On 13/09/15 06:05, Tim Landscheidt wrote:
> a) I want to make sure that this does not
> open up any holes. My understanding is that a redirect
> router without "allow_filter" treats data returned by
> "${lookup}" as if it was given as recipient address(es) in
> the first place, i.e. this can never be used to achieve
> something "more". Is that correct?

There's still file vs. pipe vs. name@??? possibilities,
I think?

> Second, does
> "${quote_ldap:$local_part}" do everything that it needs to do?

It quotes for protecting chars special to ldap,
on the way in. Policy beyond that is up to you.
It does nothing about the output, either.
>
> | data = ${sg{${lookup ldap \
> | {user=LDAPUSER pass=LDAPPASS ldap://ldap-eqiad.wikimedia.org/cn=INSTANCEPROJECT.${quote_ldap:$local_part},ou=servicegroups,dc=wikimedia,dc=org?member}{$value}fail}}{uid=(.*?),ou=people,(ou=servicegroups,)?dc=wikimedia,dc=org}{\$1}}
>
> Again, that works, but I would much prefer something that
> says: "For each attribute, apply this regular expression and
> make the result a list of all matches". I've looked at
> "${map}", but I'm unclear if and where I should throw in
> some "${quote}" operators. Are there recommended examples
> for processing the results of look-ups?

Not clear what you're trying to achieve here.
Why isn't the output of the ldap lookup already in
usable form? What are you getting? Can you test
with "exim -be"?
--
Cheers,
Jeremy
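
The point made in the reply above, that `${quote_ldap:...}` protects only the query while nothing checks what the lookup returns, sketched as an added Python example (not part of the original message and not Exim code). It models the item forms a redirect router distinguishes (pipe, file, include, special, address) and accepts only uids taken from a fully matching member DN; the function names, the allow-list pattern and the sample values are assumptions constructed for illustration.

```python
import re

# DN pattern from the quoted router. It is applied with fullmatch() below,
# unlike ${sg}, which rewrites matching text and leaves the rest unchanged.
MEMBER_DN = re.compile(
    r"uid=(.*?),ou=people,(?:ou=servicegroups,)?dc=wikimedia,dc=org")

# Assumption: a conservative allow-list for account names.
SAFE_LOCAL_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def classify_redirect_item(item):
    """Name the form one item of redirect data would be read as (simplified)."""
    s = item.strip().strip('"')
    if s.startswith("|"):
        return "pipe"
    if s.startswith("/"):
        return "file"
    if s.startswith(":include:"):
        return "include"
    if s.startswith(":"):
        return "special"      # e.g. :blackhole:, :defer:, :fail:
    return "address"

def recipients_from_members(values):
    """Split LDAP 'member' values into accepted uids and rejected values."""
    accepted, rejected = [], []
    for value in values:
        m = MEMBER_DN.fullmatch(value.strip())
        if m is None:
            # Not a member DN at all: report what it would have been read as.
            rejected.append((value, "unmatched " + classify_redirect_item(value)))
            continue
        uid = m.group(1)
        form = classify_redirect_item(uid)
        if form == "address" and SAFE_LOCAL_PART.fullmatch(uid):
            accepted.append(uid)
        else:
            rejected.append((value, form if form != "address" else "unsafe local part"))
    return accepted, rejected

# Constructed sample values, not real directory data.
SAMPLE_MEMBERS = [
    "uid=alice,ou=people,dc=wikimedia,dc=org",
    "uid=bob,ou=people,ou=servicegroups,dc=wikimedia,dc=org",
    "uid=|/usr/local/bin/example,ou=people,dc=wikimedia,dc=org",
    "/var/tmp/example",
]
```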