Hi,

I am trying to use LDAP from exim to determine which (MS Exchange) machine to 
deliver mail to.
This is in a largish (1500) company with multiple sites. I am querying the 
local MS Active Directory servers.
My Linux box is relegated to the DMZ and is restricted to what it can see.

My router looks like:
internal:
  driver = manualroute
  no_more
  domains = +ag_domains
  transport = remote_smtp
  route_data = ${sg{${lookup ldap \
        {user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass \
        dereference=never time=5 nettime=5 \
        ldap:///OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com?msExchHomeServerName?sub? \
        (proxyAddresses=smtp:[EMAIL PROTECTED])} \
        {$value}fail}}{^.*/cn=(\\w+)\$}{\$1}}.example.com

That seems to work well enough with ldap returning something like:
        /O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=EXCHANGEBOXNAME

Unfortunately the baseDN above only works for people within
OU=USERS,OU=BUSSERV,OU=MAN, ... so I get it to search a bit wider by
replacing the URL line with:

        ldap:///DC=example,DC=com?msExchHomeServerName?sub? \

When using ldapsearch this approach works fine; it finds records like:
        proxyAddresses=smtp:[EMAIL PROTECTED]
in all business units.

Exim, however, does the lookup and gets a result from ldap, apparently
decides that it wants another and then hangs. It seems to be trying to
connect to LDAP servers that are not in ldap_default_servers, and never
times out. The connects don't work since the organisation firewalls don't
allow it - reasonably enough.

They do admit that their ldap setup could be neater, but I'm not going to get 
it changed.

I have dug through the code. After getting a good enough result, it calls
ldap_result() again, presumably to get more, stopping this loop when it
gets LDAP_RES_SEARCH_ENTRY. In fact it just loops trying to connect to the
same set of ldap servers over & over.

Does anyone have any suggestions -- please?


I put the debug output below:

expanding: user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" 
pass=ldappass dereference=never
time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub? 
(proxyAddresses=smtp:[EMAIL PROTECTED])
   result: user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" 
pass=ldappass dereference=never
time=5 nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:[EMAIL PROTECTED])search_open: ldap "NULL"
search_find: file="NULL"
  key="user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" 
pass=ldappass dereference=never time=5
nettime=5 ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:[EMAIL PROTECTED])" partial=-1 affix=NULL starflags=0
LRU list:
internal_search_find: file="NULL"
  type=ldap 
key="user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" 
pass=ldappass
dereference=never time=5 nettime=5 
ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:[EMAIL PROTECTED])"
database lookup required for 
user="CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com" pass=ldappass
dereference=never time=5 nettime=5 
ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:[EMAIL PROTECTED])
LDAP parameters: user=CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com 
pass=ldappass size=0 time=5
connect=5 dereference=0
perform_ldap_search: ldap URL = 
"ldap:///DC=example,DC=com?msExchHomeServerName?sub?
(proxyAddresses=smtp:[EMAIL PROTECTED])" server=vega.example.com port=0 
sizelimit=0 timelimit=5
tcplimit=5
after ldap_url_parse: host=vega.example.com port=0
ldap_initialize with URL ldap://vega.example.com:389/
initialized for LDAP (v3) server vega.example.com:389
LDAP_OPT_X_TLS_TRY set
binding with user=CN=ldapuser,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com 
password=ldappass
Start search
ldap_result loop
LDAP entry loop
LDAP attr loop 
msExchHomeServerName:/O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=SHIRKAHREXC
*** hangs here ***

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/

#include <std_disclaimer.h>

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
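Added example, not part of the original post: one explanation consistent with the debug output is that a subtree search based at the domain root makes Active Directory return SearchResultReference messages for naming contexts held on other domain controllers, which libldap follows by default, so a client behind a firewall blocks on hosts it never chose. The Python below models that response sequence with a client that records referrals instead of chasing them and applies the router's cn extraction; the entry, referral hostnames and server list are constructed and the message layout is a simplified decode of the RFC 4511 protocolOps, not Exim's code.

```python
import re
from urllib.parse import urlsplit

# protocolOp tags of the messages in an LDAP search response (RFC 4511)
SEARCH_RESULT_ENTRY, SEARCH_RESULT_REFERENCE, SEARCH_RESULT_DONE = 0x64, 0x73, 0x65

# Constructed, decoded response to a subtree search based at DC=example,DC=com.
# Besides the matching entry, Active Directory returns SearchResultReference
# messages for naming contexts held on other domain controllers (hosts made up).
CONSTRUCTED_RESPONSE = [
    (SEARCH_RESULT_ENTRY, {
        "dn": "CN=jdoe,OU=USERS,OU=BUSSERV,OU=MAN,DC=example,DC=com",
        "msExchHomeServerName": "/O=ABC/OU=Manchester/cn=Configuration/cn=Servers/cn=EXCHANGEBOXNAME",
    }),
    (SEARCH_RESULT_REFERENCE, ["ldap://domaindnszones.example.com/DC=DomainDnsZones,DC=example,DC=com"]),
    (SEARCH_RESULT_REFERENCE, ["ldap://child.example.com/DC=child,DC=example,DC=com"]),
    (SEARCH_RESULT_DONE, {"resultCode": 0}),
]


def collect_search(messages):
    """Consume one search response without chasing referrals: keep entries,
    record referral URLs, stop at SearchResultDone.  A client that follows
    each reference instead must connect to every referenced host first."""
    entries, referrals = [], []
    for op, payload in messages:
        if op == SEARCH_RESULT_ENTRY:
            entries.append(payload)
        elif op == SEARCH_RESULT_REFERENCE:
            referrals.extend(payload)
        elif op == SEARCH_RESULT_DONE:
            break
        else:
            raise ValueError(f"unexpected protocolOp 0x{op:02x}")
    return entries, referrals


def referral_hosts_outside(referrals, default_servers):
    """Referral targets not listed in ldap_default_servers, i.e. hosts a
    referral-chasing client would try to reach through the DMZ firewall."""
    hosts = {urlsplit(url).hostname for url in referrals}
    return sorted(hosts - {s.lower() for s in default_servers})


def route_host(entry, domain="example.com"):
    """Mirror the router's sg expansion: final cn= component plus the domain.
    None stands for the 'fail' branch (attribute absent or pattern not matched)."""
    m = re.match(r"^.*/cn=(\w+)$", entry.get("msExchHomeServerName", ""))
    return f"{m.group(1)}.{domain}" if m else None
```

OpenLDAP's ldapsearch does not chase referrals unless given -C, which would account for it behaving differently from a libldap client with chasing left on; current Exim releases accept a referrals=nofollow parameter in the LDAP query for the same purpose.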
