Postfix+LDAP

0

3

Народ, помогите, устал биться уже. Постфикс не цепляет пользователей из лдап. Конфиг постфикса:

    queue_directory = /var/spool/postfix
    command_directory = /usr/local/sbin
    daemon_directory = /usr/local/libexec/postfix
    data_directory = /var/db/postfix
    mail_owner = postfix
    myhostname = lst103.ls1.ru
    mydomain = mydomain.ru
    mydestination = $myhostname, localhost, localhost.localdomain, localhost.$mydomain, $mydomain, mydomain.ru
    myorigin = $mydomain
    inet_interfaces = all
    local_recipient_maps = unix:passwd.byname $alias_maps
    unknown_local_recipient_reject_code = 550
    mynetworks_style = subnet
    mynetworks =192.168.0.0/16, 127.0.0.0/8
    biff = no
    debug_peer_list = 127.0.0.1 192.168.0.241
    virtual_transport       = virtual
    mailbox_transport       = virtual
    local_transport         = virtual
    message_size_limit = 10280000
    mailbox_size_limit = 20480000
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_application_name = smtpd
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    cyrus_destination_recipient_limit=1
    broken_sasl_auth_clients = yes
    smtpd_pw_server_security_options = noanonymous
    virtual_uid_maps = static:1001
    virtual_gid_maps = static:1001
    virtual_recipient_maps = ldap:ldapsource
    #virtual_alias_maps = ldap:ldapsourcealias
    #virtual_alias_maps = ldap:ldapsource
    virtual_mailbox_size_limit =  20480000
    virtual_minimum_uid = 500
    virtual_mailbox_base =/var/spool/mail
    virtual_result_attribute = mailbox
    #virtual_mailbox_maps = ldap:ldapsource
    virtual_maildir_extended = yes
    ldapsource_server_host = 192.168.101.104
    ldapsource_search_base = ou=people,dc=mydomain,dc=ru
    ldapsource_server_port = 389
    #ldapsource_domain = mydomain.ru
    ldapsource_query_filter = (&(mail=%s))
    #ldapsource_result_attribute = mailbox
    ldapsourcealias_server_host = 192.168.101.104
    ldapsource_bind = yes
    ldapsource_bind_dn = cn=ldapadmin,dc=mydomain,dc=ru
    ldapsource_bind_pw = secret
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    mail_name = exchange
    mail_version = 0.1
    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Windows 3.11)
    debug_peer_level = 4
    debugger_command =
                       PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
                       xxgdb $daemon_directory/$process_name $process_id & sleep 5
    delay_warning_time = 4
    sendmail_path = /usr/local/sbin/sendmail
    newaliases_path = /usr/local/bin/newaliases
    mailq_path = /usr/local/bin/mailq
    setgid_group = maildrop
    manpage_directory = /usr/local/man

Судя по всему - к лдапу оно подключается, и он постфиксу что то даже отдает, судя по логу:

    May  6 07:34:04 lst104 slapd[4352]: connection_get(10): got connid=1034
    May  6 07:34:04 lst104 slapd[4352]: connection_read(10): checking for input on id=1034
    May  6 07:34:04 lst104 slapd[4352]: op tag 0x63, time 1304667244
    May  6 07:34:04 lst104 slapd[4352]: conn=1034 op=101 do_search
    May  6 07:34:04 lst104 slapd[4352]: >>> dnPrettyNormal: <dc=mydomain,dc=ru>
    May  6 07:34:04 lst104 slapd[4352]: <<< dnPrettyNormal: <dc=mydomain,dc=ru>, <dc=mydomain,dc=ru>
    May  6 07:34:04 lst104 slapd[4352]: => bdb_search
    May  6 07:34:04 lst104 slapd[4352]: bdb_dn2entry("dc=mydomain,dc=ru")
    May  6 07:34:04 lst104 slapd[4352]: search_candidates: base="dc=mydomain,dc=ru" (0x00000001) scope=2
    May  6 07:34:04 lst104 slapd[4352]: => bdb_dn2idl("dc=mydomain,dc=ru")
    May  6 07:34:04 lst104 slapd[4352]: => bdb_equality_candidates (objectClass)
    May  6 07:34:04 lst104 slapd[4352]: => key_read
    May  6 07:34:04 lst104 slapd[4352]: <= bdb_index_read: failed (-30989)
    May  6 07:34:04 lst104 slapd[4352]: <= bdb_equality_candidates: id=0, first=0, last=0
    May  6 07:34:04 lst104 slapd[4352]: => bdb_equality_candidates (objectClass)
    May  6 07:34:04 lst104 slapd[4352]: => key_read
    May  6 07:34:04 lst104 slapd[4352]: <= bdb_index_read 2 candidates
    May  6 07:34:04 lst104 slapd[4352]: <= bdb_equality_candidates: id=2, first=17, last=27
    May  6 07:34:04 lst104 slapd[4352]: => bdb_equality_candidates (mail)
    May  6 07:34:04 lst104 slapd[4352]: => key_read
    May  6 07:34:04 lst104 slapd[4352]: <= bdb_index_read 1 candidates
    May  6 07:34:04 lst104 slapd[4352]: <= bdb_equality_candidates: id=1, first=27, last=27
    May  6 07:34:04 lst104 slapd[4352]: bdb_search_candidates: id=1 first=27 last=27
    May  6 07:34:04 lst104 slapd[4352]: => send_search_entry: conn 1034 dn="cn=user11,ou=people,dc=mydomain,dc=ru"
    May  6 07:34:04 lst104 slapd[4352]: <= send_search_entry: conn 1034 exit.
    May  6 07:34:04 lst104 slapd[4352]: send_ldap_result: conn=1034 op=101 p=3
    May  6 07:34:04 lst104 slapd[4352]: send_ldap_response: msgid=102 tag=101 err=0

