GROUP AUTH mapping table

The MTA&#x27;s group/list access control mechanisms allow for a wide variety of access and permission models. However, exploiting this flexibility often depends on being able to define what attributes and values appear in LDAP group entries. If the entries being processed cannot be modified, as for instance in the case of an externally controlled LDAP directory, it becomes necessary for the MTA to adopt a more flexible processing model in order to support different attribute syntaxes.

New in 7.0.5, the   mapping table and four new MTA options     ( =1-4) have been added to facilitate such processing. The MTA options are used to specify the names of up to four additional LDAP attributes to be fetched during alias expansion processing. When the  mapping is defined and at least one of the four attributes    is defined and appears on a group, then the    mapping  is probed during group authorization checks (before any other authorization checks are done). The probe format is: envelope-from&#x7c;group-address&#x7c;auth1&#x7c;auth2&#x7c;auth3&#x7c;auth4 Here the   fields are simply whatever values are associated with the    named LDAP attributes for this group. If multiple attributes or multiple attribute values appear, they will all be present in the probe field, separated by commas.

The  mapping can produce any of four possible outputs:



 indicates that the authorization check has passed. 

 indicates that the mapping result is a URL, which is then          checked in the same fashion as an   would be. 

 indicates that authorization has failed. 

 indicates that the mapping result is a URL, which is then          checked in the same fashion as an   would be. 



See also:
 * ldap_auth_mapping1 MTA Option
 * ldap_auth_mapping2 MTA Option
 * ldap_auth_mapping3 MTA Option
 * ldap_auth_mapping4 MTA Option
 * mapping_paranoia MTA Option
 * Restricting posting access to large lists
 * LDAP external directory lookup MTA options
 * ldap_auth_url MTA Option
 * ldap_cant_url MTA Option