perditiondb(5) perdition modular popmap support

DESCRIPTION

Perdition supports a dynamic library mechanism to access arbitrary databases that resolve a user to a host and port.

DATABASE ACCESS LIBRARIES

If you are using the -s|--default server option then creating an empty database will cause all users to use the default server. Alternatively, setting no popmap by passing an empty string to the -m|--map_name option will cause no map lookups to take place and only the default server to be used.

E.g.: perdition -m ""

In this case, if no default server is set then perdition will still run but users will not be able to connect to a real server.

GDBM

This is the default library used by perdition. The gdbm library reads server and port information from a GDBM database. The database is opened each time perdition looks up a server and port pair. The information for each lookup key is stored in a flat file, popmap with the format:

<key>:[<username><domain_delimiter>]<host>[:<port>]

Where:
host: hostname or ip address
port: port name or number

E.g.

horms:foo.bar:110
jain:[email protected]

A domain_delimiter of "@" is used in the example above. For more information on keys and the domain delimiter, see perdition(8).

If the -n|--no_lookup option is in effect, then ip addresses and port names should be used as host and port names will not be resolved.

To build the flat file into a binary format the makegdbm utility, which is provided as part of perdition should be used.

makegdbm popmap.gdbm.db < popmap

A makefile is provided and you can simply run make to rebuild the popmap. This is installed into /etc/perdition/ in the RPM and Debian distributions.

An alternate location for the popmap.gdbm.db can be specified using the -m|--map_library_opt command line option or configuration file option.

E.g.

perdition -m /etc/my_popmap.gdbm.db

This map library is the default. It may also be used explicitly, used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_gdbm.so.0

Where /usr/lib is the directory in which the perdition libraries were installed.

Berkeley DB

This is analogous to the GDBM library, except that a popmap.bdb.db should be created using makebdb.

This library may be used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_bdb.so.0

Where /usr/lib is the directory in which the perdition libraries were installed.

YP/NIS

The NIS library reads a YP/NIS map, the key is the userid, the value is the servername.

The default map name is 'user_mail_server', and can be changed by specifying the map name with the -m flag.

To use this library, you need to specify:

perdition -M /usr/lib/libperditiondb_nis.so.0

Where /usr/lib is the directory in which the perdition libraries were installed. You will need to customise your yp server's Makefile to actually get a new map on the server. This map library is intended for sites that already have a significant infrastructure based around YP/NIS.

POSIX REGULAR EXPRESSIONS

This library allows users to be looked matched against a list of regular expressions.

This library can be used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_posix_regex.so.0

Where /usr/lib is the directory in which the perdition libraries were installed.

The regular expression is kept in a flat file, by default /etc/perdition/popmap.re . A sample map file is shipped with the source and can be found in etc/perdition/popmap.re, this is installed into /etc/perdition/popmap.re in the RPM and Debian distributions. The format for the flat file is:

<regular expression>: [<username><domain_delimiter>]<server>[:<port>]

A single colon may follow a regular_expression Some amount of white space must follow this colon or the regular_expression if the colon is omitted. Blank lines are ignored, as is anything including and after a # (hash) on a line. If a  precedes a new line then the lines will be concatenated. If a  precedes any other character, including a # (hash) it will be treated as a literal. Anything inside single quotes (') will be treated as a literal. Anything other than a (') inside double quotes (") will be treated as a literal. Whitespace in a regular_expression must be escaped or quoted. Whitespace in a substitution need not be escaped or quoted.

Information on setting the domain_delimiter is found in perdition(8), "@" is used in this example.

E.g.

^[a-k]: localhost
^[^a-k]: localhost:110
^user: user2@localhost
(.*)@(.*): $1_$2@localhost

The first matching regular expression will be used. The regular expressions are extended posix regular expressions. The last example illustrates the ability to expand backreferances. Backreferences may be used by inserting $n in the substitution where n is in the range 1..9. The backreference substitution code in this library is courtesy of Wim Bonis and in turn the PHP3 project.

