Bob Rentschler via FreeIPA-users wrote:
> This may be related to the issue discussed here: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/
> <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/>
> 
> But it seems not to be, layer 8 is still open though.
> 
> Using the instructions here
> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> to enable postfix virtual users from freeIPA I seem to have hit a
> sticking point in that postfix is unable to fetch the mail attribute.
> 
> this is the query filter I modified as per the referenced email in the
> archive.
> 
> query_filter = (&(objectclass=posixaccount)(mail=%s))
> 
> When run from postmap it gets nothing. If I change it for testing to
> search by uid or another attribute it works as expected. a simple filter
> like (uid=%s) works everytime.
> 
> This ldapsearch run using the postfix servers keytab as credentials
> works as well:
> 
> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org
> '(&(objectclass=posixaccount)(|(mail=validu...@example.org
> <mailto:validu...@example.org>)))'
> 
> The FreeIPA version is 4.4.4 running on Fedora 26
> 
> Is there something I may be overlooking here? I dove off into IPA v4
> permissions and everything *seems* ok, but it is my chief suspect right now.

When postmap gets nothing, is the LDAP query correct? What is the LDAP
error code?

The query you ran doesn't match the query_filter you posted. I mention
it in case this wasn't just a typo in the e-mail.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to