On 20/09/2011, at 11:04 AM, Tom Lanyon wrote:

> When using a LDAP lookup table the 'special_result_attribute' parameter is
> available to allow me to recurse to other DNs [e.g. recursing to members of a
> LDAP group]. I can also use the 'leaf_result_attribute' parameter to select
> the attribute I want to return from those recursive DN lookups, but I can't
> find a way to filter that recursive lookup to avoid returning
>
> As an example, I have a group with a bunch of members, but a few of those
> members' objects are marked as 'disabled'. I'd like to recurse through the
> group's member DNs to find their 'mail' attribute, but only for members who
> don't have the 'disabled' attribute set to true [e.g. apply a filter of
> "(!(disabled=true))"].
>
> Is it possible to apply such a filter on the recursive DN search?

No bites on this... perhaps it'd help if I gave an example:

LDAP:

    dn: cn=tech-staff,ou=Groups,dc=example,dc=com
    objectclass: top
    objectclass: ldapgroup
    cn: tech-staff
    mail: tech-st...@example.com
    memberdn: uid=adam,ou=People,dc=example,dc=com
    memberdn: uid=bob,ou=People,dc=example,dc=com
    memberdn: uid=chuck,ou=People,dc=example,dc=com

    dn: uid=adam,ou=People,dc=example,dc=com
    objectclass: top
    objectclass: ldapuser
    uid: adam
    mail: a...@example.com

    dn: uid=bob,ou=People,dc=example,dc=com
    objectclass: top
    objectclass: ldapuser
    uid: bob
    mail: b...@example.com
    accountLock: true

Postfix (ldap-group-aliases.cf):

    search_base = ou=Groups,dc=example,dc=com
    query_filter = mail=%s
    result_attribute = mail
    special_result_attribute = memberdn

This is fine, and recurses on the memberdn attributes to find the mail
attributes for the listed users, but we need a way to filter that recursion
with a (!(accountLock=true)) filter so that even though bob is a group member,
his account is disabled so his address shouldn't be expanded...

Advice appreciated.

Regards,
Tom
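
Added example, not part of Tom's message and not Postfix code: a small Python model of the expansion the post asks for, where member DNs are followed but locked accounts and dangling DNs contribute no address. The function names and the mail values are assumptions; the sample directory is constructed from the entries in the post.

```python
# Constructed sample data mirroring the post; the mail values are
# placeholders because the post elides the real addresses.
LDIF = """\
dn: cn=tech-staff,ou=Groups,dc=example,dc=com
mail: list@example.com
memberdn: uid=adam,ou=People,dc=example,dc=com
memberdn: uid=bob,ou=People,dc=example,dc=com
memberdn: uid=chuck,ou=People,dc=example,dc=com

dn: uid=adam,ou=People,dc=example,dc=com
mail: user-adam@example.com

dn: uid=bob,ou=People,dc=example,dc=com
mail: user-bob@example.com
accountLock: true
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def is_locked(entry):
    # In-memory equivalent of the post's (accountLock=true) match.
    return any(v.lower() == "true" for v in entry.get("accountlock", []))

def member_mails(directory, dn, seen):
    """Mail values for one member DN, recursing into nested groups."""
    dn = dn.lower()
    entry = directory.get(dn)
    # Skip repeats and loops, dangling DNs (chuck) and locked accounts (bob).
    if dn in seen or entry is None or is_locked(entry):
        return []
    seen.add(dn)
    if "memberdn" in entry:
        return [m for d in entry["memberdn"] for m in member_mails(directory, d, seen)]
    return list(entry.get("mail", []))

def expand(directory, address):
    """Member addresses for every entry whose mail equals address."""
    seen, out = set(), []
    for entry in directory.values():
        if address.lower() in (m.lower() for m in entry.get("mail", [])):
            for dn in entry.get("memberdn", []):
                out.extend(member_mails(directory, dn, seen))
    return out
```

With the sample data, expanding the group address yields only adam's address: bob is dropped by the lock check and chuck because his DN has no entry.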