Linux.pl
Opcje wyszukiwania podręcznika man:
Lista stron man zaczynających się od znaku:
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z   ALPHA   NUM   OTHER   ALL
LDAP_TABLE(5)                                                    LDAP_TABLE(5)

NAME
       ldap_table - Postfix LDAP client configuration

SYNOPSIS
       postmap -q "string" ldap:/etc/postfix/filename

       postmap -q - ldap:/etc/postfix/filename <inputfile

DESCRIPTION
       The  Postfix  mail system uses optional tables for address rewriting or
       mail routing. These tables are usually in dbm or db format.

       Alternatively, lookup tables can be specified as LDAP databases.

       In order to use LDAP lookups, define an LDAP source as a  lookup  table
       in main.cf, for example:

           alias_maps = ldap:/etc/postfix/ldap-aliases.cf

       The  file /etc/postfix/ldap-aliases.cf has the same format as the Post-
       fix main.cf file, and can specify the parameters  described  below.  An
       example is given at the end of this manual.

       This  configuration  method  is  available with Postfix version 2.1 and
       later.  See the section "BACKWARDS COMPATIBILITY" below for older Post-
       fix versions.

       For  details  about  LDAP  SSL and STARTTLS, see the section on SSL and
       STARTTLS below.

BACKWARDS COMPATIBILITY
       For backwards compatibility with Postfix version 2.0 and earlier,  LDAP
       parameters  can  also  be defined in main.cf.  Specify as LDAP source a
       name that doesn't begin with a slash or a  dot.   The  LDAP  parameters
       will then be accessible as the name you've given the source in its def-
       inition, an underscore, and the name of the parameter.  For example, if
       the  map is specified as "ldap:ldapsource", the "server_host" parameter
       below would be defined in main.cf as "ldapsource_server_host".

       Note: with this form, the passwords for the LDAP sources are written in
       main.cf,  which is normally world-readable.  Support for this form will
       be removed in a future Postfix version.

       Postfix 2.2 has enhanced query interfaces  for  MySQL  and  PostgreSQL.
       These include features that were previously available only in the Post-
       fix LDAP client. This work also created an opportunity for improvements
       in  the  LDAP  interface.  The  primary  compatibility  issue  is  that
       result_filter (a name that has caused some confusion as to its  meaning
       in the past) has been renamed to result_format.  For backwards compati-
       bility with the pre 2.2 LDAP client, result_filter can for now be  used
       instead  of  result_format,  when the latter parameter is not also set.
       The new name better reflects the function of the parameter.  This  com-
       patibility interface may be removed in a future release.

LIST MEMBERSHIP
       When  using  LDAP  to  store lists such as $mynetworks, $mydestination,
       $relay_domains, $local_recipient_maps, etc., it is important to  under-
       stand that the table must store each list member as a separate key. The
       table lookup verifies the *existence* of the key.  See  "Postfix  lists
       versus tables" in the DATABASE_README document for a discussion.

       Do  NOT  create  tables  that  return  the  full  list  of  domains  in
       $mydestination or $relay_domains etc., or IP addresses in  $mynetworks.

       DO create tables with each matching item as a key and with an arbitrary
       value. With LDAP databases it is not uncommon to return the key itself.

       For example, NEVER do this in a map defining $mydestination:

           query_filter = domain=*
           result_attribute = domain

       Do this instead:

           query_filter = domain=%s
           result_attribute = domain

GENERAL LDAP PARAMETERS
       In  the  text  below,  default  values are given in parentheses.  Note:
       don't use quotes in these variables; at least, not  until  the  Postfix
       configuration routines understand how to deal with quoted strings.

       server_host (default: localhost)
              The name of the host running the LDAP server, e.g.

                  server_host = ldap.example.com

              Depending  on the LDAP client library you're using, it should be
              possible to specify multiple servers here, with the library try-
              ing  them  in order should the first one fail. It should also be
              possible to give each server in the list a different port (over-
              riding server_port below), by naming them like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to specify both
              the hostname(s) and the port(s):

                  server_host = ldap://ldap.example.com:1444
                              ldap://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP  library  are  supported,
              including  connections  over  UNIX  domain sockets, and LDAP SSL
              (the last one provided that OpenLDAP was compiled  with  support
              for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                              ldaps://ldap.example.com:636

       server_port (default: 389)
              The port the LDAP server listens on, e.g.

                  server_port = 778

       timeout (default: 10 seconds)
              The  number of seconds a search can take before timing out, e.g.

                  timeout = 5

       search_base (No default; you must configure this)
              The RFC2253 base DN at which to conduct the search, e.g.

                  search_base = dc=your, dc=com

              With Postfix 2.2 and later this parameter supports the following
              '%' expansions:

              %%     This is replaced by a literal '%' character.