E.g.

For the regex (.*)@(.*): $1_$2@localhost
[email protected]
would return
user_x.y.z.de@localhost

Note that there is no implicit ^ or $ around the regular expressions. The popmap entry "flim: localhost" will match "flim", "flimstix", "itsflim" and "totallyflimless". To only match "flim" you need the popmap entry "^flim$: localhost".

The map file is read once on startup and cached. This is to increase performance as the regular expressions must be compiled internally before they can be used. The map file can be re read by sending perdition a SIGHUP. An alternate location for the popmap.re can be specified using the -m|--map_library_opt command line option or configuration file option.

E.g.

perdition -m /etc/perdition/my_popmap.re

MYSQL

This map library can be used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_mysql.so.0

Where /usr/lib is the directory in which the perdition libraries were installed.

The library will connect to a MySQL database and do a query on a table expected to have the columns:

+------------+--------------+------+-----+---------+-------+
| Field      | Type         | Null | Key | Default | Extra |
+------------+--------------+------+-----+---------+-------+
| user       | varchar(128) |      | PRI |         |       |
| servername | varchar(255) |      |     |         |       |
| port       | varchar(8)   | YES  |     | NULL    |       |
+------------+--------------+------+-----+---------+-------+

The fields may be in a different order and other, non-perdition fields may also be present in this table. The names of the columns can be other than their above defaults by using the library option string described below. All fields must be literal character strings. The allowed length of the strings is not important, however, it is recommended that the length of the user field be kept under 128 to avoid exceeding perdition's internal query length limit, PERDITIONDB_MYSQL_QUERY_LENGTH which is 256 by default. This may be altered by recompiling perdition. The user field must also be a unique index as an exact match will be made of this field from the username supplied by the user.

The servername is of the form.

[<username><domain_delimiter>]<host>[:<port>]

Where:
host: hostname or ip address
port: port name or number

If the -n|--no_lookup option is in effect then ip addresses and port numbers should be used as host and port names will not be resolved.

The port is the TCP port to use when connecting to the server. This field can be specified if the back-end server answers on a non-standard port (standard ports being 110 for POP3 and 143 for IMAP). Only specify this field in the database if you intend to use POP3 or IMAP exclusively as it will try to use this port no matter what protocol is being used. If POP3 and IMAP are both being used on non-standard back-end server ports, those ports can be specified with the -p argument when you invoke the perdition executable.

The database is accessed each time perdition needs to find the host and port for a user. The default database values are as follows:

database host: localhost
database port: (MySQL Client Default: usually 3306)
database name: dbPerdition
database table: tblPerdition
database user: perdition
database password: perdition
user column: user
server column: servername
port column: port

A script, perditiondb_mysql_makedb, is provided to initialise such a database. Alternate values can be set using the -m|--map_library_opt command line option or configuration file option with an argument of the following form. (N.B.: this example has been split over multiple lines for ease of reading)

<dbhost>[:<dbport>[:<dbname>[:<dbtable>[:<dbuser>
[:<dbpwd>[:<dbservercol>[:<dbusercol>[:<dbportcol>]]]]]]]]

E.g.

perdition -m "some.host.com:3306:aDb:bTable:cUser:"\
"dPassword:eSrvCol:fUserCol:gPortCol"

Arguments may be omitted from the end of the option string with no consequence other than that the default value for any omitted argument will be used. Arguments may not be omitted if any argument to its right is defined. Someone seeking to set only the server and password to something other than the default might attempt the following:

perdition -m some.host.com:::::OddPassword

This will not work. It will set the server and password to the values shown, but all arguments in between will be set as NULL rather than the default. In the author's opinion it is always best to specify all of the arguments to avoid confusion.

Database servers may be grouped together for higher performance or high availability by using ODBC and accessing them using the ODBC module.

Multiple MySQL Servers

It is possible to specify multiple MySQL servers by specifying them, comma separated (without any space), in the dbhost column. In this case all MySQL servers need to have an identical configuration, because all other options are shared. If the first server is not reachable, perdition will fall back to the second etc.

