389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

RFE: Support sendmail LDAP routing schema #22

Closed 389-ds-bot closed 4 years ago

389-ds-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/22


https://bugzilla.redhat.com/show_bug.cgi?id=745645

Description of problem:

sendmail supports using ldap routing:
http://www.sendmail.org/m4/ldap_routing.html

This is the schema it expects: http://www.sendmail.org/m4/laser.txt

I'm not sure the draft is complete (it has [[TBD]] in the object class uid
definition).

The 60inetmail.ldif is similar but different. I don't know if they are
compatible or not.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.9.9-1.el5
389-ds-bot commented 4 years ago

Comment from orion at 2012-01-19 05:34:33

50ldap-mail-routing.ldif

389-ds-bot commented 4 years ago

Comment from orion at 2012-01-19 05:35:22

Updated 50ns-mail.ldif

389-ds-bot commented 4 years ago

Comment from orion at 2012-01-19 05:40:33

This is the ldap-routing schema I'm using. To remove conflicts it needs the attached updated 50ns-mail.ldif file. Changes are:

# diff  ../../schema/50ns-mail.ldif 50ns-mail.ldif 
56d55
< attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15  X-ORIGIN 'Netscape Messaging Server 4.x' )
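Review bot: dropping the attributeTypes definition for mailAlternateAddress (OID 2.16.840.1.113730.3.1.13) needs a migration note to go with it: any entry that already stores mailAlternateAddress values will no longer pass schema checking once the attribute type is gone, so the accompanying text should say how such entries are to be converted before the updated 50ns-mail.ldif is installed.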
65d63
< attributeTypes: ( 2.16.840.1.113730.3.1.24 NAME ( 'mailRoutingAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15  X-ORIGIN 'Netscape Messaging Server 4.x' )
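Review bot: removing mailRoutingAddress (OID 2.16.840.1.113730.3.1.24) here leaves the mailRecipient objectclass in the 76c74 hunk still listing mailRoutingAddress in its MAY list, so 50ns-mail.ldif now depends on another schema file defining that attribute and will not load on its own; either keep a definition in this file or state the load dependency on the attached ldap-routing schema explicitly.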
76c74
< objectclasses: ( 2.16.840.1.113730.3.2.3 NAME 'mailRecipient' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mailAccessDomain $ mailAutoReplyMode $ mailAutoReplyText $ mailDeliveryOption $ mailForwardingAddress $ mailMessageStore $ mailProgramDeliveryInfo $ mailQuota $ multiLineDescription $ uid $ userPassword ) X-ORIGIN 'Netscape Messaging Server 4.x' )
---
> objectclasses: ( 2.16.840.1.113730.3.2.3 NAME 'mailRecipient' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailHost $ mailRoutingAddress $ mailAccessDomain $ mailAutoReplyMode $ mailAutoReplyText $ mailDeliveryOption $ mailForwardingAddress $ mailMessageStore $ mailProgramDeliveryInfo $ mailQuota $ multiLineDescription $ uid $ userPassword ) X-ORIGIN 'Netscape Messaging Server 4.x' )
78c76
< objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )
---
> objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailHost $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )
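Review bot: mailGroup loses mailRoutingAddress from MAY while mailRecipient keeps it; if that asymmetry is intended it should be stated, because any existing mailGroup entry holding a mailRoutingAddress value becomes a schema violation after this change.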

Now mailRoutingAddress is changing OID number, not sure that is acceptable. Dropping mailAlternateAddress because its OID conflicts with mailLocalAddress.

Hope this helps.

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-01-28 00:52:11

0001-Ticket-22-RFE-Support-sendmail-LDAP-routing-schema.patch

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-01-28 05:55:57

To ssh://git.fedorahosted.org/git/389/ds.git
   24731b3..64d2bc6  master -> master
commit changeset:64d2bc6af815bd872096a8c490c65cb751ed488b/389-ds-base
Author: Rich Megginson richm@redhat.com
Date:   Fri Jan 27 11:45:55 2012 -0700
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: First I had to fix the OID for ntGroupType. I assigned a new OID to it from our OID range. Next, I added a new file 60sendmail.ldif containing the new sendmail schema. This must be in a separate file. The problem is that the new schema is incompatible with the existing schema of the same name - different syntaxes and matching rules. So if you use 60sendmail.ldif, you must not use 50ns-mail.ldif, 60inetmail.ldif, or 60qmail.ldif.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no

389-ds-bot commented 4 years ago

Comment from orion at 2012-01-30 22:53:51

I'm also looking to make use of email group aliases in LDAP. The default sendmail schema is like:

dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: etrn.sendmail.org
sendmailMTAKey: sendmail-list
sendmailMTAAliasValue: ca@example.org

See http://www.sendmail.org/m4/ldap.html

Now, this seems like a crazy schema to me (has the MTA name in the attributes rather than something generic). You can make it use other schema though with:

define(`ALIAS_FILE',`ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember')

Postfix also has a default schema using maildrop and other attributes that at least look generic:

http://www.postfix.org/LDAP_README.html

The 389 wiki has a howto http://directory.fedoraproject.org/wiki/Howto:Postfix that uses the mgrpDeliverTo attribute defined in 50ns-mail.ldif

So, if the sendmail routing attributes are going to conflict with the 50ns-mail.ldif schema, it seems like we need to have some kind of generic ldap email alias schema as well.

I can file a separate ticket if that seems more appropriate, but it was the conflict between 60sendmail.ldif and 50ns-mail.ldif that prompted this response.

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-01-31 06:34:47

Replying to [comment:10 orion]:

I'm also looking to make use of email group aliases in LDAP. The default sendmail schema is like:

dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: etrn.sendmail.org
sendmailMTAKey: sendmail-list
sendmailMTAAliasValue: ca@example.org

See http://www.sendmail.org/m4/ldap.html

Now, this seems like a crazy schema to me (has the MTA name in the attributes rather than something generic). You can make it use other schema though with:

define(`ALIAS_FILE',`ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember')

Postfix also has a default schema using maildrop and other attributes that at least look generic:

http://www.postfix.org/LDAP_README.html

The 389 wiki has a howto http://directory.fedoraproject.org/wiki/Howto:Postfix that uses the mgrpDeliverTo attribute defined in 50ns-mail.ldif

So, if the sendmail routing attributes are going to conflict with the 50ns-mail.ldif schema, it seems like we need to have some kind of generic ldap email alias schema as well.

I can file a separate ticket if that seems more appropriate, but it was the conflict between 60sendmail.ldif and 50ns-mail.ldif that prompted this response.

So since 60sendmail.ldif and 50ns-mail.ldif cannot co-exist, it sounds like we need to either move some schema out of 50ns-mail.ldif, or perhaps copy it into 60sendmail.ldif? If so, which ones?

Also, looks like it's even more complicated than that, since mgrpRFC822MailMember is defined in both 50ns-mail.ldif and 60nis.ldif (!)

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-02-09 04:47:05

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=788746

389-ds-bot commented 4 years ago

Comment from orion at 2012-03-10 03:46:29

Reopening as there seem to be unresolved issues with schema conflicts.

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-03-12 19:18:09

Replying to [comment:13 orion]:

Reopening as there seem to be unresolved issues with schema conflicts.

What seems to be the problem?

389-ds-bot commented 4 years ago

Comment from orion at 2012-03-12 19:44:03

See comments 10 and 11 - there are conflicts with other schema.

389-ds-bot commented 4 years ago

Comment from orion at 2012-03-20 02:44:13

Another wrinkle,

(targetattr = "sambaPwdLastSet || sambaLMPassword || sambaNTPassword || userPassword || shadowLastChange || mgrpAllowedBroadcaster || cosspecifier || newRdn || telephoneNumber || facsimileTelephoneNumber") (version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

References mgrpAllowedBroadcaster so I can't really just get rid of 50ns-mail.ldif even if I wanted to. Any progress?
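The two problems raised in this thread, schema files that clash on OID or on NAME (mailAlternateAddress vs mailLocalAddress, mgrpRFC822MailMember in both 50ns-mail.ldif and 60nis.ldif) and an ACI whose targetattr list silently depends on a schema file you would like to drop, are both mechanical to detect before touching a live server. The script below is an added example, not code from 389-ds-base or from anyone in this thread. Its schema lines and its ACI are constructed samples that mirror the definitions quoted above; OIDs under 1.3.6.1.4.1.99999 are placeholders rather than the real assignments, and mailHost is deliberately left undefined to show the dangling-reference check.

```python
"""Schema-conflict and ACI-dependency checks for 389-ds style LDIF schema files.

Added example for this ticket, not 389-ds-base code. Every schema line and the
ACI below is a constructed sample; OIDs under 1.3.6.1.4.1.99999 are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_SCHEMA = {
    "50ns-mail.ldif": [
        "attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )",
        "attributeTypes: ( 2.16.840.1.113730.3.1.24 NAME ( 'mailRoutingAddress' ) "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )",
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'mgrpAllowedBroadcaster' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'mgrpRFC822MailMember' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
        "objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' SUP top AUXILIARY "
        "MUST ( objectClass ) MAY ( mailAlternateAddress $ mailRoutingAddress "
        "$ mgrpAllowedBroadcaster $ mgrpRFC822MailMember ) )",
    ],
    "50ldap-mail-routing.ldif": [
        # same OID as mailAlternateAddress above under another name: the clash from the thread
        "attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
        # mailHost is intentionally not defined anywhere in these samples
        "objectclasses: ( 1.3.6.1.4.1.99999.3.1 NAME 'inetLocalMailRecipient' SUP top "
        "AUXILIARY MAY ( mailLocalAddress $ mailHost ) )",
    ],
    "60nis.ldif": [
        # second definition of the same NAME, as the thread notes for 60nis.ldif
        "attributeTypes: ( 1.3.6.1.4.1.99999.2.1 NAME 'mgrpRFC822MailMember' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    ],
}

# Trimmed, constructed version of the self-write ACI quoted in the thread.
SAMPLE_ACI = (
    '(targetattr = "userPassword || shadowLastChange || mgrpAllowedBroadcaster || '
    'telephoneNumber") (version 3.0;acl "Allow self entry modification";'
    'allow (write)(userdn = "ldap:///self");)'
)

# attributeTypes/objectClasses line: OID, then NAME 'x' or NAME ( 'x' 'y' )
DEF_RE = re.compile(
    r"^(?P<kind>attributetypes|objectclasses):\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+"
    r"(?:\(\s*(?P<names>(?:'[^']*'\s*)+)\)|'(?P<name>[^']*)')",
    re.IGNORECASE,
)
# MUST / MAY lists inside an objectclass definition
LIST_RE = re.compile(r"\b(MUST|MAY)\s+(?:\(\s*([^)]*)\)|([\w-]+))")


def parse_schema(files):
    """Parse {file: [lines]} into definition records; names are lower-cased."""
    defs = []
    for fname, lines in files.items():
        for line in lines:
            m = DEF_RE.match(line)
            if not m:
                continue
            raw = re.findall(r"'([^']*)'", m.group("names")) if m.group("names") else [m.group("name")]
            refs = []
            if m.group("kind").lower() == "objectclasses":
                for _, grp, single in LIST_RE.findall(line):
                    refs += [a.strip().lower() for a in (grp or single).split("$") if a.strip()]
            defs.append({"kind": m.group("kind").lower(), "oid": m.group("oid"),
                         "names": [n.lower() for n in raw], "file": fname, "refs": refs})
    return defs


def oid_conflicts(defs):
    """OIDs bound to more than one distinct name set (mailAlternateAddress vs mailLocalAddress)."""
    by_oid = defaultdict(list)
    for d in defs:
        by_oid[d["oid"]].append(d)
    return {oid: sorted((d["names"][0], d["file"]) for d in ds)
            for oid, ds in by_oid.items() if len({tuple(d["names"]) for d in ds}) > 1}


def duplicate_names(defs):
    """Names defined in more than one file (mgrpRFC822MailMember in 50ns-mail and 60nis)."""
    by_name = defaultdict(set)
    for d in defs:
        for n in d["names"]:
            by_name[(d["kind"], n)].add(d["file"])
    return {k: sorted(v) for k, v in by_name.items() if len(v) > 1}


def dangling_refs(defs):
    """Objectclasses whose MUST/MAY lists name attributes no loaded file defines."""
    known = {n for d in defs if d["kind"] == "attributetypes" for n in d["names"]}
    known.add("objectclass")  # always present in core schema
    out = {}
    for d in defs:
        missing = sorted(r for r in d["refs"] if r not in known)
        if missing:
            out[d["names"][0]] = missing
    return out


def aci_attrs_lost(aci, defs, drop_files):
    """targetattr names defined only by drop_files: the ACI breaks if those files are removed."""
    m = re.search(r'targetattr\s*!?=\s*"([^"]*)"', aci)
    targets = [a.strip().lower() for a in m.group(1).split("||")] if m else []
    where = defaultdict(set)
    for d in defs:
        if d["kind"] == "attributetypes":
            for n in d["names"]:
                where[n].add(d["file"])
    return sorted(a for a in targets if where[a] and where[a] <= set(drop_files))


if __name__ == "__main__":
    defs = parse_schema(SAMPLE_SCHEMA)
    print("OID conflicts:", oid_conflicts(defs))
    print("Duplicate names:", duplicate_names(defs))
    print("Dangling references:", dangling_refs(defs))
    print("ACI attrs lost without 50ns-mail.ldif:", aci_attrs_lost(SAMPLE_ACI, defs, ["50ns-mail.ldif"]))
```

Run against real files by reading each schema LDIF into the dictionary (one logical line per definition; unfold continuation lines first) and pasting the server's ACIs into aci_attrs_lost. On the samples it reports the OID clash on 2.16.840.1.113730.3.1.13, the double definition of mgrpRFC822MailMember, inetLocalMailRecipient's reference to the undefined mailHost, and that dropping 50ns-mail.ldif would leave the self-write ACI pointing at an undefined mgrpAllowedBroadcaster, which is exactly the "I can't just get rid of 50ns-mail.ldif" situation above.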

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-03-30 21:06:16

Replying to [comment:17 orion]:

Another wrinkle,

(targetattr = "sambaPwdLastSet || sambaLMPassword || sambaNTPassword || userPassword || shadowLastChange || mgrpAllowedBroadcaster || cosspecifier || newRdn || telephoneNumber || facsimileTelephoneNumber") (version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

References mgrpAllowedBroadcaster so I can't really just get rid of 50ns-mail.ldif even if I wanted to.

Where does this ACI come from?

Any progress?

Not really. The mail schema is a real mess. There are a couple of IETF documents that attempted to "standardize" the old Netscape Messaging schema:

http://tools.ietf.org/html/draft-steinback-ldap-mailgroups-00 and http://tools.ietf.org/id/draft-lachman-ldap-mail-routing-03.txt

50ns-mail contains what looks like an older version of draft-steinback + stuff from NMS - some of these schema are redefined in other user contributed schema such as 60inetmail, 60qmail, etc. In addition, some of these redefinitions use the newer definitions from draft-steinback which in some cases are not compatible.

So I'm not really sure what to do at this point. I dare not change 50ns-mail.ldif for fear of breaking many existing installations. What would you suggest?

389-ds-bot commented 4 years ago

Comment from orion at 2012-04-06 23:41:51

Replying to [comment:18 richm]:

Replying to [comment:17 orion]:

Another wrinkle,

(targetattr = "sambaPwdLastSet || sambaLMPassword || sambaNTPassword || userPassword || shadowLastChange || mgrpAllowedBroadcaster || cosspecifier || newRdn || telephoneNumber || facsimileTelephoneNumber") (version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

References mgrpAllowedBroadcaster so I can't really just get rid of 50ns-mail.ldif even if I wanted to.

Where does this ACI come from?

I don't remember adding it myself, so I really have no idea.

Any progress?

Not really. The mail schema is a real mess. There are a couple of IETF documents that attempted to "standardize" the old Netscape Messaging schema:

http://tools.ietf.org/html/draft-steinback-ldap-mailgroups-00 and http://tools.ietf.org/id/draft-lachman-ldap-mail-routing-03.txt

50ns-mail contains what looks like an older version of draft-steinback + stuff from NMS - some of these schema are redefined in other user contributed schema such as 60inetmail, 60qmail, etc. In addition, some of these redefinitions use the newer definitions from draft-steinback which in some cases are not compatible.

So I'm not really sure what to do at this point. I dare not change 50ns-mail.ldif for fear of breaking many existing installations. What would you suggest?

I really have no idea. I feel way over my head here. I would just like to be able to use ldap mail routing and a set of standard mail groups/aliases at the same time.

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2012-08-14 19:57:05

set default ticket origin to Community

389-ds-bot commented 4 years ago

Comment from nkinder (@nkinder) at 2012-08-28 04:14:46

Added initial screened field value.

389-ds-bot commented 4 years ago

Comment from orion at 2013-08-14 23:56:15

Any hope of progress here? This is one of my blockers for moving to FreeIPA.

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2013-08-16 03:56:01

Replying to [comment:25 orion]:

Any hope of progress here?

Not lately, no.

This is one of my blockers for moving to FreeIPA.

389-ds-bot commented 4 years ago

Comment from rmeggins (@richm) at 2017-02-11 22:59:31

Metadata Update from @richm:

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2020-03-18 16:53:16

@Firstyear - is this related to the openldap migration work you are doing? Is this ticket even applicable anymore?

389-ds-bot commented 4 years ago

Comment from mreynolds (@mreynolds389) at 2020-03-18 16:53:16

Metadata Update from @mreynolds389:

389-ds-bot commented 4 years ago

Comment from firstyear (@Firstyear) at 2020-03-19 01:14:37

@mreynolds389 No, this isn't needed for my work. I'll close it :)

389-ds-bot commented 4 years ago

Comment from firstyear (@Firstyear) at 2020-03-19 01:14:38

Metadata Update from @Firstyear: