#22 RFE: Support sendmail LDAP routing schema
Opened 7 years ago by mkosek. Modified 2 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=745645

Description of problem:

sendmail supports using ldap routing:
http://www.sendmail.org/m4/ldap_routing.html

This is the schema it expects: http://www.sendmail.org/m4/laser.txt

I'm not sure the draft is complete (it has [[TBD]] in the object class uid
definition).

The 60inetmail.ldif is similar but different. I don't know if they are
compatible or not.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.9.9-1.el5

This is the ldap-routing schema I'm using. To remove conflicts it needs the attached updated 50ns-mail.ldif file. Changes are:

{{{

diff ../../schema/50ns-mail.ldif 50ns-mail.ldif

56d55
< attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )
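Review bot: removing the mailAlternateAddress attributeType at line 56 only works if the two objectclass hunks below (76c74, 78c76) land together with it, because mailRecipient and mailGroup in the original file both list it in MAY, and an objectclass that names an attribute no loaded schema file defines will not load. Worth adding a comment in the file (or in the ticket) giving the reason stated later in the thread, the OID collision with mailLocalAddress, so the next person does not reinstate it.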
65d63
< attributeTypes: ( 2.16.840.1.113730.3.1.24 NAME ( 'mailRoutingAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )
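Review bot: deleting the mailRoutingAddress attributeType here while the 76c74 hunk keeps mailRoutingAddress in the mailRecipient MAY list makes this file depend on another schema file (the sendmail one) to supply the definition, and the comment after the diff says that definition carries a different OID. Record that dependency and the OID change explicitly, since renumbering an attribute that existing deployments already use is exactly the compatibility question this ticket raises.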
76c74
< objectclasses: ( 2.16.840.1.113730.3.2.3 NAME 'mailRecipient' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mailAccessDomain $ mailAutoReplyMode $ mailAutoReplyText $ mailDeliveryOption $ mailForwardingAddress $ mailMessageStore $ mailProgramDeliveryInfo $ mailQuota $ multiLineDescription $ uid $ userPassword ) X-ORIGIN 'Netscape Messaging Server 4.x' )


objectclasses: ( 2.16.840.1.113730.3.2.3 NAME 'mailRecipient' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailHost $ mailRoutingAddress $ mailAccessDomain $ mailAutoReplyMode $ mailAutoReplyText $ mailDeliveryOption $ mailForwardingAddress $ mailMessageStore $ mailProgramDeliveryInfo $ mailQuota $ multiLineDescription $ uid $ userPassword ) X-ORIGIN 'Netscape Messaging Server 4.x' )
78c76
< objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )


objectclasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC '' SUP top AUXILIARY MUST ( objectClass ) MAY ( cn $ mail $ mailHost $ mgrpAddHeader $ mgrpAllowedBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolicy $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRejectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ mgrpRFC822MailMember $ owner ) X-ORIGIN 'Netscape Messaging Server 4.x' )
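Review bot: the two objectclass hunks are not symmetric: mailRecipient (76c74) keeps mailRoutingAddress in MAY, while mailGroup (78c76) drops both mailAlternateAddress and mailRoutingAddress. If groups are no longer meant to carry a routing address under the sendmail schema, say so in the change description; otherwise keep mailRoutingAddress in mailGroup as well so the two classes change consistently.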
}}}

Now mailRoutingAddress is changing OID number, not sure that is acceptable. Dropping mailAlternateAddress because its OID conflicts with mailLocalAddress.

Hope this helps.

To ssh://git.fedorahosted.org/git/389/ds.git
24731b3..64d2bc6 master -> master
commit changeset:64d2bc6/389-ds-base
Author: Rich Megginson rmeggins@redhat.com
Date: Fri Jan 27 11:45:55 2012 -0700
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: First I had to fix the OID for ntGroupType. I assigned
a new OID to it from our OID range.
Next, I added a new file 60sendmail.ldif containing the new sendmail schema.
This must be in a separate file. The problem is that the new schema is
incompatible with the existing schema of the same name - different syntaxes
and matching rules. So if you use 60sendmail.ldif, you must not use
50ns-mail.ldif, 60inetmail.ldif, or 60qmail.ldif.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no

I'm also looking to make use of email group aliases in LDAP. The default sendmail schema is like:

dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: etrn.sendmail.org
sendmailMTAKey: sendmail-list
sendmailMTAAliasValue: ca@example.org

See http://www.sendmail.org/m4/ldap.html

Now, this seems like a crazy schema to me (has the MTA name in the attributes rather than something generic). You can make it use other schema though with:

{{{
define(`ALIAS_FILE',`ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember')
}}}

Postfix also has a default schema using maildrop and other attributes that at least look generic:

http://www.postfix.org/LDAP_README.html

The 389 wiki has a howto http://directory.fedoraproject.org/wiki/Howto:Postfix that uses the mgrpDeliverTo attribute defined in 50ns-mail.ldif

So, if the sendmail routing attributes are going to conflict with the 50ns-mail.ldif schema, it seems like we need to have some kind of generic ldap email alias schema as well.

I can file a separate ticket if that seems more appropriate, but it was the conflict between 60sendmail.ldif and 50ns-mail.ldif that prompted this response.

Replying to [comment:10 orion]:
> I'm also looking to make use of email group aliases in LDAP. The default sendmail schema is like:
>
> dn: sendmailMTAKey=sendmail-list, dc=sendmail, dc=org
> objectClass: sendmailMTA
> objectClass: sendmailMTAAlias
> objectClass: sendmailMTAAliasObject
> sendmailMTAAliasGrouping: aliases
> sendmailMTAHost: etrn.sendmail.org
> sendmailMTAKey: sendmail-list
> sendmailMTAAliasValue: ca@example.org
>
> See http://www.sendmail.org/m4/ldap.html
>
> Now, this seems like a crazy schema to me (has the MTA name in the attributes rather than something generic). You can make it use other schema though with:
>
> {{{
> define(`ALIAS_FILE',`ldap:-k (&(objectClass=mailGroup)(mail=%0)) -v mgrpRFC822MailMember')
> }}}
>
> Postfix also has a default schema using maildrop and other attributes that at least look generic:
>
> http://www.postfix.org/LDAP_README.html
>
> The 389 wiki has a howto http://directory.fedoraproject.org/wiki/Howto:Postfix that uses the mgrpDeliverTo attribute defined in 50ns-mail.ldif
>
> So, if the sendmail routing attributes are going to conflict with the 50ns-mail.ldif schema, it seems like we need to have some kind of generic ldap email alias schema as well.
>
> I can file a separate ticket if that seems more appropriate, but it was the conflict between 60sendmail.ldif and 50ns-mail.ldif that prompted this response.

So since 60sendmail.ldif and 50ns-mail.ldif cannot co-exist, it sounds like we need to either move some schema out of 50ns-mail.ldif, or perhaps copy it into 60sendmail.ldif? If so, which ones?

Also, looks like it's even more complicated than that, since mgrpRFC822MailMember is defined in both 50ns-mail.ldif and 60nis.ldif (!)
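The conflicts this thread keeps running into (mailAlternateAddress sharing an OID with mailLocalAddress, mailRoutingAddress renumbered with a different syntax and matching rule in 60sendmail.ldif, and mgrpRFC822MailMember defined in both 50ns-mail.ldif and 60nis.ldif) can be found mechanically before a schema file is dropped into the server. The checker below is an added example, not code from this ticket or from 389-ds; the schema lines it scans are constructed samples with placeholder OIDs.

```python
import re
from collections import defaultdict

# Constructed sample (file, schema line) pairs in 389-ds LDIF form; the OIDs are placeholders, not real ones.
SAMPLE = [
    ("50ns-mail.ldif", "attributeTypes: ( 1.1.1.1 NAME 'mailRoutingAddress' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"),
    ("50ns-mail.ldif", "attributeTypes: ( 1.1.1.2 NAME ( 'mailAlternateAddress' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"),
    ("50ns-mail.ldif", "attributeTypes: ( 1.1.1.3 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"),
    ("60sendmail.ldif", "attributeTypes: ( 2.2.2.1 NAME 'mailRoutingAddress' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"),
    ("60sendmail.ldif", "attributeTypes: ( 1.1.1.2 NAME 'mailLocalAddress' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"),
    ("60nis.ldif", "attributeTypes: ( 1.1.1.3 NAME 'mgrpRFC822MailMember' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"),
]

# kind, OID, first NAME (bare quoted or inside a NAME ( ... ) list), then the rest of the definition
DEF_RE = re.compile(
    r"^(attributeTypes|objectClasses):\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+"
    r"(?:'(?P<n1>[^']+)'|\(\s*'(?P<n2>[^']+)'[^)]*\))(?P<rest>.*)\)\s*$", re.IGNORECASE)

def parse_def(line):
    # Fields a conflict check needs, or None if the line is not a schema definition
    if not (m := DEF_RE.match(line)):
        return None
    syn = re.search(r"\bSYNTAX\s+([\d.]+)", m["rest"])
    eq = re.search(r"\bEQUALITY\s+(\w+)", m["rest"])
    return {"kind": m[1].lower(), "oid": m["oid"], "name": (m["n1"] or m["n2"]).lower(),
            "syntax": syn and syn[1], "equality": eq and eq[1].lower()}

def find_conflicts(pairs):
    # Sorted (problem, name-or-oid, [files]) tuples for every clash between files
    by_name, by_oid = defaultdict(list), defaultdict(list)
    for fname, line in pairs:
        if d := parse_def(line):
            d["file"] = fname
            by_name[(d["kind"], d["name"])].append(d)
            by_oid[(d["kind"], d["oid"])].append(d)
    out = []
    for (_, name), defs in by_name.items():
        if len(defs) < 2:
            continue
        where, oids = sorted(d["file"] for d in defs), {d["oid"] for d in defs}
        if len(oids) > 1:  # same attribute renumbered: the mailRoutingAddress case
            out.append(("name-with-different-oid", name, where))
        if len({(d["syntax"], d["equality"]) for d in defs}) > 1:  # 60sendmail vs 50ns-mail
            out.append(("incompatible-syntax-or-matching-rule", name, where))
        elif len(oids) == 1:  # identical copy in two files: the 60nis vs 50ns-mail case
            out.append(("duplicate-definition", name, where))
    for (_, oid), defs in by_oid.items():
        if len({d["name"] for d in defs}) > 1:  # one OID for two attributes: the mailLocalAddress case
            out.append(("oid-reused-for-different-name", oid, sorted(d["file"] for d in defs)))
    return sorted(out)
```

To run it against real files, read each schema LDIF into (filename, line) pairs; LDIF continuation lines (a leading space) must be joined onto the preceding line first, which this sample does not need.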

Reopening as there seem to be unresolved issues with schema conflicts.

Replying to [comment:13 orion]:
> Reopening as there seem to be unresolved issues with schema conflicts.

What seems to be the problem?

See comments 10 and 11 - there are conflicts with other schema.

Another wrinkle,
{{{
(targetattr = "sambaPwdLastSet || sambaLMPassword || sambaNTPassword || userPassword || shadowLastChange || mgrpAllowedBroadcaster || cosspecifier || newRdn || telephoneNumber || facsimileTelephoneNumber") (version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
}}}
References mgrpAllowedBroadcaster so I can't really just get rid of 50ns-mail.ldif even if I wanted to. Any progress?

Replying to [comment:17 orion]:
> Another wrinkle,
> {{{
> (targetattr = "sambaPwdLastSet || sambaLMPassword || sambaNTPassword || userPassword || shadowLastChange || mgrpAllowedBroadcaster || cosspecifier || newRdn || telephoneNumber || facsimileTelephoneNumber") (version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
> }}}
> References mgrpAllowedBroadcaster so I can't really just get rid of 50ns-mail.ldif even if I wanted to.

Where does this ACI come from?

> Any progress?

Not really. The mail schema is a real mess. There are a couple of IETF documents that attempted to "standardize" the old Netscape Messaging schema:

http://tools.ietf.org/html/draft-steinback-ldap-mailgroups-00
and
http://tools.ietf.org/id/draft-lachman-ldap-mail-routing-03.txt

50ns-mail contains what looks like an older version of draft-steinback + stuff from NMS - some of these schema are redefined in other user contributed schema such as 60inetmail, 60qmail, etc. In addition, some of these redefinitions use the newer definitions from draft-steinback which in some cases are not compatible.

So I'm not really sure what to do at this point. I dare not change 50ns-mail.ldif for fear of breaking many existing installations. What would you suggest?

Replying to [comment:18 rmeggins]:
> Replying to [comment:17 orion]:
> > Another wrinkle,
> > {{{
> > (targetattr = "sambaPwdLastSet || sambaLMPassword || sambaNTPassword || userPassword || shadowLastChange || mgrpAllowedBroadcaster || cosspecifier || newRdn || telephoneNumber || facsimileTelephoneNumber") (version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
> > }}}
> > References mgrpAllowedBroadcaster so I can't really just get rid of 50ns-mail.ldif even if I wanted to.
>
> Where does this ACI come from?

I don't remember adding it myself, so I really have no idea.

> > Any progress?
>
> Not really. The mail schema is a real mess. There are a couple of IETF documents that attempted to "standardize" the old Netscape Messaging schema:
>
> http://tools.ietf.org/html/draft-steinback-ldap-mailgroups-00
> and
> http://tools.ietf.org/id/draft-lachman-ldap-mail-routing-03.txt
>
> 50ns-mail contains what looks like an older version of draft-steinback + stuff from NMS - some of these schema are redefined in other user contributed schema such as 60inetmail, 60qmail, etc. In addition, some of these redefinitions use the newer definitions from draft-steinback which in some cases are not compatible.
>
> So I'm not really sure what to do at this point. I dare not change 50ns-mail.ldif for fear of breaking many existing installations. What would you suggest?

I really have no idea. I feel way over my head here. I would just like to be able to use ldap mail routing and a set of standard mail groups/aliases at the same time.

set default ticket origin to Community

Added initial screened field value.

Any hope of progress here? This is one of my blockers for moving to FreeIPA.

Replying to [comment:25 orion]:
> Any hope of progress here?

Not lately, no.

> This is one of my blockers for moving to FreeIPA.

Metadata Update from @rmeggins:
- Issue assigned to rmeggins
- Issue set to the milestone: FUTURE
