Previous | Contents | Index |
When a service type of 2
is specified, the directory
channel performs LDAP queries, querying an LDAP
directory or X.500 DSA
via an LDAP server, to look up mailbox names. The types of queries can
be controlled with an LDAP filter file (e.g., exact matches,
fuzzy matches, searches down the entire directory, etc.). In
the event of an ambiguous match, the possible choices can be returned
along with the original message to the message originator.
The directory channel queries an LDAP
directory or X.500 DSA
via either a local or remote LDAP server. TCP/IP is used to communicate
with the LDAP server; on OpenVMS systems UCX emulation is required of
your TCP/IP package.
3.2.7.1 Required Options
When performing LDAP
or X.500
directory look ups, the directory channel needs to know the LDAP server to which to connect and the point in the LDAP/X.500
hierarchy to which to bind and from which to base searches. Additional
options, described in Section 3.2.7.3, may be used to control other
aspects of the LDAP querying process.
3.2.7.1.1 LDAP_SERVERS Option
The LDAP_SERVERS
option must be used to specify the LDAP server and port to which to
connect. The format of this option is
LDAP_SERVERS=host1+port1|host2+port2|host3+port3... |
LDAP_SERVERS=ldap.example.com |
LDAP_SERVERS=192.135.12.1 |
LDAP_SERVERS=ldap.example.com+389 |
3.2.7.1.2 LDAP_BASE Option
The LDAP_BASE
option must also be specified in the option file. This option specifies the distinguished name of the location in the LDAP or X.500 directory information tree from which to base searches. The LDAP_BASE
is specified in LDAP DN
syntax according to RFC 1485; e.g.,
LDAP_BASE=o=Example Computing,st=California,c=US |
3.2.7.2 TLS Options
PMDF has the ability to access LDAP servers using TLS authentication.
Note that in order to use this feature, your LDAP server must be set up
to do TLS. To configure the directory channel to use TLS, you must
specify the following options.
TLS_MODE (1 or 2)
TheTLS_MODE
option is used to specify whether to use TLS. A value of 1 tells the directory channel to try to use TLS, but continue without it if TLS is not available. A value of 2 tells the directory channel to require TLS. The default is to not use TLS.CACERTFILE (file name)
You may need to have the Certificate Authority (CA) certificate to be used by LDAP on your PMDF system. If so, by default the CA certificate should be placed in the filepmdf_table:ldap-cacert.pem
. Use theCACERTFILE
option if you wish to specify a different file name, for example if you need to use different CA certificates for different domains.
An example directory
channel option file which includes TLS options is as follows:
example.org=2 example.org_ldap_servers=ldap.example.org example.org_ldap_base=dc=ldap.example,dc=com example.org_tls_mode=2 example.org_cacertfile=/pmdf/table/example-cacert.pem |
3.2.7.3 Additional Options
Additional channel options are shown below:
BIND (0 or 1)
TheBIND
option is used to specify whether an LDAP bind operation is sent to theLDAP
directory before a search operation is attempted. Unlike LDAPv2, LDAPv3 does not require a bind operation to take place. The default value is 1, meaning that a bind operation will be performed. If authentication is not required on the LDAPv3 server, performance can be improved by disabling bind operations by settingBIND=0
. TheBIND
option is ignored when using the connectionless protocol over a UDP transport.DISPLAY_MAIL_TYPE (attribute type)
When multiple matches to a search are found, thedirectory
channel returns choices to the sender. Thedirectory
channel returns the distinguished name and e-mail address. By default, the e-mail address which the channel would use to deliver the mail (as specified by theMAIL_TYPE
option) is displayed in such returns. TheDISPLAY_MAIL_TYPE
option can be used to specify an alternate mail address attribute to be returned. In particular, when redefiningMAIL_TYPE
to something other than the mail attribute, you may still want the directory channel to display the mail attribute when returning address choices to users. For example:
DISPLAY_MAIL_TYPE=mailDISPLAY_MAIL_TYPE
defaults to the value ofMAIL_TYPE
if not specified.DN
The DN option is used to specify theLDAP
orX.500 Distinguished Name
used to bind to theLDAP
directory orX.500 DSA
--- theDN
is essentially the username to use to login to the server --- although when using thedirectory
channel over UDP transport, theDN
is used by the LDAP server only for logging purposes and it is not passed to an X.500 DSA (if an X.500 DSA is backing up the LDAP server) during the bind. The DN is specified inLDAP DN
syntax according to RFC 1485; e.g.,
DN=cn=Directory Channel,o=Example Computing,st=California,c=USFILTERFILE
The directory channel processes each name by performing a regular expression match on thepmdf_dirchan
group of rules in theldapfilter.conf
file in the PMDF table directory, i.e., the filePMDF_TABLE:ldapfilter.conf
(OpenVMS) or the file/pmdf/table/ldapfilter.conf
(UNIX) or normally (the exact drive may be different depending upon installation) the fileC:\pmdf\table\ldapfilter.conf
(NT). Do not modify the suppliedldapfilter.conf
file, as your changes will be lost when you upgrade or reinstall PMDF. Instead, to use a different file, specify theFILTERFILE
option with the filename of the desired file. For example, on OpenVMS
or on UNIX
FILTERFILE=PMDF_TABLE:example_ldapfilter.txt
or on NT
FILTERFILE=/pmdf/table/example_ldapfilter.txt
The default
