It seems the postfix problem was of my own creation: I reset the postfix config
file to a copy of the default, re-did everything a step at
a time and it all worked. Who knows what I had in there screwing it up; I
still can't find it when I compare them.

To sum it up, under IPA v4 you need to, in one way or another, make sure the
mail attribute(s) can be read.

Perhaps this is a candidate for a new default permission/privilege/role for
services feature request?

Bob

On Thu, Aug 3, 2017 at 10:42 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Bob Rentschler wrote:
> > The query mismatch was a typo/mispaste, sorry about that.
> >
> > It was indeed at least partly permissions in the LDAP server, likely
> > because a service is running the query.
> >
> > I solved the freeipa permissions with the below command, which is likely
> > bad in some way but did allow postmap to return the
> > desired attributes:
> >
> > ipa permission-mod "System: Read User Standard Attributes"
> > --includedattrs=mail --includedattrs=mailAlternateAddress
> >
> > The attributes have been changed today; I am
> > using (|(mail=%s)(mailAlternateAddress=%s)) now that the simple
> > (mail=%s) works.
> >
> > Is there a better or more proper way? That one seems to allow anonymous
> > enumeration of email accounts, which isn't a huge
> > problem for me, but I could see cases where it would be. It also seems a
> > waste to set up GSSAPI and TLS and then weaken the LDAP
> > ACIs.
>
> You could use "System: Read User Addressbook Attributes" instead which
> requires an authenticated user.
>
> >
> > When I looked in the access log of the LDAP server I saw no error codes
> > as such; was /var/log/dirsrv/slapd-<domain>/access the wrong file to
> > look in?
>
> That's right but LDAP errors can be subtle.
>
> > The remaining issue is postmap returns results just fine, but postfix
> > itself somehow fails to read the LDAP alias map. I'll beat my
> > head on that for a few hours now.
> >
> > For the interested, the relevant section of main.cf is
> >
> > virtual_alias_domains = domain.org
> > virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> >
> > All of the TLS functions are working properly, the directory server
> > shows this when postfix connects:
> >
> > [03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH base="cn=users,cn=accounts,dc=domain,dc=ord" scope=2 filter="(|(mail=existing_u...@domain.org)(mailAlternateAddress=existing_u...@domain.org))" attrs="uid"
> > [03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>
> It is the err I was looking for. err=0 is good, though there are others
> that can be acceptable as well depending on context. In this case one
> user was found with the e-mail address.
>
> > It also shows a few extras. I believe I need to tighten up what postfix
> > looks for, as these are queries related to the sending email account.
> >
> > [03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH base="cn=users,cn=accounts,dc=domain,dc=org" scope=2 filter="(|(mail=<account test mail was sent from>)(mailAlternateAddress=<account test mail was sent from>))" attrs="uid"
> > [03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> > [03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2 filter="(|(mail=@<sending domain>)(mailAlternateAddress=@<sending domain>))" attrs="uid"
> > [03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>
> Hard to say without knowing your LDAP db but these could be perfectly
> normal and expected. It is searching the right subtree and the query
> format looks right, that's about all I can say :-)
>
> rob
>
> >
> > Thanks!
> > Bob
> >
> > On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Bob Rentschler via FreeIPA-users wrote:
> >     > This may be related to the issue discussed here:
> >     > https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/
> >     >
> >     > But it seems not to be, layer 8 is still open though.
> >     >
> >     > Using the instructions here
> >     > https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
> >     > to enable postfix virtual users from freeIPA I seem to have hit a
> >     > sticking point in that postfix is unable to fetch the mail attribute.
> >     >
> >     > This is the query filter I modified as per the referenced email in
> >     > the archive.
> >     >
> >     > query_filter = (&(objectclass=posixaccount)(mail=%s))
> >     >
> >     > When run from postmap it gets nothing. If I change it for testing
> >     > to search by uid or another attribute it works as expected. A simple
> >     > filter like (uid=%s) works every time.
> >     >
> >     > This ldapsearch run using the postfix server's keytab as credentials
> >     > works as well:
> >     >
> >     > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org '(&(objectclass=posixaccount)(|(mail=validu...@example.org)))'
> >     >
> >     > The FreeIPA version is 4.4.4 running on Fedora 26
> >     >
> >     > Is there something I may be overlooking here? I dove off into IPA
> >     > v4 permissions and everything *seems* ok, but it is my chief suspect
> >     > right now.
> >
> >     When postmap gets nothing, is the LDAP query correct? What is the
> >     LDAP error code?
> >
> >     The query you ran doesn't match the query_filter you posted. I
> >     mention it in case this wasn't just a typo in the e-mail.
> >
> >     rob
> >
> >
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
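Rob's point in the thread is that the err= field of the RESULT line in the 389 Directory Server access log is what to read, and that a search which is permitted but whose attribute is hidden by an ACI comes back as err=0 with nentries=0, which is easy to mistake for "no error". The following Python is an added example, not code from the thread or from FreeIPA: it pairs SRCH and RESULT lines by conn/op, names the standard LDAP result codes, and flags the cases worth a second look while treating the routine "mail=@domain" probe postfix makes for the sender domain as expected. The log lines are constructed in the format quoted above; the addresses and domains in them are invented.

```python
"""Pair SRCH/RESULT lines from a 389 Directory Server access log and triage them.

Added example (not from the thread). Log lines are constructed to match the
format quoted in the thread; addresses and domains are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in /var/log/dirsrv/slapd-<domain>/access format.
# conn=95: a recipient lookup that finds one user.
# conn=96: the "extra" lookups postfix makes for the sender address and the
#          bare sender domain (both legitimately empty).
# conn=97: a search that failed outright with a non-zero result code.
SAMPLE_LOG = """\
[03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH base="cn=users,cn=accounts,dc=example,dc=org" scope=2 filter="(|(mail=alice@example.org)(mailAlternateAddress=alice@example.org))" attrs="uid"
[03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=org" scope=2 filter="(|(mail=bob@sender.example)(mailAlternateAddress=bob@sender.example))" attrs="uid"
[03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=org" scope=2 filter="(|(mail=@sender.example)(mailAlternateAddress=@sender.example))" attrs="uid"
[03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[03/Aug/2017:10:18:33.100000000 -0400] conn=97 op=0 SRCH base="cn=users,cn=accounts,dc=example,dc=org" scope=2 filter="(mail=carol@example.org)" attrs="uid"
[03/Aug/2017:10:18:33.100500000 -0400] conn=97 op=0 RESULT err=32 tag=101 nentries=0 etime=0
"""

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" '
    r'attrs="(?P<attrs>[^"]*)"'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)'
)

# Standard LDAP resultCode names (RFC 4511) most often seen on searches.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


@dataclass
class Search:
    conn: int
    op: int
    base: str
    filter: str
    attrs: str
    err: Optional[int] = None       # filled in from the matching RESULT line
    nentries: Optional[int] = None


def parse_access_log(text: str) -> list[Search]:
    """Collect SRCH operations and attach the RESULT with the same conn/op."""
    pending: dict[tuple[int, int], Search] = {}
    searches: list[Search] = []
    for line in text.splitlines():
        m = SRCH_RE.match(line)
        if m:
            s = Search(int(m["conn"]), int(m["op"]), m["base"], m["filter"], m["attrs"])
            pending[(s.conn, s.op)] = s
            searches.append(s)
            continue
        m = RESULT_RE.match(line)
        if m:
            s = pending.pop((int(m["conn"]), int(m["op"])), None)
            if s is not None:
                s.err = int(m["err"])
                s.nentries = int(m["nentries"])
    return searches


def triage(s: Search) -> Optional[str]:
    """Return why this search deserves a look, or None if it is unremarkable."""
    if s.err is None:
        return "no RESULT logged (connection dropped or log truncated)"
    if s.err != 0:
        return f"err={s.err} ({LDAP_RESULT_CODES.get(s.err, 'unknown code')})"
    # Postfix probes the bare sender domain as "mail=@domain"; an empty answer there is routine.
    if s.nentries == 0 and "mail=" in s.filter and "mail=@" not in s.filter:
        return ("err=0 but nentries=0 for a mail lookup: either no such entry, or the bound "
                "identity lacks read access to the attribute in the filter (ACI hides it silently)")
    return None


def flagged(text: str) -> list[tuple[str, str]]:
    """(filter, reason) for every search that triage() does not wave through."""
    return [(s.filter, reason) for s in parse_access_log(text) if (reason := triage(s))]


if __name__ == "__main__":
    for flt, why in flagged(SAMPLE_LOG):
        print(f"{why}\n    {flt}")
```

Run against a real access log by passing its contents to flagged(). An err=0/nentries=0 hit for a recipient you know exists, while the same filter returns the entry under a bind that can read mail, is the signature of the ACI problem the thread describes, which is why the triage message spells both possibilities out rather than calling it an error.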