Hello all,
My user.ldif is like:
dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: top
givenName: Somename
sn: Somelastname
cn: Somename Somelastname
uid: ssomelastname
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/ssomelastname
loginShell: /bin/bash
mail: ssomelastname@mydomain.edu.com
userPassword: some password encrypted
Same user for example is under cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com Example ldif:
dn: cn=IT,ou=Groups,dc=bca,dc=edu,dc=gr
cn: IT
objectClass: groupOfUniqueNames
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com
What I want is somehow to get all the uids of the users belonging to each of my groups, in order to build a mailing list with Postfix.
I've created a file called ldap-aliases.cf with the following inside:
server_host = ldaps://myhostname
search_base = dc=mydomain,dc=edu,dc=com
scope = sub
version = 3
query_filter = (&(|(objectclass=person)(objectclass=groupofuniquenames)(mail=%s)(ou=Groups)))
result_attribute = uid
bind = yes
bind_dn = cn=admin,dc=mydomain,dc=edu,dc=com
bind_pw = mypasswordwithoutencryption
The above works ok without errors but it just displays all users in my ldap. I tried several different ways but can't find out how to add to the query to show me only the cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com
and also a second, more complicated query, that is to show me all the uids of users not belonging to any group (ou=Groups,dc=mydomain,dc=edu,dc=com)
Any help is much appreciated.
Thanks
It is not clear (to me) what you want to do. You should carefully rephrase your requirements in terms of LDAP queries. Adding the complexity of postfix configuration to what needs to be clarified first in terms of pure LDAP operations further obscures your needs.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309  Mobile: +39 333 4963172  Fax: +39 0382 476497
Email: ando@sys-net.it
I simply need to export all the uids that are under the IT group, that's all. Postfix has nothing to do with the query. I just need the results and then I will pass them to Postfix manually.
But (to me) what you "simply need" is totally obscure. You should rephrase it in a clearer manner, if you want help (from me).
p.
I really want to get help but don't know how to explain it better. I've even posted my actual LDIF which holds those values. Did you see it?
Thanks
I'll go step by step into what I don't understand.
Stelios A. wrote:
Hello all,
My user.ldif is like:
dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: top
givenName: Somename
sn: Somelastname
cn: Somename Somelastname
uid: ssomelastname
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/ssomelastname
loginShell: /bin/bash
mail: ssomelastname@mydomain.edu.com
userPassword: some password encrypted
Stated like that, this is the contents of a file (user.ldif) in your file system. I'll assume it's also the prototype of user entries in your DSA.
Same user for example is under cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com Example ldif:
dn: cn=IT,ou=Groups,dc=bca,dc=edu,dc=gr
cn: IT
objectClass: groupOfUniqueNames
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com
I assume this is the prototype of a group in your DSA (where for some unknown reason you use groupOfUniqueNames/uniqueMember instead of groupOfNames/member), and the above user is a member of it.
What I want is somehow to get all uid of the users belonging to each of my groups in order to build a mailing list with postfix.
In LDAP, the only way to do it is:
- search the group
- take its members
- for each member:
  - search for the member entry
  - take its uid
There is no other plain LDAP way to do it. OpenLDAP provides some means to delegate this to the DSA.
One is to use the slapo-dynlist(5) overlay, if your membership relations can be expressed by an LDAP URL.
Another is the slapo-deref(5) overlay, which will be released shortly with OpenLDAP 2.4.13. This, however, requires client modification in order to interpret the deref control response.
I've created a file called ldap-aliases.cf with the following inside:
server_host = ldaps://myhostname
search_base = dc=mydomain,dc=edu,dc=com
scope = sub
version = 3
query_filter = (&(|(objectclass=person)(objectclass=groupofuniquenames)(mail=%s)(ou=Groups)))
result_attribute = uid
bind = yes
bind_dn = cn=admin,dc=mydomain,dc=edu,dc=com
bind_pw = mypasswordwithoutencryption
This is unrelated.
The above works ok without errors
How can you state it works ok, if it doesn't do what you mean?
but it just displays all users in my ldap. I tried several different ways but can't find out how to add to the query to show me only the cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com
Here things get really obscure:
- you tried several ways (but you don't say which)
- you say you "can't find how to add to the query to show you only the cn=blah...".
In the above postfixish there seems to be quite a strange filter: let's write it in non reverse polish notation:
() AND ( ( objectClass = person ) OR ( objectclass = groupOfUniqueNames ) OR ( mail = %s ) OR ( ou = Groups ) )
where I assume "%s" is going to be replaced by some user's mail address (I don't speak postfixish, sorry).
It is clear that your filter will catch everything that's either a person, or a group of unique names, or has the mail address of your user, or has ou equal to "groups".
This is where you should definitely clarify what you intend to gather with that specific query, keeping in mind that the only way to obtain what you stated before is to perform the sequence of operations I just described above.
and also a second more complicated query, that is to show me all users uid where not belonging to any Group (ou=Groups,dc=mydomain,dc=edu,dc=com)
- search for all user entries
- for each user entry DN:
  - search for entries whose class is a group and has the user entry's DN as member
- only keep those that do not belong to any group
There is no other way to obtain this information.
As a general comment, by trying to formulate operations the way you seem to be formulating them, you seem to be thinking SQLish. Probably, your data is not designed the way it should in order to organize postfix related data in LDAP.
p.
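The lookup the original post was trying to write, as an added example that is not from the thread: Postfix's own LDAP table can do the "search the group, take its members, look each one up" loop itself, through special_result_attribute in ldap_table(5), so no schema change is needed for the simple case. The hostname, CA file, service account and domain restriction are assumptions; the schema (groupOfUniqueNames under ou=Groups, uid and mail on the users) is the one posted above.

```conf
# /etc/postfix/ldap-groups.cf -- added example, not the poster's file.
# Hostname, CA file, service account and domain are assumptions.
server_host = ldaps://myhostname
version = 3
# Verify the server certificate; otherwise the bind password below is sent
# to whatever answers on that name.
tls_ca_cert_file = /etc/ssl/certs/mydomain-ca.pem
tls_require_cert = yes

# Bind as a dedicated read-only account, not as cn=admin (the rootdn).
# The password is clear text in this file: own it root:postfix, mode 0640.
bind = yes
bind_dn = cn=postfix,ou=Services,dc=mydomain,dc=edu,dc=com
bind_pw = ...

# Only expand addresses in our own domain.
domain = mydomain.edu.com

# Search groups only, and match the one whose cn is the local part of the
# address (%u), so it@mydomain.edu.com selects cn=IT (cn matching is
# case-insensitive). The posted filter OR-ed person, group, mail=%s and
# ou=Groups together, which is why every user in the tree came back.
search_base = ou=Groups,dc=mydomain,dc=edu,dc=com
scope = one
query_filter = (&(objectClass=groupOfUniqueNames)(cn=%u))

# uniqueMember holds DNs. Naming it here makes Postfix follow each DN,
# read that entry and return its result_attribute: the group -> members ->
# per-member lookup described above, performed by the MTA.
special_result_attribute = uniqueMember
result_attribute = mail
```

Wire it up with virtual_alias_maps = ldap:/etc/postfix/ldap-groups.cf in main.cf and check the expansion with postmap -q it@mydomain.edu.com ldap:/etc/postfix/ldap-groups.cf. With result_attribute = uid the table returns the local usernames the question asked for instead of addresses; use it from alias_maps then, and drop the domain line, since alias keys carry no domain part. A member DN that points at a deleted or renamed entry simply expands to nothing, so re-check the expansion after any change to user DNs.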
Thanks a lot for the explanation, I will make a few changes to my schema and see how it goes. I used groupOfUniqueNames/uniqueMember instead of groupOfNames/member because I was following the instructions from a book about OpenLDAP. I will come back as soon as I have any update on this.
Thanks
I figured out how to accommodate the mailing list, but that requires updating my LDAP schema to use groupOfNames/member as suggested, along with a change to the DN. Is there a way to change all the DNs to the new format automatically, to avoid editing all the entries (1000+ users)? This is going from:
dn: cn=Firstname Lastname,ou=Users,dc=mydomain,dc=edu,dc=com
to:
dn: uid=flastname,ou=Users,dc=mydomain,dc=edu,dc=com
Thanks a lot
-- Stelios A
Nothing smarter than slapcat | sed | slapadd (with appropriate options, of course; and stop slapd first).
p.
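The two procedures Pierangelo laid out earlier in the thread (search the group, take its members, look each one up and take its uid; and find the users that no group references) and the slapcat | sed | slapadd rename just suggested, carried out over a slapcat-style LDIF dump. This is an added example, not code from the thread or from OpenLDAP: the entries, the fake userPassword hash and the function names are all constructed. It keeps the space after the first comma in the user DN exactly as the original post wrote it while the group references the DN without one; slapd treats both as the same DN, so the script normalizes before comparing, which a plain string compare (or a sed on the raw dump) would not. The rename step also rewrites the uniqueMember/member values that point at the old DNs, otherwise every group references entries that no longer exist after slapadd. Two things the script does not do for you on a real dump: stop slapd before slapcat/slapadd, and remember that the dump carries every userPassword hash, so keep it mode 0600 and delete it afterwards.

```python
import re
from collections import defaultdict

USERS_BASE = "ou=Users,dc=mydomain,dc=edu,dc=com"
GROUPS_BASE = "ou=Groups,dc=mydomain,dc=edu,dc=com"
MEMBER_ATTRS = ("member", "uniquemember")   # groupOfNames / groupOfUniqueNames

# Constructed slapcat-style dump (not the poster's data). The first DN has a
# space after the comma while the group references it without one; the hash
# is fake; "Gone Person" dangles; the last value is folded as slapcat folds.
SAMPLE_LDIF = """\
dn: cn=Somename Somelastname, ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
cn: Somename Somelastname
sn: Somelastname
uid: ssomelastname
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: cn=Jane Doe,ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe

dn: cn=Bob Ray,ou=Users,dc=mydomain,dc=edu,dc=com
objectClass: inetOrgPerson
cn: Bob Ray
sn: Ray
uid: bray

dn: cn=IT,ou=Groups,dc=mydomain,dc=edu,dc=com
objectClass: groupOfUniqueNames
cn: IT
uniqueMember: cn=Somename Somelastname,ou=Users,dc=mydomain,dc=edu,dc=com
uniqueMember: cn=Jane Doe,ou=Users,dc=mydomain,dc=edu,dc=com
uniqueMember: cn=Gone Person,ou=Users,dc=mydomain,dc=e
 du,dc=com
"""

def norm_dn(dn):
    """Trim around RDN separators and lowercase; enough for plain ASCII DNs."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def unfold(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    return re.sub(r"\n ", "", text)

def parse_ldif(text):
    """{normalized dn: {lowercase attr: [raw values]}}; base64 kept undecoded."""
    entries = {}
    for record in re.split(r"\n\s*\n", unfold(text).strip()):
        attrs = defaultdict(list)
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            if sep and not name.startswith("#"):
                attrs[name.strip().lower()].append(value.lstrip(": "))
        entries[norm_dn(attrs["dn"][0])] = dict(attrs)
    return entries

def group_member_uids(entries, group_dn):
    """Search the group, take its members, look each one up, take its uid.
    Dangling member DNs are returned, not silently dropped."""
    group = entries[norm_dn(group_dn)]
    uids, dangling = [], []
    for attr in MEMBER_ATTRS:
        for member_dn in group.get(attr, []):
            member = entries.get(norm_dn(member_dn))
            if member and "uid" in member:
                uids.extend(member["uid"])
            else:
                dangling.append(member_dn)
    return sorted(uids), dangling

def users_in_no_group(entries, users_base=USERS_BASE, groups_base=GROUPS_BASE):
    """uids under users_base that no group under groups_base references."""
    referenced = set()
    for dn, entry in entries.items():
        if dn.endswith("," + norm_dn(groups_base)):
            for attr in MEMBER_ATTRS:
                referenced.update(norm_dn(m) for m in entry.get(attr, []))
    return sorted(entry["uid"][0] for dn, entry in entries.items()
                  if dn.endswith("," + norm_dn(users_base))
                  and "uid" in entry and dn not in referenced)

def rename_user_dns(text, users_base=USERS_BASE):
    """The slapcat | sed | slapadd step: cn=...,<users_base> becomes
    uid=<uid>,<users_base>, and member/uniqueMember lines that point at the
    old DN are rewritten too, or every group references nothing afterwards."""
    mapping = {dn: f"uid={e['uid'][0]},{users_base}"
               for dn, e in parse_ldif(text).items()
               if dn.endswith("," + norm_dn(users_base)) and "uid" in e}
    out = []
    for line in unfold(text).splitlines():   # unfold first; sed would need to too
        name, sep, value = line.partition(":")
        if sep and name.lower() in ("dn",) + MEMBER_ATTRS \
                and norm_dn(value.strip()) in mapping:
            line = f"{name}: {mapping[norm_dn(value.strip())]}"
        out.append(line)
    return "\n".join(out) + "\n", mapping
```

parse_ldif(SAMPLE_LDIF) followed by group_member_uids(..., "cn=IT," + GROUPS_BASE) yields the two resolvable uids plus the dangling "Gone Person" reference, users_in_no_group() yields bray, and rename_user_dns(SAMPLE_LDIF)[0] is text you could feed to slapadd -l: the three user DNs become uid= DNs and the group's uniqueMember values follow them, while the dangling reference is left for you to notice. The DN normalization only trims whitespace and lowercases, which is fine for these ASCII DNs; values with escaped commas or multi-valued RDNs need a real RFC 4514 parser.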
An alternate way of implementing this would be to have the mail group entry itself store a list of the mail/uid attributes of all of the members of the mail group. Then all you would need to do is update the mail group entries to store the associated mail/uid values, and adjust your Postfix config to return this multi-valued attribute from the group entry itself. This might require you to make a custom objectClass and attribute, or there may be an existing RFC objectClass/attribute that is suitable, but I am not certain what that would be. Also be aware that updating ldap-alias.cf will affect regular mail to a single user, and you might have to use two separate ldap-alias.cf files: one to handle normal mail and another to specifically handle the mail group case.
Kris Burton
Pierangelo Masarati wrote:
SA> What I want is somehow to get all uid of the users belonging to each
SA> of my groups in order to build a mailing list with postfix.

PM> In LDAP, the only way to do it is:
PM> - search the group
PM> - take its members
PM> - for each member:
PM>   - search for the member entry
PM>   - take its uid
We've implemented approximately this method for systems administered with GOsa. It has an auxiliary objectclass called "gosaMailAccount" which it adds to groups and to users when the GUI enables mail for that object.
Using Exim, rather than Postfix, you can for example do something like:
gosa_mailgroup_expand:
  driver = redirect
  allow_fail
  allow_defer
  check_ancestor
  address_data = ${lookup ldapm \
    {user=LDAP_USER pass=LDAP_PASS \
    ldap:///LDAP_BASE?memberUid,gosaMailForwardingAddress?sub?\
    (&(objectClass=gosaMailAccount)(objectClass=posixGroup)\
    (|(mail=$local_part@$domain)\
    (gosaMailAlternateAddress=$local_part@$domain)))} \
    }
  # Now get the canonical mail addresses for all the members
  data = ${expand:${lookup ldapm \
    {user=LDAP_USER pass=LDAP_PASS \
    ldap:///LDAP_BASE?mail?sub?\
    (&(objectClass=gosaMailAccount)(objectClass=gosaAccount)\
    (|(uid=${sg{${extract{memberUid}{$address_data}\
    }}{,\s*}{)(uid=}})))}\
    }},\
    (&(objectClass=gosaMailAccount)\
    (objectClass=gosaAccount)(uid=%l))}\
    }{,\s*}{\n}}\
    }},\
    ${extract{gosaMailForwardingAddress}{$address_data}}
i.e. find a posixGroup whose "mail" or "gosaMailAlternateAddress" matches the list address, then use memberUid to look up the mail addresses of members who are local users, and deliver to them plus any external addresses listed in the group's "gosaMailForwardingAddress".
An equivalent with groupOf(Unique)Names rather than posixGroup might be simpler because having the user DNs in the group removes the need for the second-level search.
You may be able to write an MTA config which looks less horrible using Postfix. The upshot either way is something simple to administer with the web GUI.
Cheers
Duncan