On Sun, Nov 05, 2023 at 12:13:17PM +0000, Matthias Nagel via Postfix-users wrote:

> Viktor, you recommend to use proxymap in combination with LDAP,

Yes.

> especially if all LDAP lookups use the same connection.

Regardless of whether the connection settings are the same across all
tables.  But if they are, then multiple tables will share connections,
either per-process, or in the proxymap(8) service (really same thing,
only centralised via an "RPC" indirection).


> Indeed, this is the case for my setup. The LDAP server, the bind DN
> and bind passwd are the same. Only the search base, the query filter
> and the result is different depending on the specific lookup.

In that case the connection would typically be shared.  The Postfix
LDAP_README notes:

    Multiple LDAP maps share the same LDAP connection if they differ
    only in their query related parameters: base, scope, query_filter,
    and so on. To take advantage of this, avoid spurious differences in
    the definitions of LDAP maps: host selection order, version, bind,
    tls parameters, ... should be the same for multiple maps whenever
    possible.

> I tried to read the man page for proxymap (8).

There's not much there to read, instead see DATABASE_README, and the
"proxy_read_maps" and "local_recipient_maps" documentation in
postconf(5).  Yes, the description is somewhat terse, but there's not
a lot to say.

> Do I understand correctly that I only have to add "proxy:" in front
> of all my "ldap:" lookups and that's it?

That's all, provided that nobody made the mistake of enabling chroot
also for proxymap in master.cf.

> No further configuration is required?

Magic... :-)

> Does proxymap somehow cleverly detect if two LDAP queries use the
> same connection options and then re-uses the same connection?

That's built into the Postfix LDAP driver, regardless of whether LDAP
lookups are initiated in each process independently, or delegated to
proxymap.

> I expected that I had to configure each connection which I would like
> to run through the proxy with proxymap, but this doesn't seem to be
> the case.

The supported tables are configured via proxy_read_maps and default to
all the usual tables.  Customisation is only needed if you add new
"proxy:" tables not tied to one of the "standard" /mumble_maps/
parameters, for example, in smtpd_recipient_restrictions.  Those
tables would need to be added to the definition of proxy_read_maps,
which you'd have to copy and extend (there is no "+=" syntax
in main.cf for extending default values).

> Wietse, you say that Postfix cannot control when the LDAP client
> library opens a connection to the LDAP server.

Postfix asks the LDAP library to create a logical LDAP connection,
leaving it to the library to actually do the TCP connect and LDAP
"bind" handshake on demand (an actual query) later.

The timing of the LDAP connect is therefore determined by the LDAP
library.  The Postfix LDAP driver may at times ask the LDAP library
to disconnect from a non-responsive server and ask it to reconnect
to any of the defined servers (ideally it will choose another that
is responsive, if multiple servers are defined).

Bottom line, be a copycat (do what I always did, when I used LDAP),
define somewhere in main.cf:

    ldap = proxy:ldap:${config_directory}/
    cidr = cidr:${config_directory}/
    pcre = pcre:${config_directory}/
    indexed = ${default_database_type}:${config_directory}/
    ...

and then when defining LDAP tables, write:

    # For all /mumble_maps/:
    mumble_maps = ${ldap}config.cf

instead of:

    mumble_maps = ldap:/etc/postfix/config.cf

and likewise for other tables:

    ...
    header_checks = ${pcre}header-checks.pcre
    smtpd_client_restrictions =
        ...
        check_client_access ${cidr}client-access.cidr
        check_sender_access ${indexed}sender-access
        ...
    ...

-- 
    Viktor.
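The LDAP_README rule quoted in the reply above (tables share one connection when they differ only in query-related parameters) can be checked before deploying, so that a "spurious difference" does not silently cost you a second connection per table. The following is an added example, not Postfix's own code and not from the thread: it parses three constructed ldap: table files, groups them by everything that is not a query parameter, and names the connection-level key that differs. Which parameter names count as "query related" is an assumption taken from ldap_table(5); the Postfix driver's actual connection key may differ in detail.

```python
"""Added example (not Postfix code): predict which ldap: tables would share
an LDAP connection, per the LDAP_README rule that tables share a connection
when they differ only in query-related parameters.

QUERY_PARAMS is an assumption drawn from the parameter names in ldap_table(5);
the driver's real connection key may differ in detail.  The three table
files below are constructed for this example.
"""

# Parameters that describe *what* to look up, not *where* or *how* to connect.
QUERY_PARAMS = {
    "search_base", "scope", "query_filter", "result_attribute", "result_format",
    "special_result_attribute", "terminal_result_attribute",
    "leaf_result_attribute", "domain", "expansion_limit",
}

# Constructed ldap: table files.  recipient-access.cf names the same server,
# but with an explicit port, so its connection settings differ as a string.
TABLES = {
    "virtual-alias.cf": """
server_host = ldaps://ldap.example.com
version = 3
bind = yes
bind_dn = cn=postfix,ou=services,dc=example,dc=com
bind_pw = secret
search_base = ou=people,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mailLocalAddress
""",
    "transport.cf": """
server_host = ldaps://ldap.example.com
version = 3
bind = yes
bind_dn = cn=postfix,ou=services,dc=example,dc=com
bind_pw = secret
search_base = ou=domains,dc=example,dc=com
scope = one
query_filter = (dc=%d)
result_attribute = mailTransport
""",
    "recipient-access.cf": """
server_host = ldaps://ldap.example.com:636
version = 3
bind = yes
bind_dn = cn=postfix,ou=services,dc=example,dc=com
bind_pw = secret
search_base = ou=people,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mailAccessPolicy
""",
}


def parse_cf(text):
    """Parse 'name = value' lines; comments and blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def connection_key(params):
    """Everything that is not a query parameter must match for sharing."""
    return tuple(sorted((k, v) for k, v in params.items() if k not in QUERY_PARAMS))


def group_by_connection(tables):
    """Return sorted groups of table names that would share one connection."""
    groups = {}
    for name, text in tables.items():
        groups.setdefault(connection_key(parse_cf(text)), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def spurious_differences(tables):
    """Connection-level keys whose values differ between tables, with the
    per-table values, so the spurious difference can be removed."""
    conn = {name: dict(connection_key(parse_cf(t))) for name, t in tables.items()}
    all_keys = set().union(*conn.values())
    diffs = {}
    for key in sorted(all_keys):
        values = {name: p.get(key) for name, p in conn.items()}
        if len(set(values.values())) > 1:
            diffs[key] = values
    return diffs


if __name__ == "__main__":
    for group in group_by_connection(TABLES):
        print("share one connection:", ", ".join(group))
    for key, values in spurious_differences(TABLES).items():
        print(f"spurious difference in {key}: {values}")
```

Run against the real table files from `config_directory`, the output of `spurious_differences` is the list of keys to make identical (or drop) so that all tables fall into a single group.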
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
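Two things in the reply above fail silently rather than at `postfix reload`: a chrooted proxymap in master.cf, and a "proxy:" table referenced from a parameter that a hand-copied proxy_read_maps does not cover. The following is an added example, not Postfix code and not from the thread: it parses a constructed main.cf and master.cf, expands `$name` and `${name}` references the way main.cf does, and reports proxy: tables that proxy_read_maps would not serve, plus the chroot column of the proxymap service. Treating only parameters named `*_maps`, `*_restrictions`, `*_checks`, `*_domains` and `mynetworks` as table-bearing is this example's approximation; proxymap itself checks the requested table names, not which parameter they came from.

```python
"""Added example (not Postfix code): check a main.cf / master.cf pair for the
two proxymap pitfalls discussed above.

  1. proxymap(8) should not be chrooted in master.cf.
  2. A "proxy:" table is only served if its name occurs in the expansion of
     proxy_read_maps; a table referenced from a parameter missing there is
     refused at run time.

Both configuration texts are constructed for this example.
"""
import re

# Constructed main.cf using the indirection macros from the message, with a
# hand-copied proxy_read_maps that forgot smtpd_recipient_restrictions.
MAIN_CF = """
config_directory = /etc/postfix
ldap = proxy:ldap:${config_directory}/
cidr = cidr:${config_directory}/
virtual_alias_maps = ${ldap}virtual-alias.cf
transport_maps = ${ldap}transport.cf
smtpd_client_restrictions =
    check_client_access ${cidr}client-access.cidr
    permit
smtpd_recipient_restrictions =
    check_recipient_access ${ldap}recipient-access.cf
    reject_unauth_destination
# Copied and extended by hand: main.cf has no "+=" for default values.
proxy_read_maps = $virtual_alias_maps $transport_maps
    $smtpd_client_restrictions
"""

# Constructed master.cf with proxymap mistakenly chrooted (chroot column = y).
MASTER_CF = """
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       y       -       -       smtpd
proxymap  unix  -       -       y       -       0       proxymap
"""

_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")
# Approximation: parameters whose values are table lists.  proxymap itself
# only sees requested table names, never the parameter they came from.
_TABLE_PARAM = re.compile(r"(_maps|_restrictions|_checks|_domains)$|^mynetworks$")


def parse_main_cf(text):
    """main.cf syntax: 'name = value', continuation lines start with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Recursively expand $name and ${name}; unknown names expand to ''."""
    if depth > 20:
        raise ValueError("parameter expansion loop")
    return _VAR.sub(lambda m: expand(params.get(m.group(1) or m.group(2), ""),
                                     params, depth + 1), value)


def _tables(value, params):
    return [t for t in re.split(r"[\s,]+", expand(value, params)) if t]


def _unproxied(name):
    while name.startswith("proxy:"):
        name = name[len("proxy:"):]
    return name


def unserved_proxy_tables(params):
    """{parameter: [table, ...]} for proxy: tables not covered by proxy_read_maps."""
    served = {_unproxied(t) for t in _tables(params.get("proxy_read_maps", ""), params)}
    missing = {}
    for name, value in params.items():
        if name == "proxy_read_maps" or not _TABLE_PARAM.search(name):
            continue
        bad = sorted({_unproxied(t) for t in _tables(value, params)
                      if t.startswith("proxy:")} - served)
        if bad:
            missing[name] = bad
    return missing


def proxymap_chroot(master_cf):
    """Chroot column of the proxymap service: 'n' is right, 'y' is wrong,
    '-' means the master.cf default (y before Postfix 3.0, n from 3.0)."""
    for raw in master_cf.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if len(fields) >= 8 and fields[7] == "proxymap":
            return fields[4]
    return None


if __name__ == "__main__":
    params = parse_main_cf(MAIN_CF)
    for name, tables in unserved_proxy_tables(params).items():
        print(f"{name}: not in proxy_read_maps: {', '.join(tables)}")
    print("proxymap chroot column:", proxymap_chroot(MASTER_CF))
```

On a live system, feed it `postconf -n` style output for main.cf (or the file itself) and the real master.cf; the fix for a reported table is to add the owning parameter to the copied proxy_read_maps, and the fix for a `y` chroot column is to set it to `n` for proxymap.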