Hi Victor,

OK, I know my question is a bit confusing. That's because I tried to "simplify" the case I face with a generic example. It seems simplification leads to more confusion... sorry! Here below is the real case:

in main.cf:

check_recipient_access ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf

$cat ldapUserAccess_mgrprfc822mailmember.cf
server_host = ldap://fe-ldap1-data:389
search_base = ou=fe1,o=fe
bind_dn = cn=root DN
bind_pw = xxxxxx
version = 3
query_filter = (&(mgrprfc822mailmember=%s)(|(objectclass=mailrecipient)(objectclass=inetlocalmailrecipient)(objectclass=mailgroup)(objectclass=inetmailgroup)))
domain = hash:/etc/postfix/relay_domains
result_attribute = mail
bind = yes
result_filter = OK
expansion_limit = 1

Here below is the error message I have with some recipients' email addresses:

postmap -q "j...@u.org" ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf
warning: dict_ldap_lookup: Search error 4: Size limit exceeded

WHY? => Because for these recipients' email addresses the query_filter matches several times in the LDAP and the expansion_limit is set to 1.

$ldap | grep j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org
mgrpRFC822MailMember: j...@u.org

If I set the expansion_limit to 0 then, as each entry (dn) has a mail attribute, I will have the following:

postmap -q "j...@u.org" ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf
OK,OK,OK,OK,OK,OK

That's my problem. Is it possible to only have one OK as a result?

Rgds
Alain

----- Original Message -----
From: Victor Duchovni <victor.ducho...@morganstanley.com>
Date: Thursday, May 7, 2009 3:29 pm
Subject: Re: ldap and result_filter question
To: postfix <post...@spam3.gm.transpac.fr>
Cc: postfix-users@postfix.org

> On Wed, May 06, 2009 at 11:54:42AM +0200, postfix wrote:
>
> > Hi,
> >
> > I am using Postfix 2.5.5.
> >
> > I would like to test recipients against a ldap query.
> > I have 2 mailAlternateAddress attributes for the ldap entry which
> > mail attribute is post...@spam3.gm.transpac.fr:
> > # postmap -q post...@spam3.gm.transpac.fr ldap:/etc/postfix/ldapUserAccessTest.cf
> > OK,OK
>
> When LDAP is used as an access(5) table, use a single-valued result
> attribute and a query that always matches at most one LDAP entry.
>
> > #cat ldapUserAccessTest.cf
> > server_host = 10.1.1.64
> > server_port = 389
> > search_base = o=spam3.gm.transpac.fr, o=antipam, o=cd3
> > bind_dn = cn=root DN
> > bind_pw = xxxxxxx
> > version = 3
> > query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(mailUserStatus=active))
> > result_attribute = mailAlternateAddress
> > bind = yes
> > result_filter = OK
> > expansion_limit = 0
>
> Don't set the limit to 0, that means "unlimited". Do use a single-valued
> result attribute. Undoubtedly there is at least one single-valued
> attribute in the LDAP schema of the class in question.
>
> > Any idea knowing that the condition is to keep "result_attribute =
> > mailAlternateAddress" (so not use any other result attribute as for
> > example "result_attribute = mail" - which I know works) ?
>
> Why impose nonsensical restrictions? If the attribute value is not
> actually used (replaced with the fixed string "OK"), what would
> motivate you to ask for a particularly non-useful attribute?
>
> --
> Viktor.
>
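
Why both lookups in this thread come back with repeated OKs, shown as an added example that is not part of the original messages and is not Postfix code: a simplified Python model (an assumption of this example) in which every value of result_attribute in every entry matched by query_filter yields one result element. The entries, addresses and the TempLookupError name are constructed for illustration.

```python
# Simplified model of LDAP table result assembly (illustrative assumption,
# not Postfix source). One result element is produced per attribute value
# per matched entry; elements are joined with commas.

class TempLookupError(Exception):
    """Stands in for the temporary failure reported when the limit is hit
    (on the page: 'Search error 4: Size limit exceeded')."""

def ldap_table_lookup(entries, result_attribute, result_filter="%s",
                      expansion_limit=0):
    """entries: dicts (attribute -> list of values) already matched by the
    query_filter. expansion_limit=0 means unlimited."""
    results = []
    for entry in entries:
        for value in entry.get(result_attribute, []):
            # result_filter = OK contains no %s, so each value becomes "OK"
            results.append(result_filter.replace("%s", value))
            if expansion_limit and len(results) > expansion_limit:
                raise TempLookupError("limit exceeded")
    return ",".join(results) if results else None

# Constructed data: six group entries all listing the same member address,
# each with its own single-valued mail attribute (the mgrpRFC822MailMember case).
SIX_GROUPS = [{"mail": ["group%d@example.org" % i],
               "mgrpRFC822MailMember": ["user@example.org"]} for i in range(6)]

# Constructed data: one entry with two mailAlternateAddress values
# (the case from the quoted message).
TWO_ALIASES = [{"mail": ["postmaster@example.org"],
                "mailAlternateAddress": ["a1@example.org", "a2@example.org"]}]

if __name__ == "__main__":
    print(ldap_table_lookup(SIX_GROUPS, "mail", "OK", 0))
    print(ldap_table_lookup(TWO_ALIASES, "mailAlternateAddress", "OK", 0))
    # One matched entry plus a single-valued attribute gives a single OK.
    print(ldap_table_lookup(TWO_ALIASES, "mail", "OK", 1))
    try:
        ldap_table_lookup(SIX_GROUPS, "mail", "OK", 1)
    except TempLookupError as exc:
        print("temporary failure:", exc)
```
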