
Postfix group lookup against Samba4 AD

  • Rowland Penny
    Message 1 of 13 , Aug 19, 2013
      Hello,

      I am trying to setup a postfix mailserver using a Samba4 AD server as
      the LDAP source and I am struggling with groups.

      I have created an OU called domains and then created a mailgroup called
      example.com in this OU. I then added a mail attribute
      mailgroup@... to the group.

      This is the postfix .cf file that I am using to try to obtain the email
      addresses of the users.

      /etc/postfix/ldap/ad_virtual_group_maps.cf

      server_host = myadserver.example.com
      server_port = 389
      version = 3
      bind = yes
      start_tls = no
      bind_dn = cn=vmail,cn=Users,dc=example,dc=com
      bind_pw = Passw0rd*
      search_base = ou=domains,dc=example,dc=com
      scope = sub
      query_filter = (&(objectclass=group)(mail=%s))
      leaf_result_attribute = otherMailbox
      special_result_attribute = member
      debuglevel = 0

      I have added a couple of otherMailbox attributes to a user called fred,
      one is fred@..., the other is fred@.... I then
      added fred to the example.com group.

      I then ran this command:

      postmap -q mailgroup@... ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf

      This is where the problem comes in, I expected to just get back
      fred@..., but instead I get fred@... and
      fred@...

      Is there any way I can just get fred@..., i.e. where have I made my
      mistake? I have tried trawling the internet, but everything that I can
      find seems to say that I am doing the right thing, but I must be doing
      something wrong.

      TIA

      Rowland
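
The table posted above binds as cn=vmail with a cleartext bind_pw over plain LDAP on port 389 with start_tls = no, so the password is readable by anyone on the network path to the domain controller. The following is an added example, not code from the thread or from Postfix: a small audit that parses the ldap_table(5) "name = value" format and flags that combination. SAMPLE_CF is a constructed copy of the posted table used only as input.

```python
"""Audit a Postfix ldap_table(5) file for credential exposure.

Added example; not code from the thread or from the Postfix project.
It parses the 'name = value' format of an LDAP table file and flags a
simple bind whose bind_pw would cross the network unprotected: bind = yes,
a plain host name on port 389 and start_tls = no, as in the posted table.
"""
import os
import stat

# Constructed copy of the table posted in the thread (sample input only).
SAMPLE_CF = """\
server_host = myadserver.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = cn=vmail,cn=Users,dc=example,dc=com
bind_pw = Passw0rd*
search_base = ou=domains,dc=example,dc=com
scope = sub
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = otherMailbox
special_result_attribute = member
debuglevel = 0
"""


def parse_cf(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def protected(cfg):
    """True when the bind is protected: start_tls = yes, or every
    server_host entry is an ldaps:// URI. A bare host name means plain
    LDAP on server_port, whatever that port number is."""
    if cfg.get("start_tls", "no").lower() == "yes":
        return True
    hosts = cfg.get("server_host", "localhost").split()
    return all(h.lower().startswith("ldaps://") for h in hosts)


def audit(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    bind = cfg.get("bind", "yes").lower()
    if bind not in ("no", "none") and cfg.get("bind_pw") and not protected(cfg):
        findings.append("bind_pw travels in cleartext: bind = %s with neither "
                        "start_tls = yes nor an ldaps:// server_host" % bind)
    # STARTTLS is an LDAPv3 operation; the Postfix default version is 2.
    if cfg.get("start_tls", "no").lower() == "yes" and cfg.get("version", "2") != "3":
        findings.append("start_tls = yes requires version = 3")
    return findings


def mode_finding(st_mode):
    """The table file holds bind_pw, so it must not be world-readable."""
    if st_mode & stat.S_IROTH:
        return "table file is world-readable; use mode 0640 or stricter"
    return None


def file_finding(path):
    """Stat a real table file and apply mode_finding to it."""
    return mode_finding(os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit(parse_cf(SAMPLE_CF)):
        print(finding)
```

Run against the posted table it reports the cleartext bind; changing start_tls to yes (with version = 3) or writing server_host as an ldaps:// URI clears it. The file mode check is separate because the same password also sits on disk in /etc/postfix/ldap/.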
    • Viktor Dukhovni
      Message 2 of 13 , Aug 19, 2013
        On Mon, Aug 19, 2013 at 06:25:24PM +0100, Rowland Penny wrote:

        > query_filter = (&(objectclass=group)(mail=%s))
        > leaf_result_attribute = otherMailbox
        > special_result_attribute = member

        > I have added a couple of otherMailbox attributes to a user called
        > fred, one is fred@..., the other is fred@....
        > I then added fred to the example.com group.

        When you specify a multi-valued result attribute (or leaf or terminal
        result attribute) each value will be part of the result.

        > I then ran this command:
        >
        > postmap -q mailgroup@... ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf
        >
        > This is where the problem comes in, I expected to just get back
        > fred@..., but instead I get fred@... and
        > fred@...

        As expected. If you want a single value back, use a single-valued
        attribute.

        --
        Viktor.
      • Rowland Penny
        Message 3 of 13 , Aug 19, 2013
          On 19/08/13 19:28, Viktor Dukhovni wrote:
          > On Mon, Aug 19, 2013 at 06:25:24PM +0100, Rowland Penny wrote:
          >
          >> query_filter = (&(objectclass=group)(mail=%s))
          >> leaf_result_attribute = otherMailbox
          >> special_result_attribute = member
          >> I have added a couple of otherMailbox attributes to a user called
          >> fred, one is fred@..., the other is fred@....
          >> I then added fred to the example.com group.
          > When you specify a multi-valued result attribute (or leaf or terminal
          > result attribute) each value will be part of the result.
          >
          >> I then ran this command:
          >>
          >> postmap -q mailgroup@... ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf
          >>
          >> This is where the problem comes in, I expected to just get back
          >> fred@..., but instead I get fred@... and
          >> fred@...
          > As expected. If you want a single value back, use a single-valued
          > attribute.
          >
          Thanks. So what you are saying is to use the mail attribute, but on AD,
          you can only have one mail attribute. What happens if your user has more
          than one email address?

          What I thought should happen is

          A) search for the mailgroup via its mail address
          B) Once the mailgroup is found, get all its members
          C) Then from the members, get the relevant email addresses from the
          'otherMailbox' attributes, based on the domain part of the email address
          of the mailgroup I searched for in the first place.
          D) Return only mail addresses that end in the mailgroup's domain.

          Can Postfix do this? If so, how? If not, where do I request that it does?

          Rowland
        • Viktor Dukhovni
          Message 4 of 13 , Aug 19, 2013
            On Mon, Aug 19, 2013 at 07:51:50PM +0100, Rowland Penny wrote:

            > On 19/08/13 19:28, Viktor Dukhovni wrote:
            >
            > >On Mon, Aug 19, 2013 at 06:25:24PM +0100, Rowland Penny wrote:
            > >
            > >>query_filter = (&(objectclass=group)(mail=%s))
            > >>leaf_result_attribute = otherMailbox
            > >>special_result_attribute = member
            > >>
            > >>I have added a couple of otherMailbox attributes to a user called
            > >>fred, one is fred@..., the other is fred@....
            > >>I then added fred to the example.com group.
            > >
            > >When you specify a multi-valued result attribute (or leaf or terminal
            > >result attribute) each value will be part of the result.
            > >
            > >>I then ran this command:
            > >>
            > >>postmap -q mailgroup@... ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf
            > >>
            > >>This is where the problem comes in, I expected to just get back
            > >>fred@..., but instead I get fred@... and
            > >>fred@...
            > >
            > >As expected. If you want a single value back, use a single-valued
            > >attribute.
            >
            > Thanks, So what you are saying is to use the mail attribute, but on
            > AD, you can only have one mail attribute, what happens if your user
            > has more than one email address?

            What I am saying is that if you want a single address back, (which
            is what you appeared to be asking for), you should use a single-valued
            result attribute.

            > What I thought should happen is
            >
            > A) search for the mailgroup via its mail address
            > B) Once the mailgroup is found, get all its members
            > C) Then from the members, get the relevant email addresses from the
            > 'otherMailbox' attributes, based on the domain part of the email
            > address of the mailgroup I searched for in the first place.

            There is no such thing as "the relevant email addresses", all
            addresses selected by the filter and result attributes are equally
            relevant.

            > D) Return only mail addresses that end in the mailgroup's domain.

            Sorry, LDAP does not work that way. Your LDAP groups must expand
            to the correct list of member addresses (primary addresses of group
            members).

            --
            Viktor.
          • Rowland Penny
            Message 5 of 13 , Aug 19, 2013
              On 19/08/13 20:11, Viktor Dukhovni wrote:
              > On Mon, Aug 19, 2013 at 07:51:50PM +0100, Rowland Penny wrote:
              >
              >> On 19/08/13 19:28, Viktor Dukhovni wrote:
              >>
              >>> On Mon, Aug 19, 2013 at 06:25:24PM +0100, Rowland Penny wrote:
              >>>
              >>>> query_filter = (&(objectclass=group)(mail=%s))
              >>>> leaf_result_attribute = otherMailbox
              >>>> special_result_attribute = member
              >>>>
              >>>> I have added a couple of otherMailbox attributes to a user called
              >>>> fred, one is fred@..., the other is fred@....
              >>>> I then added fred to the example.com group.
              >>> When you specify a multi-valued result attribute (or leaf or terminal
              >>> result attribute) each value will be part of the result.
              >>>
              >>>> I then ran this command:
              >>>>
              >>>> postmap -q mailgroup@... ldap:/etc/postfix/ldap/ad_virtual_group_maps.cf
              >>>>
              >>>> This is where the problem comes in, I expected to just get back
              >>>> fred@..., but instead I get fred@... and
              >>>> fred@...
              >>> As expected. If you want a single value back, use a single-valued
              >>> attribute.
              >> Thanks, So what you are saying is to use the mail attribute, but on
              >> AD, you can only have one mail attribute, what happens if your user
              >> has more than one email address?
              > What I am saying is that if you want a single address back, (which
              > is what you appeared to be asking for), you should use a single-valued
              > result attribute.
              >
              >> What I thought should happen is
              >>
              >> A) search for the mailgroup via its mail address
              >> B) Once the mailgroup is found, get all its members
              >> C) Then from the members, get the relevant email addresses from the
              >> 'otherMailbox' attributes, based on the domain part of the email
              >> address of the mailgroup I searched for in the first place.
              > There is no such thing as "the relevant email addresses", all
              > addresses selected by the filter and result attributes are equally
              > relevant.
              >

              When I said "the relevant email addresses", I meant, get from the group
              members the contents of the 'otherMailbox' attributes where said
              contents end with the email domain from the mailgroup's mail attribute.

              As in when searching for mailgroup@..., the result should be
              just fred@... and should not also bring fred@...

              >> D) Return only mail addresses that end in the mailgroup's domain.
              > Sorry, LDAP does not work that way. Your LDAP groups must expand
              > to the correct list of member addresses (primary addresses of group
              > members).
              >
              So, from what you are saying, if you have multiple attributes with the
              same name under a user's DN then you can only select all of them and not
              just the one you require if you search the group.

              I know that Openldap works differently from windows AD, but AD is what I
              am trying to work with.

              Rowland
            • Viktor Dukhovni
              Message 6 of 13 , Aug 19, 2013
                On Mon, Aug 19, 2013 at 10:08:18PM +0100, Rowland Penny wrote:

                > >There is no such thing as "the relevant email addresses", all
                > >addresses selected by the filter and result attributes are equally
                > >relevant.
                >
                > When I said "the relevant email addresses", I meant, get from the
                > group members the contents of the 'otherMailbox' attributes where
                > said contents end with the email domain from the mailgroup's mail
                > attribute.

                This ad-hoc interpretation of "relevance" is not described in any
                LDAP standards documents. There is no reason to expect that the
                member addresses of a group are restricted to the same domain as
                the group.

                > As in when searching for mailgroup@..., the result should be
                > just fred@... and should not also bring fred@...

                That's what you might want in this case, but there is no reason to
                expect groups to work this way.

                > >>D) Return only mail addresses that end in the mailgroup's domain.
                > >Sorry, LDAP does not work that way. Your LDAP groups must expand
                > >to the correct list of member addresses (primary addresses of group
                > >members).
                >
                > So, from what you are saying, if you have multiple attributes with
                > the same name under a user's DN then you can only select all of them
                > and not just the one you require if you search the group.

                You have a single attribute with multiple values, not multiple
                attributes with the same name. Result attributes in matching LDAP
                entries are returned in full.

                > I know that Openldap works differently from windows AD, but AD is
                > what I am trying to work with.

                This has nothing to do with AD vs. OpenLDAP. If you want to return
                a particular single address for each user, you need to select a
                result attribute that contains *only* that address.

                AD allows you to extend the schema. If nothing suitable is available,
                you can populate a custom attribute.

                --
                Viktor.
              • Rowland Penny
                Message 7 of 13 , Aug 19, 2013
                  On 19/08/13 22:14, Viktor Dukhovni wrote:
                  > On Mon, Aug 19, 2013 at 10:08:18PM +0100, Rowland Penny wrote:
                  >
                  >>> There is no such thing as "the relevant email addresses", all
                  >>> addresses selected by the filter and result attributes are equally
                  >>> relevant.
                  >> When I said "the relevant email addresses", I meant, get from the
                  >> group members the contents of the 'otherMailbox' attributes where
                  >> said contents end with the email domain from the mailgroup's mail
                  >> attribute.
                  > This ad-hoc interpretation of "relevance" is not described in any
                  > LDAP standards documents. There is no reason to expect that the
                  > member addresses of a group are restricted to the same domain as
                  > the group.
                  >
                  >> As in when searching for mailgroup@..., the result should be
                  >> just fred@... and should not also bring fred@...
                  > That's what you might want in this case, but there is no reason to
                  > expect groups to work this way.
                  >
                  >>>> D) Return only mail addresses that end in the mailgroup's domain.
                  >>> Sorry, LDAP does not work that way. Your LDAP groups must expand
                  >>> to the correct list of member addresses (primary addresses of group
                  >>> members).
                  >> So, from what you are saying, if you have multiple attributes with
                  >> the same name under a user's DN then you can only select all of them
                  >> and not just the one you require if you search the group.
                  > You have a single attribute with multiple values, not multiple
                  > attributes with the same name. Result attributes in matching LDAP
                  > entries are returned in full.
                  >
                  >> I know that Openldap works differently from windows AD, but AD is
                  >> what I am trying to work with.
                  > This has nothing to do with AD vs. OpenLDAP. If you want to return
                  > a particular single address for each user, you need to select a
                  > result attribute that contains *only* that address.

                  That is what I was trying to do, do a search of a group, get its members
                  and return the 'otherMailbox' from the group members that contain the
                  members CN@%d.

                  But from what you are saying, this is not possible and whilst I can
                  search via the group, I will get every 'otherMailbox' attribute under
                  every member of the mailgroup and there is no way to fix this.

                  I will have to rethink this, there must be another way of getting what I
                  want, this is after all unix ;-)

                  >
                  > AD allows you to extend the schema. If nothing suitable is available,
                  > you can populate a custom attribute.
                  >
                  The problem with AD is that whilst it is a version of LDAP, it is a very
                  bastardized version, moulded by MS to do what they wanted to do; you
                  cannot do with AD what you can do very easily with LDAP.

                  Rowland
                • Viktor Dukhovni
                  Message 8 of 13 , Aug 19, 2013
                    On Mon, Aug 19, 2013 at 10:32:27PM +0100, Rowland Penny wrote:

                    > >If you want to return
                    > >a particular single address for each user, you need to select a
                    > >result attribute that contains *only* that address.
                    >
                    > That is what I was trying to do, do a search of a group, get its
                    > members and return the 'otherMailbox' from the group members that
                    > contain the members CN@%d.

                    There is no reasonable expectation that an LDAP query will return
                    a subset of the requested attribute values. LDAP returns the
                    totality of the requested attribute values for all entries that
                    match the query filter. The LDAP query language is much more
                    limited than SQL.

                    > But from what you are saying, this is not possible and whilst I can
                    > search via the group, I will get every 'otherMailbox' attribute
                    > under every member of the mailgroup and there is no way to fix this.

                    Yes, naturally.

                    > I will have to rethink this, there must be another way of getting
                    > what I want, this is after all unix ;-)

                    Unix has little to do with it, this is LDAP. If you are querying
                    LDAP live, you are limited by the capabilities of LDAP. The Postfix
                    LDAP driver does not add a filter language to post-process LDAP
                    results. So LDAP is what you get.

                    > >AD allows you to extend the schema. If nothing suitable is available,
                    > >you can populate a custom attribute.
                    >
                    > The problem with AD is that whilst it is a version of LDAP, it is a
                    > very bastardized version, moulded by MS to do what they wanted to
                    > do; you cannot do with AD what you can do very easily with LDAP.

                    This is a poor excuse. I've extended the AD schema with custom
                    attributes holding email addresses, it is relatively simple to do.

                    I am still puzzled why you don't want to use "mail" as the leaf
                    result attribute. This will return one address per mailgroup user.

                    If you are looking to add users to groups in such a way that the
                    member address depends on the group's domain, you've likely made
                    a design error somewhere else that is forcing you to jump through
                    hoops. All groups a user is a member of should route mail to the
                    same address or set of addresses for each user.

                    --
                    Viktor.
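
The mechanics Viktor is describing (messages 2 and 8) can be made concrete with a model of the lookup. The following is an added example in Python, not the Postfix LDAP driver and not code from the thread: it applies query_filter to an in-memory directory, follows each DN in special_result_attribute, and returns every value of leaf_result_attribute on the member entries, exactly as ldap_table(5) documents and with no domain-based post-filtering. The directory entries, the addresses in them and the recursion_limit default are constructed assumptions standing in for the elided values in the posts; the key escaping mirrors the RFC 4515 quoting Postfix applies to %s, which is why a lookup key cannot inject filter syntax.

```python
"""Model of a Postfix ldap_table(5) group expansion.

Added example; not the Postfix driver and not code from the thread. It
follows the semantics Viktor describes: query_filter selects the group,
each DN in special_result_attribute is fetched, and every value of
leaf_result_attribute on an entry without special values is returned in
full, with no post-filtering by domain. The directory is constructed sample
data; its addresses are assumptions, not the ones elided in the posts.
"""
import re

DIRECTORY = {
    "cn=example.com,ou=domains,dc=example,dc=com": {
        "objectClass": ["top", "group"],
        "mail": ["mailgroup@example.com"],
        "member": ["cn=fred,cn=Users,dc=example,dc=com"],
    },
    "cn=fred,cn=Users,dc=example,dc=com": {
        "objectClass": ["top", "person", "user"],
        "mail": ["fred@example.com"],
        "otherMailbox": ["fred@example.com", "fred@example.net"],
    },
}
# The posted table, reduced to the keys that drive the expansion.
ORIGINAL_CF = {
    "search_base": "ou=domains,dc=example,dc=com",
    "query_filter": "(&(objectclass=group)(mail=%s))",
    "leaf_result_attribute": "otherMailbox",
    "special_result_attribute": "member",
}
# Viktor's suggestion: a single-valued attribute, one address per member.
SINGLE_VALUE_CF = dict(ORIGINAL_CF, leaf_result_attribute="mail")


def rfc4515_escape(key):
    """Escape %s the way Postfix does, so '*' or '*)(mail=' in a lookup key
    cannot turn into a wildcard or rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in key)

def _value_regex(value):
    """Assertion value to regex: '*' is a wildcard, '\\XX' a literal byte."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "*":
            parts.append(".*")
        elif value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 2
        else:
            parts.append(re.escape(value[i]))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def _parse(filt, pos=0):
    """Parse (&...), (|...), (!...) and (attr=value); return (node, next)."""
    if filt[pos] != "(":
        raise ValueError("bad filter at offset %d" % pos)
    pos += 1
    if filt[pos] in "&|!":
        op, kids, pos = filt[pos], [], pos + 1
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            kids.append(node)
        return (op, kids), pos + 1
    end = filt.index(")", pos)
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr.strip().lower(), _value_regex(value)), end + 1

def _matches(node, attrs):
    if node[0] == "&":
        return all(_matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], attrs)
    return any(node[2].match(v) for v in attrs.get(node[1], []))

def _names(spec):
    return [a.lower() for a in re.split(r"[,\s]+", spec) if a]

def _expand(dn, cfg, directory, out, depth):
    """Collect result values from one entry, recursing into special DNs."""
    entry = directory.get(dn)
    if entry is None or depth > cfg.get("recursion_limit", 1000):
        return
    attrs = {k.lower(): v for k, v in entry.items()}
    special = [d for a in _names(cfg.get("special_result_attribute", ""))
               for d in attrs.get(a, [])]
    for a in _names(cfg.get("result_attribute", "maildrop")):
        out.extend(attrs.get(a, []))
    if not special:  # a leaf entry: leaf_result_attribute applies here
        for a in _names(cfg.get("leaf_result_attribute", "")):
            out.extend(attrs.get(a, []))
    for member in special:
        _expand(member, cfg, directory, out, depth + 1)

def ldap_lookup(key, cfg, directory=DIRECTORY):
    """One table lookup: every result value, in directory order."""
    node, _ = _parse(cfg["query_filter"].replace("%s", rfc4515_escape(key)))
    base, out = cfg["search_base"].lower(), []
    for dn, entry in directory.items():
        attrs = {k.lower(): v for k, v in entry.items()}
        if dn.lower().endswith(base) and _matches(node, attrs):
            _expand(dn, cfg, directory, out, 0)
    return out
```

With ORIGINAL_CF the lookup for the group address returns both otherMailbox values for fred, which is the "unexpected" result in message 1; with SINGLE_VALUE_CF it returns the one mail value. The model also shows the check a practitioner cares about: a key of "*" or "*)(objectclass=*" is escaped before substitution and matches nothing, rather than turning the group lookup into a wildcard search.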
                  • Rowland Penny
                    Message 9 of 13 , Aug 23, 2013
                      On 19/08/13 23:15, Viktor Dukhovni wrote:
                      > On Mon, Aug 19, 2013 at 10:32:27PM +0100, Rowland Penny wrote:
                      >
                      >>> If you want to return
                      >>> a particular single address for each user, you need to select a
                      >>> result attribute that contains *only* that address.
                      >> That is what I was trying to do, do a search of a group, get its
                      >> members and return the 'otherMailbox' from the group members that
                      >> contain the members CN@%d.
                      > There is no reasonable expectation that an LDAP query will return
                      > a subset of the requested attribute values. LDAP returns the
                      > totality of the requested attribute values for all entries that
                      > match the query filter. The LDAP query language is much more
                      > limited than SQL.
                      >
                      >> But from what you are saying, this is not possible and whilst I can
                      >> search via the group, I will get every 'otherMailbox' attribute
                      >> under every member of the mailgroup and there is no way to fix this.
                      > Yes, naturally.
                      >
                      >> I will have to rethink this, there must be another way of getting
                      >> what I want, this is after all unix ;-)
                      > Unix has little to do with it, this is LDAP. If you are querying
                      > LDAP live, you are limited by the capabilities of LDAP. The Postfix
                      > LDAP driver does not add a filter language to post-process LDAP
                      > results. So LDAP is what you get.
                      >
                      >>> AD allows you to extend the schema. If nothing suitable is available,
                      >>> you can populate a custom attribute.
                      >> The problem with AD is that whilst it is a version of LDAP, it is a
                      >> very bastardized version, moulded by MS to do what they wanted to
                      >> do; you cannot do with AD what you can do very easily with LDAP.
                      > This is a poor excuse. I've extended the AD schema with custom
                      > attributes holding email addresses, it is relatively simple to do.
                      >
                      > I am still puzzled why you don't want to use "mail" as the leaf
                      > result attribute. This will return one address per mailgroup user.
                      >
                      > If you are looking to add users to groups in such a way that the
                      > member address depends on the group's domain, you've likely made
                      > a design error somewhere else that is forcing you to jump through
                      > hoops. All groups a user is a member of should route mail to the
                      > same address or set of addresses for each user.
                      >
                      Ok, I have tried to find an answer to my problem and failed.

                      I will explain what I am trying to do. I have added the iRedmail schema
                      to a Samba 4 AD server and am trying to build an email server based on
                      iRedmail and AD SSO, i.e. one user, one password, multiple email
                      domains.

                      let me explain the problem as I see it.

                      LDAP mail servers typically store domain users under a separate OU per
                      domain and if a user has three (or more) mail addresses, he would be
                      listed in three different places but he would still be the same user.

                      Active Directory seems to work differently, you have the user in one
                      place with one password and you can have all the users email addresses
                      stored under their DN in Multi-value attributes, I decided to use the
                      'otherMailbox' attribute.

                      i.e.

                      dn: CN=albert,CN=Users,DC=example,DC=com
                      otherMailbox: albert@...
                      otherMailbox: albert@...
                      otherMailbox: albert@...

                      The only problem that I have found is, any LDAP search with
                      'result_attribute = otherMailbox' fails, in that it returns with all of
                      the 'otherMailbox' attributes, so postfix would then try to deliver the
                      email to all the mail addresses.

                      Now I know that assumed wisdom is to use a single-value attribute such
                      as 'mail' but this would mean that any mail for a user would end up in
                      just one mailbox and sort of defeats the object of having multiple email
                      addresses.

                      Can I please propose a solution ;-) or in other words, can I please ask
                      for an enhancement.

                      The LDAP search works but it is returning any 'otherMailbox'
                      attributes it finds, even if most of them have nothing to do with the
                      domain that was included in the search (%d).
                      So my suggestion would be to add another switch to 'result_format', 'AD'
                      for instance, if this switch is turned on (result_format = %AD) then any
                      result the LDAP search returns is passed through another filter which
                      removes any addresses where the domain does not match the original
                      search domain.

                      I know that this would work, because I created a small bash script
                      around the 'postmap ldap:' commands and got the expected results, no
                      matter what ldap .cf I ran it with.

                      Please do not suggest that I write the code, because to me C comes
                      between B & D ;-) I can write bash scripts (but I am by no means an
                      expert) but I fear that C is beyond me.

                      Thanks

                      Rowland
                    • Viktor Dukhovni
                      Message 10 of 13 , Aug 23, 2013
                        On Fri, Aug 23, 2013 at 03:01:52PM +0100, Rowland Penny wrote:

                        > dn: CN=albert,CN=Users,DC=example,DC=com
                        > otherMailbox: albert@...
                        > otherMailbox: albert@...
                        > otherMailbox: albert@...
                        >
                        > The only problem that I have found is, any LDAP search with
                        > 'result_attribute = otherMailbox' fails, in that it returns with all
                        > of the 'otherMailbox' attributes, so postfix would then try to
                        > deliver the email to all the mail addresses.

                        This is correct behaviour, Postfix works as designed, and many
                        other users of LDAP rely on this behaviour.

                        > Now I know that assumed wisdom is to use a single-value attribute
                        > such as 'mail' but this would mean that any mail for a user would
                        > end up in just one mailbox and sort of defeats the object of having
                        > multiple email addresses.

                        Correct, mail for a user goes to a fixed mailbox or set of mailboxes.
                        You decide whether you want one or many.

                        > Can I please propose a solution ;-) or in other words, can I please
                        > ask for an enhancement.

                        The meaning of multi-valued attributes in LDAP searches is unlikely
                        to change.

                        > The LDAP search works but it is returning any 'otherMailbox'
                        > attributes it finds, even if most of them have nothing to do with the
                        > domain that was included in the search (%d).

                        The search was looking up a group with a particular address. It
                        is a mistake to impute any other meaning to the domain part of the
                        group email address.

                        > So my suggestion would be to add another switch to 'result_format',
                        > 'AD' for instance, if this switch is turned on (result_format = %AD)
                        > then any result the LDAP search returns is passed through another
                        > filter which removes any addresses where the domain does not match
                        > the original search domain.

                        Sorry, this is an ad-hoc hack to support a misguided interpretation
                        of group membership. No such feature is remotely likely. I suggest
                        you rethink your design.

                        --
                        Viktor.
                      • Rowland Penny
                        Message 11 of 13 , Aug 24, 2013
                          On 24/08/13 03:42, Viktor Dukhovni wrote:
                          > On Fri, Aug 23, 2013 at 03:01:52PM +0100, Rowland Penny wrote:
                          >
                          >> dn: CN=albert,CN=Users,DC=example,DC=com
                          >> otherMailbox: albert@...
                          >> otherMailbox: albert@...
                          >> otherMailbox: albert@...
                          >>
                          >> The only problem that I have found is, any LDAP search with
                          >> 'result_attribute = otherMailbox' fails, in that it returns with all
                          >> of the 'otherMailbox' attributes, so postfix would then try to
                          >> deliver the email to all the mail addresses.
                          > This is correct behaviour, Postfix works as designed, and many
                          > other users of LDAP rely on this behaviour.

                          I understand this, I accept this, what I am asking for would not
                          affect this.

                          >> Now I know that assumed wisdom is to use a single-value attribute
                          >> such as 'mail' but this would mean that any mail for a user would
                          >> end up in just one mailbox and sort of defeats the object of having
                          >> multiple email addresses.
                          > Correct, mail for a user goes to a fixed mailbox or set of mailboxes.
                          > You decide whether you want one or many.

                          This is what I am trying to do, get the mail into the correct mailbox,
                          not into many mailboxes just one. If I was to use iRedmail on openldap,
                          I could have the same user in different maildomains and just get one
                          result per maildomain. I have moved the maildomain users mailbox
                          attributes to the AD users DN but cannot select just the mailbox required

                          >> Can I please propose a solution ;-) or in other words, can I please
                          >> ask for an enhancement.
                          > The meaning of multi-valued attributes in LDAP searches is unlikely
                          > to change.

                          I am not asking you to change the meaning of multi-value attributes, but
                          whilst we are talking about them, the name is a bit misleading. On AD,
                          'mail' is a single-valued attribute that can occur only once but can
                          contain multiple values, multi-valued attributes can occur several
                          times, so shouldn't the 'valued' part really be 'instance'?

                          >> The LDAP search works but it is returning with any 'otherMailbox'
                          >> attributes it finds, even if most of them have nothing to do with the
                          >> domain that was included in the search (%d).
                          > The search was looking up a group with a particular address. It
                          > is a mistake to impute any other meaning to the domain part of the
                          > group email address.

                          Why is it a mistake?
                          The search is looking up a group via its 'mail' address and then
                          returning all of its members email addresses, this is the same search
                          that iRedmail uses, so if you have a problem with it, take it up with
                          iRedmail. The only difference between the iRedmail search and mine is
                          the returned attribute, they use 'mail' because their users are stored
                          under the domain-name and hence they have the user stored several times,
                          I use 'otherMailbox' and store it under the users DN and the user is
                          stored once.

                          >> So my suggestion would be to add another switch to 'result_format',
                          >> 'AD' for instance, if this switch is turned on (result_format = %AD)
                          >> then any result the LDAP search returns is passed through another
                          >> filter which removes any addresses where the domain does not match
                          >> the original search domain.
                          > Sorry, this is an ad-hoc hack to support a misguided interpretation
                          > of group membership. No such feature is remotely likely. I suggest
                          > you rethink your design.
                          >
                          Right, so my proposed filter is an ad-hoc design to suit a problem, so I
                          presume that 'leaf_result' is not? Also you seem to be misunderstanding
                          the way that AD tracks members of a group.

                          So, how would you design a mail system to run on AD? Use the same old
                          system of storing the same user several times under multiple domains? If
                          so, you are totally missing the point of SSO.

                          Rowland
                        • Viktor Dukhovni
                          Message 12 of 13, Aug 24, 2013
                            On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:

                            > >The search was looking up a group with a particular address. It
                            > >is a mistake to impute any other meaning to the domain part of the
                            > >group email address.
                            >
                            > Why is it a mistake?

                            Your mistake is to use objects with multiple email addresses in
                            groups where the intention is that only one of the object's addresses
                            is to receive mail from any single group with the selected address
                            depending on the domain of that group.

                            If a user has multiple independent mailboxes, each one of which is
                            capable of separately being added to a group, create separate LDAP
                            objects (a.k.a. LDAP entries) for each mailbox, and add these to
                            the relevant groups. There is nothing wrong with a mailbox in
                            domain X being a member of a list in domain Y if that's what domain
                            X wants to do.

                            Active Directory supports authentication with multiple domains in
                            a single "forest", or across multiple "forests". The "alternate
                            Security Identities" LDAP attribute allows you to map a user from
                            a remote Kerberos realm to a local AD user. There are lots of ways
                            of giving a single authentication identity access to multiple
                            mailboxes if that is required.

                            > Right, so my proposed filter is an ad-hoc design to suit a problem,
                            > so I presume that 'leaf_result' is not? Also you seem to be
                            > misunderstanding the way that AD tracks members of a group.

                            I am not taking the bait. Rethink your design.

                            --
                            Viktor.
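The two designs argued over in the messages above, modelled in an added Python example (this is not Postfix's own code and not something posted by anyone in the thread). It mimics how a Postfix ldap_table with `leaf_result_attribute = otherMailbox` and `special_result_attribute = member` expands a group found by `(&(objectclass=group)(mail=%s))`, run over a constructed in-memory directory instead of a real LDAP server; the domain names, DNs and the `ou=mailboxes` container are assumptions. It also includes an audit function that lists leaf entries which would fan out to several addresses, which is the check to run before blaming the lookup.

```python
"""Toy model of Postfix ldap_table group expansion (added example, not
Postfix code; no LDAP server is contacted).  Mimics these settings:
    query_filter             = (&(objectclass=group)(mail=%s))
    leaf_result_attribute    = otherMailbox
    special_result_attribute = member
"""
from typing import Dict, List, Set

# LDAP attributes are multi-valued, so every value lives in a list.
Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Constructed directory 1 (the thread's design): one AD user entry carrying
# three otherMailbox values, and the group points at that user entry.
SINGLE_ENTRY_DESIGN: Directory = {
    "cn=example.com,ou=domains,dc=example,dc=com": {
        "objectclass": ["group"],
        "mail": ["mailgroup@example.com"],
        "member": ["cn=albert,cn=Users,dc=example,dc=com"],
    },
    "cn=albert,cn=Users,dc=example,dc=com": {
        "objectclass": ["user"],
        "otherMailbox": ["albert@example.com", "albert@example.net",
                         "albert@example.org"],
    },
}

# Constructed directory 2 (the design Viktor suggests): one entry per mailbox
# with a single address; the group lists only the mailbox it wants.
# The ou=mailboxes container is an assumed layout.
PER_MAILBOX_DESIGN: Directory = {
    "cn=example.com,ou=domains,dc=example,dc=com": {
        "objectclass": ["group"],
        "mail": ["mailgroup@example.com"],
        "member": ["cn=albert,ou=example.com,ou=mailboxes,dc=example,dc=com"],
    },
    "cn=albert,ou=example.com,ou=mailboxes,dc=example,dc=com": {
        "objectclass": ["mailbox"],
        "otherMailbox": ["albert@example.com"],
    },
    "cn=albert,ou=example.net,ou=mailboxes,dc=example,dc=com": {
        "objectclass": ["mailbox"],
        "otherMailbox": ["albert@example.net"],
    },
}


def _expand_dn(directory: Directory, dn: str, leaf_attr: str,
               special_attr: str, seen: Set[str]) -> List[str]:
    """Leaf attribute values reachable from dn.  An entry with special_attr
    values is expanded further; an entry without them is a leaf and
    contributes every value of leaf_attr.  `seen` stops membership loops."""
    if dn in seen:
        return []
    seen.add(dn)
    entry = directory.get(dn)
    if entry is None:  # dangling member DN: nothing to deliver to
        return []
    members = entry.get(special_attr, [])
    if members:
        addresses: List[str] = []
        for member_dn in members:
            addresses.extend(_expand_dn(directory, member_dn, leaf_attr,
                                        special_attr, seen))
        return addresses
    return list(entry.get(leaf_attr, []))


def expand_group(directory: Directory, address: str,
                 leaf_attr: str = "otherMailbox",
                 special_attr: str = "member") -> List[str]:
    """Find the group whose mail attribute matches address (compared
    case-insensitively, as LDAP does) and return its expanded addresses."""
    wanted = address.lower()
    result: List[str] = []
    for dn, entry in directory.items():
        if "group" not in entry.get("objectclass", []):
            continue
        if wanted not in (m.lower() for m in entry.get("mail", [])):
            continue
        result.extend(_expand_dn(directory, dn, leaf_attr, special_attr, set()))
    return result


def multi_valued_leaves(directory: Directory,
                        leaf_attr: str = "otherMailbox",
                        special_attr: str = "member") -> List[str]:
    """Audit check: DNs of leaf entries with more than one leaf_attr value.
    Each such entry fans out to all of its addresses when a group containing
    it is expanded, which is exactly the surprise reported in the thread."""
    return sorted(dn for dn, entry in directory.items()
                  if not entry.get(special_attr)
                  and len(entry.get(leaf_attr, [])) > 1)


if __name__ == "__main__":
    for name, d in (("single entry", SINGLE_ENTRY_DESIGN),
                    ("per mailbox", PER_MAILBOX_DESIGN)):
        print(name, "->", expand_group(d, "mailgroup@example.com"))
        print("  multi-valued leaves:", multi_valued_leaves(d))
```

Running it shows the first directory delivering the group's mail to all three of albert's addresses and the second to one, without any change to the lookup itself; the loop guard in `_expand_dn` is there because a group that is (transitively) a member of itself would otherwise never finish expanding.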
                          • Rowland Penny
                            Message 13 of 13, Aug 25, 2013
                              On 24/08/13 17:35, Viktor Dukhovni wrote:
                              > On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:
                              >
                              >>> The search was looking up a group with a particular address. It
                              >>> is a mistake to impute any other meaning to the domain part of the
                              >>> group email address.
                              >> Why is it a mistake?
                              > Your mistake is to use objects with multiple email addresses in
                              > groups where the intention is that only one of the object's addresses
                              > is to receive mail from any single group with the selected address
                              > depending on the domain of that group.
                              >
                              > If a user has multiple independent mailboxes, each one of which is
                              > capable of separately being added to a group, create separate LDAP
                              > objects (a.k.a. LDAP entries) for each mailbox, and add these to
                              > the relevant groups. There is nothing wrong with a mailbox in
                              > domain X being a member of a list in domain Y if that's what domain
                              > X wants to do.
                              >
                              > Active Directory supports authentication with multiple domains in
                              > a single "forest", or across multiple "forests". The "alternate
                              > Security Identities" LDAP attribute allows you to map a user from
                              > a remote Kerberos realm to a local AD user. There are lots of ways
                              > of giving a single authentication identity access to multiple
                              > mailboxes if that is required.
                              >
                              >> Right, so my proposed filter is an ad-hoc design to suit a problem,
                              >> so I presume that 'leaf_result' is not? Also you seem to be
                              >> misunderstanding the way that AD tracks members of a group.
                              > I am not taking the bait. Rethink your design.
                              >
                              Hi Viktor, I have re-thought my design, I will give up with my rubbish
                              design by using Exim instead of the totally unhelpful postfix.

                              Rowland