But it seems not to be, layer 8 is still open though.

Using the instructions here https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ to enable postfix virtual users from freeIPA I seem to have hit a sticking point in that postfix is unable to fetch the mail attribute.

this is the query filter I modified as per the referenced email in the archive.

When run from postmap it gets nothing. If I change it for testing to search by uid or another attribute it works as expected. a simple filter like (uid=%s) works everytime.

This ldapsearch run using the postfix servers keytab as credentials works as well:

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org '(&(objectclass=posixaccount)(|(mail=validuser@example.org)))'

The FreeIPA version is 4.4.4 running on Fedora 26

Is there something I may be overlooking here? I dove off into IPA v4 permissions and everything *seems* ok, but it is my chief suspect right now.

Thanks!