On 25 Jan 2005, [EMAIL PROTECTED] wrote:

> On Tue, Jan 25, 2005 at 10:51:08AM -0500, Ted Zlatanov wrote:
>> On 24 Jan 2005, [EMAIL PROTECTED] wrote:
>>
>>> Openldap schema checking may not prevent creation of duplicate addresses as
>>> mailalternateaddress, but it should not be done. It is an error in the ldap
>>> tree. Perhaps the lookup utility should break with a proper warning instead
>>> of going with unpredictable result of returning just one of the two entries.
>>> (Mine returns both entries.)
>>
>> Agreed. Claudio, do you also think this is a bug in the lookup?
>
> qmail-ldaplookup should always return all entries matched. So if only one
> is found it looks like a bug. Could you run it with -d 255 for more
> verbosity in qmail-ldaplookup (needs to be compiled with DEBUG).
I can't do the recompile right now, but here's how you can duplicate what I
did. This may be a bug in OpenLDAP, by the way. I don't know.

1) add address [EMAIL PROTECTED] to mailAlternateAddress TWICE (user A)
2) add [EMAIL PROTECTED] to user B
3) delete one of the two [EMAIL PROTECTED] addresses from user A

Before 1, before 2, and before 3 qmail-ldaplookup behaved normally. After 3,
I only got one address.

Here's the relevant info from LDAP:

dn: uid=splsec,ou=People,dc=bwh.harvard,dc=edu
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]

dn: uid=spltest,ou=People,dc=bwh.harvard,dc=edu
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]

And qmail-ldaplookup (no DEBUG, unfortunately):

qmail-ldaplookup -d 255 -m [EMAIL PROTECTED]
Searching ldap for: (|([EMAIL PROTECTED])([EMAIL PROTECTED])) under dn: dc=bwh.harvard,dc=edu
Found 1 entry:
dn: uid=splsec,ou=People,dc=bwh.harvard,dc=edu

> This is a major drawback of LDAP. It is not possible to have unique
> fields whereas SQL can do that on the DB level. qmail-ldap is
> unable to handle mails that are matched against multiple entries and
> gives up. IMO the administration toolkit should check that a
> mailaddress is not used twice. Btw having two different users with
> the same address is normally considered bad and that's why we don't
> have a hackish workaround for this scenario.

I agree, I don't give my users edit access to mailAlternateAddress, but I can
imagine a site that does. It's more of a security concern than a design fault,
IMO.
I also agree that duplicate mailAlternateAddress entries are bad, but I like
to assume we have users that are ignorant or malicious (in addition to the
"good" users) and design accordingly :)

> Hmm. Yep I think we need to adjust the docu a bit.

Wonderful!

Ted
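An added example, not part of this thread or of qmail-ldap: the kind of check the "administration toolkit" remark above asks for, scanning an LDIF export for a mail or mailAlternateAddress value that occurs more than once, whether repeated inside one entry or shared between entries. The LDIF sample and the function names are constructed for this example.

```python
# Added example (not qmail-ldap code): flag addresses that occur more than once
# in an LDIF export, repeated inside one entry or shared by several entries.
from collections import defaultdict
# Constructed sample mirroring the thread: one alias is listed twice under
# user A and once more (different case) under user B.
SAMPLE_LDIF = """\
dn: uid=usera,ou=People,dc=example,dc=org
mail: usera@example.org
mailAlternateAddress: shared@example.org
mailAlternateAddress: shared@example.org
mailAlternateAddress: only-a@example.org

dn: uid=userb,ou=People,dc=example,dc=org
mailAlternateAddress: Shared@example.org
"""

ADDRESS_ATTRS = ("mail", "mailalternateaddress")  # compared case-insensitively

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]; base64 ('::') values not decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # folded line continues previous
            unfolded[-1] += line[1:]
        elif not line.startswith("#"):          # skip LDIF comments
            unfolded.append(line)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in unfolded + [""]:                # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries

def find_duplicate_addresses(ldif_text):
    """Address -> DNs carrying it, one DN per occurrence; only multi-occurrence ones."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        for attr in ADDRESS_ATTRS:
            for value in attrs.get(attr, []):
                owners[value.lower()].append(dn)
    return {addr: dns for addr, dns in owners.items() if len(dns) > 1}
```

Run against a real `ldapsearch -LLL` export, a non-empty result is exactly the set of addresses for which qmail-ldaplookup's single-match assumption no longer holds.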
