294962 Re: Postfix group lookup against Samba4 AD
Aug 24, 2013

On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:
> >The search was looking up a group with a particular address. It
> >is a mistake to impute any other meaning to the domain part of the
> >group email address.
> Why is it a mistake?

Your mistake is to use objects with multiple email addresses in
groups where the intention is that only one of the object's addresses
is to receive mail from any single group with the selected address
depending on the domain of that group.

If a user has multiple independent mailboxes, each one of which is
capable of separately being added to a group, create separate LDAP
objects (a.k.a. LDAP entries) for each mailbox, and add these to
the relevant groups. There is nothing wrong with a mailbox in
domain X being a member of a list in domain Y if that's what domain
X wants to do.

Active directory supports authentication with multiple domains in
a single "forest", or across multiple "forests". The "alternate
Security Identities" LDAP attribute allows you to map a user from
a remote Kerberos realm to a local AD user. There are lots of ways
of giving a single authentication identity access to multiple
mailboxes if that is required.

> Right, so my proposed filter is an ad-hoc design to suit a problem,
> so I presume that 'leaf_result' is not? Also you seem to be
> misunderstanding the way that AD tracks members of a group.

I am not taking the bait. Rethink your design.
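An illustration of the design point in the message above, added here and not part of the original post or of Postfix: a toy in-memory model of a group lookup that matches the group by its address, follows member DNs, and returns the members' address attribute. All DNs, addresses and the multi-valued `mail` attribute are constructed for the example.

```python
# Toy in-memory model of an LDAP group lookup (not Postfix code).
# Every DN, address and the multi-valued "mail" attribute is constructed.

def _leaves(directory, dn, member_attr, leaf_attr, seen):
    """Collect leaf_attr values below dn, following member DNs."""
    if dn in seen or dn not in directory:
        return []  # loop in nested groups, or dangling member DN
    seen.add(dn)
    entry = directory[dn]
    if member_attr in entry:  # a group: recurse, ignore its own address
        found = []
        for member_dn in entry[member_attr]:
            found += _leaves(directory, member_dn, member_attr, leaf_attr, seen)
        return found
    return list(entry.get(leaf_attr, []))  # a leaf: every value is returned

def expand_group(directory, group_addr, member_attr="member", leaf_attr="mail"):
    """Recipients for group_addr; the domain of the address selects nothing."""
    recipients = []
    for dn, entry in directory.items():
        if member_attr in entry and group_addr in entry.get(leaf_attr, []):
            for addr in _leaves(directory, dn, member_attr, leaf_attr, set()):
                if addr not in recipients:
                    recipients.append(addr)
    return recipients

# Design 1: one object carrying two addresses, a member of both groups.
ONE_OBJECT = {
    "cn=staff-x": {"mail": ["staff@x.example"], "member": ["cn=alice"]},
    "cn=staff-y": {"mail": ["staff@y.example"], "member": ["cn=alice"]},
    "cn=alice": {"mail": ["alice@x.example", "alice@y.example"]},
}

# Design 2: one entry per mailbox; a domain X mailbox may join a domain Y list.
PER_MAILBOX = {
    "cn=staff-x": {"mail": ["staff@x.example"], "member": ["cn=alice-x"]},
    "cn=staff-y": {"mail": ["staff@y.example"],
                   "member": ["cn=alice-y", "cn=bob-x"]},
    "cn=alice-x": {"mail": ["alice@x.example"]},
    "cn=alice-y": {"mail": ["alice@y.example"]},
    "cn=bob-x": {"mail": ["bob@x.example"]},
}

if __name__ == "__main__":
    for name, d in (("one object", ONE_OBJECT), ("per mailbox", PER_MAILBOX)):
        for group in ("staff@x.example", "staff@y.example"):
            print(name, group, "->", expand_group(d, group))
```

With the single multi-address object, both group addresses expand to both of the member's addresses; with one entry per mailbox, group membership alone decides which mailbox receives the mail.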