On Mon, Aug 19, 2013 at 10:08:18PM +0100, Rowland Penny wrote:

> >There is no such thing as "the relevant email addresses", all
> >addresses selected by the filter and result attributes are equally
> >relevant.
>
> When I said "the relevant email addresses", I meant, get from the
> group members the contents of the 'otherMailbox' attributes where
> said contents end with the email domain from the mailgroup's mail
> attribute.

This ad-hoc interpretation of "relevance" is not described in any LDAP
standards documents. There is no reason to expect that the member
addresses of a group are restricted to the same domain as the group.

> As in when searching for mailgr...@example.com, the result should be
> just f...@example.com and should not also bring f...@otherdomain.com

That's what you might want in this case, but there is no reason to
expect groups to work this way.

> >>D) Return only mail addresses that end in the mailgroup's domain.
> >
> >Sorry, LDAP does not work that way. Your LDAP groups must expand
> >to the correct list of member addresses (primary addresses of group
> >members).
>
> So, from what you are saying, if you have multiple attributes with
> the same name under a user's DN then you can only select all of them
> and not just the one you require if you search the group.

You have a single attribute with multiple values, not multiple
attributes with the same name. Result attributes in matching LDAP
entries are returned in full.

> I know that OpenLDAP works differently from Windows AD, but AD is
> what I am trying to work with.

This has nothing to do with AD vs. OpenLDAP. If you want to return a
particular single address for each user, you need to select a result
attribute that contains *only* that address. AD allows you to extend
the schema. If nothing suitable is available, you can populate a
custom attribute.

--
	Viktor.
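The point Viktor makes (a filter selects entries, and every value of a requested result attribute comes back whole) can be seen in the following added example, which is not part of the thread and uses a constructed in-memory directory; the user names, the group DN and the single-valued custom attribute `primaryGroupMail` are assumptions standing in for a schema extension.

```python
# Constructed directory modelled as the attribute maps an LDAP server
# returns: every attribute is a list of values (multi-valued = several
# values under ONE attribute name, not several attributes).
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "otherMailbox": ["alice@example.com", "alice@otherdomain.com"],
        "primaryGroupMail": ["alice@example.com"],  # hypothetical custom attr
    },
    "cn=bob,ou=people,dc=example,dc=com": {
        "otherMailbox": ["bob@otherdomain.com", "bob@example.com"],
        "primaryGroupMail": ["bob@example.com"],
    },
    "cn=mailgroup,ou=groups,dc=example,dc=com": {
        "mail": ["mailgroup@example.com"],
        "member": ["cn=alice,ou=people,dc=example,dc=com",
                   "cn=bob,ou=people,dc=example,dc=com"],
    },
}


def ldap_search(filter_attr, filter_value, result_attrs):
    """Return entries whose filter_attr contains filter_value.

    As in a real LDAP search, the filter only decides WHICH entries match;
    each requested result attribute is returned in full, never a subset
    of its values chosen by some notion of 'relevance'."""
    hits = []
    for entry in DIRECTORY.values():
        if filter_value in entry.get(filter_attr, []):
            hits.append({a: list(entry.get(a, [])) for a in result_attrs})
    return hits


def expand_group(group_address, result_attr):
    """Two-step group expansion: group entry -> member DNs -> result_attr.

    The only way to get exactly one address per member is to name a
    result attribute that holds exactly one address."""
    addresses = []
    for group in ldap_search("mail", group_address, ["member"]):
        for member_dn in group["member"]:
            addresses.extend(DIRECTORY.get(member_dn, {}).get(result_attr, []))
    return sorted(addresses)


if __name__ == "__main__":
    print(expand_group("mailgroup@example.com", "otherMailbox"))     # all four
    print(expand_group("mailgroup@example.com", "primaryGroupMail"))  # two
```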