[2024-09-19 16:38] Aly Dharshi <aly.dhar...@edmonton.ca>
> As per my note in the other thread, OpenDJ as the DS did the trick and things
> are working. Now I have to figure out how to store a list of domains in LDAP
> (which attribute to use), and also what is not working is ldaps. When I provide
> ldaps://ip.address.of.ldap.server it will not accept this. Neither will it
> accept tacking :636 on to the end of the ldap uri. There are no FWs or anything
> in between.

Without the error message I can only guess. This sounds like the host
verification fails. First of all, it might help to use the hostname of
the ldap server. Also, for certs that are not publicly trusted, table-ldap
has a ca_cert option.

> Additionally, can one also feed into table-ldap multiple hosts to use as ldap
> servers? Is it just a comma-separated list? Thanks.

This is a bit more complicated than it sounds at first. In order to
implement this correctly, the ldap implementation must be fixed to be
completely nonblocking. Also a nonblocking dns implementation is needed.

Philipp

>
> Cheers,
>
> ASD.
>
> ---
> Aly Dharshi B.Sc., RHCE
> Communications Design Specialist
> ETS Technical Services
> CITY OPERATIONS | TRANSIT
>
> Meeting Booking Link https://calendar.app.google/eTj5cU9rJFYUTqNM6
>
>
> 780-619-1585 MOBILE
>
> City of Edmonton
> DL MacDonald Transit Yards
> ROW Building
> 13304 50A Street
> Edmonton AB T5A 4P6
>
> All information contained in this email post is proprietary to the City of
> Edmonton, confidential and intended only for the addressed recipient. If you
> have received this post in error, please disregard the contents, inform the
> sender of the misdirection, and remove it from your system. The copying,
> dissemination or distribution of this email, if misdirected, is strictly
> prohibited.
>
>
>
> On Sep 15, 2024 at 5:58 PM -0600, Aly Dharshi <aly.dharshi@edmonton.ca>, wrote:
> > Hello Philipp,
> >
> > I figured out the issue at hand, sigh. The issue is AD as I suspected. Your
> > article first of all was superb and I think it helped me most of the way.
> > Here is what I would say OpenSMTPD's users who want to use AD should do:
> >
> > 1. Follow your instructions as you gave them to me. I am more than happy to
> >    write it up and see if it helps others.
> > 2. Use port 3268, which is the AD Global Catalog LDAP port.
> > 3. Use person for the object class.
> >
> > I don't seem to have ldaps working and I have a suspicion that START TLS
> > may be involved. I think I have to investigate that further. Stay tuned as
> > I get more results back for you. Thanks.
> >
> > Cheers,
> >
> > ASD.
> >
> >
> >
> >
> >
> > > On Sat, Sep 14, 2024 at 9:18 PM Aly Dharshi <aly.dhar...@edmonton.ca> 
> > > wrote:
> > > > Hello Phillip,
> > > >
> > > > Thanks for your reply, I did put some information from memory and
> > > > intend to give you a glimpse of the fuller configs on Monday.
> > > >
> > > > If I run an ldap search against port 389 to AD I get the values back
> > > > inclusive of the mail attribute, correctly. I haven't tried the port
> > > > that pumps the GC out, 3286 iirc. I expect that it gives you less info.
> > > >
> > > > When I say it's a mystery I mean in relation to using posixAccount, as
> > > > AD doesn't have this. It has person and I did try this, to no avail. I
> > > > will read the man page as per your suggestion as well and see if I am
> > > > doing something wrong.
> > > >
> > > > To be sure I will run smtpd -d -v again. The debugs do for sure say I
> > > > have a connection to the ldap server. Can I specify more than one ldap
> > > > server? I'll check the man page on this as well.
> > > >
> > > > Thanks and Cheers,
> > > >
> > > > ASD.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > On Sat, Sep 14, 2024 at 5:25 PM Philipp <phil...@bureaucracy.de> 
> > > > > wrote:
> > > > > > Hello Aly
> > > > > >
> > > > > > [2024-09-13 18:58] Aly Dharshi <aly.dhar...@edmonton.ca>
> > > > > > > Hello Philipp,
> > > > > > >
> > > > > > > I built the bits and have the table running. I notice that %s is
> > > > > > > being used. Is this just a variable to slot in a value, eg email
> > > > > > > address?
> > > > > >
> > > > > > The %s is a format specifier for the requested key. How the key
> > > > > > looks depends on the context (usernames, email addresses, ...).
> > > > > > Before a specific search is performed the '%s' is replaced with the
> > > > > > key.
> > > > > >
> > > > > > There is also a man page in the table-ldap repo, most of it also
> > > > > > fits for the old table out of extras. Only the format specifiers
> > > > > > '%u' and '%h' aren't available.
> > > > > >
> > > > > > > I ran a test email and say the email address is m...@awesome.com,
> > > > > > > then the key is m...@awesome.com and when a ldap query is fired
> > > > > > > to ActiveDirectory it fails. Snippets are:
> > > > > > >
> > > > > > > table mailaddr ldap:/etc/opensmtpd/table-ldap.conf
> > > > > > >
> > > > > > > match from any for rcpt-to <mailaddr> action some_action
> > > > > >
> > > > > > What exactly do you mean when you say "it fails"? It makes it a lot
> > > > > > simpler to understand your problem when it's clear what is expected
> > > > > > and what happens. Also, without the config for table-ldap it's hard
> > > > > > to say what's wrong.
> > > > > >
> > > > > > > I have no posixAccount ObjectClass iirc in AD, just top, person,
> > > > > > > user and organizationalUser if memory serves. Where the mail
> > > > > > > attribute is stuffed is a mystery. Thanks.
> > > > > >
> > > > > > I would guess the email address is stored in the 'mail' attribute.
> > > > > > But you should be able to check this with ldapsearch(1) or shelldap.
> > > > > >
> > > > > > In the rcpt-to context the key is the recipient email address. So
> > > > > > your filter should check for the email address. In this context the
> > > > > > table only checks if the key exists. So when the search request
> > > > > > returns at least one result it passes.
> > > > > >
> > > > > > Btw: I have written an article[0] about how I use OpenSMTPD with
> > > > > > FreeIPA. It might be interesting for you.
> > > > > >
> > > > > > Philipp
> > > > > >
> > > > > > [0] https://satanist.bureaucracy.de/smtpd/complex.md (unfinished)
> > > > > >
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > ASD.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Sep 13, 2024 at 9:43 AM Philipp <phil...@bureaucracy.de> 
> > > > > > > wrote:
> > > > > > >
> > > > > > > > [2024-09-13 07:49] Aly Dharshi <aly.dhar...@edmonton.ca>
> > > > > > > > > Thanks Philipp! Is this module prebuilt on OpenBSD/OpenSMTPD?
> > > > > > > >
> > > > > > > > There are several packages/ports for table-ldap, including one
> > > > > > > > for OpenBSD. The problem is: the last releases of table-ldap in
> > > > > > > > both repos are kind of buggy and missing some features (i.e. tls
> > > > > > > > support). That's why I would recommend using the current HEAD of
> > > > > > > > the repo[0].
> > > > > > > >
> > > > > > > > Also what I forgot in my last mail: table-ldap was in a buggy
> > > > > > > > state and I currently work on fixing all the bugs. These fixes
> > > > > > > > are not well tested[1]. So I would recommend to set up some test
> > > > > > > > mailserver and carefully test it. I don't think[2] there are
> > > > > > > > unknown bugs, but I also make mistakes.
> > > > > > > >
> > > > > > > > When you have some problems: just write to the Mailinglist.
> > > > > > > >
> > > > > > > > > If so I can
> > > > > > > > > swap my external MX to using OpenBSD.
> > > > > > > >
> > > > > > > > In theory: yes. In practice: I don't know, because I don't know
> > > > > > > > your requirements.
> > > > > > > >
> > > > > > > > > I'd rather not install a compiler and build it on the MX
> > > > > > > > > servers themselves. Or try to get a spec file together to
> > > > > > > > > build it as a RPM :)
> > > > > > > >
> > > > > > > > You also can build table-ldap on another host and copy the
> > > > > > > > binary to your MX host. Just don't forget to install the runtime
> > > > > > > > dependencies on your MX.
> > > > > > > >
> > > > > > > > Philipp
> > > > > > > >
> > > > > > > > [0] For the version out of extras: also backport the commit
> > > > > > > > c64f1d3493325a231037f42f53b1d655f6dcb967
> > > > > > > > [1] I would guess only by me
> > > > > > > > [2] I run table-ldap (from extras with the fix[0]) for some
> > > > > > > >     time and haven't seen problems.
> > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Fri, Sep 13, 2024 at 4:00 AM Philipp 
> > > > > > > > > <phil...@bureaucracy.de> wrote:
> > > > > > > > >
> > > > > > > > > > Hi
> > > > > > > > > >
> > > > > > > > > > [2024-09-12 19:39] Aly Dharshi <aly.dhar...@edmonton.ca>
> > > > > > > > > > > I wanted to find out whether table-ldap is Linux
> > > > > > > > > > > compatible. If so what is the correct way to install and
> > > > > > > > > > > use it. Is it a patch or is it something that can be
> > > > > > > > > > > compiled as a standalone item.
> > > > > > > > > >
> > > > > > > > > > Yes, Linux is supported. I assume you need this for the
> > > > > > > > > > same system as in your other mail. So you need the table
> > > > > > > > > > implementation from the extras repo[0]. Also you need to
> > > > > > > > > > port the commit c64f1d3493325a231037f42f53b1d655f6dcb967
> > > > > > > > > > from the table-ldap repo[1]. To build and install run:
> > > > > > > > > >
> > > > > > > > > >  $ ./bootstrap
> > > > > > > > > >  $ ./configure --prefix $prefix --with-table-ldap
> > > > > > > > > >  $ make
> > > > > > > > > >  # make install
> > > > > > > > > >
> > > > > > > > > > The prefix must be the same as the prefix used to install
> > > > > > > > > > opensmtpd. This builds the table-ldap binary and installs it
> > > > > > > > > > in $prefix/libexec/smtpd/.
> > > > > > > > > >
> > > > > > > > > > > Details seem slightly scarce on this even on the GitHub
> > > > > > > > > > > repo. If there are docs somewhere that I should be reading
> > > > > > > > > > > kindly point me there and I can start reading that.
> > > > > > > > > >
> > > > > > > > > > Sadly there is currently no documentation for this, but it's
> > > > > > > > > > quite easy: For an external table (i.e. "table name
> > > > > > > > > > ldap:/path/to/config/file") smtpd looks in
> > > > > > > > > > $prefix/libexec/smtpd for a binary table-$backendname (i.e.
> > > > > > > > > > table-ldap). This binary is executed with the config file as
> > > > > > > > > > first argument.
> > > > > > > > > >
> > > > > > > > > > Philipp
> > > > > > > > > >
> > > > > > > > > > [0] https://github.com/OpenSMTPD/OpenSMTPD-extras
> > > > > > > > > > [1] https://github.com/OpenSMTPD/table-ldap
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Thanks and Cheers,
> > > > > > > > > > >
> > > > > > > > > > > ASD.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > *The contents of this message and any attachment(s) are
> > > > > > > > > > > confidential, proprietary to the City of Edmonton, and are
> > > > > > > > > > > intended only for the addressed recipient. If you have
> > > > > > > > > > > received this in error, please disregard the contents,
> > > > > > > > > > > inform the sender of the misdirection, and remove it from
> > > > > > > > > > > your system. The copying, dissemination, or distribution of
> > > > > > > > > > > this message, if misdirected, is strictly prohibited.*
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
>
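
Two points from the thread, the '%s' substitution into the table-ldap filter for
a rcpt-to key and the ldaps URL built from an IP address instead of the server's
hostname, as an added Python example that is not table-ldap's own code. It assumes
the filter template "(&(objectClass=person)(mail=%s))" and the constructed URLs
shown; whether table-ldap itself escapes the key is not claimed here.

```python
# Added example (not table-ldap's own code): what substituting an untrusted
# key (e.g. a recipient address) into an LDAP filter must do, and a check
# for the ldaps-with-IP-literal pitfall discussed in the thread.
import ipaddress
from urllib.parse import urlsplit

# RFC 4515 escapes for characters that would change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, key):
    """Replace every '%s' in the filter template with the escaped key.

    In the rcpt-to context the key is the recipient address; the table
    only checks that the search returns at least one entry.
    """
    return template.replace("%s", escape_filter_value(key))


def check_ldap_url(url):
    """Return a list of problems with an ldap/ldaps URL (empty list = ok)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append("scheme must be ldap or ldaps, got %r" % parts.scheme)
    host = parts.hostname or ""
    if not host:
        problems.append("no host in URL")
        return problems
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return problems  # a DNS name: TLS hostname verification can match it
    if parts.scheme == "ldaps":
        # The client verifies the certificate against what it connected to;
        # an IP literal only matches if the certificate carries an IP SAN.
        problems.append(
            "ldaps with an IP literal: the server certificate would need an "
            "IP SAN for %s; use the hostname the certificate was issued for" % host
        )
    return problems


if __name__ == "__main__":
    tmpl = "(&(objectClass=person)(mail=%s))"  # assumed filter template
    print(render_filter(tmpl, "someone@awesome.com"))
    print(render_filter(tmpl, "a*b(c)"))  # metacharacters stay literal
    for u in ("ldaps://192.0.2.10:636", "ldaps://ldap.example.com:636"):
        print(u, check_ldap_url(u) or "ok")
```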
