I'm still banging my head against the wall trying to make nested LDAP queries work (in AD).
Some examples: given a group name, getting the group DN: > ${lookup ldap > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=s...@fvg.lnf.it))}} CN=sir,,OU=Users,,OU=FVG,,DC=ad,,DC=fvg,,DC=lnf,,DC=it > ${sg {${lookup ldap > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=s...@fvg.lnf.it))}}} > {,,} {,}} CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it But if I try to query users with that result: > ${lookup ldapm > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf=${sg > {${lookup ldap > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=s...@fvg.lnf.it))}}} > {,,} {,}}))}} Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it))" OK, I supposed it was a quoting problem: > ${quote_ldap:${sg {${lookup ldap > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=s...@fvg.lnf.it))}}} > {,,} {,}}} CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit > ${lookup ldapm > 
{user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf=${quote_ldap:${sg > {${lookup ldap > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=s...@fvg.lnf.it))}}} > {,,} {,}}}))}} Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))" Narrowing the problem down led me to conclude that a query with a DN does not seem to work: > ${lookup ldapm > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf="CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))}} Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf="CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf="CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))" > ${lookup ldapm > {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} > pass="nontelado" > 
ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf=${quote_ldap:CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}))}} Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))" But doing the same LDAP query by other means, e.g. ldapsearch: root@vdmsv1:/etc/exim4# ldapsearch -x -LLL -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -w "nontelado" -H ldaps://vdcsv1.ad.fvg.lnf.it -b OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it "(&(objectClass=user)(memberOf=CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it))" uid dn: CN=amaronese,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it uid: amaronese dn: CN=gaio,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it uid: gaio works as expected. What am I missing?! Thanks. -- E quindi vado avanti e non mi svesto, dei panni che son solito portare (F. Guccini) -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/