Re: postmap ldap lookups and case folding
> On Apr 26, 2012, at 18.47, Wietse Venema wrote:
> >>postmap appears to fold to lowercase by default for ldap queries:
> >That is documented under the -f option.
> am i misunderstanding the last paragraph under "input file format"?
> the postmap documentation seems to state that case folding happens
> by default only with certain tables.
Most table lookup mechanisms say that NIS, LDAP or SQL etc. use the
same lookups as with db or dbm files.
For example, quote from access(5):
Normally, the access(5) table is specified as a text file that serves
as input to the postmap(1) command. The result, an indexed file in dbm
or db format, is used for fast searching by the mail system. [...]
When the table is provided via other means such as NIS, LDAP or SQL,
the same lookups are done as for ordinary indexed files.
On Apr 26, 2012, at 19.59, Wietse Venema wrote:
> When the table is provided via other means such as NIS, LDAP or SQL,
> the same lookups are done as for ordinary indexed files.
ok, thanks for the clarification. the impetus for this question - i was setting up check_ccert_access to use an ldap lookup, and was using an ldap attribute whose matching rules happened to be case sensitive. i'd copied/pasted the fingerprint from the log messages [uppercase] for the ldap attribute value. this introduced a bit of an incongruence in my testing with postmap, since i didn't then know that case was being folded. it also appears that case folding occurs during actual operation [e.g. not just with postmap]?:
postfix log file:
Apr 26 20:32:49 exo postfix/smtpd: unknown[220.127.116.11]: Trusted: subject_CN=msa.example.net, issuer=example corp, fingerprint=86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5
Apr 26 20:32:49 exo postfix/smtpd: dict_ldap_lookup: /etc/postfix/tables/ccert_access.cf: Searching with filter (&?????(objectclass=mailserver)?????(certfingerprint=86:a5:5c:85:a3:98:2e:19:7a:54:57:99:76:9d:d5:a3:7e:46:85:c5)?????(memberof=cn=mail_relayers-hosts,ou=exo,ou=servers,ou=groups,dc=example,dc=net)????)
slapd log file:
Apr 26 20:19:32 exo slapd: conn=1107 op=2 SRCH base="ou=hosts,ou=mail,dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=mailServer)(certFingerprint=86:a5:5c:85:a3:98:2e:19:7a:54:57:99:76:9d:d5:a3:7e:46:85:c5)(memberOf=cn=mail_relayers-hosts,ou=exo,ou=servers,ou=groups,dc=example,dc=net))"
in this particular case, i've accommodated for this on the ldap side, by modifying the attribute's matching rules to be case insensitive [and it makes more sense anyway for an attribute like this] - i'm wondering though if there might be value in not case folding ldap lookups.
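
The mismatch described in the last message, as an added example that is not part of the thread and is not Postfix or OpenLDAP code: smtpd logs the fingerprint in uppercase, the lookup key reaches the LDAP filter in lowercase, and a value pasted from the log fails a case-sensitive equality match. The function names, the constructed log line and the simplified model of the `caseExactMatch` / `caseIgnoreMatch` rules are assumptions made for illustration.

```python
import re

# Constructed log line modelled on the smtpd excerpt in the thread
# (documentation IP address; fingerprint as quoted in the post).
SMTPD_LINE = (
    "Apr 26 20:32:49 exo postfix/smtpd: unknown[192.0.2.10]: Trusted: "
    "subject_CN=msa.example.net, issuer=example corp, fingerprint="
    "86:A5:5C:85:A3:98:2E:19:7A:54:57:99:76:9D:D5:A3:7E:46:85:C5"
)

FP_RE = re.compile(r"fingerprint=((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\b")


def logged_fingerprint(line):
    """Return the fingerprint exactly as smtpd logged it, or None."""
    m = FP_RE.search(line)
    return m.group(1) if m else None


def lookup_key(fingerprint):
    """Key as it appears in the LDAP filter once the lookup key is folded."""
    return fingerprint.lower()


def ldap_equal(stored, asserted, rule):
    """Simplified equality match (assumption: case handling only)."""
    if rule == "caseExactMatch":
        return stored == asserted
    if rule == "caseIgnoreMatch":
        return stored.casefold() == asserted.casefold()
    raise ValueError("unsupported matching rule: " + rule)


def audit(stored_values, line, rule):
    """Stored values for this certificate that the folded key would miss."""
    fp = logged_fingerprint(line)
    if fp is None:
        raise ValueError("no fingerprint in log line")
    key = lookup_key(fp)
    return [v for v in stored_values
            if v.lower() == key and not ldap_equal(v, key, rule)]


if __name__ == "__main__":
    pasted = logged_fingerprint(SMTPD_LINE)  # uppercase, as copied from the log
    for rule in ("caseExactMatch", "caseIgnoreMatch"):
        print(rule, "misses:", audit([pasted, pasted.lower()], SMTPD_LINE, rule))
```

Storing the value returned by `lookup_key()` in the directory matches under either rule, which is the alternative to changing the attribute's matching rule.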