LDAP Rejection
Daniel Maher
daniel.maher at ubisoft.com
Thu Sep 21 19:25:48 IST 2006
Querying from your MTA to an Active Directory server isn't as straightforward as it should be. This is due to the fact that Active Directory does not use the same format as LDAP by default; there are both missing and extra fields that make them different.
Unless your MTA allows for fairly advanced manipulations of both the query and result, you may need to set up an LDAP server (OpenLDAP, for example) to act as a proxy between your MTA and the AD server. The advantage here is that you can configure the LDAP proxy to cache results as well, which lowers load on your AD server.
The LDAP proxy can (and should) be configured to deal with the pure LDAP requests coming from your MTA, forward them to the AD server, then sanitize and cache result before delivering it back to the MTA.
In our environment, each of the incoming mail servers in our cluster has a local slapd (the OpenLDAP daemon) process running on it, which performs the functions outlined above.
This is only one option of course. Another option is to pull down the entire contents of the Active Directory on a nightly basis, and build a static map out of it that your MTA can reference directly. This is likely less work infrastructurally, but is also not real-time, so there's a trade off there.
In any case, I can forward the relevant portions of the slapd.conf to anybody who is interested - it's a bit of a pain to set up if you've never done it before. :P
--
_
°v° Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator
Sentio aliquos togatos contra me conspirare.
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Richard Frovarp
> Sent: September 21, 2006 1:59 PM
> To: MailScanner discussion
> Subject: Re: LDAP Rejection
>
> I don't know. We use OpenLDAP. Does AD follow LDAP norms or not? If so,
> it should work. LDAP should be LDAP, except certain companies can't be
> trusted to always follow the norms.
>
> Devon Harding wrote:
> > Yes, but does this 'LDAP Routing' feature extends to Active Directory?
> >
> > On 9/21/06, *Richard Frovarp* < Richard.Frovarp at sendit.nodak.edu
> > <mailto:Richard.Frovarp at sendit.nodak.edu>> wrote:
> >
> > Glenn Steen wrote:
> > > On 21/09/06, Devon Harding < devonharding at gmail.com
> > <mailto:devonharding at gmail.com>> wrote:
> > >> Using sendmail on FC5
> > >>
> > > Sendmail is not my forte, but as mentioned by Kevin, you could
> > > probably use a milter for recipient verification.
> > >
> > > You should be able to use the access feature and a modified
> > perl/shell
> > > LDAP hack as outlined for Postfix, but... well, no one has ever
> > > bothered documenting anything like that (probably because
> > they're busy
> > > using the mentioned milters:-).
> > > It should acutally be pretty easy... Too bad I've not got (the
> > > inklination to install) any sendmail around to play with...:)
> > >
> > Sendmail has support for LDAP right in it without using a milter.
> Not
> > familiar with the exact steps, but there is documentation out there
> if
> > you just google for sendmail and ldap.
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > <mailto:mailscanner at lists.mailscanner.info>
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> > <http://wiki.mailscanner.info/posting>
> >
> > Support MailScanner development - buy the book off the website!
> >
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by EduTech's *MailScanner*
> > <http://www.mailscanner.info/> Vaccine4, and is
> > believed to be clean.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list