summaryrefslogtreecommitdiffstats
path: root/html/ldap_table.5.html
diff options
context:
space:
mode:
Diffstat (limited to 'html/ldap_table.5.html')
-rw-r--r--html/ldap_table.5.html674
1 files changed, 674 insertions, 0 deletions
diff --git a/html/ldap_table.5.html b/html/ldap_table.5.html
new file mode 100644
index 0000000..8d4ee06
--- /dev/null
+++ b/html/ldap_table.5.html
@@ -0,0 +1,674 @@
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html> <head>
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+<title> Postfix manual - ldap_table(5) </title>
+</head> <body> <pre>
+LDAP_TABLE(5) LDAP_TABLE(5)
+
+<b>NAME</b>
+ ldap_table - Postfix LDAP client configuration
+
+<b>SYNOPSIS</b>
+ <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i>
+
+ <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>
+
+<b>DESCRIPTION</b>
+ The Postfix mail system uses optional tables for address rewriting or
+ mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format.
+
+ Alternatively, lookup tables can be specified as LDAP databases.
+
+ In order to use LDAP lookups, define an LDAP source as a lookup table
+ in <a href="postconf.5.html">main.cf</a>, for example:
+
+ <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
+
+ The file /etc/postfix/ldap-aliases.cf has the same format as the Post-
+ fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below. An
+ example is given at the end of this manual.
+
+ This configuration method is available with Postfix version 2.1 and
+ later. See the section "OBSOLETE MAIN.CF PARAMETERS" below for older
+ Postfix versions.
+
+ For details about LDAP SSL and STARTTLS, see the section on SSL and
+ STARTTLS below.
+
+<b>LIST MEMBERSHIP</b>
+ When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>, $<a href="postconf.5.html#mydestination">mydestination</a>,
+ $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, etc., it is important to under-
+ stand that the table must store each list member as a separate key. The
+ table lookup verifies the *existence* of the key. See "Postfix lists
+ versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a discussion.
+
+ Do NOT create tables that return the full list of domains in $<a href="postconf.5.html#mydestination">mydesti</a>-
+ <a href="postconf.5.html#mydestination">nation</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses in $<a href="postconf.5.html#mynetworks">mynetworks</a>.
+
+ DO create tables with each matching item as a key and with an arbitrary
+ value. With LDAP databases it is not uncommon to return the key itself.
+
+ For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>:
+
+ query_filter = domain=*
+ result_attribute = domain
+
+ Do this instead:
+
+ query_filter = domain=%s
+ result_attribute = domain
+
+<b>GENERAL LDAP PARAMETERS</b>
+ In the text below, default values are given in parentheses. Note:
+ don't use quotes in these variables; at least, not until the Postfix
+ configuration routines understand how to deal with quoted strings.
+
+ <b>server_host (default: localhost)</b>
+ The name of the host running the LDAP server, e.g.
+
+ server_host = ldap.example.com
+
+ Depending on the LDAP client library you're using, it should be
+ possible to specify multiple servers here, with the library try-
+ ing them in order should the first one fail. It should also be
+ possible to give each server in the list a different port (over-
+ riding <b>server_port</b> below), by naming them like
+
+ server_host = ldap.example.com:1444
+
+ With OpenLDAP, a (list of) LDAP URLs can be used to specify both
+ the hostname(s) and the port(s):
+
+ server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
+ <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444
+
+ All LDAP URLs accepted by the OpenLDAP library are supported,
+ including connections over UNIX domain sockets, and LDAP SSL
+ (the last one provided that OpenLDAP was compiled with support
+ for SSL):
+
+ server_host = ldapi://%2Fsome%2Fpath
+ ldaps://ldap.example.com:636
+
+ <b>server_port (default: 389)</b>
+ The port the LDAP server listens on, e.g.
+
+ server_port = 778
+
+ <b>timeout (default: 10 seconds)</b>
+ The number of seconds a search can take before timing out, e.g.
+
+ timeout = 5
+
+ <b>search_base (No default; you must configure this)</b>
+ The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search, e.g.
+
+ search_base = dc=your, dc=com
+
+ With Postfix 2.2 and later this parameter supports the following
+ '%' expansions:
+
+ <b>%%</b> This is replaced by a literal '%' character.
+
+ <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a> quoting is
+ used to make sure that the input key does not add unex-
+ pected metacharacters.
+
+ <b>%u</b> When the input key is an address of the form user@domain,
+ <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted local part of the
+ address. Otherwise, <b>%u</b> is replaced by the entire search
+ string. If the localpart is empty, the search is sup-
+ pressed and returns no results.
