
Re: Postfix group lookup against Samba4 AD

  • Rowland Penny
    Message 1 of 13 , Aug 24, 2013
      On 24/08/13 03:42, Viktor Dukhovni wrote:
      > On Fri, Aug 23, 2013 at 03:01:52PM +0100, Rowland Penny wrote:
      >
      >> dn: CN=albert,CN=Users,DC=example,DC=com
      >> otherMailbox: albert@...
      >> otherMailbox: albert@...
      >> otherMailbox: albert@...
      >>
      >> The only problem that I have found is, any LDAP search with
      >> 'result_attribute = otherMailbox' fails, in that it returns with all
      >> of the 'otherMailbox' attributes, so postfix would then try to
      >> deliver the email to all the mail addresses.
      > This is correct behaviour, Postfix works as designed, and many
      > other users of LDAP rely on this behaviour.

      I understand this, I accept this, what I am asking for would not
      affect this.

      >> Now I know that assumed wisdom is to use a single-value attribute
      >> such as 'mail' but this would mean that any mail for a user would
      >> end up in just one mailbox and sort of defeats the object of having
      >> multiple email addresses.
      > Correct, mail for a user goes to a fixed mailbox or set of mailboxes.
      > You decide whether you want one or many.

      This is what I am trying to do, get the mail into the correct mailbox,
      not into many mailboxes, just one. If I was to use iRedmail on openldap,
      I could have the same user in different maildomains and just get one
      result per maildomain. I have moved the maildomain users' mailbox
      attributes to the AD user's DN but cannot select just the mailbox required.

      >> Can I please propose a solution ;-) or in other words, can I please
      >> ask for an enhancement.
      > The meaning of multi-valued attributes in LDAP searches is unlikely
      > to change.

      I am not asking you to change the meaning of multi-value attributes, but
      whilst we are talking about them, the name is a bit misleading. On AD,
      'mail' is a single-valued attribute that can occur only once but can
      contain multiple values, multi-valued attributes can occur several
      times, so shouldn't the 'valued' part really be 'instance'?

      >> The LDAP search works but it is returning with any 'otherMailbox'
      >> attributes it finds, even if most of them have nothing to do with the
      >> domain that was included in the search (%d).
      > The search was looking up a group with a particular address. It
      > is a mistake to impute any other meaning to the domain part of the
      > group email address.

      Why is it a mistake?
      The search is looking up a group via its 'mail' address and then
      returning all of its members' email addresses, this is the same search
      that iRedmail uses, so if you have a problem with it, take it up with
      iRedmail. The only difference between the iRedmail search and mine is
      the returned attribute, they use 'mail' because their users are stored
      under the domain-name and hence they have the user stored several times,
      I use 'otherMailbox' and store it under the user's DN and the user is
      stored once.

      >> So my suggestion would be to add another switch to 'result_format',
      >> 'AD' for instance, if this switch is turned on (result_format = %AD)
      >> then any result the LDAP search returns is passed through another
      >> filter which removes any addresses where the domain does not match
      >> the original search domain.
      > Sorry, this is an ad-hoc hack to support a misguided interpretation
      > of group membership. No such feature is remotely likely. I suggest
      > you rethink your design.
      >
      Right, so my proposed filter is an ad-hoc design to suit a problem, so I
      presume that 'leaf_result' is not? Also you seem to be misunderstanding
      the way that AD tracks members of a group.

      So, how would you design a mail system to run on AD? Use the same old
      system of storing the same user several times under multiple domains? If
      so, you are totally missing the point of SSO.

      Rowland
    • Viktor Dukhovni
      Message 2 of 13 , Aug 24, 2013
        On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:

        > >The search was looking up a group with a particular address. It
        > >is a mistake to impute any other meaning to the domain part of the
        > >group email address.
        >
        > Why is it a mistake?

        Your mistake is to use objects with multiple email addresses in
        groups where the intention is that only one of the object's addresses
        is to receive mail from any single group with the selected address
        depending on the domain of that group.

        If a user has multiple independent mailboxes, each one of which is
        capable of separately being added to a group, create separate LDAP
        objects (a.k.a. LDAP entries) for each mailbox, and add these to
        the relevant groups. There is nothing wrong with a mailbox in
        domain X being a member of a list in domain Y if that's what domain
        X wants to do.

        Active Directory supports authentication with multiple domains in
        a single "forest", or across multiple "forests". The "alternate
        Security Identities" LDAP attribute allows you to map a user from
        a remote Kerberos realm to a local AD user. There are lots of ways
        of giving a single authentication identity access to multiple
        mailboxes if that is required.

        > Right, so my proposed filter is an ad-hoc design to suit a problem,
        > so I presume that 'leaf_result' is not? Also you seem to be
        > misunderstanding the way that AD tracks members of a group.

        I am not taking the bait. Rethink your design.

        --
        Viktor.
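The lookup semantics argued over above, as an added example that is not part of the thread and not Postfix's own code: a small Python model of a Postfix ldap_table group expansion (result_attribute, special_result_attribute, leaf_result_attribute) run over a constructed directory. It shows that a multi-valued result attribute such as otherMailbox yields every value, while one LDAP entry per mailbox, as Viktor suggests, yields a single address. The DIRECTORY dict and all DNs and addresses are constructed for the example.

```python
# Constructed directory: DN -> attributes (every attribute is a list of values).
DIRECTORY = {
    # One user object carrying all of the user's mailbox addresses.
    "CN=albert,CN=Users,DC=example,DC=com": {
        "mail": ["albert@example.com"],
        "otherMailbox": ["albert@example.com", "albert@example.org",
                         "albert@example.net"],
    },
    "CN=sales,CN=Groups,DC=example,DC=com": {
        "mail": ["sales@example.org"],
        "member": ["CN=albert,CN=Users,DC=example,DC=com"],
    },
    # Alternative layout: a separate entry per mailbox, each added to groups.
    "CN=albert-org,CN=Mailboxes,DC=example,DC=com": {
        "mail": ["albert@example.org"],
    },
    "CN=sales2,CN=Groups,DC=example,DC=com": {
        "mail": ["sales2@example.org"],
        "member": ["CN=albert-org,CN=Mailboxes,DC=example,DC=com"],
    },
}


def search(directory, attr, value):
    """Entries matching the LDAP filter (attr=value), as (dn, entry) pairs."""
    return [(dn, e) for dn, e in directory.items() if value in e.get(attr, [])]


def expand_group(directory, address, result_attribute,
                 special_result_attribute="member", leaf_result_attribute=None):
    """Simplified model of a Postfix ldap_table lookup of a group address:
    result_attribute is collected from every entry visited; DNs found in
    special_result_attribute are followed; leaf_result_attribute is collected
    only from terminal entries (those without special_result_attribute).
    Every value of a multi-valued attribute is returned, as in Postfix."""
    results, seen = [], set()
    queue = search(directory, "mail", address)
    while queue:
        dn, entry = queue.pop(0)
        if dn in seen:
            continue  # guard against membership loops
        seen.add(dn)
        members = entry.get(special_result_attribute, [])
        results.extend(entry.get(result_attribute, []))
        if not members and leaf_result_attribute:
            results.extend(entry.get(leaf_result_attribute, []))
        queue.extend((m, directory[m]) for m in members if m in directory)
    return results
```

With the single-object layout, looking up sales@example.org with result_attribute = otherMailbox delivers to all three addresses; with the one-entry-per-mailbox layout and leaf_result_attribute = mail, sales2@example.org delivers to albert@example.org only.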
      • Rowland Penny
        Message 3 of 13 , Aug 25, 2013
          On 24/08/13 17:35, Viktor Dukhovni wrote:
          > On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:
          >
          >>> The search was looking up a group with a particular address. It
          >>> is a mistake to impute any other meaning to the domain part of the
          >>> group email address.
          >> Why is it a mistake?
          > Your mistake is to use objects with multiple email addresses in
          > groups where the intention is that only one of the object's addresses
          > is to receive mail from any single group with the selected address
          > depending on the domain of that group.
          >
          > If a user has multiple independent mailboxes, each one of which is
          > capable of separately being added to a group, create separate LDAP
          > objects (a.k.a. LDAP entries) for each mailbox, and add these to
          > the relevant groups. There is nothing wrong with a mailbox in
          > domain X being a member of a list in domain Y if that's what domain
          > X wants to do.
          >
          > Active directory supports authentication with multiple domains in
          > a single "forest", or across multiple "forests". The "alternate
          > Security Identities" LDAP attribute allows you to map a user from
          > a remote Kerberos realm to a local AD user. There are lots of ways
          > of giving a single authentication identity access to multiple
          > mailboxes if that is required.
          >
          >> Right, so my proposed filter is an ad-hoc design to suit a problem,
          >> so I presume that 'leaf_result' is not? Also you seem to be
          >> misunderstanding the way that AD tracks members of a group.
          > I am not taking the bait. Rethink your design.
          >
          Hi Viktor, I have re-thought my design, I will give up with my rubbish
          design by using Exim instead of the totally unhelpful postfix.

          Rowland