On 19/08/13 20:11, Viktor Dukhovni wrote:
On Mon, Aug 19, 2013 at 07:51:50PM +0100, Rowland Penny wrote:
On 19/08/13 19:28, Viktor Dukhovni wrote:
On Mon, Aug 19, 2013 at 06:25:24PM +0100, Rowland Penny wrote:
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = otherMailbox
special_result_attribute = member
I have added a couple of otherMailbox attributes to a user called
fred, one is f...@example.com, the other is f...@anotherdomain.com.
I then added fred to the example.com group.
When you specify a multi-valued result attribute (or leaf or terminal
result attribute) each value will be part of the result.
I then ran this command:
postmap -q mailgr...@example.com ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf
This is where the problem comes in, I expected to just get back
f...@example.com, but instead I get f...@example.com and
f...@anotherdomain.com
As expected. If you want a single value back, use a single-valued
attribute.
Thanks. So what you are saying is to use the mail attribute, but on
AD, you can only have one mail attribute, what happens if your user
has more than one email address?
What I am saying is that if you want a single address back, (which
is what you appeared to be asking for), you should use a single-valued
result attribute.
What I thought should happen is
A) search for the mailgroup via its mail address
B) Once the mailgroup is found, get all its members
C) Then from the members, get the relevant email addresses from the
'otherMailbox' attributes, based on the domain part of the email
address of the mailgroup I searched for in the first place.
There is no such thing as "the relevant email addresses", all
addresses selected by the filter and result attributes are equally
relevant.
When I said "the relevant email addresses", I meant, get from the group
members the contents of the 'otherMailbox' attributes where said
contents end with the email domain from the mailgroup's mail attribute.
As in when searching for mailgr...@example.com, the result should be
just f...@example.com and should not also bring f...@otherdomain.com
D) Return only mail addresses that end in the mailgroup's domain.
Sorry, LDAP does not work that way. Your LDAP groups must expand
to the correct list of member addresses (primary addresses of group
members).
So, from what you are saying, if you have multiple attributes with the
same name under a user's DN then you can only select all of them and not
just the one you require if you search the group.
I know that OpenLDAP works differently from Windows AD, but AD is what I
am trying to work with.
Rowland
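The behaviour discussed in this thread (a group found by its mail address is expanded through special_result_attribute = member, and every value of the multi-valued leaf attribute comes back, with no filtering by domain) can be shown with a small model of the lookup. The code below is an added example, not code from the thread or from Postfix itself: the directory contents (fred, mailgroup, a nested allstaff group, the addresses) are constructed, the expansion rules are a simplified reading of ldap_table(5), and the recursion limit is an assumed guard against member cycles.

```python
# Added example (not from the thread, not Postfix code): a simplified model of how
# a Postfix ldap_table(5) lookup expands a group via special_result_attribute.
from typing import Dict, List, Sequence

Entry = Dict[str, List[str]]

# Constructed directory modelled on the thread: fred carries one 'mail' value
# and two 'otherMailbox' values; the group's 'member' attribute holds fred's DN;
# 'allstaff' is a nested group whose member is mailgroup (added to show recursion).
DIRECTORY: Dict[str, Entry] = {
    "CN=fred,OU=Users,DC=example,DC=com": {
        "objectclass": ["user"],
        "mail": ["fred@example.com"],
        "otherMailbox": ["fred@example.com", "fred@anotherdomain.com"],
    },
    "CN=mailgroup,OU=Groups,DC=example,DC=com": {
        "objectclass": ["group"],
        "mail": ["mailgroup@example.com"],
        "member": ["CN=fred,OU=Users,DC=example,DC=com"],
    },
    "CN=allstaff,OU=Groups,DC=example,DC=com": {
        "objectclass": ["group"],
        "mail": ["allstaff@example.com"],
        "member": ["CN=mailgroup,OU=Groups,DC=example,DC=com"],
    },
}


def search_groups_by_mail(directory: Dict[str, Entry], address: str) -> List[str]:
    """Model of query_filter = (&(objectclass=group)(mail=%s)); returns matching DNs."""
    return [dn for dn, e in directory.items()
            if "group" in e.get("objectclass", []) and address in e.get("mail", [])]


def expand_entry(directory: Dict[str, Entry], dn: str,
                 special_attrs: Sequence[str], leaf_attrs: Sequence[str],
                 result_attrs: Sequence[str] = (), depth: int = 0,
                 limit: int = 1000) -> List[str]:
    """Collect values from one entry, following DNs found in special_attrs.

    Simplified rules (after ldap_table(5)):
      * result_attribute values are taken from every entry visited;
      * leaf_result_attribute values are taken only from entries that carry
        none of the special_result_attribute(s), i.e. from the leaves;
      * every value of a multi-valued attribute is returned; nothing filters them.
    The depth limit is an assumed guard so a member cycle cannot recurse forever.
    """
    if depth > limit:
        raise RecursionError(f"special_result_attribute chain deeper than {limit}")
    entry = directory.get(dn)
    if entry is None:  # dangling member DN: contributes nothing
        return []
    values: List[str] = []
    for attr in result_attrs:
        values.extend(entry.get(attr, []))
    child_dns = [v for attr in special_attrs for v in entry.get(attr, [])]
    if child_dns:
        for child in child_dns:
            values.extend(expand_entry(directory, child, special_attrs, leaf_attrs,
                                       result_attrs, depth + 1, limit))
    else:
        for attr in leaf_attrs:
            values.extend(entry.get(attr, []))
    return values


def postmap_query(directory: Dict[str, Entry], address: str,
                  leaf_attrs: Sequence[str],
                  special_attrs: Sequence[str] = ("member",)) -> List[str]:
    """Model of `postmap -q address ldap:...` for the thread's table definition."""
    values: List[str] = []
    for dn in search_groups_by_mail(directory, address):
        values.extend(expand_entry(directory, dn, special_attrs, leaf_attrs))
    return values


if __name__ == "__main__":
    # leaf_result_attribute = otherMailbox: both of fred's values come back.
    print(postmap_query(DIRECTORY, "mailgroup@example.com", ("otherMailbox",)))
    # leaf_result_attribute = mail: the single-valued attribute yields one address.
    print(postmap_query(DIRECTORY, "mailgroup@example.com", ("mail",)))
```

Running the two queries side by side reproduces the exchange: with otherMailbox as the leaf attribute the lookup returns both of fred's addresses, and switching the leaf attribute to the single-valued mail attribute is what yields exactly one address per member, which is the point made in the replies above.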