OpenLDAP Directory Administration: Email and LDAP
Table of Contents
• Introduction
• Representing Users
• Email Clients and LDAP
• Mail Transfer Agents (MTAs)
Introduction
• One of the most important applications of a directory is storing email addresses and contact information.
• This chapter explores the ins and outs of integrating email clients (MUAs) and mail servers (MTAs) with an LDAP directory.
• Clients:
  • Mozilla Mail
  • Pine
  • Microsoft Outlook
  • Eudora
• Servers:
  • Sendmail
  • Postfix
  • Exim
Representing Users
• This chapter builds on chapters 4 and 6:
  • Chapter 4: white pages server
  • Chapter 6: administrative database, NIS replacement
• Both servers use the ou=people container.
• posixAccount and inetOrgPerson can be used to store a single user entry for both authentication and contact information.
Representing Users (cont.)
• Compare the white pages entry (chapter 4) with the account entry (chapter 6):

    dn: cn=Kristi W. Carter,ou=people,dc=plainjoe,dc=org
    objectClass: inetOrgPerson
    cn: Kristi W. Carter
    sn: Carter
    mail: kcarter@plainjoe.org
    labeledURI: http://www.plainjoe.org/kristi
    roomNumber: 102 Ramsey Hall
    telephoneNumber: 222-555-2356

    dn: uid=kristi,ou=people,dc=plainjoe,dc=org
    uid: kristi
    cn: Kristi Carter
    objectClass: account
    objectClass: posixAccount
    userPassword: {crypt}...
    loginShell: /bin/bash
    uidNumber: 781
    gidNumber: 100
    homeDirectory: /home/kristi
    gecos: Kristi Carter

• Issues:
  • Different RDNs: we will use the uid attribute.
  • Both account and inetOrgPerson are structural object classes, and an entry can have only one structural object class.
• We will create each entry with the inetOrgPerson class and then extend it using the posixAccount auxiliary class.
Representing Users (cont.)
• We filter the account object class out of the output of PADL's migration scripts:

    $ ./migrate_passwd.pl /etc/passwd | \
    > grep -iv "objectclass: account" > passwd.ldif

• Combined entry:

    dn: uid=kristi,ou=people,dc=plainjoe,dc=org
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: Kristi Carter
    cn: Kristi W. Carter
    sn: Carter
    mail: kcarter@plainjoe.org
    labeledURI: http://www.plainjoe.org/kristi
    roomNumber: 102 Ramsey Hall
    telephoneNumber: 222-555-2356
    uid: kristi
    userPassword: {crypt}...
    loginShell: /bin/bash
    uidNumber: 781
    gidNumber: 100
    homeDirectory: /home/kristi
    gecos: Kristi Carter
Email Clients and LDAP
• Examine the applications and determine which schema is able to support them.
• Using a standard schema is vastly preferred to building your own.
• Fortunately, the inetOrgPerson schema supports all of the information items we are interested in.
• Information the clients need:
  • LDAP server is ldap.plainjoe.org
  • Base DN suffix is ou=people,dc=plainjoe,dc=org
• Know the LDAP version the clients will use, e.g. if you want to allow LDAPv2 binds in OpenLDAP, add to slapd.conf:

    allow bind_v2
Email Clients and LDAP: Mozilla Mail
• http://www.mozilla.org/, based on code from Netscape
• Ask yourself:
  • Should users be required to authenticate, or should they be able to access information anonymously?
  • Should the information sent to and retrieved from the LDAP server travel in clear text or over SSL?
Email Clients and LDAP: Mozilla Mail (cont.)
• Use an anonymous bind or a simple bind (Mozilla will prompt for the password).
• Once you are in the application, this is the query the client uses when you type "carter" into the lookup field:

    (|(mail=*carter*)(cn=*carter*)(givenName=*carter*)(sn=*carter*))
Email Clients and LDAP: Mozilla Mail (cont.)
• The advanced search dialog box allows more elaborate searches.
Mail Transfer Agents (MTAs)
• Popular MTAs that can use LDAP for user lookups and mail routing:
  • Sendmail (not covered here)
  • Postfix
  • Exim (not covered here)
Mail Transfer Agents (MTAs) (cont.): Postfix
• A popular replacement for Sendmail as an MTA because:
  • Features and interface comparable with Sendmail
  • Simpler configuration than Sendmail
  • A history of fewer security holes
• http://www.postfix.org/
• Compiling Postfix with LDAP support:

    $ cd postfix-1.1.2
    $ make tidy
    $ make makefiles CCARGS="-I/usr/local/include -DHAS_LDAP" \
    > AUXLIBS="-L/usr/local/lib -lldap -llber"
    $ make
    $ /bin/su -c "make install"

• Verify LDAP support with postconf:

    $ /usr/sbin/postconf -m
    ...
    ldap
    ...
Mail Transfer Agents (MTAs) (cont.): Postfix (cont.)
• Postfix maintains six tables, any of which may be stored on the media reported by "postconf -m".
Mail Transfer Agents (MTAs) (cont.): Postfix (cont.)
• Starting point configuration file (/etc/postfix/main.cf):

    # /etc/postfix/main.cf

    # Host/domain information
    myhostname = garion.plainjoe.org
    mydomain = plainjoe.org
    myorigin = plainjoe.org

    # Who is local?
    mydestination = localhost $myhostname

    # Who to accept mail relaying from?
    mynetworks = 192.168.1.0/24 127.0.0.0/8

    # Program locations
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    queue_directory = /var/spool/postfix
    mail_owner = postfix

    # Sendmail-compatible mail spool directory
    mail_spool_directory = /var/spool/mail
Mail Transfer Agents (MTAs) (cont.): Postfix (cont.)
• A local user is represented by the uid attribute of the posixAccount object class; the aliased address is represented by the mail attribute of the inetOrgPerson object class.
• No need for sendmailMTA and related schema objects.
• Because of the attributes we chose:
  • No support for mapping one local user to another for email delivery
  • No mailing list addresses in external files
  • This is not a Postfix limitation, but a limitation of our attribute choices.
• Inform Postfix about LDAP use (ldapalias is the name of the table):

    alias_maps = ldap:ldapalias
Mail Transfer Agents (MTAs) (cont.): Postfix (cont.)
• More definitions are needed now (in /etc/postfix/main.cf):

    ldapalias_server_host = localhost
    ldapalias_search_base = ou=people,dc=plainjoe,dc=org
    ldapalias_scope = sub
    ldapalias_query_filter = (uid=%s)
    ldapalias_result_attribute = mail

• Test alias lookups:

    $ postmap -q guest1 ldap:ldapalias
    jerry@plainjoe.org

• Send a test mail message and check the log files.
Mail Transfer Agents (MTAs) (cont.): Postfix (cont.)
• LDIF entry for a normal user account:

    # User account including a mail alias
    dn: uid=guest1,ou=people,dc=plainjoe,dc=org
    uid: guest1
    cn: Guest Account
    objectClass: posixAccount
    objectClass: inetOrgPerson
    userPassword: {CRYPT}Fd8nE1RtCh5G6
    loginShell: /bin/bash
    uidNumber: 783
    gidNumber: 1000
    homeDirectory: /home/guest1
    gecos: Guest Account
    sn: Account
    mail: jerry@plainjoe.org
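The Python below is an added illustration, not code from the book or these slides, covering two earlier points: it builds the Mozilla Mail lookup filter with RFC 4515 escaping of the typed term (so that a typed value cannot alter the filter's structure), and it emulates the Postfix ldapalias table, query filter (uid=%s) with result attribute mail, against a constructed copy of the guest1 entry. Function names such as mozilla_filter and alias_lookup are assumptions.

```python
# Added example, not code from the book or these slides; function names are assumptions.
# (1) Build the Mozilla Mail lookup filter with RFC 4515 escaping of the typed term.
# (2) Emulate the Postfix ldapalias table: query filter "(uid=%s)", result attribute "mail".

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        # Backslash, asterisk, parentheses and NUL become \XX hex escapes.
        if ch in '\\*()' or ord(ch) == 0:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def mozilla_filter(term: str) -> str:
    """The filter Mozilla Mail sends when `term` is typed into the lookup field."""
    t = escape_filter_value(term)
    return '(|(mail=*%s*)(cn=*%s*)(givenName=*%s*)(sn=*%s*))' % (t, t, t, t)

def parse_ldif(text: str) -> list:
    """Minimal LDIF parser (no base64 or continuation lines): list of {attr: [values]}."""
    entries, entry = [], {}
    for line in text.splitlines():
        if line.startswith('#'):
            continue
        if not line.strip():  # a blank line separates entries
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, val = line.partition(':')
        entry.setdefault(attr.strip().lower(), []).append(val.strip())  # attr types are case-insensitive
    if entry:
        entries.append(entry)
    return entries

def alias_lookup(entries: list, local_user: str) -> list:
    """What 'postmap -q <local_user> ldap:ldapalias' returns: mail of entries whose uid matches."""
    return [m for e in entries if local_user in e.get('uid', []) for m in e.get('mail', [])]

# Constructed sample LDIF: the guest1 entry from the slides, trimmed.
SAMPLE_LDIF = """\
dn: uid=guest1,ou=people,dc=plainjoe,dc=org
uid: guest1
objectClass: posixAccount
objectClass: inetOrgPerson
mail: jerry@plainjoe.org
"""
```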
Mail Transfer Agents (MTAs) (cont.): Postfix (cont.)
LDAP-related Postfix parameters