+
+ <b>%d</b> When the input key is an address of the form user@domain,
+ <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>) quoted domain part of
+ the address. Otherwise, the search is suppressed and
+ returns no results.
+
+ <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents
+ of the above expansions behave identically to their
+ lower-case counter-parts. With the <b>result_format</b> parame-
+ ter (previously called <b>result_filter</b> see the COMPATIBIL-
+ ITY section and below), they expand to the corresponding
+ components of input key rather than the result value.
+
+ <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre-
+ sponding most significant component of the input key's
+ domain. If the input key is <i>user@mail.example.com</i>, then
+ %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
+ is unqualified or does not have enough domain components
+ to satisfy all the specified patterns, the search is sup-
+ pressed and returns no results.
+
+ <b>query_filter (default: mailacceptinggeneralid=%s)</b>
+ The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a
+ substitute for the address Postfix is trying to resolve, e.g.
+
+ query_filter = (&amp;(mail=%s)(paid_up=true))
+
+ This parameter supports the following '%' expansions:
+
+ <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2
+ and later).
+
+ <b>%s</b> This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
+ used to make sure that the input key does not add unex-
+ pected metacharacters.
+
+ <b>%u</b> When the input key is an address of the form user@domain,
+ <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
+ address. Otherwise, <b>%u</b> is replaced by the entire search
+ string. If the localpart is empty, the search is sup-
+ pressed and returns no results.
+
+ <b>%d</b> When the input key is an address of the form user@domain,
+ <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of
+ the address. Otherwise, the search is suppressed and
+ returns no results.
+
+ <b>%[SUD]</b> The upper-case equivalents of the above expansions behave
+ in the <b>query_filter</b> parameter identically to their
+ lower-case counter-parts. With the <b>result_format</b> parame-
+ ter (previously called <b>result_filter</b> see the COMPATIBIL-
+ ITY section and below), they expand to the corresponding
+ components of input key rather than the result value.
+
+ The above %S, %U and %D expansions are available with
+ Postfix 2.2 and later.
+
+ <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre-
+ sponding most significant component of the input key's
+ domain. If the input key is <i>user@mail.example.com</i>, then
+ %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
+ is unqualified or does not have enough domain components
+ to satisfy all the specified patterns, the search is sup-
+ pressed and returns no results.
+
+ The above %1, ..., %9 expansions are available with Post-
+ fix 2.2 and later.
+
+ The "domain" parameter described below limits the input keys to
+ addresses in matching domains. When the "domain" parameter is
+ non-empty, LDAP queries for unqualified addresses or addresses
+ in non-matching domains are suppressed and return no results.
+
+ NOTE: DO NOT put quotes around the <b>query_filter</b> parameter.
+
+ <b>result_format (default: %s</b>)
+ Called <b>result_filter</b> in Postfix releases prior to 2.2. Format
+ template applied to result attributes. Most commonly used to
+ append (or prepend) text to the result. This parameter supports
+ the following '%' expansions:
+
+ <b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2
+ and later).
+
+ <b>%s</b> This is replaced by the value of the result attribute.
+ When result is empty it is skipped.
+
+ <b>%u</b> When the result attribute value is an address of the form
+ user@domain, <b>%u</b> is replaced by the local part of the
+ address. When the result has an empty localpart it is
+ skipped.
+
+ <b>%d</b> When a result attribute value is an address of the form
+ user@domain, <b>%d</b> is replaced by the domain part of the
+ attribute value. When the result is unqualified it is
+ skipped.
+
+ <b>%[SUD1-9]</b>
+ The upper-case and decimal digit expansions interpolate
+ the parts of the input key rather than the result. Their
+ behavior is identical to that described with <b>query_fil-</b>
+ <b>ter</b>, and in fact because the input key is known in
+ advance, lookups whose key does not contain all the
+ information specified in the result template are sup-
+ pressed and return no results.
+
+ The above %S, %U, %D and %1, ..., %9 expansions are
+ available with Postfix 2.2 and later.
+
+ For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use
+ a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After
+ applying the result format, multiple values are concatenated as
+ comma separated strings. The expansion_limit and size_limit
+ parameters explained below allow one to restrict the number of
+ values in the result, which is especially useful for maps that
+ should return a single value.
+
+ The default value <b>%s</b> specifies that each attribute value should
+ be used as is.
