
Re: [sympa-users] include_ldap_2level_query and Active Directory groups.

  • From: "Stefan Hornburg (Racke)" <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] include_ldap_2level_query and Active Directory groups.
  • Date: Mon, 11 Jan 2021 14:05:07 +0100

On 1/11/21 1:37 PM, David Carter wrote:
> The following:
>
>   https://sympa-community.github.io/manual/customize/data-sources.html
>
> documents a way of using a Microsoft Active Directory LDAP server as a data
> source, thanks to Steve Shipway.
>
> This works nicely, but is rather inefficient as you have to run a separate
> LDAP query for each member of the list in order to convert each member DN
> into an email address. I'm not sure what happens if you try to construct an
> "all-staff" or "all-students" list in this way.
>
> A bit of trial and error reveals that an ldapsearch query of the following
> form works in a single pass:
>
> ldapsearch -H ldaps://ldaps.blue.cam.ac.uk \
>   -x -D address@concealed -W -b dc=blue,dc=cam,dc=ac,dc=uk \
>   "(&(objectClass=person)(memberOf=CN=UIS-Hermes.Migration-access,OU=Groups,OU=UIS,OU=Inst,DC=blue,DC=cam,DC=ac,DC=uk))" \
>   -s sub mail
> Enter LDAP Password:
> ...
> mail: address@concealed
> ...
>
> However you need to know the full DN of the Active Directory group in order
> for this to work.
>
> I can also convert an AD groupname (CN=UIS-Hermes.Migration-access) into a
> full LDAP DN using a single LDAP query:
>
> ldapsearch -x -W -H ldaps://blue.cam.ac.uk \
>   -D address@concealed -b DC=blue,DC=cam,DC=ac,DC=uk \
>   "(&(CN=UIS-Hermes.Migration-access)(objectClass=group))" DN
> Enter LDAP Password:
> ...
> dn: CN=UIS-Hermes.Migration-access,OU=Groups,OU=UIS,OU=Inst,DC=blue,DC=cam,DC=ac.uk
> ...
>
> (my AD admins tell me that the CN part is guaranteed to be unique, at least
> in our environment.)
>
> However I don't seem to be able to turn this into an include_ldap_2level_query
> in order to convert a simple group name of the form "UIS-Hermes.Migration-access"
> into a list of email addresses. I don't suppose anyone else has had any luck
> achieving this?
>
> We can obviously use the full DNs of the group in a single-level
> include_ldap_query; they are just rather verbose and unwieldy.
>

Does a group in AD correspond to a mailing list in Sympa?

Regards
Racke

> Thanks,
> David
>


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
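The two-step lookup in David's message (group CN to DN, then memberOf to mail), as an added Python example that is neither from this thread nor part of Sympa: it builds both filters with RFC 4515 escaping so a group name or DN containing `(`, `)`, `*` or `\` cannot break or widen the query, and assembles the ldapsearch argv as a list rather than a shell string; the bind account is a hypothetical placeholder.

```python
import shlex

# RFC 4515 escapes for values embedded in an LDAP filter. Without them a group
# name such as "Staff (All)" yields a malformed filter, and "*" becomes a wildcard.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_dn_filter(group_cn: str) -> str:
    """Step 1 from the thread: locate the group object by its (unique) CN."""
    return f"(&(objectClass=group)(CN={escape_filter_value(group_cn)}))"


def member_mail_filter(group_dn: str) -> str:
    """Step 2 from the thread: every person whose memberOf holds that DN."""
    return f"(&(objectClass=person)(memberOf={escape_filter_value(group_dn)}))"


def ldapsearch_argv(uri: str, bind_dn: str, base: str, filt: str, *attrs: str) -> list:
    """argv for ldapsearch in the shape used in the thread (-x simple bind,
    -W password prompt, -s sub). A list can go straight to subprocess.run(),
    so the filter needs no second layer of shell quoting."""
    return ["ldapsearch", "-x", "-W", "-H", uri, "-D", bind_dn, "-b", base,
            "-s", "sub", filt, *attrs]


def main():
    # Constructed inputs: the base DN and group CN quoted in the thread;
    # the bind account is a hypothetical placeholder, not a real one.
    uri = "ldaps://ldaps.blue.cam.ac.uk"
    bind = "sympa-reader@example.invalid"
    base = "DC=blue,DC=cam,DC=ac,DC=uk"
    cn = "UIS-Hermes.Migration-access"
    step1 = ldapsearch_argv(uri, bind, base, group_dn_filter(cn), "dn")
    print(shlex.join(step1))
    # The DN returned by step 1 (written here as the thread reports it) is
    # escaped before being interpolated into the step 2 filter.
    dn = f"CN={cn},OU=Groups,OU=UIS,OU=Inst,{base}"
    step2 = ldapsearch_argv(uri, bind, base, member_mail_filter(dn), "mail")
    print(shlex.join(step2))


if __name__ == "__main__":
    main()
```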