POSTGRESQL

This is a port of the MySQL library to PostgreSQL, The library can be used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_postgresql.so.0

Where /usr/lib is the directory in which the perdition libraries were installed. A script, perditiondb_postgresql_makedb is provided to initialise the database. For more information please see the MySQL documentation above.

ODBC

This is a port of the MySQL library to ODBC. It may be used to access databases that do not have a perditiondb module. It may also be used to group database servers into clusters.

The library can be used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_odbc.so.0

Where /usr/lib is the directory in which the perdition libraries were installed. A script, perditiondb_odbc_makedb is provided to seed the. For more information please see the MySQL documentation above. The database options passed using -m are the same as for MySQL except that the database name (dbname) is the Data Source Name (DSN).

<dbhost>[:<dbport>[:<DSN>[:<dbtable>[:<dbuser>
[:<dbpwd>[:<dbsrvcol>[:<dbusercol>[:<dbportcol>]]]]]]]]

E.g.

perdition -m "some.host.com:3306:aDb:bTable:cUser:"\
"dPassword:eSrvCol:fUserCol:gPortCol"

As per the notes in the MySQL documentation above, please avoid omitting values.

LDAP

This library allows access to LDAP based popmaps. This library can be used by specifying the full path to the library using the -M|--map_library command line option or configuration file option.

E.g.

perdition -M /usr/lib/libperditiondb_ldap.so.0

Where /usr/lib is the directory in which the perdition libraries were installed.

Options are parsed to this module using the -m|--map_library_opt command line option or configuration file option. It has the form:

[ldap_version:][ldap_url]

The ldap_version is the version of the ldap procotol used. It should be a numeric value. At the time of writing, OpenLdap supports 2 or 3, and defaults to 2. This may vary between different ldap implementations. If you inspect the local ldap.h file, the values of LDAP_VERSION_MIN, LDAP_VERSION_MAX and LDAP_VERSION should reflect the minimum, maximum and default ldap protocol versions respectively.

The ldap_url is the query made to the ldap server. The default URL is as follows. Note that this has been split onto multiple lines for ease of reading.

ldap://localhost/ou=mailbox,dc=nodomain?
username,mailhost,port?one?(uid=%s)

Perdition will replace any instance of %s with the key being used for the lookup. Optionally, there may be an integer between the % and the s, in which case the key will be white-space padded to this width, with the key right justified.

The attribute names (username, mailhost and port) may be changed. But the first attribute will be used as the username, the second attribute as the host and the third atribute as the port. Any subsequent attributes will be ignored. Trailing attributes may also be omitted. So if there are only two attributes the port will not be read from the database.

A script, perditiondb_ldap_makedb is provided to initialise LDAP.

x-bindpw bindname

Perdition can be configured to use use an alternate bind name, and the non-standard "x-bindpw". In fact perdition can use any extensions that are supported by openldap. (N.B.: these examples have been split over multiple lines for ease or reading)

ldap://ldap.mydomain.com/o=domain.com?
uid,mailhost,port?sub?(uid=%s)?!bindname=uid=perdition%2co=domain.com

ldap://ldap.mydomain.com/o=domain.com?uid,mailhost,port?
sub?(uid=%s)?!BINDNAME=uid=perdition%2co=domain.com,X-BINDPW=secret

The first example does the usual LDAP lookup, but tries to bind to the server with "uid=perdition,o=domain.com" rather than the usual anonymous binding. Note: The commas inside the bind string itself must be URL encoded, thus the %2c.

The second example is the same as the first, but in addition to specifying a bind string it also uses the non-standard "x-bindpw" extension to specify a password, in this case "secret".

The "!" character is used to ensure Perdition supports the "bindname" extension. If it didn't, the LDAP connection would be aborted. Right now it isn't really needed, but it may become useful as other extensions appear. For full details of this, take a look at RFC2255.

