diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:46:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:46:30 +0000 |
commit | b5896ba9f6047e7031e2bdee0622d543e11a6734 (patch) | |
tree | fd7b460593a2fee1be579bec5697e6d887ea3421 /html/ldap_table.5.html | |
parent | Initial commit. (diff) | |
download | postfix-b5896ba9f6047e7031e2bdee0622d543e11a6734.tar.xz postfix-b5896ba9f6047e7031e2bdee0622d543e11a6734.zip |
Adding upstream version 3.4.23.upstream/3.4.23upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'html/ldap_table.5.html')
-rw-r--r-- | html/ldap_table.5.html | 674 |
1 files changed, 674 insertions, 0 deletions
diff --git a/html/ldap_table.5.html b/html/ldap_table.5.html new file mode 100644 index 0000000..8d4ee06 --- /dev/null +++ b/html/ldap_table.5.html @@ -0,0 +1,674 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> +<html> <head> +<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> +<title> Postfix manual - ldap_table(5) </title> +</head> <body> <pre> +LDAP_TABLE(5) LDAP_TABLE(5) + +<b>NAME</b> + ldap_table - Postfix LDAP client configuration + +<b>SYNOPSIS</b> + <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> + + <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i> + +<b>DESCRIPTION</b> + The Postfix mail system uses optional tables for address rewriting or + mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format. + + Alternatively, lookup tables can be specified as LDAP databases. + + In order to use LDAP lookups, define an LDAP source as a lookup table + in <a href="postconf.5.html">main.cf</a>, for example: + + <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf + + The file /etc/postfix/ldap-aliases.cf has the same format as the Post- + fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below. An + example is given at the end of this manual. + + This configuration method is available with Postfix version 2.1 and + later. See the section "OBSOLETE MAIN.CF PARAMETERS" below for older + Postfix versions. + + For details about LDAP SSL and STARTTLS, see the section on SSL and + STARTTLS below. + +<b>LIST MEMBERSHIP</b> + When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, + $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under- + stand that the table must store each list member as a separate key. The + table lookup verifies the *existence* of the key. See "Postfix lists + versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion. + + Do NOT create tables that return the full list of domains in $<a href="postconf.5.html#mydestination">mydesti</a>- + <a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>. + + DO create tables with each matching item as a key and with an arbitrary + value. With LDAP databases it is not uncommon to return the key itself. + + For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>: + + query_filter = domain=* + result_attribute = domain + + Do this instead: + + query_filter = domain=%s + result_attribute = domain + +<b>GENERAL LDAP PARAMETERS</b> + In the text below, default values are given in parentheses. Note: + don't use quotes in these variables; at least, not until the Postfix + configuration routines understand how to deal with quoted strings. + + <b>server_host (default: localhost)</b> + The name of the host running the LDAP server, e.g. + + server_host = ldap.example.com + + Depending on the LDAP client library you're using, it should be + possible to specify multiple servers here, with the library try- + ing them in order should the first one fail. It should also be + possible to give each server in the list a different port (over- + riding <b>server_port</b> below), by naming them like + + server_host = ldap.example.com:1444 + + With OpenLDAP, a (list of) LDAP URLs can be used to specify both + the hostname(s) and the port(s): + + server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444 + <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444 + + All LDAP URLs accepted by the OpenLDAP library are supported, + including connections over UNIX domain sockets, and LDAP SSL + (the last one provided that OpenLDAP was compiled with support + for SSL): + + server_host = ldapi://%2Fsome%2Fpath + ldaps://ldap.example.com:636 + + <b>server_port (default: 389)</b> + The port the LDAP server listens on, e.g. + + server_port = 778 + + <b>timeout (default: 10 seconds)</b> + The number of seconds a search can take before timing out, e.g. + + timeout = 5 + + <b>search_base (No default; you must configure this)</b> + The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g. + + search_base = dc=your, dc=com + + With Postfix 2.2 and later this parameter supports the following + '%' expansions: + + <b>%%</b> This is replaced by a literal '%' character. + + <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is + used to make sure that the input key does not add unex- + pected metacharacters. + + <b>%u</b> When the input key is an address of the form user@domain, + <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the + address. Otherwise, <b>%u</b> is replaced by the entire search + string. If the localpart is empty, the search is sup- + pressed and returns no results. + + <b>%d</b> When the input key is an address of the form user@domain, + <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of + the address. Otherwise, the search is suppressed and + returns no results. + + <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents + of the above expansions behave identically to their + lower-case counter-parts. With the <b>result_format</b> parame- + ter (previously called <b>result_filter</b> see the COMPATIBIL- + ITY section and below), they expand to the corresponding + components of input key rather than the result value. + + <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- + sponding