
Re: Mailing list query

I'll go step by step into what I don't understand.

Stelios A. wrote:
Hello all,

My user.ldif is like:

dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: top
givenName: Somename
sn: Somelastname
cn: Somename Somelastname
uid: ssomelastname
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/ssomelastname
loginShell: /bin/bash
mail: ssomelastname@mydomain.edu.com
userPassword: some password encrypted

Stated like that, this is the contents of a file (user.ldif) in your file system. I'll assume it's also the prototype of user entries in your DSA.

Same user for example is under cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com Example ldif:

dn: cn=IT,ou=Groups,dc=bca,dc=edu,dc=gr
cn: IT
objectClass: groupOfUniqueNames
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com

I assume this is the prototype of a group in your DSA (where for some unknown reason you use groupOfUniqueNames/uniqueMember instead of groupOfNames/member), and the above user is a member of it.

What I want is somehow to get all uid of the users belonging to each
of my groups in order to build a mailing list with postfix.

In LDAP, the only way to do it is:

- search the group
- take its members
- for each member:
	- search for the member entry
	- take its uid

There is no other plain LDAP way to do it. OpenLDAP provides some means to delegate this to the DSA.

One is to use the slapo-dynlist(5) overlay, if your membership relations can be expressed by an LDAP URL.

Another is the slapo-deref(5) overlay, which will be released shortly with OpenLDAP 2.4.13. This, however, requires client modification in order to interpret the deref control response.

I've created a file called ldap-aliases.cf with the following inside:

server_host = ldaps://myhostname
search_base = dc=mydomain,dc=edu,dc=com
scope = sub
version = 3
query_filter = (&(|(objectclass=person)(objectclass=groupofuniquenames)(mail=%s)(ou=Groups)))
result_attribute = uid
bind = yes
bind_dn = cn=admin,dc=mydomain,dc=edu,dc=com
bind_pw = mypasswordwithoutencryption

This is unrelated

The above works ok without errors

How can you state it works ok, if it doesn't do what you mean?

but it just displays all users in my ldap.
I tried several different ways but can't find out how to add to the
query to show me only the cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com

Here things get really obscure:

- you tried several ways (but you don't say which)

- you say you "can't find how to add to the query to show you only the cn=blah...".

In the above postfixish there seems to be quite a strange filter: let's write it in non reverse polish notation:

() AND (
    ( objectClass = person )
    OR ( objectclass = groupOfUniqueNames )
    OR ( mail = %s )
    OR ( ou = Groups )
)

where I assume "%s" is going to be replaced by some user's mail address (I don't speak postfixish, sorry).

It is clear that your filter will catch everything that's either a person, or a group of unique names, or has the mail address of your user, or has ou equal to "groups".

This is where you should definitely clarify what you intend to gather with that specific query, keeping in mind that the only way to obtain what you stated before is to perform the sequence of operations I just described above.

and also a second more complicated query, that is to show me all users
uid where not belonging to any Group

- search for all user entries
- for each user entry DN
	- search for entries whose class is a group and has the user entry's DN as member
- only keep those that do not belong to any group

There is no other way to obtain this information.

As a general comment, by trying to formulate operations the way you seem to be formulating them, you seem to be thinking SQLish. Probably, your data is not designed the way it should be in order to organize postfix related data in LDAP.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
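
Added example (not part of the original message, and not OpenLDAP or postfix code): the two lookups described in the reply, group to member uids and users in no group, run against a small in-memory directory. The LDIF sample, the second user and all function names are constructed for illustration; DN matching is a simplified normalization that is enough to pair "cn=..., ou=Users" in the user entry with "cn=...,ou=Users" in uniqueMember.

```python
# Constructed sample data modelled on the entries quoted in the thread.
LDIF = """\
dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
uid: ssomelastname

dn: cn=Other User,ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
uid: ouser

dn: cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com
"""

def norm_dn(dn):
    # Simplified: case-fold and trim spaces around RDNs (no escaped commas).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized DN: {lowercased attribute: [values]}}."""
    directory = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        directory[norm_dn(attrs["dn"][0])] = attrs
    return directory

def group_uids(directory, group_dn):
    """Search the group, take its members, read each member entry's uid."""
    group = directory.get(norm_dn(group_dn), {})
    uids = []
    for member in group.get("uniquemember", []):
        entry = directory.get(norm_dn(member))  # one lookup per member DN
        if entry:                               # skip dangling member DNs
            uids.extend(entry.get("uid", []))
    return sorted(uids)

def ungrouped_uids(directory):
    """uids of entries whose DN no group lists as uniqueMember."""
    # One pass over all groups replaces the per-user group search; same result.
    grouped = {norm_dn(m) for e in directory.values()
               for m in e.get("uniquemember", [])}
    return sorted(u for dn, e in directory.items() if dn not in grouped
                  for u in e.get("uid", []))
```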