              %s     This  is  replaced by the input key.  RFC 2253 quoting is
                     used to make sure that the input key does not  add  unex-
                     pected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2253) quoted local part of the
                     address.   Otherwise, %u is replaced by the entire search
                     string.  If the localpart is empty, the  search  is  sup-
                     pressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2253) quoted  domain  part  of
                     the  address.   Otherwise,  the  search is suppressed and
                     returns no results.

              %[SUD] For the search_base parameter, the upper-case equivalents
                     of  the  above  expansions  behave  identically  to their
                     lower-case counter-parts. With the result_format  parame-
                     ter  (previously called result_filter see the COMPATIBIL-
                     ITY section and below), they expand to the  corresponding
                     components of input key rather than the result value.

              %[1-9] The  patterns  %1,  %2, ... %9 are replaced by the corre-
                     sponding most significant component of  the  input  key's
                     domain.  If  the input key is user@mail.example.com, then
                     %1 is com, %2 is example and %3 is mail. If the input key
                     is  unqualified or does not have enough domain components
                     to satisfy all the specified patterns, the search is sup-
                     pressed and returns no results.

       query_filter (default: mailacceptinggeneralid=%s)
              The  RFC2254  filter used to search the directory, where %s is a
              substitute for the address Postfix is trying to resolve, e.g.

                  query_filter = (&(mail=%s)(paid_up=true))

              This parameter supports the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This  is  replaced by the input key.  RFC 2254 quoting is
                     used to make sure that the input key does not  add  unex-
                     pected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2254) quoted local part of the
                     address.   Otherwise, %u is replaced by the entire search
                     string.  If the localpart is empty, the  search  is  sup-
                     pressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2254) quoted  domain  part  of
                     the  address.   Otherwise,  the  search is suppressed and
                     returns no results.

              %[SUD] The upper-case equivalents of the above expansions behave
                     in the query_filter parameter identically to their lower-
                     case  counter-parts.  With  the  result_format  parameter
                     (previously  called  result_filter  see the COMPATIBILITY
                     section and below), they expand to the corresponding com-
                     ponents of input key rather than the result value.

                     The  above  %S,  %U  and %D expansions are available with
                     Postfix 2.2 and later.

              %[1-9] The patterns %1, %2, ... %9 are replaced  by  the  corre-
                     sponding  most  significant  component of the input key's
                     domain. If the input key is  user@mail.example.com,  then
                     %1 is com, %2 is example and %3 is mail. If the input key
                     is unqualified or does not have enough domain  components
                     to satisfy all the specified patterns, the search is sup-
                     pressed and returns no results.

                     The above %1, ..., %9 expansions are available with Post-
                     fix 2.2 and later.

              The  "domain" parameter described below limits the input keys to
              addresses in matching domains. When the  "domain"  parameter  is
              non-empty,  LDAP  queries for unqualified addresses or addresses
              in non-matching domains are suppressed and return no results.

              NOTE: DO NOT put quotes around the query_filter parameter.

       result_format (default: %s)
              Called result_filter in Postfix releases prior to  2.2.   Format
              template  applied  to  result  attributes. Most commonly used to
              append (or prepend) text to the result. This parameter  supports
              the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This is replaced by the value of  the  result  attribute.
                     When result is empty it is skipped.

              %u     When the result attribute value is an address of the form
                     user@domain, %u is replaced by  the  local  part  of  the
                     address.  When  the  result  has an empty localpart it is
                     skipped.

              %d     When a result attribute value is an address of  the  form
                     user@domain,  %d  is  replaced  by the domain part of the
                     attribute value. When the result  is  unqualified  it  is
                     skipped.

              %[SUD1-9]
                     The  upper-case  and decimal digit expansions interpolate
                     the parts of the input key rather than the result.  Their
                     behavior  is  identical to that described with query_fil-
                     ter, and in fact  because  the  input  key  is  known  in
                     advance,  lookups  whose  key  does  not  contain all the
                     information specified in the  result  template  are  sup-
                     pressed and return no results.