most significant component of the input key's + domain. If the input key is <i>user@mail.example.com</i>, then + %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key + is unqualified or does not have enough domain components + to satisfy all the specified patterns, the search is sup- + pressed and returns no results. + + <b>query_filter (default: mailacceptinggeneralid=%s)</b> + The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a + substitute for the address Postfix is trying to resolve, e.g. + + query_filter = (&(mail=%s)(paid_up=true)) + + This parameter supports the following '%' expansions: + + <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 + and later). + + <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is + used to make sure that the input key does not add unex- + pected metacharacters. + + <b>%u</b> When the input key is an address of the form user@domain, + <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the + address. Otherwise, <b>%u</b> is replaced by the entire search + string. If the localpart is empty, the search is sup- + pressed and returns no results. + + <b>%d</b> When the input key is an address of the form user@domain, + <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of + the address. Otherwise, the search is suppressed and + returns no results. + + <b>%[SUD]</b> The upper-case equivalents of the above expansions behave + in the <b>query_filter</b> parameter identically to their + lower-case counter-parts. With the <b>result_format</b> parame- + ter (previously called <b>result_filter</b> see the COMPATIBIL- + ITY section and below), they expand to the corresponding + components of input key rather than the result value. + + The above %S, %U and %D expansions are available with + Postfix 2.2 and later. + + <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- + sponding most significant component of the input key's + domain. If the input key is <i>user@mail.example.com</i>, then + %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key + is unqualified or does not have enough domain components + to satisfy all the specified patterns, the search is sup- + pressed and returns no results. + + The above %1, ..., %9 expansions are available with Post- + fix 2.2 and later. + + The "domain" parameter described below limits the input keys to + addresses in matching domains. When the "domain" parameter is + non-empty, LDAP queries for unqualified addresses or addresses + in non-matching domains are suppressed and return no results. + + NOTE: DO NOT put quotes around the <b>query_filter</b> parameter. + + <b>result_format (default: %s</b>) + Called <b>result_filter</b> in Postfix releases prior to 2.2. Format + template applied to result attributes. Most commonly used to + append (or prepend) text to the result. This parameter supports + the following '%' expansions: + + <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2 + and later). + + <b>%s</b> This is replaced by the value of the result attribute. + When result is empty it is skipped. + + <b>%u</b> When the result attribute value is an address of the form + user@domain, <b>%u</b> is replaced by the local part of the + address. When the result has an empty localpart it is + skipped. + + <b>%d</b> When a result attribute value is an address of the form + user@domain, <b>%d</b> is replaced by the domain part of the + attribute value. When the result is unqualified it is + skipped. + + <b>%[SUD1-9]</b> + The upper-case and decimal digit expansions interpolate + the parts of the input key rather than the result. Their + behavior is identical to that described with <b>query_fil-</b> + <b>ter</b>, and in fact because the input key is known in + advance, lookups whose key does not contain all the + information specified in the result template are sup- + pressed and return no results. + + The above %S, %U, %D and %1, ..., %9 expansions are + available with Postfix 2.2 and later. + + For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use + a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After + applying the result format, multiple values are concatenated as + comma separated strings. The expansion_limit and size_limit + parameters explained below allow one to restrict the number of + values in the result, which is especially useful for maps that + should return a single value. + + The default value <b>%s</b> specifies that each attribute value should + be used as is. + + This parameter was called <b>result_filter</b> in Postfix releases + prior to 2.2. If no "result_format" is specified, the value of + "result_filter" will be used instead before resorting to the + default value. This provides compatibility with old configura- + tion files. + + NOTE: DO NOT put quotes around the result format! + + <b>domain (default: no domain list)</b> + This is a list of domain names, paths to files, or dictionaries. + When specified, only fully qualified search keys with a + *non-empty* localpart and a matching domain are eligible for + lookup: 'user' lookups, bare domain lookups and "@domain" + lookups are not performed. This can significantly reduce the + query load on the LDAP server. + + domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains + + It is best not to use LDAP to store the domains eligible for + LDAP lookups. + + NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases. + + This feature is available in Postfix 1.0 and later. + + <b>result_attribute (default: maildrop)</b> + The attribute(s) Postfix will read from any directory entries + returned by the lookup, to be resolved to an email address. + + result_attribute = mailbox, maildrop + + Don't rely on the default value ("maildrop"). Set the + result_attribute explicitly in all ldap table configuration + files. This is particularly relevant