+
+ This parameter was called <b>result_filter</b> in Postfix releases
+ prior to 2.2. If no "result_format" is specified, the value of
+ "result_filter" will be used instead before resorting to the
+ default value. This provides compatibility with old configura-
+ tion files.
+
+ NOTE: DO NOT put quotes around the result format!
+
+ <b>domain (default: no domain list)</b>
+ This is a list of domain names, paths to files, or dictionaries.
+ When specified, only fully qualified search keys with a
+ *non-empty* localpart and a matching domain are eligible for
+ lookup: 'user' lookups, bare domain lookups and "@domain"
+ lookups are not performed. This can significantly reduce the
+ query load on the LDAP server.
+
+ domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains
+
+ It is best not to use LDAP to store the domains eligible for
+ LDAP lookups.
+
+ NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a> aliases.
+
+ This feature is available in Postfix 1.0 and later.
+
+ <b>result_attribute (default: maildrop)</b>
+ The attribute(s) Postfix will read from any directory entries
+ returned by the lookup, to be resolved to an email address.
+
+ result_attribute = mailbox, maildrop
+
+ Don't rely on the default value ("maildrop"). Set the
+ result_attribute explicitly in all ldap table configuration
+ files. This is particularly relevant when no result_attribute is
+ applicable, e.g. cases in which leaf_result_attribute and/or
+ terminal_result_attribute are used instead. The default value is
+ harmless if "maildrop" is also listed as a leaf or terminal
+ result attribute, but it is best to not leave this to chance.
+
+ <b>special_result_attribute (default: empty)</b>
+ The attribute(s) of directory entries that can contain DNs or
+ <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a> LDAP URLs. If found, a recursive search is performed to
+ retrieve the entry referenced by the DN, or the entries matched
+ by the URL query.
+
+ special_result_attribute = memberdn
+
+ DN recursion retrieves the same result_attributes as the main
+ query, including the special attributes for further recursion.
+
+ URL processing retrieves only those attributes that are included
+ in both the URL definition and as result attributes (ordinary,
+ special, leaf or terminal) in the Postfix table definition. If
+ the URL lists any of the table's special result attributes,
+ these are retrieved and used recursively. A URL that does not
+ specify any attribute selection, is equivalent (<a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>) to a
+ URL that selects all attributes, in which case the selected
+ attributes will be the full set of result attributes in the
+ Postfix table.
+
+ If an LDAP URL attribute-descriptor or the corresponding Postfix
+ LDAP table result attribute (but not both) uses <a href="http://tools.ietf.org/html/rfc2255">RFC 2255</a>
+ sub-type options ("attr;option"), the attribute requested from
+ the LDAP server will include the sub-type option. In all other
+ cases, the URL attribute and the table attribute must match
+ exactly. Attributes with options in both the URL and the Postfix
+ table are requested only when the options are identical. LDAP
+ attribute-descriptor options are very rarely used, most LDAP
+ users will not need to concern themselves with this level of
+ nuanced detail.
+
+ <b>terminal_result_attribute (default: empty)</b>
+ When one or more terminal result attributes are found in an LDAP
+ entry, all other result attributes are ignored and only the ter-
+ minal result attributes are returned. This is useful for dele-
+ gating expansion of group members to a particular host, by using
+ an optional "maildrop" attribute on selected groups to route the
+ group to a specific host, where the group is expanded, possibly
+ via mailing-list manager or other special processing.
+
+ result_attribute =
+ terminal_result_attribute = maildrop
+
+ When using terminal and/or leaf result attributes, the
+ result_attribute is best set to an empty value when it is not
+ used, or else explicitly set to the desired value, even if it is
+ the default value "maildrop".
+
+ This feature is available with Postfix 2.4 or later.
+
+ <b>leaf_result_attribute (default: empty)</b>
+ When one or more special result attributes are found in a
+ non-terminal (see above) LDAP entry, leaf result attributes are
+ excluded from the expansion of that entry. This is useful when
+ expanding groups and the desired mail address attribute(s) of
+ the member objects obtained via DN or URI recursion are also
+ present in the group object. To only return the attribute values
+ from the leaf objects and not the containing group, add the
+ attribute to the leaf_result_attribute list, and not the
+ result_attribute list, which is always expanded. Note, the
+ default value of "result_attribute" is not empty, you may want
+ to set it explicitly empty when using "leaf_result_attribute" to
+ expand the group to a list of member DN addresses. If groups
+ have both member DN references AND attributes that hold multiple
+ string valued rfc822 addresses, then the string attributes go in
+ "result_attribute". The attributes that represent the email
+ addresses of objects referenced via a DN (or LDAP URI) go in
+ "leaf_result_attribute".
