Q: How can I use LDAP and Dynamic Query Lists with LISTSERV Maestro?
Answer by Ben Parker
Chief Corporate Consultant, L-Soft
With version 16.0 and later, LISTSERV can connect to an LDAP directory either to authenticate user logins or to return results for Dynamic Query Lists (lists of addresses to be mailed to, resulting from a real-time LDAP query). LISTSERV Maestro can also make use of this Dynamic Query process for doing mailings. LISTSERV Maestro passes the query to LISTSERV, which in turn passes the query to LDAP. Results are returned to LISTSERV (not to LISTSERV Maestro), and the mailing is sent out.
Additional attributes (directory data associated with each address, such as Full Name, Department/Division, etc.) can be included in the query and used for mail-merge or conditional block purposes. It should be noted that (at this time) queries from LISTSERV or LISTSERV Maestro to LDAP are read-only, which means that no updating of LDAP data can be managed through LISTSERV or LISTSERV Maestro. Also, although LDAP can be used to authenticate LISTSERV logins, LDAP cannot presently be used to authenticate LISTSERV Maestro logins.
Let's first look at what is necessary to configure in LISTSERV to connect to an LDAP directory. These configuration settings fall into 4 groups:
- Settings required to connect LISTSERV to an LDAP Directory
- Additional settings required for LISTSERV authentication purposes
- Additional settings applicable to both Dynamic Queries and authentication
- Additional settings required for miscellaneous purposes
Here is an example for a Windows site.cfg file configured for connecting LISTSERV to a Unix-based LDAP server. Settings for LISTSERV on Unix would be made in go.user. Remember, on Unix you must 'export' all the LDAP configuration variables and all string values must be inside "double quotes".
****************************
* Managing LDAP resources
****************************
** Define LDAP Servers
** following settings are server-specific
** LDAP connection to tech-unix server (openldap on Unix)
* This server nickname= TECH
*
LDAP_SERVER_TECH=ldap://tech-unix.example.com:389
*
* privileged user to perform searchs or attempt bind on login
LDAP_UID_TECH=cn=Manager,dc=tech-unix,dc=example,dc=com
LDAP_AUTH_TECH=password
* (not used for DQL)
* for login authentication define search base & filter
LDAP_PW_BASE_TECH=dc=tech-unix,dc=example,dc=com
LDAP_PW_FILTER_TECH=mail=%s
* %s = email address
* The string that LISTSERV will use to bind (log in) on behalf of an
* end-user.
* Default setting %n = distinguishedName
LDAP_PW_BIND_TECH=%n
*
* Attributes for user authentication or for dynamic queries
LDAP_DEFAULT_EMAIL_TECH=mail
LDAP_DEFAULT_NAME_TECH=displayName
*
********************************
* Misc settings follow
* define search order for Authentication if multiple LDAP servers
LDAP_PW_SERVERS=TECH WINAD
* these settings make least security, but best for initial testing
* if 1, only users with LDAP accounts can login (internal Auth off)
LDAP_PW_ONLY=0
* if 1, require LDAP passwords from WWW to come via SSL
LDAP_PW_REQUIRE_SSL=0
* if 1, require all passwords (LDAP and internal) from WWW via SSL
SIGNUP_REQUIRE_SSL=0
* enable special extended logging for ldap troubleshooting
DEBUG_FLAGS=00000080
* enable extended logging ldap data transfer for troubleshooting
* DEBUG_FLAGS=000000100
********************************
The following shows the site.cfg file configured for connection to a Windows Active Directory instead of openldap on Unix. The only differences are a different search Base and different Filter, reflecting the different structure of the directory.
** LDAP connection to ActiveDirectory on Windows
* 389 is the assumed LDAP port. Add :636 to force SSL
* Server nickname is WINAD
LDAP_SERVER_WINAD=sbs.example.com
* privileged user to perform search (all on 1 line!)
LDAP_UID_WINAD=CN=Ben Parker,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=sbs,DC=example,DC=com
LDAP_AUTH_WINAD=password
* for user authentication (not used for DQL)
LDAP_PW_BASE_WINAD=dc=sbs,dc=example,dc=com
LDAP_PW_FILTER_WINAD=mail=%s
* for user authentication and/or for dynamic queries
LDAP_DEFAULT_EMAIL_WINAD=mail
LDAP_DEFAULT_NAME_WINAD=name
This is an ldapsearch command executed from the command line on the Unix LDAP server. It is important to test LDAP search queries before implementing them in LISTSERV or LISTSERV Maestro because there is no facility in either for doing a 'preview' or test of the results.