                     The  above  %S,  %U,  %D  and  %1, ..., %9 expansions are
                     available with Postfix 2.2 and later.

              For example, using "result_format = smtp:[%s]" allows one to use
              a mailHost attribute as the basis of a transport(5) table. After
              applying the result format, multiple values are concatenated  as
              comma  separated  strings.  The  expansion_limit  and size_limit
              parameters explained below allow one to restrict the  number  of
              values  in  the result, which is especially useful for maps that
              should return a single value.

              The default value %s specifies that each attribute value  should
              be used as is.

              This  parameter  was  called  result_filter  in Postfix releases
              prior to 2.2. If no "result_format" is specified, the  value  of
              "result_filter"  will  be  used  instead before resorting to the
              default value. This provides compatibility with  old  configura-
              tion files.

              NOTE: DO NOT put quotes around the result format!

       domain (default: no domain list)
              This is a list of domain names, paths to files, or dictionaries.
              When specified, only fully qualified search keys  with  a  *non-
              empty*  localpart and a matching domain are eligible for lookup:
              'user' lookups, bare domain lookups and  "@domain"  lookups  are
              not  performed.  This can significantly reduce the query load on
              the LDAP server.

                  domain = postfix.org, hash:/etc/postfix/searchdomains

              It is best not to use LDAP to store  the  domains  eligible  for
              LDAP lookups.

              NOTE: DO NOT define this parameter for local(8) aliases.

              This feature is available in Postfix 1.0 and later.

       result_attribute (default: maildrop)
              The  attribute(s)  Postfix  will read from any directory entries
              returned by the lookup, to be resolved to an email address.

                  result_attribute = mailbox, maildrop

       special_result_attribute (default: empty)
              The attribute(s) of directory entries that can  contain  DNs  or
              URLs.  If  found,  a  recursive  subsequent search is done using
              their values.

                  special_result_attribute = memberdn

              DN recursion retrieves the same result_attributes  as  the  main
              query,  including  the special attributes for further recursion.
              URI processing retrieves only those attributes that are included
              in    the    URI   definition   and   are   *also*   listed   in
              "result_attribute". If the URI lists any of  the  map's  special
              result  attributes,  these  are  also  retrieved and used recur-
              sively.

       terminal_result_attribute (default: empty)
              When one or more terminal result attributes are found in an LDAP
              entry, all other result attributes are ignored and only the ter-
              minal result attributes are returned. This is useful  for  dele-
              gating expansion of group members to a particular host, by using
              an optional "maildrop" attribute on selected groups to route the
              group  to a specific host, where the group is expanded, possibly
              via mailing-list manager or other special processing.

                  terminal_result_attribute = maildrop

              This feature is available with Postfix 2.4 or later.

       leaf_result_attribute (default: empty)
              When one or more special result attributes are found in  a  non-
              terminal  (see  above)  LDAP  entry,  leaf result attributes are
              excluded from the expansion of that entry. This is  useful  when
              expanding  groups  and  the desired mail address attribute(s) of
              the member objects obtained via DN or  URI  recursion  are  also
              present in the group object. To only return the attribute values
              from the leaf objects and not  the  containing  group,  add  the
              attribute   to  the  leaf_result_attribute  list,  and  not  the
              result_attribute list,  which  is  always  expanded.  Note,  the
              default  value  of "result_attribute" is not empty, you may want
              to set it explicitly empty when using "leaf_result_attribute" to
              expand  the  group  to  a list of member DN addresses. If groups
              have both member DN references AND attributes that hold multiple
              string valued rfc822 addresses, then the string attributes go in
              "result_attribute".  The attributes  that  represent  the  email
              addresses  of  objects  referenced  via a DN (or LDAP URI) go in
              "leaf_result_attribute".

                  result_attribute = memberaddr
                  special_result_attribute = memberdn
                  terminal_result_attribute = maildrop
                  leaf_result_attribute = mail

              This feature is available with Postfix 2.4 or later.

       scope (default: sub)
              The LDAP search scope: sub, base, or one.  These translate  into
              LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.

