:-)First of all. The Directory structure and the config may seems a little bit strange but, in fact, there are some important historical reasons (backward compatibility, many, many years ago we started with Novell NDS and NetWare4 and so on...) for having it as described. It's worth mentioning this config has been working for many years with no problem.
The query file in some very simplified form can be expressed as: server_host = ldaps://myhosthere:636 version = 3 search_base = ou=someou,o=myorg query_filter = (mail=%s) result_attribute = cn result_format = %s bind = no dereference = 3This query definition makes no sense, because in all the LDAP schemas I'm familiar with, the "cn" attribute is just a free-form name (like "John Smith", and is NOT an email address. Things that are more like an email address are: - mail (canonical email address, single-valued) - maildrop (alias target, can be multi-valued) - mailRoutingAddress (ditto under another name) - uid (login name without domain suffix, single-valued) with Microsoft Exchange, the lookup key is generally matched against: - proxyAddresses (input address with "smtp:" as a prefix) In Microsoft exchange only "contact" objects have built-in email-address-valued destination (RHS) addresses other than the primary address. However many sites add custom attributes for these, e.g. "mailRoutingAddress" is somewhat popular. Or you can use the AD analogue of "uid" which is "sAMAccountName", which is then domain-qualified explicitly in the result format, or implicitly with "$myorigin".
In our case (I'm a client for LDAP; I'm not administering it) it is not: `cn' acts as a username. `mail' is a multi-value entry. For canonicals there is another one. Honestly:
query_filter = (mail=%s)is a simplified form. In fact there are some ANDs and ORs but I decided to skip it here for better clarity.
The intended behavior is as follows: If there is an e-mail to: something.h...@mydoman.tldWhich you'd match against "mail", though typically a multi-input lookup key is more appropriate, allowing the same mailbox to be reachable via more than one address. Though of course one can also create "alias" objects in LDAP with "mail" as the LHS key, and "maildrop" (or similar) as the result attribute value.
As I wrote in our schema `mail' is a multi-value
The problem is: If the 'mail' field of a user 'smithj' (there is such a user) is NOT set to 'smi...@mydoman.tld' I don't want e-mails to 'smi...@mydoman.tld' to be delivered to this user. I'm afraid they are :-(Well, user "smithj" would in many an LDAP schema have "uid: smithj", allowing you to write: query_filter = (&(mail=%s)(uid=%u)) if that's what you're looking for. Of course you then still have the problem that your result attribute is quite wrong, it should probably be "mail", based on the description so far.
Whatever you think about this schema: I have no control over it, I'm a client to it.
`cn' is a username `mail' is a multi-value field.The problem is: why for local senders if an LDAP query fails it delivers based on user name.
Best regards, Marek
smime.p7s
Description: S/MIME Cryptographic Signature
