On 19/08/13 23:15, Viktor Dukhovni wrote:
> On Mon, Aug 19, 2013 at 10:32:27PM +0100, Rowland Penny wrote:
>
>>> If you want to return
>>> a particular single address for each user, you need to select a
>>> result attribute that contains *only* that address.
>>
>> That is what I was trying to do, do a search of a group, get its
>> members and return the 'otherMailbox' from the group members that
>> contain the members CN@%d.
>
> There is no reasonable expectation that an LDAP query will return
> a subset of the requested attribute values.  LDAP returns the
> totality of the requested attribute values for all entries that
> match the query filter.  The LDAP query language is much more
> limited than SQL.
>
>> But from what you are saying, this is not possible and whilst I can
>> search via the group, I will get every 'otherMailbox' attribute
>> under every member of the mailgroup and there is no way to fix this.
>
> Yes, naturally.
>
>> I will have to rethink this, there must be another way of getting
>> what I want, this is after all unix ;-)
>
> Unix has little to do with it, this is LDAP.  If you are querying
> LDAP live, you are limited by the capabilities of LDAP.  The Postfix
> LDAP driver does not add a filter language to post-process LDAP
> results.  So LDAP is what you get.
>
> AD allows you to extend the schema.  If nothing suitable is available,
> you can populate a custom attribute.
>
>> The problem with AD is that whilst it is a version of LDAP, it is a
>> very bastardized version, moulded by MS to do what they wanted to
>> do, you cannot do with AD what you can do very easily with LDAP.
>
> This is a poor excuse.  I've extended the AD schema with custom
> attributes holding email addresses, it is relatively simple to do.
>
> I am still puzzled why you don't want to use "mail" as the leaf
> result attribute.  This will return one address per mailgroup user.
>
> If you are looking to add users to groups in such a way that the
> member address depends on the group's domain, you've likely made
> a design error somewhere else that is forcing you to jump through
> hoops.  All groups a user is a member of should route mail to the
> same address or set of addresses for each user.

Ok, I have tried to find an answer to my problem and failed.

I will explain what I am trying to do: I have added the iRedmail schema to a Samba 4 AD server and am trying to build an email server based on iRedmail and AD SSO, i.e. one user, one password, multiple email domains.

Let me explain the problem as I see it.

LDAP mail servers typically store domain users under a separate OU per domain, and if a user has three (or more) mail addresses, he would be listed in three different places but he would still be the same user.

Active Directory seems to work differently, you have the user in one place with one password and you can have all the users email addresses stored under their DN in Multi-value attributes, I decided to use the 'otherMailbox' attribute.

i.e.

dn: CN=albert,CN=Users,DC=example,DC=com

otherMailbox: alb...@example.com
otherMailbox: alb...@domain1.com
otherMailbox: alb...@domain2.com

The only problem that I have found is, any LDAP search with 'result_attribute = otherMailbox' fails, in that it returns with all of the 'otherMailbox' attributes, so postfix would then try to deliver the email to all the mail addresses.

Now I know that assumed wisdom is to use a single-value attribute such as 'mail' but this would mean that any mail for a user would end up in just one mailbox and sort of defeats the object of having multiple email addresses.

Can I please propose a solution ;-) or, in other words, can I please ask for an enhancement.

The LDAP search works but it is returning any 'otherMailbox' attributes it finds, even if most of them have nothing to do with the domain that was included in the search (%d). So my suggestion would be to add another switch to 'result_format', 'AD' for instance; if this switch is turned on (result_format = %AD) then any result the LDAP search returns is passed through another filter which removes any addresses where the domain does not match the original search domain.

I know that this would work, because I created a small bash script around the 'postmap ldap:' commands and got the expected results, no matter what ldap .cf I ran it with.

Please do not suggest that I write the code, because to me C comes between B & D ;-) I can write bash scripts (but I am by no means an expert) but I fear that C is beyond me.

Thanks

Rowland
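The post-filter described above, written out as an added example (this is not Rowland's script and not part of Postfix): the function name `filter_by_domain`, the comma-separated result layout and the sample addresses are assumptions, and the filter compares the whole domain part case-insensitively so that a value in a look-alike domain such as `domain1.com.test` does not slip through for a key in `domain1.com`.

```sh
#!/bin/sh
# Added illustration of the wrapper idea from the post above; not Rowland's
# script and not Postfix code.  Assumes the multi-valued 'otherMailbox' result
# arrives as a comma- or newline-separated list (postmap -q prints such lists
# with commas) and that the lookup key is a full user@domain address.
#
# filter_by_domain KEY ADDRESSES
#   Prints only the addresses whose domain part equals KEY's domain.
#   Returns 1 if KEY carries no domain at all, because then there is nothing
#   sensible to match against and silently passing every value would be wrong.
filter_by_domain() {
    key=$1
    addrs=$2
    case $key in
        *@*) ;;
        *)   return 1 ;;
    esac
    # Domain of the key, lower-cased: DNS names are case-insensitive.
    want=$(printf '%s' "${key##*@}" | tr 'A-Z' 'a-z')
    printf '%s\n' "$addrs" | tr ',' '\n' | while IFS= read -r addr; do
        # Strip surrounding whitespace left over from ", " separators.
        addr=$(printf '%s' "$addr" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $addr in
            *@*)
                have=$(printf '%s' "${addr##*@}" | tr 'A-Z' 'a-z')
                # Whole-domain comparison, not a suffix or substring match.
                if [ "$have" = "$want" ]; then
                    printf '%s\n' "$addr"
                fi
                ;;
            *)
                ;;   # blank or malformed entry: skip
        esac
    done
}

# Constructed sample values, modelled on the LDIF in the post.
SAMPLE_RESULT='albert@example.com,albert@domain1.com,albert@domain2.com'
filter_by_domain 'albert@domain1.com' "$SAMPLE_RESULT"
```

The directory still hands every value to the lookup; only what reaches Postfix is narrowed, which is why a single-valued or custom attribute, as suggested earlier in the thread, avoids the problem at its source.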
