On Sun, Nov 05, 2023 at 12:13:17PM +0000, Matthias Nagel via Postfix-users wrote:
> Viktor, you recommend to use proxymap in combination with LDAP,

Yes.

> especially if all LDAP lookups use the same connection.

Regardless of whether the connection settings are the same across all
tables. But if they are, then multiple tables will share connections,
either per-process, or in the proxymap(8) service (really same thing,
only centralised via an "RPC" indirection).

> Indeed, this is the case for my setup. The LDAP server, the bind DN
> and bind passwd are the same. Only the search base, the query filter
> and the result is different depending on the specific lookup.

In that case the connection would typically be shared. The Postfix
LDAP_README notes:

    Multiple LDAP maps share the same LDAP connection if they differ
    only in their query related parameters: base, scope, query_filter,
    and so on. To take advantage of this, avoid spurious differences
    in the definitions of LDAP maps: host selection order, version,
    bind, tls parameters, ... should be the same for multiple maps
    whenever possible.

> I tried to read the man page for proxymap (8).

There's not much there to read, instead see DATABASE_README, and the
"proxy_read_maps" and "local_recipient_maps" documentation in
postconf(5). Yes, the description is somewhat terse, but there's not a
lot to say.

> Do I understand correctly, that I only have to add „proxy:“ in front
> of all my „ldap:“ lookups and that‘s it?

That's all, provided that nobody made the mistake of enabling chroot
also for proxymap in master.cf.

> No further configuration is required?

Magic... :-)

> Does proxymap somehow cleverly detect if two LDAP queries use the
> same connection options and then re-uses the same connection?

That's built into the Postfix LDAP driver, regardless of whether LDAP
lookups are initiated in each process independently, or delegated to
proxymap.

> I expected that I had to configure each connection which I would like
> to run through the proxy with proxymap, but this doesn‘t seem to be
> the case.
The supported tables are configured via proxy_read_maps and default to
all the usual tables. Customisation is only needed if you add new
"proxy:" tables not tied to one of the "standard" /mumble_maps/
parameters, for example, in smtpd_recipient_restrictions. Those tables
would need to be added to the definition of proxy_read_maps, which you'd
have to copy and extend (there's not a "+=" syntax in main.cf for
extending default values).

> Wietse, you say that Postfix cannot control when the LDAP client
> library opens a connection to the LDAP server.

Postfix asks the LDAP library to create a logical LDAP connection,
leaving it to the library to actually do the TCP connect and LDAP "bind"
handshake on demand (an actual query) later. The timing of the LDAP
connect is therefore determined by the LDAP library. The Postfix LDAP
driver may at times ask the LDAP library to disconnect from a
non-responsive server and ask it to reconnect to any of the defined
servers (ideally it will choose another that is responsive, if multiple
servers are defined).

Bottom line, be a copycat (do what I always did, when I used LDAP),
define somewhere in main.cf:

    ldap = proxy:ldap:${config_directory}/
    cidr = cidr:${config_directory}/
    pcre = pcre:${config_directory}/
    indexed = ${default_database_type}:${config_directory}/
    ...

and then when defining LDAP tables, write:

    # For all /mumble_maps/:
    mumble_maps = ${ldap}config.cf

instead of:

    mumble_maps = ldap:/etc/postfix/config.cf

and likewise for other tables:

    ...
    header_checks = ${pcre}header-checks.pcre
    smtpd_client_restrictions =
        ...
        check_client_access ${cidr}client-access.cidr
        check_sender_access ${indexed}sender-access
        ...
    ...

-- 
    Viktor.
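The idiom from the reply, carried through into a complete configuration fragment. This is an added example and not configuration from the post or from the Postfix project; the host name, DNs, password placeholder and table file names are assumptions. It shows the prefix macros, one standard map that the default proxy_read_maps already covers, one restriction-list table that has to be appended to a copied proxy_read_maps, and two LDAP table files that differ only in their query parameters so the LDAP driver can share a single connection for both.

```ini
# ---- /etc/postfix/main.cf (added example, not from the post) ----

# Prefix macros: change the table type or directory in one place.
ldap    = proxy:ldap:${config_directory}/
cidr    = cidr:${config_directory}/
pcre    = pcre:${config_directory}/
indexed = ${default_database_type}:${config_directory}/

# Standard parameters: the default proxy_read_maps already lists
# $virtual_alias_maps and $virtual_mailbox_maps, so nothing else is needed.
virtual_alias_maps   = ${ldap}virtual-alias.cf
virtual_mailbox_maps = ${ldap}virtual-mailbox.cf

# A proxied table that appears only inside a restriction list is NOT
# covered by the default proxy_read_maps ...
smtpd_recipient_restrictions =
    permit_mynetworks
    check_recipient_access ${ldap}recipient-access.cf
    reject_unauth_destination

# ... so copy the default value and append it. There is no "+=" in main.cf.
# Replace <DEFAULT_PROXY_READ_MAPS> with the output of:
#     postconf -d proxy_read_maps
proxy_read_maps = <DEFAULT_PROXY_READ_MAPS> ${ldap}recipient-access.cf

# ---- /etc/postfix/virtual-alias.cf (assumed file name) ----
# Connection section: identical in every LDAP table file.
server_host = ldaps://ldap.example.com
version     = 3
bind        = yes
bind_dn     = cn=postfix,ou=services,dc=example,dc=com
bind_pw     = <BIND_PASSWORD_PLACEHOLDER>
# Query section: the only part that differs between files.
search_base      = ou=people,dc=example,dc=com
query_filter     = (&(objectClass=inetOrgPerson)(mailAlternateAddress=%s))
result_attribute = mail

# ---- /etc/postfix/virtual-mailbox.cf (assumed file name) ----
# Same connection section, byte for byte, so the driver shares the connection.
server_host = ldaps://ldap.example.com
version     = 3
bind        = yes
bind_dn     = cn=postfix,ou=services,dc=example,dc=com
bind_pw     = <BIND_PASSWORD_PLACEHOLDER>
search_base      = ou=people,dc=example,dc=com
query_filter     = (&(objectClass=inetOrgPerson)(mail=%s))
result_attribute = mailbox
```

Two checks before relying on this: `postconf -M proxymap/unix` should show "n" in the chroot column, since a chrooted proxymap cannot read the table files (the mistake the reply warns about), and the connection sections of the .cf files should be kept literally identical, because any difference in host, version, bind or TLS settings silently costs you the shared connection.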