Sendmail + LDAP HOWTO
Jason Christopher Radford, jradford@iconimaging.net
August 16, 2000
1. Introduction
2. Installing the ldap Server
3. Configuring the ldap Server
4. Configuring Sendmail
5. Testing Sendmail ldap lookups--Not finished yet
6. Troubleshooting--Not finished yet
1. Introduction

1.1. Purpose/Introduction

The purpose of this document is to set up an LDAP directory with sendmail and detail the advantages of using such a system. The reader will learn the basic setup of the OpenLDAP directory and how to compile and interface sendmail with LDAP support to take advantage of this directory.

An LDAP directory with standards-based LDAP entries will be created, allowing sendmail to replace the alias table normally stored in a database map file on that sendmail server. The information presented in this document should give the reader a gentle introduction to LDAP, adding LDAP entries, and configuring sendmail to utilize these entries for mail routing purposes using an extended schema entitled LASER (what it stands for). Additional information regarding LDAP, OpenLDAP server administration, sendmail administration, and pertinent RFC information may be found in the reference section of this HOWTO document.

1.2. What is LDAP?

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for accessing information services. The protocol runs over Internet transport protocols, such as TCP, and can be used to access stand-alone servers or X.500 directories. LDAP is a lightweight alternative to the X.500 Directory Access Protocol (DAP).

1.3. How can sendmail benefit from LDAP?

Historically, information associated with the lookup and routing of user SMTP information has been stored individually on each sendmail server in the form of database maps or flat files. While this does not pose a problem for a single server, multiple sendmail servers had to somehow keep these files in synchronization with each other, or required the email administrator to update these files on each server individually. The LDAP protocol enables sendmail to access a cross-platform, standards-based central repository of user information.
Another key benefit of LDAP is that companies can now use standards-based tools, in almost any LDAP-enabled development language, to create a customized directory of information for company-wide access by all applications (not limited to email).

1.4. How do I decide if I should use LDAP?

LDAP servers are heavily optimized for read-intensive operations. This differs from conventional RDBS (Relational Database System) systems, where data stored in a SQL database is constantly being written or updated. Another difference is the lack of referential integrity in an LDAP directory: there are no concepts in LDAP such as 'Primary Keys' to ensure uniqueness of the directory entries as a whole. Enforcing such constraints is left to the applications which add/delete/modify LDAP entries and their respective attributes. An LDAP directory would be beneficial in the following cases:
1.5. LASER LDAP SMTP Routing Specification

LASER is an IETF draft document providing an LDAP schema for intranet mail routing. A key part of this document defines an LDAP object class called 'inetLocalMailRecipient' along with its respective attributes. Note that this schema is intended only to be used in the process of routing email within a private enterprise, not on the public Internet. The OpenLDAP directory will include this schema and rely heavily on its attributes for SMTP mail routing via sendmail's LDAP maps. Further information about LASER can be found in the reference section of this document.

2. Installing the LDAP Server

2.1. Downloading OpenLDAP

The OpenLDAP package can be found at www.openldap.org; at the time of this document the current stable version is 1.2.11.

2.2. Unpacking the OpenLDAP tarball

Place the tarball in your home directory on the server it is going to be running on. For clarity I'll assume the filename is openldap-1.2.11.tgz. Execute the following command:

    example: tar xvfz openldap-1.2.11.tgz

NOTE: some systems do not support the z option in tar; you will need to use an unzip utility such as gzip first, as follows:

    example: gzip -d openldap-1.2.11.tgz
    example: tar xvf openldap-1.2.11.tar

2.3. Configuring/Compiling the LDAP Server

Change directories into the newly untarred directory:

    example: cd openldap-1.2.11

Run the configuration script so that it may properly query your system and generate a makefile.

    example: ./configure

Now build the dependencies for compiling.

    example: make depend

Type make to compile and build the OpenLDAP binaries. This step may take some time depending on the speed of your system.

    example: make

Change into the tests directory.

    example: cd tests

Type make to execute a series of tests to ensure the LDAP server is properly compiled and working on your machine.
    example: make

Once all of the tests have successfully completed, change directories one level up, become root (type su and enter root's password at the prompt), and type make install. This will install the LDAP server properly onto the machine.

    example: cd ..
    example: su
    example: make install

Now that the binaries and basic configuration files are installed we can progress to the final configuration stages of the LDAP server.

3. Configuring the LDAP Server

3.1. The basic file map (layout) and location of the installed files are as follows:

/usr/local/etc/openldap - This directory contains all of the configuration files for the LDAP server.

/usr/local/var/openldap-ldbm/ - This directory contains the actual LDBM database where all of the directory's entries and indexes will be stored. NOTE: This directory should not be group or world readable, writable, or executable.

/usr/local/libexec - This directory contains the LDAP server executables including slapd (the Stand Alone LDAP Server), slurpd (what does that mean?), and a few other tools. For their respective uses consult the README file in the openldap directory that you untarred in your home directory.

3.2. Configuring slapd.conf

Use a Unix editor such as vi and open slapd.conf in /usr/local/etc/openldap. (You need to be root to edit this file.) The 3 lines we are most concerned about are as follows:

    suffix "dc=my-domain, dc=com"
    rootdn "cn=Manager, dc=mydomain, dc=com"
    rootpw secret

The values my-domain and com should be replaced with the appropriate entries; for this example we'll assume a company named foo whose Internet domain is foo.com. So we would change the entries to the following:

    suffix "dc=foo, dc=com"
    rootdn "cn=Manager, dc=foo, dc=com"

The final entry, rootpw, is the LDAP directory's root password for modifying, deleting, and adding entries in the directory.
By default anyone can bind anonymously and search the directory; however, if any changes or additions need to be made you'll need to bind as the rootdn and use the rootpw in the LDAP command line tools or from whatever application/language you're using. You should now change the rootpw to a value you're comfortable with. (Since the password is stored in clear text here, slapd.conf should be readable only by root.)

Lastly we need to tell the LDAP server about the extended schema that LASER provides. At the top of the slapd.conf file you'll see 2 include statements that should look similar to this:

    include /usr/local/etc/openldap/slapd.at.conf
    include /usr/local/etc/openldap/slapd.oc.conf

Add a line directly below the last include statement and enter the following line exactly as shown:

    include /usr/local/etc/openldap/mail-routing.oc.conf

After adding the above line, save the modified slapd.conf file.

3.3. Adding the LASER schema definition file

A file must now be created to satisfy the mail-routing.oc.conf include statement we just entered in the slapd.conf configuration file. Create a file named mail-routing.oc.conf in the /usr/local/etc/openldap directory (using the exact path/file name you entered in slapd.conf) with the following contents:

    # Beginning of file
    #
    # LDAP Schema for Intranet Mail Routing
    # Reference: draft-lachman-laser-ldap-mail-routing-02
    #
    # This file has been tested using OpenLDAP (www.openldap.org).
    # Save this file as mail-routing.oc.conf and add a line to your slapd.conf:
    #   include /usr/local/etc/openldap/mail-routing.oc.conf
    #
    # Add an additional in

    attribute mailLocalAddress cis
    attribute mailRoutingAddress cis
    attribute mailHost cis

    objectClass inetLocalMailRecipient
        requires
            objectClass
        allows
            mailLocalAddress,
            mailRoutingAddress,
            mailHost

    # End of File

Save the above file in the appropriate location. The LDAP server will now include this file at startup and thereby know the new object class 'inetLocalMailRecipient'.
3.4. Starting the LDAP server

Issue the following command as root to start the LDAP server.

    example: /usr/local/libexec/slapd

3.5. Populating the LDAP database

In your home directory, using a Unix editor such as vi, create a file called entry.ldif containing the following:

    dn: dc=foo, dc=com
    dc: foo
    o: foo inc.
    objectclass: organization
    objectclass: dcObject

    dn: cn=Manager, dc=foo, dc=com
    cn: Manager
    sn: Manager
    objectclass: person

After saving the entry.ldif file execute the following command:

    example: ldapadd -D "cn=Manager, dc=foo, dc=com" -W < entry.ldif

This command will add the initial entries for the directory from the entry.ldif file; it will also create a person entry in the directory called Manager. The command will prompt you for the rootdn's password which was specified in the slapd.conf configuration file. If you get an "invalid credentials" error you're either not using the proper rootdn entry or not entering the correct password.

3.6. Testing the LDAP Server

Enter the following command; this will search (anonymously) for the Manager entry that was just inserted into the directory via the ldapadd command.

    example: ldapsearch -L -b "dc=foo, dc=com" "(objectclass=*)"

3.7. Adding a test user using the LASER attributes

not finished yet

3.8. Stopping the LDAP server

To properly stop the LDAP server it should be sent the TERM signal as follows:

    example:

4. Configuring sendmail

4.1. Downloading sendmail

As of this writing sendmail 8.11.1 is available from ftp.sendmail.org.

4.2. Unpacking the tarball

Place the sendmail tarball in your home directory on the server it's going to be running on. For clarity I'll assume the filename is sendmail-8.11.tar.gz.
Execute the following command:

    example: tar xvfz sendmail-8.11.tar.gz

NOTE: some systems do not support the z option in tar; you will need to use an unzip utility such as gzip first, as follows:

    example: gzip -d sendmail-8.11.tar.gz
    example: tar xvf sendmail-8.11.tar

4.3. Configuring the sendmail build process

Using a text editor, create a file in {sendmailroot}/devtools/Site/ called site.config.m4 to store information telling sendmail to include the LDAP map and libraries in the build process. This file should contain something similar to the following:

    APPENDDEF(`confMAPDEF', `-DLDAPMAP')
    APPENDDEF(`confINCDIRS', `-I/home/radfojc/openldap-1.2.11/include')
    APPENDDEF(`confLIBDIRS', `-L/home/radfojc/openldap-1.2.11/libraries')
    APPENDDEF(`confLIBS', `-lldap -llber')

The first line tells sendmail to include the -DLDAPMAP option in the build process. The second and third lines tell sendmail where to find the OpenLDAP include and libraries directories so that the necessary headers and libraries can be located while building the sendmail executable. The fourth line causes sendmail to link against the LDAP libraries needed for the build process.

4.4. Building the sendmail executable

From the root of the sendmail archive execute the Build command to compile the sendmail binaries and the appropriate support programs. The -DLDAPMAP and -lldap -llber options should be seen on the command line while sendmail is compiling.

    example: /home/radfojc/sendmail-8.11.1/Build

After building, become root and type make install from the root of the sendmail archive to install the sendmail binaries and support files.

    example: cd /home/radfojc/sendmail-8.11.1
    example: make install

4.5. Creating an .m4 configuration file

Now we are ready to create a basic .mc file to route email based on entries in the OpenLDAP directory.
Create a file called ldap.mc containing the following:

    OSTYPE(linux)dnl
    FEATURE(ldap_routing)dnl
    LDAPROUTE_DOMAIN(foo.com)dnl
    define(`confLDAP_DEFAULT_SPEC', `-h ldap.foo.com -b dc=foo,dc=com')dnl
    MAILER(local)dnl
    MAILER(smtp)dnl

Consult cf/README for the proper OSTYPE variable (using linux in this example). The third line names the domain that is to be looked up in the LDAP directory; multiple domains can be listed if needed. The fourth line instructs sendmail where to find the LDAP host (the -h option gives its DNS name) and the -b option is the default search base of the LDAP directory; the m4 quotes around the value are needed because it contains commas. Run this through the m4 compiler to process and construct a .cf file readable by sendmail. Assuming the ldap.mc file has been created in the root of the sendmail archive, issue the following command:

    example: m4 ./cf/m4/cf.m4 ldap.mc > ldap.cf

Copy the ldap.cf file into the /etc/mail directory, naming the resulting file sendmail.cf, and change the file permissions to 644. NOTE: It will be necessary to become root for this operation.

    example: su root
    example: cp ./ldap.cf /etc/mail/sendmail.cf
    example: chmod 644 /etc/mail/sendmail.cf

Now execute sendmail in daemon mode (become a daemon). NOTE: It will be necessary to become root for this operation.

    example: su root
    example: sendmail -bd

5. Testing sendmail LDAP lookups

Invoke sendmail in test mode to verify the LDAP maps are being processed correctly. This can be done while sendmail is running in daemon mode with no problems.

    example: sendmail -bt

Sendmail will return a > prompt waiting for user input. Type /parse jradford@foo.com and observe the last line sendmail returns. The final result is a triple of mailer, host and recipient, which should look similar to the following:

    mailer esmtp, host mailhost1.foo.com, user radford_jason_c@foo.com

The mailer is esmtp (or smtp), the host is mailhost1.foo.com (as set by the mailHost LASER attribute for the jradford entry) and the final user name is radford_jason_c@foo.com (as set by the mailRoutingAddress LASER attribute).
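As an added example (not code from this HOWTO or from sendmail), the following Python models the lookup just described: it parses a constructed LDIF test user carrying the LASER attributes (the kind of entry section 3.7 does not yet show) and derives the mailer/host/user triple the way FEATURE(ldap_routing) is documented to. The directory contents, the example.net address and the treatment of addresses with no entry are assumptions, not taken from the page.

```python
# Added example (not code from the HOWTO or from sendmail): a model of how
# FEATURE(ldap_routing) uses the LASER attributes.  TEST_LDIF is a constructed
# test user; the routing rules follow the feature's documented behaviour and
# the -bt output shown above, not sendmail's actual ruleset.
ROUTED_DOMAINS = {"foo.com"}  # LDAPROUTE_DOMAIN(foo.com)
TEST_LDIF = """\
dn: uid=jradford, dc=foo, dc=com
objectclass: inetLocalMailRecipient
mailLocalAddress: jradford@foo.com
mailLocalAddress: jason.radford@foo.com
mailRoutingAddress: radford_jason_c@foo.com
mailHost: mailhost1.foo.com

dn: uid=info, dc=foo, dc=com
objectclass: inetLocalMailRecipient
mailLocalAddress: info@foo.com
mailRoutingAddress: helpdesk@example.net
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def lookup(directory, address):
    """(&(objectClass=inetLocalMailRecipient)(mailLocalAddress=addr)), case-insensitive ('cis')."""
    want = address.lower()
    for e in directory:
        if "inetlocalmailrecipient" in [v.lower() for v in e.get("objectclass", [])] \
                and want in [v.lower() for v in e.get("maillocaladdress", [])]:
            return e
    return None

def route(directory, address):
    """The (mailer, host, user) triple that 'sendmail -bt' /parse prints."""
    local, _, domain = address.rpartition("@")
    if domain.lower() not in ROUTED_DOMAINS:
        return ("esmtp", domain, address)  # domain is not LDAP-routed
    entry = lookup(directory, address)
    if entry is None:
        return ("local", "", local)  # assumed: no entry -> delivered locally
    user = entry.get("mailroutingaddress", [address])[0]
    host = entry.get("mailhost", [user.rpartition("@")[2]])[0]  # else MX of routing domain
    return ("esmtp", host, user)
```

Calling route(parse_ldif(TEST_LDIF), "jradford@foo.com") yields the same triple the HOWTO shows for the /parse test; an entry with only a mailRoutingAddress is handed to the routing address's own domain.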
The returned mailHost DNS name will then be looked up in DNS for valid MX records and the mail delivered based upon the values DNS returns. To exit from test mode simply type the key sequence control-d. That's it!

6. Troubleshooting

6.1. Determining if sendmail was compiled properly with LDAP

To check if the sendmail binary was properly built with LDAP support, execute the following command:

    example: sendmail -d0.1 -bv root

Sendmail should return "Compiled with: LDAPMAP" in its list of features.

--------------------------------------------------------

This document should be considered alpha; I put it online to help a few people out. If anyone would be kind enough to send me constructive comments/suggestions I would appreciate that greatly! I have put up a reference to the LASER documentation at: http://www.iconimaging.net/~jradford/sendmail/laser.txt