<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - ldap_table(5) </title>
</head> <body> <pre>
LDAP_TABLE(5)                                                    LDAP_TABLE(5)

<b>NAME</b>
       ldap_table - Postfix LDAP client configuration

<b>SYNOPSIS</b>
       <b>postmap -q "</b><i>string</i><b>" <a href="ldap_table.5.html">ldap</a>:/etc/postfix/filename</b>

       <b>postmap -q - <a href="ldap_table.5.html">ldap</a>:/etc/postfix/</b><i>filename</i> &lt;<i>inputfile</i>

<b>DESCRIPTION</b>
       The Postfix mail system uses optional tables for address
       rewriting or mail routing. These tables are usually in <b>dbm</b>
       or <b>db</b> format.

       Alternatively, lookup tables can be specified as LDAP
       databases.

       In order to use LDAP lookups, define an LDAP source as a
       lookup table in <a href="postconf.5.html">main.cf</a>, for example:

           <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf

       The file /etc/postfix/ldap-aliases.cf has the same format
       as the Postfix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters
       described below. An example is given at the end of
       this manual.

       This configuration method is available with Postfix version
       2.1 and later. See the section "BACKWARDS COMPATIBILITY"
       below for older Postfix versions.

       For details about LDAP SSL and STARTTLS, see the section
       on SSL and STARTTLS below.

<b>BACKWARDS COMPATIBILITY</b>
       For backwards compatibility with Postfix version 2.0 and
       earlier, LDAP parameters can also be defined in <a href="postconf.5.html">main.cf</a>.
       Specify as LDAP source a name that doesn't begin with a
       slash or a dot. The LDAP parameters will then be accessible
       as the name you've given the source in its definition,
       an underscore, and the name of the parameter. For example,
       if the map is specified as "<a href="ldap_table.5.html">ldap</a>:<i>ldapsource</i>", the
       "server_host" parameter below would be defined in <a href="postconf.5.html">main.cf</a>
       as "<i>ldapsource</i>_server_host".

       Note: with this form, the passwords for the LDAP sources
       are written in <a href="postconf.5.html">main.cf</a>, which is normally world-readable.
       Support for this form will be removed in a future Postfix
       version.

       Postfix 2.2 has enhanced query interfaces for MySQL and
       PostgreSQL. These include features that were previously
       available only in the Postfix LDAP client. This work also
       created an opportunity for improvements in the LDAP interface.
       The primary compatibility issue is that <b>result_filter</b>
       (a name that has caused some confusion as to its meaning
       in the past) has been renamed to <b>result_format</b>. For
       backwards compatibility with the pre 2.2 LDAP client,
       <b>result_filter</b> can for now be used instead of <b>result_format</b>,
       when the latter parameter is not also set. The new
       name better reflects the function of the parameter. This
       compatibility interface may be removed in a future
       release.

<b>LIST MEMBERSHIP</b>
       When using LDAP to store lists such as $<a href="postconf.5.html#mynetworks">mynetworks</a>,
       $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#relay_domains">relay_domains</a>, $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>,
       etc., it is important to understand that the table must
       store each list member as a separate key. The table lookup
       verifies the *existence* of the key. See "Postfix lists
       versus tables" in the <a href="DATABASE_README.html">DATABASE_README</a> document for a
       discussion.

       Do NOT create tables that return the full list of domains
       in $<a href="postconf.5.html#mydestination">mydestination</a> or $<a href="postconf.5.html#relay_domains">relay_domains</a> etc., or IP addresses
       in $<a href="postconf.5.html#mynetworks">mynetworks</a>.

       DO create tables with each matching item as a key and with
       an arbitrary value. With LDAP databases it is not uncommon
       to return the key itself.

       For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestination</a>:

           query_filter = domain=*
           result_attribute = domain

       Do this instead:

           query_filter = domain=%s
           result_attribute = domain

<b>GENERAL LDAP PARAMETERS</b>
       In the text below, default values are given in parentheses.
       Note: don't use quotes in these variables; at least,
       not until the Postfix configuration routines understand
       how to deal with quoted strings.

       <b>server_host (default: localhost)</b>
              The name of the host running the LDAP server, e.g.

                  server_host = ldap.example.com

              Depending on the LDAP client library you're using,
              it should be possible to specify multiple servers
              here, with the library trying them in order should
              the first one fail. It should also be possible to
              give each server in the list a different port
              (overriding <b>server_port</b> below), by naming them like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to
              specify both the hostname(s) and the port(s):

                  server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
                              <a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP library are
              supported, including connections over UNIX domain
              sockets, and LDAP SSL (the last one provided that
              OpenLDAP was compiled with support for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                              ldaps://ldap.example.com:636

       <b>server_port (default: 389)</b>
              The port the LDAP server listens on, e.g.

                  server_port = 778

       <b>timeout (default: 10 seconds)</b>
              The number of seconds a search can take before timing
              out, e.g.

                  timeout = 5

       <b>search_base (No default; you must configure this)</b>
              The <a href="http://tools.ietf.org/html/rfc2253">RFC2253</a> base DN at which to conduct the search,
              e.g.

                  search_base = dc=your, dc=com

              With Postfix 2.2 and later this parameter supports
              the following '%' expansions:

              <b>%%</b>     This is replaced by a literal '%' character.

              <b>%s</b>     This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2253">RFC 2253</a>
                     quoting is used to make sure that the input
                     key does not add unexpected metacharacters.

              <b>%u</b>     When the input key is an address of the form
                     user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>
                     <a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted local part of the address.
                     Otherwise, <b>%u</b> is replaced by the entire
                     search string. If the localpart is empty,
                     the search is suppressed and returns no
                     results.

              <b>%d</b>     When the input key is an address of the form
                     user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2253">RFC</a>
                     <a href="http://tools.ietf.org/html/rfc2253">2253</a>) quoted domain part of the address.
                     Otherwise, the search is suppressed and
                     returns no results.

              <b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case
                     equivalents of the above expansions
                     behave identically to their lower-case
                     counter-parts. With the <b>result_format</b> parameter
                     (previously called <b>result_filter</b>, see
                     the COMPATIBILITY section and below), they
                     expand to the corresponding components of
                     input key rather than the result value.

              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by
                     the corresponding most significant component
                     of the input key's domain. If the input key
                     is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2
                     is <b>example</b> and %3 is <b>mail</b>. If the input key
                     is unqualified or does not have enough
                     domain components to satisfy all the specified
                     patterns, the search is suppressed and
                     returns no results.

       <b>query_filter (default: mailacceptinggeneralid=%s)</b>
              The <a href="http://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory,
              where <b>%s</b> is a substitute for the address Postfix is
              trying to resolve, e.g.

                  query_filter = (&amp;(mail=%s)(paid_up=true))

              This parameter supports the following '%' expansions:

              <b>%%</b>     This is replaced by a literal '%' character.
                     (Postfix 2.2 and later).

              <b>%s</b>     This is replaced by the input key. <a href="http://tools.ietf.org/html/rfc2254">RFC 2254</a>
                     quoting is used to make sure that the input
                     key does not add unexpected metacharacters.

              <b>%u</b>     When the input key is an address of the form
                     user@domain, <b>%u</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>
                     <a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted local part of the address.
                     Otherwise, <b>%u</b> is replaced by the entire
                     search string. If the localpart is empty,
                     the search is suppressed and returns no
                     results.

              <b>%d</b>     When the input key is an address of the form
                     user@domain, <b>%d</b> is replaced by the (<a href="http://tools.ietf.org/html/rfc2254">RFC</a>
                     <a href="http://tools.ietf.org/html/rfc2254">2254</a>) quoted domain part of the address.
                     Otherwise, the search is suppressed and
                     returns no results.

              <b>%[SUD]</b> The upper-case equivalents of the above
                     expansions behave in the <b>query_filter</b> parameter
                     identically to their lower-case
                     counter-parts. With the <b>result_format</b> parameter
                     (previously called <b>result_filter</b>, see
                     the COMPATIBILITY section and below), they
                     expand to the corresponding components of
                     input key rather than the result value.

                     The above %S, %U and %D expansions are
                     available with Postfix 2.2 and later.

              <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by
                     the corresponding most significant component
                     of the input key's domain. If the input key
                     is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2
                     is <b>example</b> and %3 is <b>mail</b>. If the input key
                     is unqualified or does not have enough
                     domain components to satisfy all the specified
                     patterns, the search is suppressed and
                     returns no results.

                     The above %1, ..., %9 expansions are available
                     with Postfix 2.2 and later.

              The "domain" parameter described below limits the
              input keys to addresses in matching domains. When
              the "domain" parameter is non-empty, LDAP queries
              for unqualified addresses or addresses in non-matching
              domains are suppressed and return no
              results.

              NOTE: DO NOT put quotes around the <b>query_filter</b>
              parameter.
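
The query_filter '%' expansions and RFC 2254 quoting described above, modelled in Python as an added example (not Postfix source code and not part of the original manual). The function names are hypothetical, splitting the key at the last '@' and rejecting undefined codes are assumptions, and the sample keys are constructed.

```python
# Added example: a model of the query_filter '%' expansions in ldap_table(5).

# RFC 2254 section 4: these characters must appear as \XX in an assertion value.
RFC2254_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}


def rfc2254_quote(value):
    """Escape a value so it cannot add filter metacharacters."""
    return "".join(RFC2254_ESCAPES.get(ch, ch) for ch in value)


def expand_query_filter(template, key):
    """Return the expanded filter, or None where the manual says the
    search is suppressed and returns no results."""
    local, at, domain = key.rpartition("@")  # assumption: split at the last '@'
    is_address = bool(at)
    # %1 is the most significant (rightmost) domain component.
    labels = domain.split(".")[::-1] if is_address and domain else []
    out = []
    chars = iter(template)
    for ch in chars:
        if ch != "%":
            out.append(ch)
            continue
        code = next(chars, "")
        if code == "%":
            out.append("%")
        elif code in ("s", "S"):
            out.append(rfc2254_quote(key))
        elif code in ("u", "U"):
            if is_address and not local:
                return None  # empty localpart
            out.append(rfc2254_quote(local if is_address else key))
        elif code in ("d", "D"):
            if not labels:
                return None  # key is not of the form user@domain
            out.append(rfc2254_quote(domain))
        elif code and code in "123456789":
            n = int(code)
            if n > len(labels):
                return None  # unqualified key or too few domain components
            out.append(rfc2254_quote(labels[n - 1]))
        else:
            # Assumption: the manual defines no other codes, so reject them.
            raise ValueError("unsupported expansion: %" + code)
    return "".join(out)


def demo():
    """Expand the manual's example filter against constructed keys."""
    template = "(&(mail=%s)(paid_up=true))"
    keys = ["ldapuser@example.com", "j*doe(test)@example.com", "ldapuser"]
    return [(key, expand_query_filter(template, key)) for key in keys]


if __name__ == "__main__":
    for key, expanded in demo():
        print(repr(key), "->", expanded)
```

The second constructed key shows the quoting at work: its '*', '(' and ')' reach the directory as literal characters of the mail value and cannot change the structure of the filter.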

       <b>result_format (default: %s)</b>
              Called <b>result_filter</b> in Postfix releases prior to
              2.2. Format template applied to result attributes.
              Most commonly used to append (or prepend) text to
              the result. This parameter supports the following
              '%' expansions:

              <b>%%</b>     This is replaced by a literal '%' character.
                     (Postfix 2.2 and later).

              <b>%s</b>     This is replaced by the value of the result
                     attribute. When result is empty it is
                     skipped.

              <b>%u</b>     When the result attribute value is an
                     address of the form user@domain, <b>%u</b> is
                     replaced by the local part of the address.
                     When the result has an empty localpart it is
                     skipped.

              <b>%d</b>     When a result attribute value is an address
                     of the form user@domain, <b>%d</b> is replaced by
                     the domain part of the attribute value. When
                     the result is unqualified it is skipped.

              <b>%[SUD1-9]</b>
                     The upper-case and decimal digit expansions
                     interpolate the parts of the input key
                     rather than the result. Their behavior is
                     identical to that described with <b>query_filter</b>,
                     and in fact because the input key is
                     known in advance, lookups whose key does not
                     contain all the information specified in the
                     result template are suppressed and return no
                     results.

                     The above %S, %U, %D and %1, ..., %9 expansions
                     are available with Postfix 2.2 and
                     later.

              For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]"
              allows one to use a mailHost attribute as the basis
              of a <a href="transport.5.html">transport(5)</a> table. After applying the result
              format, multiple values are concatenated as comma
              separated strings. The expansion_limit and
              size_limit parameters explained below allow one to
              restrict the number of values in the result, which
              is especially useful for maps that should return a
              single value.

              The default value <b>%s</b> specifies that each attribute
              value should be used as is.

              This parameter was called <b>result_filter</b> in Postfix
              releases prior to 2.2. If no "result_format" is
              specified, the value of "result_filter" will be
              used instead before resorting to the default value.
              This provides compatibility with old configuration
              files.

              NOTE: DO NOT put quotes around the result format!

       <b>domain (default: no domain list)</b>
              This is a list of domain names, paths to files, or
              dictionaries. When specified, only fully qualified
              search keys with a *non-empty* localpart and a
              matching domain are eligible for lookup: 'user'
              lookups, bare domain lookups and "@domain" lookups
              are not performed. This can significantly reduce
              the query load on the LDAP server.

                  domain = postfix.org, hash:/etc/postfix/searchdomains

              It is best not to use LDAP to store the domains
              eligible for LDAP lookups.

              NOTE: DO NOT define this parameter for <a href="local.8.html">local(8)</a>
              aliases.

              This feature is available in Postfix 1.0 and later.

       <b>result_attribute (default: maildrop)</b>
              The attribute(s) Postfix will read from any directory
              entries returned by the lookup, to be resolved
              to an email address.

                  result_attribute = mailbox, maildrop

       <b>special_result_attribute (default: empty)</b>
              The attribute(s) of directory entries that can contain
              DNs or URLs. If found, a recursive subsequent
              search is done using their values.

                  special_result_attribute = memberdn

              DN recursion retrieves the same result_attributes
              as the main query, including the special attributes
              for further recursion. URI processing retrieves
              only those attributes that are included in the URI
              definition and are *also* listed in
              "result_attribute". If the URI lists any of the
              map's special result attributes, these are also
              retrieved and used recursively.

       <b>terminal_result_attribute (default: empty)</b>
              When one or more terminal result attributes are
              found in an LDAP entry, all other result attributes
              are ignored and only the terminal result attributes
              are returned. This is useful for delegating expansion
              of group members to a particular host, by
              using an optional "maildrop" attribute on selected
              groups to route the group to a specific host, where
              the group is expanded, possibly via mailing-list
              manager or other special processing.

                  terminal_result_attribute = maildrop

              This feature is available with Postfix 2.4 or
              later.

       <b>leaf_result_attribute (default: empty)</b>
              When one or more special result attributes are
              found in a non-terminal (see above) LDAP entry,
              leaf result attributes are excluded from the expansion
              of that entry. This is useful when expanding
              groups and the desired mail address attribute(s) of
              the member objects obtained via DN or URI recursion
              are also present in the group object. To only
              return the attribute values from the leaf objects
              and not the containing group, add the attribute to
              the leaf_result_attribute list, and not the
              result_attribute list, which is always expanded.
              Note: the default value of "result_attribute" is
              not empty; you may want to set it explicitly empty
              when using "leaf_result_attribute" to expand the
              group to a list of member DN addresses. If groups
              have both member DN references AND attributes that
              hold multiple string valued rfc822 addresses, then
              the string attributes go in "result_attribute".
              The attributes that represent the email addresses
              of objects referenced via a DN (or LDAP URI) go in
              "leaf_result_attribute".

                  result_attribute = memberaddr
                  special_result_attribute = memberdn
                  terminal_result_attribute = maildrop
                  leaf_result_attribute = mail

              This feature is available with Postfix 2.4 or
              later.

       <b>scope (default: sub)</b>
              The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These
              translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
              and LDAP_SCOPE_ONELEVEL.

       <b>bind (default: yes)</b>
              Whether or not to bind to the LDAP server. Newer
              LDAP implementations don't require clients to bind,
              which saves time. Example:

                  bind = no

              If you do need to bind, you might consider configuring
              Postfix to connect to the local machine on a
              port that's an SSL tunnel to your LDAP server. If
              your LDAP server doesn't natively support SSL, put
              a tunnel (wrapper, proxy, whatever you want to call
              it) on that system too. This should prevent the
              password from traversing the network in the clear.

       <b>bind_dn (default: empty)</b>
              If you do have to bind, do it with this distinguished
              name. Example:

                  bind_dn = uid=postfix, dc=your, dc=com

       <b>bind_pw (default: empty)</b>
              The password for the distinguished name above. If
              you have to use this, you probably want to make the
              map configuration file readable only by the Postfix
              user. When using the obsolete <a href="ldap_table.5.html">ldap</a>:ldapsource syntax,
              with map parameters in <a href="postconf.5.html">main.cf</a>, it is not possible
              to securely store the bind password. This is
              because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow
              local accounts to submit mail via the sendmail command.
              Example:

                  bind_pw = postfixpw

       <b>cache (IGNORED with a warning)</b>

       <b>cache_expiry (IGNORED with a warning)</b>

       <b>cache_size (IGNORED with a warning)</b>
              The above parameters are NO LONGER SUPPORTED by
              Postfix. Cache support has been dropped from
              OpenLDAP as of release 2.1.13.

       <b>recursion_limit (default: 1000)</b>
              A limit on the nesting depth of DN and URL special
              result attribute evaluation. The limit must be a
              non-zero positive number.

       <b>expansion_limit (default: 0)</b>
              A limit on the total number of result elements
              returned (as a comma separated list) by a lookup
              against the map. A setting of zero disables the
              limit. Lookups fail with a temporary error if the
              limit is exceeded. Setting the limit to 1 ensures
              that lookups do not return multiple values.

       <b>size_limit (default: $expansion_limit)</b>
              A limit on the number of LDAP entries returned by
              any single LDAP search performed as part of the
              lookup. A setting of 0 disables the limit. Expansion
              of DN and URL references involves nested LDAP
              queries, each of which is separately subjected to
              this limit.

              Note: even a single LDAP entry can generate multiple
              lookup results, via multiple result attributes
              and/or multi-valued result attributes. This limit
              caps the per search resource utilization on the
              LDAP server, not the final multiplicity of the
              lookup result. It is analogous to the "-z" option
              of "ldapsearch".

       <b>dereference (default: 0)</b>
              When to dereference LDAP aliases. (Note that this
              has nothing to do with Postfix aliases.) The permitted
              values are those legal for the OpenLDAP/UM LDAP
              implementations:

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See ldap.h or the ldap_open(3) or ldapsearch(1) man
              pages for more information. And if you're using an
              LDAP package that has other possible values, please
              bring it to the attention of the
              postfix-users@postfix.org mailing list.

       <b>chase_referrals (default: 0)</b>
              Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP
              version 3 support).

       <b>version (default: 2)</b>
              Specifies the LDAP protocol version to use.

       <b>debuglevel (default: 0)</b>
              What level to set for debugging in the OpenLDAP
              libraries.

<b>LDAP SSL AND STARTTLS PARAMETERS</b>
       If you're using the OpenLDAP libraries compiled with SSL
       support, Postfix can connect to LDAP SSL servers and can
       issue the STARTTLS command.

       LDAP SSL service can be requested by using a LDAP SSL URL
       in the server_host parameter:

           server_host = ldaps://ldap.example.com:636

       STARTTLS can be turned on with the start_tls parameter:

           start_tls = yes

       Both forms require LDAP protocol version 3, which has to
       be set explicitly with:

           version = 3

       If any of the Postfix programs querying the map is configured
       in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
       and keys involved have to be copied to the chroot jail. Of
       course, the private keys should only be readable by the
       user "postfix".

       The following parameters are relevant to LDAP SSL and
       STARTTLS:

       <b>start_tls (default: no)</b>
              Whether or not to issue STARTTLS upon connection to
              the server. Don't set this with LDAP SSL (the SSL
              session is set up automatically when the TCP connection
              is opened).

       <b>tls_ca_cert_dir (No default; set either this or</b>
       <b>tls_ca_cert_file)</b>
              Directory containing X509 Certificate Authority
              certificates in PEM format which are to be recognized
              by the client in SSL/TLS connections. The
              files each contain one CA certificate. The files
              are looked up by the CA subject name hash value,
              which must hence be available. If more than one CA
              certificate with the same name hash value exists,
              the extension must be different (e.g. 9d66eef0.0,
              9d66eef0.1 etc). The search is performed in the
              ordering of the extension number, regardless of
              other properties of the certificates. Use the
              c_rehash utility (from the OpenSSL distribution) to
              create the necessary links.

       <b>tls_ca_cert_file (No default; set either this or</b>
       <b>tls_ca_cert_dir)</b>
              File containing the X509 Certificate Authority certificates
              in PEM format which are to be recognized
              by the client in SSL/TLS connections. This setting
              takes precedence over tls_ca_cert_dir.

       <b>tls_cert (No default; you must set this)</b>
              File containing client's X509 certificate to be
              used by the client in SSL/TLS connections.

       <b>tls_key (No default; you must set this)</b>
              File containing the private key corresponding to
              the above tls_cert.

       <b>tls_require_cert (default: no)</b>
              Whether or not to request server's X509 certificate
              and check its validity when establishing SSL/TLS
              connections. The supported values are <b>no</b> and <b>yes</b>.

              With <b>no</b>, the server certificate trust chain is not
              checked, but with OpenLDAP prior to 2.1.13, the
              name in the server certificate must still match the
              LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
              server name is not necessarily what you specified,
              rather it is determined (by reverse lookup) from
              the IP address of the LDAP server connection. With
              OpenLDAP prior to 2.0.13, subjectAlternativeName
              extensions in the LDAP server certificate are
              ignored: the server name must match the subject
              CommonName. The <b>no</b> setting corresponds to the <b>never</b>
              value of <b>TLS_REQCERT</b> in LDAP client configuration
              files.

              Don't use TLS with OpenLDAP 2.0.x (and especially
              with x &lt;= 11) if you can avoid it.

              With <b>yes</b>, the server certificate must be issued by
              a trusted CA, and not be expired. The LDAP server
              name must match one of the name(s) found in the
              certificate (see above for OpenLDAP library version
              dependent behavior). The <b>yes</b> setting corresponds to
              the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client
              configuration files.

              The "try" and "never" values of <b>TLS_REQCERT</b> have no
              equivalents here. They are not available with
              OpenLDAP 2.0, and in any case have questionable
              security properties. Either you want TLS verified
              LDAP connections, or you don't.

              The <b>yes</b> value only works correctly with Postfix 2.5
              and later, or with OpenLDAP 2.0. Earlier Postfix
              releases or later OpenLDAP releases don't work
              together with this setting. Support for LDAP over
              TLS was added to Postfix based on the OpenLDAP 2.0
              API.

       <b>tls_random_file (No default)</b>
              Path of a file to obtain random bits from when
              /dev/[u]random is not available, to be used by the
              client in SSL/TLS connections.

       <b>tls_cipher_suite (No default)</b>
              Cipher suite to use in SSL/TLS negotiations.

<b>EXAMPLE</b>
       Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
       aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:

           <a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
                   <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf

       and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:

           server_host = ldap.example.com
           search_base = dc=example, dc=com

       Upon receiving mail for a local address "ldapuser" that
       isn't found in the /etc/aliases database, Postfix will
       search the LDAP server listening at port 389 on ldap.example.com.
       It will bind anonymously, search for any directory
       entries whose mailacceptinggeneralid attribute is
       "ldapuser", read the "maildrop" attributes of those found,
       and build a list of their maildrops, which will be treated
       as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be delivered.
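
An added example, not part of the original manual or of Postfix: a Python check that applies this manual's own cautions to a map file (bind_pw in a world-readable file, version = 3 for LDAP SSL and STARTTLS, start_tls combined with an ldaps URL, tls_require_cert, quoted values, and list-membership filters that ignore the key). The function names, finding labels, the CA file path and both sample maps are constructed for illustration.

```python
# Added example: lint an LDAP map file against the cautions in ldap_table(5).
import os
import re
import stat


def parse_map_config(text):
    """Parse main.cf-style text: 'name = value' lines, '#' comments, and
    continuation lines that start with whitespace."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def audit_map(text, mode):
    """Return (label, reason) findings for map text and its file mode bits."""
    p = parse_map_config(text)
    findings = []
    ldaps = "ldaps://" in p.get("server_host", "localhost")
    start_tls = p.get("start_tls", "no") == "yes"
    if "bind_pw" in p and mode & stat.S_IROTH:
        findings.append(("bind_pw-world-readable",
                         "map file holds bind_pw but is readable by everyone"))
    if (ldaps or start_tls) and p.get("version", "2") != "3":
        findings.append(("tls-needs-version-3",
                         "LDAP SSL and STARTTLS require an explicit version = 3"))
    if ldaps and start_tls:
        findings.append(("start_tls-with-ldaps",
                         "start_tls must not be set together with an ldaps URL"))
    if (ldaps or start_tls) and p.get("tls_require_cert", "no") != "yes":
        findings.append(("server-cert-not-checked",
                         "tls_require_cert = no skips the trust chain check"))
    for name in ("query_filter", "result_format", "result_filter"):
        value = p.get(name, "")
        if value.startswith(('"', "'")) or value.endswith(('"', "'")):
            findings.append(("quoted-value", name + " must not be quoted"))
    query_filter = p.get("query_filter", "mailacceptinggeneralid=%s")
    if not re.search(r"%[sudSUD1-9]", query_filter.replace("%%", "")):
        findings.append(("filter-ignores-key",
                         "query_filter never uses the lookup key (list membership)"))
    return findings


def audit_file(path):
    """Audit a map file on disk using its real permission bits."""
    with open(path, encoding="utf-8") as handle:
        return audit_map(handle.read(), stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample input: a map that breaks several rules, then a corrected one.
WEAK_MAP = """\
server_host = ldaps://ldap.example.com:636
search_base = dc=example, dc=com
start_tls = yes
query_filter = "domain=*"
result_attribute = domain
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = postfixpw
"""
FIXED_MAP = """\
server_host = ldaps://ldap.example.com:636
search_base = dc=example, dc=com
version = 3
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/example-ca.pem
query_filter = domain=%s
result_attribute = domain
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = postfixpw
"""

if __name__ == "__main__":
    for name, text, mode in (("weak", WEAK_MAP, 0o644), ("fixed", FIXED_MAP, 0o600)):
        print(name, [label for label, _ in audit_map(text, mode)])
```

The permission check only flags read access for "other"; the manual's stricter advice is a file readable only by the Postfix user.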

<b>SEE ALSO</b>
       <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="mysql_table.5.html">mysql_table(5)</a>, MySQL lookup tables
       <a href="pgsql_table.5.html">pgsql_table(5)</a>, PostgreSQL lookup tables

<b>README FILES</b>
       <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
       <a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this
       software.

<b>AUTHOR(S)</b>
       Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
       Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
       Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
       Victor Duchovni, and many others.

                                                                 LDAP_TABLE(5)
</pre> </body> </html>