is there an easy way to tell qmail-ldap NOT to use the standard 'mail'
attribute when searching?
Our ldap directory has to work as a public phone (or address) book, and in
this case, the mail attribute is an informal one, i.e. it means "This is the
address I'd like to be contacted". That address may be at some other
provider, and must be able to be changed by the user, and therefore it
doesn't necessarily contain the truth.
As far as I know, qmail uses mailAlternateAddress and mail attributes to
search for the ldap entry, which contains the needed information to proceed.
It bounces the message when it gets more than one result. If this is true, a
malicious user (think of a student :) can acquire any number of addresses, or
can prevent an ordinary user from receiving his/her mail.
My idea is to keep the standard mail attribute (which can be found in standard
object classes, like inetOrgPerson) as an informal one (writable by the user
themselves), and another attribute, for simplicity mailAlternateAddress, as a formal
one, which is used by qmail (and not by the search engine), and which can
only be modified by the administrator.
The easiest would be to change the LDAP_MAIL constant in qmail-ldap.h to 'mailAlternateAddress', but I'm not sure whether it breaks something. Of course, the schema has to be corrected in this case, as mail is no longer a required attribute.
Any comments on this?
This is an old issue that was discussed on the LASER list a couple of years ago. (Some comments suggest that the inability to agree on this issue was the reason LASER died off...)
See this thread: http://playground.sun.com/laser/0083.html
Personally I agree with those who think that the use of the 'mail' attribute by MTAs is a bad idea.
Bob Morgan sums up the arguments quite well:
<http://playground.sun.com/laser/0090.html>
'mail' is originally an informal white pages type attribute and MTAs using it leads to problems in situations where you also use it for its original purpose, such as your example.
Using mailAlternateAddress might help you out in your situation, but it is not a general solution, since mailAlternateAddress is usually expected to be used for another specific need - mail aliases.
Combining searches for the mail attribute with objectclass searches also works as a solution in some cases, but not all.
I think that it might be worth considering (optionally) using a different attribute for qmail-ldap address lookups.
Something like the mailLocalAddress suggested in the Laser discussions and (now expired...) drafts:
http://www.alternic.org/drafts/drafts-l-m/draft-lachman-laser-ldap-mail-routing-02.html
Patrik
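The failure mode from the original question (a user-writable 'mail' attribute colliding with another entry, so the MTA sees two results and bounces) and the fix Patrik suggests (look up an admin-controlled attribute such as mailLocalAddress instead) can be simulated against a constructed in-memory directory. This is an added example, not qmail-ldap's own code; the directory entries, the lookup() helper and the bounce messages are all assumed for illustration.

```python
"""Constructed simulation of qmail-ldap style address lookups (not qmail-ldap code).
Shows how a user-writable 'mail' attribute lets one entry shadow or claim
addresses, and how restricting delivery lookups to an admin-controlled
attribute removes the ambiguity."""

# Constructed sample directory: 'mail' is user-editable (white pages contact
# address); 'mailLocalAddress' (name from the expired LASER draft) is assumed
# here to be writable only by the administrator.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "mail": ["alice@example.org"],
     "mailAlternateAddress": ["a.smith@example.org"],
     "mailLocalAddress": ["alice@example.org"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "mail": ["bob@freemail.example"],   # contact address at another provider
     "mailAlternateAddress": [],
     "mailLocalAddress": ["bob@example.org"]},
    {"dn": "uid=mallory,ou=people,dc=example,dc=org",
     # a "student" entry whose self-edited 'mail' duplicates a colleague's
     # address and also claims an address nobody has been assigned
     "mail": ["alice@example.org", "unused.name@example.org"],
     "mailAlternateAddress": [],
     "mailLocalAddress": ["mallory@example.org"]},
]


def lookup(address, attrs):
    """Return ('deliver', dn) when exactly one entry matches the address in any
    of the given attributes, otherwise ('bounce', reason); this mirrors the rule
    in the question that more than one result makes the message bounce."""
    addr = address.lower()
    hits = [e["dn"] for e in DIRECTORY
            if any(v.lower() == addr for a in attrs for v in e.get(a, []))]
    if len(hits) == 1:
        return ("deliver", hits[0])
    if not hits:
        return ("bounce", "no such user")
    return ("bounce", "ambiguous: %d entries match" % len(hits))


STANDARD = ("mail", "mailAlternateAddress")  # attributes the question says qmail-ldap uses
FORMAL = ("mailLocalAddress",)               # admin-controlled attribute only

if __name__ == "__main__":
    for addr in ("alice@example.org", "unused.name@example.org", "bob@example.org"):
        print(addr, "standard:", lookup(addr, STANDARD), "formal:", lookup(addr, FORMAL))
```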
