Overview of Direct LDAP configuration

A normal Direct LDAP configuration, as typically used at most sites nowadays, consists of provisioning local domain definitions and local user entries in LDAP, plus optionally provisioning mail group and mailing list entries in LDAP, and then configuring the MTA to consult LDAP to find and use those domain and user (and group and mailing list) definitions.

Once domains and users (and optionally mail groups and mailing lists) are provisioned in LDAP, then configuring the MTA to make use of this information has five main steps:



Inform the MTA where the LDAP directory resides. In legacy configuration, the MTA consults the   and   configutil parameters (which may be overridden specifically for the MTA's purposes by the MTA options   and  , respectively); in Unified Configuration, the MTA consults the base options   and   (which similarly may be overridden for MTA purposes by the MTA options   and  ). Various other configuration settings can further adjust aspects of the MTA's connections and consultations of LDAP, for instance, those discussed in LDAP bind and connect MTA options.



Configure the MTA to consult LDAP to determine which domains are "local", that is, which domains are hosted by this site. This is achieved by a special rewrite rule, which in legacy configuration appears as:

    $*  $A$E$F$U%$H$V$H@official-host-name-of-l-channel

or in Unified Configuration:

    msconfig> show rewrite.rule * $*
    role.rewrite.rule = $* $A$E$F$U%$H$V$H@&/IMTA_HOST/

This rewrite rule uses the match-all match-first template (so that it matches all domains and will be consulted before all other rewrite rules---see Initial match-all rule), but with   in the template so that it applies only to envelope To addresses (see Address direction and location-specific rewrites), then uses a pattern that uses   to look up the currently-being-rewritten-envelope-to domain in LDAP (see Domain LDAP lookup rewrites) to determine whether the domain is a "local" domain.



 If the domain is not "local" (is not found in     LDAP), then the rewrite fails, and the envelope To address is routed      per the rest of the rewrite rules. 

 If the domain is "local" (is found in LDAP) but the     domain is provisioned for override routing, as with the        LDAP attribute (or more precisely      whatever LDAP attribute is named by the          MTA option), then the envelope To address is converted to a form using      source-routing to the routing host, and then routed per the rest of the      rewrite rules (typically out a     channel). 

 If the domain is "local" (found in LDAP) and has no     override routing provisioned, then this rewrite rule forces this      envelope To address to "match" the local channel. Such     forcing of the recipient address to match-the-local-channel then sets      the stage for step 3...     





 Configure the MTA to consult LDAP to find "local" recipient   addresses.   Recipient (envelope To) addresses matching the local channel are    looked up in LDAP via the    MTA option template to    determine    whether the recipient address corresponds to a valid "local"    user (or group or mailing list). 

Configure the interpretation of routing and delivery settings. When a recipient (envelope To) address (user, group, or mailing list) is found in LDAP (step 3), then the MTA checks whether or not this MTA system should apply the recipient's   values (more precisely, the values of the LDAP attribute named by the   MTA option), with interpretation of such values performed as defined via the MTA's   option.

If the recipient address has a   (MTA option  ) value set which does not match "this" host (as determined by comparing with the   and   MTA options' values) and at least some of the recipient address's   clauses are "mailhost-sensitive", or if the source channel was configured with   or  , then the address is converted to a source-routed form which explicitly routes to the   or   system.

If the recipient address has a   value matching "this" host (as determined by comparing with the   and   MTA options' value), or has no   attribute at all (common for groups and lists), or has   clauses which are all "mailhost-independent", then its   value(s) (more precisely, the values of whatever LDAP attribute is named by the   MTA option) will be interpreted as specified by the   MTA option, and any appropriate address changes or forwarding will be applied. For instance, a recipient address that is found to correspond to a local user LDAP entry with a   value of   will be converted to the proper local mailbox address as defined by  ; and a recipient address that is found to have a   value of   will (in accordance with  ) be converted to any specified   value(s) (more precisely, be converted to values of the LDAP attribute named by the   MTA option).


Configure canonicalization of all non-envelope-To occurrences of "local" addresses. All non-envelope-To addresses (all addresses which didn't meet the   criteria of the rewrite rule in step (2)) are looked up in LDAP via the   MTA option template to determine whether (and if so, how) the address should be "reversed" (canonicalized) to some preferred form.
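The five steps above, modelled as an added Python illustration that is not Messaging Server code: an in-memory dictionary stands in for the LDAP directory, and the functions reproduce only the decision structure the steps describe (domain lookup and override routing, local-channel recipient lookup, the mailhost comparison against the ldap_local_host and ldap_host_alias_list values, aliasdetourhost on the source channel, delivery-option interpretation, and address reversal). The LDAP attribute names used (mailRoutingHosts, mailHost, mailDeliveryOption, mailForwardingAddress, mailAlternateAddress), the sample domains and users, and the choice of which delivery options count as "mailhost-sensitive" are all assumptions made for the example, not values taken from this page.

```python
"""Added model of the Direct LDAP routing decisions (steps 2 to 5).

Not Messaging Server code: dictionaries replace the directory, and attribute
names are assumed defaults for the corresponding ldap_* MTA options.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (assumed attribute names).
DOMAINS = {
    "example.com": {},
    "branch.example.com": {"mailRoutingHosts": ["mx.branch.example.com"]},
}
USERS = {
    "alice@example.com": {"mailHost": "mail1.example.com",
                          "mailDeliveryOption": ["mailbox"],
                          "mailAlternateAddress": ["a.smith@example.com"]},
    "bob@example.com": {"mailHost": "mail2.example.com",
                        "mailDeliveryOption": ["mailbox"]},
    # A group: no mailHost, so any MTA host may expand it.
    "staff@example.com": {"mailDeliveryOption": ["forward"],
                          "mailForwardingAddress": ["alice@example.com",
                                                    "bob@example.com"]},
}

# Assumption for the model: "mailbox" delivery must happen on the host that
# holds the store (mailhost-sensitive); "forward" can be expanded anywhere.
MAILHOST_SENSITIVE = {"mailbox"}


@dataclass
class MtaHost:
    """The identity this MTA compares a recipient's mailHost against."""
    local_host: str                             # models ldap_local_host
    host_aliases: frozenset = frozenset()       # models ldap_host_alias_list
    detour_host: Optional[str] = None           # models aliasdetourhost

    def is_this_host(self, name):
        return name is not None and (name == self.local_host
                                     or name in self.host_aliases)


def route_envelope_to(address, mta):
    """Return (action, detail) for an envelope To address (steps 2 to 4)."""
    address = address.lower()
    domain = address.rpartition("@")[2]

    # Step 2: the match-all envelope-To rewrite rule looks the domain up.
    entry = DOMAINS.get(domain)
    if entry is None:
        return ("not_local", domain)      # rule fails; other rules decide
    routing = entry.get("mailRoutingHosts")
    if routing:
        # Override routing: source-route to the routing host.
        return ("source_route", f"@{routing[0]}:{address}")

    # Step 3: the address matched the local channel; look the recipient up.
    recipient = USERS.get(address)
    if recipient is None:
        return ("unknown_local_user", address)

    # Step 4: may this host apply the recipient's delivery options?
    options = recipient.get("mailDeliveryOption", [])
    mailhost = recipient.get("mailHost")
    sensitive = any(opt in MAILHOST_SENSITIVE for opt in options)
    if mta.detour_host:
        return ("source_route", f"@{mta.detour_host}:{address}")
    if mailhost and not mta.is_this_host(mailhost) and sensitive:
        return ("source_route", f"@{mailhost}:{address}")
    if "forward" in options:
        return ("forward", list(recipient.get("mailForwardingAddress", [])))
    if "mailbox" in options:
        # The real MTA rewrites this to the store address defined by the
        # delivery_options "mailbox" clause; the model only reports it.
        return ("mailbox", address)
    return ("no_delivery_option", address)


def canonicalize(address):
    """Step 5: preferred form of a non-envelope-To address, if local."""
    address = address.lower()
    for primary, entry in USERS.items():
        if address == primary or address in entry.get("mailAlternateAddress", []):
            return primary
    return address                        # not a local user: unchanged


if __name__ == "__main__":
    mta = MtaHost("mail1.example.com")
    for addr in ("carol@other.org", "x@branch.example.com",
                 "alice@example.com", "bob@example.com", "staff@example.com"):
        print(addr, "->", route_envelope_to(addr, mta))
    print("a.smith@example.com reverses to", canonicalize("a.smith@example.com"))
```

Running the block on the sample data shows the four outcomes the steps distinguish: a non-local domain falls through to the other rewrite rules, a domain with override routing is source-routed before any user lookup happens, a user whose mailHost is another system is source-routed there, and a user or group this host may serve has its delivery options applied in place.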


A great many refinements, adjustments, and further optional processing can be configured for the MTA---see especially the various LDAP  attribute semantics supported by the MTA listed in  Direct LDAP attribute name MTA options  as some modify address handling, as well as further MTA options discussed in  Direct LDAP attribute interpretation MTA options,  Direct LDAP usergroup lookup MTA options,  and  Direct LDAP domain lookup MTA options---so the above  steps provide merely a somewhat over-simplified description of the  major components of Direct LDAP configuration. Note that combinations of Direct LDAP address handling and more traditional MTA  aliasing (via alias file,  alias database, or Unified Configuration  alias options) are also possible.

See also:
 * test -domain_map utility
 * Aliases in LDAP
 * Mailing list addresses
 * LDAP lookups for address reversal
 * Direct LDAP MTA options
 * ugldaphost Option
 * ugldapport Option
 * ldap_host MTA Option
 * ldap_port MTA Option
 * LDAP bind and connect MTA options
 * Initial match-all rule
 * Address direction and location-specific rewrites
 * ldap_domain_attr_routing_hosts MTA Option
 * Typical TCPIP channels and servers
 * alias_url0 MTA Option
 * delivery_options MTA Option
 * reverse_url MTA Option
 * ldap_delivery_option MTA Option
 * ldap_mailhost MTA Option
 * ldap_local_host MTA Option
 * ldap_host_alias_list Option
 * aliasdetourhost Option
 * ldap_forwarding_address MTA Option
 * Direct LDAP attribute name MTA options
 * Direct LDAP attribute interpretation MTA options
 * Direct LDAP usergroup lookup MTA options
 * Direct LDAP domain lookup MTA options
 * Aliases