Mailing List Archive

Check if LDAP server can be reached
Hello,

On my setup, LDAP lookups happen through NSS. If the LDAP server goes
down, the lookup fails, and the mail gets permanently rejected. I'd like
to either reject it only temporarily or accept all messages if the LDAP
server is down/can't be reached and freeze them.

I tried a simple lookup like this
${if eq{\
${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?(uid=${quote_ldap:$local_part})}}}\
{$local_part}\
{true}{false}}

However, if the LDAP server can't be reached, it "generates an error"
(as described in the specification). What is the correct way to handle
such an error? Am I trying to do something stupid?


Best regards,

Moritz

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Check if LDAP server can be reached
Hello,

On Wed, Apr 04, 2012 at 18:53:50 +0200, Moritz Wilhelmy wrote:
> On my setup, LDAP lookups happen through NSS. If the LDAP server goes
> down, the lookup fails, and the mail gets permanently rejected. I'd like
> to either reject it only temporarily or accept all messages if the LDAP
> server is down/can't be reached and freeze them.
>
> I tried a simple lookup like this
> ${if eq{\
> ${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?(uid=${quote_ldap:$local_part})}}}\
> {$local_part}\
> {true}{false}}
>
> However, if the LDAP server can't be reached, it "generates an error"
> (as described in the specification). What is the correct way to handle
> such an error? Am I trying to do something stupid?

Guess I'll just run a local slapd instance on the mailserver...


Best,

Moritz

Re: Check if LDAP server can be reached
On 2012-04-04 at 18:53 +0200, Moritz Wilhelmy wrote:
> On my setup, LDAP lookups happen through NSS. If the LDAP server goes
> down, the lookup fails, and the mail gets permanently rejected. I'd like
> to either reject it only temporarily or accept all messages if the LDAP
> server is down/can't be reached and freeze them.
>
> I tried a simple lookup like this
> ${if eq{\
> ${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?(uid=${quote_ldap:$local_part})}}}\
> {$local_part}\
> {true}{false}}

You don't say where this query is.

The LDAP lookups always return temporary errors.

In a Router or Transport, you'll get a deferral, 4xx.

In an ACL, the condition is likely to fail. Careful construction of
your ACL rules, with "set acl_m_foo" will let you set a variable and
check for deferral, which will let you return a 4xx error from the ACL.

You can also set more than one server in ldap_default_servers which
helps with failover.

I'm guessing your expansion problem is in an ACL. If you need help
restructuring the ACL, post the relevant ACL here and people will help.

-Phil

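As an added example (not code from the thread or from the Exim project), this is how the acl_m pattern Phil describes could look in a near-default acl_check_rcpt. The directory base, the server names and the variable acl_m_ldap_uid are constructed, and it assumes Exim's behaviour that a deferred LDAP lookup makes the expansion of a "set" modifier fail, so the "warn" statement is skipped and the variable is left empty.

```exim
# Main section: with a host-less ldaps:/// URL the lookup tries these
# servers in turn, which covers one server being down (constructed names).
ldap_default_servers = ldap1.example.invalid : ldap2.example.invalid

# acl_check_rcpt.  The lookup yields the user's uid if the entry exists
# and the literal NOTFOUND if it does not.  If the directory cannot be
# reached the lookup defers, the expansion of the "set" modifier fails,
# the whole "warn" statement is skipped and acl_m_ldap_uid stays empty
# (assumed behaviour); the "defer" statement below turns that into a 4xx
# instead of a 5xx, so an outage never looks like "unknown user".
acl_check_rcpt:
  # Reset first: acl_m variables survive across the RCPT commands of one
  # message, so the result for a previous recipient must not be reused.
  warn    domains        = +local_domains
          set acl_m_ldap_uid =
          set acl_m_ldap_uid = ${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?\
                                 (uid=${quote_ldap:$local_part})}\
                                 {$value}{NOTFOUND}}

  defer   domains        = +local_domains
          condition      = ${if eq{$acl_m_ldap_uid}{}}
          message        = Directory temporarily unavailable, try again later
          log_message    = LDAP lookup for $local_part@$domain deferred

  # Caveat: at RCPT time $local_part is the raw local part, so addresses
  # carrying a +suffix would need the suffix stripped before this check.
  deny    domains        = +local_domains
          condition      = ${if eq{$acl_m_ldap_uid}{NOTFOUND}}
          message        = Unknown user

  accept  domains        = +local_domains

  deny    message        = relay not permitted
```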
Re: Check if LDAP server can be reached
Hello,

On Mon, Apr 09, 2012 at 07:25:19 -0700, Phil Pennock wrote:
> On 2012-04-04 at 18:53 +0200, Moritz Wilhelmy wrote:
> > On my setup, LDAP lookups happen through NSS. If the LDAP server goes
> > down, the lookup fails, and the mail gets permanently rejected. I'd like
> > to either reject it only temporarily or accept all messages if the LDAP
> > server is down/can't be reached and freeze them.
> >
> > I tried a simple lookup like this
> > ${if eq{\
> > ${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?(uid=${quote_ldap:$local_part})}}}\
> > {$local_part}\
> > {true}{false}}
>
> You don't say where this query is.

I tried expanding it in exim -be. The result was an error, and I wasn't
so sure how exim handles these.

> The LDAP lookups always return temporary errors.
>
> In a Router or Transport, you'll get a deferral, 4xx.

I guess it fails in the localuser router.

> In an ACL, the condition is likely to fail. Careful construction of
> your ACL rules, with "set acl_m_foo" will let you set a variable and
> check for deferral, which will let you return a 4xx error from the ACL.

Thanks for pointing this out, I wouldn't have thought of that.

> You can also set more than one server in ldap_default_servers which
> helps with failover.

We have two LDAP servers, both of which are in the configuration, but in
case the network is down during a delivery attempt, this doesn't help
too much.
We use NSS because some users insist on using procmail. NSS makes
dealing with and identifying user processes easier.

> I'm guessing your expansion problem is in an ACL. If you need help
> restructuring the ACL, post the relevant ACL here and people will help.

Which ACL should I use? The configuration file differs from the official
configuration example only marginally.
Currently, there are only two ACLs, like in the default configuration:
acl_check_data (which sounds like the wrong one to use) and
acl_check_rcpt.

My naïve attempt at this would be putting the expansion as a condition
into the localuser router:

localuser:
driver = accept
check_local_user
local_part_suffix = +* : -*
local_part_suffix_optional
transport = local_delivery
cannot_route_message = Unknown user
condition = ${if >={${lookup ldap{ldaps:///ou=People,dc=bla?uidNumber?sub?(uid=${quote_ldap:$local_part})}}}{1000}{yes}{no}}

Currently, the condition looks like this:
condition = ${if >={$local_user_uid}{1000}{yes}{no}}

This should generate a temporary error if the ldap lookup fails, if I'm
not mistaken?


Best regards,

Moritz

Re: Check if LDAP server can be reached
On 2012-04-09 at 16:54 +0200, Moritz Wilhelmy wrote:
> My naïve attempt at this would be putting the expansion as a condition
> into the localuser router:
>
> localuser:
> driver = accept
> check_local_user
> local_part_suffix = +* : -*
> local_part_suffix_optional
> transport = local_delivery
> cannot_route_message = Unknown user
> condition = ${if >={${lookup ldap{ldaps:///ou=People,dc=bla?uidNumber?sub?(uid=${quote_ldap:$local_part})}}}{1000}{yes}{no}}
>
> Currently, the condition looks like this:
> condition = ${if >={$local_user_uid}{1000}{yes}{no}}
>
> This should generate a temporary error if the ldap lookup fails, if I'm
> not mistaken?

I believe that you are correct.

If you are incorrect, then the documentation is incorrect.

-Phil