+
+ result_attribute = memberaddr
+ special_result_attribute = memberdn
+ terminal_result_attribute = maildrop
+ leaf_result_attribute = mail
+
+ When using terminal and/or leaf result attributes, the
+ result_attribute is best set to an empty value when it is not
+ used, or else explicitly set to the desired value, even if it is
+ the default value "maildrop".
+
+ This feature is available with Postfix 2.4 or later.
+
+ <b>scope (default: sub)</b>
+ The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These translate into
+ LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
+
+ <b>bind (default: yes)</b>
+ Whether or how to bind to the LDAP server. Newer LDAP implemen-
+ tations don't require clients to bind, which saves time. Exam-
+ ple:
+
+ # Don't bind
+ bind = no
+ # Use SIMPLE bind
+ bind = yes
+ # Use SASL bind
+ bind = sasl
+
+ Postfix versions prior to 2.8 only support "bind = no" which
+ means don't bind, and "bind = yes" which means do a SIMPLE bind.
+ Postfix 2.8 and later also supports "bind = SASL" when compiled
+ with LDAP SASL support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds
+ the synonyms "bind = none" and "bind = simple" for "bind = no"
+ and "bind = yes" respectively. See the SASL section below for
+ additional parameters available with "bind = sasl".
+
+ If you do need to bind, you might consider configuring Postfix
+ to connect to the local machine on a port that's an SSL tunnel
+ to your LDAP server. If your LDAP server doesn't natively sup-
+ port SSL, put a tunnel (wrapper, proxy, whatever you want to
+ call it) on that system too. This should prevent the password
+ from traversing the network in the clear.
+
+ <b>bind_dn (default: empty)</b>
+ If you do have to bind, do it with this distinguished name.
+ Example:
+
+ bind_dn = uid=postfix, dc=your, dc=com
+ With "bind = sasl" (see above) the DN may be optional for some
+ SASL mechanisms, don't specify a DN if not needed.
+
+ <b>bind_pw (default: empty)</b>
+ The password for the distinguished name above. If you have to
+ use this, you probably want to make the map configuration file
+ readable only by the Postfix user. When using the obsolete
+ <a href="ldap_table.5.html">ldap</a>:ldapsource syntax, with map parameters in <a href="postconf.5.html">main.cf</a>, it is
+ not possible to securely store the bind password. This is
+ because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow local
+ accounts to submit mail via the sendmail command. Example:
+
+ bind_pw = postfixpw
+ With "bind = sasl" (see above) the password may be optional for
+ some SASL mechanisms, don't specify a password if not needed.
+
+ <b>cache (IGNORED with a warning)</b>
+
+ <b>cache_expiry (IGNORED with a warning)</b>
+
+ <b>cache_size (IGNORED with a warning)</b>
+ The above parameters are NO LONGER SUPPORTED by Postfix. Cache
+ support has been dropped from OpenLDAP as of release 2.1.13.
+
+ <b>recursion_limit (default: 1000)</b>
+ A limit on the nesting depth of DN and URL special result
+ attribute evaluation. The limit must be a non-zero positive num-
+ ber.
+
+ <b>expansion_limit (default: 0)</b>
+ A limit on the total number of result elements returned (as a
+ comma separated list) by a lookup against the map. A setting of
+ zero disables the limit. Lookups fail with a temporary error if
+ the limit is exceeded. Setting the limit to 1 ensures that
+ lookups do not return multiple values.
+
+ <b>size_limit (default: $expansion_limit)</b>
+ A limit on the number of LDAP entries returned by any single
+ LDAP search performed as part of the lookup. A setting of 0 dis-
+ ables the limit. Expansion of DN and URL references involves
+ nested LDAP queries, each of which is separately subjected to
+ this limit.
+
+ Note: even a single LDAP entry can generate multiple lookup
+ results, via multiple result attributes and/or multi-valued
+ result attributes. This limit caps the per search resource uti-
+ lization on the LDAP server, not the final multiplicity of the
+ lookup result. It is analogous to the "-z" option of
+ "ldapsearch".
+
+ <b>dereference (default: 0)</b>
+ When to dereference LDAP aliases. (Note that this has nothing do
+ with Postfix aliases.) The permitted values are those legal for
+ the OpenLDAP/UM LDAP implementations:
+
+ 0 never
+
+ 1 when searching
+
+ 2 when locating the base object for the search
+
+ 3 always
+
+ See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
+ more information. And if you're using an LDAP package that has
+ other possible values, please bring it to the attention of the
+ postfix-users@postfix.org mailing list.
