LDAP_TABLE(5)                 File Formats Manual                LDAP_TABLE(5)

NAME

       ldap_table - Postfix LDAP client configuration

SYNOPSIS

       postmap -q "string" ldap:/etc/postfix/filename

       postmap -q - ldap:/etc/postfix/filename <inputfile

DESCRIPTION

       The Postfix mail system uses optional tables for address rewriting or
       mail routing. These tables are usually in dbm or db format.

       Alternatively, lookup tables can be specified as LDAP databases.

       In order to use LDAP lookups, define an LDAP source as a lookup table
       in main.cf, for example:

           alias_maps = ldap:/etc/postfix/ldap-aliases.cf

       The file /etc/postfix/ldap-aliases.cf has the same format as the
       Postfix main.cf file, and can specify the parameters described below.
       An example is given at the end of this manual.

       This configuration method is available with Postfix version 2.1 and
       later. See the section "OBSOLETE MAIN.CF PARAMETERS" below for older
       Postfix versions.

       For details about LDAP SSL and STARTTLS, see the section on SSL and
       STARTTLS below.

LIST MEMBERSHIP

       When using LDAP to store lists such as $mynetworks, $mydestination,
       $relay_domains, $local_recipient_maps, etc., it is important to
       understand that the table must store each list member as a separate
       key. The table lookup verifies the *existence* of the key. See "Postfix
       lists versus tables" in the DATABASE_README document for a discussion.

       Do NOT create tables that return the full list of domains in
       $mydestination or $relay_domains etc., or IP addresses in $mynetworks.

       DO create tables with each matching item as a key and with an arbitrary
       value. With LDAP databases it is not uncommon to return the key itself.

       For example, NEVER do this in a map defining $mydestination:

           query_filter = domain=*
           result_attribute = domain

       Do this instead:

           query_filter = domain=%s
           result_attribute = domain

GENERAL LDAP PARAMETERS

       In the text below, default values are given in parentheses. Note:
       don't use quotes in these variables; at least, not until the Postfix
       configuration routines understand how to deal with quoted strings.

       server_host (default: localhost)
              The name of the host running the LDAP server, e.g.

                  server_host = ldap.example.com

              Depending on the LDAP client library you're using, it should be
              possible to specify multiple servers here, with the library
              trying them in order should the first one fail. It should also
              be possible to give each server in the list a different port
              (overriding server_port below), by naming them like

                  server_host = ldap.example.com:1444

              With OpenLDAP, a (list of) LDAP URLs can be used to specify both
              the hostname(s) and the port(s):

                  server_host = ldap://ldap.example.com:1444
                              ldap://ldap2.example.com:1444

              All LDAP URLs accepted by the OpenLDAP library are supported,
              including connections over UNIX domain sockets, and LDAP SSL
              (the last one provided that OpenLDAP was compiled with support
              for SSL):

                  server_host = ldapi://%2Fsome%2Fpath
                              ldaps://ldap.example.com:636

       server_port (default: 389)
              The port the LDAP server listens on, e.g.

                  server_port = 778

       timeout (default: 10 seconds)
              The number of seconds a search can take before timing out, e.g.

                  timeout = 5

       search_base (No default; you must configure this)
              The RFC 2253 base DN at which to conduct the search, e.g.

                  search_base = dc=your, dc=com

              With Postfix 2.2 and later this parameter supports the following
              '%' expansions:

              %%     This is replaced by a literal '%' character.

              %s     This is replaced by the input key. RFC 2253 quoting is
                     used to make sure that the input key does not add
                     unexpected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2253) quoted local part of the
                     address. Otherwise, %u is replaced by the entire search
                     string. If the localpart is empty, the search is
                     suppressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2253) quoted domain part of
                     the address. Otherwise, the search is suppressed and
                     returns no results.

              %[SUD] For the search_base parameter, the upper-case equivalents
                     of the above expansions behave identically to their
                     lower-case counterparts. With the result_format parameter
                     (previously called result_filter; see the COMPATIBILITY
                     section and below), they expand to the corresponding
                     components of the input key rather than the result value.

              %[1-9] The patterns %1, %2, ... %9 are replaced by the
                     corresponding most significant component of the input
                     key's domain. If the input key is user@mail.example.com,
                     then %1 is com, %2 is example and %3 is mail. If the input
                     key is unqualified or does not have enough domain
                     components to satisfy all the specified patterns, the
                     search is suppressed and returns no results.

       query_filter (default: mailacceptinggeneralid=%s)
              The RFC 2254 filter used to search the directory, where %s is a
              substitute for the address Postfix is trying to resolve, e.g.

                  query_filter = (&(mail=%s)(paid_up=true))

              This parameter supports the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This is replaced by the input key. RFC 2254 quoting is
                     used to make sure that the input key does not add
                     unexpected metacharacters.

              %u     When the input key is an address of the form user@domain,
                     %u is replaced by the (RFC 2254) quoted local part of the
                     address. Otherwise, %u is replaced by the entire search
                     string. If the localpart is empty, the search is
                     suppressed and returns no results.

              %d     When the input key is an address of the form user@domain,
                     %d is replaced by the (RFC 2254) quoted domain part of
                     the address. Otherwise, the search is suppressed and
                     returns no results.

              %[SUD] The upper-case equivalents of the above expansions behave
                     in the query_filter parameter identically to their
                     lower-case counterparts. With the result_format parameter
                     (previously called result_filter; see the COMPATIBILITY
                     section and below), they expand to the corresponding
                     components of the input key rather than the result value.

                     The above %S, %U and %D expansions are available with
                     Postfix 2.2 and later.

              %[1-9] The patterns %1, %2, ... %9 are replaced by the
                     corresponding most significant component of the input
                     key's domain. If the input key is user@mail.example.com,
                     then %1 is com, %2 is example and %3 is mail. If the input
                     key is unqualified or does not have enough domain
                     components to satisfy all the specified patterns, the
                     search is suppressed and returns no results.

                     The above %1, ..., %9 expansions are available with
                     Postfix 2.2 and later.

              The "domain" parameter described below limits the input keys to
              addresses in matching domains. When the "domain" parameter is
              non-empty, LDAP queries for unqualified addresses or addresses
              in non-matching domains are suppressed and return no results.

              NOTE: DO NOT put quotes around the query_filter parameter.

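       As an added illustration, not code from the Postfix source, the
       following Python model applies the search_base and query_filter
       expansions described above (RFC 2253 and RFC 2254 quoting, the
       suppression rules, and the "domain" eligibility check) to an input key,
       and shows why the quoting matters when a key carries filter
       metacharacters. Splitting the key at the last '@' and the exact escaping
       routines are my assumptions, not Postfix's own implementation.

```python
import re

_EXPANSION = re.compile(r"%([%sudSUD1-9])")


class _Suppress(Exception):
    """Raised when an expansion rule says the search returns no results."""


def rfc2254_escape(value: str) -> str:
    """Quote a value for use inside an LDAP search filter (RFC 2254)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def rfc2253_escape(value: str) -> str:
    """Quote an attribute value for use inside a DN component (RFC 2253)."""
    out = []
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;'
                   or (i == 0 and ch in "# ")
                   or (i == len(value) - 1 and ch == " "))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def _split(key):
    # Assumption: the address is split at the last '@'; unqualified -> (None, None).
    local, at, domain = key.rpartition("@")
    return (local, domain) if at else (None, None)


def expand(template, key, quote):
    """Apply the '%' expansions to the input key, quoting every inserted part.
    Returns None when the rules say the search is suppressed."""
    local, domain = _split(key)
    labels = domain.split(".")[::-1] if domain else []   # %1 = most significant label

    def repl(m):
        c = m.group(1)
        if c == "%":
            return "%"
        c = c.lower() if c in "SUD" else c   # upper case behaves identically here
        if c == "s":
            return quote(key)
        if c == "u":
            if local is None:
                return quote(key)            # unqualified key: entire search string
            if local == "":
                raise _Suppress              # empty localpart: no search
            return quote(local)
        if c == "d":
            if domain is None:
                raise _Suppress              # unqualified key: no search
            return quote(domain)
        idx = int(c)
        if idx > len(labels):
            raise _Suppress                  # not enough domain components
        return quote(labels[idx - 1])

    try:
        return _EXPANSION.sub(repl, template)
    except _Suppress:
        return None


def eligible(key, domains=()):
    """The 'domain' parameter: with a non-empty list, only fully qualified keys
    with a non-empty localpart and a listed domain are looked up at all."""
    if not domains:
        return True
    local, domain = _split(key)
    return bool(local) and domain is not None and domain.lower() in {d.lower() for d in domains}


def build_search(key, search_base, query_filter, domains=()):
    """Return (base_dn, filter) for the LDAP search, or None if it is suppressed."""
    if not eligible(key, domains):
        return None
    base = expand(search_base, key, rfc2253_escape)
    flt = expand(query_filter, key, rfc2254_escape)
    return None if base is None or flt is None else (base, flt)


if __name__ == "__main__":
    print(build_search("alice@mail.example.com", "ou=%3,dc=%2,dc=%1",
                       "(&(mail=%s)(paid_up=true))"))
    # A key containing filter metacharacters stays a single quoted value.
    print(build_search("*)(uid=*", "dc=example,dc=com", "(mail=%s)"))
```
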
       result_format (default: %s)
              Called result_filter in Postfix releases prior to 2.2. Format
              template applied to result attributes. Most commonly used to
              append (or prepend) text to the result. This parameter supports
              the following '%' expansions:

              %%     This is replaced by a literal '%' character. (Postfix 2.2
                     and later).

              %s     This is replaced by the value of the result attribute.
                     When the result is empty it is skipped.

              %u     When the result attribute value is an address of the form
                     user@domain, %u is replaced by the local part of the
                     address. When the result has an empty localpart it is
                     skipped.

              %d     When a result attribute value is an address of the form
                     user@domain, %d is replaced by the domain part of the
                     attribute value. When the result is unqualified it is
                     skipped.

              %[SUD1-9]
                     The upper-case and decimal digit expansions interpolate
                     the parts of the input key rather than the result. Their
                     behavior is identical to that described with
                     query_filter, and in fact because the input key is known
                     in advance, lookups whose key does not contain all the
                     information specified in the result template are
                     suppressed and return no results.

                     The above %S, %U, %D and %1, ..., %9 expansions are
                     available with Postfix 2.2 and later.

              For example, using "result_format = smtp:[%s]" allows one to use
              a mailHost attribute as the basis of a transport(5) table. After
              applying the result format, multiple values are concatenated as
              comma separated strings. The expansion_limit and size_limit
              parameters explained below allow one to restrict the number of
              values in the result, which is especially useful for maps that
              should return a single value.

              The default value %s specifies that each attribute value should
              be used as is.

              This parameter was called result_filter in Postfix releases
              prior to 2.2. If no "result_format" is specified, the value of
              "result_filter" will be used instead before resorting to the
              default value. This provides compatibility with old
              configuration files.

              NOTE: DO NOT put quotes around the result format!

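       As an added Python model (not Postfix's own code) of the result_format
       rules above: each attribute value is expanded and the results joined
       with commas, empty or unqualified values are skipped where the rules
       say so, %U/%D/%1-%9 suppress the whole lookup before any search when
       the key lacks the needed parts, and exceeding expansion_limit is a
       temporary error rather than "not found". Treating an unqualified result
       value as the whole value for %u is my assumption.

```python
import re

_EXPANSION = re.compile(r"%([%sudSUD1-9])")


class ExpansionLimitExceeded(Exception):
    """Postfix reports this as a temporary lookup error, not as 'not found'."""


class _Skip(Exception):
    """This result value contributes nothing; continue with the next value."""


def _split(addr):
    # Assumption: addresses are split at the last '@'; unqualified -> (None, None).
    local, at, domain = addr.rpartition("@")
    return (local, domain) if at else (None, None)


def key_supports(template, key):
    """Pre-search check: %U, %D and %1-%9 need parts of the input key.
    If the key lacks them, the whole lookup is suppressed (no results)."""
    klocal, kdomain = _split(key)
    labels = kdomain.split(".")[::-1] if kdomain else []
    for c in _EXPANSION.findall(template):
        if c == "U" and klocal == "":
            return False
        if c == "D" and kdomain is None:
            return False
        if c.isdigit() and int(c) > len(labels):
            return False
    return True


def _expand_value(template, key, value):
    """Expand one result attribute value; raises _Skip when it must be dropped."""
    klocal, kdomain = _split(key)
    labels = kdomain.split(".")[::-1] if kdomain else []
    vlocal, vdomain = _split(value)

    def repl(m):
        c = m.group(1)
        if c == "%":
            return "%"
        if c == "s":
            return value
        if c == "u":
            if vlocal is None:              # assumption: unqualified result used whole
                return value
            if vlocal == "":
                raise _Skip                 # empty localpart in the result
            return vlocal
        if c == "d":
            if vdomain is None:
                raise _Skip                 # unqualified result
            return vdomain
        if c == "S":                        # upper case: parts of the input key
            return key
        if c == "U":
            return key if klocal is None else klocal
        if c == "D":
            return kdomain
        return labels[int(c) - 1]

    return _EXPANSION.sub(repl, template)


def format_result(template, key, values, expansion_limit=0):
    """Expand result_format over all attribute values and join them with commas.
    Returns None for 'no result'; raises ExpansionLimitExceeded past the limit."""
    if not key_supports(template, key):
        return None
    out = []
    for value in values:
        if value == "":                     # empty result values are skipped
            continue
        try:
            out.append(_expand_value(template, key, value))
        except _Skip:
            continue
    if expansion_limit and len(out) > expansion_limit:
        raise ExpansionLimitExceeded(
            f"{len(out)} values exceed expansion_limit = {expansion_limit}")
    return ",".join(out) if out else None


if __name__ == "__main__":
    # transport(5)-style use of a multi-valued mailHost attribute (constructed values)
    print(format_result("smtp:[%s]", "alice@example.com",
                        ["mx1.example.com", "mx2.example.com"]))
    # rewrite result localparts into the input key's domain
    print(format_result("%u@%D", "alice@example.com",
                        ["bob@corp.internal", "", "@nobody", "carol"]))
```
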
       domain (default: no domain list)
              This is a list of domain names, paths to files, or dictionaries.
              When specified, only fully qualified search keys with a
              *non-empty* localpart and a matching domain are eligible for
              lookup: 'user' lookups, bare domain lookups and "@domain"
              lookups are not performed. This can significantly reduce the
              query load on the LDAP server.

                  domain = postfix.org, hash:/etc/postfix/searchdomains

              It is best not to use LDAP to store the domains eligible for
              LDAP lookups.

              NOTE: DO NOT define this parameter for local(8) aliases.

              This feature is available in Postfix 1.0 and later.

       result_attribute (default: maildrop)
              The attribute(s) Postfix will read from any directory entries
              returned by the lookup, to be resolved to an email address.

                  result_attribute = mailbox, maildrop

              Don't rely on the default value ("maildrop"). Set the
              result_attribute explicitly in all ldap table configuration
              files. This is particularly relevant when no result_attribute is
              applicable, e.g. cases in which leaf_result_attribute and/or
              terminal_result_attribute are used instead. The default value is
              harmless if "maildrop" is also listed as a leaf or terminal
              result attribute, but it is best to not leave this to chance.

       special_result_attribute (default: empty)
              The attribute(s) of directory entries that can contain DNs or
              RFC 2255 LDAP URLs. If found, a recursive search is performed to
              retrieve the entry referenced by the DN, or the entries matched
              by the URL query.

                  special_result_attribute = memberdn

              DN recursion retrieves the same result_attributes as the main
              query, including the special attributes for further recursion.

              URL processing retrieves only those attributes that are included
              in both the URL definition and as result attributes (ordinary,
              special, leaf or terminal) in the Postfix table definition. If
              the URL lists any of the table's special result attributes,
              these are retrieved and used recursively. A URL that does not
              specify any attribute selection is equivalent (RFC 2255) to a
              URL that selects all attributes, in which case the selected
              attributes will be the full set of result attributes in the
              Postfix table.

              If an LDAP URL attribute-descriptor or the corresponding Postfix
              LDAP table result attribute (but not both) uses RFC 2255
              sub-type options ("attr;option"), the attribute requested from
              the LDAP server will include the sub-type option. In all other
              cases, the URL attribute and the table attribute must match
              exactly. Attributes with options in both the URL and the Postfix
              table are requested only when the options are identical. LDAP
              attribute-descriptor options are very rarely used; most LDAP
              users will not need to concern themselves with this level of
              nuanced detail.

       terminal_result_attribute (default: empty)
              When one or more terminal result attributes are found in an LDAP
              entry, all other result attributes are ignored and only the
              terminal result attributes are returned. This is useful for
              delegating expansion of group members to a particular host, by
              using an optional "maildrop" attribute on selected groups to
              route the group to a specific host, where the group is expanded,
              possibly via a mailing-list manager or other special processing.

                  result_attribute =
                  terminal_result_attribute = maildrop

              When using terminal and/or leaf result attributes, the
              result_attribute is best set to an empty value when it is not
              used, or else explicitly set to the desired value, even if it is
              the default value "maildrop".

              This feature is available with Postfix 2.4 or later.

       leaf_result_attribute (default: empty)
              When one or more special result attributes are found in a
              non-terminal (see above) LDAP entry, leaf result attributes are
              excluded from the expansion of that entry. This is useful when
              expanding groups and the desired mail address attribute(s) of
              the member objects obtained via DN or URI recursion are also
              present in the group object. To only return the attribute values
              from the leaf objects and not the containing group, add the
              attribute to the leaf_result_attribute list, and not the
              result_attribute list, which is always expanded. Note, the
              default value of "result_attribute" is not empty; you may want
              to set it explicitly empty when using "leaf_result_attribute" to
              expand the group to a list of member DN addresses. If groups
              have both member DN references AND attributes that hold multiple
              string valued rfc822 addresses, then the string attributes go in
              "result_attribute". The attributes that represent the email
              addresses of objects referenced via a DN (or LDAP URI) go in
              "leaf_result_attribute".

                  result_attribute = memberaddr
                  special_result_attribute = memberdn
                  terminal_result_attribute = maildrop
                  leaf_result_attribute = mail

              When using terminal and/or leaf result attributes, the
              result_attribute is best set to an empty value when it is not
              used, or else explicitly set to the desired value, even if it is
              the default value "maildrop".

              This feature is available with Postfix 2.4 or later.

       scope (default: sub)
              The LDAP search scope: sub, base, or one. These translate into
              LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.

       bind (default: yes)
              Whether or how to bind to the LDAP server. Newer LDAP
              implementations don't require clients to bind, which saves time.
              Example:

                  # Don't bind
                  bind = no
                  # Use SIMPLE bind
                  bind = yes
                  # Use SASL bind
                  bind = sasl

              Postfix versions prior to 2.8 only support "bind = no", which
              means don't bind, and "bind = yes", which means do a SIMPLE bind.
              Postfix 2.8 and later also support "bind = SASL" when compiled
              with LDAP SASL support as described in LDAP_README; they also add
              the synonyms "bind = none" and "bind = simple" for "bind = no"
              and "bind = yes" respectively. See the SASL section below for
              additional parameters available with "bind = sasl".

              If you do need to bind, you might consider configuring Postfix
              to connect to the local machine on a port that's an SSL tunnel
              to your LDAP server. If your LDAP server doesn't natively
              support SSL, put a tunnel (wrapper, proxy, whatever you want to
              call it) on that system too. This should prevent the password
              from traversing the network in the clear.

       bind_dn (default: empty)
              If you do have to bind, do it with this distinguished name.
              Example:

                  bind_dn = uid=postfix, dc=your, dc=com

              With "bind = sasl" (see above) the DN may be optional for some
              SASL mechanisms; don't specify a DN if not needed.

       bind_pw (default: empty)
              The password for the distinguished name above. If you have to
              use this, you probably want to make the map configuration file
              readable only by the Postfix user. When using the obsolete
              ldap:ldapsource syntax, with map parameters in main.cf, it is
              not possible to securely store the bind password. This is
              because main.cf needs to be world readable to allow local
              accounts to submit mail via the sendmail command. Example:

                  bind_pw = postfixpw

              With "bind = sasl" (see above) the password may be optional for
              some SASL mechanisms; don't specify a password if not needed.

       cache (IGNORED with a warning)

       cache_expiry (IGNORED with a warning)

       cache_size (IGNORED with a warning)
              The above parameters are NO LONGER SUPPORTED by Postfix. Cache
              support has been dropped from OpenLDAP as of release 2.1.13.

       recursion_limit (default: 1000)
              A limit on the nesting depth of DN and URL special result
              attribute evaluation. The limit must be a non-zero positive
              number.

       expansion_limit (default: 0)
              A limit on the total number of result elements returned (as a
              comma separated list) by a lookup against the map. A setting of
              zero disables the limit. Lookups fail with a temporary error if
              the limit is exceeded. Setting the limit to 1 ensures that
              lookups do not return multiple values.

       size_limit (default: $expansion_limit)
              A limit on the number of LDAP entries returned by any single
              LDAP search performed as part of the lookup. A setting of 0
              disables the limit. Expansion of DN and URL references involves
              nested LDAP queries, each of which is separately subjected to
              this limit.

              Note: even a single LDAP entry can generate multiple lookup
              results, via multiple result attributes and/or multi-valued
              result attributes. This limit caps the per-search resource
              utilization on the LDAP server, not the final multiplicity of
              the lookup result. It is analogous to the "-z" option of
              "ldapsearch".

       dereference (default: 0)
              When to dereference LDAP aliases. (Note that this has nothing to
              do with Postfix aliases.) The permitted values are those legal
              for the OpenLDAP/UM LDAP implementations:

              0      never

              1      when searching

              2      when locating the base object for the search

              3      always

              See ldap.h or the ldap_open(3) or ldapsearch(1) man pages for
              more information. And if you're using an LDAP package that has
              other possible values, please bring it to the attention of the
              postfix-users@postfix.org mailing list.

       chase_referrals (default: 0)
              Sets (or clears) LDAP_OPT_REFERRALS (requires LDAP version 3
              support).

       version (default: 2)
              Specifies the LDAP protocol version to use.

       debuglevel (default: 0)
              What level to set for debugging in the OpenLDAP libraries.

LDAP SASL PARAMETERS

       If you're using the OpenLDAP libraries compiled with SASL support,
       Postfix 2.8 and later built with LDAP SASL support as described in
       LDAP_README can authenticate to LDAP servers via SASL.

       This enables authentication to the LDAP server via mechanisms other
       than a simple password. The added flexibility has a cost: it is no
       longer practical to set an explicit timeout on the duration of an LDAP
       bind operation. Under adverse conditions, whether a SASL bind times
       out, and if it does, the duration of the timeout, is determined by the
       LDAP and SASL libraries.

       It is best to use tables that use SASL binds via proxymap(8); this way
       the requesting process can time out the proxymap request. This also
       lets you tailor the process environment by overriding the proxymap(8)
       import_environment setting in master.cf(5). Special environment
       settings may be needed to configure GSSAPI credential caches or other
       SASL mechanism specific options. The GSSAPI credentials used for LDAP
       lookups may need to be different from, say, those used for the Postfix
       SMTP client to authenticate to remote servers.

       Using SASL mechanisms requires LDAP protocol version 3; the default
       protocol version is 2 for backwards compatibility. You must set
       "version = 3" in addition to "bind = sasl".

       The following parameters are relevant to using LDAP with SASL:

       sasl_mechs (default: empty)
              Space separated list of SASL mechanism(s) to try.

       sasl_realm (default: empty)
              SASL realm to use, if applicable.

       sasl_authz_id (default: empty)
              The SASL authorization identity to assert, if applicable.

       sasl_minssf (default: 0)
              The minimum SASL security strength factor (SSF) required to
              establish a connection.

LDAP SSL AND STARTTLS PARAMETERS

       If you're using the OpenLDAP libraries compiled with SSL support,
       Postfix can connect to LDAP SSL servers and can issue the STARTTLS
       command.

       LDAP SSL service can be requested by using an LDAP SSL URL in the
       server_host parameter:

           server_host = ldaps://ldap.example.com:636

       STARTTLS can be turned on with the start_tls parameter:

           start_tls = yes

       Both forms require LDAP protocol version 3, which has to be set
       explicitly with:

           version = 3

       If any of the Postfix programs querying the map is configured in
       master.cf to run chrooted, all the certificates and keys involved have
       to be copied to the chroot jail. Of course, the private keys should
       only be readable by the user "postfix".

       The following parameters are relevant to LDAP SSL and STARTTLS:

       start_tls (default: no)
              Whether or not to issue STARTTLS upon connection to the server.
              Don't set this with LDAP SSL (the SSL session is set up
              automatically when the TCP connection is opened).

       tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
              Directory containing X509 Certification Authority certificates
              in PEM format which are to be recognized by the client in
              SSL/TLS connections. The files each contain one CA certificate.
              The files are looked up by the CA subject name hash value, which
              must hence be available. If more than one CA certificate with
              the same name hash value exists, the extension must be different
              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in
              the ordering of the extension number, regardless of other
              properties of the certificates. Use the c_rehash utility (from
              the OpenSSL distribution) to create the necessary links.

       tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
              File containing the X509 Certification Authority certificates in
              PEM format which are to be recognized by the client in SSL/TLS
              connections. This setting takes precedence over tls_ca_cert_dir.

       tls_cert (No default; you must set this)
              File containing the client's X509 certificate to be used by the
              client in SSL/TLS connections.

       tls_key (No default; you must set this)
              File containing the private key corresponding to the above
              tls_cert.

       tls_require_cert (default: no)
              Whether or not to request the server's X509 certificate and
              check its validity when establishing SSL/TLS connections. The
              supported values are no and yes.

              With no, the server certificate trust chain is not checked, but
              with OpenLDAP prior to 2.1.13, the name in the server
              certificate must still match the LDAP server name. With OpenLDAP
              2.0.0 to 2.0.11 the server name is not necessarily what you
              specified; rather it is determined (by reverse lookup) from the
              IP address of the LDAP server connection. With OpenLDAP prior to
              2.0.13, subjectAlternativeName extensions in the LDAP server
              certificate are ignored: the server name must match the subject
              CommonName. The no setting corresponds to the never value of
              TLS_REQCERT in LDAP client configuration files.

              Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
              if you can avoid it.

              With yes, the server certificate must be issued by a trusted CA,
              and not be expired. The LDAP server name must match one of the
              name(s) found in the certificate (see above for OpenLDAP library
              version dependent behavior). The yes setting corresponds to the
              demand value of TLS_REQCERT in LDAP client configuration files.

              The "try" and "allow" values of TLS_REQCERT have no equivalents
              here. They are not available with OpenLDAP 2.0, and in any case
              have questionable security properties. Either you want TLS
              verified LDAP connections, or you don't.

              The yes value only works correctly with Postfix 2.5 and later,
              or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
              releases don't work together with this setting. Support for LDAP
              over TLS was added to Postfix based on the OpenLDAP 2.0 API.

       tls_random_file (No default)
              Path of a file to obtain random bits from when /dev/[u]random is
              not available, to be used by the client in SSL/TLS connections.

       tls_cipher_suite (No default)
              Cipher suite to use in SSL/TLS negotiations.

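       As an added example (not part of Postfix), the following Python checker
       parses an ldap:/path table file in the main.cf format and flags the
       configurations this manual warns against: a SIMPLE bind password sent
       without LDAP SSL or STARTTLS, TLS or SASL without "version = 3",
       start_tls combined with an ldaps:// URL, tls_require_cert left at "no",
       no CA configured, reliance on the implicit result_attribute default,
       quoted values, a query_filter with no key expansion, and the ignored
       cache parameters. The two embedded configuration samples and the
       finding codes are constructed for this example.

```python
import re

# Any of these in query_filter ties the search to the lookup key.
_EXPANSION = re.compile(r"%[sudSUD1-9]")
_IGNORED_PARAMS = ("cache", "cache_expiry", "cache_size")


def parse_table_config(text):
    """Parse the main.cf-style "name = value" format of an ldap:/path file.
    Continuation lines start with whitespace; lines starting with '#' are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()      # continuation of previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                                   # not a parameter line
        current = name.strip()
        params[current] = value.strip()
    return params


def lint_ldap_table(params):
    """Return (code, message) findings for a parsed ldap_table(5) configuration."""
    findings = []
    host = params.get("server_host", "localhost")
    uses_ldaps = "ldaps://" in host
    start_tls = params.get("start_tls", "no").lower() == "yes"
    tls = uses_ldaps or start_tls
    bind = params.get("bind", "yes").lower()
    version = params.get("version", "2")

    if params.get("bind_pw") and not tls:
        findings.append(("CLEARTEXT_BIND_PW",
            "bind_pw is set but neither ldaps:// nor start_tls protects the SIMPLE bind"))
    if (tls or bind == "sasl") and version != "3":
        findings.append(("VERSION_NOT_3",
            "LDAP SSL, STARTTLS and SASL binds require version = 3 (the default is 2)"))
    if uses_ldaps and start_tls:
        findings.append(("STARTTLS_WITH_LDAPS",
            "start_tls = yes must not be combined with an ldaps:// URL"))
    if tls and params.get("tls_require_cert", "no").lower() != "yes":
        findings.append(("CERT_NOT_VERIFIED",
            "tls_require_cert = no: the server certificate chain is not checked"))
    if tls and not (params.get("tls_ca_cert_file") or params.get("tls_ca_cert_dir")):
        findings.append(("NO_CA_CONFIGURED",
            "set tls_ca_cert_file or tls_ca_cert_dir so the server certificate can be verified"))
    if "result_attribute" not in params:
        findings.append(("DEFAULT_RESULT_ATTRIBUTE",
            "result_attribute is not set explicitly; the default 'maildrop' applies"))
    for name in ("query_filter", "result_format", "result_filter", "search_base"):
        value = params.get(name, "")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append(("QUOTED_VALUE",
                f"{name} is wrapped in quotes; the quotes become part of the value"))
    if not _EXPANSION.search(params.get("query_filter", "mailacceptinggeneralid=%s")):
        findings.append(("UNKEYED_FILTER",
            "query_filter has no %s/%u/%d/%1-%9 expansion: every key returns the same entries"))
    for name in _IGNORED_PARAMS:
        if name in params:
            findings.append(("IGNORED_CACHE_PARAM", f"{name} is no longer supported and is ignored"))
    return findings


# Constructed sample: a weak ldap-aliases.cf (not taken from the manual).
WEAK_CONFIG = """\
server_host = ldap.example.com
search_base = dc=example, dc=com
query_filter = "(mail=%s)"
bind = yes
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = postfixpw
cache = yes
"""

# Constructed sample: the same table with the settings this manual recommends.
HARDENED_CONFIG = """\
server_host = ldap://ldap.example.com:389
    ldap://ldap2.example.com:389
search_base = dc=example, dc=com
query_filter = (mail=%s)
result_attribute = maildrop
expansion_limit = 1
version = 3
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/ldap-ca.pem
bind = simple
bind_dn = uid=postfix, dc=example, dc=com
bind_pw = postfixpw
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_ldap_table(parse_table_config(text)))
```

       Remember that the checker cannot see file permissions: a table file
       carrying bind_pw still has to be readable only by the Postfix user.
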

EXAMPLE

       Here's a basic example for using LDAP to look up local(8) aliases.
       Assume that in main.cf, you have:

           alias_maps = hash:/etc/aliases,
                   ldap:/etc/postfix/ldap-aliases.cf

       and in ldap:/etc/postfix/ldap-aliases.cf you have:

           server_host = ldap.example.com
           search_base = dc=example, dc=com

       Upon receiving mail for a local address "ldapuser" that isn't found in
       the /etc/aliases database, Postfix will search the LDAP server
       listening at port 389 on ldap.example.com. It will bind anonymously,
       search for any directory entries whose mailacceptinggeneralid attribute
       is "ldapuser", read the "maildrop" attributes of those found, and build
       a list of their maildrops, which will be treated as RFC822 addresses to
       which the message will be delivered.

OBSOLETE MAIN.CF PARAMETERS

       For backwards compatibility with Postfix version 2.0 and earlier, LDAP
       parameters can also be defined in main.cf. Specify as LDAP source a
       name that doesn't begin with a slash or a dot. The LDAP parameters
       will then be accessible as the name you've given the source in its
       definition, an underscore, and the name of the parameter. For example,
       if the map is specified as "ldap:ldapsource", the "server_host"
       parameter described above would be defined in main.cf as
       "ldapsource_server_host".

       Note: with this form, the passwords for the LDAP sources are written in
       main.cf, which is normally world-readable. Support for this form will
       be removed in a future Postfix version.

OTHER OBSOLETE FEATURES

       For backwards compatibility with the pre 2.2 LDAP clients,
       result_filter can for now be used instead of result_format, when the
       latter parameter is not also set. The new name better reflects the
       function of the parameter. This compatibility interface may be removed
       in a future release.

SEE ALSO

       postmap(1), Postfix lookup table manager
       postconf(5), configuration parameters
       mysql_table(5), MySQL lookup tables
       pgsql_table(5), PostgreSQL lookup tables

README FILES

       Use "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       DATABASE_README, Postfix lookup table overview
       LDAP_README, Postfix LDAP client guide

LICENSE

       The Secure Mailer license must be distributed with this software.

AUTHOR(S)

       Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson,
       LaMont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K
       Singh, Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.