The query mismatch was a typo/mispaste, sorry about that.

It was indeed at least partly permissions in the LDAP server, likely
because a service is running the query.

I solved the freeipa permissions with the below command, which is likely
bad in some way but did allow postmap to return the
desired attributes:

ipa permission-mod "System: Read User Standard Attributes"
--includedattrs=mail --includedattrs=mailAlternateAddress

The attributes have been changed today, I am
using (|(mail=%s)(mailAlternateAddress=%s)) now that the simple (mail-%s)

Is there a better or more proper way? That one seems to allow anonymous
enumeration of email accounts, which isn't a huge
problem for me, but I could see cases where it would be. It also seems a
waste to set up gssapi and TLS then weaken the LDAP

When I looked in the access log of the LDAP server I saw no error codes as
such, was /var/log/dirsrv/slapd-<domain>/access the wrong file to look in.

The remaining issue is posmap returns results just fine, but postfix itself
somehow fails to read the ldap alias map. I'll beat my
head on that for a few hours now.

For the interested the relevant section of is

virtual_alias_domains =
virtual_alias_maps = ldap:/etc/postfix/

All of the TLS functions are working properly, the directory server shows
this when postfix connects:

[03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH
base="cn=users,cn=accounts,dc=domain,dc=ord" scope=2 filter="(|(mail="
[03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101
nentries=1 etime=0

it also shows a few extras, I believe I need to tighetn up what postfix
looks for as these are queries related to the sending email account.

[03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH
base="cn=users,cn=accounts,dc=domain,dc=org" scope=2
filter="(|(mail=<account test mail was sent
from>)(mailAlternateAddress=<account test mail was sent from>))" attrs="uid"
[03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH
base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2
filter="(|(mail=@<sending domain>)(mailAlternateAddress=@<sending
domain>))" attrs="uid"
[03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101
nentries=0 etime=0


On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden <> wrote:

> Bob Rentschler via FreeIPA-users wrote:
> > This may be related to the issue discussed here:
> >
> > <
> >
> > But it seems not to be, layer 8 is still open though.
> >
> > Using the instructions here
> >
> with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> > to enable postfix virtual users from freeIPA I seem to have hit a
> > sticking point in that postfix is unable to fetch the mail attribute.
> >
> > this is the query filter I modified as per the referenced email in the
> > archive.
> >
> > query_filter = (&(objectclass=posixaccount)(mail=%s))
> >
> > When run from postmap it gets nothing. If I change it for testing to
> > search by uid or another attribute it works as expected. a simple filter
> > like (uid=%s) works everytime.
> >
> > This ldapsearch run using the postfix servers keytab as credentials
> > works as well:
> >
> > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org
> > '(&(objectclass=posixaccount)(|(
> > <>)))'
> >
> > The FreeIPA version is 4.4.4 running on Fedora 26
> >
> > Is there something I may be overlooking here? I dove off into IPA v4
> > permissions and everything *seems* ok, but it is my chief suspect right
> now.
> When postmap gets nothing, is the LDAP query correct? What is the LDAP
> error code?
> The query you ran doesn't match the query_filter you posted. I mention
> it in case this wasn't just a typo in the e-mail.
> rob
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to