LDAP multiple values attributes filter

emailldapopenldappostfix

Can't find same question, but I think it's regular issue. I have LDAP user:

dn: uid=alise,ou=peoples,dc=acme,dc=com
objectClass: inetOrgPerson
objectClass: top
cn: alise
sn: alise
uid: alise
userPassword: {SCHEME}password
mail: alise@domain1.tld
mail: alise@domain2.tld
mailAlias: bill@domain1.tld
mailAlias: bill@domain2.tld

I need to return mail attribute, but filtered by domain. For example if I search:

ldapsearch -xLLL -b ou=peoples,dc=withsound,dc=ru '(mailAlias=bill@domain1.tld)' mail

I get:

dn: uid=alise,ou=peoples,dc=acme,dc=com
mail: alise@domain1.tld
mail: alise@domain2.tld

But I need something like:

ldapsearch -xLLL -b ou=peoples,dc=withsound,dc=ru '(mailAlias=bill@domain1.tld)' mail=*domain1.tld


dn: uid=alise,ou=peoples,dc=acme,dc=com
mail: alise@domain1.tld

I can't simply use | grep domain1.tld cause I use LDAP search in Postfix

I really don't want to separate user and make only one email field…

Best Answer

A search term like this should help:

(&(mailAlias=bill@domain1.tld)(mail=*domain1.tld))

LDAP search terms get combined like this:

(Operator(filter)(filter)(filter)...)

with Operator being & (AND), | (OR) and ! (NOT).

Related Solutions

Ldap – Make Postfix search LDAP group members by UID instead of DN

Your ldap config is wrong. Please use:

server_host = 127.0.0.1
version = 3
bind = no
query_filter = (&(objectClass=posixGroup)(maildrop=%s))
result_attribute = memberUid, mail

You can't use "bind = yes" here - this can't work. No group can/should bind (authenticate).

Ldap – How to configure LDAP in ApacheDS to use uid for authentication

With that particular object, it's unlikely that you can. LDAP is looking for you to bind with the distinguished name (DN) of the object, and the primary attribute in this case is cn. This is a deliberate design decision because there is no guarantee that any given attribute of objects within a container will be unique other than the one that is associated with their DN.

This will not stop services from being able to search your directory and determine that uid=lawrence is associated with that particular DN (and thus being able to find any other attributes needed off of that object), but any calls that explicitly need to be run against a DN can only be run against the primary attribute.

This isn't to say that there aren't ways that you can avoid specifying a DN. Implementing SASL authentication and defining a map between SASL IDs and DNs comes to mind. But within the context of your question, no, you cannot switch to using a non-primary attribute of the DN you're authenticating to in place of the DN.

Best Answer

Related Solutions

Ldap – Make Postfix search LDAP group members by UID instead of DN

Ldap – How to configure LDAP in ApacheDS to use uid for authentication

Related Topic