Re: Postfix group lookup against Samba4 AD
- On 24/08/13 17:35, Viktor Dukhovni wrote:
> On Sat, Aug 24, 2013 at 12:13:46PM +0100, Rowland Penny wrote:
>>> The search was looking up a group with a particular address. It
>>> is a mistake to impute any other meaning to the domain part of the
>>> group email address.
>> Why is it a mistake?
> Your mistake is to use objects with multiple email addresses in
> groups where the intention is that only one of the object's addresses
> is to receive mail from any single group with the selected address
> depending on the domain of that group.
> If a user has multiple independent mailboxes, each one of which is
> capable of separately being added to a group, create separate LDAP
> objects (a.k.a. LDAP entries) for each mailbox, and add these to
> the relevant groups. There is nothing wrong with a mailbox in
> domain X being a member of a list in domain Y if that's what domain
> X wants to do.
> Active directory supports authentication with multiple domains in
> a single "forest", or across multiple "forests". The "alternate
> Security Identities" LDAP attribute allows you to map a user from
> a remote Kerberos realm to a local AD user. There are lots of ways
> of giving a single authentication identity access to multiple
> mailboxes if that is required.
>> Right, so my proposed filter is an ad-hoc design to suit a problem,
>> so I presume that 'leaf_result' is not? Also you seem to be
>> misunderstanding the way that AD tracks members of a group.
> I am not taking the bait. Rethink your design.

Hi Viktor, I have re-thought my design, I will give up with my rubbish
design by using Exim instead of the totally unhelpful postfix.
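
The design point made in the quoted reply above (one LDAP entry per mailbox, added to the relevant groups), as an added example that is not part of the original thread and is not Postfix code. It is a simplified in-memory model of group expansion in which only non-group (leaf) entries contribute addresses; the entry names, addresses and the `find_group` and `expand` helpers are constructed for illustration.

```python
# Constructed directory: DN -> attributes. All names and addresses are made up.
DIRECTORY = {
    "cn=staff,dc=x": {"mail": ["staff@x.example"],
                      "member": ["cn=alice,dc=x"]},
    # One object carrying two addresses (the design criticised in the thread).
    "cn=alice,dc=x": {"mail": ["alice@x.example", "alice@y.example"]},
    "cn=staff2,dc=x": {"mail": ["staff2@x.example"],
                       "member": ["cn=alice-x,dc=x", "cn=team,dc=x"]},
    "cn=team,dc=x": {"mail": ["team@x.example"],
                     "member": ["cn=bob-y,dc=y"]},
    # One entry per mailbox; each can be added to groups independently.
    "cn=alice-x,dc=x": {"mail": ["alice@x.example"]},
    "cn=alice-y,dc=y": {"mail": ["alice@y.example"]},
    "cn=bob-y,dc=y": {"mail": ["bob@y.example"]},
}


def find_group(directory, address):
    """Return the DN of the group entry that owns this address, or None."""
    for dn, attrs in directory.items():
        if "member" in attrs and address in attrs.get("mail", []):
            return dn
    return None


def expand(directory, address):
    """Return the sorted recipient addresses a group address expands to."""
    start = find_group(directory, address)
    if start is None:
        return []
    recipients, seen, stack = set(), set(), [start]
    while stack:
        dn = stack.pop()
        if dn in seen:          # guard against groups that contain each other
            continue
        seen.add(dn)
        attrs = directory.get(dn, {})
        members = attrs.get("member", [])
        if members:             # a group: descend, do not mail the group itself
            stack.extend(members)
        else:                   # a leaf: every mail value becomes a recipient
            recipients.update(attrs.get("mail", []))
    return sorted(recipients)
```

In this model `staff@x.example` reaches both of the multi-address object's mailboxes, while `staff2@x.example` reaches only the mailboxes whose entries were added, including one from another domain through a nested group.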