0

I have two LDAP subtrees:

  • users
  • mailinglists

A user has (besides many other attributes) an attribute `emailForwardTo`, which contains the email addresses to which mailing lists should be forwarded for this user, and `forwardList`, containing a list of mailinglist `ou` attributes that should be forwarded.

Those fields need to be set in the user (first, the user config should be all in one place, and second, the user can edit only their own entry). But for my postfix alias lookup, I need to have a list of those alias addresses in the alias object's attribute `forwardTo`.

I remember that for groups, there is the `memberOf` virtual attribute that acts similarly. Is it possible to do the same for my case? (Edit: as stated in the comments, I now know this kind of attribute is called an overlay.)

Or would it be possible to do joins in LDAP queries?

Edit 2: As joins are probably impossible in LDAP, is it possible to write my own overlay that works like `memberOf` but on other attributes?

Tobi
  • No and no. You have to write it manually. – user207421 Nov 12 '17 at 02:39
  • What do you mean by `it`? Write the attribute into the database, or is it possible to write something like the `memberOf` logic on my own (the second one was the question)? – Tobi Nov 12 '17 at 02:41
  • I think he meant "Yes it is possible but you have to write it manually, and no." The `it` is an **[overlay](https://www.openldap.org/doc/admin24/overlays.html)**, you'll need to create your own custom overlay unless a core overlay (like `memberOf`) suits your needs. – EricLavault Nov 12 '17 at 11:15
  • No. I meant you will have to write the *join* manually, in code, which fetches the `emailForwardTo` attribute and then fetches the entry with that DN. I'm not suggesting people should start writing OpenLDAP overlays. @EricLavault – user207421 Nov 13 '17 at 00:22
  • @EJP Ah! It is not so obvious if you don't elaborate in the first place, because it is possible to create custom overlays while it's not possible to perform a join in LDAP, right? And why "should start.."? – EricLavault Nov 13 '17 at 00:39
  • @EricLavault It is the concept of expecting the OP to write an OpenLDAP overlay that is 'elaborate' here. The word 'overlay' does not appear in the question, and therefore there is no rational reason for my word 'it' to refer to writing such a thing. – user207421 Nov 13 '17 at 09:14
  • Everyone has their own reasoning, but IMHO this affirmation requires a great leap of logic. '_Custom memberOf like Attribute_' is mentioned in the question title and the OP describes a need to perform reverse group membership maintenance, therefore there is more than a rational reason for the _it_ to refer to a _memberOf like overlay_, especially since a join is not possible in LDAP. Had you bothered to elaborate on the 'no no', your exceptionally rational reasoning would have been properly understood. NB: _it_ actually refers to a workaround and this word doesn't appear in the question... @EJP – EricLavault Nov 13 '17 at 14:16
  • I think I'd rather implement a custom overlay than maintain my own version of the postfix LDAP plugin... – Tobi Nov 13 '17 at 23:44
  • @EricLavault 'It' referred to 'join', the object of the OP's last sentence, not to something that doesn't appear anywhere in his question. Don't over-interpret. If you want to answer this question yourself, do so: if you want to know what I mean, *ask* me. You don't need to run around SO posting guesswork about what other people may have meant. It adds no value. – user207421 Nov 14 '17 at 01:49
  • Exactly, nobody should have to guess what you meant. And what has no value is to throw out an assertion without explanation: '_No._', or to invent a hilarious theorem stating there is no rational reason to refer to an overlay because the word does not appear in the question. '_memberOf_' is mentioned 2 times in the question, and we both know an overlay provides it. Anyway, your '_it_' refers to what you want, stop arguing. Don't blame others for misinterpreting while they let the OP go forward with more than a '_no and no_'-like comment; be meaningful or abstain. And don't be so upset with overlays. @EJP – EricLavault Nov 14 '17 at 16:36

2 Answers

1

Is it possible to do the same for my case?

Yes.

It is possible to do the same if you implement the memberOf overlay (@see this post).

The memberof overlay updates the `memberOf` attribute by default, but of course you can override it and set `forwardTo` or whatever, as long as your need is to maintain a reverse group membership. The same applies to the membership attribute, which is `member` by default.

You cannot do a join in LDAP queries. And the suggestion of writing it, by which I mean the 'join', manually is absolute nonsense: either JOIN queries are supported or they are not.

EricLavault
-1

I remember that for groups, there is the memberOf virtual attribute that acts similarly. Is it possible to do the same for my case?

No.

Or would it be possible to do joins in ldap queries?

No. You would have to write it, by which I mean the 'join', manually.

EricLavault
user207421
  • Could you finally elaborate on the 1st _No_ ? – EricLavault Nov 14 '17 at 16:36
  • @EricLavault OK: No, it isn't possible. Short of writing your own overlay, that is, since you mentioned it. – user207421 Dec 01 '18 at 00:16
  • Mmmmh.. so it is possible right ? Haha thank you @user207421 aka @ EJP under cover, it was very useful, so much, again, and as usual. Still I really wonder what and why is this need to keep on acting as if a memberOf overlay had never existed prior to me mentioning it, but I hope one day you will be able to get over it. – EricLavault Dec 01 '18 at 07:41
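
The manual 'join' suggested in the second answer, as an added example that is not part of the original thread: it builds the per-list `forwardTo` values from user entries on the client side and escapes the list name before it goes into a search filter. Only the attribute names come from the question; the entries, DNs, addresses and function names are constructed for illustration.

```python
# Constructed sample entries, shaped like the result of a search under ou=users.
USERS = [
    {"dn": "uid=alice,ou=users,dc=example,dc=org",
     "emailForwardTo": ["alice@example.org", "alice@home.example"],
     "forwardList": ["staff", "ops"]},
    {"dn": "uid=bob,ou=users,dc=example,dc=org",
     "emailForwardTo": ["bob@example.org"],
     "forwardList": ["staff", "r&d (lab)*"]},
    {"dn": "uid=carol,ou=users,dc=example,dc=org",
     "emailForwardTo": [],            # subscribed, but no forwarding address set
     "forwardList": ["ops"]},
]

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-editable value before placing it in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def users_filter(list_ou: str) -> str:
    """Filter for users that forward the mailing list named `list_ou`."""
    return "(&(emailForwardTo=*)(forwardList=%s))" % escape_filter_value(list_ou)


def join_forward_to(users):
    """Client-side 'join': map each mailing list ou to its forwarding addresses.

    The result is what the question wants to see in each list's forwardTo
    attribute: the de-duplicated, sorted emailForwardTo values of every user
    whose forwardList names that list.
    """
    forward_to = {}
    for user in users:
        for list_ou in user.get("forwardList", []):
            forward_to.setdefault(list_ou, set()).update(user.get("emailForwardTo", []))
    return {list_ou: sorted(addrs) for list_ou, addrs in forward_to.items()}


if __name__ == "__main__":
    for list_ou, addrs in sorted(join_forward_to(USERS).items()):
        print(users_filter(list_ou), "->", addrs)
```

Because users can edit their own `forwardList`, its values are untrusted input wherever they are reused in a filter, which is why the list name is escaped rather than interpolated directly.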