Discussion:
postfix and LDAP usage
Sun Chong
2011-06-22 07:56:59 UTC
Hello, all,

I had no luck on postfix-users, so I'm posting this here...

Four things I have noticed while installing/using Postfix 2.7.2:

1. Does the install script not set the correct permissions/ownerships
   on installed files? From the logs:

Jun 19 01:58:16 localhost postfix/postfix-script[10742]: warning: not owned by root: /usr/local/var/spool/postfix//pid
Jun 19 01:58:16 localhost postfix/postfix-script[10748]: warning: not owned by postfix: /usr/local/var/lib/postfix//.
Jun 19 01:58:16 localhost postfix/postfix-script[10756]: warning: not owned by group postdrop: /usr/local/sbin//postqueue
Jun 19 01:58:16 localhost postfix/postfix-script[10757]: warning: not owned by group postdrop: /usr/local/sbin//postdrop
Jun 19 01:58:16 localhost postfix/postfix-script[10758]: warning: not owned by group postdrop: /usr/local/var/spool/postfix//public
Jun 19 01:58:16 localhost postfix/postfix-script[10759]: warning: not owned by group postdrop: /usr/local/var/spool/postfix//maildrop
Jun 19 01:58:16 localhost postfix/postfix-script[10761]: warning: not set-gid or not owner+group+world executable: /usr/local/sbin//postqueue
Jun 19 01:58:16 localhost postfix/postfix-script[10762]: warning: not set-gid or not owner+group+world executable: /usr/local/sbin//postdrop

I saw this after a fresh install. Did I miss something out?

2. Why is local(8) trying to expand search_base from ldap_table(5)?

From the logs:

Jun 22 00:25:01 localhost postfix/local[14185]: dict_update: version = 3
Jun 22 00:25:01 localhost postfix/local[14185]: dict_update: server_host = auth.example.net
Jun 22 00:25:01 localhost postfix/local[14185]: dict_update: search_base = ou=People,dc=example,dc=net
Jun 22 00:25:01 localhost postfix/local[14185]: dict_update: scope = one
Jun 22 00:25:01 localhost postfix/local[14185]: dict_update: query_filter = mail=%u@%d
Jun 22 00:25:01 localhost postfix/local[14185]: dict_update: result_attribute = mail
...
Jun 22 00:25:01 localhost postfix/local[14185]: deliver_alias: hash:/usr/local/etc/postfix/aliases(0,lock|no_regsub|no_proxy|no_unauth|fold_fix): root = blubb
Jun 22 00:25:01 localhost postfix/local[14185]: deliver_alias[3]: reset user_attr
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_lookup: In dict_ldap_lookup
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_lookup: No existing connection for LDAP source /usr/local/etc/postfix/aliases-ldap, reopening
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_connect: Connecting to server ldap://auth.example.net:389
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_connect: Actual Protocol version used is 3.
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_connect: Binding to server ldap://auth.example.net:389 as dn uid=auth,ou=People,dc=example,dc=net
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_connect: Successful bind to server ldap://auth.example.net:389 as uid=auth,ou=People,dc=example,dc=net
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_connect: Cached connection handle for LDAP source /usr/local/etc/postfix/aliases-ldap
Jun 22 00:25:01 localhost postfix/local[14185]: dict_ldap_lookup: /usr/local/etc/postfix/aliases-ldap: Empty expansion for ou=People,dc=example,dc=net

In particular the last line worries me, as it only appears if I set query_filter to
mail=%u@%d. If I set it to mail=%s or even uid=%s, it does not attempt
this expansion.

3a. Do LDAP users need to exist as local UNIX users as well?

From the logs:

Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: In dict_ldap_lookup
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: Using existing connection for LDAP source /usr/local/etc/postfix/aliases-ldap
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: /usr/local/etc/postfix/aliases-ldap: Searching with filter uid=blubb
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_get_values[1]: Search found 1 match(es)
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_get_values[1]: search returned 1 value(s) for requested result attribute mail
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: Search returned ***@example.net
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_alias: ldap:/usr/local/etc/postfix/aliases-ldap(0,lock|no_regsub|no_proxy|no_unauth|fold_fix): blubb = ***@example.net
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_alias[7]: reset user_attr
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: In dict_ldap_lookup
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: Using existing connection for LDAP source /usr/local/etc/postfix/aliases-ldap
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: /usr/local/etc/postfix/aliases-ldap: Searching with filter uid=owner-blubb
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_get_values[1]: Search found 0 match(es)
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
Jun 22 01:02:01 localhost postfix/local[15050]: dict_ldap_lookup: Search returned nothing
...
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_switch[10]: local blubb recip ***@example.net exten  deliver ***@localhost.localdomain exp_from blubb
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_alias[11]: local blubb recip ***@example.net exten  deliver ***@localhost.localdomain exp_from blubb
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_dotforward[11]: local blubb recip ***@example.net exten  deliver ***@localhost.localdomain exp_from blubb
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_mailbox[11]: local blubb recip ***@example.net exten  deliver ***@localhost.localdomain exp_from blubb
Jun 22 01:02:01 localhost postfix/local[15050]: been_here: mailbox blubb: 0
Jun 22 01:02:01 localhost postfix/local[15050]: deliver_unknown[11]: local blubb recip ***@example.net exten  deliver ***@localhost.localdomain exp_from blubb

User blubb does exist as an LDAP user, but not as a local UNIX user. However,
local(8) would look up user blubb in the local passwd database and bail
out since it does not exist there.

3b. Why does local(8) look up owner-blubb even if the search for blubb succeeds?

See above log.

I can hack these things out myself in the Postfix code (essentially creating
a branch for myself); I just wanted to know whether anybody on this list
has observed these quirks him-/herself, or whether it is just me who missed
something. Thanks.

Chong
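The %-expansion rules the logs above exercise, as an added illustration that is not Postfix code: per ldap_table(5), %d suppresses the query when the key has no domain part, so the alias key "root" yields no query under mail=%u@%d but expands normally under mail=%s, and every substitution is RFC 4515 filter-escaped so a lookup key cannot alter the filter. The function names and the constructed keys are assumptions of this example.

```python
import re

# Modelled on the ldap_table(5) rules for query_filter/search_base (added
# illustration, not Postfix code): %s -> whole key, %u -> local part (whole
# key if no '@'), %d -> domain part, %1..%9 -> domain components counted from
# the right; an empty %u or a missing %d suppresses the query entirely.
_FILTER_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def filter_escape(value: str) -> str:
    """RFC 4515 escaping: a key such as '*)(uid=*' cannot rewrite the filter."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)


def expand_template(template: str, key: str):
    """Return the expanded template, or None when Postfix would suppress the query."""
    user, at, domain = key.rpartition("@")
    if not at:                      # unqualified key: %u is the whole key, %d undefined
        user, domain = key, None
    components = domain.split(".") if domain else []

    def subst(match):
        code = match.group(1)
        if code == "%":
            return "%"
        if code == "s":
            return filter_escape(key)
        if code == "u":
            if user == "":
                raise LookupError("empty local part")
            return filter_escape(user)
        if code == "d":
            if not domain:
                raise LookupError("no domain part")
            return filter_escape(domain)
        idx = int(code)             # %1..%9: most significant component first
        if idx > len(components):
            raise LookupError("not enough domain components")
        return filter_escape(components[-idx])

    try:
        return re.sub(r"%([sud1-9%])", subst, template)
    except LookupError:
        return None


def would_query(templates, key: str) -> bool:
    """search_base and query_filter share one context in Postfix, so a lookup
    runs only if every query-side template expands for this key."""
    return all(expand_template(t, key) is not None for t in templates)
```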
Noel Jones
2011-06-22 16:02:07 UTC
Post by Sun Chong
> Hello, all,
> I had no luck on postfix-users, so I'm posting this here...
Please post your questions to postfix-users.

Thank you.


-- Noel Jones
