The ldap_compare() command compares a given value to the value of an LDAP attribute.
This command connects to an LDAP server and checks the value of an attribute.
If none of the specified LDAP servers can be reached, the email is rejected with a temporary error (420, could not connect to LDAP server).
Structure of the command
ldap_compare('ldap','attr','value');
Return value
The return value depends on the variable used in the LDAP search string.
Parameters
Note: the contents of the variables in the "Filter" parameter deviate from the default variables (see the "Variables" table below).

ldap
The parameter is structured as follows:
'URI;BindDN;Password;SearchBase;Filter'
The meaning of the individual part strings is described in the following table:

| Part | Description |
|---|---|
| URI | Specifies the LDAP(S) server to be queried. A hostname or an IP address is accepted. Several comma-separated values can also be given; in that case the system automatically moves on to the next server if the previous one cannot be reached. |
| BindDN | The full distinguished name (DN) of the (read-only) account that is authorised to search the branch of the LDAP directory given under "SearchBase". |
| Password | The password of the account given under BindDN. |
| SearchBase | Search path: the branch of the LDAP directory in which the object to be checked for the presence of the attribute 'attr' with the value 'value' is searched for recursively by means of the search filter (see next row). |
| Filter | The search attribute/value by which the object is looked up in the "SearchBase" branch. The search attribute is generally "(mail=...)". For evaluating the email address(es), the variables in the following table are available. |

Variables
The return value of ldap_compare() depends on which of these variables is used in the Filter part:

| Variable | Description |
|---|---|
| $sender | Returns the envelope sender of the email. |
| $from | Returns the sender address from the FROM header of the email. This is particularly necessary for out-of-office notifications, which carry no envelope sender. If the sender of the FROM header is not internal, i.e. cannot be assigned to a Managed domain, the system checks for the presence of the SENDER header; if that header is present and the sender contained in it is internal, it is used instead of the sender of the FROM header. This avoids problems when forwarding calendar invitations. |
| $rcptdomain | Returns the recipient domains of an email. The email is split into two groups: one with the recipients of the domain(s) for which the value 'value' is present in the attribute 'attr' of the object found by means of the LDAP search string (ldap/Filter), and one with the recipients for which it is not. |
| $rcptaddress or $recipient | Returns the recipients of an email. The email is split into two groups: one with the recipients for whom the value 'value' is present in the attribute 'attr' of the object found by means of the LDAP search string (ldap/Filter), and one with the recipients for whom it is not. |
| $one_recipient | If an email has several recipients, the value 'value' of the attribute 'attr' is checked in the objects found by means of the LDAP search string (ldap/Filter) for every recipient; the result is positive as soon as at least one recipient matches. |
| $all_recipients | If an email has several recipients, the value 'value' of the attribute 'attr' is checked in the objects found by means of the LDAP search string (ldap/Filter) for every recipient; the result is positive only if all recipients match. |

attr
Attribute to search for in the LDAP directory.
If several attributes 'attr' with the searched name are found, all of them are evaluated (multi-value).

value
Value which is to occur in the queried attribute 'attr'.
If 'value' has several entries, the search is terminated after the first match. The comparison is case-sensitive.
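The parameter format and the variable semantics described above, modelled in Python as an added example. This is not the gateway's own code: the in-memory directory ENTRIES, the reachability map SERVERS, the message dictionary and all function names are constructed assumptions. It parses the five-part 'URI;BindDN;Password;SearchBase;Filter' string, moves on to the next comma-separated server and raises a temporary error when none answers, substitutes the Filter variable, restricts the search to the SearchBase branch, compares a multi-valued attribute case-sensitively, and combines the per-recipient results the way $one_recipient, $all_recipients and $rcptaddress require.

```python
import re

# Constructed sample directory (not a real LDAP server): DN -> multi-valued attributes.
ENTRIES = {
    "CN=Alice,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local": {
        "mail": ["alice@firma.local"],
        "memberOf": ["Staff", "MailCrypt"],
        "MailServer": ["Exchange"],
    },
    "CN=Bob,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local": {
        "mail": ["bob@firma.local"],
        "memberOf": ["Staff"],
        "MailServer": ["Domino"],
    },
    "CN=Carol,OU=Sales,OU=MyBusiness,DC=firma,DC=local": {   # outside the SBSUsers branch
        "mail": ["carol@firma.local"],
        "memberOf": ["mailcrypt"],                            # wrong case on purpose
        "MailServer": ["Domino"],
    },
}

# Constructed reachability map: None models a server that cannot be contacted.
SERVERS = {"ldap://192.168.10.10": None, "ldap://192.168.10.11": ENTRIES}

# Variable -> (how per-address results are combined, how addresses are taken from the mail).
VARIABLES = {
    "$one_recipient": ("any", lambda m: m["recipients"]),
    "$all_recipients": ("all", lambda m: m["recipients"]),
    "$rcptaddress": ("split", lambda m: m["recipients"]),
    "$recipient": ("split", lambda m: m["recipients"]),
    "$rcptdomain": ("split", lambda m: sorted({r.split("@", 1)[1] for r in m["recipients"]})),
    "$sender": ("any", lambda m: [m["sender"]]),
    "$from": ("any", lambda m: [m["from"]]),
}

FILTER_RE = re.compile(r"^\((\w+)=(.+)\)$")   # only the simple (attr=value) filter form is modelled


class LdapTemporaryError(Exception):
    """Corresponds to the gateway's temporary rejection: 420, could not connect to LDAP server."""


def parse_ldap_param(param):
    """Split 'URI;BindDN;Password;SearchBase;Filter'; URI may list several comma-separated servers."""
    parts = param.split(";")
    if len(parts) != 5:
        raise ValueError("ldap parameter needs exactly five ';'-separated fields")
    uris, bind_dn, password, base, filt = parts
    return [u.strip() for u in uris.split(",")], bind_dn, password, base, filt


def attr_values(entry, attr):
    """LDAP attribute names are case-insensitive, so memberOF and memberOf are the same attribute."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def search(entries, base, filt):
    """Recursive search below 'base' (DN comparison is case-insensitive) for entries matching the filter."""
    attr, value = FILTER_RE.match(filt).groups()
    return [e for dn, e in entries.items()
            if dn.lower().endswith(base.lower()) and value in attr_values(e, attr)]


def entry_has_value(entry, attr, value):
    """Case-sensitive compare against every value of a multi-valued attribute; the first hit wins."""
    wanted = value if isinstance(value, (list, tuple)) else [value]
    stored = attr_values(entry, attr)
    return any(w in stored for w in wanted)


def ldap_compare_groups(ldap_param, attr, value, msg, servers=SERVERS):
    """Return (mode, matched_addresses, unmatched_addresses) after server fail-over and substitution."""
    uris, _bind_dn, _password, base, filt = parse_ldap_param(ldap_param)
    # Bind credentials are parsed but not verified: the constructed directory has no authentication.
    entries = next((servers[u] for u in uris if servers.get(u) is not None), None)
    if entries is None:
        raise LdapTemporaryError("420 could not connect to LDAP server")
    var, (mode, pick) = next(((v, spec) for v, spec in VARIABLES.items() if v in filt),
                             ("", ("any", lambda m: [""])))   # no variable: filter used literally
    matched, unmatched = [], []
    for addr in pick(msg):
        hits = search(entries, base, filt.replace(var, addr) if var else filt)
        (matched if any(entry_has_value(e, attr, value) for e in hits) else unmatched).append(addr)
    return mode, matched, unmatched


def ldap_compare(ldap_param, attr, value, msg, servers=SERVERS):
    """Boolean result: 'all' needs every address to match, 'any' and 'split' need at least one."""
    mode, matched, unmatched = ldap_compare_groups(ldap_param, attr, value, msg, servers)
    if mode == "all":
        return bool(matched) and not unmatched
    return bool(matched)


if __name__ == "__main__":
    mail = {"sender": "alice@firma.local", "from": "alice@firma.local",
            "recipients": ["alice@firma.local", "bob@firma.local"]}
    param = ("ldap://192.168.10.10,ldap://192.168.10.11;CN=Peter Mueller,OU=SBSUsers,OU=Users,"
             "OU=MyBusiness,DC=firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,"
             "DC=Firma,DC=local;(mail=$one_recipient)")
    print("at least one Exchange mailbox:", ldap_compare(param, "MailServer", "Exchange", mail))
```

Two details worth noticing when reading the output: the first URI is unreachable, so the result comes from the second server without any error, and the Carol entry never matches 'MailCrypt' even with a wider SearchBase, because the value comparison is case-sensitive while the DN and attribute-name comparisons are not.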
Example 1
The membership of the internal sender of an email, identified by the sender address from the FROM header "(mail=$from)", in the group "MailCrypt" is to be checked in the LDAP, e.g. to determine whether they are entitled to send cryptographically treated emails.
The statement looks like this:
| Line | Code |
|---|---|
| 01 | `if (ldap_compare('192.168.10.10;CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;(mail=$from)','memberOF','MailCrypt')) {` |
| 02 | `log(1,'Member of the AD group MailCrypt, mark email for signature');` |
| 03 | `tagsubject('[sign]');` |
| 04 | `} else {` |
| 05 | `log(1, 'not a member of the AD-Group Exchange, deliver without treatment');` |
| 06 | `deliver();` |
| 07 | `}` |
Explanation
In line 01:
• the LDAP server with the IP address 192.168.10.10 (and the default port 389) is queried;
• the distinguished name (DN) of the user under which the query is executed (this user must have the appropriate permissions) is CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;
• the password used for this user is mypassword;
• the LDAP path in which the search filter (mail=$from) is applied is OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;
• the user whose group membership is to be determined is identified by the sender address from the FROM header of the email (mail=$from).
At least one value of the attribute "memberOF" must equal "MailCrypt" for the return value to be positive, in which case the application block in lines 02 and 03 is executed. If the value "MailCrypt" is not present in the attribute, or the attribute "memberOF" does not exist at all, the return value is negative and the application block in lines 05 and 06 is executed.
Example 1a
The parameters 'ldap’ and 'attr' (line 02) are read from a previously defined variable $ldap_attr (line 01).
| Line | Code |
|---|---|
| 01 | `if (compare('from','match','@customer1\.tld')) {` |
| 02 | `setvar('ldap_attr','ldaps://directory.domain.tld;CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local;(mail=$header_from)');` |
| 03 | `}` |
| 04 | `if (ldap_compare('$ldap_attr','memberOf','MailCrypt')) {` |
| 05 | `...` |
| 06 | `}` |
Explanation
This is particularly helpful on multi-client systems: the LDAP access belonging to a client can first be selected based on the sender address, while the actual LDAP branch then stays identical for all clients.
Note that for ldap_compare() the FROM header is referenced as (mail=$from). setvar(), however, uses the default variables and is resolved at the moment the variable is written, so the setvar() command must use the variable $header_from instead.
Example 2
The membership of the internal sender of an email, identified by the envelope sender "(mail=$sender)", in the group "MailCrypt" is to be checked in the LDAP, e.g. to determine whether they are entitled to send cryptographically treated emails.
The statement looks like this:
| Line | Code |
|---|---|
| 01 | `ldap_compare('ldaps://192.168.10.10;CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;(mail=$sender)','memberOF','MailCrypt');` |
Explanation
The expression in this example is the same as in example 1 (line 01), with the difference that the sender is looked up by the envelope sender instead of the FROM header of the email, and that the server is contacted via LDAPS.
Example 3
The starting point is two different groupware (internal email) servers (for example Exchange and Domino) that are used in parallel.
It is to be queried whether the mailbox of at least one internal recipient of an incoming email, which may have several recipients, is an Exchange mailbox.
The statement looks like this:
| Line | Code |
|---|---|
| 01 | `if (ldap_compare('ldap://192.168.10.10,ldap://192.168.10.11;CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;(mail=$rcptaddress)','MailServerGruppe','Exchange')){` |
| 02 | `log(1,'Member of the AD-Group Exchange');` |
| 03 | `} else {` |
| 04 | `log(1,'no Member of the AD-Group Exchange');` |
| 05 | `}` |
Explanation
In the LDAP search path (SearchBase) the search filter (Filter) "(mail=$rcptaddress)" is applied (line 01). Two servers are listed; the second is only contacted if the first cannot be reached.
For the recipients of the email that are found in the LDAP directory, have the specified attribute and whose attribute value corresponds to the specification, the log entry "Member of the AD-Group Exchange" is generated (line 02). All other recipients receive the log entry "no Member of the AD-Group Exchange" (line 04).
Example 4
The starting point is again two different groupware servers that are used in parallel.
It is to be queried whether the mailbox of at least one internal recipient of an incoming email, which may have several recipients, is an Exchange mailbox.
The statement looks like this:
| Line | Code |
|---|---|
| 01 | `ldap_compare('ldaps://myldap.local;CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;(mail=$one_recipient)','MailServer','Exchange');` |
Explanation
In the LDAP search path (SearchBase) the search filter (Filter) "(mail=$one_recipient)" is applied.
If at least one recipient of the email "(mail=$one_recipient)" has the value "Exchange" in the attribute "MailServer", the return value is positive.
Example 5
It is to be queried whether the mailboxes of all internal recipients of an incoming email, which may have several recipients, are Domino mailboxes.
The statement looks like this:
| Line | Code |
|---|---|
| 01 | `ldap_compare('ldaps://myldap.local;CN=Peter Mueller,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=firma,DC=local;mypassword;OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Firma,DC=local;(mail=$all_recipients)','MailServer','Domino');` |
Explanation
In the LDAP search path (SearchBase) the search filter (Filter) "(mail=$all_recipients)" is applied.
Only if all internal recipients of the email "(mail=$all_recipients)" have the value "Domino" in the attribute "MailServer" is the return value positive.
Example 6
It is to be checked whether the internal sender of an email "(proxyaddresses=smtp:$sender)" is a user of the firma.local domain.
The statement looks like this:
| Line | Code |
|---|---|
| 01 | `ldap_compare('ldaps://192.168.10.10;Administrator@myldap.local;mypassword;DC=firma,DC=local;(proxyaddresses=smtp:$sender)','objectclass','user');` |
Explanation
In the LDAP search path (SearchBase) the search filter (Filter) "(proxyaddresses=smtp:$sender)" is applied. The BindDN is given here in the user@domain form instead of as a full DN.
If the envelope sender address of the email (smtp:$sender) is found in a user object (objectclass=user), the return value is positive.
Since email aliases are also listed in the attribute proxyAddresses of an AD user object, this query works with all email addresses of the user and not only with the main address (attribute mail).