when no result_attribute is + applicable, e.g. cases in which leaf_result_attribute and/or + terminal_result_attribute are used instead. The default value is + harmless if "maildrop" is also listed as a leaf or terminal + result attribute, but it is best to not leave this to chance. + + <b>special_result_attribute (default: empty)</b> + The attribute(s) of directory entries that can contain DNs or + <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to + retrieve the entry referenced by the DN, or the entries matched + by the URL query. + + special_result_attribute = memberdn + + DN recursion retrieves the same result_attributes as the main + query, including the special attributes for further recursion. + + URL processing retrieves only those attributes that are included + in both the URL definition and as result attributes (ordinary, + special, leaf or terminal) in the Postfix table definition. If + the URL lists any of the table's special result attributes, + these are retrieved and used recursively. A URL that does not + specify any attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a + URL that selects all attributes, in which case the selected + attributes will be the full set of result attributes in the + Postfix table. + + If an LDAP URL attribute-descriptor or the corresponding Postfix + LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> + sub-type options ("attr;option"), the attribute requested from + the LDAP server will include the sub-type option. In all other + cases, the URL attribute and the table attribute must match + exactly. Attributes with options in both the URL and the Postfix + table are requested only when the options are identical. LDAP + attribute-descriptor options are very rarely used, most LDAP + users will not need to concern themselves with this level of + nuanced detail. + + <b>terminal_result_attribute (default: empty)</b> + When one or more terminal result attributes are found in an LDAP + entry, all other result attributes are ignored and only the ter- + minal result attributes are returned. This is useful for dele- + gating expansion of group members to a particular host, by using + an optional "maildrop" attribute on selected groups to route the + group to a specific host, where the group is expanded, possibly + via mailing-list manager or other special processing. + + result_attribute = + terminal_result_attribute = maildrop + + When using terminal and/or leaf result attributes, the + result_attribute is best set to an empty value when it is not + used, or else explicitly set to the desired value, even if it is + the default value "maildrop". + + This feature is available with Postfix 2.4 or later. + + <b>leaf_result_attribute (default: empty)</b> + When one or more special result attributes are found in a + non-terminal (see above) LDAP entry, leaf result attributes are + excluded from the expansion of that entry. This is useful when + expanding groups and the desired mail address attribute(s) of + the member objects obtained via DN or URI recursion are also + present in the group object. To only return the attribute values + from the leaf objects and not the containing group, add the + attribute to the leaf_result_attribute list, and not the + result_attribute list, which is always expanded. Note, the + default value of "result_attribute" is not empty, you may want + to set it explicitly empty when using "leaf_result_attribute" to + expand the group to a list of member DN addresses. If groups + have both member DN references AND attributes that hold multiple + string valued rfc822 addresses, then the string attributes go in + "result_attribute". The attributes that represent the email + addresses of objects referenced via a DN (or LDAP URI) go in + "leaf_result_attribute". + + result_attribute = memberaddr + special_result_attribute = memberdn + terminal_result_attribute = maildrop + leaf_result_attribute = mail + + When using terminal and/or leaf result attributes, the + result_attribute is best set to an empty value when it is not + used, or else explicitly set to the desired value, even if it is + the default value "maildrop". + + This feature is available with Postfix 2.4 or later. + + <b>scope (default: sub)</b> + The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate into + LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL. + + <b>bind (default: yes)</b> + Whether or how to bind to the LDAP server. Newer LDAP implemen- + tations don't require clients to bind, which saves time. Exam- + ple: + + # Don't bind + bind = no + # Use SIMPLE bind + bind = yes + # Use SASL bind + bind = sasl + + Postfix versions prior to 2.8 only support "bind = no" which + means don't bind, and "bind = yes" which means do a SIMPLE bind. + Postfix 2.8 and later also supports "bind = SASL" when compiled + with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds + the synonyms "bind = none" and "bind = simple" for "bind = no" + and "bind = yes" respectively. See the SASL section below for + additional parameters available with "bind = sasl". + + If you do need to bind, you might consider configuring Postfix + to connect to the local machine on a port that's an SSL tunnel + to your LDAP server. If your LDAP server doesn't natively sup- + port SSL, put a tunnel (wrapper, proxy, whatever you want to + call it) on that system too. This should prevent the password + from traversing the network in the clear. + + <b>bind_dn (default: empty)</b> + If you do have to bind, do it with this distinguished name. + Example: + + bind_dn = uid=postfix, dc=your, dc=com + With "bind = sasl" (see above) the DN may be optional for some + SASL mechanisms, don't specify a DN if not needed. + + <b>bind_pw (default: empty)</b> + The password for the distinguished name above. If you have to + use this, you probably want to make the map configuration file + readable only by the Postfix user. When using the obsolete + <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is + not possible to securely store the bind password. This is + because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local + accounts to submit mail via the sendmail command. Example: + + bind_pw = postfixpw + With "bind = sasl" (see above) the password may be optional for + some SASL mechanisms, don't specify a password if not needed. + + <b>cache (IGNORED with a warning)</b> + + <b>cache_expiry (IGNORED with a warning)</b> + + <b>cache_size (IGNORED with a warning)</b> + The above parameters are NO LONGER SUPPORTED by Postfix. Cache + support has been dropped from OpenLDAP as of release 2.1.13. + + <b>recursion_limit (default: 1000)</b> + A limit on the nesting depth of DN and URL special result + attribute evaluation. The limit must be a non-zero positive num- + ber. + + <b>expansion_limit (default: 0)</b> + A limit on the total number of result elements returned (as a + comma separated list) by a lookup against the map. A setting of + zero disables the limit. Lookups fail with a temporary error if + the limit is exceeded. Setting the limit to 1 ensures that + lookups do not return multiple values. + + <b>size_limit (default: $expansion_limit)</b> + A limit on the number of LDAP entries returned by any single + LDAP search performed as part of the lookup. A setting of 0 dis- + ables the limit. Expansion of DN and URL references involves + nested LDAP queries, each of which is separately subjected to + this limit. + + Note: even a single LDAP entry can generate multiple lookup + results, via multiple result attributes and/or multi-valued + result attributes. This limit caps the per search resource uti- + lization on the LDAP server, not the final multiplicity of the + lookup result. It is analogous to the "-z" option of + "ldapsearch". + + <b>dereference (default: 0)</b> + When to dereference LDAP aliases. (Note that this has nothing do + with Postfix aliases.) The permitted values are those legal for + the OpenLDAP/UM LDAP implementations: + + 0 never + + 1 when searching + + 2 when locating the base object for the search + + 3 always + + See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for + more information. And if you're using an LDAP package that has + other possible values, please bring it to the attention of the + postfix-users@postfix.org mailing list. + + <b>chase_referrals (default: 0)</b> + Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3 + support). + + <b>version (default: 2)</b> + Specifies the LDAP protocol version to use. + + <b>debuglevel (default: 0)</b> + What level to set for debugging in the OpenLDAP libraries. + +<b>LDAP SASL PARAMETERS</b> + If you're using the OpenLDAP libraries compiled with SASL support, + Postfix 2.8 and later built with LDAP SASL support as described in + <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL. + + This enables authentication to the LDAP server via mechanisms other + than a simple password. The added flexibility has a cost: it is no + longer practical to set an explicit timeout on the duration of an LDAP + bind operation. Under adverse conditions, whether a SASL bind times + out, or if it does, the duration of the timeout is determined by the + LDAP and SASL libraries. + + It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way + the requesting process can time-out the proxymap request. This also + lets you tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> + <a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5). Special environment set- + tings may be needed to configure GSSAPI credential caches or other SASL + mechanism specific options. The GSSAPI credentials used for LDAP + lookups may need to be different than say those used for the Postfix + SMTP client to authenticate to remote servers. + + Using SASL mechanisms requires LDAP protocol version 3, the default + protocol version is 2 for backwards compatibility. You must set "ver- + sion = 3" in addition to "bind = sasl". + + The following parameters are relevant to using LDAP with SASL + + <b>sasl_mechs (default: empty)</b> + Space separated list of SASL mechanism(s) to try. + + <b>sasl_realm (default: empty)</b> + SASL Realm to use, if applicable. + + <b>sasl_authz_id (default: empty)</b> + The SASL authorization identity to assert, if applicable. + + <b>sasl_minssf (default: 0)</b> + The minimum required sasl security factor required to establish + a connection. + +<b>LDAP SSL AND STARTTLS PARAMETERS</b> + If you're using the OpenLDAP libraries compiled with SSL support, Post- + fix can connect to LDAP SSL servers and can issue the STARTTLS command. + + LDAP SSL service can be requested by using a LDAP SSL URL in the + server_host parameter: + + server_host = ldaps://ldap.example.com:636 + + STARTTLS can be turned on with the start_tls parameter: + + start_tls = yes + + Both forms require LDAP protocol version 3, which has to be set explic- + itly with: + + version = 3 + + If any of the Postfix programs querying the map is configured in <a href="master.5.html">mas- + ter.cf</a> to run chrooted, all the certificates and keys involved have to + be copied to the chroot jail. Of course, the private keys should only + be readable by the user "postfix". + + The following parameters are relevant to LDAP SSL and STARTTLS: + + <b>start_tls (default: no)</b> + Whether or not to issue STARTTLS upon connection to the server. + Don't set this with LDAP SSL (the SSL session is setup automati- + cally when the TCP connection is opened). + + <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b> + Directory containing X509 Certification Authority certificates + in PEM format which are to be