Bob Rentschler wrote:
> The query mismatch was a typo/mispaste, sorry about that.
>
> It was indeed at least partly permissions in the LDAP server, likely
> because a service is running the query.
>
> I solved the freeipa permissions with the below command, which is likely
> bad in some way but did allow postmap to return the
> desired attributes:
>
> ipa permission-mod "System: Read User Standard Attributes"
> --includedattrs=mail --includedattrs=mailAlternateAddress You could use "System: Read User Addressbook Attributes" instead which
>
> The attributes have been changed today, I am
> using (|(mail=%s)(mailAlternateAddress=%s)) now that the simple
> (mail-%s) works.
>
> Is there a better or more proper way? That one seems to allow anonymous
> enumeration of email accounts, which isn't a huge
> problem for me, but I could see cases where it would be. It also seems a
> waste to set up gssapi and TLS then weaken the LDAP
> ACI's.
requires an authenticated user.
>
> When I looked in the access log of the LDAP server I saw no error codes
> as such, was /var/log/dirsrv/slapd-<domain>/access the wrong file to That's right but LDAP errors can be subtle.
> look in.
> The remaining issue is posmap returns results just fine, but postfix
> itself somehow fails to read the ldap alias map. I'll beat my
> head on that for a few hours now.
>
> For the interested the relevant section of main.cf <http://main.cf> is
>
> virtual_alias_domains = domain.org <http://domain.org>
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> <http://ldap_aliases.cf>
>
> All of the TLS functions are working properly, the directory server
> shows this when postfix connects:
>
>
> [03/Aug/2017:10:18:31.380423718 -0400] conn=95 op=0 SRCH > <mailto:existing_user@domain.
> base="cn=users,cn=accounts,dc=domain,dc=ord" scope=2
> filter="(|(mail=existing_user@domain.org
org >)(mailAlternateAddress=existing_user@domain.org
> <mailto:existing_user@domain.org >))" attrs="uid"
> [03/Aug/2017:10:18:31.381151196 -0400] conn=95 op=0 RESULT err=0 tag=101 It is the err I was looking for. err=0 is good, though there are others
> nentries=1 etime=0
that can be acceptable as well depending on context. In this case one
user was found with the e-mail address.
> it also shows a few extras, I believe I need to tighetn up what postfix
> looks for as these are queries related to the sending email account.
>
> [03/Aug/2017:10:18:32.201190867 -0400] conn=96 op=1 SRCH Hard to say without knowing your LDAP db but these could be perfectly
> base="cn=users,cn=accounts,dc=domain,dc=org" scope=2
> filter="(|(mail=<account test mail was sent
> from>)(mailAlternateAddress=<account test mail was sent from>))" attrs="uid"
> [03/Aug/2017:10:18:32.201454459 -0400] conn=96 op=1 RESULT err=0 tag=101
> nentries=0 etime=0
> [03/Aug/2017:10:18:32.201883216 -0400] conn=96 op=2 SRCH
> base="cn=users,cn=accounts,dc=notwise,dc=net" scope=2
> filter="(|(mail=@<sending domain>)(mailAlternateAddress=@<sending
> domain>))" attrs="uid"
> [03/Aug/2017:10:18:32.202028213 -0400] conn=96 op=2 RESULT err=0 tag=101
> nentries=0 etime=0
normal and expected. It is searching the right subtree and the query
format looks right, that's about all I can say :-)
rob
>
> Thanks!
> Bob
>
> On Thu, Aug 3, 2017 at 10:06 AM, Rob Crittenden <rcritten@redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Bob Rentschler via FreeIPA-users wrote:
> > This may be related to the issue discussed here:
> > https://lists.fedorahosted.org/archives/list/freeipa- users@lists.fedorahosted.org/ message/ SC7GYMHMJ2DNT6BDDSWG5F4HL252EJ OD/
> <https://lists.fedorahosted.org/archives/list/freeipa- >users@lists.fedorahosted.org/ message/ SC7GYMHMJ2DNT6BDDSWG5F4HL252EJ OD/
> > <https://lists.fedorahosted.org/archives/list/freeipa- users@lists.fedorahosted.org/ message/ SC7GYMHMJ2DNT6BDDSWG5F4HL252EJ OD/
> <https://lists.fedorahosted.org/archives/list/freeipa- >>users@lists.fedorahosted.org/ message/ SC7GYMHMJ2DNT6BDDSWG5F4HL252EJ OD/
> >
> > But it seems not to be, layer 8 is still open though.
> >
> > Using the instructions here
> > https://www.dalemacartney.com/2013/03/14/deploying-postfix- with-ldap-freeipa-virtual- aliases-and-kerberos- authentication/
> <https://www.dalemacartney.com/2013/03/14/deploying- >postfix-with-ldap-freeipa- virtual-aliases-and-kerberos- authentication/
> > to enable postfix virtual users from freeIPA I seem to have hit a
> > sticking point in that postfix is unable to fetch the mail attribute.
> >
> > this is the query filter I modified as per the referenced email in the
> > archive.
> >
> > query_filter = (&(objectclass=posixaccount)(mail=%s)) > > <mailto:validuser@example.org <mailto:validuser@example.org>
> >
> > When run from postmap it gets nothing. If I change it for testing to
> > search by uid or another attribute it works as expected. a simple filter
> > like (uid=%s) works everytime.
> >
> > This ldapsearch run using the postfix servers keytab as credentials
> > works as well:
> >
> > ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=org
> > '(&(objectclass=posixaccount)(|(mail=validuser@example.org <mailto:validuser@example.org>
>)))'
> >
> > The FreeIPA version is 4.4.4 running on Fedora 26
> >
> > Is there something I may be overlooking here? I dove off into IPA v4
> > permissions and everything *seems* ok, but it is my chief suspect right now.
>
> When postmap gets nothing, is the LDAP query correct? What is the LDAP
> error code?
>
> The query you ran doesn't match the query_filter you posted. I mention
> it in case this wasn't just a typo in the e-mail.
>
> rob
>
>