
294957 Re: Postfix group lookup against Samba4 AD

  • Rowland Penny
    Aug 24, 2013
      On 24/08/13 03:42, Viktor Dukhovni wrote:
      > On Fri, Aug 23, 2013 at 03:01:52PM +0100, Rowland Penny wrote:
      >> dn: CN=albert,CN=Users,DC=example,DC=com
      >> otherMailbox: albert@...
      >> otherMailbox: albert@...
      >> otherMailbox: albert@...
      >> The only problem that I have found is, any LDAP search with
      >> 'result_attribute = otherMailbox' fails, in that it returns with all
      >> of the 'otherMailbox' attributes, so postfix would then try to
      >> deliver the email to all the mail addresses.
      > This is correct behaviour, Postfix works as designed, and many
      > other users of LDAP rely on this behaviour.

      I understand this, I accept this, what I am asking for would not
      affect this.

      >> Now I know that assumed wisdom is to use a single-value attribute
      >> such as 'mail' but this would mean that any mail for a user would
      >> end up in just one mailbox and sort of defeats the object of having
      >> multiple email addresses.
      > Correct, mail for a user goes to a fixed mailbox or set of mailboxes.
      > You decide whether you want one or many.

      This is what I am trying to do, get the mail into the correct mailbox,
      not into many mailboxes, just one. If I were to use iRedmail on openldap,
      I could have the same user in different maildomains and just get one
      result per maildomain. I have moved the maildomain users mailbox
      attributes to the AD users DN but cannot select just the mailbox required.

      >> Can I please propose a solution ;-) or in other words, can I please
      >> ask for an enhancement.
      > The meaning of multi-valued attributes in LDAP searches is unlikely
      > to change.

      I am not asking you to change the meaning of multi-value attributes, but
      whilst we are talking about them, the name is a bit misleading. On AD,
      'mail' is a single-valued attribute that can occur only once but can
      contain multiple values, multi-valued attributes can occur several
      times, so shouldn't the 'valued' part really be 'instance'?

      >> The LDAP search works but it is returning with any 'otherMailbox'
      >> attributes it finds, even if most of them have nothing to do with the
      >> domain that was included in the search (%d).
      > The search was looking up a group with a particular address. It
      > is a mistake to impute any other meaning to the domain part of the
      > group email address.

      Why is it a mistake?
      The search is looking up a group via its 'mail' address and then
      returning all of its members email addresses, this is the same search
      that iRedmail uses, so if you have a problem with it, take it up with
      iRedmail. The only difference between the iRedmail search and mine is
      the returned attribute, they use 'mail' because their users are stored
      under the domain-name and hence they have the user stored several times,
      I use 'otherMailbox' and store it under the users DN and the user is
      stored once.

      >> So my suggestion would be to add another switch to 'result_format',
      >> 'AD' for instance, if this switch is turned on (result_format = %AD)
      >> then any result the LDAP search returns is passed through another
      >> filter which removes any addresses where the domain does not match
      >> the original search domain.
      > Sorry, this is an ad-hoc hack to support a misguided interpretation
      > of group membership. No such feature is remotely likely. I suggest
      > you rethink your design.

      Right, so my proposed filter is an ad-hoc design to suit a problem, so I
      presume that 'leaf_result' is not? Also you seem to be misunderstanding
      the way that AD tracks members of a group.

      So, how would you design a mail system to run on AD? Use the same old
      system of storing the same user several times under multiple domains? If
      so, you are totally missing the point of SSO.
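The disagreement above turns on one mechanical point: a Postfix ldap: table returns every value of `result_attribute` for every entry it matches, including entries reached through `special_result_attribute` (the `member` DNs of an AD group), so a multi-valued `otherMailbox` expands to all of a user's addresses. The following is an added example, not code from the thread or from Postfix itself; it models that expansion over a constructed AD-like directory so the difference between the stock behaviour and the domain filter proposed in the thread can be seen on concrete data. `postfix_group_expansion` mirrors the documented ldap_table(5) semantics; `filter_by_domain` is the hypothetical filter from the proposal and is not a Postfix feature. All DNs and addresses are made up.

```python
"""Model of how a Postfix ldap: table expands a group address into member
addresses, and of the domain filter proposed in the thread.

Added example; not Postfix code. The directory entries are constructed.
"""
from typing import Dict, List

# Constructed AD-like entries keyed by DN. Every attribute holds a list,
# as in LDAP, so 'otherMailbox' can carry several addresses per user.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=albert,CN=Users,DC=example,DC=com": {
        "mail": ["albert@example.com"],
        "otherMailbox": [
            "albert@example.com",
            "albert@example.net",
            "albert@example.org",
        ],
    },
    "CN=berta,CN=Users,DC=example,DC=com": {
        "mail": ["berta@example.com"],
        "otherMailbox": ["berta@example.com", "berta@example.net"],
    },
    # A group: matched via its 'mail' attribute, members referenced by DN.
    "CN=sales,CN=Users,DC=example,DC=com": {
        "mail": ["sales@example.com"],
        "member": [
            "CN=albert,CN=Users,DC=example,DC=com",
            "CN=berta,CN=Users,DC=example,DC=com",
        ],
    },
}


def ldap_search(directory: Dict[str, Dict[str, List[str]]],
                attribute: str, value: str) -> List[str]:
    """Simulate query_filter = (attribute=%s): DNs whose attribute contains
    value. LDAP mail matching is case-insensitive, so compare lowercased."""
    wanted = value.lower()
    return [dn for dn, entry in directory.items()
            if wanted in (v.lower() for v in entry.get(attribute, []))]


def postfix_group_expansion(directory: Dict[str, Dict[str, List[str]]],
                            address: str,
                            result_attribute: str = "otherMailbox",
                            special_result_attribute: str = "member") -> List[str]:
    """Mirror the ldap_table(5) semantics discussed in the thread: every value
    of result_attribute on each matched entry is returned, and each DN found
    in special_result_attribute is followed and its result_attribute values
    are appended too. No value is ever dropped, which is the behaviour the
    original poster ran into."""
    results: List[str] = []
    for dn in ldap_search(directory, "mail", address):
        entry = directory[dn]
        results.extend(entry.get(result_attribute, []))
        for member_dn in entry.get(special_result_attribute, []):
            member = directory.get(member_dn, {})
            results.extend(member.get(result_attribute, []))
    return results


def filter_by_domain(addresses: List[str], domain: str) -> List[str]:
    """The hypothetical post-filter proposed in the thread (NOT a Postfix
    feature): keep only addresses whose domain part equals the domain the
    group was looked up under."""
    wanted = domain.lower()
    return [a for a in addresses if a.rpartition("@")[2].lower() == wanted]


if __name__ == "__main__":
    expanded = postfix_group_expansion(DIRECTORY, "sales@example.com")
    print("stock expansion:", expanded)
    print("proposed filter:", filter_by_domain(expanded, "example.com"))
```

Run as a script it prints five recipients for the stock expansion (every `otherMailbox` value of both members) and two for the proposed filter. The model also makes Viktor's objection concrete: the filter only works if the group address's domain is assumed to say something about which member mailbox is wanted, which the LDAP table itself never promises.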
