmailAliases, frontline
dn: cn=wojtek,ou=EmailAliases,dc=frontline

# john, EmailAliases, frontline
dn: cn=john,ou=EmailAliases,dc=frontline

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


i was trying to debug ldap by specifying 'loglevel acl filter' in
/etc/ldap/slapd.conf. but most bizarre is that when i am feeding postfix
by hand over smtp and give 'rcpt to:
[hidden email]'. 'wojtekbogusz' does not appear in
the /var/log/syslog (or debug or mail.info) at all. i can see a lot of
activity, looking through the entries in ldap but nothing corresponding
to query_filter specified above '(&(objectClass=inetOrgPerson)(sn=%u))' -
where i believe %u should be set to 'wojtekbogusz'........?

i do not understand this all and i am a bit crossed :-)
can anybody advise please?

best regards, Wojtek



Re: [Fwd: ldap users & aliases config]

Brian Evans - Postfix List
Wojtek Bogusz wrote:

> dear postfix'ers, please help. i cannot find the solution to my
> problem. i do not understand what am i doing wrong.  Wojtek
>
> -------- Original Message --------
> Subject: ldap users & aliases config
> Date: Fri, 02 May 2008 17:18:45 +0100
> From: Wojtek Bogusz <[hidden email]>
> To: [hidden email]
>
> hi. i am looking for help in setting up users and aliases in ldap for
> postfix. i am running on Ubuntu 7.10 with postfix 2.3.8-2
>
> in main.cf i defined source for user accounts as:
>
>     accounts_server_host = localhost
>     accounts_search_base = ou=Users,dc=frontline
>     accounts_query_filter = (&(objectClass=posixAccount)(uid=%u))
>     accounts_result_attribute = uid
>     accounts_bind = no
>     virtual_transport = dovecot
>     virtual_mailbox_base = /home/vmail/domains
>     virtual_mailbox_maps = ldap:accounts
>     virtual_mailbox_domains = frontlinedefenders.org
>     virtual_domain = frontlinedefenders.org
>     virtual_minimum_uid = 30000
>     virtual_uid_maps = static:30000
>     virtual_gid_maps = static:33
>
> and source for user aliases as:
>     aliases_server_host = localhost
>     aliases_search_base = ou=EmailAliases,dc=frontline
>     aliases_query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
>     aliases_result_attribute = cn
>     aliases_bind = no
>     virtual_alias_maps = ldap:aliases, hash:/etc/aliases
I hope these are not the same files. Be more specific with paths to
avoid confusion.

>
> i defined ou=EmailAliases,dc=frontline records as inetOrgPerson class
> type. so i have as 'cn' a user name (eg. 'wojtek') and as 'sn' different
> aliases for this user name (eg. 'wojtekbogusz', 'admin', ...). so for
> example you can do anonymous ldapsearch like this from command line:
>
> $ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x 'sn=admin' cn
> # extended LDIF
> #
> # LDAPv3
> # base <ou=EmailAliases,dc=frontline> with scope subtree
> # filter: sn=admin
> # requesting: cn
> #
>
> # wojtek, EmailAliases, frontline
> dn: cn=wojtek,ou=EmailAliases,dc=frontline
>
> # john, EmailAliases, frontline
> dn: cn=john,ou=EmailAliases,dc=frontline
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>
> i was trying to debug ldap by specifying 'loglevel acl filter' in
> /etc/ldap/slapd.conf. but most bizarre is that when i am feeding postfix
> by hand over smtp and give 'rcpt to:
> [hidden email]'. 'wojtekbogusz' does not appear in
> the /var/log/syslog (or debug or mail.info) at all. i can see a lot of
> activity, looking through the entries in ldap but nothing corresponding
> to query_filer specified above '(&(objectClass=inetOrgPerson)(sn=%u))' -
> where i believe %u should be set to 'wojtekbogusz'........?

Show 'postconf -n'.  Show result of 'postmap -q
[hidden email] ldap:/path/to/aliases'
Logging can be done in other places too (mail.warn, maillog, mail.err,
etc.) depending on how your syslogger is set up.

Brian
>
> i do not understand this all and i am a bit crossed :-)
> can anybody advice please?
>
> best regards, Wojtek
>
>

Re: [Fwd: ldap users & aliases config]

Wojtek Bogusz-2
thank you for the reply.

$ sudo postconf -n
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = /usr/local/libexec/dovecot/deliver
mailbox_size_limit = 0
mydestination = frontlinedefeders.org, base.localhost, base, localhost
myhostname = base
mynetworks = 127.0.0.0/8,192.168.0.0/28
myorigin = "frontlinedefenders.org"
recipient_delimiter = +
relayhost = mail.localhost
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
virtual_gid_maps = static:33
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_domains = frontlinedefenders.org
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
virtual_minimum_uid = 30000
virtual_transport = dovecot
virtual_uid_maps = static:30000

$ cat /etc/postfix/ldap-accounts.cf
server_host = localhost
search_base = ou=Users,dc=frontline
query_filter = (&(objectClass=posixAccount)(uid=%u))
result_attribute = uid
bind = no
version = 3

$ cat /etc/postfix/ldap-aliases.cf
server_host = localhost
search_base = ou=EmailAliases,dc=frontline
query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
result_attribute = cn
bind = no
version = 3

output from

$ sudo postmap -q [hidden email]
ldap:/etc/postfix/ldap-aliases.cf
$ sudo postmap -q wojtekbogusz ldap:/etc/postfix/ldap-aliases.cf

is nothing... and smtp still rejects the address (any address admin,
[hidden email], wojtekbogusz,
[hidden email], etc.)

cheers, Wojtek


Re: [Fwd: ldap users & aliases config]

Victor Duchovni
On Thu, May 08, 2008 at 03:47:12PM +0100, Wojtek Bogusz wrote:

> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

This applies to all recipient addresses, not just those in your domain.


> $ cat /etc/postfix/ldap-aliases.cf
> server_host = localhost
> search_base = ou=EmailAliases,dc=frontline
> query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
> result_attribute = cn
> bind = no
> version = 3

This ignores the domain part without restricting it. The result is that
you rewrite <localpart>@<any.domain> provided the local part is the "sn"
of one of your users. A terrible idea.

> output from
>
> $ sudo postmap -q [hidden email]
> ldap:/etc/postfix/ldap-aliases.cf
> $ sudo postmap -q wojtekbogusz ldap:/etc/postfix/ldap-aliases.cf
>
> is nothing...

Good. Are these expected to match anything?

> and smtp still rejects the address (any address admin,
> [hidden email], wojtekbogusz,
> [hidden email], etc.)

Do show the relevant ": reject: " log entries and explain why you expect
these to be accepted.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: [Fwd: ldap users & aliases config]

Wojtek Bogusz-2
>> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
>
> This applies to all recipient addresses, not just those in your domain.

yes. we have just one domain. and i wanted to avoid writing this domain
in all aliases and addresses. so instead i am just checking the user
names / alias names and leave the domain static listed in other settings.

>> $ cat /etc/postfix/ldap-aliases.cf
>> server_host = localhost
>> search_base = ou=EmailAliases,dc=frontline
>> query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
>> result_attribute = cn
>> bind = no
>> version = 3
>
> This ignores the domain part without restricting it. The result is that
> you rewrite <localpart>@<any.domain> provided the local part is the "sn"
> of one of your users. A terrible idea.

why is it a terrible idea?


>> output from
>>
>> $ sudo postmap -q [hidden email]
>> ldap:/etc/postfix/ldap-aliases.cf
>> $ sudo postmap -q wojtekbogusz ldap:/etc/postfix/ldap-aliases.cf
>>
>> is nothing...
>
> Good. Are these expected to match anything?

yes. if you do:

$ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x 'sn=admin' cn
# extended LDIF
#
# LDAPv3
# base <ou=EmailAliases,dc=frontline> with scope subtree
# filter: sn=admin
# requesting: cn
#

# wojtek, EmailAliases, frontline
dn: cn=wojtek,ou=EmailAliases,dc=frontline

# nikt, EmailAliases, frontline
dn: cn=john,ou=EmailAliases,dc=frontline

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


but when you do:

$ sudo postmap -q [hidden email]
ldap:/etc/postfix/ldap-aliases.cf
or:
$ sudo postmap -q admin ldap:/etc/postfix/ldap-aliases.cf

you get nothing

>> and smtp still rejects the address (any address admin,
>> [hidden email], wojtekbogusz,
>> [hidden email], etc.)
>
> Do show the relevant ": reject: " log entries and explain why you expect
> these to be accepted.

May  8 17:13:01 base postfix/smtpd[16729]: NOQUEUE: reject: RCPT from
unknown[192.168.0.3]: 550 5.1.1 <[hidden email]>:
Recipient address rejected: User unknown in virtual mailbox table
; from=<[hidden email]> to=<[hidden email]> proto=SMTP
helo=<vortex.localhost>

i do not know how i can motivate more that i expect this address to be
resolved :-) i have the relevant record in ldap -> the address should resolve
fine. i must be doing something wrong with the configuration.

cheers, Wojtek

Re: [Fwd: ldap users & aliases config]

Victor Duchovni
On Thu, May 08, 2008 at 05:16:27PM +0100, Wojtek Bogusz wrote:

> >>virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
> >
> >This applies to all recipient addresses, not just those in your domain.
>
> yes. we have just one domain. and i wanted to avoid writing this domain
> in all aliases and addresses. so instead i am just checking the user
> names / alias names and leave the domain static listed in other settings.

You never send any mail out? Not even legitimate bounces? Seems unlikely.

> >This ignores the domain part without restricting it. The result is that
> >you rewrite <localpart>@<any.domain> provided the local part is the "sn"
> >of one of your users. A terrible idea.
>
> why is it terrible idea?
>

You will rewrite "[hidden email]" to "[hidden email]"
even though the "gmail.com" address has nothing to do with you or your
account.

> >>$ sudo postmap -q [hidden email]
> >>ldap:/etc/postfix/ldap-aliases.cf
> >>$ sudo postmap -q wojtekbogusz ldap:/etc/postfix/ldap-aliases.cf
> >>
> >>is nothing...
> >
> >Good. Are these expected to match anything?
>
> yes. if you do:

The strings "admin" and "wojtekbogusz" are not the same.

> $ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x 'sn=admin' cn

This query filter is not the one you are using in the Postfix
table definitions. Compare apples with apples.

> May  8 17:13:01 base postfix/smtpd[16729]: NOQUEUE: reject: RCPT from
> unknown[192.168.0.3]: 550 5.1.1 <[hidden email]>:
> Recipient address rejected: User unknown in virtual mailbox table
> ; from=<[hidden email]> to=<[hidden email]> proto=SMTP
> helo=<vortex.localhost>

Naturally, since "postmap -q" does not see "admin". Fix that first. Try
"postmap -vq" and see what query Postfix sends, try that query for
yourself with "ldapsearch" if you like. Make sure your result_attribute
is valid.

--
        Viktor.


Re: [Fwd: ldap users & aliases config]

Wojtek Bogusz-2
Victor Duchovni wrote:
> On Thu, May 08, 2008 at 05:16:27PM +0100, Wojtek Bogusz wrote:
>
>>>> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
>>> This applies to all recipient addresses, not just those in your domain.
>> yes. we have just one domain. and i wanted to avoid writing this domain
>> in all aliases and addresses. so instead i am just checking the user
>> names / alias names and leave the domain static listed in other settings.
>
> You never send any mail out? Not even legitimate bounces? Seems unlikely.

we do. but i thought that the way it works is that postfix will relay
email as long as either from or to/cc/bcc will match the domain name
that is relayed and account/alias name that is relayed within this domain.


>>> This ignores the domain part without restricting it. The result is that
>>> you rewrite <localpart>@<any.domain> provided the local part is the "sn"
>>> of one of your users. A terrible idea.
>> why is it terrible idea?
>
> You will rewrite "[hidden email]" to "[hidden email]"
> even though the "gmail.com" address has nothing to do with you or your
> account.

does it mean that there is no other way than have all the accounts and
aliases repeating domain part ('@frontlinedefenders.org')?


>>>> $ sudo postmap -q [hidden email]
>>>> ldap:/etc/postfix/ldap-aliases.cf
>>>> $ sudo postmap -q wojtekbogusz ldap:/etc/postfix/ldap-aliases.cf
>>>>
>>>> is nothing...
>>> Good. Are these expected to match anything?
>> yes. if you do:
>
> The strings "admin" and "wojtekbogusz" are not the same.

let's forget about 'wojtekbogusz' here please, and do the exercise on
'admin'. it is the same with 'wojtekbogusz'.


>> $ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x 'sn=admin' cn
>
> This query filter is not the one you are using in the Postfix
> table definitions. Compare apples with apples.

how come? in /etc/postfix/ldap-aliases.cf i have:
server_host = localhost
search_base = ou=EmailAliases,dc=frontline
query_filter = (&(objectClass=inetOrgPerson)(sn=%u))

this is exactly what i am ldapsearch'ing above i think.


>> May  8 17:13:01 base postfix/smtpd[16729]: NOQUEUE: reject: RCPT from
>> unknown[192.168.0.3]: 550 5.1.1 <[hidden email]>:
>> Recipient address rejected: User unknown in virtual mailbox table
>> ; from=<[hidden email]> to=<[hidden email]> proto=SMTP
>> helo=<vortex.localhost>
>
> Naturally, since "postmap -q" does not see "admin". Fix that first. Try
> "postmap -vq" and see what query Postfix sends, try that query for
> yourself with "ldapsearch" if you like. Make sure your result_attribute
> is valid.

ok. i guess those are the lines from 'postmap -vq'

postmap: dict_ldap_lookup: /etc/postfix/ldap-aliases.cf: Searching with
filter (&(objectClass=inetOrgPerson)(sn=admin))
postmap: dict_ldap_get_values[1]: Search found 2 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing

so to my untrained eye the search string
'(&(objectClass=inetOrgPerson)(sn=admin))' is ok. and then there is the
part i do not understand: found 2 matches = returned nothing.

cheers, Wojtek

Re: [Fwd: ldap users & aliases config]

Victor Duchovni
On Thu, May 08, 2008 at 05:41:28PM +0100, Wojtek Bogusz wrote:

> >You will rewrite "[hidden email]" to "[hidden email]"
> >even though the "gmail.com" address has nothing to do with you or your
> >account.
>
> does it mean that there is no other way than have all the accounts and
> aliases repeating domain part ('@frontlinedefenders.org')?

No, you just need to make your rewriting rules apply *ONLY* to addresses in
your domain. Failure to do that will yield unacceptable erratic results.

> >>$ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x 'sn=admin' cn

Query filter in this case is?

> how come. in /etc/postfix/ldap-aliases.cf i have:
> server_host = localhost
> search_base = ou=EmailAliases,dc=frontline
> query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
>
> this is exactly what i am ldapsearch'ing above i think.

Query filter in this case is? Are the two the same? What is your
result_attribute?

> >"postmap -vq" and see what query Postfix sends, try that query for
> >yourself with "ldapsearch" if you like. Make sure your result_attribute
> >is valid.
>
> ok. i guess those are the lines from 'postmap -vq'
>
> postmap: dict_ldap_lookup: /etc/postfix/ldap-aliases.cf: Searching with
> filter (&(objectClass=inetOrgPerson)(sn=admin))
> postmap: dict_ldap_get_values[1]: Search found 2 match(es)
> postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
> postmap: dict_ldap_lookup: Search returned nothing
>
> so to my untrained eye the search string
> '(&(objectClass=inetOrgPerson)(sn=admin))' is ok. and than there is the
> part i do not understand: found 2 matches = returned nothing.

No non-empty values of the requested result_attribute.

--
        Viktor.


Re: [Fwd: ldap users & aliases config]

Wojtek Bogusz-2
thank you.

let me try to be more precise this time, hopefully :-)

$ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x
'(&(objectClass=inetOrgPerson)(sn=admin))' cn
# extended LDIF
#
# LDAPv3
# base <ou=EmailAliases,dc=frontline> with scope subtree
# filter: (&(objectClass=inetOrgPerson)(sn=admin))
# requesting: cn
#

# wojtek, EmailAliases, frontline
dn: cn=wojtek,ou=EmailAliases,dc=frontline

# john, EmailAliases, frontline
dn: cn=john,ou=EmailAliases,dc=frontline

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

and:

$ sudo postmap -v -q [hidden email]
ldap:/etc/postfix/ldap-aliases.cf
[... many lines here ...]
postmap: dict_ldap_lookup: /etc/postfix/ldap-aliases.cf: Searching with
filter (&(objectClass=inetOrgPerson)(sn=admin))
postmap: dict_ldap_get_values[1]: Search found 2 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source
/etc/postfix/ldap-aliases.cf


so in ldapsearch:
- base: 'ou=EmailAliases,dc=frontline' with scope subtree
- filter: (&(objectClass=inetOrgPerson)(sn=admin))
- requesting: cn

in postmap -vq (also from the /etc/postfix/ldap-aliases.cf see below):
- base: 'ou=EmailAliases,dc=frontline' (see: 'search_base =
ou=EmailAliases,dc=frontline' below)
- filter: '(&(objectClass=inetOrgPerson)(sn=admin))'
- requesting: cn ('result_attribute = cn' below)

seems the same to me...

maybe i should set up some other 'result_filter' - now it is %s. and as i
can see in ldapsearch the result looks like this:
'cn=nikt,ou=EmailAliases,dc=frontline'. maybe i should define the
structure of this response for postfix-ldap? i do not know...

>>> You will rewrite "[hidden email]" to "[hidden email]"
>>> even though the "gmail.com" address has nothing to do with you or your
>>> account.
>> does it mean that there is no other way than have all the accounts and
>> aliases repeating domain part ('@frontlinedefenders.org')?
>
> No, you just need to make your rewriting rules apply *ONLY* to address in
> your domain. Failure to do that will yield unacceptable erratic results.

i am really sorry to be a bit slow here. but how do i do it? how would
you modify my config to do this? see below:

$ postconf -n
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = /usr/local/libexec/dovecot/deliver
mailbox_size_limit = 0
mydestination = frontlinedefeders.org, base.localhost, base, localhost
myhostname = base
mynetworks = 127.0.0.0/8,192.168.0.0/28
myorigin = "frontlinedefenders.org"
recipient_delimiter = +
relayhost = mail.localhost
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
virtual_gid_maps = static:33
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_domains = frontlinedefenders.org
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
virtual_minimum_uid = 30000
virtual_transport = dovecot
virtual_uid_maps = static:30000

$ cat /etc/postfix/ldap-accounts.cf
server_host = localhost
search_base = ou=Users,dc=frontline
query_filter = (&(objectClass=posixAccount)(uid=%u))
result_attribute = uid
bind = no
version = 3

$ cat /etc/postfix/ldap-aliases.cf
server_host = localhost
search_base = ou=EmailAliases,dc=frontline
query_filter = (&(objectClass=inetOrgPerson)(sn=%u))
result_attribute = cn
bind = no
version = 3


Re: [Fwd: ldap users & aliases config]

Victor Duchovni
On Thu, May 08, 2008 at 06:12:25PM +0100, Wojtek Bogusz wrote:

> thank you.
>
> let me try hopefully more precise this time :-)
>
> $ ldapsearch -b 'ou=EmailAliases,dc=frontline' -x
> '(&(objectClass=inetOrgPerson)(sn=admin))' cn
> # extended LDIF
> #
> # LDAPv3
> # base <ou=EmailAliases,dc=frontline> with scope subtree
> # filter: (&(objectClass=inetOrgPerson)(sn=admin))
> # requesting: cn
> #
>
> # wojtek, EmailAliases, frontline
> dn: cn=wojtek,ou=EmailAliases,dc=frontline
>
> # john, EmailAliases, frontline
> dn: cn=john,ou=EmailAliases,dc=frontline

It has found two objects, but it has not found *ANY* cn attribute values.
The RDN "cn=john" does not imply an attribute value of "cn: john". Where
are the attribute values?

> # search result
> search: 2
> result: 0 Success

No attribute values come back. Just as with "postmap -q".

--
        Viktor.


Re: [Fwd: ldap users & aliases config]

Wojtek Bogusz-2
> It has found two objects, but it has not found *ANY* cn attribute values.
> The RDN "cn="john" does not imply an attribute value of "cn: john". Where
> are attribute values?

ok. i thought that i can have cn returned as an attribute. so i had
wrong ldap structure.
i do not understand ldap :-( now i created records with 3 objectClass:
inetOrgPerson, top, uidObject. in phpLDAPadmin it looks like i have
fields: cn (which is rdn and required), mail, sn (which is required and
does not show in ldapsearch command line so i suppose it cannot be
attribute as well) and uid. it is a bit crazy, why cn and sn cannot be
attributes?... but it works. thank you!


can you please advise how to make the rewriting rules apply only to addresses
in my domain?


cheers, Wojtek

Re: [Fwd: ldap users & aliases config]

Victor Duchovni
On Thu, May 08, 2008 at 07:24:10PM +0100, Wojtek Bogusz wrote:

> ok. i thought that i can have cn returned as an attribute. so i had
> wrong ldap structure.

It will be returned as an attribute if it is actually populated as an
attribute. RDN components are not attributes.

> i do not understand ldap :-(

Why are you using LDAP?

> fields: cn (which is rdn and required)

ldapsearch does not return this field. Do you populate it?

> it is a bit crazy, why cn and sn cannot be attributes?...

Of course they can.

    $ ldapsearch ...
    dn: ...
    uid: viktor
    cn: Victor Duchovni
    sn: Duchovni

If you need help with LDAP, join an LDAP help forum.

> can you please advice how to make rewriting rules apply only to address
> in my domain?

    http://www.postfix.org/ldap_table.5.html

Frankly, the whole idea of basing mail routing on people's Common Name
is a bad one. Give users a multi-valued email-address attribute, and
match addresses explicitly against addresses. DO NOT match on the SN,
what happens when you have 2 people named "Nowak"?

We use (for people):

    mail := single-valued primary address
    mailalternateaddress := multi-valued list of all valid addresses
    maildrop := single-valued mailbox location

The virtual table is:

        ...
        # domain=... For efficiency only, all lookup keys are full addresses
        domain = /etc/postfix/our-domains
        query_filter = mailalternateaddress = %s
        result_attribute = maildrop

Actually the virtual table also supports groups and is more complex:

        ...
        # domain=... For efficiency only, all lookup keys are full addresses
        domain = /etc/postfix/our-domains
        query_filter = mailalternateaddress = %s
        terminal_result_attribute = maildrop
        special_result_attribute = uniquemember

but the key idea is to avoid basing routing on attributes that are not
RFC822 address valued.

--
        Viktor.

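As an added illustration (not code from this thread or from Postfix itself), the following Python models how a Postfix ldap: table turns a lookup key into a filter and a result, run against a small constructed in-memory directory. It reproduces the "Search found 2 match(es) ... Search returned nothing" case from the thread (cn present only in the RDN, never as an attribute), shows why an unrestricted %u filter also rewrites addresses in other people's domains, and contrasts that with a domain-restricted, address-keyed table of the kind Viktor describes. DIRECTORY, search, lookup, the example.org entries and the FIXED_VIRTUAL attribute names are assumptions of the example, not Postfix API.

```python
"""Model of Postfix ldap: table lookups (added illustration, not Postfix code)."""
import re

# Constructed directory. The first two entries mirror the thread: "cn" exists only
# in the RDN, never as an attribute value. "anna" is a fully populated alias entry;
# "viktor" carries address-valued attributes (assumed names) as Viktor recommends.
DIRECTORY = {
    "cn=wojtek,ou=EmailAliases,dc=frontline": {
        "objectClass": ["inetOrgPerson"], "sn": ["admin", "wojtekbogusz"]},
    "cn=john,ou=EmailAliases,dc=frontline": {
        "objectClass": ["inetOrgPerson"], "sn": ["admin"]},
    "cn=anna,ou=EmailAliases,dc=frontline": {
        "objectClass": ["inetOrgPerson"], "cn": ["anna"], "sn": ["postmaster"]},
    "uid=viktor,ou=People,dc=example": {
        "objectClass": ["inetOrgPerson"], "cn": ["Victor Duchovni"],
        "mailalternateaddress": ["viktor@example.org", "postmaster@example.org"],
        "maildrop": ["viktor@mail.internal.example"]},
}
# The thread's ldap-aliases.cf: matches on sn, ignores the domain, asks for cn.
ORIGINAL_ALIASES = {"search_base": "ou=EmailAliases,dc=frontline",
                    "query_filter": "(&(objectClass=inetOrgPerson)(sn=%u))",
                    "result_attribute": "cn"}
# Same table, but lookups are only performed for keys in our own domain.
SCOPED_ALIASES = dict(ORIGINAL_ALIASES, domain=["frontlinedefenders.org"])
# Address-keyed table in the style Viktor describes (assumed attribute names).
FIXED_VIRTUAL = {"domain": ["example.org"], "search_base": "ou=People,dc=example",
                 "query_filter": "(mailalternateaddress=%s)",
                 "result_attribute": "maildrop"}

def rfc4515_escape(value):
    """Escape what Postfix escapes when it substitutes a key into the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand_filter(template, key):
    """Expand %s (whole key), %u (local part), %d (domain part) and %%.
    Returns None when %d is used but the key has no domain (lookup suppressed)."""
    local, at, domain = key.partition("@")
    subs = {"%": "%", "s": key, "u": local if at else key, "d": domain if at else None}
    if "%d" in template and subs["d"] is None:
        return None
    return re.sub(r"%([%sud])", lambda m: subs[m.group(1)] if m.group(1) == "%"
                  else rfc4515_escape(subs[m.group(1)]), template)

def _parse(filt, i=0):
    """Parse an RFC 4515 filter (equality, presence, &, |, !) from filt[i]."""
    assert filt[i] == "("
    if filt[i + 1] in "&|!":
        op, subs, i = filt[i + 1], [], i + 2
        while filt[i] == "(":
            node, i = _parse(filt, i)
            subs.append(node)
        return (op, subs), i + 1          # skip the closing ')'
    end = filt.index(")", i)              # escaped values never hold a raw ')'
    attr, _, value = filt[i + 1:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(s, entry) for s in node[1])
    if op == "|":
        return any(_match(s, entry) for s in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    have = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    if node[2] == "*":                    # presence filter such as (sn=*)
        return bool(have)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), node[2])
    return literal.lower() in have

def search(table, key):
    """One lookup as Postfix's LDAP client performs it.
    Returns (entries matched, result values); (0, []) when no query is sent."""
    local, at, domain = key.partition("@")
    allowed = [d.lower() for d in table.get("domain", [])]
    if "domain" in table and (not at or domain.lower() not in allowed):
        return 0, []                      # outside 'domain': no query at all
    filt = expand_filter(table["query_filter"], key)
    if filt is None:
        return 0, []
    tree, _ = _parse(filt)
    base, attr = table["search_base"].lower(), table["result_attribute"].lower()
    matched, values = 0, []
    for dn, entry in DIRECTORY.items():
        if dn.lower().endswith(base) and _match(tree, entry):   # subtree scope
            matched += 1
            values += [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    return matched, values

def lookup(table, key):
    """What 'postmap -q key ldap:table' prints: the joined values, or None."""
    _, values = search(table, key)
    return ",".join(values) if values else None
```

search(ORIGINAL_ALIASES, "admin@frontlinedefenders.org") gives (2, []): two objects match but neither carries a cn attribute value, which is exactly why postmap prints nothing; lookup(ORIGINAL_ALIASES, "postmaster@gmail.com") returns "anna" until a domain restriction is added.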