Re: [Exim] ldap lookup -- multiple results

Author: Douglas Gray Stephens
Date:  
To: Derrick 'dman' Hudson
CC: exim-users
Subject: Re: [Exim] ldap lookup -- multiple results
Derrick,

At 18:09 (GMT-0500) on 24-June-2002, Derrick 'dman' Hudson wrote:
> --
>
> I'm having some fun configuring exim (4.05) to pull all sorts of
> routing and control information from an OpenLDAP server. (it's
> working out quite well, actually)
>
> I did run into a little snag, though. I want to set up some lists
> where list membership is given as an attribute on the user's LDAP
> entry. The compilation of all members can then easily be determined
> by a LDAP search that filters on that attribute. This seems to be the
> easiest way to keep list membership manageable for system admins. The
> problem I ran into is this message from exim (wrapped for
> readability):
>
>     message: failed to expand
>             "${lookup ldap {ldap://barak.itusa.org/ou=People,
>             o=International Teams?uid?sub?
>             (mailGroupLocalPart=${quote_ldap:$local_part}) } }":
>
>         lookup of
>             "ldap://barak.itusa.org/ou=People,o=International Teams?uid?sub?
>             (mailGroupLocalPart=aitp) "
>
>         gave DEFER: LDAP search: more than one entry (2) was returned
>             (filter not specific enough?)

So the ldap method fails if there are zero OR more than one match
(i.e. LDAP match is good for forcing there to be ONLY one match).

You are looking for multiple matches, so you need to look at using ldapm.
This will return the list of UIDs one per line. If your UIDs are
multi-valued (unlikely), then those records that had multiple values
would be returned as a comma-separated list on the appropriate lines,
i.e.
uid-for-record1
uid-for-record2
uid-for-record3 value1, uid-for-record3 value2
uid-for-record4
etc.

> This is on a 'redirect' router. I didn't finish the expansion string
> because I wasn't sure how to convert the multiple return entries into
> a list of addresses. (one step at a time :-))


This depends on how you get from the UIDs to the email addresses (why
not just return the mail attribute?).

Douglas.

>
> Is it unreasonable to want to perform a lookup like this? If not, can
> this be a feature request?
>
> In the meantime, I've created a script to do the query and then print
> out a comma-separated list of the 'uid' values which is handled by a
> ${run expansion. The problem with the script is twofold -- 1) extra
> overhead and 2) it's slow. (I don't know why #2 is)
>
> -D
>
> --
>
> How to shoot yourself in the foot with Java:
>
> You find that Microsoft and Sun have released incompatible class
> libraries both implementing Gun objects. You then find that although
> there are plenty of feet objects implemented in the past in many other
> languages, you cannot get access to one. But seeing as Java is so cool,
> you don't care and go around shooting anything else you can find.
>     (written by Mark Hammond)
>
> http://dman.ddts.net/~dman/
>


--

================================
Douglas GRAY STEPHENS
Technical Architect (Directories)
Schlumberger Cambridge Research
High Cross,
Madingley Road,
Cambridge.
CB3 0EL
ENGLAND

Phone  +44 1223 325295
Mobile +44 773 0051628
Fax    +44 1223 311830
Email DGrayStephens@???
================================
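
Added example, not part of the original message or of anyone's actual configuration: a redirect router sketch that applies the two suggestions in the reply above (use ldapm, and return the mail attribute directly). The router name is hypothetical, and it is an assumption that every matching entry carries a `mail` attribute; the host, base DN and filter are copied from the quoted error message.

```exim
# Hypothetical router name. Host, base DN and filter are taken from the
# lookup shown in the quoted error message.
ldap_group_lists:
  driver = redirect

  # Original form (defers when the filter matches more than one entry,
  # because the "ldap" lookup type insists on a single entry):
  #   data = ${lookup ldap {ldap://barak.itusa.org/ou=People,o=International Teams?uid?sub?\
  #            (mailGroupLocalPart=${quote_ldap:$local_part})}}

  # "ldapm" accepts any number of matching entries and returns one line
  # per entry; a multi-valued attribute comes back comma-separated on its
  # line. A redirect router's data may be separated by newlines or commas,
  # so the result can be used as the address list without a helper script.
  #
  # Assumption: the "mail" attribute is requested instead of "uid" so the
  # values are already deliverable addresses.
  #
  # ${quote_ldap:...} stays in place: $local_part comes from the envelope
  # recipient, and quoting it keeps LDAP filter metacharacters in the
  # address from altering the search filter.
  data = ${lookup ldapm {ldap://barak.itusa.org/ou=People,o=International Teams?mail?sub?\
           (mailGroupLocalPart=${quote_ldap:$local_part})}}
```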