А сам постфикс при попытке написать письмо говорит:

    May  6 07:49:37 lst103 postfix/smtpd[60539]: connect from unknown[192.168.0.241]
    May  6 07:49:38 lst103 postfix/smtpd[60539]: NOQUEUE: reject: RCPT from unknown[192.168.0.241]: 550 5.1.1 <user11@mydomain.ru>: Recipient address rejected: User unknown in local recipient table; from=<user11@mydomain.ru> to=<user11@mydomain.ru> proto=ESMTP helo=<[192.168.0.241]>
    May  6 07:49:38 lst103 postfix/smtpd[60539]: disconnect from unknown[192.168.0.241]

В лдапе соответственно корень dc=mydomain, dc=ru, там объект ou=people, в нем user11, в атрибутах которого прописан mail user11@mydomain.ru

Ссылка

←	проброс портов в одной подсети

Удаленный ubuntu-server 10.10 зависает.

→

По-моему ты забыл

ldapsource_result_attribute = mail

router ★★★★★
(06.05.11 12:29:01 MSK)

Ответ на: комментарий от router 06.05.11 12:29:01 MSK

хотя нет, для recipient_map результат должен быть вида 'OK'

router ★★★★★
(06.05.11 12:37:54 MSK)

Ссылка

Ответ на: комментарий от router 06.05.11 12:29:01 MSK

Да, забыл, поменял, но результата не принесло, все тоже самое.

Slack ★★★★★
(06.05.11 12:38:42 MSK) автор топика

Ответ на: комментарий от Slack 06.05.11 12:38:42 MSK

Можешь куда-нибудь выложить вывод postconf ? Только не забудь пароли затереть :)

В голове компилировать этот конфиг я пока не могу :)

router ★★★★★
(06.05.11 12:48:29 MSK)

Ответ на: комментарий от router 06.05.11 12:48:29 MSK

Да, и пример записи в ou=people,dc=mydomain,dc=ru

router ★★★★★
(06.05.11 12:49:19 MSK)

Ссылка

Ответ на: комментарий от Slack 06.05.11 12:38:42 MSK

Поменял, теперь опять показывай вывод LDAP

~~zgen~~ ★★★★★
(06.05.11 13:11:05 MSK)

Ответ на: комментарий от router 06.05.11 12:48:29 MSK

http://narod.ru/disk/12065621001/postconf.txt.html

Оть он.