recognized by the client in + SSL/TLS connections. The files each contain one CA certificate. + The files are looked up by the CA subject name hash value, which + must hence be available. If more than one CA certificate with + the same name hash value exist, the extension must be different + (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in + the ordering of the extension number, regardless of other prop- + erties of the certificates. Use the c_rehash utility (from the + OpenSSL distribution) to create the necessary links. + + <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b> + File containing the X509 Certification Authority certificates in + PEM format which are to be recognized by the client in SSL/TLS + connections. This setting takes precedence over tls_ca_cert_dir. + + <b>tls_cert (No default; you must set this)</b> + File containing client's X509 certificate to be used by the + client in SSL/ TLS connections. + + <b>tls_key (No default; you must set this)</b> + File containing the private key corresponding to the above + tls_cert. + + <b>tls_require_cert (default: no)</b> + Whether or not to request server's X509 certificate and check + its validity when establishing SSL/TLS connections. The sup- + ported values are <b>no</b> and <b>yes</b>. + + With <b>no</b>, the server certificate trust chain is not checked, but + with OpenLDAP prior to 2.1.13, the name in the server certifi- + cate must still match the LDAP server name. With OpenLDAP 2.0.0 + to 2.0.11 the server name is not necessarily what you specified, + rather it is determined (by reverse lookup) from the IP address + of the LDAP server connection. With OpenLDAP prior to 2.0.13, + subjectAlternativeName extensions in the LDAP server certificate + are ignored: the server name must match the subject CommonName. + The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b> in + LDAP client configuration files. + + Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) + if you can avoid it. + + With <b>yes</b>, the server certificate must be issued by a trusted CA, + and not be expired. The LDAP server name must match one of the + name(s) found in the certificate (see above for OpenLDAP library + version dependent behavior). The <b>yes</b> setting corresponds to the + <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration files. + + The "try" and "allow" values of <b>TLS_REQCERT</b> have no equivalents + here. They are not available with OpenLDAP 2.0, and in any case + have questionable security properties. Either you want TLS veri- + fied LDAP connections, or you don't. + + The <b>yes</b> value only works correctly with Postfix 2.5 and later, + or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP + releases don't work together with this setting. Support for LDAP + over TLS was added to Postfix based on the OpenLDAP 2.0 API. + + <b>tls_random_file (No default)</b> + Path of a file to obtain random bits from when /dev/[u]random is + not available, to be used by the client in SSL/TLS connections. + + <b>tls_cipher_suite (No default)</b> + Cipher suite to use in SSL/TLS negotiations. + +<b>EXAMPLE</b> + Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> aliases. + Assume that in <a href="postconf.5.html">main.cf</a>, you have: + + <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases, + <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf + + and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have: + + server_host = ldap.example.com + search_base = dc=example, dc=com + + Upon receiving mail for a local address "ldapuser" that isn't found in + the /etc/aliases database, Postfix will search the LDAP server listen- + ing at port 389 on ldap.example.com. It will bind anonymously, search + for any directory entries whose mailacceptinggeneralid attribute is + "ldapuser", read the "maildrop" attributes of those found, and build a + list of their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to + which the message will be delivered. + +<b>OBSOLETE MAIN.CF PARAMETERS</b> + For backwards compatibility with Postfix version 2.0 and earlier, LDAP + parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as LDAP source a + name that doesn't begin with a slash or a dot. The LDAP parameters + will then be accessible as the name you've given the source in its def- + inition, an underscore, and the name of the parameter. For example, if + the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter + below would be defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host". + + Note: with this form, the passwords for the LDAP sources are written in + <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form will + be removed in a future Postfix version. + +<b>OTHER OBSOLETE FEATURES</b> + For backwards compatibility with the pre 2.2 LDAP clients, <b>result_fil-</b> + <b>ter</b> can for now be used instead of <b>result_format</b>, when the latter + parameter is not also set. The new name better reflects the function + of the parameter. This compatibility interface may be removed in a + future release. + +<b>SEE ALSO</b> + <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager + <a href="postconf.5.html">postconf(5)</a>, configuration parameters + <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables + <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables + +<b>README FILES</b> + <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview + <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide + +<b>LICENSE</b> + The Secure Mailer license must be distributed with this software. + +<b>AUTHOR(S)</b> + Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM- + ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh, + Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others. + + LDAP_TABLE(5) +</pre> </body> </html> |