| blob | 2c027b8bc9f923a2f13c1f822e51850228140a4a |
3 <html> <head>
6 </head> <body> <pre>
10 ldap_table - Postfix LDAP client configuration
13 <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/filename</b>
15 <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
18 The Postfix mail system uses optional tables for address
22 Alternatively, lookup tables can be specified as LDAP
23 databases.
25 In order to use LDAP lookups, define an LDAP source as a
28 <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
30 The file /etc/postfix/ldap-aliases.cf has the same format
32 ters described below. An example is given at the end of
33 this manual.
35 This configuration method is available with Postfix ver-
37 BILITY" below for older Postfix versions.
39 For details about LDAP SSL and STARTTLS, see the section
40 on SSL and STARTTLS below.
43 For backwards compatibility with Postfix version 2.0 and
45 Specify as LDAP source a name that doesn't begin with a
46 slash or a dot. The LDAP parameters will then be accessi-
47 ble as the name you've given the source in its definition,
48 an underscore, and the name of the parameter. For exam-
51 as "<i>ldapsource</i>_server_host".
53 Note: with this form, the passwords for the LDAP sources
55 Support for this form will be removed in a future Postfix
56 version.
58 For backwards compatibility with the pre 2.2 LDAP clients,
61 name better reflects the function of the parameter. This
62 compatibility interface may be removed in a future
63 release.
67 $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>,
68 etc., it is important to understand that the table must
69 store each list member as a separate key. The table lookup
70 verifies the *existence* of the key. See "Postfix lists
72 cussion.
74 Do NOT create tables that return the full list of domains
75 in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses
78 DO create tables with each matching item as a key and with
79 an arbitrary value. With LDAP databases it is not uncommon
80 to return the key itself.
82 For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestina</a>-
85 query_filter = domain=*
86 result_attribute = domain
88 Do this instead:
90 query_filter = domain=%s
91 result_attribute = domain
94 In the text below, default values are given in parenthe-
95 ses. Note: don't use quotes in these variables; at least,
96 not until the Postfix configuration routines understand
97 how to deal with quoted strings.
100 The name of the host running the LDAP server, e.g.
102 server_host = ldap.example.com
104 Depending on the LDAP client library you're using,
105 it should be possible to specify multiple servers
106 here, with the library trying them in order should
107 the first one fail. It should also be possible to
108 give each server in the list a different port
111 server_host = ldap.example.com:1444
113 With OpenLDAP, a (list of) LDAP URLs can be used to
114 specify both the hostname(s) and the port(s):
119 All LDAP URLs accepted by the OpenLDAP library are
120 supported, including connections over UNIX domain
121 sockets, and LDAP SSL (the last one provided that
122 OpenLDAP was compiled with support for SSL):
125 ldaps://ldap.example.com:636
128 The port the LDAP server listens on, e.g.
130 server_port = 778
133 The number of seconds a search can take before tim-
134 ing out, e.g.
136 timeout = 5
139 The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search,
140 e.g.
142 search_base = dc=your, dc=com
144 With Postfix 2.2 and later this parameter supports
145 the following '%' expansions:
149 <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>
150 quoting is used to make sure that the input
151 key does not add unexpected metacharacters.
157 search string. If the localpart is empty,
158 the search is suppressed and returns no
159 results.
164 Otherwise, the search is suppressed and
165 returns no results.
168 case equivalents of the above expansions
169 behave identically to their lower-case
172 the COMPATIBILITY section and below), they
173 expand to the corresponding components of
174 input key rather than the result value.
177 the corresponding most significant component
178 of the input key's domain. If the input key
181 is unqualified or does not have enough
182 domain components to satisfy all the speci-
183 fied patterns, the search is suppressed and
184 returns no results.
187 The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory,
189 trying to resolve, e.g.
191 query_filter = (&(mail=%s)(paid_up=true))
193 This parameter supports the following '%' expan-
194 sions:
197 (Postfix 2.2 and later).
199 <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>
200 quoting is used to make sure that the input
201 key does not add unexpected metacharacters.
207 search string. If the localpart is empty,
208 the search is suppressed and returns no
209 results.
214 Otherwise, the search is suppressed and
215 returns no results.
219 eter identically to their lower-case
222 the COMPATIBILITY section and below), they
223 expand to the corresponding components of
224 input key rather than the result value.
226 The above %S, %U and %D expansions are
227 available with Postfix 2.2 and later.
230 the corresponding most significant component
231 of the input key's domain. If the input key
234 is unqualified or does not have enough
235 domain components to satisfy all the speci-
236 fied patterns, the search is suppressed and
237 returns no results.
240 able with Postfix 2.2 and later.
242 The "domain" parameter described below limits the
243 input keys to addresses in matching domains. When
244 the "domain" parameter is non-empty, LDAP queries
245 for unqualified addresses or addresses in non-
246 matching domains are suppressed and return no
247 results.
250 parameter.
254 2.2. Format template applied to result attributes.
255 Most commonly used to append (or prepend) text to
256 the result. This parameter supports the following
257 '%' expansions:
260 (Postfix 2.2 and later).
263 attribute. When result is empty it is
264 skipped.
268 replaced by the local part of the address.
269 When the result has an empty localpart it is
270 skipped.
274 the domain part of the attribute value. When
275 the result is unqualified it is skipped.
278 The upper-case and decimal digit expansions
279 interpolate the parts of the input key
280 rather than the result. Their behavior is
283 known in advance, lookups whose key does not
284 contain all the information specified in the
285 result template are suppressed and return no
286 results.
289 sions are available with Postfix 2.2 and
290 later.
293 allows one to use a mailHost attribute as the basis
295 format, multiple values are concatenated as comma
296 separated strings. The expansion_limit and
297 size_limit parameters explained below allow one to
298 restrict the number of values in the result, which
299 is especially useful for maps that should return a
300 single value.
303 value should be used as is.
307 specified, the value of "result_filter" will be
308 used instead before resorting to the default value.
309 This provides compatibility with old configuration
310 files.
312 NOTE: DO NOT put quotes around the result format!
315 This is a list of domain names, paths to files, or
316 dictionaries. When specified, only fully qualified
317 search keys with a *non-empty* localpart and a
318 matching domain are eligible for lookup: 'user'
319 lookups, bare domain lookups and "@domain" lookups
320 are not performed. This can significantly reduce
321 the query load on the LDAP server.
323 domain = postfix.org, hash:/etc/postfix/searchdomains
325 It is best not to use LDAP to store the domains
326 eligible for LDAP lookups.
329 aliases.
331 This feature is available in Postfix 1.0 and later.
334 The attribute(s) Postfix will read from any direc-
335 tory entries returned by the lookup, to be resolved
336 to an email address.
338 result_attribute = mailbox, maildrop
340 Don't rely on the default value ("maildrop"). Set
341 the result_attribute explicitly in all ldap table
342 configuration files. This is particularly relevant
343 when no result_attribute is applicable, e.g. cases
344 in which leaf_result_attribute and/or termi-
345 nal_result_attribute are used instead. The default
346 value is harmless if "maildrop" is also listed as a
347 leaf or terminal result attribute, but it is best
348 to not leave this to chance.
351 The attribute(s) of directory entries that can con-
352 tain DNs or <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recur-
353 sive search is performed to retrieve the entry ref-
354 erenced by the DN, or the entries matched by the
355 URL query.
357 special_result_attribute = memberdn
359 DN recursion retrieves the same result_attributes
360 as the main query, including the special attributes
361 for further recursion.
363 URL processing retrieves only those attributes that
364 are included in both the URL definition and as
365 result attributes (ordinary, special, leaf or ter-
366 minal) in the Postfix table definition. If the URL
367 lists any of the table's special result attributes,
368 these are retrieved and used recursively. A URL
369 that does not specify any attribute selection, is
370 equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a URL that selects all
371 attributes, in which case the selected attributes
372 will be the full set of result attributes in the
373 Postfix table.
375 If an LDAP URL attribute-descriptor or the corre-
376 sponding Postfix LDAP table result attribute (but
378 ("attr;option"), the attribute requested from the
379 LDAP server will include the sub-type option. In
380 all other cases, the URL attribute and the table
381 attribute must match exactly. Attributes with
382 options in both the URL and the Postfix table are
383 requested only when the options are identical. LDAP
384 attribute-descriptor options are very rarely used,
385 most LDAP users will not need to concern themselves
386 with this level of nuanced detail.
389 When one or more terminal result attributes are
390 found in an LDAP entry, all other result attributes
391 are ignored and only the terminal result attributes
392 are returned. This is useful for delegating expan-
393 sion of group members to a particular host, by
394 using an optional "maildrop" attribute on selected
395 groups to route the group to a specific host, where
396 the group is expanded, possibly via mailing-list
397 manager or other special processing.
399 result_attribute =
400 terminal_result_attribute = maildrop
402 When using terminal and/or leaf result attributes,
403 the result_attribute is best set to an empty value
404 when it is not used, or else explicitly set to the
405 desired value, even if it is the default value
406 "maildrop".
408 This feature is available with Postfix 2.4 or
409 later.
412 When one or more special result attributes are
413 found in a non-terminal (see above) LDAP entry,
414 leaf result attributes are excluded from the expan-
415 sion of that entry. This is useful when expanding
416 groups and the desired mail address attribute(s) of
417 the member objects obtained via DN or URI recursion
418 are also present in the group object. To only
419 return the attribute values from the leaf objects
420 and not the containing group, add the attribute to
421 the leaf_result_attribute list, and not the
422 result_attribute list, which is always expanded.
