On Mon, Oct 10, 2011 at 12:37:02PM +1030, Tom Lanyon wrote:

> > When using a LDAP lookup table the 'special_result_attribute'
> > parameter is available to allow me to recurse to other DNs [e.g.
> > recursing to members of a LDAP group].  I can also use the
> > 'leaf_result_attribute' parameter to select the attribute I want
> > to return from those recursive DN lookups, but I can't find a way
> > to filter that recursive lookup to avoid returning
> > 
> > As an example, I have a group with a bunch of members, but a
> > few of those members' objects are marked as 'disabled'.  I'd like
> > to recurse through the group's member DNs to find their 'mail'
> > attribute, but only for members who don't have the 'disabled'
> > attribute set to true [e.g. apply a filter of "(!(disabled=true))"].
> > 
> > Is it possible to apply such a filter on the recursive DN search?
> 
> This is fine, and recurses on the memberdn attributes to find
> the mail attributes for the listed users, but we need a way to
> filter that recursion with a (!(accountLock=true)) filter so that
> even though bob is a group member, his account is disabled so his
> address shouldn't be expanded...

Postfix does not have any support for filtering the entries expanded
via special_result_attribute DN values. This is semantically questionable
in any case; such member objects are supposed to be no less part of the
group than a string-valued multi-valued "memberaddress" list.

To get more complex behaviour, either use ldap_uri valued groups (dynamic
groups) or use a target attribute (say "maildrop") that is absent in
disabled objects:

enabled user:

        mail: primary_addr...@example.com
        mailalternateaddress: primary_addr...@example.com
        mailalternateaddress: secondary_addr...@example.com
        maildrop: mboxaddr...@mailhub.example.com

disabled user:

        mail: primary_addr...@example.com
        mailalternateaddress: primary_addr...@example.com
        mailalternateaddress: secondary_addr...@example.com

Postfix group table:

        query_filter = mail=%s
        special_result_attribute = memberdn
        terminal_result_attribute = maildrop

-- 
        Viktor.
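A small model of the expansion described in the reply above, added here as an illustration (it is not Postfix code and is not part of the original thread). It uses a constructed in-memory directory with made-up DNs and addresses, applies the three table settings from the message (with result_attribute left at its ldap_table default of maildrop), and shows why the disabled member simply drops out when the recursion reaches it.

```python
"""Toy model of how a Postfix ldap_table expands a group lookup.

Added example, not Postfix code. The directory below is constructed:
DNs and addresses are made up, attribute names follow the message.
"""
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "mail": ["staff@example.com"],
        "memberdn": ["uid=alice,ou=people,dc=example,dc=com",
                     "uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {   # enabled: has maildrop
        "mail": ["alice@example.com"],
        "maildrop": ["alice@mailhub.example.com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {     # disabled: no maildrop
        "mail": ["bob@example.com"],
        "accountLock": ["true"],
    },
}

# Table settings from the message; result_attribute is the ldap_table
# default ("maildrop"), recursion_limit the Postfix default (1000).
CONFIG = {
    "result_attribute": {"maildrop"},
    "special_result_attribute": {"memberdn"},
    "terminal_result_attribute": {"maildrop"},
    "recursion_limit": 1000,
}

def expand(entry, cfg=CONFIG, depth=0):
    """Return the addresses one LDAP entry contributes to a lookup."""
    if depth >= cfg["recursion_limit"]:
        raise RecursionError("LDAP recursion limit reached")
    # A terminal attribute short-circuits the entry: nothing else counts.
    terminal = [v for a in cfg["terminal_result_attribute"] for v in entry.get(a, [])]
    if terminal:
        return terminal
    results = [v for a in cfg["result_attribute"] for v in entry.get(a, [])]
    # Special attributes hold DNs; every DN is followed, unfiltered.
    # A member without maildrop (bob) contributes nothing.
    for a in cfg["special_result_attribute"]:
        for dn in entry.get(a, []):
            member = DIRECTORY.get(dn)
            if member is not None:
                results.extend(expand(member, cfg, depth + 1))
    return results

def lookup(address, query_filter_attr="mail"):
    """Apply query_filter = mail=%s, then expand each matching entry."""
    return [v for e in DIRECTORY.values()
            if address in e.get(query_filter_attr, []) for v in expand(e)]
```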