       bind (default: yes)
              Whether  or not to bind to the LDAP server. Newer LDAP implemen-
              tations don't require clients to bind, which saves  time.  Exam-
              ple:

                  bind = no

              If  you  do need to bind, you might consider configuring Postfix
              to connect to the local machine on a port that's an  SSL  tunnel
              to  your  LDAP server. If your LDAP server doesn't natively sup-
              port SSL, put a tunnel (wrapper, proxy,  whatever  you  want  to
              call  it)  on  that system too. This should prevent the password
              from traversing the network in the clear.

       bind_dn (default: empty)
              If you do have to bind, do  it  with  this  distinguished  name.
              Example:

                  bind_dn = uid=postfix, dc=your, dc=com

       bind_pw (default: empty)
              The  password  for  the distinguished name above. If you have to
              use this, you probably want to make the map  configuration  file
              readable  only  by  the  Postfix  user.  When using the obsolete
              ldap:ldapsource syntax, with map parameters in  main.cf,  it  is
              not  possible  to  securely  store  the  bind  password. This is
              because main.cf needs  to  be  world  readable  to  allow  local
              accounts to submit mail via the sendmail command. Example:

                  bind_pw = postfixpw

       cache (IGNORED with a warning)

       cache_expiry (IGNORED with a warning)

       cache_size (IGNORED with a warning)
              The  above parameters are NO LONGER SUPPORTED by Postfix.  Cache
              support has been dropped from OpenLDAP as of release 2.1.13.

       recursion_limit (default: 1000)
              A limit on the nesting  depth  of  DN  and  URL  special  result
              attribute evaluation. The limit must be a non-zero positive num-
              ber.

       expansion_limit (default: 0)
              A limit on the total number of result elements  returned  (as  a
              comma separated list) by a lookup against the map.  A setting of
              zero disables the limit. Lookups fail with a temporary error  if
              the  limit  is  exceeded.   Setting  the limit to 1 ensures that
              lookups do not return multiple values.

       size_limit (default: $expansion_limit)
              A limit on the number of LDAP entries  returned  by  any  single
              LDAP  search  performed  as  part  of the lookup. A setting of 0
              disables the limit.  Expansion of DN and URL references involves
              nested  LDAP  queries,  each of which is separately subjected to
              this limit.

              Note: even a single LDAP  entry  can  generate  multiple  lookup
              results,  via  multiple  result  attributes  and/or multi-valued
              result attributes. This limit caps the per search resource  uti-
              lization  on  the LDAP server, not the final multiplicity of the
              lookup  result.  It  is  analogous  to  the   "-z"   option   of
              "ldapsearch".

       dereference (default: 0)
              When to dereference LDAP aliases. (Note that this has nothing do
              with Postfix aliases.) The permitted values are those legal  for
              the OpenLDAP/UM LDAP implementations:

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See  ldap.h  or  the ldap_open(3) or ldapsearch(1) man pages for
              more information. And if you're using an LDAP package  that  has
              other  possible  values, please bring it to the attention of the
              postfix-users@postfix.org mailing list.

       chase_referrals (default: 0)
              Sets (or clears) LDAP_OPT_REFERRALS  (requires  LDAP  version  3
              support).

       version (default: 2)
              Specifies the LDAP protocol version to use.

       debuglevel (default: 0)
              What level to set for debugging in the OpenLDAP libraries.

LDAP SSL AND STARTTLS PARAMETERS
       If you're using the OpenLDAP libraries compiled with SSL support, Post-
       fix can connect to LDAP SSL servers and can issue the STARTTLS command.

       LDAP  SSL  service  can  be  requested  by  using a LDAP SSL URL in the
       server_host parameter:

           server_host = ldaps://ldap.example.com:636

       STARTTLS can be turned on with the start_tls parameter:

           start_tls = yes

       Both forms require LDAP protocol version 3, which has to be set explic-
       itly with:

           version = 3

       If  any  of the Postfix programs querying the map is configured in mas-
       ter.cf to run chrooted, all the certificates and keys involved have  to
       be  copied  to the chroot jail. Of course, the private keys should only
       be readable by the user "postfix".