423 Note, the default value of "result_attribute" is
424 not empty, you may want to set it explicitly empty
425 when using "leaf_result_attribute" to expand the
426 group to a list of member DN addresses. If groups
427 have both member DN references AND attributes that
428 hold multiple string valued rfc822 addresses, then
429 the string attributes go in "result_attribute".
430 The attributes that represent the email addresses
431 of objects referenced via a DN (or LDAP URI) go in
432 "leaf_result_attribute".
434 result_attribute = memberaddr
435 special_result_attribute = memberdn
436 terminal_result_attribute = maildrop
437 leaf_result_attribute = mail
439 When using terminal and/or leaf result attributes,
440 the result_attribute is best set to an empty value
441 when it is not used, or else explicitly set to the
442 desired value, even if it is the default value
443 "maildrop".
445 This feature is available with Postfix 2.4 or
446 later.
450 translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
451 and LDAP_SCOPE_ONELEVEL.
454 Whether or how to bind to the LDAP server. Newer
455 LDAP implementations don't require clients to bind,
456 which saves time. Example:
458 # Don't bind
459 bind = no
460 # Use SIMPLE bind
461 bind = yes
462 # Use SASL bind
463 bind = sasl
467 means do a SIMPLE bind. Postfix 2.8 and later also
468 supports "bind = SASL" when compiled with LDAP SASL
472 SASL section below for additional parameters avail-
473 able with "bind = sasl".
475 If you do need to bind, you might consider config-
476 uring Postfix to connect to the local machine on a
477 port that's an SSL tunnel to your LDAP server. If
478 your LDAP server doesn't natively support SSL, put
479 a tunnel (wrapper, proxy, whatever you want to call
480 it) on that system too. This should prevent the
481 password from traversing the network in the clear.
484 If you do have to bind, do it with this distin-
485 guished name. Example:
487 bind_dn = uid=postfix, dc=your, dc=com
488 With "bind = sasl" (see above) the DN may be
489 optional for some SASL mechanisms, don't specify a
490 DN if not needed.
493 The password for the distinguished name above. If
494 you have to use this, you probably want to make the
495 map configuration file readable only by the Postfix
498 sible to securely store the bind password. This is
500 local accounts to submit mail via the sendmail com-
501 mand. Example:
503 bind_pw = postfixpw
504 With "bind = sasl" (see above) the password may be
505 optional for some SASL mechanisms, don't specify a
506 password if not needed.
513 The above parameters are NO LONGER SUPPORTED by
514 Postfix. Cache support has been dropped from
515 OpenLDAP as of release 2.1.13.
518 A limit on the nesting depth of DN and URL special
519 result attribute evaluation. The limit must be a
520 non-zero positive number.
523 A limit on the total number of result elements
524 returned (as a comma separated list) by a lookup
525 against the map. A setting of zero disables the
526 limit. Lookups fail with a temporary error if the
527 limit is exceeded. Setting the limit to 1 ensures
528 that lookups do not return multiple values.
531 A limit on the number of LDAP entries returned by
532 any single LDAP search performed as part of the
533 lookup. A setting of 0 disables the limit. Expan-
534 sion of DN and URL references involves nested LDAP
535 queries, each of which is separately subjected to
536 this limit.
538 Note: even a single LDAP entry can generate multi-
539 ple lookup results, via multiple result attributes
540 and/or multi-valued result attributes. This limit
541 caps the per search resource utilization on the
542 LDAP server, not the final multiplicity of the
543 lookup result. It is analogous to the "-z" option
544 of "ldapsearch".
547 When to dereference LDAP aliases. (Note that this
548 has nothing do with Postfix aliases.) The permitted
549 values are those legal for the OpenLDAP/UM LDAP
550 implementations:
552 0 never
554 1 when searching
556 2 when locating the base object for the search
558 3 always
561 pages for more information. And if you're using an
562 LDAP package that has other possible values, please
563 bring it to the attention of the postfix-
564 users@postfix.org mailing list.
567 Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP
568 version 3 support).
571 Specifies the LDAP protocol version to use.
574 What level to set for debugging in the OpenLDAP
575 libraries.
578 If you're using the OpenLDAP libraries compiled with SASL
579 support, Postfix 2.8 and later built with LDAP SASL sup-
581 servers via SASL.
