On Tue, Jan 25, 2005 at 10:51:08AM -0500, Ted Zlatanov wrote:
> On 24 Jan 2005, [EMAIL PROTECTED] wrote:
>
> > Openldap schema checking may not prevent creation of duplicate addresses as
> > mailalternateaddress, but it should not be done. It is an error in the ldap
> > tree. Perhaps the lookup utility should break with a proper warning instead
> > of going with an unpredictable result of returning just one of the two
> > entries. (Mine returns both entries.)
>
> Agreed. Claudio, do you also think this is a bug in the lookup?
>

qmail-ldaplookup should always return all entries matched. So if only one is
found it looks like a bug. Could you run it with -d 255 for more verbosity in
qmail-ldaplookup (needs to be compiled with DEBUG).

> > Anyway... Both qmail-send and qmail-verify recognize that more than one
> > result for a mail address lookup is an error and they will not deliver to
> > either recipient. I added duplicate [EMAIL PROTECTED] mailalternate
> > addresses and here is what I got.
>
> Great. Should your patch also guard against this possibility, though?
> That was my original concern. Someone malicious could set their
> mailAlternateAddress and break someone else's login in your system.
>

This is a major drawback of LDAP. It is not possible to have unique fields,
whereas SQL can do that on the DB level. qmail-ldap is unable to handle mails
that are matched against multiple entries and gives up. IMO the administration
toolkit should check that a mail address is not used twice. Btw, having two
different users with the same address is normally considered bad and that's
why we don't have a hackish workaround for this scenario.

> In the current qmail-ldap, this apparently also disables mail
> delivery. Perhaps the docs should have a note about this, so users
> are not given access to editing of mailAlternateAddress. I was not
> aware of this until now - maybe others are not, either.
>

Hmm. Yep, I think we need to adjust the docu a bit.

--
:wq Claudio
