On Mon, Aug 19, 2013 at 07:51:50PM +0100, Rowland Penny wrote:

> On 19/08/13 19:28, Viktor Dukhovni wrote:
> >
> > On Mon, Aug 19, 2013 at 06:25:24PM +0100, Rowland Penny wrote:
> >
> >> query_filter = (&(objectclass=group)(mail=%s))
> >> leaf_result_attribute = otherMailbox
> >> special_result_attribute = member
> >>
> >> I have added a couple of otherMailbox attributes to a user called
> >> fred, one is f...@example.com, the other is f...@anotherdomain.com.
> >> I then added fred to the example.com group.
> >
> > When you specify a multi-valued result attribute (or leaf or terminal
> > result attribute) each value will be part of the result.
> >
> >> I then ran this command:
> >>
> >> postmap -q mailgr...@example.com ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf
> >>
> >> This is where the problem comes in. I expected to just get back
> >> f...@example.com, but instead I get f...@example.com and
> >> f...@anotherdomain.com
> >
> > As expected. If you want a single value back, use a single-valued
> > attribute.
>
> Thanks, so what you are saying is to use the mail attribute, but on
> AD, you can only have one mail attribute. What happens if your user
> has more than one email address?

What I am saying is that if you want a single address back (which is
what you appeared to be asking for), you should use a single-valued
result attribute.

> What I thought should happen is
>
> A) search for the mailgroup via its mail address
> B) Once the mailgroup is found, get all its members
> C) Then from the members, get the relevant email addresses from the
> 'otherMailbox' attributes, based on the domain part of the email
> address of the mailgroup I searched for in the first place.

There is no such thing as "the relevant email addresses"; all addresses
selected by the filter and result attributes are equally relevant.

> D) Return only mail addresses that end in the mailgroup's domain.

Sorry, LDAP does not work that way. Your LDAP groups must expand to the
correct list of member addresses (primary addresses of group members).

-- 
	Viktor.
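As an added illustration (not a file from the thread or from Postfix itself), this is the shape of ldap_table(5) map the answer above points to: the group is found by its address, expanded through `member`, and each member contributes its single-valued `mail` attribute. Server, search base and bind credentials are placeholders.

```ini
# /etc/postfix/ldap/ad_virtual_group_maps.cf (added example; placeholders below)
server_host = ldap://dc1.example.com
server_port = 389
version = 3
bind = yes
bind_dn = cn=postfix,cn=Users,dc=example,dc=com
bind_pw = CHANGE_ME
search_base = dc=example,dc=com
scope = sub

# Find the group whose address Postfix is expanding.
query_filter = (&(objectclass=group)(mail=%s))

# Expand the group: every DN in "member" is looked up in turn, and nested
# groups are followed because their entries also carry "member".
special_result_attribute = member

# result_attribute is left at its default (maildrop), which AD entries do not
# carry, so the group entry itself contributes no addresses.
# Leaf entries (the users reached through "member") return "mail", which is
# single-valued in AD, so each member yields exactly one address.
# With "leaf_result_attribute = otherMailbox" instead, every value of that
# multi-valued attribute comes back, whatever its domain: the map cannot
# filter results by the domain of the address that was queried.
leaf_result_attribute = mail
```

Query it with `postmap -q <group address> ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf`, as in the thread, and the result should be one primary address per member.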