On Wed, Apr 02, 2003 at 01:36:43PM +0200, Kristof Bajnok wrote:
> Hi,
>
> is there an easy way to tell qmail-ldap NOT to use the standard 'mail'
> attribute when searching?
> Our ldap directory has to work as a public phone (or address) book, and in
> this case, the mail attribute is an informal one, i.e. it means "This is the
> address I'd like to be contacted at". That address may be at some other
> provider, and must be able to be changed by the user, and therefore it
> doesn't necessarily contain the truth.
> As far as I know, qmail uses mailAlternateAddress and mail attributes to
> search for the ldap entry, which contains the needed information to proceed.
> It bounces the message when it gets more than one result. If this is true, a
> malicious user (think of a student :) can acquire any number of addresses, or
> can prevent an ordinary user from receiving his/her mail.
> My idea is to keep the standard mail attribute (which can be found in standard
> object classes, like inetOrgPerson) be an informal one (writeable by the user
> himself/herself), and another attribute, for simplicity mailAlternateAddress a formal
> one, which is used by qmail (and not by the search engine), and which can
> only be modified by the administrator.
>
> The easiest would be to change the LDAP_MAIL constant in qmail-ldap.h to
> 'mailAlternateAddress', but I'm not sure whether it breaks something. Of
> course, schema has to be corrected in this case, while mail is no longer a
> required attribute.
>
> Any comments on this?
>
The resulting search string is in your case:

(|(mailAlternateAddress=$MAIL)(mailAlternateAddress=$MAIL))

AFAIK this should not affect the search but may or may not reduce speed.
You could edit the filter generation in qmail-lspawn.c but this is a bit
tricky without knowledge of C.

--
:wq Claudio
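The concern raised in this thread, modelled as an added example that is not part of the original messages or of qmail-ldap's code: an OR filter over a user-writable `mail` attribute lets one entry collide with another's address, while a filter restricted to the admin-controlled attribute does not, and the same data can be audited for such collisions. The entries, the function names and the "more than one match bounces" rule (taken from the question's own "as far as I know") are assumptions.

```python
# Constructed sample entries (not from the thread). "mail" is user-writable,
# "mailAlternateAddress" is assumed to be writable only by the administrator.
ENTRIES = [
    {"uid": "alice", "mail": ["alice@example.org"],
     "mailAlternateAddress": ["alice@example.org"]},
    # bob has pointed his self-service "mail" value at alice's address
    {"uid": "bob", "mail": ["alice@example.org"],
     "mailAlternateAddress": ["bob@example.org"]},
    {"uid": "carol", "mail": ["carol@other-provider.example"],
     "mailAlternateAddress": ["carol@example.org"]},
]

def search(entries, address, attrs):
    """Model the OR filter (|(attr1=address)(attr2=address)...)."""
    wanted = address.lower()
    return [e["uid"] for e in entries
            if any(v.lower() == wanted for a in attrs for v in e.get(a, []))]

def route(entries, address, attrs):
    """Deliver only on exactly one match; anything else bounces (assumed)."""
    hits = search(entries, address, attrs)
    if len(hits) == 1:
        return ("deliver", hits[0])
    return ("bounce", "no match" if not hits else "ambiguous: " + ",".join(hits))

def conflicting_claims(entries, attrs):
    """Audit: every address that more than one entry matches on attrs."""
    claims = {}
    for e in entries:
        for addr in {v.lower() for a in attrs for v in e.get(a, [])}:
            claims.setdefault(addr, set()).add(e["uid"])
    return {a: sorted(u) for a, u in claims.items() if len(u) > 1}

if __name__ == "__main__":
    both = ("mail", "mailAlternateAddress")
    formal = ("mailAlternateAddress",)
    for attrs in (both, formal):
        print(attrs, route(ENTRIES, "alice@example.org", attrs),
              conflicting_claims(ENTRIES, attrs))
```

Running `conflicting_claims` over an export of the real directory before and after changing the search attribute shows which addresses are currently matched by more than one entry.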
