--On Wednesday, September 25, 2013 12:21 AM +0000 Viktor Dukhovni
<[email protected]> wrote:
> If anyone is using LDAP for virtual hosting with a separate search
> base for each hosted domain using domain component RDNs, please
> reply on list whether the feature below is useful, and whether you
> tested the code and found that it works for you (once a handful of
> people respond that this is useful, that'll be enough, you can
> test with a custom-built "postmap" binary if you like, without
> upgrading Postfix).
>
> Limitation: Because this expansion applies only to user@address
> queries, it cannot be used to define the set of domains in
> virtual_mailbox_domains or virtual_alias_domains. Rather it can
> only be used to define the valid mailboxes. To avoid confusion
> with partial lookup keys (bare user names) we'd need a different
> %<c> substitution to extract an RDN sequence from the full query.
>
> How would users with virtual hosting LDAP schemas like to designate
> the set of virtual domains (is there a common-practice LDAP query
> that given a domain as input will return a result if the domain is
> a hosted virtual domain when managing each domain in a separate
> subtree)?

Hi Viktor,

Well, I can only speak to what Zimbra does. ;) As you guess, all of our
domains are in subtrees, so right now we use a search base of "". So it
certainly seems to me like your patch would allow the LDAP queries to be
more restrictive as far as search results go, which could be quite useful.

I'll have our QA team test out the patch. It would have to vary by map,
because sometimes we need the search base outside of people:

As one example, for transport_maps, we currently do:

search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraDomainName=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailTransport

which we could then modify to:

search_base = %
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraDomainName=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailTransport

Note that I limit it to the domain, rather than ou=people, <domain> because
of things like this:

dn: dc=liquidsys,dc=com
zimbraMailCatchAllAddress: @liquidsys.com
zimbraMailCatchAllForwardingAddress: @zimbra.com

I.e., if someone sends mail to [email protected], we have it redirected
to [email protected]

But for virtual_mailbox_maps, we could definitely limit it down to
ou=people, etc:

search_base = ou=people, %
query_filter = (&(zimbraMailDeliveryAddress=%s)(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress

On the virtual domain question, Zimbra has an attribute it uses to track
alias & local domains (zimbraDomainType):

For virtual_alias_domains, we do:

search_base =
query_filter = (&(zimbraDomainName=%s)(zimbraDomainType=alias)(zimbraMailStatus=enabled))
result_attribute = zimbraDomainName

For virtual_mailbox_domains, we do:

search_base =
query_filter = (&(zimbraDomainName=%s)(zimbraDomainType=local)(zimbraMailStatus=enabled))
result_attribute = zimbraDomainName

--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
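
The mapping discussed in this thread, from a full user@domain lookup key to a per-domain search base made of domain component RDNs, as an added Python example; it is not Postfix's or Zimbra's code and not the patch under discussion. The function names are hypothetical, the sample address is constructed, and the label validation plus RFC 4514/4515 escaping are assumptions about how to build the base and filter from an untrusted recipient address.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
_DN_SPECIAL = set(',+"\\<>;=\x00')   # characters RFC 4514 requires escaping


def escape_dn_value(value):
    """Escape one RDN attribute value (RFC 4514), using hex-pair escapes."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        edge = (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\%02x" % ord(ch) if ch in _DN_SPECIAL or edge else ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def search_base_for(address, prefix=""):
    """Map user@domain to 'dc=...,dc=...'; None for partial or odd keys."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None   # bare user name or bare domain: no per-domain base
    labels = domain.lower().rstrip(".").split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None   # refuse rather than emit a base the sender controls
    base = ",".join("dc=" + escape_dn_value(label) for label in labels)
    return prefix + "," + base if prefix else base


def mailbox_query(address):
    """Base and filter for a virtual_mailbox_maps-style lookup, or None."""
    base = search_base_for(address, prefix="ou=people")
    if base is None:
        return None
    filt = ("(&(zimbraMailDeliveryAddress=%s)(zimbraMailStatus=enabled))"
            % escape_filter_value(address))
    return base, filt


if __name__ == "__main__":
    print(mailbox_query("user@liquidsys.com"))   # constructed sample address
```

Rejecting a key outright keeps a crafted domain part from widening the search to another customer's subtree, which is the restriction the per-domain base is meant to provide.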