This may be related to the issue discussed here:
But it seems not to be, layer 8 is still open though.
This is the query filter I modified as per the referenced email in the archive.
query_filter = (&(objectclass=posixaccount)(mail=%s))
When run from postmap it gets nothing. If I change it for testing to search by uid or another attribute it works as expected. A simple filter like (uid=%s) works every time.
This ldapsearch run using the postfix servers keytab as credentials works as well:
ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org '(&(objectclass=posixaccount)(|(mail=validuser@example.org)))'
The FreeIPA version is 4.4.4, running on Fedora 26.
Is there something I may be overlooking here? I dove off into IPA v4 permissions and everything *seems* ok, but it is my chief suspect right now.
Thanks!