Indirect or alternate criteria for list membership

As discussed in Defining membership of large lists, the MTA's normal interpretation of the    LDAP attribute (more precisely, the attribute  named by the   MTA option)  involves expanding the value of the    attribute via the URL template set by the    MTA option,  which by default is  ldap:///$A??sub?(mail=*) (meaning that the   substitution  inserts the    value), so that by default,   values are  interpreted as specifying a DN location in the DIT: all e-mail  addresses under that location are considered to have been specified (be  members).

This sort of indirect, additional-step, expansion of an LDAP attribute value turns out to be potentially useful for alternate approaches for  membership definition. In order not to interfere with the "normal" handling of   DN values for  list membership, in Messaging Server 7.0.5   the MTA option    and the  mapping table   were introduced. can be used to specify the name of an LDAP attribute which will then be  processed similarly to the     attribute---in particular, by default values of the LDAP attribute named  by   are expanded via the    URL template  just like   values. But the real usefulness of   tends to be when its use is combined with use of the    mapping table.

The  mapping table  provides a way to specify different  URL expansion templates for differently named LDAP attributes (such as  different templates for the attribute named by    vs. the  attributes named by  ), or  even for different values of such LDAP  attributes. When a  mapping table exists, it will be  probed each time a group has an LDAP attribute named by either of the    or   MTA options. The probe form is:

    object-classes|attribute-name|attribute-value

where  is a plus-separated list of  the object classes associated with the current LDAP entry, (see the     MTA option),   is the  name of the group "DN" attribute being expanded  (i.e., the LDAP attribute name specified for either    or  ), and    is that attribute's current value.

If the mapping sets the  output flag, then the mapping  output string will be used as the template for this attribute's  expansion in place of using the value of    as the  template. If the mapping sets the  output flag, then the  attribute will be silently ignored.

So now that the facilities have been explained, how could they actually be used? Well, one sort of usage might be where groups/lists are defined not so much by the group/list entry pointing to (that is,  listing) the members, but rather where each user entry specifies the  groups/lists of which the user is a member, referring to some  group/list ID. For instance, suppose group/list entries have an LDAP attribute   whose value is some string unique to that  group/list. Then suppose further that user entries mark which groups/lists the user belongs to by having a    attribute that contains a valid   value. Defining group/list membership in this new way, while still allowing  "traditional"   membership  definitions, can be achieved by configuring the MTA with an option:

    msconfig> set mta.ldap_groupdn listID

and mapping table:

    GROUP_TEMPLATES

    ! Normal use of ldap_group_dn attribute uniqueMember
      *|uniqueMember|*   $Yldap:///$$A?mail?sub?(mail=*)
    ! Find users who have a memberOf attribute set to the value of the group's
    ! listID attribute
      *|listID|*         $Yldap:///$$B??sub?(memberOf=$$A)

where here note  is the  substitution sequence meaning to  substitute in the base of the user/group portion of the DIT (the     MTA option's value), and where the    "Address" substitution means, in this context, the value of  the currently used LDAP attribute (so the value of, respectively, the    or   attribute in the  respective mapping table entries matching those attribute names).

Then to make use of this type of group/list definition, provision groups and  users in the directory along the lines of:

    group1-entry
    listID: group123
    ...

    group2-entry
    listID: groupXYZ
    ...

    user1-entry
    memberOf: group123
    memberOf: groupXYZ
    ...
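The probe and template expansion described above can be traced with a small model. This is an added example, not Oracle's code or the MTA's implementation: it assumes "$$" in a mapping result yields a literal "$", uses a constructed base DN (USER_BASE) for the $B substitution, and applies RFC 4515 escaping to values placed in the search filter as a precaution of this model, since the page does not say how the MTA treats filter metacharacters in attribute values.

```python
import re
from fnmatch import fnmatchcase

# The two GROUP_TEMPLATES entries from this page, as (probe pattern, result).
GROUP_TEMPLATES = [
    ("*|uniqueMember|*", "$Yldap:///$$A?mail?sub?(mail=*)"),
    ("*|listID|*", "$Yldap:///$$B??sub?(memberOf=$$A)"),
]
USER_BASE = "o=usergroup"  # constructed stand-in for the base DN that $B inserts


def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters (a precaution added in this model)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def substitute(text, values):
    """Replace $A / $B in one URL component with the supplied values."""
    return re.sub(r"\$([AB])", lambda m: values[m.group(1)], text)


def expand(object_classes, attr_name, attr_value):
    """Return the LDAP URL for one group attribute value, or None if unmatched."""
    # Probe form: object-classes|attribute-name|attribute-value
    probe = "|".join(["+".join(object_classes), attr_name, attr_value])
    for pattern, result in GROUP_TEMPLATES:
        if not fnmatchcase(probe, pattern):
            continue
        if not result.startswith("$Y"):
            return None  # no template supplied by this entry
        # Assumption: "$$" in the mapping result becomes a literal "$".
        template = result[2:].replace("$$", "$")
        # LDAP URL components: base DN, attributes, scope, filter.
        parts = template.split("?")
        parts[0] = substitute(parts[0], {"A": attr_value, "B": USER_BASE})
        parts[3] = substitute(
            parts[3], {"A": escape_filter_value(attr_value), "B": USER_BASE}
        )
        return "?".join(parts)
    return None


if __name__ == "__main__":
    # Constructed sample values following the provisioning sketch above.
    print(expand(["groupOfUniqueNames"], "listID", "group123"))
    print(expand(["groupOfUniqueNames"], "uniqueMember", "ou=staff,o=usergroup"))
    print(expand(["groupOfUniqueNames"], "listID", "eng(west)*"))
```

Because the listID value ends up inside a search filter, it is worth restricting listID values at provisioning time to a character set that needs no escaping.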

See also:
 * ldap_group_dn MTA Option
 * group_dn_template MTA Option
 * LDAP URL substitution sequences
 * ldap_group_dn2 MTA Option
 * GROUP_TEMPLATES mapping table
 * ldap_group_object_classes MTA Option
 * ldap_user_root MTA Option
 * Constructing list member addresses
 * Defining membership of large lists