
Re: postmap ldap lookups and case folding

  • Wietse Venema
    Message 1 of 5 , Apr 26, 2012
      btb@...:
      > On Apr 26, 2012, at 18.47, Wietse Venema wrote:
      >
      > >>postmap appears to fold to lowercase by default for ldap queries:
      > >
      > >That is documented under the -f option.
      >
      > am i misunderstanding the last paragraph under "input file format"?
      > the postmap documentation seems to state that case folding happens
      > by default only with certain tables.

      Most table lookup mechanisms say that NIS, LDAP or SQL etc. use the
      same lookups as with db or dbm files.

      For example, quote from access(5):

      Normally, the access(5) table is specified as a text file that serves
      as input to the postmap(1) command. The result, an indexed file in dbm
      or db format, is used for fast searching by the mail system. [...]

      When the table is provided via other means such as NIS, LDAP or SQL,
      the same lookups are done as for ordinary indexed files.

      Wietse
    • btb@bitrate.net
      Message 2 of 5 , Apr 26, 2012
        On Apr 26, 2012, at 19.59, Wietse Venema wrote:

        > When the table is provided via other means such as NIS, LDAP or SQL,
        > the same lookups are done as for ordinary indexed files.

        ok, thanks for the clarification. the impetus for this question - i was setting up check_ccert_access to use an ldap lookup, and was using an ldap attribute whose matching rules happened to be case sensitive. i'd copied/pasted the fingerprint from the log messages [uppercase] for the ldap attribute value. this introduced a bit of an incongruence in my testing with postmap, since i didn't then know that case was being folded. it also appears that case folding occurs during actual operation [e.g. not just with postmap]?:

        postfix log file:

        Apr 26 20:32:49 exo postfix/smtpd[10641]: unknown[50.33.151.70]: Trusted: subject_CN=msa.example.net, issuer=example corp, fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5
        [...]
        Apr 26 20:32:49 exo postfix/smtpd[10641]: dict_ldap_lookup: /etc/postfix/tables/ccert_access.cf: Searching with filter (&?????(objectclass=mailserver)?????(certfingerprint=86:a5:5c:85:a3:98:2e:19:7a:54:57:99:76:9d:d5:a3:7e:46:85:c5)?????(memberof=cn=mail_relayers-hosts,ou=exo,ou=servers,ou=groups,dc=example,dc=net)????)

        slapd log file:

        Apr 26 20:19:32 exo slapd[8664]: conn=1107 op=2 SRCH base="ou=hosts,ou=mail,dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=mailServer)(certFingerprint=86:a5:5c:85:a3:98:2e:19:7a:54:57:99:76:9d:d5:a3:7e:46:85:c5)(memberOf=cn=mail_relayers-hosts,ou=exo,ou=servers,ou=groups,dc=example,dc=net))"

        in this particular case, i've accommodated for this on the ldap side, by modifying the attribute's matching rules to be case insensitive [and it makes more sense anyway for an attribute like this] - i'm wondering though if there might be value in not case folding ldap lookups.

        -ben
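
The mismatch described in the message above, as an added example that is not part of the thread: it pulls the fingerprint from the quoted smtpd log line, folds it the way the `dict_ldap_lookup` filter shows, and checks whether a stored value would match. The function names are hypothetical, and the two rule names are the standard LDAP string matching rules, assumed here because the thread does not say which rules the `certFingerprint` attribute used.

```python
import re

# Fingerprint field as it appears in smtpd "Trusted:" log lines.
FP_RE = re.compile(r"fingerprint=((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\b")

# smtpd log line as quoted in the thread above.
SAMPLE_LOG = (
    "Apr 26 20:32:49 exo postfix/smtpd[10641]: unknown[50.33.151.70]: Trusted: "
    "subject_CN=msa.example.net, issuer=example corp, "
    "fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5\n"
)

def extract_fingerprints(log_text):
    """Return client certificate fingerprints exactly as smtpd logged them."""
    return FP_RE.findall(log_text)

def folded_key(fingerprint):
    """Lookup key as seen in the dict_ldap_lookup filter: folded to lowercase."""
    return fingerprint.lower()

def ldap_matches(stored, key, rule):
    """Simplified model of equality matching (assumption: no other normalization)."""
    if rule == "caseExactMatch":
        return stored == key
    if rule == "caseIgnoreMatch":
        return stored.lower() == key.lower()
    raise ValueError("unsupported matching rule: " + rule)

def audit(stored_values, log_text, rule):
    """Map each logged fingerprint to True if some stored value would match."""
    result = {}
    for fp in extract_fingerprints(log_text):
        key = folded_key(fp)
        result[fp] = any(ldap_matches(s, key, rule) for s in stored_values)
    return result

if __name__ == "__main__":
    pasted = extract_fingerprints(SAMPLE_LOG)        # uppercase, copied from the log
    normalized = [folded_key(fp) for fp in pasted]   # lowercase, matches the folded key
    for rule in ("caseExactMatch", "caseIgnoreMatch"):
        print(rule, "pasted value matches:", audit(pasted, SAMPLE_LOG, rule))
        print(rule, "normalized value matches:", audit(normalized, SAMPLE_LOG, rule))
```

Storing the lowercase form keeps the entry matching under either rule, which is the same outcome the poster reached by switching the attribute to case-insensitive matching.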