Hi, Cheng.
We use a MySQL backend for lookups; however, Dspam is set to auto-populate the
"dspam_virtual_uids" table. This is safe because postfix uses
"reject_unverified_recipient" as an "smtpd_recipient_restrictions" rule. The
recipient of any incoming mail is verified against our groupwise mail server.
If Groupwise cannot verify the recipient, the mail never makes it to Dspam.
Only validated accounts are automatically created by Dspam.
The verified recipients are cached in the "address_verify_map" file, so the
performance hit is negligible.
###
### Begin main.cf excerpt.
###
address_verify_map = btree:/usr/local/var/db/postfix/verify
relayhost = [YOUR_GROUPWISE_SERVER_NAME_HERE]
...
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    ...
    reject_unverified_recipient
    ...
###
### End main.cf excerpt.
###
On another note, I had to make a modification to the script sent previously.
The following line:
$LDAP->unbind
  or die "Could not disconnect from LDAP server.";
needs to be added after the $RESULT variable is assigned the value of
$LDAP->search.
Also, admin.cgi needs to be altered in the same manner as dspam.cgi. The same
code should work with minor alterations.
Thanks,
-Gary
~~~~~~~~~~~~~~~~~~~~~~~~~~
Gary J. Waters Jr.
Mohave County Information Technology
700 W. Beale St.
Kingman, AZ 86401
(928)753-0740x4137
[EMAIL PROTECTED]
http://www.co.mohave.az.us
>>> "Cheng Gang, Yap Ye" <[EMAIL PROTECTED]> 08/24/2007 11:35 PM >>>
Hello,
Did you manage to make DSPAM not look up users from its storage driver, for
example, MySQL? I have done something similar to your setup, but DSPAM
still requires MySQL (in my setup, dspam_virtual_uids).
Regards,
Cheng
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gary
Waters
Sent: Saturday, August 25, 2007 6:38 AM
To: [email protected]
Subject: [dspam-users] Working - LDAP WebUI Authentication
FreeBSD 6.2
Postfix 2.4.5
DSpam 3.8.0
Clamav 0.91
Apache 2.2.8
If anyone's interested, I've got LDAP authentication working for the WebUI
between Novell and Apache22.
Two things needed to be done:
1. Make sure Apache is compiled with LDAP support and the appropriate module
is loaded...
LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so
..In httpd.conf, set up Apache to authenticate via LDAP in the WebUI's
directory tags:
AuthType basic
AuthName "DSPAM Control Center"
AuthBasicProvider ldap
AuthLDAPRemoteUserIsDN on
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://YOUR_LDAP_SERVER_HOSTNAME/o=YOUR_ROOT?cn?sub"
Require valid-user
..make sure the "o=" matches your organization. Also "cn" is sometimes
"uid" in Novell. The search will cover all subdirectories (hence the "sub"),
so it's important each cn (or uid) is unique in the directory.
2. Modify dspam.cgi to look up the user's "mail" via LDAP based on the
context passed in as "$ENV{'REMOTE_USER'}". For example, REMOTE_USER may
appear to be "cn=YOUR_USERNAME,ou=YOUR_DEPT,o=YOUR_ROOT" after LDAP
authentication. This needs to be converted to an email address for the web
interface to work. Below is the code I used; it replaces the "CURRENT_USER =
.." line and the "#Determine admin status" block at around lines 60 through
80 in dspam.cgi:
###
### Begin MCIT
###
use vars qw { $LDAP_SERVER $LDAP_BASE @LDAP_ATTRS $LDAP
              @FIELDS $RESULT $EMAIL $ENTRY };
use Net::LDAP;

$LDAP_SERVER = "YOUR_LDAP_SERVER_HOSTNAME";
$LDAP_BASE   = "o=YOUR_ROOT";
@LDAP_ATTRS  = ("mail");   # a plain list; ["mail"] would put an array ref in the list

# Initialize the ldap object (new() returns undef on failure).
$LDAP = Net::LDAP->new($LDAP_SERVER)
  or die "Could not initialize LDAP object.";

# Connect to the ldap server (anonymous bind). bind() always returns a
# message object, so the error code must be checked, not the return value.
$RESULT = $LDAP->bind;
die "Could not connect to LDAP server: " . $RESULT->error if $RESULT->code;

# Get the cn= part from the DN Apache placed in REMOTE_USER.
@FIELDS = split(/\,/, $ENV{'REMOTE_USER'})
  or die "Could not split cn= tag from the REMOTE_USER.";

$RESULT = $LDAP->search (base   => $LDAP_BASE,
                         scope  => "sub",
                         filter => "($FIELDS[0])",
                         attrs  => \@LDAP_ATTRS);   # attrs expects an array reference
if ($RESULT->code) {
  die "LDAP search failed: " . $RESULT->error;
}

# Default address, used only when the search returns no entry.
$EMAIL = "[EMAIL PROTECTED]";
foreach $ENTRY ($RESULT->entries) {
  $EMAIL = lc($ENTRY->get_value("mail"));
}
$CURRENT_USER = $EMAIL;

# Determine admin status: one address per line in ./admins, exact match.
$CONFIG{'ADMIN'} = 0;
if ($CURRENT_USER ne "") {
  open(FILE, "<./admins") or die "Could not open ./admins: $!";
  while (<FILE>) {
    chomp;
    if ($_ eq $CURRENT_USER) {
      $CONFIG{'ADMIN'} = 1;
    }
  }
  close(FILE);
}
###
### End MCIT
###
..we no longer need to manage local accounts on the Dspam server. The end
users use their Novell username and password and they're in.
Thanks,
-Gary
~~~~~~~~~~~~~~~~~~~~~~~~~~
Gary J. Waters Jr.
Mohave County Information Technology
700 W. Beale St.
Kingman, AZ 86401
(928)753-0740x4137
[EMAIL PROTECTED]
http://www.co.mohave.az.us
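The REMOTE_USER-to-address step from the post above, as an added example that is not part of Gary's dspam.cgi code or of DSPAM: a Python rendering that takes the leading RDN of the DN by RFC 4514 rules instead of a bare split on commas, hex-escapes the value per RFC 4515 before it is placed in the search filter, and applies the same exact-line ./admins test. The sample DN and admins file are constructed; no directory is contacted.

```python
from typing import Tuple
# Added example (Python rendering, not the dspam.cgi Perl from the post):
# handle the DN mod_authnz_ldap puts in REMOTE_USER, e.g. "cn=USER,ou=DEPT,o=ROOT".
# Constructed sample input, as Apache would set it after authentication.
SAMPLE_REMOTE_USER = "cn=gwaters,ou=IT,o=MOHAVE"
# Constructed sample ./admins file: one address per line, like the post's.
SAMPLE_ADMINS = "gwaters@example.org\nsecond.admin@example.org\n"
_HEX = set("0123456789abcdefABCDEF")

def first_rdn(dn: str) -> Tuple[str, str]:
    r"""Return (attribute, value) of the leading RDN of an RFC 4514 DN.
    A bare split on ',' would cut "cn=Waters\, Gary,ou=IT" in half; this
    walks the string and honours both backslash and \XX escapes."""
    buf, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == ",":
            break                                  # end of the first RDN
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(chr(int(pair, 16)))     # \2c -> ","
                i += 3
                continue
            if i + 1 < len(dn):
                buf.append(dn[i + 1])              # \, -> ","
                i += 2
                continue
        buf.append(ch)
        i += 1
    attr, sep, value = "".join(buf).partition("=")
    if not sep or not attr.strip() or not value:
        raise ValueError("REMOTE_USER is not a DN: %r" % dn)
    return attr.strip().lower(), value

# RFC 4515: these characters must be hex-escaped inside a filter value.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def search_filter(remote_user: str) -> str:
    """Build the "(cn=...)" filter the post hands to the LDAP search."""
    attr, value = first_rdn(remote_user)
    return "(%s=%s)" % (attr, "".join(_FILTER_ESC.get(c, c) for c in value))

def is_admin(current_user: str, admins_text: str) -> bool:
    """Same test as the post's loop: exact match against one line of ./admins."""
    if current_user == "":
        return False
    return any(line == current_user for line in admins_text.splitlines())
```

The filter returned by search_filter() is what goes into the Net::LDAP search in place of "($FIELDS[0])"; the value coming back as "mail" is then lowercased and compared to ./admins exactly as in the post.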