[bparker@Tech-Unix ~]$ ldapsearch -x -LLL -H 'ldap://tech-unix.example.com:389' -b 'dc=tech-unix,dc=example,dc=com' "description=Dept*"
A similar command line search on Windows uses the command line tool dsquery.exe
C:\> dsquery * "dc=sbs,dc=example,dc=com" -s sbs.example.com -filter
"(description=Dept*)" -attr displayName mail description
The results return 4 matching queries. This is a test/demo directory for proof-of-concept. It has limited Attributes (data fields) and limited members. A real directory might return many recipients, depending on the search Filter used (in this case the Filter is "description=Dept*").
dn: cn=ben2,dc=tech-unix,dc=example,dc=com
objectClass: person
displayName: Ben2 Parker
mail: bparker@besteffort.com
cn: ben2
description: Dept2
dn: cn=ben3,dc=tech-unix,dc=example,dc=com
objectClass: person
displayName: Ben3 Parker
mail: bparker@tokaimalo.com
cn: ben3
description: Dept3
dn: cn=ben4,dc=tech-unix,dc=example,dc=com
objectClass: person
displayName: Ben4 Parker
cn: ben4
mail: bparker@crazyyeti.com
description: Dept4
dn: cn=ben5,dc=tech-unix,dc=example,dc=com
objectClass: person
displayName: Ben5 Parker
cn: ben5
mail: bparker@hawk.besteffort.com
description: Dept5
Now we will implement this same query in a LISTSERV Maestro job. The first step in the Define Recipients area is to select the choice to let LISTSERV get the recipients from LDAP.
On the next screen implement the query by defining the search Base, Filter, and desired Attributes (data fields), one of which must of course be the email address.
In a manner similar to using an uploaded text file of recipients, we also need to tell LISTSERV Maestro which Attributes (fields) contain the email address, the full name, and also specify any additional Attributes that might be used for mail-merge. The names of these Attributes must be known from the LDAP directory structure. They cannot be queried from LISTSERV Maestro or from LISTSERV.
Now we can see the extended logging in the LISTSERV log, which shows the search being performed in LDAP, records being returned, and then the emails sent out to the various recipients.
9 Feb 2009 00:26:12 To maestro@TRAINING.LSOFT.COM: ***OK*** 10E45976F06364EA93
9 Feb 2009 00:26:12 From [ANONYMOUS]@TRAINING.LSOFT.COM: X-LOGCK 10E45976F06364EA93 MAKEDD(...)
LDAP> ldap_init("tech-unix.example.com:389", 389) -> SUCCESS
LDAP> ldap_set_option(ld, 17, =3) -> SUCCESS
LDAP> ldap_bind_s(ld, "cn=Manager,dc=tech-unix,dc=example,dc=com", "XXXXXXXX", 128) -> SUCCESS
9 Feb 2009 00:26:12 Executing LDAP search statements:
> BASE dc=tech-unix,dc=example,dc=com
> FILTER (&(description=Dept*))
> ATTRS mail displayName description
LDAP> ldap_search_s(ld, "dc=tech-unix,dc=example,dc=com", 2, "(&( description=Dept*))", attrs, 0, &result) -> SUCCESS
LDAP> + attrs[0] = "mail"
LDAP> + attrs[1] = "displayName"
LDAP> + attrs[2] = "description"