583 This enables authentication to the LDAP server via mecha-
584 nisms other than a simple password. The added flexibility
585 has a cost: it is no longer practical to set an explicit
586 timeout on the duration of an LDAP bind operation. Under
587 adverse conditions, whether a SASL bind times out, or if
588 it does, the duration of the timeout is determined by the
589 LDAP and SASL libraries.
593 proxymap request. This also lets you tailer the process
596 may be needed to configure GSSAPI credential caches or
597 other SASL mechanism specific options. The GSSAPI creden-
598 tials used for LDAP lookups may need to be different than
599 say those used for the Postfix SMTP client to authenticate
600 to remote servers.
602 Using SASL mechanisms requires LDAP protocol version 3,
603 the default protocol version is 2 for backwards compati-
605 sasl".
607 The following parameters are relevant to using LDAP with
608 SASL
611 Whether or not to use SASL binds to the server.
612 Can be yes or no.
615 Space separated list of SASL mechanism(s) to try.
618 SASL Realm to use, if applicable.
621 The SASL authorization identity to assert, if
622 applicable.
625 The minimum required sasl security factor required
626 to establish a connection.
629 If you're using the OpenLDAP libraries compiled with SSL
630 support, Postfix can connect to LDAP SSL servers and can
631 issue the STARTTLS command.
633 LDAP SSL service can be requested by using a LDAP SSL URL
634 in the server_host parameter:
636 server_host = ldaps://ldap.example.com:636
638 STARTTLS can be turned on with the start_tls parameter:
640 start_tls = yes
642 Both forms require LDAP protocol version 3, which has to
643 be set explicitly with:
645 version = 3
647 If any of the Postfix programs querying the map is config-
649 and keys involved have to be copied to the chroot jail. Of
650 course, the private keys should only be readable by the
651 user "postfix".
653 The following parameters are relevant to LDAP SSL and
654 STARTTLS:
657 Whether or not to issue STARTTLS upon connection to
658 the server. Don't set this with LDAP SSL (the SSL
659 session is setup automatically when the TCP connec-
660 tion is opened).
664 Directory containing X509 Certificate Authority
665 certificates in PEM format which are to be recog-
666 nized by the client in SSL/TLS connections. The
667 files each contain one CA certificate. The files
668 are looked up by the CA subject name hash value,
669 which must hence be available. If more than one CA
670 certificate with the same name hash value exist,
671 the extension must be different (e.g. 9d66eef0.0,
672 9d66eef0.1 etc). The search is performed in the
673 ordering of the extension number, regardless of
674 other properties of the certificates. Use the
675 c_rehash utility (from the OpenSSL distribution) to
676 create the necessary links.
680 File containing the X509 Certificate Authority cer-
681 tificates in PEM format which are to be recognized
682 by the client in SSL/TLS connections. This setting
683 takes precedence over tls_ca_cert_dir.
686 File containing client's X509 certificate to be
687 used by the client in SSL/ TLS connections.
690 File containing the private key corresponding to
691 the above tls_cert.
694 Whether or not to request server's X509 certificate
695 and check its validity when establishing SSL/TLS
699 checked, but with OpenLDAP prior to 2.1.13, the
700 name in the server certificate must still match the
702 server name is not necessarily what you specified,
703 rather it is determined (by reverse lookup) from
704 the IP address of the LDAP server connection. With
705 OpenLDAP prior to 2.0.13, subjectAlternativeName
706 extensions in the LDAP server certificate are
707 ignored: the server name must match the subject
710 files.
712 Don't use TLS with OpenLDAP 2.0.x (and especially
716 a trusted CA, and not be expired. The LDAP server
717 name must match one of the name(s) found in the
718 certificate (see above for OpenLDAP library version
721 figuration files.
724 equivalents here. They are not available with
725 OpenLDAP 2.0, and in any case have questionable
726 security properties. Either you want TLS verified
727 LDAP connections, or you don't.
730 and later, or with OpenLDAP 2.0. Earlier Postfix
731 releases or later OpenLDAP releases don't work
732 together with this setting. Support for LDAP over
733 TLS was added to Postfix based on the OpenLDAP 2.0
734 API.
737 Path of a file to obtain random bits from when
738 /dev/[u]random is not available, to be used by the
739 client in SSL/TLS connections.
742 Cipher suite to use in SSL/TLS negotiations.
753 server_host = ldap.example.com
754 search_base = dc=example, dc=com
756 Upon receiving mail for a local address "ldapuser" that
757 isn't found in the /etc/aliases database, Postfix will
758 search the LDAP server listening at port 389 on ldap.exam-
759 ple.com. It will bind anonymously, search for any direc-
760 tory entries whose mailacceptinggeneralid attribute is
762 and build a list of their maildrops, which will be treated
763 as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
764 ered.
777 The Secure Mailer license must be distributed with this
778 software.
781 Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
782 Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
783 Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
784 Victor Duchovni, and many others.
786 LDAP_TABLE(5)
787 </pre> </body> </html>