LDAP_TABLE(5)                 File Formats Manual                LDAP_TABLE(5)

NAME
       ldap_table - Postfix LDAP client configuration

SYNOPSIS
       postmap -q "string" ldap:/etc/postfix/filename

       postmap -q - ldap:/etc/postfix/filename <inputfile

DESCRIPTION
       The Postfix mail system uses optional tables for address rewriting or
       mail routing. These tables are usually in dbm or db format.

       Alternatively, lookup tables can be specified as LDAP databases.

       In order to use LDAP lookups, define an LDAP source as a lookup table
       in main.cf, for example:

           alias_maps = ldap:/etc/postfix/ldap-aliases.cf

       The file /etc/postfix/ldap-aliases.cf has the same format as the
       Postfix main.cf file, and can specify the parameters described below.
       An example is given at the end of this manual.

       This configuration method is available with Postfix version 2.1 and
       later. See the section "BACKWARDS COMPATIBILITY" below for older
       Postfix versions.

       For details about LDAP SSL and STARTTLS, see the section on SSL and
       STARTTLS below.

BACKWARDS COMPATIBILITY
       For backwards compatibility with Postfix version 2.0 and earlier, LDAP
       parameters can also be defined in main.cf. Specify as LDAP source a
       name that doesn't begin with a slash or a dot. The LDAP parameters
       will then be accessible as the name you've given the source in its
       definition, an underscore, and the name of the parameter. For example,
       if the map is specified as "ldap:ldapsource", the "server_host"
       parameter below would be defined in main.cf as
       "ldapsource_server_host".

       Note: with this form, the passwords for the LDAP sources are written
       in main.cf, which is normally world-readable. Support for this form
       will be removed in a future Postfix version.

       For backwards compatibility with the pre-2.2 LDAP clients,
       result_filter can for now be used instead of result_format, when the
       latter parameter is not also set. The new name better reflects the
       function of the parameter. This compatibility interface may be removed
       in a future release.

LIST MEMBERSHIP
       When using LDAP to store lists such as $mynetworks, $mydestination,
       $relay_domains, $local_recipient_maps, etc., it is important to
       understand that the table must store each list member as a separate
       key. The table lookup verifies the *existence* of the key. See "Postfix
       lists versus tables" in the DATABASE_README document for a discussion.

       Do NOT create tables that return the full list of domains in
       $mydestination or $relay_domains etc., or IP addresses in $mynetworks.

       DO create tables with each matching item as a key and with an
       arbitrary value. With LDAP databases it is not uncommon to return the
       key itself.

       For example, NEVER do this in a map defining $mydestination:

           query_filter = domain=*
           result_attribute = domain

       Do this instead:

           query_filter = domain=%s
           result_attribute = domain

GENERAL LDAP PARAMETERS
       In the text below, default values are given in parentheses. Note:
       don't use quotes in these variables; at least, not until the Postfix
       configuration routines understand how to deal with quoted strings.

       server_host (default: localhost)
              The name of the host running the LDAP server, e.g.

                  server_host = ldap.example.com

              Depending on the LDAP client library you're using, it should be
              possible to specify multiple servers here, with the library
              trying them in order should the first one fail. It should also
              be possible to give each server in the list a different port
              (overriding server_port below), by naming them like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to specify both
              the hostname(s) and the port(s):

                  server_host = ldap://ldap.example.com:1444
                              ldap://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP library are supported,
              including connections over UNIX domain sockets, and LDAP SSL
              (the last one provided that OpenLDAP was compiled with support
              for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                              ldaps://ldap.example.com:636

       server_port (default: 389)
              The port the LDAP server listens on, e.g.

                  server_port = 778

       timeout (default: 10 seconds)
              The number of seconds a search can take before timing out, e.g.

                  timeout = 5

       search_base (No default; you must configure this)
              The RFC 2253 base DN at which to conduct the search, e.g.

                  search_base = dc=your, dc=com

              With Postfix 2.2 and later this parameter supports the following
              '%' expansions:

              %%     This is replaced by a literal '%' character.

              %s     This is replaced by the input key. RFC 2253 quoting is
                     used to make sure that the input key does not add
                     unexpected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2253) quoted local part of the
                     address. Otherwise, %u is replaced by the entire search
                     string. If the localpart is empty, the search is
                     suppressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2253) quoted domain part of
                     the address. Otherwise, the search is suppressed and
                     returns no results.

              %[SUD] For the search_base parameter, the upper-case equivalents
                     of the above expansions behave identically to their
                     lower-case counterparts. With the result_format parameter
                     (previously called result_filter; see the BACKWARDS
                     COMPATIBILITY section and below), they expand to the
                     corresponding components of the input key rather than the
                     result value.

              %[1-9] The patterns %1, %2, ... %9 are replaced by the
                     corresponding most significant component of the input
                     key's domain. If the input key is user@mail.example.com,
                     then %1 is com, %2 is example and %3 is mail. If the input
                     key is unqualified or does not have enough domain
                     components to satisfy all the specified patterns, the
                     search is suppressed and returns no results.

       query_filter (default: mailacceptinggeneralid=%s)
              The RFC 2254 filter used to search the directory, where %s is a
              substitute for the address Postfix is trying to resolve, e.g.

                  query_filter = (&(mail=%s)(paid_up=true))

              This parameter supports the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This is replaced by the input key. RFC 2254 quoting is
                     used to make sure that the input key does not add
                     unexpected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2254) quoted local part of the
                     address. Otherwise, %u is replaced by the entire search
                     string. If the localpart is empty, the search is
                     suppressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2254) quoted domain part of
                     the address. Otherwise, the search is suppressed and
                     returns no results.

              %[SUD] The upper-case equivalents of the above expansions behave
                     in the query_filter parameter identically to their
                     lower-case counterparts. With the result_format parameter
                     (previously called result_filter; see the BACKWARDS
                     COMPATIBILITY section and below), they expand to the
                     corresponding components of the input key rather than the
                     result value.

                     The above %S, %U and %D expansions are available with
                     Postfix 2.2 and later.

              %[1-9] The patterns %1, %2, ... %9 are replaced by the
                     corresponding most significant component of the input
                     key's domain. If the input key is user@mail.example.com,
                     then %1 is com, %2 is example and %3 is mail. If the input
                     key is unqualified or does not have enough domain
                     components to satisfy all the specified patterns, the
                     search is suppressed and returns no results.

                     The above %1, ..., %9 expansions are available with
                     Postfix 2.2 and later.

              The "domain" parameter described below limits the input keys to
              addresses in matching domains. When the "domain" parameter is
              non-empty, LDAP queries for unqualified addresses or addresses
              in non-matching domains are suppressed and return no results.

              NOTE: DO NOT put quotes around the query_filter parameter.

       result_format (default: %s)
              Called result_filter in Postfix releases prior to 2.2. Format
              template applied to result attributes. Most commonly used to
              append (or prepend) text to the result. This parameter supports
              the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This is replaced by the value of the result attribute.
                     When the result is empty it is skipped.

              %u     When the result attribute value is an address of the form
                     user@domain, %u is replaced by the local part of the
                     address. When the result has an empty localpart it is
                     skipped.

              %d     When a result attribute value is an address of the form
                     user@domain, %d is replaced by the domain part of the
                     attribute value. When the result is unqualified it is
                     skipped.

              %[SUD1-9]
                     The upper-case and decimal digit expansions interpolate
                     the parts of the input key rather than the result. Their
                     behavior is identical to that described with
                     query_filter, and in fact, because the input key is known
                     in advance, lookups whose key does not contain all the
                     information specified in the result template are
                     suppressed and return no results.

                     The above %S, %U, %D and %1, ..., %9 expansions are
                     available with Postfix 2.2 and later.

              For example, using "result_format = smtp:[%s]" allows one to use
              a mailHost attribute as the basis of a transport(5) table. After
              applying the result format, multiple values are concatenated as
              comma separated strings. The expansion_limit and size_limit
              parameters explained below allow one to restrict the number of
              values in the result, which is especially useful for maps that
              should return a single value.

              The default value %s specifies that each attribute value should
              be used as is.

              This parameter was called result_filter in Postfix releases
              prior to 2.2. If no "result_format" is specified, the value of
              "result_filter" will be used instead before resorting to the
              default value. This provides compatibility with old
              configuration files.

              NOTE: DO NOT put quotes around the result format!

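       The query_filter and result_format expansion rules above, as an added
       Python model (my own code, not part of Postfix or of this manual): it
       applies RFC 2254 quoting to every key-derived substitution, implements
       the suppression rules for %u, %d and %1..%9 on both the query and the
       result side, and enforces expansion_limit on a multi-valued result.
       All names are my own, and treating an unqualified result value as a
       whole local part under %u is an assumption the page does not spell out.

```python
"""Model of the '%' expansions ldap_table(5) describes for query_filter and
result_format.  Added illustration for this page, not Postfix code: all the
names below are my own."""
import re

# RFC 2254 filter quoting: metacharacters that could alter the structure of
# the search filter are hex-escaped, so a key cannot inject filter syntax.
_RFC2254 = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def rfc2254_quote(s):
    return "".join(_RFC2254.get(c, c) for c in s)


class Suppressed(Exception):
    """The key lacks what the template needs: the search is not performed."""


class ExpansionLimit(Exception):
    """expansion_limit exceeded: Postfix fails the lookup with a temp error."""


def _parts(addr):
    """Split user@domain on the last '@'; domain is None when unqualified."""
    return tuple(addr.rsplit("@", 1)) if "@" in addr else (addr, None)


def _key_expansion(c, key):
    """%S, %U, %D, %1..%9 taken from the input key (query_filter also accepts
    the lower-case forms with the same meaning)."""
    local, domain = _parts(key)
    if c == "S":
        return key
    if c == "U":
        if domain is None:              # no '@': the entire key is used
            return key
        if local == "":
            raise Suppressed("empty localpart")
        return local
    if c == "D":
        if domain is None:
            raise Suppressed("unqualified key")
        return domain
    labels = domain.split(".")[::-1] if domain else []   # %1 = most significant
    if int(c) > len(labels):
        raise Suppressed("not enough domain components for %" + c)
    return labels[int(c) - 1]


def expand_query_filter(template, key, domains=()):
    """Return the RFC 2254 quoted filter for `key`, or None when the search is
    suppressed.  `domains` models the optional "domain" parameter."""
    local, domain = _parts(key)
    if domains and (domain is None or local == "" or domain not in domains):
        return None                     # "domain" set and key not eligible

    def sub(m):
        c = m.group(1)
        if c == "%":
            return "%"
        if c in "sSuUdD123456789":
            return rfc2254_quote(_key_expansion(c.upper(), key))
        raise ValueError("unknown expansion %" + c)

    try:
        return re.sub(r"%(.)", sub, template)
    except Suppressed:
        return None


def format_result(template, key, value):
    """Apply result_format to one attribute value.  %s/%u/%d come from the
    value (None = this value is skipped); %S/%U/%D/%1..%9 come from the key
    and raise Suppressed, which suppresses the whole lookup."""
    vlocal, vdomain = _parts(value)     # assumption: unqualified -> whole value
    value_side = {"s": value, "u": vlocal, "d": vdomain}
    out = []
    for m in re.finditer(r"%(.)|[^%]+", template):
        c = m.group(1)
        if c is None:
            out.append(m.group(0))
        elif c == "%":
            out.append("%")
        elif c in value_side:
            if not value_side[c]:       # empty or unqualified: skip value
                return None
            out.append(value_side[c])
        else:
            out.append(_key_expansion(c, key))
    return "".join(out)


def lookup_results(template, key, values, expansion_limit=0):
    """Format each value, drop skipped ones, join with commas and enforce
    expansion_limit as the page describes.  None means lookup suppressed."""
    try:
        kept = [r for r in (format_result(template, key, v) for v in values)
                if r is not None]
    except Suppressed:
        return None
    if expansion_limit and len(kept) > expansion_limit:
        raise ExpansionLimit("%d values exceed limit %d" % (len(kept), expansion_limit))
    return ",".join(kept) if kept else None
```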
       domain (default: no domain list)
              This is a list of domain names, paths to files, or dictionaries.
              When specified, only fully qualified search keys with a *non-
              empty* localpart and a matching domain are eligible for lookup:
              'user' lookups, bare domain lookups and "@domain" lookups are
              not performed. This can significantly reduce the query load on
              the LDAP server.

                  domain = postfix.org, hash:/etc/postfix/searchdomains

              It is best not to use LDAP to store the domains eligible for
              LDAP lookups.

              NOTE: DO NOT define this parameter for local(8) aliases.

              This feature is available in Postfix 1.0 and later.

       result_attribute (default: maildrop)
              The attribute(s) Postfix will read from any directory entries
              returned by the lookup, to be resolved to an email address.

                  result_attribute = mailbox, maildrop

              Don't rely on the default value ("maildrop"). Set the
              result_attribute explicitly in all ldap table configuration
              files. This is particularly relevant when no result_attribute is
              applicable, e.g. cases in which leaf_result_attribute and/or
              terminal_result_attribute are used instead. The default value is
              harmless if "maildrop" is also listed as a leaf or terminal
              result attribute, but it is best to not leave this to chance.

       special_result_attribute (default: empty)
              The attribute(s) of directory entries that can contain DNs or
              RFC 2255 LDAP URLs. If found, a recursive search is performed to
              retrieve the entry referenced by the DN, or the entries matched
              by the URL query.

                  special_result_attribute = memberdn

              DN recursion retrieves the same result_attributes as the main
              query, including the special attributes for further recursion.

              URL processing retrieves only those attributes that are included
              in both the URL definition and as result attributes (ordinary,
              special, leaf or terminal) in the Postfix table definition. If
              the URL lists any of the table's special result attributes,
              these are retrieved and used recursively. A URL that does not
              specify any attribute selection is equivalent (RFC 2255) to a
              URL that selects all attributes, in which case the selected
              attributes will be the full set of result attributes in the
              Postfix table.

              If an LDAP URL attribute-descriptor or the corresponding Postfix
              LDAP table result attribute (but not both) uses RFC 2255 sub-
              type options ("attr;option"), the attribute requested from the
              LDAP server will include the sub-type option. In all other
              cases, the URL attribute and the table attribute must match
              exactly. Attributes with options in both the URL and the Postfix
              table are requested only when the options are identical. LDAP
              attribute-descriptor options are very rarely used; most LDAP
              users will not need to concern themselves with this level of
              nuanced detail.

       terminal_result_attribute (default: empty)
              When one or more terminal result attributes are found in an LDAP
              entry, all other result attributes are ignored and only the
              terminal result attributes are returned. This is useful for
              delegating expansion of group members to a particular host, by
              using an optional "maildrop" attribute on selected groups to
              route the group to a specific host, where the group is expanded,
              possibly via a mailing-list manager or other special processing.

                  result_attribute =
                  terminal_result_attribute = maildrop

              When using terminal and/or leaf result attributes, the
              result_attribute is best set to an empty value when it is not
              used, or else explicitly set to the desired value, even if it is
              the default value "maildrop".

              This feature is available with Postfix 2.4 or later.

       leaf_result_attribute (default: empty)
              When one or more special result attributes are found in a non-
              terminal (see above) LDAP entry, leaf result attributes are
              excluded from the expansion of that entry. This is useful when
              expanding groups and the desired mail address attribute(s) of
              the member objects obtained via DN or URI recursion are also
              present in the group object. To only return the attribute values
              from the leaf objects and not the containing group, add the
              attribute to the leaf_result_attribute list, and not the
              result_attribute list, which is always expanded. Note, the
              default value of "result_attribute" is not empty; you may want
              to set it explicitly empty when using "leaf_result_attribute" to
              expand the group to a list of member DN addresses. If groups
              have both member DN references AND attributes that hold multiple
              string valued rfc822 addresses, then the string attributes go in
              "result_attribute". The attributes that represent the email
              addresses of objects referenced via a DN (or LDAP URI) go in
              "leaf_result_attribute".

                  result_attribute = memberaddr
                  special_result_attribute = memberdn
                  terminal_result_attribute = maildrop
                  leaf_result_attribute = mail

              When using terminal and/or leaf result attributes, the
              result_attribute is best set to an empty value when it is not
              used, or else explicitly set to the desired value, even if it is
              the default value "maildrop".

              This feature is available with Postfix 2.4 or later.

       scope (default: sub)
              The LDAP search scope: sub, base, or one. These translate into
              LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.

       bind (default: yes)
              Whether or how to bind to the LDAP server. Newer LDAP
              implementations don't require clients to bind, which saves
              time. Example:

                  # Don't bind
                  bind = no
                  # Use SIMPLE bind
                  bind = yes
                  # Use SASL bind
                  bind = sasl

              Postfix versions prior to 2.8 only support "bind = no", which
              means don't bind, and "bind = yes", which means do a SIMPLE
              bind. Postfix 2.8 and later also supports "bind = SASL" when
              compiled with LDAP SASL support as described in LDAP_README; it
              also adds the synonyms "bind = none" and "bind = simple" for
              "bind = no" and "bind = yes" respectively. See the SASL section
              below for additional parameters available with "bind = sasl".

              If you do need to bind, you might consider configuring Postfix
              to connect to the local machine on a port that's an SSL tunnel
              to your LDAP server. If your LDAP server doesn't natively
              support SSL, put a tunnel (wrapper, proxy, whatever you want to
              call it) on that system too. This should prevent the password
              from traversing the network in the clear.

       bind_dn (default: empty)
              If you do have to bind, do it with this distinguished name.
              Example:

                  bind_dn = uid=postfix, dc=your, dc=com

              With "bind = sasl" (see above) the DN may be optional for some
              SASL mechanisms; don't specify a DN if not needed.

       bind_pw (default: empty)
              The password for the distinguished name above. If you have to
              use this, you probably want to make the map configuration file
              readable only by the Postfix user. When using the obsolete
              ldap:ldapsource syntax, with map parameters in main.cf, it is
              not possible to securely store the bind password. This is
              because main.cf needs to be world readable to allow local
              accounts to submit mail via the sendmail command. Example:

                  bind_pw = postfixpw

              With "bind = sasl" (see above) the password may be optional for
              some SASL mechanisms; don't specify a password if not needed.

       cache (IGNORED with a warning)

       cache_expiry (IGNORED with a warning)

       cache_size (IGNORED with a warning)
              The above parameters are NO LONGER SUPPORTED by Postfix. Cache
              support has been dropped from OpenLDAP as of release 2.1.13.

       recursion_limit (default: 1000)
              A limit on the nesting depth of DN and URL special result
              attribute evaluation. The limit must be a non-zero positive
              number.

       expansion_limit (default: 0)
              A limit on the total number of result elements returned (as a
              comma separated list) by a lookup against the map. A setting of
              zero disables the limit. Lookups fail with a temporary error if
              the limit is exceeded. Setting the limit to 1 ensures that
              lookups do not return multiple values.

       size_limit (default: $expansion_limit)
              A limit on the number of LDAP entries returned by any single
              LDAP search performed as part of the lookup. A setting of 0
              disables the limit. Expansion of DN and URL references involves
              nested LDAP queries, each of which is separately subjected to
              this limit.

              Note: even a single LDAP entry can generate multiple lookup
              results, via multiple result attributes and/or multi-valued
              result attributes. This limit caps the per search resource
              utilization on the LDAP server, not the final multiplicity of
              the lookup result. It is analogous to the "-z" option of
              "ldapsearch".

       dereference (default: 0)
              When to dereference LDAP aliases. (Note that this has nothing to
              do with Postfix aliases.) The permitted values are those legal
              for the OpenLDAP/UM LDAP implementations:

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
              more information. And if you're using an LDAP package that has
              other possible values, please bring it to the attention of the
              postfix-users@postfix.org mailing list.

       chase_referrals (default: 0)
              Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3
              support).

       version (default: 2)
              Specifies the LDAP protocol version to use.

       debuglevel (default: 0)
              What level to set for debugging in the OpenLDAP libraries.

LDAP SASL PARAMETERS
       If you're using the OpenLDAP libraries compiled with SASL support,
       Postfix 2.8 and later built with LDAP SASL support as described in
       LDAP_README can authenticate to LDAP servers via SASL.

       This enables authentication to the LDAP server via mechanisms other
       than a simple password. The added flexibility has a cost: it is no
       longer practical to set an explicit timeout on the duration of an LDAP
       bind operation. Under adverse conditions, whether a SASL bind times
       out, or if it does, the duration of the timeout is determined by the
       LDAP and SASL libraries.

       It is best to use tables that use SASL binds via proxymap(8); this way
       the requesting process can time out the proxymap request. This also
       lets you tailor the process environment by overriding the proxymap(8)
       import_environment setting in master.cf(5). Special environment
       settings may be needed to configure GSSAPI credential caches or other
       SASL mechanism specific options. The GSSAPI credentials used for LDAP
       lookups may need to be different than, say, those used for the Postfix
       SMTP client to authenticate to remote servers.

       Using SASL mechanisms requires LDAP protocol version 3; the default
       protocol version is 2 for backwards compatibility. You must set
       "version = 3" in addition to "bind = sasl".

       The following parameters are relevant to using LDAP with SASL:

       sasl_mechs (default: empty)
              Space separated list of SASL mechanism(s) to try.

       sasl_realm (default: empty)
              SASL Realm to use, if applicable.

       sasl_authz_id (default: empty)
              The SASL authorization identity to assert, if applicable.

       sasl_minssf (default: 0)
              The minimum SASL security strength factor (SSF) required to
              establish a connection.

LDAP SSL AND STARTTLS PARAMETERS
       If you're using the OpenLDAP libraries compiled with SSL support,
       Postfix can connect to LDAP SSL servers and can issue the STARTTLS
       command.

       LDAP SSL service can be requested by using an LDAP SSL URL in the
       server_host parameter:

           server_host = ldaps://ldap.example.com:636

       STARTTLS can be turned on with the start_tls parameter:

           start_tls = yes

       Both forms require LDAP protocol version 3, which has to be set
       explicitly with:

           version = 3

       If any of the Postfix programs querying the map is configured in
       master.cf to run chrooted, all the certificates and keys involved have
       to be copied to the chroot jail. Of course, the private keys should
       only be readable by the user "postfix".

       The following parameters are relevant to LDAP SSL and STARTTLS:

       start_tls (default: no)
              Whether or not to issue STARTTLS upon connection to the server.
              Don't set this with LDAP SSL (the SSL session is set up
              automatically when the TCP connection is opened).

       tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
              Directory containing X509 Certificate Authority certificates in
              PEM format which are to be recognized by the client in SSL/TLS
              connections. The files each contain one CA certificate. The
              files are looked up by the CA subject name hash value, which
              must hence be available. If more than one CA certificate with
              the same name hash value exist, the extension must be different
              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in
              the ordering of the extension number, regardless of other
              properties of the certificates. Use the c_rehash utility (from
              the OpenSSL distribution) to create the necessary links.

       tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
              File containing the X509 Certificate Authority certificates in
              PEM format which are to be recognized by the client in SSL/TLS
              connections. This setting takes precedence over tls_ca_cert_dir.

       tls_cert (No default; you must set this)
              File containing the client's X509 certificate to be used by the
              client in SSL/TLS connections.

       tls_key (No default; you must set this)
              File containing the private key corresponding to the above
              tls_cert.

       tls_require_cert (default: no)
              Whether or not to request the server's X509 certificate and
              check its validity when establishing SSL/TLS connections. The
              supported values are no and yes.

              With no, the server certificate trust chain is not checked, but
              with OpenLDAP prior to 2.1.13, the name in the server
              certificate must still match the LDAP server name. With OpenLDAP
              2.0.0 to 2.0.11 the server name is not necessarily what you
              specified; rather it is determined (by reverse lookup) from the
              IP address of the LDAP server connection. With OpenLDAP prior to
              2.0.13, subjectAlternativeName extensions in the LDAP server
              certificate are ignored: the server name must match the subject
              CommonName. The no setting corresponds to the never value of
              TLS_REQCERT in LDAP client configuration files.

              Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
              if you can avoid it.

              With yes, the server certificate must be issued by a trusted CA,
              and not be expired. The LDAP server name must match one of the
              name(s) found in the certificate (see above for OpenLDAP library
              version dependent behavior). The yes setting corresponds to the
              demand value of TLS_REQCERT in LDAP client configuration files.

              The "try" and "never" values of TLS_REQCERT have no equivalents
              here. They are not available with OpenLDAP 2.0, and in any case
              have questionable security properties. Either you want TLS
              verified LDAP connections, or you don't.

              The yes value only works correctly with Postfix 2.5 and later,
              or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
              releases don't work together with this setting. Support for LDAP
              over TLS was added to Postfix based on the OpenLDAP 2.0 API.

       tls_random_file (No default)
              Path of a file to obtain random bits from when /dev/[u]random is
              not available, to be used by the client in SSL/TLS connections.

       tls_cipher_suite (No default)
              Cipher suite to use in SSL/TLS negotiations.

EXAMPLE
       Here's a basic example for using LDAP to look up local(8) aliases.
       Assume that in main.cf, you have:

           alias_maps = hash:/etc/aliases,
                   ldap:/etc/postfix/ldap-aliases.cf

       and in ldap:/etc/postfix/ldap-aliases.cf you have:

           server_host = ldap.example.com
           search_base = dc=example, dc=com

       Upon receiving mail for a local address "ldapuser" that isn't found in
       the /etc/aliases database, Postfix will search the LDAP server
       listening at port 389 on ldap.example.com. It will bind anonymously,
       search for any directory entries whose mailacceptinggeneralid attribute
       is "ldapuser", read the "maildrop" attributes of those found, and build
       a list of their maildrops, which will be treated as RFC822 addresses to
       which the message will be delivered.

SEE ALSO
       postmap(1), Postfix lookup table manager
       postconf(5), configuration parameters
       mysql_table(5), MySQL lookup tables
       pgsql_table(5), PostgreSQL lookup tables

README FILES
       Use "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       DATABASE_README, Postfix lookup table overview
       LDAP_README, Postfix LDAP client guide

LICENSE
       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson,
       LaMont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K
       Singh, Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many
       others.