Запись:

dn: cn=user11,ou=people,dc=mydomain,dc=ru
sn: user11
givenName: user11
uid: user11
structuralObjectClass: inetOrgPerson
entryUUID: d02083c6-0b70-1030-8cd4-13cd44152f90
creatorsName: cn=ldapadmin,dc=mydomain,dc=ru
createTimestamp: 20110505143631Z
mail: user11@mydomain.ru
gosaMailServer: mail
gosaMailDeliveryMode: [L]
gosaSpamSortLevel: 0
gosaSpamMailbox: INBOX
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: gosaMailAccount
sambaLMPassword: AEBD4DE384C7EC43AAD3B435B51404EE
sambaNTPassword: 7A21990FCD3D759941E45C490F143D5F
sambaPwdLastSet: 1304606201
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
cn: user11
userPassword:: e01ENX1reEwxUm1IZkpHNE55UFVMUUFQcjl3PT0=
entryCSN: 20110506080431.175465Z#000000#000#000000
modifiersName: cn=ldapadmin,dc=mydomain,dc=ru
modifyTimestamp: 20110506080431Z

Slack ★★★★★
(06.05.11 13:13:47 MSK) автор топика

Ссылка

Ответ на: комментарий от zgen 06.05.11 13:11:05 MSK

May  6 09:18:42 lst104 slapd[4352]: connection_get(10): got connid=1034

May  6 09:18:42 lst104 slapd[4352]: connection_read(10): checking for input on id=1034

May  6 09:18:42 lst104 slapd[4352]: op tag 0x63, time 1304673522

May  6 09:18:42 lst104 slapd[4352]: conn=1034 op=124 do_search

May  6 09:18:42 lst104 slapd[4352]: >>> dnPrettyNormal: <dc=mydomain,dc=ru>

May  6 09:18:42 lst104 slapd[4352]: <<< dnPrettyNormal: <dc=mydomain,dc=ru>, <dc=mydomain,dc=ru>

May  6 09:18:42 lst104 slapd[4352]: => bdb_search

May  6 09:18:42 lst104 slapd[4352]: bdb_dn2entry("dc=mydomain,dc=ru")

May  6 09:18:42 lst104 slapd[4352]: search_candidates: base="dc=mydomain,dc=ru" (0x00000001) scope=2

May  6 09:18:42 lst104 slapd[4352]: => bdb_dn2idl("dc=mydomain,dc=ru")

May  6 09:18:42 lst104 slapd[4352]: => bdb_equality_candidates (objectClass)

May  6 09:18:42 lst104 slapd[4352]: => key_read

May  6 09:18:42 lst104 slapd[4352]: <= bdb_index_read: failed (-30989)

May  6 09:18:42 lst104 slapd[4352]: <= bdb_equality_candidates: id=0, first=0, last=0

May  6 09:18:42 lst104 slapd[4352]: => bdb_equality_candidates (objectClass)

May  6 09:18:42 lst104 slapd[4352]: => key_read

May  6 09:18:42 lst104 slapd[4352]: <= bdb_index_read 2 candidates

May  6 09:18:42 lst104 slapd[4352]: <= bdb_equality_candidates: id=2, first=17, last=27

May  6 09:18:42 lst104 slapd[4352]: => bdb_equality_candidates (mail)

May  6 09:18:42 lst104 slapd[4352]: => key_read

May  6 09:18:42 lst104 slapd[4352]: <= bdb_index_read 1 candidates

May  6 09:18:42 lst104 slapd[4352]: <= bdb_equality_candidates: id=1, first=27, last=27

May  6 09:18:42 lst104 slapd[4352]: bdb_search_candidates: id=1 first=27 last=27

May  6 09:18:42 lst104 slapd[4352]: => send_search_entry: conn 1034 dn="cn=user11,ou=people,dc=mydomain,dc=ru"

May  6 09:18:42 lst104 slapd[4352]: <= send_search_entry: conn 1034 exit.

May  6 09:18:42 lst104 slapd[4352]: send_ldap_result: conn=1034 op=124 p=3

May  6 09:18:42 lst104 slapd[4352]: send_ldap_response: msgid=125 tag=101 err=0

Slack ★★★★★
(06.05.11 13:21:05 MSK) автор топика

Ответ на: комментарий от Slack 06.05.11 13:21:05 MSK

Поменяйте уровень на 254, будет видно, какой результат возвращается.

