written in main.cf, which is normally world-readable. Support
for this form will be removed in a future Postfix version.
Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL.
These include features that were previously available only in the
Postfix LDAP client. This work also created an opportunity for
improvements in the LDAP interface. The primary compatibility
issue is that \fBresult_filter\fR (a name that has caused some
confusion as to its meaning in the past) has been renamed to
\fBresult_format\fR. For backwards compatibility with the pre-2.2
LDAP client, \fBresult_filter\fR can for now be used instead
of \fBresult_format\fR, when the latter parameter is not also set.
The new name better reflects the function of the parameter. This
compatibility interface may be removed in a future release.
result_attribute = mailbox, maildrop
Don't rely on the default value ("maildrop"). Set the
result_attribute explicitly in all ldap table configuration
files. This is particularly relevant when no result_attribute
is applicable, e.g. cases in which leaf_result_attribute and/or
terminal_result_attribute are used instead. The default value
is harmless if "maildrop" is also listed as a leaf or terminal
result attribute, but it is best to not leave this to chance.
.IP "\fBspecial_result_attribute (default: empty)\fR"
The attribute(s) of directory entries that can contain DNs
or RFC 2255 LDAP URLs. If found, a recursive search
is performed to retrieve the entry referenced by the DN, or
the entries matched by the URL query.
special_result_attribute = memberdn
DN recursion retrieves the same result_attributes as the
main query, including the special attributes for further
recursion. URL processing retrieves only those attributes that are included
in both the URL definition and as result attributes (ordinary,
special, leaf or terminal) in the Postfix table definition.
If the URL lists any of the table's special result attributes,
these are retrieved and used recursively. A URL that does not
specify any attribute selection is equivalent (RFC 2255) to a
URL that selects all attributes, in which case the selected
attributes will be the full set of result attributes in the
If an LDAP URL attribute-descriptor or the corresponding Postfix
LDAP table result attribute (but not both) uses RFC 2255 sub-type
options ("attr;option"), the attribute requested from the LDAP server
will include the sub-type option. In all other cases, the URL
attribute and the table attribute must match exactly. Attributes
with options in both the URL and the Postfix table are requested
only when the options are identical. LDAP attribute-descriptor
options are very rarely used; most LDAP users will not
need to concern themselves with this level of nuanced detail.
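To make the URL attribute-selection rules above concrete, here is an added Python model of them. It is an illustration written for this page, not Postfix's own code (Postfix implements the logic in C, in its LDAP dictionary driver). It assumes RFC 2255 URLs of the form ldap://host/dn?attrs?scope?filter, that attribute names and ";option" sub-types compare case-insensitively, and that the table's combined result attributes (ordinary, special, leaf and terminal) are passed in as one plain list; the sample URLs and attribute lists are constructed for the example.

```python
"""Model of the special_result_attribute URL rules described above.
Added illustration, not Postfix's own code.  Assumptions: URLs follow
RFC 2255 (ldap://host[:port]/dn[?attrs[?scope[?filter]]]), attribute
names and ';option' sub-types compare case-insensitively, and the table's
result attributes (ordinary, special, leaf, terminal) arrive as one list."""
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL into host, base DN, attribute list,
    scope and filter.  Missing parts get the RFC 2255 defaults."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    # The query part is attrs?scope?filter?extensions, all optional.
    fields = (parts.query.split("?") + [""] * 4)[:4]
    attrs = [unquote(a).strip() for a in fields[0].split(",") if a.strip()]
    return {
        "host": parts.netloc,
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": attrs,                              # [] means "all attributes"
        "scope": fields[1].lower() or "base",        # RFC 2255 default scope
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def split_descriptor(desc):
    """'mail;lang-en' -> ('mail', 'lang-en'); 'mail' -> ('mail', '')."""
    name, _, option = desc.partition(";")
    return name.strip().lower(), option.strip().lower()


def select_attributes(url_attrs, table_attrs):
    """Attribute descriptors requested from the server when following a URL
    found in a special result attribute:
      * no selection in the URL means "all attributes" (RFC 2255), so the
        full set of table result attributes is requested;
      * otherwise only attributes named on both sides are requested;
      * an ';option' present on exactly one side is carried over;
      * options on both sides must be identical, else the attribute is
        not requested at all."""
    if not url_attrs:
        return list(table_attrs)
    table = {}
    for t in table_attrs:
        name, option = split_descriptor(t)
        table.setdefault(name, []).append(option)
    chosen = []
    for u in url_attrs:
        uname, uopt = split_descriptor(u)
        for topt in table.get(uname, []):
            if uopt and topt and uopt != topt:
                continue                  # options on both sides, but different
            option = uopt or topt         # whichever side carries one, if any
            desc = uname + (";" + option if option else "")
            if desc not in chosen:
                chosen.append(desc)
    return chosen


def attributes_for_url(url, table_attrs):
    """Parse the URL and apply select_attributes() to its attribute list."""
    return select_attributes(parse_ldap_url(url)["attrs"], table_attrs)


# Constructed example (not from the page): result_attribute = maildrop,
# special_result_attribute = memberdn, leaf_result_attribute = mail.
TABLE_ATTRS = ["maildrop", "memberdn", "mail"]

if __name__ == "__main__":
    for url in (
        "ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)",
        "ldap://ldap.example.com/ou=groups,dc=example,dc=com?mail,cn,memberdn?one",
        "ldap:///ou=people,dc=example,dc=com?mail;lang-en?sub",
    ):
        print(url, "->", attributes_for_url(url, TABLE_ATTRS))
```

The first URL selects no attributes and therefore pulls every table result attribute, including memberdn, which triggers further recursion; the second drops cn because it is not a table result attribute; the third shows an option present only on the URL side being carried into the request.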
.IP "\fBterminal_result_attribute (default: empty)\fR"
When one or more terminal result attributes are found in an LDAP
entry, all other result attributes are ignored and only the terminal
other special processing.
terminal_result_attribute = maildrop
When using terminal and/or leaf result attributes, the
result_attribute is best set to an empty value when it is not
used, or else explicitly set to the desired value, even if it is
the default value "maildrop".
This feature is available with Postfix 2.4 or later.
.IP "\fBleaf_result_attribute (default: empty)\fR"
When one or more special result attributes are found in a non-terminal
leaf_result_attribute = mail
When using terminal and/or leaf result attributes, the
result_attribute is best set to an empty value when it is not
used, or else explicitly set to the desired value, even if it is
the default value "maildrop".
This feature is available with Postfix 2.4 or later.
.IP "\fBscope (default: sub)\fR"
The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
and LDAP_SCOPE_ONELEVEL.
.IP "\fBbind (default: yes)\fR"
Whether or how to bind to the LDAP server. Newer LDAP
implementations don't require clients to bind, which saves
Postfix versions prior to 2.8 only support "bind = no" which
means don't bind, and "bind = yes" which means do a SIMPLE bind.
Postfix 2.8 and later also support "bind = SASL" when compiled
with LDAP SASL support as described in LDAP_README; they also add
the synonyms "bind = none" and "bind = simple" for "bind = no"
and "bind = yes" respectively. See the SASL section below for
additional parameters available with "bind = sasl".
If you do need to bind, you might consider configuring
Postfix to connect to the local machine on a port that's
an SSL tunnel to your LDAP server. If your LDAP server
bind_dn = uid=postfix, dc=your, dc=com
With "bind = sasl" (see above) the DN may be optional for some SASL
mechanisms; don't specify a DN if not needed.
.IP "\fBbind_pw (default: empty)\fR"
The password for the distinguished name above. If you have
to use this, you probably want to make the map configuration
bind_pw = postfixpw
With "bind = sasl" (see above) the password may be optional
for some SASL mechanisms; don't specify a password if not needed.
.IP "\fBcache (IGNORED with a warning)\fR"
.IP "\fBcache_expiry (IGNORED with a warning)\fR"
.IP "\fBcache_size (IGNORED with a warning)\fR"
Specifies the LDAP protocol version to use.
.IP "\fBdebuglevel (default: 0)\fR"
What level to set for debugging in the OpenLDAP libraries.
.SH "LDAP SASL PARAMETERS"
If you're using the OpenLDAP libraries compiled with SASL
support, Postfix 2.8 and later built with LDAP SASL support
as described in LDAP_README can authenticate to LDAP servers
This enables authentication to the LDAP server via mechanisms
other than a simple password. The added flexibility has a cost:
it is no longer practical to set an explicit timeout on the duration
of an LDAP bind operation. Under adverse conditions, whether a SASL
bind times out at all, and if it does, how long that takes, is
determined by the LDAP and SASL libraries.
It is best to use tables that use SASL binds via proxymap(8); this
way the requesting process can time-out the proxymap request. This
also lets you tailor the process environment by overriding the
proxymap(8) import_environment setting in master.cf(5). Special
environment settings may be needed to configure GSSAPI credential
caches or other SASL mechanism specific options. The GSSAPI
credentials used for LDAP lookups may need to be different than
say those used for the Postfix SMTP client to authenticate to remote
Using SASL mechanisms requires LDAP protocol version 3; the default
protocol version is 2 for backwards compatibility. You must set
"version = 3" in addition to "bind = sasl".
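The configuration pitfalls collected on this page (the silently applied result_attribute default when leaf or terminal result attributes are in use, the ignored cache parameters, the pre-2.2 result_filter name, the accepted bind keywords and credentials that go unused with "bind = no", and "bind = sasl" needing "version = 3") can be checked mechanically before a table goes into production. The linter below is an added example written for this page and is not part of Postfix. It assumes the table file uses the same "name = value" syntax as main.cf (comments start with "#", a line beginning with whitespace continues the previous value), that parameter names and the bind/scope keywords are matched case-insensitively, and the two sample tables are constructed.

```python
"""Lint a Postfix ldap_table(5) definition for the pitfalls described on
this page.  Added example, not Postfix code.  Assumptions: main.cf-style
"name = value" syntax with '#' comments and whitespace-indented
continuation lines; names and keywords compared case-insensitively."""
import os
import stat

IGNORED = ("cache", "cache_expiry", "cache_size")      # ignored with a warning
BIND_VALUES = {"no": "none", "none": "none",           # synonyms added in 2.8
               "yes": "simple", "simple": "simple", "sasl": "sasl"}
SCOPES = ("sub", "base", "one")


def parse_table(text):
    """Return {name: value} for a main.cf-style table definition."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:        # continuation line
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                                      # not a parameter line
        last = name.strip().lower()
        params[last] = value.strip()
    return params


def lint_table(params):
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []
    for name in IGNORED:
        if name in params:
            findings.append(("warning", "%s is ignored (with a warning) by Postfix" % name))
    if "result_filter" in params:
        if "result_format" in params:
            findings.append(("warning", "result_filter is ignored because result_format is also set"))
        else:
            findings.append(("warning", "result_filter is a pre-2.2 compatibility name; use result_format"))
    bind = BIND_VALUES.get(params.get("bind", "yes").lower())
    if bind is None:
        findings.append(("error", "bind = %s is not one of no/none/yes/simple/sasl" % params["bind"]))
    elif bind == "sasl":
        if params.get("version", "2") != "3":             # default version is 2
            findings.append(("error", "bind = sasl requires version = 3 (default is 2)"))
    elif bind == "none":
        for cred in ("bind_dn", "bind_pw"):
            if cred in params:
                findings.append(("warning", "%s is set but bind = %s performs no bind"
                                 % (cred, params["bind"])))
    if "bind_pw" in params:
        findings.append(("info", "bind_pw stores a credential; this file must not be world-readable"))
    if params.get("scope", "sub").lower() not in SCOPES:
        findings.append(("error", "scope = %s is not sub, base or one" % params["scope"]))
    if ("leaf_result_attribute" in params or "terminal_result_attribute" in params) \
            and "result_attribute" not in params:
        findings.append(("warning", "result_attribute not set explicitly; the default "
                         "\"maildrop\" applies silently alongside leaf/terminal result attributes"))
    return findings


def lint_file(path):
    """lint_table() on a file, plus a permission check when bind_pw is present."""
    with open(path) as fh:
        params = parse_table(fh.read())
    findings = lint_table(params)
    if "bind_pw" in params and os.stat(path).st_mode & stat.S_IROTH:
        findings.append(("error", "%s is world-readable but contains bind_pw" % path))
    return findings


# Constructed sample tables (not from the page): the weak one relies on the
# result_attribute default, keeps an ignored cache setting and binds with
# SASL at the default protocol version; the fixed one corrects all three.
WEAK = """\
server_host = ldap.example.com
search_base = dc=example,dc=com
query_filter = (mail=%s)
special_result_attribute = memberdn
leaf_result_attribute = mail
bind = sasl
sasl_mechs = GSSAPI
cache = yes
"""

FIXED = """\
server_host = ldap.example.com
search_base = dc=example,dc=com
query_filter = (mail=%s)
result_attribute =
special_result_attribute = memberdn
leaf_result_attribute = mail
bind = sasl
version = 3
sasl_mechs = GSSAPI
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label)
        for severity, msg in lint_table(parse_table(text)) or [("ok", "no findings")]:
            print("  %s: %s" % (severity, msg))
```

Run lint_file() against each table referenced from main.cf before reloading Postfix; an explicitly empty "result_attribute =" is what the text recommends when only leaf or terminal result attributes are wanted, and the linter treats that as satisfied.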
The following parameters are relevant to using LDAP with SASL
.IP "\fBsasl_mechs (default: empty)\fR"
Space-separated list of SASL mechanism(s) to try.
.IP "\fBsasl_realm (default: empty)\fR"
SASL Realm to use, if applicable.
.IP "\fBsasl_authz_id (default: empty)\fR"
The SASL authorization identity to assert, if applicable.
.IP "\fBsasl_minssf (default: 0)\fR"
The minimum SASL security factor required to establish a
.SH "LDAP SSL AND STARTTLS PARAMETERS"