What it looks like to me (just a guess) is that qmail-group is dereferencing the uidMember attribute because it is populated with a complete DN. According to our in-house LDAP expert, this is a bug on the client side (qmail-group), as the schema definition for the uidMember attribute should not allow full DNs as attribute values.

Why not use dnmember?

Example:
dnmember: uid=joe,ou=example,o=qmail-ldap,c=CH

From /var/qmail/doc/QLDAPGROUP:

dnmember:
filtermember:
rfc822member:
  Members of the group are specified by these attributes. It is possible to
  specify a member by a LDAP distinguished name, a LDAP filter definition or by
  a rfc822 email address.
  Example:
    dnmember: uid=joe,ou=example,o=qmail-ldap,c=CH
    filtermember: ((objectclass=qmailUser)(employeeType=accountant))
    rfc822member: [EMAIL PROTECTED]

That should work for your purposes.

On Thu, Jun 12, 2008 at 11:09 AM, Daniel Wedewardt <[EMAIL PROTECTED]> wrote:

> Hello @all,
>
> Thanks for your replies, but the problem still exists.
>
> In short: We want to make use of the field memberUid,
> which is not part of the qmail schema. Apparently, we
> only can use a full DN as value in this field.
> But for other purposes, the field only works with a "uid".
>
> We don't want to use the field rfc822member in the groups,
> because this contains the email addresses themselves (which
> is harder to maintain).
>
> Is it possible to solve this issue?
>
> Details:
>
> We are using qmail-ldap-1.03-20060201 in a productive
> environment.
> The group entry testgroup is also member of posixGroup:
>
> $ ldapsearch -xW -b .... uid=testgroup
>
> dn: cn=testgroup,ou=Groups,dc=....
> objectClass: top
> objectClass: qmailUser
> objectClass: qmailGroup
> objectClass: posixGroup
> cn: testgroup
> uid: testgroup
> qmailGID: 999
> qmailUID: 999
> gidNumber: 1111
> mailMessageStore: /var/spool/mail/testgroup
> mail: [EMAIL PROTECTED]
> mailAlternateAddress: [EMAIL PROTECTED]
> memberUid: uid=mein.name,ou=systemuser,ou=People,dc=....
>
>
> that is, memberUid is not in the qmail schema. Interestingly qmail-group
> can resolve this anyway, if the field contains a full DN.
> Here the slapd log when a mail is delivered:
>
> testgroup is searched:
>
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31944 op=1 SRCH
>   base="dc=native-instruments,dc=de" scope=2 deref=0
>   filter="(|([EMAIL PROTECTED])(mailAlternateAddress=[EMAIL PROTECTED]))"
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31944 op=1 SRCH attr=uid
>   qmailUID qmailGID accountStatus mailHost mailMessageStore
>   nohomeDirectory mailQuotaSize mailQuotaCount mailForwardingAddress
>   deliveryProgramPath deliveryMode mailReplyText qmailDotMode
>   mailSizeMax objectClass
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31944 op=1 SEARCH RESULT
>   tag=101 err=0 nentries=1 text=
>
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31945 op=1 SRCH
>   base="cn=testgroup,ou=Groups,dc=native-instruments,dc=de"
>   scope=0 deref=0 filter="(objectClass=*)"
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31945 op=1 SRCH
>   attr=senderconfirm membersonly confirmtext moderatortext
>   dnmoderator rfc822moderator memberUid rfc822member
>   filtermember dnsender rfc822sender filtersender bounceadmin
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31945 op=1 SEARCH RESULT
>   tag=101 err=0 nentries=1 text=
>
> it currently contains one entry, mein.name:
>
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31947 op=1 SRCH
>   base="uid=mein.name,ou=systemuser,ou=People,dc=native-instruments,dc=de"
>   scope=0 deref=0 filter="(objectClass=*)"
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31947 op=1 SRCH attr=mail
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31947 op=1 SEARCH RESULT
>   tag=101 err=0 nentries=1 text=
>
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31948 op=1 SRCH
>   base="dc=native-instruments,dc=de" scope=2 deref=0
>   filter="(|([EMAIL PROTECTED])(mailAlternateAddress=[EMAIL PROTECTED]))"
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31948 op=1 SRCH attr=uid
>   qmailUID qmailGID accountStatus mailHost mailMessageStore
>   nohomeDirectory mailQuotaSize mailQuotaCount mailForwardingAddress
>   deliveryProgramPath deliveryMode mailReplyText qmailDotMode
>   mailSizeMax objectClass
> Jun 11 17:20:12 maildir01 slapd[28907]: conn=31948 op=1 SEARCH RESULT
>   tag=101 err=0 nentries=1 text=
>
>
> It might be working by coincidence, because the memberUid is used as base?
> qmail-ldaplookup doesn't help when debugging, because it seems to ignore
> memberUid completely.
>
> Now - if memberUid is changed from
> uid=mein.name,ou=systemuser,ou=People,dc=....
> to uid=mein.name, the result is empty (because this uid was not used as
> filter?)
>
>
> Jun 11 17:24:45 maildir01 slapd[28907]: conn=32152 op=1 SRCH
>   base="uid=mein.name" scope=0 deref=0 filter="(objectClass=*)"
> Jun 11 17:24:45 maildir01 slapd[28907]: conn=32152 op=1 SRCH attr=mail
> Jun 11 17:24:45 maildir01 slapd[28907]: conn=32152 op=1 SEARCH RESULT
>   tag=101 err=32 nentries=0 text=
> Jun 11 17:24:45 maildir01 slapd[28907]: conn=32152 op=2 UNBIND
>
> If filtermember is set, this is used in a separate search and not combined
> in an appropriate way.
> (and this yields all qmailUsers)
>
> slapd log:
>
> Jun 11 17:46:12 maildir01 slapd[28907]: conn=33181 op=1 SRCH
>   base="uid=mein.name" scope=0 deref=0 filter="(objectClass=*)"
> Jun 11 17:46:12 maildir01 slapd[28907]: conn=33181 op=1 SRCH attr=mail
> Jun 11 17:46:12 maildir01 slapd[28907]: conn=33181 op=1 SEARCH RESULT
>   tag=101 err=32 nentries=0 text=
>
> Jun 11 17:46:12 maildir01 slapd[28907]: conn=33181 op=2 SRCH
>   base="dc=native-instruments,dc=de" scope=2 deref=0
>   filter="(&(objectClass=qmailUser)(uid=*))"
> Jun 11 17:46:12 maildir01 slapd[28907]: conn=33181 op=2 SRCH attr=mail
> Jun 11 17:46:12 maildir01 slapd[28907]: conn=33181 op=2 SEARCH RESULT
>   tag=101 err=0 nentries=1415 text=
>
> for the sake of completeness: no more lookups occur,
> that is, qmail doesn't deliver to mein.name:
>
> 2008-06-11 17:46:12.189839500 starting delivery 462611: msg 234883259 to
>   local [EMAIL PROTECTED]
> 2008-06-11 17:46:12.189846500 status: local 1/100 remote 0/100
> 2008-06-11 17:46:12.284352500 delivery 462611: deferral:
>   qmail-group:_fatal:_expand_group_attr:_filtermember:_too_many_objects/
> 2008-06-11 17:46:12.284360500 status: local 0/100 remote 0/100
>
> Best
>
>
> Daniel
>
>

--
Scott Ryan
******************************************************
Cheap memory cards - SD / Memory Stick Pro / MicroSD / USB pen drives / XD cards
From SA's leading online memory card store:
www.bitsandchips.co.za
*****************************************************
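
An added example, not part of the original thread and not qmail-ldap code: a small audit that pairs each slapd `SRCH` line with its `SEARCH RESULT` and flags the two symptoms seen in the quoted log, a base-scope lookup that fails with err=32 and a subtree search that returns a very large result set. The sample lines are constructed (DNs under `dc=example,dc=org`), and the `max_entries` threshold is a hypothetical review limit, not a qmail-ldap setting.

```python
import re

# slapd stats-level log lines, in the format shown in the thread.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) '
                  r'deref=\d filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ '
                    r'err=(\d+) nentries=(\d+)')
NO_SUCH_OBJECT = 32  # LDAP result code noSuchObject

def audit(lines, max_entries=100):
    """Pair each SRCH with its SEARCH RESULT; return (kind, detail, nentries).

    max_entries is a hypothetical review threshold, not a qmail-ldap setting.
    """
    pending, findings = {}, []
    for line in lines:
        m = SRCH.search(line)
        if m:  # "SRCH attr=..." lines do not match and are skipped
            pending[(m[1], m[2])] = (m[3], int(m[4]), m[5])
            continue
        m = RESULT.search(line)
        if not m or (m[1], m[2]) not in pending:
            continue
        base, scope, flt = pending.pop((m[1], m[2]))
        err, n = int(m[3]), int(m[4])
        if scope == 0 and err == NO_SUCH_OBJECT:
            # A member value used as a search base did not name an entry.
            findings.append(("unresolvable-base", base, n))
        elif scope == 2 and err == 0 and n > max_entries:
            # A subtree search (e.g. a filtermember) matched very many entries.
            findings.append(("broad-subtree", flt, n))
    return findings

# Constructed sample modelled on the thread's log; DNs use example.org.
P = "Jun 11 17:46:12 mail slapd[100]: "
SAMPLE = [
    P + 'conn=1 op=1 SRCH base="uid=a.user,ou=People,dc=example,dc=org" scope=0 deref=0 filter="(objectClass=*)"',
    P + 'conn=1 op=1 SRCH attr=mail',
    P + 'conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    P + 'conn=2 op=1 SRCH base="uid=a.user" scope=0 deref=0 filter="(objectClass=*)"',
    P + 'conn=2 op=1 SRCH attr=mail',
    P + 'conn=2 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=',
    P + 'conn=2 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=qmailUser)(uid=*))"',
    P + 'conn=2 op=2 SRCH attr=mail',
    P + 'conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1415 text=',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```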
