>>> On 10/06/2009 at 12:17 p.m., Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Wed, Jun 10, 2009 at 10:10:17AM +1200, Kevin Sartorelli wrote:
>
>> domain = irdtest.govt.nz
> This limits the lookup keys to just u...@domain forms in the specified
> domain, are you sure that's what you want???

Yes

>> result_attribute = mail
> Why would a user's email address ("mail" result attribute) be a useful
> transport(5) table result?

Maybe I don't need this at all then. BUT if I don't have something here then I don't get anything returned.

>> size_limit = 1
>> result_format = relay:10.40.40.61
> You are missing "[", "]" around the literal IP address.

Ah, yes - fixed.

> The result format is independent of the lookup key, what is the point
> of this?

I want any user who is in the LDAP directory to be relayed to another machine. Any user not in the LDAP gets handled locally.

> and really should come from the directory. Why not route the whole domain
> this really via a simple indexed file transport table?
>
> ird.govt.nz relay:[10.40.40.61]
>
> LDAP does not add any value here, unless users not in the directory have
> a different route...

Correct. If they are in the LDAP directory then the mail should be directed to one point, otherwise it is handled locally.

>> However, when there is more than one account with the same email address
>> I get:
> Why on earth are there multiple accounts with the same primary mail address?
> Or is the "mail" attribute of the user in question multi-valued? (Also
> not a good idea).

Simple answer - user error. There shouldn't be but I have no control over what goes into the LDAP directory. While there shouldn't be any duplicate email addresses there are and I tripped over one in testing. Guess I want to handle this case in a graceful manner rather than deferring until it is noticed or times out.

>> My reading of the ldap_table man page indicates that this will happen
>> for the 'expansion_limit' parameter, but not the 'size_limit' parameter.
> A limit is a limit.

I was hoping it would only return 1 entry rather than error if there was more than one.

>> Anyone have an idea how I can get my LDAP lookup to return only one
>> record regardless of the number of accounts with the same email address?
> If you want a single result, use a query that always returns exactly
> one value, meaning, exactly one matching "entry" with a *single-valued*
> result attribute.

OK, thanks. Wish I had more control over the contents of the LDAP I have to look in.

Cheers
Kevin