We are using Postfix+ActiveDirectory and group aliases:
query_filter = (&(mail=%s)(objectClass=group))
result_attribute = mail
leaf_result_attribute = mail
special_result_attribute = member
The problem is that the special subquery returns disabled users
(useraccountcontrol:1.2.840.113556.1.4.803:=2), which we'd like to skip.
This problem was discussed earlier
https://marc.info/?l=postfix-users&m=131827035520537&w=2
The suggestion was:
either use ldap_uri valued groups (dynamic groups) or use a target
attribute (say "maildrop") that is absent in disabled objects.
Well, (1) AD doesn't support dynamic groups as far as I know, and (2) this
cannot be called a simple and reliable solution, since instead of the single
action well known in the AD world (disable user) we'll need a second one
(add/remove some attribute via ADUC or another LDAP tool).
So, it would be great if we had a way to specify an additional filter for the
special_result_attribute query. Something like this in our case:
special_query_filter=(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))
and the resulting query would be:
(&(dn={dn from special_result_attribute}){special_query_filter})
I guess it's not so hard to implement.
Thanks for your attention!
--
Best regards,
Sergey Urushkin
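
Added example (not part of the original message and not Postfix code): a simplified model of the member expansion the post asks for, where each member DN is checked against the proposed filter before its mail value is returned. The directory, DNs and addresses are constructed sample data, and the `expand` helper is hypothetical.

```python
# Simplified model of group expansion with a per-member filter, as proposed
# in the post. Runs on an in-memory directory; it does not contact AD.
ACCOUNTDISABLE = 0x2  # bit tested by useraccountcontrol:1.2.840.113556.1.4.803:=2

BASE = "dc=example,dc=com"  # constructed naming context
# Constructed sample entries keyed by DN (all names and values are made up).
DIRECTORY = {
    f"cn=staff,{BASE}": {"objectClass": "group", "mail": "staff@example.com",
                         "member": [f"cn=alice,{BASE}", f"cn=bob,{BASE}",
                                    f"cn=ops,{BASE}", f"cn=gone,{BASE}"]},
    # Nested group that also points back at its parent (membership loop).
    f"cn=ops,{BASE}": {"objectClass": "group", "mail": "ops@example.com",
                       "member": [f"cn=carol,{BASE}", f"cn=staff,{BASE}"]},
    f"cn=alice,{BASE}": {"objectClass": "user", "mail": "alice@example.com",
                         "userAccountControl": 512},    # normal account
    f"cn=bob,{BASE}": {"objectClass": "user", "mail": "bob@example.com",
                       "userAccountControl": 514},      # 512 | 2 = disabled
    f"cn=carol,{BASE}": {"objectClass": "user", "mail": "carol@example.com",
                         "userAccountControl": 66048},  # 512 | 65536, enabled
}

def bit_and_match(value, mask):
    """Matching rule 1.2.840.113556.1.4.803: true if all mask bits are set."""
    return value is not None and (int(value) & mask) == mask

def is_disabled(entry):
    return bit_and_match(entry.get("userAccountControl"), ACCOUNTDISABLE)

def expand(group_dn, skip_disabled=True, _seen=None):
    """Return leaf mail values for a group, following nested groups once."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:          # already expanded: break membership loops
        return []
    seen.add(group_dn)
    result = []
    for dn in DIRECTORY[group_dn].get("member", []):
        entry = DIRECTORY.get(dn)
        if entry is None:         # dangling member DN, nothing to deliver to
            continue
        if skip_disabled and is_disabled(entry):
            continue              # effect of (!(useraccountcontrol:...:=2))
        if entry["objectClass"] == "group":
            result.extend(expand(dn, skip_disabled, seen))
        elif "mail" in entry:
            result.append(entry["mail"])
    return result

if __name__ == "__main__":
    print(expand(f"cn=staff,{BASE}"))                       # filtered
    print(expand(f"cn=staff,{BASE}", skip_disabled=False))  # current behaviour
```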