Bug with $default_ldap setting

[Mark Martinec]

Huangbin,

> I get an unexpected result with $default_ldap setting: If base dn doesn't
> exist, amavisd should bypass/dunno this check and continue sending mail
> out, instead of defer this mail.
> 
> My settings in amavisd.conf
> 
> # ----
> $enable_ldap    = 1;
> $default_ldap   = {
>     [...]
>     base            => "domainName=%d,o=domains,dc=example,dc=com",
>     [...]
> };
> # ----
> 
> I have several virtual domains under "o=domains,dc=example,dc=com", i want
> to make it query "domainName=%d,o=domains,dc=example,dc=com" instead of
> "o=domains,dc=example,dc=com" for better performance.
> 
> The problem is, when i send mail to an external mail address, e.g. gmail,
> yahoo, hotmail, Amavisd raises below error log and mails can **NOT** be
> sent out:

> (!!)TROUBLE in process_request: do_search: failed again,
> LDAP_NO_SUCH_OBJECT at (eval 104) line 159,
> <DATA> line 392. at (eval 104) line 445, <DATA> line 392.
> 
> Amavisd should bypass/dunno this mail and continue sending it out, isn't
> it?

Please try the following patch (for 2.6.4), it will let LDAP lookup
code ignore the LDAP_NO_SUCH_OBJECT status, and avoid
retry attempts in cases where they are unlikely to succeed.


--- amavisd~	2011-03-29 03:09:05.000000000 +0200
+++ amavisd	2011-03-29 17:06:42.919174884 +0200
@@ -15069,5 +15069,5 @@
 sub do_search {
   my($self,$base,$scope,$filter) = @_;
-  my($result);
+  my($result,$error_name);
   $self->ldap or die "do_search: ldap not available";
   do_log(5,"lookup_ldap: searching base=\"%s\", scope=\"%s\", filter=\"%s\"",
@@ -15079,5 +15079,13 @@
                                     deref  => $self->{deref},
                                     );
-    if ($result->code) { die $result->error_name, "\n"; }
+    if ($result->code) {
+      $error_name = $result->error_name;
+      if ($error_name eq 'LDAP_NO_SUCH_OBJECT') {
+        # probably alright, e.g. a foreign %d
+        do_log(4, 'do_search failed in "%s": %s', $base, $error_name);
+      } else {
+        die $error_name."\n";
+      }
+    }
     1;
   } or do {
@@ -15086,6 +15094,9 @@
     if ($err !~ /^LDAP_/) {
       die "do_search: $err";
-    } else {  #  LDAP related error
-      do_log(0, "NOTICE: do_search: trying again: %s", $err);
+    } elsif ($error_name !~ /^LDAP_(?:BUSY|UNAVAILABLE|UNWILLING_TO_PERFORM|
+                             TIMEOUT|SERVER_DOWN|CONNECT_ERROR|OTHER)\z/x) {
+      die "do_search: failed: $error_name\n";
+    } else {  # LDAP related error, worth retrying
+      do_log(0, "NOTICE: do_search: trying again: %s", $error_name);
       $self->disconnect_from_ldap;
       $self->connect_to_ldap;
@@ -15351,6 +15362,7 @@
   eval {
     snmp_count('OpsLDAPSearch');
-    my($result) = $conn_h->do_search($base, $self->{scope}, $filter);
-    my(@entry) = $result->entries;
+    my(@entry);
+    my($search_obj) = $conn_h->do_search($base, $self->{scope}, $filter);
+    @entry = $search_obj->entries  if $search_obj && !$search_obj->code;
     my(%mv_ldap_attrs) = map { (lc($_), 1) } @mv_ldap_attrs;
     for my $entry (@entry) {


Mark