
294962 Re: Postfix group lookup against Samba4 AD

  • Viktor Dukhovni
    Aug 24, 2013
      On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:

      > >The search was looking up a group with a particular address. It
      > >is a mistake to impute any other meaning to the domain part of the
      > >group email address.
      >
      > Why is it a mistake?

      Your mistake is to use objects with multiple email addresses in
      groups where the intention is that only one of the object's addresses
      is to receive mail from any single group with the selected address
      depending on the domain of that group.

      If a user has multiple independent mailboxes, each one of which is
      capable of separately being added to a group, create separate LDAP
      objects (a.k.a. LDAP entries) for each mailbox, and add these to
      the relevant groups. There is nothing wrong with a mailbox in
      domain X being a member of a list in domain Y if that's what domain
      X wants to do.

      Active Directory supports authentication with multiple domains in
      a single "forest", or across multiple "forests". The "alternate
      Security Identities" LDAP attribute allows you to map a user from
      a remote Kerberos realm to a local AD user. There are lots of ways
      of giving a single authentication identity access to multiple
      mailboxes if that is required.

      > Right, so my proposed filter is an ad-hoc design to suit a problem,
      > so I presume that 'leaf_result' is not? Also you seem to be
      > misunderstanding the way that AD tracks members of a group.

      I am not taking the bait. Rethink your design.

      --
      Viktor.
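
The data-modelling point in the message above, as an added example that is not part of the original post and is not Postfix code: a simplified model of recursive group expansion run over two constructed directories. The DNs, addresses and the `member`/`mail` attribute names are assumptions made for the illustration.

```python
def expand(directory, group_addr, member_attr="member", leaf_attr="mail"):
    """Simplified model of group expansion: find entries whose leaf_attr
    contains group_addr, recurse through member DNs, and return leaf_attr
    values only from entries that have no members (leaf entries)."""
    result, seen = [], set()

    def walk(dn):
        if dn in seen or dn not in directory:  # guard against loops and dangling DNs
            return
        seen.add(dn)
        entry = directory[dn]
        members = entry.get(member_attr, [])
        if members:          # non-terminal entry: recurse, ignore its own address
            for m in members:
                walk(m)
        else:                # leaf entry: every address value it carries is returned
            result.extend(entry.get(leaf_attr, []))

    for dn, entry in directory.items():
        if group_addr in entry.get(leaf_attr, []):
            walk(dn)
    return sorted(set(result))

# Constructed sample data: one object carrying both of the user's addresses,
# added to both lists. The expansion cannot pick an address by list domain.
MULTI = {
    "cn=staff-x": {"mail": ["staff@x.example"], "member": ["cn=alice"]},
    "cn=staff-y": {"mail": ["staff@y.example"], "member": ["cn=alice"]},
    "cn=alice":   {"mail": ["alice@x.example", "alice@y.example"]},
}

# Constructed sample data: one entry per mailbox, each added only to the lists
# that should reach it. A mailbox in domain X may still join a list in domain Y.
SPLIT = {
    "cn=staff-x": {"mail": ["staff@x.example"], "member": ["cn=alice-x"]},
    "cn=staff-y": {"mail": ["staff@y.example"],
                   "member": ["cn=alice-y", "cn=bob-x"]},
    "cn=alice-x": {"mail": ["alice@x.example"]},
    "cn=alice-y": {"mail": ["alice@y.example"]},
    "cn=bob-x":   {"mail": ["bob@x.example"]},
}

if __name__ == "__main__":
    for name, d in (("multi-address object", MULTI), ("entry per mailbox", SPLIT)):
        for addr in ("staff@x.example", "staff@y.example"):
            print(f"{name}: {addr} -> {expand(d, addr)}")
```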