294974 Re: Postfix group lookup against Samba4 AD

  • Rowland Penny
    Aug 25, 2013
      On 24/08/13 17:35, Viktor Dukhovni wrote:
      > On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:
      >>> The search was looking up a group with a particular address. It
      >>> is a mistake to impute any other meaning to the domain part of the
      >>> group email address.
      >> Why is it a mistake?
      > Your mistake is to use objects with multiple email addresses in
      > groups where the intention is that only one of the object's addresses
      > is to receive mail from any single group with the selected address
      > depending on the domain of that group.
      > If a user has multiple independent mailboxes, each one of which is
      > capable of separately being added to a group, create separate LDAP
      > objects (a.k.a. LDAP entries) for each mailbox, and add these to
      > the relevant groups. There is nothing wrong with a mailbox in
      > domain X being a member of a list in domain Y if that's what domain
      > X wants to do.
      > Active Directory supports authentication with multiple domains in
      > a single "forest", or across multiple "forests". The "alternate
      > Security Identities" LDAP attribute allows you to map a user from
      > a remote Kerberos realm to a local AD user. There are lots of ways
      > of giving a single authentication identity access to multiple
      > mailboxes if that is required.
      >> Right, so my proposed filter is an ad-hoc design to suit a problem,
      >> so I presume that 'leaf_result' is not? Also you seem to be
      >> misunderstanding the way that AD tracks members of a group.
      > I am not taking the bait. Rethink your design.
      Hi Viktor, I have re-thought my design, I will give up with my rubbish
      design by using Exim instead of the totally unhelpful postfix.
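
The design point in the quoted reply, as a simplified model added here (not code from the thread or from Postfix): a group lookup that recurses through `member` DNs and returns every `mail` value of each leaf entry, the way a Postfix LDAP table with a special result attribute and a leaf result attribute does. The directory contents, DNs and addresses are constructed samples, and `expand_group` is a hypothetical helper.

```python
# Constructed sample directories: DN -> attributes. All names are hypothetical.
SHARED = {  # one object carries both of alice's addresses
    "cn=staff-x": {"mail": ["staff@x.example"],
                   "member": ["cn=alice", "cn=bob"]},
    "cn=alice": {"mail": ["alice@x.example", "alice@y.example"]},
    "cn=bob": {"mail": ["bob@x.example"]},
}
SPLIT = {   # one object per mailbox, each added only to the groups it belongs in
    "cn=staff-x": {"mail": ["staff@x.example"],
                   "member": ["cn=alice-x", "cn=bob"]},
    "cn=staff-y": {"mail": ["staff@y.example"], "member": ["cn=alice-y"]},
    "cn=alice-x": {"mail": ["alice@x.example"]},
    "cn=alice-y": {"mail": ["alice@y.example"]},
    "cn=bob": {"mail": ["bob@x.example"]},
}

def expand_group(directory, address, special="member", leaf="mail"):
    """Return the sorted recipients reached from the group(s) owning `address`."""
    recipients, seen = set(), set()

    def walk(dn):
        if dn in seen or dn not in directory:    # loop guard, dangling DN
            return
        seen.add(dn)
        entry = directory[dn]
        members = entry.get(special, [])
        if members:                              # non-terminal entry: recurse only
            for member_dn in members:
                walk(member_dn)
        else:                                    # leaf: every value of the leaf attribute
            recipients.update(entry.get(leaf, []))

    # The lookup key is the group's own address; its domain part plays no
    # role in choosing which of a member's addresses is returned.
    for dn, entry in directory.items():
        if address in entry.get("mail", []) and entry.get(special):
            walk(dn)
    return sorted(recipients)

if __name__ == "__main__":
    print(expand_group(SHARED, "staff@x.example"))  # alice@y.example is included
    print(expand_group(SPLIT, "staff@x.example"))   # only the x.example mailboxes
```

With the shared object, mail to the x.example group also reaches alice's y.example mailbox; with one entry per mailbox, group membership alone decides which mailbox receives the message.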