Multiple LDAP Servers

It is possible to specify multiple LDAP servers by specifying them, space delimited, in the LDAP UDL. If this is the case an attempt will be made to open a connection to each host in order, the first host to which a connection is successfully made will be used.

For example: (N.B.: this example has been split over multiple lines for ease or reading)

ldap://host1 host2 host3/ou=mailbox,dc=nodomain?
username,mailhost,port?one?(uid=%s)

perdition.schema

A schema has been defined for perdition and is supplied as part of perdition. To use this you should install it on the LDAP server in the LDAP daemon's schema directory and include it in slapd.conf, after other includes and before any database definitions.

LIBRARY FUNCTIONS

The database is accessed using the dlopen(3) mechanism on a library. The library should define the symbol dbserver_get with the following semantics.

int (*dbserver_get)(char *, char *, char **, size_t *)

Find the server (value) given the user (key)

pre:
key_str: Key as a null terminated string

options_str: Options string. The usage of this is implementation dependent.

str_return: Value is returned here

len_return: Length of value is returned here

post:
The str_key is looked up and the corresponding value is returned in str_return and len_return.
return:
0 on success

-1 on db access error This includes file, connection and other data access errors. It does not cover memory allocation problems.

-2 if key cannot be found in map

-3 on other error

Note:
The string returned in str_return should be in the following form. Setting the domain_delimiter is discussed in the perdition(8), "@" is used in this example.

[<username><domain_delimiter>]<servername>[:<port>]

E.g.:

localhost:110
user@localhost:110
user@localhost
localhost

As the library is opened using the dlopen(3) mechanism the library may also export functions _init and _fini that will be executed when the library is opened and closed respectively. In addition if the symbols following symbols are defined then these are run when the library is opened and closed respectively. If defined these symbols should have the following semantics.


int *(*dbserver_init)(char *)

Initialise db as necessary

pre:
options_str: Options string. The usage of this is implementation dependent.
post:
db is initialised
return:
0 on success

-1 on db access error This includes file, connection and other data access errors. It does not cover memory allocation problems.

-2 if key cannot be found in map

-3 on other error

int *(*dbserver_fini)(void)

Shut down db as necessary

pre:
none
post:
db is shut down
return:
0 on success

-1 on db access error This includes file, connection and other data access errors. It does not cover memory allocation problems.

-2 if key cannot be found in map

-3 on other error

In addition, if a SIGHUP is sent to a process then a signal handler will call dbserver_fini if it is defined and then dbserver_init if it is defined. Note: dbserver_init will be called if defined, even if dbserver_fini is not defined.

In the case of the posix regular expressions library this will cause popmap.re to be re-parsed, hence effecting any changes that have been made to that file. For the GDBM library it will reopen the database and for the other libraries it will reinitialise its connection to the database, LDAP or NIS server.

The shared library has access to the following global symbols exported by perdition.

struct utsname *system_uname
The uname information for the system as per uname(2)
struct sockaddr_in *peername
The sockaddr_in for address and port of the client end of the connection.
struct sockaddr_in *sockname
The sockaddr_in for the local address and port that the client connected to. Note: Under Solaris 7 and above, this is actually the sockaddr_in bound to, not the address and port the connection was accepted on.

AUTHORS

Lead
Horms <[email protected]>

Perditiondb Library Authors
Frederic Delchambre <[email protected]> (MySQL)
Chris Stratford: <[email protected]> (LDAP and BDB)
Nathan Neulinger <[email protected]> (NIS)

Contributing Authors
Daniel Roesen <[email protected]>
Clinton Work <[email protected]>
Youri <[email protected]>
Jeremy Nelson <[email protected]>
Wim Bonis <[email protected]>
Arvid Requate <[email protected]>
Mikolaj J. Habryn <[email protected]>
Ronny Cook <[email protected]>
Geoff Mitchell <[email protected]>
Willi Langenberger <[email protected]>
Matt Prigge <[email protected]>
Wolfgang Breyha <[email protected]>