FILTERFILE=C:\pmdf\table\example_ldapfilter.txtldapfilter.conf
file contains a rich set of default rules which provide for exact and approximate matching of names and initials. However, if you want to make changes, see the comments in the file and Section 3.2.7.6 for details. The filters specified in this file are as defined in RFC 2254 (which obsoletes RFCs 1960 and 1558, the earlier descriptions of such filters).FILTERTAG
Thedirectory
channel processes each name by performing a regular expression match on a group of rules found in the file specified by theFILTERFILE
option. TheFILTERTAG
option is used to specify the group of rules to use. For example:
The default is
FILTERTAG=example_dirchanpmdf_dirchan
. Do not modify the suppliedldapfilter.conf
file, as your changes will be lost when you upgrade or reinstall PMDF. Instead, to use a different file, see theFILTERFILE
option.HINT_TYPE
When multiple matches to a search are found, thedirectory
channel returns choices to the sender. In addition to the distinguished name and e-mail address, thedirectory
channel can optionally return one more attribute from the entries to help the sender choose between them. For example,
While any attribute can be specified, some suggestions are title, uid, telephoneNumber, or description.
HINT_TYPE=titleLDAP_BASE (distinguished name)
TheLDAP_BASE
specifies the distinguished name of the location in theLDAP
orX.500
directory information tree from which to base searches. See Section 3.2.7.1.2 for details.LDAP_SERVERS (domain name or IP address)
TheLDAP_SERVERS
option is used to specify the IP address or domain name of the LDAP server to use. See Section 3.2.7.1.1 for details.MAIL_TYPE (attribute type)
When the directory channel searches theLDAP
directory orX.500
directory for a name, it requests that an e-mail address be returned. TheMAIL_TYPE
option is used to specify the attribute type requested from the directory.MAIL_TYPE
must match the attribute type returned by your LDAP server; (while servers may accept aliases, they return one specific attribute type with the value). The default isMAIL_TYPE=mail
. You may need to specify this option if you are using a non-PMDF LDAP server or you are using an LDAP or X.500 schema other than COSINE/Internet schema (RFC 1274). You will want to specify this option if you use a different directory attribute, such aspMDFMailAddress
to specify a local delivery address. For example:
MAIL_TYPE=pMDFMailAddressPASSWORD (string)
ThePASSWORD
option is used to specify a simple authentication credential to be sent with theDN
(that specified by the DN option) when binding to theLDAP
directory or X.500 DSA. This can be used to allow thedirectory
channel more access to the directory than is allowed for anonymous users. For example:
If a
PASSWORD=secretPASSWORD
is specified, aDN
must also be specified, although a DN may be specified without aPASSWORD
. ThePASSWORD
value is ignored when using the connectionless protocol over a UDP transport.SIZELIMIT (integer >= -1)
When thedirectory
channel performs a search for an e-mail address, many entries may match the search criteria. If this is the case, the original mail message is returned to the sender along with a list of possible address choices. TheSIZELIMIT
option controls the maximum number of choices which are returned; e.g.,
The default value for
SIZELIMIT=10SIZELIMIT
is 50. You may want to make this limit smaller to reduce "trawling" of your database. Note that this limit may be superseded by a smaller limit which has been imposed by the manager of theLDAP
directory or X.500 DSA. Specify a value of-1
to allow any number of matches to be returned; specify a value of0
to suppress the return of possible matches. Note that this is a change of behavior from versions of PMDF prior to V5.1-9 when a value of0
allowed any number of matches to be returned.TRANSPORT (TCP or UDP)
TheTRANSPORT
option is used to specify whether to use connection orientedLDAP
protocol over TCP or connectionless oriented protocol over UDP. For example:
The default is
TRANSPORT=UDPTRANSPORT=TCP
. When running over UDP, the slightly differentCLDAP
protocol is actually used.CLDAP
is more suited for lower overhead over reliable network connections. Use LDAP over TCP if you may have packet loss to your server. When using UDP, all information must fit in a single UDP datagram. If you use UDP, it is suggested that you specify a smallSIZELIMIT
option, e.g., 10 or less. If the response from the LDAP server exceeds the size of a UDP datagram, you will not get any choices returned for ambiguous names.TRIM (integer)
When multiple matches to a search are found, thedirectory
channel returns to the sender a list of the matches.TRIM
affects the level of detail provided in the returned information. IfTRIM
is a positive integer, it specifies how many elements to trim off of each matching distinguished name starting with the most general element and working down to the most specific element. ATRIM
value of zero specifies that no trimming is to be done. A negative value specifies the number of elements to leave. For example, if the returned match isJoe User, Accounting, Example Computing, California, US
then the following table shows the results of variousTRIM
values.The default value of
TRIM Result 4 Joe User 3 Joe User, Accounting 0 Joe User, Accounting, Example Computing, California, US -1 Joe User -2 Joe User, Accounting TRIM
is-1
so that only the most specific element is returned. A common choice forTRIM
is the number of elements in yourLDAP_BASE
distinguished name.
