LDAP Lookup Tables

  • Richard Greaney
    Message 1 of 8, Nov 29, 2006
      Hi all

      I have a desired goal in mind but I'm not sure whether using an ldap
      lookup table will do what I want. I thought I'd bring it up here and see
      what others thought.

      I am running a Postfix server as part of a Windows network. Users are
      stored in Active Directory and replicated onto the Linux server using
      Winbind. However, I don't always want to give every AD user a mail
      account. On the Windows server, there is a group called "Email-Access".
      Each person who belongs to this group is able to send e-mail. How I have
      been governing this up until now is by a script that runs every so
      often, querying all members of this group and writing their addresses to
      a lookup table (hash:/etc/postfix/email-access). At the bottom of this
      list of users is an explicit REJECT for the entire domain.

      What I would like to do is to start having more groups on the AD server
      defining certain policies. For instance, one group enables e-mail access
      while another might enable remote email and another might enable the
      right to attach certain filetypes to messages. In theory, all of this
      could be done using my current method, but there are more areas to fail.

      Ultimately, I'd like to look up each group from the AD server in
      real-time. From what I've read so far, it appears that using LDAP lookup
      tables is more suited to "I have a whole list of users in this OU,
      reproduce them here please" rather than "show me only users who belong
      to this group". I can almost guarantee that if it were possible to do
      group-based lookups, they wouldn't handle nested groups (a user belongs
      to a group, and that group belongs to 'Email-Access') but I'm happy to
      be proven wrong on this.


      Is this pushing the limits of what LDAP Lookup Tables were designed to
      do in Postfix?

      Any advice is welcomed.

      Regards
      Richard

      --
    • Tony Earnshaw
      Message 2 of 8, Nov 29, 2006
        Richard Greaney wrote:
        [...]

        > Ultimately, I'd like to look up each group from the AD server in
        > real-time. From what I've read so far, it appears that using LDAP lookup
        > tables is more suited to "I have a whole list of users in this OU,
        > reproduce them here please" rather than "show me only users who belong
        > to this group". I can almost guarantee that if it were possible to do
        > group-based lookups, they wouldn't handle nested groups (a user belongs
        > to a group, and that group belongs to 'Email-Access') but I'm happy to
        > be proven wrong on this.

        I don't know AD at all but began with Novell Directory Services
        (eDirectory now) and moved on to OpenLDAP. With both of them you can
        have nested groups (groups within groups) and even membership across
        hierarchies. For me OpenLDAP is the easiest to configure after having
        got the gist of the whole idea with NDS (graphic), although I still have
        a favorite GUI for OL (GQ, which makes drag 'n drop possible). With
        OpenLDAP one can have POSIX groups with CNs rather than OUs (latter of
        which are merely amorphous containers for stuffing CNs - groups and
        accounts - into). With POSIX groups (containers) containing POSIX
        accounts (leaves) one can have endless hierarchies. We're a high school,
        we have a CN group pupils, for example, but that group can have classes
        and those classes can have interest groups. All of these can be related
        to teacher groups, etc.

        > Is this pushing the limits of what LDAP Lookup Tables were designed to
        > do in Postfix?

        Not at all. The Postfix LDAP tools are only designed for table lookups
        (whereas the OL tools give one endless possibilities for manipulation of
        the DIT and DSA as well, with scripting), but I'm sure you could do what
        you want of lookups in Postfix. Use recent Postfix versions ...

        > Any advice is welcomed.

        AD gives you Kerberos authentication, you can also use Kerberos auth for
        OL with GSSAPI (but not for Postfix), my advice would be to play around
        with the latest OL alongside AD (it'll cost you a lot of time and
        headaches, but it's worth it). OL doesn't put you into a strait jacket.

        --Tonni

        --
        Tonni Earnshaw
        tonni @ barlaeus.nl
      • Victor Duchovni
        Message 3 of 8, Nov 29, 2006
          On Thu, Nov 30, 2006 at 01:45:04PM +1300, Richard Greaney wrote:

          > On the Windows server, there is a group called "Email-Access".
          > Each person who belongs to this group is able to send e-mail. How I have
          > been governing this up until now is by a script that runs every so
          > often, querying all members of this group and writing their addresses to
          > a lookup table (hash:/etc/postfix/email-access). At the bottom of this
          > list of users is an explicit REJECT for the entire domain.

          If this group is a set of member DNs, rather than a set of email
          addresses, it is difficult to construct a query (using LDAP) that
          matches as keys (rather than returns as values) the members of
          the group.

          > What I would like to do is to start having more groups on the AD server
          > defining certain policies. For instance, one group enables e-mail access
          > while another might enable remote email and another might enable the
          > right to attach certain filetypes to messages. In theory, all of this
          > could be done using my current method, but there are more areas to fail.

          Once again inverse queries are difficult in LDAP.

          > Ultimately, I'd like to look up each group from the AD server in
          > real-time. From what I've read so far, it appears that using LDAP lookup
          > tables is more suited to "I have a whole list of users in this OU,
          > reproduce them here please" rather than "show me only users who belong
          > to this group".

          Yep, that's right.

          > I can almost guarantee that if it were possible to do
          > group-based lookups, they wouldn't handle nested groups (a user belongs
          > to a group, and that group belongs to 'Email-Access') but I'm happy to
          > be proven wrong on this.

          Well, nested groups work, but only in the forward direction, group name
          to member addresses, not member address to isMember().

          > Is this pushing the limits of what LDAP Lookup Tables were designed to
          > do in Postfix?

          Not even Postfix. LDAP is just not SQL.

          --
          Viktor.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.

          To unsubscribe from the postfix-users list, visit
          http://www.postfix.org/lists.html or click the link below:
          <mailto:majordomo@...?body=unsubscribe%20postfix-users>

          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
        • Richard Greaney
          Message 4 of 8, Nov 30, 2006
            Victor Duchovni wrote:
            > On Thu, Nov 30, 2006 at 01:45:04PM +1300, Richard Greaney wrote:
            >

            >> Is this pushing the limits of what LDAP Lookup Tables were designed to
            >> do in Postfix?
            >
            > Not even Postfix. LDAP is just not SQL.
            >

            The reason I ask is that I've found a large number of LDAP
            authenticators don't handle recursion very well if at all.
            squid_ldap_group is a classic example. It returns a boolean result
            depending on whether the user in question belongs to the group in
            question, but no nested groups. However, since Squid is designed so that
            admins can write their own authenticators, I've been able to replace
            squid_ldap_group with my own authenticator that handles nested groups
            through recursion. Problem solved.

            The reason I worded my question at Postfix is that while LDAP is limited
            in how it handles ismember() or memberof() recursively, there are ways
            around it, provided the software talking to it lets you do it. I was
            hoping there might be a way to add external lookup table types to Postfix.

            Richard

            --

            Richard Greaney
            Senior Technician
            NET Solutions
            Massey University College of Education
            Palmerston North

            e-mail: richard@...
            Phone: 06 351 3323
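Richard's point above, that recursion over nested groups can be done by the software talking to LDAP even when the server offers no ismember() query, together with Viktor's note that nested groups work in the forward direction (group to member addresses), as an added Python example that is not code from the thread or from Postfix. It expands a group down to member addresses, follows nested groups with cycle protection, and fails closed when a referenced DN cannot be resolved. The directory is a constructed in-memory stand-in for AD so the example runs offline; the DNs, attribute names and addresses are sample values, and `SAMPLE_DIRECTORY`, `expand_group`, `is_member` and `DirectoryError` are names chosen for this example. In production the two dictionary lookups would be LDAP searches for the group's `member` attribute and the user's `mail` attribute.

```python
"""Expand a nested directory group to its member e-mail addresses (added example).

Postfix's LDAP driver only expands group -> members, and many LDAP consumers do
not follow nested groups at all. A separate script can do the recursion itself.
"""


# Constructed sample directory: DN -> entry. Group entries carry 'member' (DNs
# of users or of other groups); user entries carry 'mail'. Stand-in for AD.
SAMPLE_DIRECTORY = {
    "CN=Email-Access,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=alice,OU=Users,DC=example,DC=com",
            "CN=Staff,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=Staff,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=bob,OU=Users,DC=example,DC=com",
            "CN=Teachers,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=Teachers,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=carol,OU=Users,DC=example,DC=com",
            # Membership cycle back to the top-level group: must not loop forever.
            "CN=Email-Access,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user", "mail": "alice@example.com"},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "user", "mail": "bob@example.com"},
    # carol has no mail attribute, so she never appears in the access map.
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": "user"},
}


class DirectoryError(Exception):
    """A referenced DN could not be resolved; callers should fail closed."""


def expand_group(directory, group_dn, _seen=None):
    """Return the set of mail addresses of all transitive members of group_dn.

    Nested groups are followed depth-first. `_seen` records group DNs already
    visited so membership cycles terminate. A member DN missing from the
    directory raises DirectoryError instead of being skipped, so an incomplete
    directory view never silently produces a half-empty access list.
    """
    seen = set() if _seen is None else _seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    try:
        entry = directory[group_dn]
    except KeyError:
        raise DirectoryError("unknown group DN: %s" % group_dn)
    addresses = set()
    for member_dn in entry.get("member", []):
        try:
            member = directory[member_dn]
        except KeyError:
            raise DirectoryError("unknown member DN: %s" % member_dn)
        if member.get("objectClass") == "group":
            addresses |= expand_group(directory, member_dn, seen)
        elif "mail" in member:
            addresses.add(member["mail"].lower())
    return addresses


def is_member(directory, group_dn, address):
    """Inverse query done client-side: expand the group, then test the address."""
    return address.lower() in expand_group(directory, group_dn)


if __name__ == "__main__":
    top = "CN=Email-Access,OU=Groups,DC=example,DC=com"
    for addr in sorted(expand_group(SAMPLE_DIRECTORY, top)):
        print(addr)
```

The `_seen` set is what makes the recursion safe against group cycles, which real directories do contain; raising on an unresolvable DN rather than skipping it is deliberate, because the output is an allow list and a partial expansion would quietly lock users out.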
          • Victor Duchovni
            Message 5 of 8, Nov 30, 2006
              On Fri, Dec 01, 2006 at 09:12:10AM +1300, Richard Greaney wrote:

              > Victor Duchovni wrote:
              > >On Thu, Nov 30, 2006 at 01:45:04PM +1300, Richard Greaney wrote:
              > >
              >
              > >>Is this pushing the limits of what LDAP Lookup Tables were designed to
              > >>do in Postfix?
              > >
              > >Not even Postfix. LDAP is just not SQL.
              > >
              >
              > The reason I ask is that I've found a large number of LDAP
              > authenticators don't handle recursion very well if at all.
              > squid_ldap_group is a classic example. It returns a boolean result
              > depending on whether the user in question belongs to the group in
              > question, but no nested groups. However, since Squid is designed so that
              > admins can write their own authenticators, I've been able to replace
              > squid_ldap_group with my own authenticator that handles nested groups
              > through recursion. Problem solved.
              >
              > The reason I worded my question at Postfix is that while LDAP is limited
              > in how it handles ismember() or memberof() recursively, there are ways
              > around it, provided the software talking to it lets you do it. I was
              > hoping there might be a way to add external lookup table types to Postfix.

              The Postfix LDAP driver is designed for address -> address or group ->
              members expansion. There is no support for ismember() queries.

              --
              Viktor.

            • Bill Anderson
              Message 6 of 8, Dec 1, 2006
                On Wednesday 29 November 2006 17:45, Richard Greaney wrote:
                > Hi all
                >
                > I have a desired goal in mind but I'm not sure whether using an ldap
                > lookup table will do what I want. I thought I'd bring it up here and see
                > what others thought.
                >
                > I am running a Postfix server as part of a Windows network. Users are
                > stored in Active Directory and replicated onto the Linux server using
                > Winbind. However, I don't always want to give every AD user a mail
                > account. On the Windows server, there is a group called "Email-Access".
                > Each person who belongs to this group is able to send e-mail. How I have
                > been governing this up until now is by a script that runs every so
                > often, querying all members of this group and writing their addresses to
                > a lookup table (hash:/etc/postfix/email-access). At the bottom of this
                > list of users is an explicit REJECT for the entire domain.
                >
                > What I would like to do is to start having more groups on the AD server
                > defining certain policies. For instance, one group enables e-mail access
                > while another might enable remote email and another might enable the
                > right to attach certain filetypes to messages. In theory, all of this
                > could be done using my current method, but there are more areas to fail.
                >
                > Ultimately, I'd like to look up each group from the AD server in
                > real-time.
                How large is your AD infrastructure? Real time querying may not be as
                important as you think if you have replication delays. In the environment I
                work in the AD replication takes a minimum of 15 minutes, usually about 30.

                In this case, I use a separate (shell) script that periodically generates a
                mapfile from the memberof queries I need to run against our AD, and if
                differences from last run are detected pushes the updated file to each relay
                and postmaps it. Works like a charm. It also allows much more flexibility as
                you can do combination queries.

                Cheers,
                Bill
              • Richard Greaney
                Message 7 of 8, Dec 3, 2006
                  Bill Anderson wrote:
                  > On Wednesday 29 November 2006 17:45, Richard Greaney wrote:
                  >> Hi all
                  >>
                  >> I have a desired goal in mind but I'm not sure whether using an ldap
                  >> lookup table will do what I want. I thought I'd bring it up here and see
                  >> what others thought.
                  >>
                  >> I am running a Postfix server as part of a Windows network. Users are
                  >> stored in Active Directory and replicated onto the Linux server using
                  >> Winbind. However, I don't always want to give every AD user a mail
                  >> account. On the Windows server, there is a group called "Email-Access".
                  >> Each person who belongs to this group is able to send e-mail. How I have
                  >> been governing this up until now is by a script that runs every so
                  >> often, querying all members of this group and writing their addresses to
                  >> a lookup table (hash:/etc/postfix/email-access). At the bottom of this
                  >> list of users is an explicit REJECT for the entire domain.
                  >>
                  >> What I would like to do is to start having more groups on the AD server
                  >> defining certain policies. For instance, one group enables e-mail access
                  >> while another might enable remote email and another might enable the
                  >> right to attach certain filetypes to messages. In theory, all of this
                  >> could be done using my current method, but there are more areas to fail.
                  >>
                  >> Ultimately, I'd like to look up each group from the AD server in
                  >> real-time.
                  > How large is your AD infrastructure? Real time querying may not be as
                  > important as you think if you have replication delays. In the environment I
                  > work in the AD replication takes a minimum of 15 minutes, usually about 30.
                  >
                  > In this case, I use a separate (shell) script that periodically generates a
                  > mapfile from the memberof queries I need to run against our AD, and if
                  > differences from last run are detected pushes the updated file to each relay
                  > and postmaps it. Works like a charm. it also allows much more flexibility as
                  > you can do combination queries.
                  >
                  > Cheers,
                  > Bill

                  Thanks for that. It's nice to know someone else is doing it that way. I
                  think I'll end up doing it this way also, since Postfix isn't designed
                  to do ismember() stuff.

                  It's not so much the realtime aspect that I was seeking, as more the
                  fact that there is one less script to run and therefore one less link in
                  the chain to fail. Still, I've been generating my access lists using a
                  separate script up until this point and it's been working fine.

                  Cheers
                  Richard

                  --

                  Richard Greaney
                  Senior Technician
                  NET Solutions
                  Massey University College of Education
                  Palmerston North

                  e-mail: richard@...
                  Phone: 06 351 3323
                • Victor Duchovni
                  Message 8 of 8, Dec 3, 2006
                    On Mon, Dec 04, 2006 at 10:32:49AM +1300, Richard Greaney wrote:

                    > Thanks for that. It's nice to know someone else is doing it that way. I
                    > think I'll end up doing it this way also, since Postfix isn't designed
                    > to do ismember() stuff.
                    >
                    > It's not so much the realtime aspect that I was seeking, as more the
                    > fact that there is one less script to run and therefore one less link in
                    > the chain to fail. Still, I've been generating my access lists using a
                    > separate script up until this point and it's been working fine.

                    The key thing with such scripts is to not use the output if any part of
                    the script fails, so write code with meticulous error checking and atomic
                    (create/lock then write temp file, then rename, don't overwrite config
                    files directly) I/O.

                    --
                    Viktor.

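Bill's periodic-script approach (generate the map from the group query, push it only when it differs from the last run, then postmap it) combined with Viktor's advice here on meticulous error checking and atomic I/O, as an added Python example that is not code from the thread or from Postfix. The table is rendered in full before anything touches the filesystem, written to a temporary file in the same directory, and renamed over the live file only if every step succeeded and the content actually changed; a failed or empty directory query leaves the existing file untouched. `render_access_map`, `write_map_atomically` and `regenerate` are names chosen for this example, the address list comes from a caller-supplied query function (the nested-group expansion or an ldapsearch wrapper would go there), the file follows the `OK`/`REJECT` access-table format the original post describes, and `postmap_command` is a hypothetical hook (for instance `["postmap", "hash:/etc/postfix/email-access"]`) that defaults to None so the example runs without Postfix installed.

```python
"""Regenerate a Postfix access map atomically, and only from a complete result (added example)."""
import os
import subprocess
import tempfile


def render_access_map(addresses, domain):
    """Render allowed addresses followed by a catch-all REJECT for the domain.

    Sorted, lower-cased output makes the file deterministic, so a byte
    comparison with the previous run is a reliable change detector.
    """
    if not domain:
        raise ValueError("domain is required for the trailing REJECT")
    lines = ["%s OK" % addr for addr in sorted(set(a.lower() for a in addresses))]
    lines.append("%s REJECT" % domain.lower())
    return "\n".join(lines) + "\n"


def write_map_atomically(path, content, postmap_command=None):
    """Replace `path` with `content` via temp file + rename; return True if changed.

    The temp file lives in the same directory as `path` so os.replace() is an
    atomic rename on one filesystem: readers see either the old complete file
    or the new complete file, never a partially written one. On any error the
    temp file is removed and `path` is left exactly as it was.
    """
    directory = os.path.dirname(os.path.abspath(path)) or "."
    try:
        with open(path, "r") as fh:
            if fh.read() == content:
                return False  # unchanged: nothing to push, nothing to postmap
    except FileNotFoundError:
        pass
    fd, tmp_path = tempfile.mkstemp(prefix=".email-access.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())  # data on disk before the rename publishes it
        os.chmod(tmp_path, 0o644)  # mkstemp creates 0600; Postfix must be able to read it
        os.replace(tmp_path, path)
    except BaseException:
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise
    if postmap_command:
        # Hypothetical hook: only reached after a successful rename.
        subprocess.run(postmap_command, check=True)
    return True


def regenerate(path, fetch_addresses, domain, postmap_command=None):
    """Top-level driver: fetch, sanity-check, render, write.

    `fetch_addresses` is a callable standing in for the directory query. If it
    raises, or returns nothing, no file is touched: a broken query must never
    publish an allow list that locks everyone out.
    """
    addresses = list(fetch_addresses())
    if not addresses:
        raise RuntimeError("directory query returned no members; refusing to publish an empty allow list")
    content = render_access_map(addresses, domain)
    return write_map_atomically(path, content, postmap_command)


if __name__ == "__main__":
    # Constructed sample run against a scratch file; real use would point at
    # the Postfix table path and pass the postmap command.
    scratch = os.path.join(tempfile.mkdtemp(), "email-access")
    print("changed:", regenerate(scratch, lambda: ["alice@example.com"], "example.com"))
    print(open(scratch).read(), end="")
```

The empty-result guard is the caveat worth keeping: an LDAP bind or search that half-fails can legitimately return zero entries, and without the check the script would write a file consisting only of the domain REJECT line. If the map is copied to several relays as Bill describes, copy the file to a temporary name on each relay and rename there too, for the same reason.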