+
+ <b>chase_referrals (default: 0)</b>
+ Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3
+ support).
+
+ <b>version (default: 2)</b>
+ Specifies the LDAP protocol version to use.
+
+ <b>debuglevel (default: 0)</b>
+ What level to set for debugging in the OpenLDAP libraries.
+
+<b>LDAP SASL PARAMETERS</b>
+ If you're using the OpenLDAP libraries compiled with SASL support,
+ Postfix 2.8 and later built with LDAP SASL support as described in
+ <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP servers via SASL.
+
+ This enables authentication to the LDAP server via mechanisms other
+ than a simple password. The added flexibility has a cost: it is no
+ longer practical to set an explicit timeout on the duration of an LDAP
+ bind operation. Under adverse conditions, whether a SASL bind times
+ out, or if it does, the duration of the timeout is determined by the
+ LDAP and SASL libraries.
+
+ It is best to use tables that use SASL binds via <a href="proxymap.8.html">proxymap(8)</a>, this way
+ the requesting process can time-out the proxymap request. This also
+ lets you tailer the process environment by overriding the <a href="proxymap.8.html">proxymap(8)</a>
+ <a href="postconf.5.html#import_environment">import_environment</a> setting in <a href="master.5.html">master.cf</a>(5). Special environment set-
+ tings may be needed to configure GSSAPI credential caches or other SASL
+ mechanism specific options. The GSSAPI credentials used for LDAP
+ lookups may need to be different than say those used for the Postfix
+ SMTP client to authenticate to remote servers.
+
+ Using SASL mechanisms requires LDAP protocol version 3, the default
+ protocol version is 2 for backwards compatibility. You must set "ver-
+ sion = 3" in addition to "bind = sasl".
+
+ The following parameters are relevant to using LDAP with SASL
+
+ <b>sasl_mechs (default: empty)</b>
+ Space separated list of SASL mechanism(s) to try.
+
+ <b>sasl_realm (default: empty)</b>
+ SASL Realm to use, if applicable.
+
+ <b>sasl_authz_id (default: empty)</b>
+ The SASL authorization identity to assert, if applicable.
+
+ <b>sasl_minssf (default: 0)</b>
+ The minimum required sasl security factor required to establish
+ a connection.
+
+<b>LDAP SSL AND STARTTLS PARAMETERS</b>
+ If you're using the OpenLDAP libraries compiled with SSL support, Post-
+ fix can connect to LDAP SSL servers and can issue the STARTTLS command.
+
+ LDAP SSL service can be requested by using a LDAP SSL URL in the
+ server_host parameter:
+
+ server_host = ldaps://ldap.example.com:636
+
+ STARTTLS can be turned on with the start_tls parameter:
+
+ start_tls = yes
+
+ Both forms require LDAP protocol version 3, which has to be set explic-
+ itly with:
+
+ version = 3
+
+ If any of the Postfix programs querying the map is configured in <a href="master.5.html">mas-
+ ter.cf</a> to run chrooted, all the certificates and keys involved have to
+ be copied to the chroot jail. Of course, the private keys should only
+ be readable by the user "postfix".
+
+ The following parameters are relevant to LDAP SSL and STARTTLS:
+
+ <b>start_tls (default: no)</b>
+ Whether or not to issue STARTTLS upon connection to the server.
+ Don't set this with LDAP SSL (the SSL session is setup automati-
+ cally when the TCP connection is opened).
+
+ <b>tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)</b>
+ Directory containing X509 Certification Authority certificates
+ in PEM format which are to be recognized by the client in
+ SSL/TLS connections. The files each contain one CA certificate.
+ The files are looked up by the CA subject name hash value, which
+ must hence be available. If more than one CA certificate with
+ the same name hash value exist, the extension must be different
+ (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in
+ the ordering of the extension number, regardless of other prop-
+ erties of the certificates. Use the c_rehash utility (from the
+ OpenSSL distribution) to create the necessary links.
+
+ <b>tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)</b>
+ File containing the X509 Certification Authority certificates in
+ PEM format which are to be recognized by the client in SSL/TLS
+ connections. This setting takes precedence over tls_ca_cert_dir.
+
+ <b>tls_cert (No default; you must set this)</b>
+ File containing client's X509 certificate to be used by the
+ client in SSL/ TLS connections.
