Tuesday, December 01, 2020

Re: OpenSMTPD and ldap+tls

On 12/1/20 1:31 AM, Martijn van Duren wrote:
> Hello,
>
> There is table_ldap in the opensmtpd-extras package, but I've never used
> it, it's undocumented and I've heard that the author sees it as a proof
> of concept only at this point. So no idea how far this will take you,
> but it's your best shot. :-)
>
> A quick look through the source shows me the following snippet of the
> config parser:
>
>         else if (!strcmp(key, "username"))
>                 read_value(&username, key, value);
>         else if (!strcmp(key, "password"))
>                 read_value(&password, key, value);
>         else if (!strcmp(key, "basedn"))
>                 read_value(&basedn, key, value);
>         else if (!strcmp(key, "alias_filter"))
>                 read_value(&queries[LDAP_ALIAS].filter, key, value);
>         else if (!strcmp(key, "alias_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_ALIAS],
>                     key, value, 1);
>         } else if (!strcmp(key, "credentials_filter"))
>                 read_value(&queries[LDAP_CREDENTIALS].filter, key, value);
>         else if (!strcmp(key, "credentials_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_CREDENTIALS],
>                     key, value, 2);
>         } else if (!strcmp(key, "domain_filter"))
>                 read_value(&queries[LDAP_DOMAIN].filter, key, value);
>         else if (!strcmp(key, "domain_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_DOMAIN],
>                     key, value, 1);
>         } else if (!strcmp(key, "userinfo_filter"))
>                 read_value(&queries[LDAP_USERINFO].filter, key, value);
>         else if (!strcmp(key, "userinfo_attributes")) {
>                 ldap_parse_attributes(&queries[LDAP_USERINFO],
>                     key, value, 3);
>         } else if (!strcmp(key, "mailaddr_filter"))
>                 read_value(&queries[LDAP_MAILADDR].filter, key, value);
>         else if (!strcmp(key, "mailaddr_attributes")) {
>
> Hope this works for you.
>
> martijn@
>
> On Tue, 2020-12-01 at 09:02 +0300, Родин Максим wrote:
>> Hello
>> Is there a way to make opensmtpd work
>> with ldap aliases over a secure connection?
>>
>> I do not know where to find working examples of this
>> My current /etc/mail/ldap.conf look like this:
>> url                     ldap://ldap1.mydomain.ru
>> basedn                  dc=mydomain,dc=ru
>> username                cn=service,dc=mydomain,dc=ru
>> password                passpasspass
>>
>> domain_filter           (&(objectClass=domain)(dc=%s))
>> domain_attributes       dc
>>
>> credentials_filter      (&(objectClass=posixAccount)(uid=%s))
>> credentials_attributes  uid,userPassword
>>
>> userinfo_filter         (&(objectClass=posixAccount)(uid=%s))
>> userinfo_attributes     uid,uidNumber,gidNumber,homeDirectory
>>
>> alias_filter            (&(objectClass=nisMailAlias)(cn=%s))
>> alias_attributes        rfc822MailMember
>>
>> ldapd daemon is set up on another host to work over tls and ssl and
>> working correctly.
>>
>> If I change url to ldaps://ldap1.mydomain.ru
>> or to ldap+tls://ldap1.mydomain.ru
>> then smtpd -dv shows:
>> """
>> vdomains[50952]: warn: ldap_parse_url fail
>> vdomains[50952]: warn: ldap_connect error
>> vdomains[50952]: fatal: failed to connect
>> """
>>
>

Is the table-procexec a viable alternative?
You can create shell wrappers to call ldap functions
and then call the shell wrappers from procexec with
the correct parameters.
This seems very possible, assuming table-procexec is usable.
Last time I checked, procexec didn't have a lot of documentation.

Best,
Aisha
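As an added example of the wrapper approach suggested in the reply above (this is not code from OpenSMTPD, opensmtpd-extras, or anyone in this thread): a small table-procexec backend in Python that answers alias, domain, credentials and userinfo lookups over stdin/stdout. The request and response line format is my reading of smtpd-tables(7) and is an assumption to confirm against the installed version. The directory is constructed sample data standing in for the LDAP searches, which is where the ldaps:// or STARTTLS connection (python-ldap, or a shell wrapper around ldapsearch -ZZ) would go. The example also adds the check a practitioner wants around the %s substitution in those filter templates: the lookup key is escaped per RFC 4515 before it is spliced in, so a local part such as `a)(uid=*` cannot rewrite the query.

```python
#!/usr/bin/env python3
"""Skeleton of an OpenSMTPD table-procexec backend (added example; not code
from OpenSMTPD, opensmtpd-extras or anyone in the thread).

Assumed line protocol, as read from smtpd-tables(7); verify on your version:
  handshake : config|... lines, ending in  config|ready
              -> we answer  register|<service> ...  then  register|ready
  requests  : table|<proto>|<timestamp>|<table>|update|<id>
              table|<proto>|<timestamp>|<table>|lookup|<service>|<id>|<key>
              table|<proto>|<timestamp>|<table>|check|<service>|<id>|<key>
  responses : update-result|<id>|ok
              lookup-result|<id>|found|<value>  |  not-found  |  error
              check-result|<id>|found           |  not-found  |  error
"""
import sys

# Filter templates taken from the ldap.conf posted in the thread.
FILTERS = {
    "domain":      "(&(objectClass=domain)(dc=%s))",
    "credentials": "(&(objectClass=posixAccount)(uid=%s))",
    "userinfo":    "(&(objectClass=posixAccount)(uid=%s))",
    "alias":       "(&(objectClass=nisMailAlias)(cn=%s))",
}

# Constructed stand-in for the LDAP tree (not real accounts or hashes).
# The fully built filter string is the key, so a lookup is "does a properly
# escaped filter match an entry" - the same question the directory answers.
DIRECTORY = {
    FILTERS["domain"] % "mydomain.ru": {"dc": "mydomain.ru"},
    FILTERS["alias"] % "postmaster": {"rfc822MailMember": ["alice"]},
    FILTERS["alias"] % "abuse": {"rfc822MailMember": ["alice", "security@mydomain.ru"]},
    FILTERS["userinfo"] % "alice": {
        "uid": "alice", "uidNumber": 1001, "gidNumber": 1001,
        "homeDirectory": "/home/alice",
        "userPassword": "$2b$10$constructedhashnotarealone"},
}


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value: \\ * ( ) and NUL
    become \\XX hex escapes so the key cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(service, key):
    """Splice the escaped key into the template for <service>."""
    return FILTERS[service].replace("%s", ldap_escape(key))


def directory_search(filt):
    """Stand-in for the LDAP search; a real wrapper would query the server
    over ldaps:// or STARTTLS here. Returns the entry's attributes or None."""
    return DIRECTORY.get(filt)


def lookup(service, key):
    """Return the value string smtpd expects for <service>, or None.
    Raises KeyError for a service this backend does not implement."""
    if service not in FILTERS:
        raise KeyError(service)
    entry = directory_search(build_filter(service, key))
    if entry is None:
        return None
    if service == "domain":
        return entry["dc"]
    if service == "alias":
        return ",".join(entry["rfc822MailMember"])
    if service == "credentials":
        return "%s:%s" % (entry["uid"], entry["userPassword"])
    # userinfo: uid:gid:home, the format smtpd's userinfo tables carry
    return "%d:%d:%s" % (entry["uidNumber"], entry["gidNumber"], entry["homeDirectory"])


def handle_line(line):
    """Turn one request line from smtpd into the list of response lines."""
    f = line.rstrip("\n").split("|")
    if f[0] == "config":
        if f[1:] == ["ready"]:
            return ["register|%s" % s for s in FILTERS] + ["register|ready"]
        return []
    if f[0] != "table" or len(f) < 6:
        return []                      # ignore what we do not understand
    op = f[4]
    if op == "update":
        return ["update-result|%s|ok" % f[5]]
    if op not in ("lookup", "check") or len(f) < 8:
        return []
    service, reqid, key = f[5], f[6], "|".join(f[7:])
    try:
        value = lookup(service, key)
    except KeyError:
        return ["%s-result|%s|error" % (op, reqid)]
    if value is None:
        return ["%s-result|%s|not-found" % (op, reqid)]
    if op == "check":
        return ["check-result|%s|found" % reqid]
    return ["lookup-result|%s|found|%s" % (reqid, value)]


def main():
    for line in sys.stdin:
        for resp in handle_line(line):
            sys.stdout.write(resp + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it from smtpd as a procexec table, or feed it request lines on stdin by hand to see the answers. The only place that needs to change for a real deployment is directory_search(): replace the dictionary with an LDAP query, keep the escaping, and make the TLS settings (CA, hostname verification) part of that connection rather than of smtpd's config.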