       The following parameters are relevant to LDAP SSL and STARTTLS:

       start_tls (default: no)
              Whether or not to issue STARTTLS upon connection to the  server.
              Don't set this with LDAP SSL (the SSL session is setup automati-
              cally when the TCP connection is opened).

       tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
              Directory containing X509 Certificate Authority certificates  in
              PEM  format  which are to be recognized by the client in SSL/TLS
              connections. The files each contain  one  CA  certificate.   The
              files  are  looked  up  by the CA subject name hash value, which
              must hence be available. If more than one  CA  certificate  with
              the  same name hash value exist, the extension must be different
              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search  is  performed  in
              the  ordering of the extension number, regardless of other prop-
              erties of the certificates. Use the c_rehash utility  (from  the
              OpenSSL distribution) to create the necessary links.

       tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
              File  containing  the X509 Certificate Authority certificates in
              PEM format which are to be recognized by the client  in  SSL/TLS
              connections. This setting takes precedence over tls_ca_cert_dir.

       tls_cert (No default; you must set this)
              File containing client's X509 certificate  to  be  used  by  the
              client in SSL/ TLS connections.

       tls_key (No default; you must set this)
              File  containing  the  private  key  corresponding  to the above
              tls_cert.

       tls_require_cert (default: no)
              Whether or not to request server's X509  certificate  and  check
              its  validity  when  establishing SSL/TLS connections.  The sup-
              ported values are no and yes.

              With no, the server certificate trust chain is not checked,  but
              with  OpenLDAP  prior to 2.1.13, the name in the server certifi-
              cate must still match the LDAP server name. With OpenLDAP  2.0.0
              to 2.0.11 the server name is not necessarily what you specified,
              rather it is determined (by reverse lookup) from the IP  address
              of  the  LDAP  server connection. With OpenLDAP prior to 2.0.13,
              subjectAlternativeName extensions in the LDAP server certificate
              are  ignored: the server name must match the subject CommonName.
              The no setting corresponds to the never value of TLS_REQCERT  in
              LDAP client configuration files.

              Don't  use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
              if you can avoid it.

              With yes, the server certificate must be issued by a trusted CA,
              and  not  be expired. The LDAP server name must match one of the
              name(s) found in the certificate (see above for OpenLDAP library
              version  dependent behavior). The yes setting corresponds to the
              demand value of TLS_REQCERT in LDAP client configuration  files.

              The  "try" and "never" values of TLS_REQCERT have no equivalents
              here. They are not available with OpenLDAP 2.0, and in any  case
              have questionable security properties. Either you want TLS veri-
              fied LDAP connections, or you don't.

              The yes value only works correctly with Postfix 2.5  and  later,
              or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
              releases don't work together with this setting. Support for LDAP
              over TLS was added to Postfix based on the OpenLDAP 2.0 API.

       tls_random_file (No default)
              Path of a file to obtain random bits from when /dev/[u]random is
              not available, to be used by the client in SSL/TLS  connections.

       tls_cipher_suite (No default)
              Cipher suite to use in SSL/TLS negotiations.

EXAMPLE
       Here's  a  basic  example  for  using LDAP to look up local(8) aliases.
       Assume that in main.cf, you have:

           alias_maps = hash:/etc/aliases,
                   ldap:/etc/postfix/ldap-aliases.cf

       and in ldap:/etc/postfix/ldap-aliases.cf you have:

           server_host = ldap.example.com
           search_base = dc=example, dc=com

       Upon receiving mail for a local address "ldapuser" that isn't found  in
       the  /etc/aliases database, Postfix will search the LDAP server listen-
       ing at port 389 on ldap.example.com.  It will bind anonymously,  search
       for  any  directory  entries  whose mailacceptinggeneralid attribute is
       "ldapuser", read the "maildrop" attributes of those found, and build  a
       list  of  their maildrops, which will be treated as RFC822 addresses to
       which the message will be delivered.

SEE ALSO
       postmap(1), Postfix lookup table manager
       postconf(5), configuration parameters
       mysql_table(5), MySQL lookup tables
       pgsql_table(5), PostgreSQL lookup tables

README FILES
       Use "postconf readme_directory" or "postconf html_directory" to  locate
       this information.
       DATABASE_README, Postfix lookup table overview
       LDAP_README, Postfix LDAP client guide

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Carsten  Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
       ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat  K  Singh,
       Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.

                                                                 LDAP_TABLE(5)

Time taken: 0.00023 seconds


Created with the man page lookup class by Andrew Collington, php@amnuts.com