[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: lookups on multivalued field fails





--On Sunday, June 13, 2004 6:48 PM -0600 kevin@hcico.com wrote:

What are your ACL's?

oops, you did ask me for that... sorry:

access to dn=".*,dc=example,dc=com" attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth

access to dn=".*,dc=example,dc=com" attr=mail
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * read

access to dn=".*,ou=People,dc=example,dc=com"
        by * read

access to dn=".*,dc=example,dc=com"
        by self write
        by * read




This would still be useful information. :)

What is the schema definition of mailAlternateAddress?

attributetype ( 1.3.6.1.4.1.7006.1.2.1.4 NAME 'mailAlternateAddress' DESC 'Secondary (alias) mailaddresses for the same user' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


Hm, this doesn't match the qmail schema one I found, it had SUB as well as EQ.

In this case, sub is not an attribute that I would need. I did not take it out of the schema that I found, but have no reason to put it back in. The process for this field is: look up to see if the given address is stored in either the mail or mailAlternateAddress field and return the mailMessageStore to know where the maildirs are at. The local delivery agent now takes the email and stores it in ${mailMessageStore}/new. Therefore a partial match could be a disastereous thing. Someone long before me probably took it out because of that.

Imagine a spammer forcing a message to @example.com, all the hard work to
steal email addresses would be useless since everyone would match that
address... ouch!  Better to match only on the whole field and not the
substring.

Well, just because the schema has a rule for substring matching does not mean that you have to index it via sub. ;) That is entirely up to you. It just provides a method for doing so if you so choose.


One thing to consider doing, is to use run slapd with -d -1 and run your query that isn't working. I've often found that this will tell me a lot about what is happening (especially if the problem is ACL related).

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html