3.2.7.4 Example Option Files
An example option file is shown below.
example.com=2 LDAP_SERVERS=ldap.example.com LDAP_BASE=o=Example Computing,st=California,c=US |
example.com=2
option specifies that LDAP directory or X.500 directory operations are to be done for the example.com pseudo domain. The LDAP server ldap.example.com
is used; queries will begin at the position o=Example Computing,
st=California, c=US in the LDAP or X.500 directory hierarchy.
Shown below is an example of an option file for a directory
channel which services two different pseudo domains.
example.com=2 sales.example.com=2 LDAP_SERVERS=ldap.example.com example.com_LDAP_BASE=o=Example Computing, st=California, c=US example.com_TRIM=3 example.com_HINT_TYPE=title sales.example.com_LDAP_BASE=ou=Sales, o=Example Computing, st=California, c=US sales.example.com_TRIM=4 sales.example.com_HINT_TYPE=telephoneNumber |
3.2.7.5 Default Mailbox Syntax Supported
The ldapfilter.conf
file provided with PMDF supports a number of syntaxes. For the exact
syntaxes supported, see the file itself, located in the PMDF table
directory, and Section 3.2.7.6. Here are a few examples of syntaxes that
are likely to match "Joe Wilson":
"Joe Wilson"@example.com Joe_Wilson@example.com Joe.Wilson@example.com J.Wilson@example.com Wilson@example.com Wilsen@example.com title=President@example.com |
3.2.7.6 LDAP Filter Configuration File, ldapfilter.conf
The file ldapfilter.conf
contains information used by LDAP clients, e.g., the PMDF directory channel doing an LDAP or X.500 directory lookup. Blank lines and lines that start with the hash character, #
, are treated as comments and ignored. The configuration information consists of lines that contain one to five tokens. Tokens are separated by white space. Double quotes can be used to include white space inside a token, e.g., "text moretext"
.
3.2.7.6.1 Filter Sets
The file consists of a sequence of one or more filter sets. A filter
set begins with a line containing a single token called a tag. The tag
is used by the client to select the filter set.
3.2.7.6.2 Filter Lists
A filter set consists of a sequence of one or more filter lists. The
first line in a filter list must contain four or five tokens: The value
pattern, the delimiter list, a filter template, a match description,
and an optional search scope.
printf
style format string. Everything is taken literally except for the character sequences:
Sequence | Description |
---|---|
%v
|
Substitute with entire search string value |
%v$
|
Substitute with last word of search string value |
%v
n
|
Substitute word
n
;
n
is a single digit 1-9
|
%v
m
-
n
|
Substitute words
m
through
n
|
%v
m
-
|
Substitute word
m
through the last word
|
One "match description" match was found for... |
Three "match description" matches were found for.... |
base
onelevel
, or subtree
. If search scope is not provided, the default is subtree
.
The remaining lines of the filter list should each contain two or three tokens: A filter template, a match description and an optional search scope. The value pattern and delimiter list tokens are the same as previously specified.
3.2.7.6.3 Example LDAP Filter Configuration File
Example 3-6 shows a sample LDAP filter configuration file containing one filter set, pmdf_lookup
, which contains three filter lists.
Example 3-6 Sample LDAP Filter File |
---|
# ldap filter file # pmdf_lookup "[0-9][0-9-]*" " " "(telephoneNumber=*%v)" "phone number" "@" " " "(mail=%v)" "email address" "(mail=%v*)" "start of email address" "=" " " "%v" "arbitrary filter" |
Previous | Next | Contents | Index |