On Mon, Oct 10, 2011 at 12:37:02PM +1030, Tom Lanyon wrote:
> > When using a LDAP lookup table the 'special_result_attribute'
> > parameter is available to allow me to recurse to other DNs [e.g.
> > recursing to members of a LDAP group]. I can also use the
> > 'leaf_result_attribute' parameter to select the attribute I want
> > to return from those recursive DN lookups, but I can't find a way
> > to filter that recursive lookup to avoid returning
> >
> > As an example, I have a group with a bunch of members, but a
> > few of those members' objects are marked as 'disabled'. I'd like
> > to recurse through the group's member DNs to find their 'mail'
> > attribute, but only for members who don't have the 'disabled'
> > attribute set to true [e.g. apply a filter of "(!(disabled=true))"].
> >
> > Is it possible to apply such a filter on the recursive DN search?
>
> This is fine, and recurses on the memberdn attributes to find
> the mail attributes for the listed users, but we need a way to
> filter that recursion with a (!(accountLock=true)) filter so that
> even though bob is a group member, his account is disabled so his
> address shouldn't be expanded...
Postfix does not have any support for filtering the entries expanded
via special_result_attribute DN values. This is semantically questionable;
in any case, such member objects are supposed to be no less part of the
group than a string-valued multi-valued "memberaddress" list.
To get more complex behaviour, either use ldap_uri valued groups (dynamic
groups) or use a target attribute (say "maildrop") that is absent in
disabled objects:
enabled user:

    mail: [email protected]
    mailalternateaddress: [email protected]
    mailalternateaddress: [email protected]
    maildrop: [email protected]

disabled user:

    mail: [email protected]
    mailalternateaddress: [email protected]
    mailalternateaddress: [email protected]

Postfix group table:

    query_filter = mail=%s
    special_result_attribute = memberdn
    terminal_result_attribute = maildrop
--
Viktor.
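An added illustration of the approach in Viktor's reply (not code from the thread or from Postfix): a small model of ldap_table(5) group expansion with special_result_attribute and terminal_result_attribute, run over a constructed in-memory directory. The DNs, addresses and the "accountLock" marker on the disabled user are made up; the recursion_limit value and the exact expansion order are my assumptions about how Postfix behaves, not a statement of its implementation.

```python
"""Model of Postfix ldap_table group expansion: a member DN is expanded only
if it carries the terminal result attribute (maildrop). The disabled user has
no maildrop, so its address never appears, with no filter needed."""
from typing import Dict, List, Set

# Constructed sample directory: DN -> multi-valued attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "mail": ["staff@example.com"],
        "memberdn": ["uid=alice,ou=people,dc=example,dc=com",
                     "uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {   # enabled user
        "mail": ["alice@example.com"],
        "mailalternateaddress": ["a.smith@example.com"],
        "maildrop": ["alice@mailhost.example.com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {     # disabled user: no maildrop
        "mail": ["bob@example.com"],
        "mailalternateaddress": ["b.jones@example.com"],
        "accountLock": ["true"],                 # constructed marker, never consulted
    },
}

# Settings from the message; result_attribute is the ldap_table default and
# recursion_limit is an assumed value for this model.
CONFIG = {"query_attribute": "mail", "special_result_attribute": "memberdn",
          "terminal_result_attribute": "maildrop",
          "result_attribute": "maildrop", "recursion_limit": 10}

def expand_entry(attrs: Dict[str, List[str]], cfg: dict,
                 depth: int, seen: Set[str]) -> List[str]:
    """Return addresses for one entry, recursing into its member DNs."""
    terminal = attrs.get(cfg["terminal_result_attribute"])
    if terminal:                  # terminal attribute wins; nothing else is used
        return list(terminal)
    if depth >= cfg["recursion_limit"]:
        raise RecursionError("ldap_table recursion_limit exceeded")
    out = list(attrs.get(cfg["result_attribute"], []))
    for dn in attrs.get(cfg["special_result_attribute"], []):
        if dn in seen or dn not in DIRECTORY:    # loop guard / dangling DN
            continue
        seen.add(dn)
        out.extend(expand_entry(DIRECTORY[dn], cfg, depth + 1, seen))
    return out

def lookup(address: str, cfg: dict = CONFIG) -> List[str]:
    """Equivalent of query_filter = mail=%s followed by group expansion."""
    out: List[str] = []
    for dn, attrs in DIRECTORY.items():
        if address in attrs.get(cfg["query_attribute"], []):
            out.extend(expand_entry(attrs, cfg, 0, {dn}))
    return out
```

Looking up the group address returns only Alice's maildrop; looking up Bob directly returns nothing, because his entry has neither a terminal attribute nor a result attribute.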