Subject: The mailing list for listmasters using Sympa
[sympa-users] Using an AD Group or Exchange Distribution List as external datasource for a sympa list
- From: Steve Shipway <address@concealed>
- To: "address@concealed" <address@concealed>
- Subject: [sympa-users] Using an AD Group or Exchange Distribution List as external datasource for a sympa list
- Date: Tue, 21 Oct 2014 22:01:32 +0000
Using an AD Group or Exchange Distribution List as external datasource for a sympa list.
I’ve recently worked out how to do this, so I’m documenting it here in the hope that it will help someone (and maybe get incorporated into the Sympa documentation?)
I have some users who wish to link either list subscribers or list admins to an Active Directory group, via LDAP. This is how to do it:
First, create a service account in your LDAP so that Sympa can connect. This only needs read-only access. You need to use a 2level query, since AD stores DNs against group membership. Also, note that if using a .incl file to define external list admins, you cannot pass a full DN as a parameter as it contains commas (I’ve logged a bug report for this).
In this example, replace [% param.0 %] with the group name (the cn, not the dn). Obviously, change the host, user and passwd to the appropriate values for your site, and also the suffix1 to match your tree base.
include_ldap_2level_query
name ad_group_[% param.0 %]
host uoa.auckland.ac.nz
port 3269
user uoasvcsympa
passwd XXXXXXXXX
use_ssl yes
ssl_version tls
suffix1 DC=UoA,DC=auckland,DC=ac,DC=nz
filter1 (&(cn=[% param.0 %])(objectClass=group))
attrs1 member
select1 all
timeout1 60
scope1 sub
suffix2 [attrs1]
filter2 (objectClass=person)
attrs2 mail
select2 first
scope2 base
timeout2 10
Note that we’re forcing TLS (since Poodle should have had you disabling SSLv2/3 on your AD LDAP!) and have a 60s timeout, which might be too low for huge groups with a slow AD. We have patched our Sympa to also retrieve displayName on the final lookup to populate the gecos data; however with vanilla Sympa you don’t get this.
Now, how about an Exchange distribution list? You can always just chain to one, but why not use the distribution list as an external datasource so that the members can be properly loaded in?
In this example, [% param.0 %] is the full email address of the distribution list, such as address@concealed. Again, we use a 2level lookup, since a distribution list holds the DN of the members rather than their email addresses. Filter1 is possibly overkill, but we want to cover all different possible configurations of AD (you might be able to simplify it for your system).
include_ldap_2level_query
name exchange_[% param.0 %]
host uoa.auckland.ac.nz
port 3269
user uoasvcsympa
passwd XXXXXXX
use_ssl yes
ssl_version tls
suffix1 DC=UoA,DC=auckland,DC=ac,DC=nz
filter1 (|(proxyAddresses=[% param.0 %])(proxyAddresses=smtp:[% param.0 %])(mailLocalAddress=[% param.0 %])(mail=[% param.0 %]))
attrs1 member
select1 all
timeout1 60
scope1 sub
suffix2 [attrs1]
filter2 (objectClass=person)
attrs2 mail
select2 first
scope2 base
timeout2 10
Both of these .incl templates work for us on our Windows2013 system, and are in active use for list configurations. I hope that someone finds this useful…
Feedback and comments are welcome.
Steve
Steve Shipway University of Auckland UNIX Systems Design Team Lead address@concealed +64 (9) 3737 599 ext 86487
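The following is an added example, not Steve's code and not Sympa's own implementation (Sympa does this in Perl with Net::LDAP). It models, over a constructed in-memory directory with invented DNs and addresses, what the two include_ldap_2level_query templates in the post do: stage 1 finds the group or distribution list by the substituted [% param.0 %] and collects every value of attrs1 (select1 all); stage 2 treats each of those values as a DN (suffix2 [attrs1], scope2 base), keeps only entries matching filter2 (objectClass=person) and takes the first mail value (select2 first). Running it shows two things the templates imply but the post does not spell out: a nested group listed as a member is silently dropped by filter2 rather than expanded, and a distribution list is found through any of its proxyAddresses, not just the primary one. The ldap_escape helper is an addition of mine: the templates splice the parameter into filter1 verbatim, and RFC 4515 escaping of the group name or address is the check a defender would want before trusting list owners to supply it. The filter evaluator handles only the subset of filter syntax the two templates use.

```python
# Added example (not Sympa's code): an in-memory model of Sympa's
# include_ldap_2level_query applied to the two .incl templates from the post.
# The directory below is constructed sample data; every DN and address is invented.
import re

# Constructed AD-like directory: DN -> attribute name -> list of values.
DIRECTORY = {
    "CN=listadmins,OU=Groups,DC=example,DC=org": {
        "objectClass": ["top", "group"], "cn": ["listadmins"],
        "member": ["CN=Alice Adams,OU=Staff,DC=example,DC=org",
                   "CN=Bob Brown,OU=Staff,DC=example,DC=org",
                   "CN=Printers,OU=Groups,DC=example,DC=org"]},  # last one is a nested group
    "CN=Printers,OU=Groups,DC=example,DC=org": {
        "objectClass": ["top", "group"], "cn": ["Printers"]},
    "CN=staff-all,OU=DistLists,DC=example,DC=org": {
        "objectClass": ["top", "group"], "cn": ["staff-all"],
        "proxyAddresses": ["SMTP:staff-all@example.org", "smtp:staff@example.org"],
        "mail": ["staff-all@example.org"],
        "member": ["CN=Bob Brown,OU=Staff,DC=example,DC=org",
                   "CN=Carol Chen,OU=Staff,DC=example,DC=org"]},
    "CN=Alice Adams,OU=Staff,DC=example,DC=org": {
        "objectClass": ["top", "person"], "mail": ["alice@example.org", "a.adams@example.org"]},
    "CN=Bob Brown,OU=Staff,DC=example,DC=org": {
        "objectClass": ["top", "person"], "mail": ["bob@example.org"]},
    "CN=Carol Chen,OU=Staff,DC=example,DC=org": {
        "objectClass": ["top", "person"], "mail": ["carol@example.org"]},
}

# Query parameters of the two templates (connection settings left out; suffix1 is the sample tree).
AD_GROUP = dict(
    suffix1="DC=example,DC=org", scope1="sub",
    filter1="(&(cn=[% param.0 %])(objectClass=group))",
    attrs1="member", scope2="base", filter2="(objectClass=person)", attrs2="mail")
EXCHANGE_DL = dict(AD_GROUP, filter1=(
    "(|(proxyAddresses=[% param.0 %])(proxyAddresses=smtp:[% param.0 %])"
    "(mailLocalAddress=[% param.0 %])(mail=[% param.0 %]))"))


def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a filter (added hardening; the
    templates substitute [% param.0 %] verbatim)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _parse(s):
    """Parse the filter subset used above: (&...), (|...), (attr=value). Returns (node, rest)."""
    if not s.startswith("("):
        raise ValueError("filter must start with '('")
    if s[1] in "&|":
        op, s, subs = s[1], s[2:], []
        while s.startswith("("):
            node, s = _parse(s)
            subs.append(node)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, subs), s[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr, value), s[end + 1:]


def _matches(entry, node):
    """Evaluate a parsed filter against one entry; AD compares names and values case-insensitively."""
    if node[0] == "&":
        return all(_matches(entry, n) for n in node[1])
    if node[0] == "|":
        return any(_matches(entry, n) for n in node[1])
    _, attr, value = node
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value).lower()
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == wanted for v in values)
    return False


def search(directory, base, scope, flt):
    """Model of an LDAP search with scope 'base' or 'sub' under `base`; returns matching entries."""
    node, rest = _parse(flt)
    if rest:
        raise ValueError("trailing data after filter")
    base = base.lower()
    hits = []
    for dn, entry in directory.items():
        d = dn.lower()
        in_scope = d == base or (scope == "sub" and d.endswith("," + base))
        if in_scope and _matches(entry, node):
            hits.append(entry)
    return hits


def two_level_query(directory, q, param):
    """Stage 1: find the container, collect every attrs1 value (select1 all).
    Stage 2: each value is a DN (suffix2 [attrs1], scope2 base); keep entries
    matching filter2 and take the first attrs2 value (select2 first)."""
    filter1 = q["filter1"].replace("[% param.0 %]", ldap_escape(param))
    dns = [dn for e in search(directory, q["suffix1"], q["scope1"], filter1)
           for dn in e.get(q["attrs1"], [])]
    addresses = []
    for dn in dns:
        for e in search(directory, dn, q["scope2"], q["filter2"]):
            if e.get(q["attrs2"]):
                addresses.append(e[q["attrs2"]][0])
    return addresses
```

two_level_query(DIRECTORY, AD_GROUP, "listadmins") yields Alice's and Bob's primary addresses and nothing for the nested Printers group; two_level_query(DIRECTORY, EXCHANGE_DL, "staff@example.org") resolves the list through its secondary proxy address. Against a real AD you would replace search() with a bound, TLS-protected Net::LDAP or ldap3 search and keep the rest of the logic as is.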