Sendmail + LDAP HOWTO
Jason Christopher Radford, jradford@cat.com
V.1, August 16, 2000

1.  Introduction

	1.1 Purpose/Introduction
  	1.2 What is LDAP 
	1.3 How can Sendmail benefit from using LDAP 
	1.4 How do I decide if I can benefit from using LDAP 
	1.5 LASER IETF LDAP routing specification

2.  Installing the LDAP Server
	
	2.1 Download the OpenLdap tarball
	2.2 Unpacking the tarball
	2.3 Configuring/Compiling the LDAP Server
	
3.  Configuring the LDAP Server
	
	3.1 Installed file Map
	3.2 Configuring slapd.conf
	3.3  Adding the LASER schema definition file
	3.4 Starting the LDAP server
	3.5 Populating the database
	3.6 Testing the LDAP server
	3.7  Adding a test user using LASER attributes
	3.8 Stopping the LDAP server

4. Configuring Sendmail

	4.1 Download the Sendmail tarball
	4.2 Unpacking the tarball
	4.3 Configuring/Compiling Sendmail
	4.4 Creating an .mc configuration file
	4.5 Generating a sendmail.cf

5. Testing Sendmail LDAP lookups

Not finished yet

1.  Introduction


1.1.  Purpose/Introduction

The purpose of this document is to set up an LDAP directory with Sendmail and detail the advantages 
of using such a system.  The reader will learn the basic setup of the OpenLdap directory and how 
to compile Sendmail with ldap support and interface it with this LDAP directory.

An LDAP directory with standards-based LDAP entries will be created, allowing Sendmail to replace 
the alias table normally stored in a database map file on that Sendmail server.  
The information presented in this document should give the reader a gentle introduction to LDAP, 
adding LDAP entries, and configuring Sendmail to utilize these entries for mail routing purposes 
using an extended schema entitled LASER.  Additional information regarding 
LDAP, OpenLdap LDAP server administration, Sendmail administration, and pertinent RFC information 
may be found in the reference section of this howto document.


1.2.  What is LDAP ? 

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for accessing information 
services.  The protocol runs over Internet transport protocols, such as TCP, and can be used to 
access stand-alone servers or X.500 directories.  LDAP is a lightweight alternative to the X.500 
Directory Access Protocol (DAP). 

1.3.  How can Sendmail benefit from LDAP ?

Historically the information used to look up and route a user's SMTP mail has been 
stored individually on each Sendmail server in the form of database maps or flat files.  While 
this does not pose a problem for a single server, multiple Sendmail servers had to somehow keep 
these files in synchronization with each other or required the email administrator to update these 
files on each server individually.  The LDAP protocol enables Sendmail to access a cross-platform, 
standards-based central repository of user information.  Another key benefit of LDAP is that 
companies can now use standards-based tools, in almost any development language which is LDAP 
enabled, to create a customized directory of information for company-wide access by all applications 
(not limited to email).


1.4  How do I decide if I should use LDAP ?

LDAP servers are heavily optimized for read-intensive operations.  This differs from conventional 
RDBMS (Relational Database Management System) deployments, where data stored in a SQL database is 
constantly being written or updated.  Another difference is the lack of referential integrity in an 
LDAP directory: apart from the distinguished name of each entry, there is no concept such as a 
'primary key' or foreign key to ensure uniqueness or consistency across the directory as a whole.  
Enforcing these is left to the applications which add/delete/modify LDAP entries and their respective 
attributes.  An LDAP directory would be beneficial in the following cases:

	-  A need for data to be accessible in a cross-platform, vendor-neutral manner
	-  Access to this data from a number of disparate systems and applications is desired
	-  The entries to be accessed are seldom added or modified within a day's time
	-  The referential integrity afforded by an RDBMS (SQL) system is not needed

1.5  LASER LDAP SMTP Routing Specification 
 
LASER is an IETF draft document providing an LDAP schema for intranet mail routing.  A key part of 
this document defines an LDAP object class called 'inetLocalMailRecipient' along with its respective 
attributes (mailLocalAddress, mailRoutingAddress and mailHost).  Note that this schema is intended only 
to be used in the process of routing email within a private enterprise, not on the public Internet: 
the routing data it holds is meant to be trusted, so the directory that serves it must be trusted too.  
The OpenLdap directory will include this schema and rely heavily on its attributes for SMTP mail 
routing via sendmail's LDAP maps.  Further information about LASER can be found in the reference 
section of this document.


2.  Installing the LDAP Server

2.1  Download the latest stable release of OpenLdap at www.openldap.org; at the time of this 
     document the current stable version is 1.2.11.

2.2  Place the tarball in your home directory on the server it's going to be running on.  For clarity 
     I'll assume the filename is openldap-1.2.11.tgz.  

     Execute the following command:

example:	tar xvfz openldap-1.2.11.tgz

NOTE: some systems do not support the z option in tar; on those you will need to decompress the 
      file with gzip first, as follows:

example:	gzip -d openldap-1.2.11.tgz	
example:	tar xvf openldap-1.2.11.tar

2.3  Configuring/Compiling the LDAP Server  

Change directories into the newly untar'ed directory:

example:	cd openldap-1.2.11

Run the configuration script so that it may properly query your system and generate a makefile.

example:	./configure

Now you should properly make the dependencies for compiling. 

example:	make depend

Type make to compile and build the OpenLdap binaries.  This step may take some time depending on 
the speed of your system.

example:	make

Change into the tests directory.

example:	cd tests

Type make to execute a series of tests to ensure the LDAP server is properly compiled and working 
on your machine.

example:	make

Once all of the tests have successfully completed change directories one level up, become root 
(type su and enter root's password at the prompt), and type make install.  This will install the 
LDAP server onto the machine.  Only this last step needs root; do the configure, compile and test 
steps as an ordinary user.

example:	cd ..
example:	su 
example:	make install

Now that the binaries and basic configuration files are installed we can progress on to the final 
configuration stages of the LDAP server.

3.  Configuring the LDAP Server

3.1  The basic file map (layout) and location of the installed files are as follows:

/usr/local/etc/openldap -  This directory contains all of the configuration files for the LDAP server, 
including slapd.conf, which holds the directory's root password and so should be readable by root only.

/usr/local/var/openldap-ldbm/ -  This directory contains the actual LDBM database where all of the 
directory's entries and indexes will be stored.  NOTE:  This directory should not be group or world 
readable, writable, or executable; anyone who can read the database files can read every entry in 
the directory without going through the server or its access controls at all.

/usr/local/libexec - This directory contains the LDAP server executables including slapd 
(the Stand-alone LDAP Daemon), slurpd (the Stand-alone LDAP Update Replication Daemon, which pushes 
changes from a master slapd out to replica servers), and a few other tools.  For their 
respective uses consult the README file in the openldap directory that you untar'ed in your home 
directory.


3.2  Configuring slapd.conf

Use a Unix editor such as vi and open slapd.conf in /usr/local/etc/openldap.  (You need to be root 
to edit this file.)

The 3 lines we are most concerned about are as follows:

suffix		"dc=my-domain, dc=com"
rootdn		"cn=Manager, dc=my-domain, dc=com"
rootpw		secret

The values my-domain and com should be replaced with the appropriate entries; for this example 
we'll assume a company named foo whose Internet domain is foo.com.  So we would change the 
entries to the following:

suffix		"dc=foo, dc=com"
rootdn		"cn=Manager, dc=foo, dc=com"

The final entry, rootpw, is the password that goes with the rootdn and grants the right to add, 
modify and delete entries in the directory.  By default anyone can bind anonymously and search 
the directory; if any changes or additions need to be made you'll need to bind as the rootdn 
and supply the rootpw, whether from the ldap command line tools or from whatever 
application/language you're using.  Change the rootpw now to a value of your own: the shipped 
value "secret" is known to everyone who has seen this template.  Because the password sits in 
slapd.conf in the clear, the file must be readable by root only (mode 600), and because this 
release speaks plain LDAP over TCP with no TLS, the password also crosses the network unencrypted 
on every bind, so administer the directory from the server itself or over a trusted network.

Lastly we now need to tell the LDAP server about the extended schema that LASER provides.  At the 
top of the slapd.conf file you'll see 2 include statements that should look similar to this:

include		/usr/local/etc/openldap/slapd.at.conf
include		/usr/local/etc/openldap/slapd.oc.conf

Add a line directly below the last include statement and enter the following line exactly as shown:

include		/usr/local/etc/openldap/mail-routing.oc.conf

After adding the above line, save the modified slapd.conf file.
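As an added example (not part of the HOWTO or of OpenLDAP), the Python below audits a slapd.conf for 
the mistakes this section warns about: the template suffix/rootdn left in place, the shipped rootpw 
"secret", a rootpw stored in the clear, and no access directive at all, plus the file-mode rule from 
section 3.1.  Both configuration strings are constructed; the hashed rootpw value is a placeholder 
and the access directives are written in the 1.2 syntax as an assumption to check against 
slapd.conf(5) for your release.

```python
import re
import stat

# Constructed slapd.conf in the shape of the OpenLDAP 1.2 template this
# section starts from, before any editing.
TEMPLATE_CONF = """\
include		/usr/local/etc/openldap/slapd.at.conf
include		/usr/local/etc/openldap/slapd.oc.conf
database	ldbm
suffix		"dc=my-domain, dc=com"
rootdn		"cn=Manager, dc=my-domain, dc=com"
rootpw		secret
directory	/usr/local/var/openldap-ldbm
"""

# The same file after this section's edits, plus two assumptions: a hashed
# rootpw (the {SSHA} text is a placeholder, not a real hash) and access
# directives in the 1.2 syntax that leave only the attributes sendmail needs
# readable by anonymous binds.  objectClass must stay readable: sendmail's
# search filter matches on it, and a filter on an attribute the client may
# not see never matches anything.
HARDENED_CONF = """\
include		/usr/local/etc/openldap/slapd.at.conf
include		/usr/local/etc/openldap/slapd.oc.conf
include		/usr/local/etc/openldap/mail-routing.oc.conf
database	ldbm
suffix		"dc=foo, dc=com"
rootdn		"cn=Manager, dc=foo, dc=com"
rootpw		{SSHA}placeholder-hash-not-a-real-value
directory	/usr/local/var/openldap-ldbm
access to attr=userPassword
	by self write
	by * none
access to attr=objectClass,mailLocalAddress,mailRoutingAddress,mailHost
	by * read
access to *
	by * none
"""


def parse_slapd_conf(text):
    """Return (directive, value) pairs.  Lines starting with whitespace are
    continuations of the previous directive, as slapd reads them; comments
    and blank lines are skipped; surrounding double quotes are dropped."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            name, value = directives[-1]
            directives[-1] = (name, value + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        value = parts[1].strip('"') if len(parts) > 1 else ""
        directives.append((parts[0].lower(), value))
    return directives


def audit_slapd_conf(text):
    """List the problems this section warns about; [] means none found."""
    values = {}
    for name, value in parse_slapd_conf(text):
        values.setdefault(name, []).append(value)
    suffix = values.get("suffix", [""])[0]
    rootdn = values.get("rootdn", [""])[0]
    rootpw = values.get("rootpw", [""])[0]
    findings = []
    if "my-domain" in suffix or "my-domain" in rootdn:
        findings.append("suffix/rootdn still carry the dc=my-domain template value")
    if rootpw == "secret":
        findings.append("rootpw is the template default 'secret'")
    if rootpw and not re.match(r"\{[A-Za-z0-9]+\}", rootpw):
        findings.append("rootpw is stored in cleartext; use a hashed value where supported")
    if "access" not in values:
        findings.append("no access directive: every attribute is readable by anonymous binds")
    return findings


def mode_findings(path, mode):
    """Flag any group/other permission bit, the rule section 3.1 gives for
    the database directory; it applies to slapd.conf as well since rootpw
    lives there."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s is mode %o; it should have no group/other bits" % (path, stat.S_IMODE(mode))]
    return []


if __name__ == "__main__":
    for label, conf in (("template", TEMPLATE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_slapd_conf(conf) or ["no findings"])
    print(mode_findings("/usr/local/etc/openldap/slapd.conf", 0o644))
```

Run it against your real file with open("/usr/local/etc/openldap/slapd.conf").read() and 
os.stat(path).st_mode; a clean result is not proof the directory is safe, only that these four 
textbook mistakes are absent.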

3.3  Adding the LASER schema definition file

A file must now be created to satisfy the mail-routing.oc.conf include statement we just entered 
in the slapd.conf configuration file.

Create a file with the following contents in the /usr/local/etc/openldap directory with the name 
mail-routing.oc.conf. (using the exact path/file name you entered in the slapd.conf)

The file should contain the following:

# Beginning of file
#
# LDAP Schema for Intranet Mail Routing
# Reference: draft-lachman-laser-ldap-mail-routing-02
# 
# This file has been tested using OpenLDAP (www.openldap.org).
# Save this file as mail-routing.oc.conf and add a line to your slapd.conf:
# include    /usr/local/etc/openldap/mail-routing.oc.conf
#
# Add an additional in
# The three LASER attributes, all case-insensitive strings (cis)
attribute mailLocalAddress        cis
attribute mailRoutingAddress      cis
attribute mailHost                cis
# The object class that carries them; only objectClass itself is mandatory
objectClass inetLocalMailRecipient
   requires
      objectClass
   allows
      mailLocalAddress,
      mailRoutingAddress,
      mailHost
# End of File


Save the contents of the above file in the appropriate location.  The LDAP server now will include 
this file at startup and will include the new objectclass 'inetLocalMailRecipient'.


3.4  Starting the LDAP server

Issue the following command as root to start the LDAP server.  It detaches into the background and, 
by default, listens on TCP port 389 on every interface of the machine, so make sure that port is 
reachable only from hosts that should be querying the directory.

example:	/usr/local/libexec/slapd 

3.5  Populating the LDAP database

In your home directory, using a Unix editor such as vi, create a file called entry.ldif containing 
the following (the blank line between the two entries is required by LDIF):

dn: dc=foo, dc=com
dc: foo
o: foo inc.
objectclass: organization
objectclass: dcObject

dn: cn=Manager, dc=foo, dc=com
cn: Manager
sn: Manager
objectclass: person

After saving the entry.ldif file execute the following command:

example:	ldapadd -D "cn=Manager, dc=foo, dc=com" -W < entry.ldif

This command will add the root entry of the directory from the entry.ldif file and will 
also create a person entry in the directory called Manager.  The command will prompt you for 
the rootdn's password, which was specified in the slapd.conf configuration file.  If you get an 
"invalid credentials" error you're either not using the proper rootdn entry or not entering the 
correct password.

3.6  Testing the LDAP Server

Enter the following command, which searches for everything under the base and so returns the 
Manager entry that was just inserted into the directory via the ldapadd command.  -L prints the 
results in LDIF form; no -D or -W is given because the default configuration allows anonymous 
reads, so the search binds anonymously.

example:	ldapsearch -L -b "dc=foo, dc=com" "(objectclass=*)"

3.7  Adding a test user using the LASER attributes

blah blah blah blah blah blah blah




3.8 Stopping the LDAP server

To properly stop the LDAP server it should be sent the TERM signal: run kill -TERM as root with 
the process ID of slapd (found with ps).  Killing it any other way risks leaving the LDBM database 
files in an inconsistent state.


4. Configuring Sendmail

4.1  Download a current version of sendmail, as of this writing sendmail 8.11.1 is available 
from ftp.sendmail.org

4.2  Using a text editor create a file in {sendmailroot}/devtools/Site/ called site.config.m4 to 
store information telling sendmail to include the ldap map and libraries in the build process.


This file should contain something similar to the following (the openldap paths are the author's 
build tree; after the make install of section 2 the headers and libraries are also found under 
/usr/local/include and /usr/local/lib):

APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confINCDIRS', `-I/home/radfojc/openldap/include')
APPENDDEF(`confLIBDIRS', `-L/home/radfojc/openldap/libraries')
APPENDDEF(`confLIBS', `-lldap -llber')

The first line tells sendmail to include the -DLDAPMAP option in the build process, which compiles 
in the ldap map type.  The second and third lines tell sendmail where to find the openldap include 
and library directories so that the necessary headers and libraries can be located while building 
the sendmail executable.  The fourth line causes sendmail to link against the ldap and lber 
libraries.  The m4 quotes (` and ') are the form the sendmail devtools documentation uses and keep 
m4 from expanding the values.

4.3  Now from the root of the sendmail archive execute the Build command to compile the sendmail 
binaries and the appropriate support programs.  The -DLDAPMAP and -lldap -llber options should be 
seen on the command line while sendmail is compiling; if they are not, site.config.m4 was not 
picked up.

example:  cd /home/radfojc/sendmail-8.11.1
	  sh Build

After building become root and run Build with the install target, again from the root of the 
sendmail archive, to install the sendmail binaries and support files.

example:  su
	  cd /home/radfojc/sendmail-8.11.1
	  sh Build install

4.4  Now we're ready to create a basic .mc file to route email based on entries in the openldap 
directory.

Create a file called ldap.mc, containing the following:

OSTYPE(`linux')dnl
FEATURE(`ldap_routing')dnl
LDAPROUTE_DOMAIN(`foo.com')dnl
define(`confLDAP_DEFAULT_SPEC', `-h ldap.foo.com -b dc=foo,dc=com')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

Consult cf/README for the proper OSTYPE value (linux in this example).  The third 
line names the domain whose addresses are to be looked up in the ldap directory; LDAPROUTE_DOMAIN 
may be repeated if several domains are needed.  The fourth line tells sendmail where to find the 
ldap host (-h, its DNS name) and the default search base of the ldap directory (-b).  Note that 
sendmail binds anonymously and queries over plain TCP port 389, so the directory must allow 
anonymous read of the mail-routing attributes, and the path between the mail server and 
ldap.foo.com must be trusted: anyone who can tamper with that traffic can redirect mail.

Run this through the m4 macro processor to construct a .cf file readable by sendmail.

Assuming the ldap.mc file has been created in the root of the sendmail archive, issue the following 
command.  The -D_CF_DIR_ option tells cf.m4 where the cf tree lives, since it otherwise assumes 
it is being run from within cf/cf.

example:	m4 -D_CF_DIR_=./cf/ ./cf/m4/cf.m4 ldap.mc > ldap.cf

Copy the ldap.cf file into the /etc/mail directory naming the resulting file sendmail.cf and change 
the file permissions to 644.  NOTE: It will be necessary to become root for this operation.


example:	su root
		cp ./ldap.cf /etc/mail/sendmail.cf
		chmod 644 /etc/mail/sendmail.cf

Now execute sendmail in daemon mode (the -bd option makes it run as a daemon).  NOTE: It will be 
necessary to become root for this operation.

example: 	su root
		sendmail -bd


5.  Testing sendmail LDAP lookups

5.1  The easiest method of testing sendmail is to invoke sendmail in address test mode to verify 
the ldap maps are being processed correctly.  This can be done while sendmail is running in daemon 
mode with no problems, since -bt only resolves addresses and sends nothing.

example:  sendmail -bt

Sendmail will return a > prompt waiting for user input.  Type /parse jradford@foo.com and observe 
the last line sendmail returns.  The final result is a triple of mailer, host and recipient which 
should show something similar to the line below.

mailer esmtp, host mailhost1.foo.com, user radford_jason_c@foo.com

The mailer is esmtp (or smtp), the host is mailhost1.foo.com (as set by the mailHost LASER attribute 
of the jradford entry) and the final user name is radford_jason_c@foo.com (as set by that entry's 
mailRoutingAddress attribute).  The returned mail host name will then be looked up in DNS for MX 
records and the message delivered according to what DNS returns.  To exit from test mode simply 
type control-d.
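As an added example (not from the HOWTO, sendmail or OpenLDAP), the Python below supplies the LASER 
test entry that section 3.7 leaves blank, as constructed LDIF, and models how FEATURE(ldap_routing) 
from section 4.4 turns such entries into the mailer/host/user triple shown above.  It also covers 
the cases the single jradford entry cannot show: an entry with only a mailRoutingAddress, two 
entries claiming one address (the feature's default map uses the -1 flag, so that counts as no 
match), an entry that routes to itself, an address outside LDAPROUTE_DOMAIN, and the bounce option.  
The sales, dup and loop entries, the local_hosts parameter (standing in for class w) and the exact 
error-mailer triple are assumptions; the rulesets in sendmail.cf make the real decision, and the 
-bt test above remains the authority.

```python
import re

# Constructed LDIF for section 3.7's test user.  The jradford values are the
# ones the /parse output in section 5.1 implies; the other entries are
# invented to exercise the edge cases in route() below.
TEST_LDIF = """\
dn: uid=jradford, dc=foo, dc=com
uid: jradford
cn: Jason Radford
sn: Radford
objectClass: person
objectClass: inetLocalMailRecipient
mailLocalAddress: jradford@foo.com
mailRoutingAddress: radford_jason_c@foo.com
mailHost: mailhost1.foo.com

# alias-style entry: a routing address but no mailHost
dn: cn=sales, dc=foo, dc=com
cn: sales
objectClass: inetLocalMailRecipient
mailLocalAddress: sales@foo.com
mailRoutingAddress: jradford@foo.com

# two entries claim the same local address: ambiguous
dn: cn=dup1, dc=foo, dc=com
cn: dup1
objectClass: inetLocalMailRecipient
mailLocalAddress: dup@foo.com
mailHost: mailhost1.foo.com

dn: cn=dup2, dc=foo, dc=com
cn: dup2
objectClass: inetLocalMailRecipient
mailLocalAddress: dup@foo.com
mailHost: mailhost2.foo.com

# routes to itself: a misconfiguration the router must not chase forever
dn: cn=loop, dc=foo, dc=com
cn: loop
objectClass: inetLocalMailRecipient
mailLocalAddress: loop@foo.com
mailRoutingAddress: loop@foo.com
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64 or folded lines): entries are separated
    by blank lines, '#' lines are comments, attribute names are stored
    lower-cased because LDAP matches them case-insensitively."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if attrs:
            entries.append(attrs)
    return entries


def ldap_lookup(entries, address, attr):
    """Model of the default ldap_routing map in sendmail 8.11:
       ldap -1 -v <attr> -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))
    -1 means exactly one entry must match; zero or several matches are both
    reported as no value, as is a matching entry that lacks <attr>."""
    want = address.lower()
    hits = [e for e in entries
            if "inetlocalmailrecipient" in [v.lower() for v in e.get("objectclass", [])]
            and want in [v.lower() for v in e.get("maillocaladdress", [])]]
    if len(hits) != 1:
        return None
    values = hits[0].get(attr.lower(), [])
    return values[0] if values else None


def route(entries, address, route_domains=("foo.com",), local_hosts=(),
          bounce=False, _depth=0):
    """Return the (mailer, host, user) triple in the shape 'sendmail -bt'
    prints, following cf/README's description of FEATURE(ldap_routing):
    mailHost set -> relay there, user = mailRoutingAddress or the original;
    only mailRoutingAddress -> rewrite the address and resolve it again;
    no entry or no attributes -> local delivery, or a bounce if requested."""
    user, _, domain = address.rpartition("@")
    if domain.lower() not in route_domains:
        return ("esmtp", domain, address)        # not an LDAPROUTE_DOMAIN
    host = ldap_lookup(entries, address, "mailHost")
    target = ldap_lookup(entries, address, "mailRoutingAddress")
    if host is None and target is None:
        if bounce:                               # FEATURE(ldap_routing, , , bounce)
            return ("error", "5.1.1", "550 User unknown")
        return ("local", "", user)
    if host is not None:
        final = target or address
        if host.lower() in local_hosts:          # mailHost is this machine
            return ("local", "", final.rpartition("@")[0])
        return ("esmtp", host, final)
    if _depth >= 5:                              # assumed guard, not sendmail's own
        raise RuntimeError("mailRoutingAddress loop at %s" % address)
    return route(entries, target, route_domains, local_hosts, bounce, _depth + 1)


ENTRIES = parse_ldif(TEST_LDIF)

if __name__ == "__main__":
    for addr in ("jradford@foo.com", "sales@foo.com", "nobody@foo.com", "dup@foo.com"):
        print("mailer %s, host %s, user %s" % route(ENTRIES, addr))
```

The dup case is the one to remember when a user reports that mail for them suddenly delivers 
locally instead of to their mail host: a second entry with the same mailLocalAddress makes the 
map return nothing, and the default behaviour on "nothing" is local delivery, not an error.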

That's it!


Well not really, this document should be considered alpha.  I put it online to help a few people out; 
if anyone would be kind enough to send me constructive comments/suggestions I would appreciate 
that greatly!

jradford@cat.com