pmx-ldap-sync - Create a flat file list or map from an LDAP service.


    pmx-ldap-sync --base DN --query QUERY --result ATTRIBUTES
                  [--result-filter EXPR] [--host LDAPHOST[:PORT]]
                  [--result-rhs ATTRIBUTES [--result-rhs-filter EXPR]]
                  [--page-size INT]
                  [--async] [--verbose]
                  [--bind-dn DN] [--bind-password PASSWORD]
                  [--ldap-version 2|3] [--scope base|one|sub]
    pmx-ldap-sync --help


The pmx-ldap-sync program synchronizes data from an LDAP directory service with a plain text file. This file can be used as a PureMessage list or map.

Once the sync is complete, the local file (FILENAME) specified is atomically replaced using rename(). Therefore, the local file can be the list or map name. pmx-ldap-sync can run uninterrupted, without prompting the user for input (for example, it can be used as a scheduled job).


Performs all LDAP operations asynchronously.

--base DN
The Distinguished Name of the entries that must be queried. This is a required option.

--query QUERY
Specifies the RFC 2254-compliant LDAP search filter expression. The QUERY is responsible for selecting the set of records used for building the results. This is a required option.

One or more LDAP attributes that are used to build the results from the set of records selected by the QUERY. If there is more than one attribute, they can be either comma separated, or passed as more than one --result option.

The result from each record is a separate list item. Multiple results from each record are space separated but still result in a single list item.

--result-filter EXPR
A perl expression that is evaluated in list context for every result value. The value is available as $_ for use in the expression. The result of the expression is used in place of the value when creating the output file.

--result-rhs ATTRIBUTES
This has the same behavior as --result, but instead of creating a list, the results are used as the right-hand side of a map.

--result-rhs-filter EXPR
This has the same behavior as --result-filter, but it applies to --result-rhs instead of --result.

--page-size INT
Controls the number of results we ask the LDAP server for in each page of results. Defaults to 1000 results per page for LDAPv3 queries. Pass a value of 0 to disable paged results processing.

LDAPv2 and older do not support this option.

The fully qualified name of the LDAP server, optionally followed by a port number. Defaults to localhost:389 if unspecified.

More than one --host option may be specified. Each is tried in order until a connection is made.

--port PORT
The port number where the LDAP directory service is contacted. Defaults to 389 if unspecified.

--bind-dn DN
--bind-password PASSWORD
Bind credentials used to establish a connection to the server.

--bind-dn specifies the identity (in the form of a Distinguished Name) of someone who is authorized to query the LDAP server. This option is required if --bind-password is specified.

If --bind-password is not specified, an anonymous bind is attempted.

--scope base | one | sub
The type of search performed to locate records matching the query.

--ldap-version 2|3
Specifies the LDAP protocol version that the client should announce to the server. It can be 2 or 3. If not specified it defaults to 3.

The LDAP records selected by the query are printed to stdout.


Creating a valid-users list
The following example shows how to create a list of valid email addresses. Such a list can be used in a PureMessage policy test to silently discard mail sent to invalid users (a common nuisance due to dictionary attacks by spammers).
    pmx-ldap-sync --base 'o=yourorg,c=US' --query '(&(mail=*)(paid=true)' \
                  --result 'mail,awaymail' valid-users

Another usage for the pmx-ldap-sync utility is to set the --result-filter option to add content to the result. The following example uses the --result-filter option in a sendmail access file generator:

    pmx-ldap-sync --base 'o=yourorg,c=US' --query '(&(mail=*)(paid=true))' \
                  --result 'mail' --result-filter 's,\z,\tOK,;$_' \


Copyright (C) 2000-2008 Sophos Group. All rights reserved. Sophos and PureMessage are trademarks of Sophos Plc and Sophos Group.