
virtual_mailbox_maps, ldap lookups, and multiple attributes

  • ben thielsen
    Message 1 of 5, Feb 1, 2009
      hi-

      i'm using an ldap lookup map for virtual_mailbox_maps and haven't been
      able to get the lookup to work quite the way i'd like. users exist in
      the ldap tree as
      uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com, and
      currently i'm using the mailLocalAddress attribute to store addresses
      which should be delivered to the filesystem, by virtual. users
      potentially have multiple addresses in their entry using this
      attribute, each of which should be delivered to a discrete mailbox -
      e.g.:

      dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
      mailLocalAddress: user@... - delivered to foo.com/user/Maildir/
      mailLocalAddress: user@... - delivered to bar.net/user/Maildir/
      mailLocalAddress: u@... - delivered to foobar.org/u/Maildir/

      this works well for entries that contain only a single
      mailLocalAddress attribute, but not so well when multiple attributes
      exist. using %U and %D in the result_format value appeared to be a
      step in the right direction, but still returns more than one result,
      which suggested that there might be a more sensible approach. i also
      experimented with expansion_limit and size_limit, neither of which
      appeared to change the outcome (aside from introducing failures).

      at first glance, it seems to me that being able to use % expansions in
      the result_attribute might get me what i'm after (e.g.
      result_attribute = mailLocalAddress=%s or such), the idea being that
      only attributes that matched a particular value would be returned.
      since this isn't possible though, according to the ldap_table man
      page, i'm wondering how else i might achieve my goal, without
      requiring independent entries in ldap for each mailbox.

      thanks
      -ben
    • ben thielsen
      Message 2 of 5, Feb 1, 2009
        On Feb 01, 2009, at 23.15, ben thielsen wrote:

        > hi-
        >
        > i'm using an ldap lookup map for virtual_mailbox_maps and haven't
        > been able to get the lookup to work quite the way i'd like. users
        > exist in the ldap tree as
        > uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com, and
        > currently i'm using the mailLocalAddress attribute to store
        > addresses which should be delivered to the filesystem, by virtual.
        > users potentially have multiple addresses in their entry using this
        > attribute, each of which should be delivered to a discrete mailbox -
        > e.g.:
        >
        > dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
        > mailLocalAddress: user@... - delivered to foo.com/user/Maildir/
        > mailLocalAddress: user@... - delivered to bar.net/user/Maildir/
        > mailLocalAddress: u@... - delivered to foobar.org/u/Maildir/
        >
        > this works well for entries that contain only a single
        > mailLocalAddress attribute, but not so well when multiple attributes
        > exist. using %U and %D in the result_format value appeared to be a
        > step in the right direction, but still returns more than one result,
        > which suggested that there might be a more sensible approach. i
        > also experimented with expansion_limit and size_limit, neither of
        > which appeared to change the outcome (aside from introducing
        > failures).
        >
        > at first glance, it seems to me that being able to use % expansions
        > in the result_attribute might get me what i'm after (e.g.
        > result_attribute = mailLocalAddress=%s or such), the idea being that
        > only attributes that matched a particular value would be returned.
        > since this isn't possible though, according to the ldap_table man
        > page, i'm wondering how else i might achieve my goal, without
        > requiring independent entries in ldap for each mailbox.
        >
        > thanks
        > -ben

        apologies-

        i meant to include my lookup map, as it currently stands (horribly
        munged, out of unreasonable paranoia):

        version = 3
        tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
        server_host = ldaps://ldap.example.com
        bind_dn = cn=postfix,ou=under,ou=services,ou=accounts,dc=example,dc=com
        bind_pw = xxxxxxxxxxxxxx
        search_base = ou=people,ou=users,ou=accounts,dc=example,dc=com
        query_filter = (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%s)(memberOf=cn=mail_recipients,dc=%d,ou=domains,ou=mail,dc=example,dc=com))
        result_attribute = mailLocalAddress
        result_format = %D/%U/Maildir/

        -ben
      • Victor Duchovni
        Message 3 of 5, Feb 1, 2009
          On Sun, Feb 01, 2009 at 11:15:00PM -0500, ben thielsen wrote:

          > dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
          > mailLocalAddress: user@... - delivered to foo.com/user/Maildir/
          > mailLocalAddress: user@... - delivered to bar.net/user/Maildir/
          > mailLocalAddress: u@... - delivered to foobar.org/u/Maildir/
          >
          > this works well for entries that contain only a single mailLocalAddress
          > attribute, but not so well when multiple attributes exist. using %U and %D
          > in the result_format value appeared to be a step in the right direction,
          > but still returns more than one result, which suggested that there might be
          > a more sensible approach. i also experimented with expansion_limit and
          > size_limit, neither of which appeared to change the outcome (aside from
          > introducing failures).
          >
          > at first glance, it seems to me that being able to use % expansions in the
          > result_attribute might get me what i'm after (e.g. result_attribute =
          > mailLocalAddress=%s or such), the idea being that only attributes that
          > matched a particular value would be returned. since this isn't possible
          > though, according to the ldap_table man page, i'm wondering how else i
          > might achieve my goal, without requiring independent entries in ldap for
          > each mailbox.

          Pick a single-valued attribute as the result_attribute.

          --
          Viktor.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.

          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
        • ben thielsen
          Message 4 of 5, Feb 2, 2009
            On Feb 01, 2009, at 23.58, Victor Duchovni wrote:

            > On Sun, Feb 01, 2009 at 11:15:00PM -0500, ben thielsen wrote:
            >
            >> dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
            >> mailLocalAddress: user@... - delivered to foo.com/user/Maildir/
            >> mailLocalAddress: user@... - delivered to bar.net/user/Maildir/
            >> mailLocalAddress: u@... - delivered to foobar.org/u/Maildir/
            >>
            >> this works well for entries that contain only a single mailLocalAddress
            >> attribute, but not so well when multiple attributes exist. using %U and %D
            >> in the result_format value appeared to be a step in the right direction,
            >> but still returns more than one result, which suggested that there might be
            >> a more sensible approach. i also experimented with expansion_limit and
            >> size_limit, neither of which appeared to change the outcome (aside from
            >> introducing failures).
            >>
            >> at first glance, it seems to me that being able to use % expansions in the
            >> result_attribute might get me what i'm after (e.g. result_attribute =
            >> mailLocalAddress=%s or such), the idea being that only attributes that
            >> matched a particular value would be returned. since this isn't possible
            >> though, according to the ldap_table man page, i'm wondering how else i
            >> might achieve my goal, without requiring independent entries in ldap for
            >> each mailbox.
            >
            > Pick a single-valued attribute as the result_attribute.

            i'm not able to conceive of a method of doing this that wouldn't use a
            multi-valued attribute. what might be an example of how you guys
            would accomplish such a goal? is my approach of wanting a human to
            own multiple discrete mailboxes, yet not require separate ldap entries
            fundamentally flawed?

            -ben
          • ben thielsen
            Message 5 of 5, Feb 2, 2009
              On Feb 02, 2009, at 06.15, Reinaldo de Carvalho wrote:

              > On Mon, Feb 2, 2009 at 1:15 AM, ben thielsen <btb@...> wrote:
              >> dn: uid=user,ou=people,ou=users,ou=accounts,dc=example,dc=com
              >> mailLocalAddress: user@... - delivered to foo.com/user/Maildir/
              >> mailLocalAddress: user@... - delivered to bar.net/user/Maildir/
              >> mailLocalAddress: u@... - delivered to foobar.org/u/Maildir/
              >>
              >> this works well for entries that contain only a single mailLocalAddress
              >> attribute, but not so well when multiple attributes exist. using %U and %D
              >> in the result_format value appeared to be a step in the right direction, but
              >> still returns more than one result, which suggested that there might be a
              >> more sensible approach. i also experimented with expansion_limit and
              >> size_limit, neither of which appeared to change the outcome (aside from
              >> introducing failures).
              >>
              >
              > in this case result_attribute must be single value.
              >
              > Example:
              >
              > mail: user@...
              > mailLocalAddress: user@...
              > mailLocalAddress: u@...
              >
              > query_filter = (&(objectClass=inetLocalMailRecipient)(|(mailLocalAddress=%s)(mail=%s))(memberOf=cn=mail_recipients,dc=%d,ou=domains,ou=mail,dc=example,dc=com))
              > result_attribute = mail
              > result_format = %D/%U/Maildir/

              ah! thank you, i understand the approach. please excuse my previous
              message - i had missed this reply, originally, in my inbox.

              -ben
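
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of ldap_table(5) result expansion, in which every value of result_attribute is expanded through result_format and the expansions are comma-joined. The entry data (including the `mail` value), the function names and the reduced filter (no objectClass or memberOf clause) are assumptions made for illustration.

```python
# Simplified model of how a Postfix ldap_table(5) map builds its result.
# Not Postfix source; the entry below is constructed sample data.

ENTRY = {
    "mail": ["user@foo.com"],  # single-valued (constructed)
    "mailLocalAddress": ["user@foo.com", "user@bar.net", "u@foobar.org"],
}
SEARCH_ATTRS = ("mail", "mailLocalAddress")  # stand-in for query_filter


def expand(fmt, key, value):
    """%s/%u/%d come from the result value, %S/%U/%D from the lookup key."""
    k_user, _, k_dom = key.partition("@")
    v_user, _, v_dom = value.partition("@")
    subst = {"s": value, "u": v_user, "d": v_dom,
             "S": key, "U": k_user, "D": k_dom, "%": "%"}
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt) and fmt[i + 1] in subst:
            out.append(subst[fmt[i + 1]])
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def lookup(key, result_attribute, result_format, entries=(ENTRY,)):
    """Return the comma-joined map result, or None when nothing matches."""
    results = []
    for entry in entries:
        if not any(key in entry.get(a, []) for a in SEARCH_ATTRS):
            continue  # the filter did not match this entry
        # One expansion per VALUE of result_attribute: the multi-value pitfall.
        for value in entry.get(result_attribute, []):
            results.append(expand(result_format, key, value))
    return ",".join(results) or None


def is_single_mailbox(result):
    """A mailbox map should yield exactly one path per recipient."""
    return result is not None and "," not in result


if __name__ == "__main__":
    for attr in ("mailLocalAddress", "mail"):
        r = lookup("user@bar.net", attr, "%D/%U/Maildir/")
        print(f"result_attribute={attr}: {r} single={is_single_mailbox(r)}")
```

With the multi-valued attribute, %D/%U yields the same path once per stored value, and %d/%u yields the paths of every address in the entry; only the single-valued attribute returns one mailbox for the queried address.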