I'll go step by step into what I don't understand.
Stelios A. wrote:
Hello all,
My user.ldif is like:
dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: top
givenName: Somename
sn: Somelastname
cn: Somename Somelastname
uid: ssomelastname
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/ssomelastname
loginShell: /bin/bash
mail: ssomelastname@mydomain.edu.com
userPassword: some password encrypted
Stated like that, this is the contents of a file (user.ldif) in your file system. I'll assume it's also the prototype of user entries in your DSA.
The same user, for example, is under cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com. Example ldif:
dn: cn=IT,ou=Groups,dc=bca,dc=edu,dc=gr
cn: IT
objectClass: groupOfUniqueNames
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com
I assume this is the prototype of a group in your DSA (where for some unknown reason you use groupOfUniqueNames/uniqueMember instead of groupOfNames/member), and the above user is a member of it.
What I want is somehow to get all uid of the users belonging to each of my groups in order to build a mailing list with postfix.
In LDAP, the only way to do it is:
- search the group
- take its members
- for each member:
  - search for the member entry
  - take its uid
There is no other plain LDAP way to do it. OpenLDAP provides some means to delegate this to the DSA.
One is to use the slapo-dynlist(5) overlay, if your membership relations can be expressed by a LDAP URL.
Another is the slapo-deref(5) overlay, which will be released shortly with OpenLDAP 2.4.13. This, however, requires client modification in order to interpret the deref control response.
I've created a file called ldap-aliases.cf with the following inside:
server_host = ldaps://myhostname
search_base = dc=mydomain,dc=edu,dc=com
scope = sub
version = 3
query_filter = (&(|(objectclass=person)(objectclass=groupofuniquenames)(mail=%s)(ou=Groups)))
result_attribute = uid
bind = yes
bind_dn = cn=admin,dc=mydomain,dc=edu,dc=com
bind_pw = mypasswordwithoutencryption
This is unrelated.
The above works ok without errors
How can you state it works ok, if it doesn't do what you mean?
but it just displays all users in my ldap. I tried several different ways but can't find out how to add to the query to show me only the cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com
Here things get really obscure:
- you tried several ways (but you don't say which)
- you say you "can't find how to add to the query to show you only the cn=blah...".
In the above postfixish there seems to be quite a strange filter: let's write it in non reverse polish notation:
() AND ( ( objectClass = person ) OR ( objectclass = groupOfUniqueNames ) OR ( mail = %s ) OR ( ou = Groups ) )
where I assume "%s" is going to be replaced by some user's mail address (I don't speak postfixish, sorry).
It is clear that your filter will catch everything that's either a person, or a group of unique names, or has the mail address of your user, or has ou equal to "groups".
This is where you should definitely clarify what you intend to gather with that specific query, keeping in mind that the only way to obtain what you stated before is to perform the sequence of operations I just described above.
and also a second more complicated query, that is to show me all users uid where not belonging to any Group (ou=Groups,dc=mydomain,dc=edu,dc=com)
- search for all user entries
- for each user entry DN:
  - search for entries whose class is a group and which have the user entry's DN as member
- only keep those that do not belong to any group
There is no other way to obtain this information.
As a general comment, by trying to formulate operations the way you seem to be formulating them, you seem to be thinking SQLish. Probably, your data is not designed the way it should in order to organize postfix related data in LDAP.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
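The two resolution sequences described in the reply (group, then its members, then each member's uid; and users that no group names as a member), as an added example that is not part of the original thread. Instead of a live DSA it runs over a constructed in-memory LDIF modelled on the quoted entry prototypes; the extra users, the Sales group and the dangling "Gone User" member are invented so the edge cases (DN spelling differences, a member whose entry is gone) are exercised. Each "search" step below is one LDAP search in real life.

```python
from collections import defaultdict

# Constructed sample directory, modelled on the entry prototypes quoted in the
# thread. Other Person, Nobody Lonely, the Sales group and the dangling
# "Gone User" member are invented to exercise the edge cases.
SAMPLE_LDIF = """\
dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
cn: Somename Somelastname
sn: Somelastname
uid: ssomelastname

dn: cn=Other Person,ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
cn: Other Person
sn: Person
uid: operson

dn: cn=Nobody Lonely,ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
cn: Nobody Lonely
sn: Lonely
uid: nlonely

dn: cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com
objectClass: groupOfUniqueNames
cn: IT
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com
uniqueMember: cn=Other Person,ou=Users,dc=mydomain,dc=edu,dc=com
uniqueMember: cn=Gone User,ou=Users,dc=mydomain,dc=edu,dc=com

dn: cn=Sales,ou=Groups,dc=mydomain,dc=edu,dc=com
objectClass: groupOfUniqueNames
cn: Sales
uniqueMember: cn=Other Person,ou=Users,dc=mydomain,dc=edu,dc=com
"""


def normalize_dn(dn):
    """Fold case and strip blanks around RDN separators, so 'cn=X, ou=Users,...'
    and 'cn=X,ou=Users,...' compare equal as the server's distinguishedNameMatch
    rule would. Simplification: escaped commas (\\,) inside values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, folded lines (leading
    space) joined, attribute names lower-cased. Base64 ('attr:: ...') values
    are not decoded by this toy reader."""
    entries = {}
    for record in text.strip().split("\n\n"):
        lines = []
        for line in record.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]        # LDIF line folding
            else:
                lines.append(line)
        attrs = defaultdict(list)
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[normalize_dn(attrs.pop("dn")[0])] = dict(attrs)
    return entries


def is_group(attrs):
    return "groupofuniquenames" in (c.lower() for c in attrs.get("objectclass", []))


def group_member_uids(entries, group_dn):
    """Sequence 1: read the group, then read each uniqueMember entry and take
    its uid. Dangling member DNs (entry deleted or renamed) are skipped."""
    group = entries[normalize_dn(group_dn)]
    uids = []
    for member_dn in group.get("uniquemember", []):
        member = entries.get(normalize_dn(member_dn))
        if member is None:
            continue
        uids.extend(member.get("uid", []))
    return uids


def groups_of(entries, user_dn):
    """Groups whose uniqueMember attribute names this user's DN."""
    target = normalize_dn(user_dn)
    return [dn for dn, attrs in entries.items() if is_group(attrs)
            and target in {normalize_dn(m) for m in attrs.get("uniquemember", [])}]


def users_without_group(entries, users_base):
    """Sequence 2: for every user entry under users_base look for groups naming
    it, and keep the uids of those found in none."""
    base = "," + normalize_dn(users_base)
    return sorted(uid for dn, attrs in entries.items()
                  if dn.endswith(base) and "uid" in attrs and not groups_of(entries, dn)
                  for uid in attrs["uid"])


ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Against a real server, `group_member_uids` is one base-scope search on the group followed by one base-scope search per member, and `users_without_group` is one search per user with a filter of the form `(&(objectClass=groupOfUniqueNames)(uniqueMember=<user DN>))`; the DN normalization done by hand here is what the server's DN matching rule does for you, which is why comparing member DNs as raw strings on the client side is the usual way such scripts break.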