~~zgen~~ ★★★★★
(06.05.11 13:33:05 MSK)

Ответ на: комментарий от zgen 06.05.11 13:33:05 MSK

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 busy

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: waked

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 active_threads=0 tvp=zero

May  6 09:42:42 lst104 slapd[77957]: daemon: listen=6, new connection on 10

May  6 09:42:42 lst104 slapd[77957]: daemon: added 10r (active) listener=0x0

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: waked

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 active_threads=0 tvp=zero

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on:

May  6 09:42:42 lst104 slapd[77957]:  10r

May  6 09:42:42 lst104 slapd[77957]: 

May  6 09:42:42 lst104 slapd[77957]: daemon: read activity on 10

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 active_threads=0 tvp=zero

May  6 09:42:42 lst104 slapd[77957]: connection_get(10)

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: waked

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 active_threads=0 tvp=zero

May  6 09:42:42 lst104 slapd[77957]: ==> bdb_bind: dn: cn=ldapadmin,dc=mydomain,dc=ru

May  6 09:42:42 lst104 slapd[77957]: send_ldap_result: err=0 matched="" text=""

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on:

May  6 09:42:42 lst104 slapd[77957]:  10r

May  6 09:42:42 lst104 slapd[77957]: 

May  6 09:42:42 lst104 slapd[77957]: daemon: read activity on 10

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 active_threads=0 tvp=zero

May  6 09:42:42 lst104 slapd[77957]: connection_get(10)

May  6 09:42:42 lst104 slapd[77957]: daemon: activity on 1 descriptor

May  6 09:42:42 lst104 slapd[77957]: daemon: waked

May  6 09:42:42 lst104 slapd[77957]: daemon: select: listen=6 active_threads=0 tvp=zero

May  6 09:42:42 lst104 slapd[77957]: SRCH "dc=mydomain,dc=ru" 2 0

May  6 09:42:42 lst104 slapd[77957]:     0 0 0

May  6 09:42:42 lst104 slapd[77957]: begin get_filter

May  6 09:42:42 lst104 slapd[77957]: AND

May  6 09:42:42 lst104 slapd[77957]: begin get_filter_list

May  6 09:42:42 lst104 slapd[77957]: begin get_filter

May  6 09:42:42 lst104 slapd[77957]: EQUALITY

May  6 09:42:42 lst104 slapd[77957]: end get_filter 0

May  6 09:42:42 lst104 slapd[77957]: begin get_filter

May  6 09:42:42 lst104 slapd[77957]: EQUALITY

May  6 09:42:42 lst104 slapd[77957]: end get_filter 0

May  6 09:42:42 lst104 slapd[77957]: end get_filter_list

May  6 09:42:42 lst104 slapd[77957]: end get_filter 0

May  6 09:42:42 lst104 slapd[77957]:     filter: (&(objectClass=gosaMailAccount)(mail=user11@mydomain.ru))

May  6 09:42:42 lst104 slapd[77957]:     attrs:

May  6 09:42:42 lst104 slapd[77957]:  mail

May  6 09:42:42 lst104 slapd[77957]:  userPassword

May  6 09:42:42 lst104 slapd[77957]: 

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: search access to "dc=mydomain,dc=ru" "entry" requested

May  6 09:42:42 lst104 slapd[77957]: <= root access granted

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: search access granted by manage(=mwrscxd)

May  6 09:42:42 lst104 slapd[77957]: => bdb_filter_candidates

May  6 09:42:42 lst104 slapd[77957]: 	AND

May  6 09:42:42 lst104 slapd[77957]: => bdb_list_candidates 0xa0

May  6 09:42:42 lst104 slapd[77957]: => bdb_filter_candidates

May  6 09:42:42 lst104 slapd[77957]: 	OR

May  6 09:42:42 lst104 slapd[77957]: => bdb_list_candidates 0xa1

May  6 09:42:42 lst104 slapd[77957]: => bdb_filter_candidates

May  6 09:42:42 lst104 slapd[77957]: 	EQUALITY

May  6 09:42:42 lst104 slapd[77957]: bdb_idl_fetch_key: [b49d1940]

May  6 09:42:42 lst104 slapd[77957]: <= bdb_filter_candidates: id=0 first=0 last=0

May  6 09:42:42 lst104 slapd[77957]: => bdb_filter_candidates

May  6 09:42:42 lst104 slapd[77957]: 	AND

May  6 09:42:42 lst104 slapd[77957]: => bdb_list_candidates 0xa0

May  6 09:42:42 lst104 slapd[77957]: => bdb_filter_candidates

May  6 09:42:42 lst104 slapd[77957]: 	EQUALITY

May  6 09:42:42 lst104 slapd[77957]: bdb_idl_fetch_key: [1536e43b]

May  6 09:42:42 lst104 slapd[77957]: <= bdb_filter_candidates: id=2 first=17 last=27

May  6 09:42:42 lst104 slapd[77957]: => bdb_filter_candidates

May  6 09:42:42 lst104 slapd[77957]: 	EQUALITY

May  6 09:42:42 lst104 slapd[77957]: bdb_idl_fetch_key: [bcc38c39]