+
+ <b>tls_key (No default; you must set this)</b>
+ File containing the private key corresponding to the above
+ tls_cert.
+
+ <b>tls_require_cert (default: no)</b>
+ Whether or not to request server's X509 certificate and check
+ its validity when establishing SSL/TLS connections. The sup-
+ ported values are <b>no</b> and <b>yes</b>.
+
+ With <b>no</b>, the server certificate trust chain is not checked, but
+ with OpenLDAP prior to 2.1.13, the name in the server certifi-
+ cate must still match the LDAP server name. With OpenLDAP 2.0.0
+ to 2.0.11 the server name is not necessarily what you specified,
+ rather it is determined (by reverse lookup) from the IP address
+ of the LDAP server connection. With OpenLDAP prior to 2.0.13,
+ subjectAlternativeName extensions in the LDAP server certificate
+ are ignored: the server name must match the subject CommonName.
+ The <b>no</b> setting corresponds to the <b>never</b> value of <b>TLS_REQCERT</b> in
+ LDAP client configuration files.
+
+ Don't use TLS with OpenLDAP 2.0.x (and especially with x &lt;= 11)
+ if you can avoid it.
+
+ With <b>yes</b>, the server certificate must be issued by a trusted CA,
+ and not be expired. The LDAP server name must match one of the
+ name(s) found in the certificate (see above for OpenLDAP library
+ version dependent behavior). The <b>yes</b> setting corresponds to the
+ <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client configuration files.
+
+ The "try" and "allow" values of <b>TLS_REQCERT</b> have no equivalents
+ here. They are not available with OpenLDAP 2.0, and in any case
+ have questionable security properties. Either you want TLS veri-
+ fied LDAP connections, or you don't.
+
+ The <b>yes</b> value only works correctly with Postfix 2.5 and later,
+ or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
+ releases don't work together with this setting. Support for LDAP
+ over TLS was added to Postfix based on the OpenLDAP 2.0 API.
+
+ <b>tls_random_file (No default)</b>
+ Path of a file to obtain random bits from when /dev/[u]random is
+ not available, to be used by the client in SSL/TLS connections.
+
+ <b>tls_cipher_suite (No default)</b>
+ Cipher suite to use in SSL/TLS negotiations.
+
+<b>EXAMPLE</b>
+ Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a> aliases.
+ Assume that in <a href="postconf.5.html">main.cf</a>, you have:
+
+ <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases,
+ <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
+
+ and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:
+
+ server_host = ldap.example.com
+ search_base = dc=example, dc=com
+
+ Upon receiving mail for a local address "ldapuser" that isn't found in
+ the /etc/aliases database, Postfix will search the LDAP server listen-
+ ing at port 389 on ldap.example.com. It will bind anonymously, search
+ for any directory entries whose mailacceptinggeneralid attribute is
+ "ldapuser", read the "maildrop" attributes of those found, and build a
+ list of their maildrops, which will be treated as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to
+ which the message will be delivered.
+
+<b>OBSOLETE MAIN.CF PARAMETERS</b>
+ For backwards compatibility with Postfix version 2.0 and earlier, LDAP
+ parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as LDAP source a
+ name that doesn't begin with a slash or a dot. The LDAP parameters
+ will then be accessible as the name you've given the source in its def-
+ inition, an underscore, and the name of the parameter. For example, if
+ the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the "server_host" parameter
+ below would be defined in <a href="postconf.5.html">main.cf</a> as "<i>ldapsource</i>_server_host".
+
+ Note: with this form, the passwords for the LDAP sources are written in
+ <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form will
+ be removed in a future Postfix version.
+
+<b>OTHER OBSOLETE FEATURES</b>
+ For backwards compatibility with the pre 2.2 LDAP clients, <b>result_fil-</b>
+ <b>ter</b> can for now be used instead of <b>result_format</b>, when the latter
+ parameter is not also set. The new name better reflects the function
+ of the parameter. This compatibility interface may be removed in a
+ future release.
+
+<b>SEE ALSO</b>
+ <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
+ <a href="postconf.5.html">postconf(5)</a>, configuration parameters
+ <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables
+ <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables
+
+<b>README FILES</b>
+ <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
+ <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
+
+<b>LICENSE</b>
+ The Secure Mailer license must be distributed with this software.
+
+<b>AUTHOR(S)</b>
+ Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
+ ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh,
+ Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
+
+ LDAP_TABLE(5)
+</pre> </body> </html>