The query mismatch was a typo/mispaste, sorry about that. It was indeed at least partly permissions in the LDAP server, likely because a service is running the query.
I solved the freeipa permissions with the below command, which is likely bad in some way but did allow postmap to return the desired attributes: ipa permission-mod "System: Read User Standard Attributes" --includedattrs=mail --includedattrs=mailAlternateAddress The attributes have been changed today, I am using (|(mail=%s)(mailAlternateAddress=%s)) now that the simple (mail-%s) works. Is there a better or more proper way? That one seems to allow anonymous enumeration of email accounts, which isn't a huge problem for me, but I could see cases where it would be. It also seems a waste to set up gssapi and TLS then weaken the LDAP ACI's. When I looked in the access log of the LDAP server I saw no error codes as such, was /var/log/dirsrv/slapd-<domain>/access the wrong file to look in. The remaining issue is posmap returns results just fine, but postfix itself somehow fails to read the ldap alias map. I'll beat my head on that for a few hours now. For the interested the relevant section of main.cf is virtual_alias_domains = domain.org virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf All of the TLS functions are working properly, the directory server shows this when postfix connects: [03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH base="cn=users,cn=accounts,dc=domain,dc=ord" scope=2 filter="(|(mail= existing_u...@domain.org)(mailAlternateAddress=existing_u...@domain.org))" attrs="uid" [03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101 nentries=1 etime=0 it also shows a few extras, I believe I need to tighetn up what postfix looks for as these are queries related to the sending email account. [03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH base="cn=users,cn=accounts,dc=domain,dc=org" scope=2 filter="(|(mail=<account test mail was sent from>)(mailAlternateAddress=<account test mail was sent from>))" attrs="uid" [03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2 filter="(|(mail=@<sending domain>)(mailAlternateAddress=@<sending domain>))" attrs="uid" [03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101 nentries=0 etime=0 Thanks! Bob On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Bob Rentschler via FreeIPA-users wrote: > > This may be related to the issue discussed here: > > https://lists.fedorahosted.org/archives/list/freeipa- > us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/ > > <https://lists.fedorahosted.org/archives/list/freeipa- > us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/> > > > > But it seems not to be, layer 8 is still open though. > > > > Using the instructions here > > https://www.dalemacartney.com/2013/03/14/deploying-postfix- > with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ > > to enable postfix virtual users from freeIPA I seem to have hit a > > sticking point in that postfix is unable to fetch the mail attribute. > > > > this is the query filter I modified as per the referenced email in the > > archive. > > > > query_filter = (&(objectclass=posixaccount)(mail=%s)) > > > > When run from postmap it gets nothing. If I change it for testing to > > search by uid or another attribute it works as expected. a simple filter > > like (uid=%s) works everytime. > > > > This ldapsearch run using the postfix servers keytab as credentials > > works as well: > > > > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org > > '(&(objectclass=posixaccount)(|(mail=validu...@example.org > > <mailto:validu...@example.org>)))' > > > > The FreeIPA version is 4.4.4 running on Fedora 26 > > > > Is there something I may be overlooking here? I dove off into IPA v4 > > permissions and everything *seems* ok, but it is my chief suspect right > now. > > When postmap gets nothing, is the LDAP query correct? What is the LDAP > error code? > > The query you ran doesn't match the query_filter you posted. I mention > it in case this wasn't just a typo in the e-mail. > > rob > >
_______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org