May  6 09:42:42 lst104 slapd[77957]: <= bdb_filter_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: <= bdb_list_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: <= bdb_filter_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: <= bdb_list_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: <= bdb_filter_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: <= bdb_list_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: <= bdb_filter_candidates: id=1 first=27 last=27

May  6 09:42:42 lst104 slapd[77957]: => test_filter

May  6 09:42:42 lst104 slapd[77957]:     AND

May  6 09:42:42 lst104 slapd[77957]: => test_filter_and

May  6 09:42:42 lst104 slapd[77957]: => test_filter

May  6 09:42:42 lst104 slapd[77957]:     EQUALITY

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: search access to "cn=user11,ou=people,dc=mydomain,dc=ru" "objectClass" requested

May  6 09:42:42 lst104 slapd[77957]: <= root access granted

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: search access granted by manage(=mwrscxd)

May  6 09:42:42 lst104 slapd[77957]: <= test_filter 6

May  6 09:42:42 lst104 slapd[77957]: => test_filter

May  6 09:42:42 lst104 slapd[77957]:     EQUALITY

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: search access to "cn=user11,ou=people,dc=mydomain,dc=ru" "mail" requested

May  6 09:42:42 lst104 slapd[77957]: <= root access granted

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: search access granted by manage(=mwrscxd)

May  6 09:42:42 lst104 slapd[77957]: <= test_filter 6

May  6 09:42:42 lst104 slapd[77957]: <= test_filter_and 6

May  6 09:42:42 lst104 slapd[77957]: <= test_filter 6

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: read access to "cn=user11,ou=people,dc=mydomain,dc=ru" "entry" requested

May  6 09:42:42 lst104 slapd[77957]: <= root access granted

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: read access granted by manage(=mwrscxd)

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: result not in cache (mail)

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: read access to "cn=user11,ou=people,dc=mydomain,dc=ru" "mail" requested

May  6 09:42:42 lst104 slapd[77957]: <= root access granted

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: read access granted by manage(=mwrscxd)

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: result not in cache (userPassword)

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: read access to "cn=user11,ou=people,dc=mydomain,dc=ru" "userPassword" requested

May  6 09:42:42 lst104 slapd[77957]: <= root access granted

May  6 09:42:42 lst104 slapd[77957]: => access_allowed: read access granted by manage(=mwrscxd)

May  6 09:42:42 lst104 slapd[77957]: send_ldap_result: err=0 matched="" text=""

Slack ★★★★★
(06.05.11 13:51:18 MSK) автор топика

Ответ на: комментарий от Slack 06.05.11 13:51:18 MSK

filter: (&(objectClass=gosaMailAccount)(mail=user11@mydomain.ru))

что-то я не вижу gosaMailAccount в примере ldif. он там есть??

aol ★★★★★
(06.05.11 15:21:55 MSK)

Ссылка

Ответ на: комментарий от Slack 06.05.11 13:51:18 MSK

а, черт.. где мое зрение.. увидел. пардон.

aol ★★★★★
(06.05.11 15:23:11 MSK)

Ссылка

и всё-таки...
не нравится мне вот это:
ldapsource_query_filter = (&(mail=%s))
кажется, оно не валидно. зачем там амперсанд? попробуй вот так:
ldapsource_query_filter = (mail=%s)

aol ★★★★★
(06.05.11 18:54:00 MSK)

Ссылка

Ответ на: комментарий от Slack 06.05.11 13:21:05 MSK

Попробуй так:

ldapsource_server_host = 192.168.101.104
ldapsource_search_base = ou=people,dc=mydomain,dc=ru
ldapsource_server_port = 389
ldapsource_query_filter = (mail=%s) # условие одно, зачем & ?
ldapsource_bind = yes
ldapsource_scope = sub # лучше явно указать
ldapsource_result_attribute = mail
ldapsource_bind_dn = cn=ldapadmin,dc=mydomain,dc=ru
ldapsource_bind_pw = secret

и вместо

virtual_recipient_maps = ldap:ldapsource

добавь

virtual_maps =  = ldap:ldapsource
smtpd_recipient_restrictions = 
  check_client_access
  hash:/etc/postfix/access
  permit_auth_destination # возможно, именно этого и не хватает
  reject

router ★★★★★
(07.05.11 20:12:07 MSK)