[exim] Again nested LDAP queries...

Author: Marco Gaiarin
Date:  
To: exim-users
Subject: [exim] Again nested LDAP queries...

I'm still hitting my head on the wall trying to make nested LDAP queries
work (in AD).

Some examples:

Having a group name, getting the group DN:

> ${lookup ldap {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=sir@???))}}

CN=sir,,OU=Users,,OU=FVG,,DC=ad,,DC=fvg,,DC=lnf,,DC=it
> ${sg {${lookup ldap {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=sir@???))}}} {,,} {,}}

CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it

But if I try to query users with that result:

> ${lookup ldapm {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf=${sg {${lookup ldap {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=sir@???))}}} {,,} {,}}))}}

Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it))"

OK, I supposed it was a quoting problem:

> ${quote_ldap:${sg {${lookup ldap {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=sir@???))}}} {,,} {,}}}

CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit
> ${lookup ldapm {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf=${quote_ldap:${sg {${lookup ldap {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}?distinguishedName?sub?(&(objectClass=group)(mail=sir@???))}}} {,,} {,}}}))}}

Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))"

Narrowing down the trouble led me to the fact that it seems that a query
with a DN does not work:

> ${lookup ldapm {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf="CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))}}

Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf="CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf="CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"))"
> ${lookup ldapm {user=${quote_ldap:CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it} pass="nontelado" ldap:///${quote_ldap:OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}??uid?sub?(&(objectClass=user)(memberOf=${quote_ldap:CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it}))}}

Failed: lookup of "user=CN%3Dmta%2COU%3DRestricted%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit pass="nontelado" ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))" gave DEFER: ldap_url_parse: (error 8) parsing "ldap:///OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit??uid?sub?(&(objectClass=user)(memberOf=CN%3Dsir%2COU%3DUsers%2COU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit))"

But doing an LDAP query by other means, e.g. ldapsearch:

root@vdmsv1:/etc/exim4# ldapsearch -x -LLL -D CN=mta,OU=Restricted,DC=ad,DC=fvg,DC=lnf,DC=it -w "nontelado" -H ldaps://vdcsv1.ad.fvg.lnf.it -b OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it "(&(objectClass=user)(memberOf=CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it))" uid
dn: CN=amaronese,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
uid: amaronese

dn: CN=gaio,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
uid: gaio

works as expected. What am I missing?!


Thanks.

-- 
  And so I carry on and do not shed
  the clothes I am used to wearing            (F. Guccini)
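
Added example, not part of the original post: splitting the URLs from the `ldap_url_parse` errors positionally on `?`, following the RFC 4516 layout `ldap://host/dn?attributes?scope?filter?extensions`, shows which field each piece lands in (OpenLDAP's `ldap.h` defines URL error 8 as `LDAP_URL_ERR_BADSCOPE`). The function names are hypothetical, `urllib.parse.quote` stands in for `quote_ldap`, and the single-`?` URL is constructed by analogy with the first lookup in the post.

```python
from urllib.parse import quote, unquote

VALID_SCOPES = {"", "base", "one", "sub"}   # RFC 4516; empty means the default
FIELDS = ("attributes", "scope", "filter", "extensions")

def split_ldap_url(url):
    """Split an LDAP URL into its RFC 4516 fields, positionally on '?'."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    parts = tail.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' separators")
    parts += [""] * (5 - len(parts))          # trailing fields are optional
    fields = {"host": hostport, "dn": unquote(parts[0])}
    fields.update((n, unquote(v)) for n, v in zip(FIELDS, parts[1:]))
    return fields

def diagnose(url):
    """List the fields a strict URL parser would reject."""
    f = split_ldap_url(url)
    problems = []
    if f["scope"].lower() not in VALID_SCOPES:
        problems.append("bad scope %r" % f["scope"])
    flt = f["filter"]
    if flt and not (flt.startswith("(") and flt.endswith(")")):
        problems.append("bad filter %r" % flt)
    return problems

# Values taken from the post's error messages.
BASE = "OU%3DFVG%2CDC%3Dad%2CDC%3Dfvg%2CDC%3Dlnf%2CDC%3Dit"
GROUP_DN = "CN=sir,OU=Users,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"
FILTER = "(&(objectClass=user)(memberOf=%s))"

# The two failing forms: group DN unquoted, and percent-encoded.
FAILING = "ldap:///" + BASE + "??uid?sub?" + FILTER % GROUP_DN
QUOTED_FAILING = "ldap:///" + BASE + "??uid?sub?" + FILTER % quote(GROUP_DN, safe="")
# Constructed: one '?' before the attribute, as in the post's first lookup.
SINGLE_Q = "ldap:///" + BASE + "?uid?sub?" + FILTER % GROUP_DN

if __name__ == "__main__":
    for name, url in (("failing", FAILING), ("quoted", QUOTED_FAILING),
                      ("single-?", SINGLE_Q)):
        f = split_ldap_url(url)
        print(name, {k: f[k] for k in FIELDS}, diagnose(url))
```

Both failing forms put `uid` in the scope field and `sub` in the filter field, whether or not the group DN is percent-encoded.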