LDAP> ldap_first_entry(ld, 0xC43558) -> SUCCESS
9 Feb 2009 00:26:12 Fetching...
LDAP> ldap_next_entry(ld, 0xC43560) -> SUCCESS
LDAP> ldap_next_entry(ld, 0xC43560) -> SUCCESS
LDAP> ldap_next_entry(ld, 0xC43560) -> SUCCESS
LDAP> ldap_next_entry(ld, 0xC43560) -> EOF
9 Feb 2009 00:26:12 Data extracted for 4 recipients
LDAP> ldap_unbind(ld) -> SUCCESS
9 Feb 2009 00:26:12 Distributing mail ("MAESTRO") from owner-nolist-090202A-p0fqiba4@TRAINING.LSOFT.COM...
9 Feb 2009 00:26:12 Mail posted via SMTP to bparker@BESTEFFORT.COM.
9 Feb 2009 00:26:12 Mail posted via SMTP to bparker@TOKAIMALO.COM.
9 Feb 2009 00:26:12 Mail posted via SMTP to bparker@CRAZYYETI.COM.
9 Feb 2009 00:26:12 Mail posted via SMTP to bparker@HAWK.BESTEFFORT.COM.
9 Feb 2009 00:26:12 Done - 1 outbound file (4 rcpts).
By setting DEBUG_FLAGS=000000100 you can instead see the data returned by the query by checking the LISTSERV log file:
4 Mar 2009 17:10:10 From [ANONYMOUS]@TRAINING.LSOFT.COM: X-LOGCK 10062D09F70B23B0E3 AUTHINFO(206.150.207.117) ORGINFO(206.150.207.117) OWNER(DQL2)
LDAP> : displayName="Ben2 Parker"
LDAP> : mail="bparker@besteffort.com"
LDAP> --
LDAP> : displayName="Ben3 Parker"
LDAP> : mail="bparker@tokaimalo.com"
LDAP> --
LDAP> : displayName="Ben4 Parker"
LDAP> : mail="bparker@crazyyeti.com"
LDAP> --
LDAP> : displayName="Ben5 Parker"
LDAP> : mail="bparker@hawk.besteffort.com"
LDAP> --
4 Mar 2009 17:10:10 To [ANONYMOUS]@TRAINING.LSOFT.COM:...
Now, in order to allow users to be able to perform a selection and return, for example, only those addresses from a selected Attribute instead of all matching, we need to create a Target Group for the query. The initial setup looks the same as before, but we will use a user-selection parameter {{sel_description}} as a temporary variable to contain the user's selection until the query can be submitted to LDAP.
The next screen allows us to define characteristics of the parameter, and build a lookup table to allow the user to select sensible values.
Finally, the input and selection pull-down is previewed (but does not actually query LDAP at this time.)
Again, we need to tell LISTSERV Maestro which Attributes are used for email, name, and any others for mail-merge.
After saving and enabling the completed target group, the list of target groups available for the user is now ready for use.
The LISTSERV log file shows a new LDAP query, with the selection chosen, and the resulting recipients mailed to.
9 Feb 2009 00:39:00 To maestro@TRAINING.LSOFT.COM: ***OK*** 1355944A9B3C69D922
9 Feb 2009 00:39:00 From [ANONYMOUS]@TRAINING.LSOFT.COM: X-LOGCK 1355944A9B3C69D922 MAKEDD(...)
LDAP> ldap_init("tech-unix.example.com:389", 389) -> SUCCESS
LDAP> ldap_set_option(ld, 17, =3) -> SUCCESS
LDAP> ldap_bind_s(ld, "cn=Manager,dc=tech-unix,dc=example,dc=com", "XXXXXXXX", 128) -> SUCCESS
9 Feb 2009 00:39:00 Executing LDAP search statements:
> BASE dc=tech-unix,dc=example,dc=com
> FILTER (&(description=Dept3))
> ATTRS mail displayName description
LDAP> ldap_search_s(ld, "dc=tech-unix,dc=example,dc=com", 2, "(&(description=Dept3))", attrs, 0, &result) -> SUCCESS
LDAP> + attrs[0] = "mail"
LDAP> + attrs[1] = "displayName"
LDAP> + attrs[2] = "description"
LDAP> ldap_first_entry(ld, 0xC43558) -> SUCCESS
9 Feb 2009 00:39:00 Fetching...
LDAP> ldap_next_entry(ld, 0xC43560) -> EOF
9 Feb 2009 00:39:00 Data extracted for 1 recipient
LDAP> ldap_unbind(ld) -> SUCCESS
9 Feb 2009 00:39:01 Distributing mail ("MAESTRO") from owner-nolist-090209A-p0fqiba4@TRAINING.LSOFT.COM...
9 Feb 2009 00:39:01 Mail posted via SMTP to bparker@TOKAIMALO.COM.
9 Feb 2009 00:39:01 Done - 1 outbound file (1 rcpt).
This ends the simplified overview of how to construct LDAP queries for LISTSERV Maestro and build them into Target Groups for easy use by end-users.
References
LISTSERV LDAP Overview, Section 7
http://www.lsoft.com/manuals/16.0/htmlhelp/advanced%20topics/LDAP.html
LISTSERV DQL Overview, Section 8
http://www.lsoft.com/manuals/16.0/htmlhelp/advanced%20topics/DQL.html
Subscribe to LISTSERV at Work (American Edition).
|
