RE: SigningTable and LDAP

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Wed, 2 May 2012 04:45:44 +0000

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users- bounce_at_lists.opendkim.org] On Behalf Of Quanah Gibson-Mount
> Sent: Tuesday, May 01, 2012 9:13 PM
> To: opendkim-users_at_lists.opendkim.org
> Subject: SigningTable and LDAP
>
> Hi list,
>
> In looking at opendkim.conf(5) and the README file for using LDAP with
> OpenDKIM, I'm not sure how you specify multiple LDAP URI's to the
> SigningTable parameter.
>
> For example, most of our customers have multiple LDAP replicas. I
> would want the SigningTable parameter to be able to reference any of
> those replicas, for failover purposes.
>
> Do I specify SigningTable multiple times, once per ldap server? Or can
> I provide the LDAP URI's multiple times with the SigningTable parameter?
> Same goes for the KeyTable paramater.
> [...]

The latter. The code that parses the provided value splits them first on spaces and tabs, and what's between those delimiters is assumed to be an LDAP URI that it should use to contact a server. Order is preserved. They're all passed individually to ldap_is_ldap_url() first for a basic sanity check.

One caveat is that we assume symmetry for the schemas for the various URIs provided. That is, we drop everything that's not part of the scheme://host:port and pass that list to ldap_initialize(); what's left is kept only from the first one and used to construct the actual queries when the time comes. Hopefully that's a sane assumption.
 
> For example, would I want:
>
> SigningTable ldap://192.0.2.1/""?DKIMSelector?sub?(DKIMIdentity =$d)
> ldap://192.0.2.2/""?DKIMSelector?sub?(DKIMIdentity=$d)
>
> or
>
> SigningTable ldap://192.0.2.1/""?DKIMSelector?sub?(DKIMIdentity=$d)
> SigningTable ldap://192.0.2.2/""?DKIMSelector?sub?(DKIMIdentity=$d)

The first one.

-MSK
Received on Wed May 02 2012 - 04:45:58 PST