On 24/08/13 03:42, Viktor Dukhovni wrote:
On Fri, Aug 23, 2013 at 03:01:52PM +0100, Rowland Penny wrote:
dn: CN=albert,CN=Users,DC=example,DC=com
otherMailbox: alb...@example.com
otherMailbox: alb...@domain1.com
otherMailbox: alb...@domain2.com

The only problem that I have found is, any LDAP search with
'result_attribute = otherMailbox' fails, in that it returns with all
of the 'otherMailbox' attributes, so postfix would then try to
deliver the email to all the mail addresses.
This is correct behaviour, Postfix works as designed, and many
other users of LDAP rely on this behaviour.
I understand this, I accept this, what I am asking for would not
affect this.
Now I know that assumed wisdom is to use a single-value attribute
such as 'mail' but this would mean that any mail for a user would
end up in just one mailbox and sort of defeats the object of having
multiple email addresses.
Correct, mail for a user goes to a fixed mailbox or set of mailboxes.
You decide whether you want one or many.
This is what I am trying to do, get the mail into the correct mailbox, 
not into many mailboxes, just one. If I was to use iRedmail on openldap, 
I could have the same user in different maildomains and just get one 
result per maildomain. I have moved the maildomain users' mailbox 
attributes to the AD users' DN but cannot select just the mailbox required.
Can I please propose a solution ;-) or in otherwords, can I please
ask for an enhancement.
The meaning of multi-valued attributes in LDAP searches is unlikely
to change.
I am not asking you to change the meaning of multi-value attributes, but 
whilst we are talking about them, the name is a bit misleading. On AD, 
'mail' is a single-valued attribute that can occur only once but can 
contain multiple values, multi-valued attributes can occur several 
times, so shouldn't the 'valued' part really be 'instance'?
The LDAP search works but it is returning with any 'otherMailbox'
attributes it find, even if most of them have nothing to do with the
domain that was included in the search (%d).
The search was looking up a group with a particular address.  It
is a mistake to impute any other meaning to the domain part of the
group email address.
Why is it a mistake?
The search is looking up a group via its 'mail' address and then returning all of its members email addresses, this is the same search that iRedmail uses, so if you have a problem with it, take it up with iRedmail. The only difference between the iRedmail search and mine is the returned attribute, they use 'mail' because their users are stored under the domain-name and hence they have the user stored several times, I use 'otherMailbox' and store it under the users DN and the user is stored once.
So my suggestion would be to add another switch to 'result_format',
'AD' for instance, if this switch is turned on (result_format = %AD)
then any result the LDAP search returns is passed through another
filter which removes any addresses where the domain does not match
the original search domain.
Sorry, this is an ad-hoc hack to support a misguided interpretation
of group membership.  No such feature is remotely likely.  I suggest
you rethink your design.

Right, so my proposed filter is an ad-hoc design to suit a problem, so I presume that 'leaf_result' is not? Also you seem to be misunderstanding the way that AD tracks members of a group.
So, how would you design a mail system to run on AD? Use the same old 
system of storing the same user several times under multiple domains? If 
so, you are totally missing the point of SSO.
Rowland
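The behaviour argued about above can be seen in a small model. The following is an added illustration, not Postfix source and not code from either participant: a constructed directory in which a group entry points at user entries via `member`, a lookup that collects every value of a multi-valued `otherMailbox` on the members (which is what Postfix does, as Viktor states), and the domain post-filter that Rowland proposes, which does not exist in Postfix and is shown here only as a hypothetical. The directory contents, group name and helper function names are all made up for the example.

```python
"""Toy model of a Postfix LDAP alias lookup against an AD-style directory.

Constructed example (not Postfix code). It mimics how a virtual_alias_maps
LDAP table expands a group into its members' addresses and returns every
value of a multi-valued result attribute, then applies the hypothetical
domain post-filter discussed in the thread.
"""

# Constructed sample directory: DN -> attributes. Multi-valued attributes
# are lists, mirroring LDAP semantics. Addresses are invented.
DIRECTORY = {
    "CN=sales,CN=Users,DC=example,DC=com": {
        "mail": ["sales@domain1.com"],
        "member": [
            "CN=albert,CN=Users,DC=example,DC=com",
            "CN=bertha,CN=Users,DC=example,DC=com",
        ],
    },
    "CN=albert,CN=Users,DC=example,DC=com": {
        "mail": ["albert@example.com"],
        "otherMailbox": [
            "albert@example.com",
            "albert@domain1.com",
            "albert@domain2.com",
        ],
    },
    "CN=bertha,CN=Users,DC=example,DC=com": {
        "mail": ["bertha@example.com"],
        "otherMailbox": ["bertha@example.com", "bertha@domain1.com"],
    },
}


def split_address(addr):
    """Return (localpart, lowercased domain); reject strings without both."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return local, domain.lower()


def lookup_group_members(directory, address, result_attribute="otherMailbox",
                         special_result_attribute="member"):
    """Model of the group expansion: find the entry whose 'mail' equals the
    queried address, follow each DN in the special result attribute, and
    collect EVERY value of result_attribute found on the member entries.
    Returning all values is the multi-valued semantics the thread is about."""
    results = []
    for attrs in directory.values():
        if address.lower() in (m.lower() for m in attrs.get("mail", [])):
            for member_dn in attrs.get(special_result_attribute, []):
                leaf = directory.get(member_dn, {})
                results.extend(leaf.get(result_attribute, []))
    return results


def filter_by_query_domain(results, queried_address):
    """Hypothetical post-filter (NOT a Postfix feature): keep only results
    whose domain equals the domain part of the address that was looked up."""
    _, wanted = split_address(queried_address)
    return [r for r in results if split_address(r)[1] == wanted]


def expand(directory, address, apply_domain_filter=False):
    """Expand an alias the way the table would, optionally post-filtered."""
    results = lookup_group_members(directory, address)
    if apply_domain_filter:
        results = filter_by_query_domain(results, address)
    return results


if __name__ == "__main__":
    # Unfiltered: all five otherMailbox values, so mail would go to all of them.
    print(expand(DIRECTORY, "sales@domain1.com"))
    # With the proposed filter: only the domain1.com addresses survive.
    print(expand(DIRECTORY, "sales@domain1.com", apply_domain_filter=True))
```

Running it shows the two outcomes side by side: the unfiltered expansion hands back every `otherMailbox` value of every member, which is why a real Postfix table with `result_attribute = otherMailbox` delivers to all of them, while the filtered variant keeps only the addresses whose domain matches the queried group address.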
