Direct LDAP attribute name MTA options

By default, the MTA assumes a particular sort of LDAP schema; that is, the MTA assumes that certain named attributes (with certain sorts of meanings) are available and used in the LDAP directory to store the user and domain information. However, the exact attribute names that the MTA looks for (recognizes) are configurable via the various ,   ,  and    MTA options, listed  below. Thus a different (though semantically compatible) schema may be used by setting the ,  , and    MTA options to tell the MTA what named attributes to use (recognize).

Note that many of the attributes used (and hence the attribute name which the MTA by default expects to see used) are standardized; see for instance RFC 2798 (Definition of the inetOrgPerson LDAP Object Class). Other attributes are specific to the Sun schema; see the Sun Schema Reference Guide.

Note that prior to MS 6.3-0.15, each LDAP attribute could be used for only one (from the MTA's point of view) purpose. In particular, prior to MS 6.3-0.15, the MTA would not permit setting two of its LDAP attribute name options to the same underlying LDAP attribute. If a site wanted to use the "same" LDAP attribute for multiple purposes in the MTA, that previously would have to be achieved by creating a second LDAP attribute (named differently), and having its value be duplicated in LDAP. New in MS 6.3-0.15, this restriction has been relaxed, so that two MTA purposes (options) can use the same underlying LDAP attribute; for instance, one can now set, say,   and    to both point to (use/name) the same underlying LDAP attribute, e.g.,.

Note that throughout this discussion and other MTA discussions, for convenience often LDAP attributes will be referred to merely by name. But in general, any such MTA reference to a specific attribute name really ought to be a reference to the attribute named by the corresponding MTA option. For instance, any use by the MTA of the   attribute is really a use of the attribute named by the    MTA option.

However, the general authentication libraries in Messaging Server (sometimes referred to as SASL libraries, or HULA) used for authentication (both by the MTA when performing SMTP AUTH authentication, and by the Message Store when performing login to a user mailbox) do not permit the same degree of "renaming" of attributes. As the authentication infrastructure uses LDAP simple bind for traditional password authentication, if the LDAP directory itself is configured to look at an attribute other than the usual  for LDAP simple bind, that should just work. However, in order to support CRAM-MD5/APOP, the  attribute must be used and it must contain the clear-text password. The authentication infrastructure also has a hard dependence on various user attributes including,  ,   , and   (among others). (Note that the MMP and its proxy servers can be configured to use a different LDAP attribute in place of  via their   option; the IMAP, POP, and MSHTTP servers, however, always use  .)

And of particular relevance when configuring and considering MTA operation, another attribute which is not renameable (prior to the 8.0 release) via an MTA option is the    user attribute. (This is because the MTA itself makes no explicit use of this attribute. Instead, authentication library code explicitly fetches the   attribute's value, and then uses that value to tell the MTA what source channel to set.) But as of 8.0, some renaming/specification of the attributes returned with successful authentication is possible; in particular, see the   MTA option which specifies the name of the LDAP attribute whose value the authentication library should fetch (in place of the default   attribute's value). Also new in 8.0, the authentication library may be directed to fetch back values of LDAP attributes other than the default  and   via the   and    MTA options, respectively. See Direct LDAP attributes returned upon authentication MTA options.

The schema sets restrictions (via an ACI) on which attributes an end user is allowed to modify, even in his or her "own" entry. Reassigning the MTA's interpretation of LDAP attributes via MTA options does not, itself, affect such LDAP schema restrictions; so when reassigning end-user-modifiable LDAP attributes, be sure to also update your schema ACIs correspondingly.
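One way to check a set of reassigned attribute names against the directory's self-write ACIs, and to list attributes that two options share. This is an added example, not code from the product or its documentation. It assumes option settings are available as name=value lines, uses constructed `ex...` attribute names, a constructed ACI and a hypothetical `INTENDED` set, and does not model deny rules or target filters.

```python
import re
# Constructed sample: option settings as name=value lines (assumed input format).
SAMPLE_OPTIONS = """\
ldap_forwarding_address=exForwardTo
ldap_autoreply_text=exVacationText
ldap_spare_1=exVacationText
ldap_source_channel=exSubmitChannel
ldap_disk_quota=exQuota
"""
# Constructed self-write ACI in exclusion-list form (targetattr != "...").
SAMPLE_ACIS = ['(targetattr != "exQuota || userPassword")(version 3.0; '
               'acl "constructed self-write"; allow (write) userdn = "ldap:///self";)']
# Hypothetical: the options this site means end users to control.
INTENDED = {"ldap_forwarding_address", "ldap_autoreply_text"}

def parse_options(text):
    """Map each ldap_* option to the lower-cased attribute name it points at."""
    opts = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower().startswith("ldap_"):
            opts[name.strip().lower()] = value.strip().lower()
    return opts

def shared_attributes(opts):
    """Attributes named by more than one option (permitted from MS 6.3-0.15)."""
    by_attr = {}
    for opt, attr in opts.items():
        by_attr.setdefault(attr, []).append(opt)
    return {a: sorted(o) for a, o in by_attr.items() if len(o) > 1}

def self_writable(attr, acis):
    """True if some allow-write ACI for ldap:///self covers attr."""
    for aci in acis:
        rights = re.search(r'allow\s*\([^)]*\b(write|all)\b[^)]*\)', aci, re.I)
        target = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci, re.I)
        is_self = re.search(r'userdn\s*=\s*"ldap:///self"', aci, re.I)
        if not (rights and target and is_self):
            continue
        listed = {a.strip().lower() for a in target.group(2).split("||")}
        hit = "*" in listed or attr in listed
        # "=" grants the listed attributes; "!=" grants everything except them.
        if hit == (target.group(1) == "="):
            return True
    return False

def unexpected_writable(opts, acis, intended):
    """Options outside `intended` whose attribute the entry's owner can write."""
    return sorted((o, a) for o, a in opts.items() if o not in intended and self_writable(a, acis))
```

With an exclusion-list ACI like the constructed one, any newly named attribute is user-writable until it is added to the exclusion list, which is why `ldap_source_channel` and `ldap_spare_1` are reported for the sample input.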

Technical note: In the table below, the user/group attributes are listed in roughly the order in which they are processed by the MTA (though there have been some changes in various versions, and there are some subtleties not captured in the order shown). While this order does not matter for most purposes, on occasion it can be helpful to consider this order as an aid to understanding certain interactions and precedence between attributes. 

+ User-modifiable LDAP attribute.

++ Domain map code has the specified default, not the MTA proper

+++ While the MTA in principle allows this attribute on group/mailing list entries, the typical configuration of the   MTA option disables this support; plus, the Sun schema does not, as distributed, allow this attribute on group/mailing list entries. See the   MTA option for some discussion regarding enabling use of this attribute on group/mailing list entries.

See also:
 * ldap_objectclass MTA Option
 * ldap_user_status MTA Option
 * ldap_user_mail_status MTA Option
 * ldap_group_status MTA Option
 * ldap_group_mail_status MTA Option
 * ldap_permid Option
 * ldap_extid Option
 * ldap_uid MTA Option
 * ldap_mlsrange MTA Option
 * ldap_capture MTA Option
 * ldap_recipientlimit MTA Option
 * ldap_recipientcutoff MTA Option
 * ldap_sourceblocklimit MTA Option
 * ldap_source_channel MTA Option
 * ldap_source_optin1 MTA Option
 * ldap_source_optin2 MTA Option
 * ldap_source_optin3 MTA Option
 * ldap_source_optin4 MTA Option
 * ldap_source_optin5 MTA Option
 * ldap_source_optin6 MTA Option
 * ldap_source_optin7 MTA Option
 * ldap_source_optin8 MTA Option
 * ldap_preferred_language MTA Option
 * ldap_preferred_country MTA Option
 * ldap_nosolicit MTA Option
 * ldap_routing_address MTA Option
 * ldap_delivery_option MTA Option
 * ldap_personal_name MTA Option
 * ldap_source_conversion_tag MTA Option
 * ldap_sender_sieve MTA Option
 * ldap_primary_address MTA Option
 * ldap_alias_addresses MTA Option
 * ldap_equivalence_addresses MTA Option
 * ldap_optin1 MTA Option
 * ldap_optin2 MTA Option
 * ldap_optin3 MTA Option
 * ldap_optin4 MTA Option
 * ldap_optin5 MTA Option
 * ldap_optin6 MTA Option
 * ldap_optin7 MTA Option
 * ldap_optin8 MTA Option
 * ldap_optout1 MTA Option
 * ldap_optout2 MTA Option
 * ldap_optout3 MTA Option
 * ldap_optout4 MTA Option
 * ldap_optout5 MTA Option
 * ldap_optout6 MTA Option
 * ldap_optout7 MTA Option
 * ldap_optout8 MTA Option
 * ldap_presence MTA Option
 * ldap_autosecretary MTA Option
 * ldap_alternate_recipient MTA Option
 * ldap_start_date MTA Option
 * ldap_end_date MTA Option
 * ldap_conversion_tag MTA Option
 * ldap_detourhost_optin MTA Option
 * ldap_blocklimit MTA Option
 * ldap_mailhost MTA Option
 * ldap_disk_quota MTA Option
 * ldap_message_quota MTA Option
 * ldap_program_info MTA Option
 * ldap_delivery_file MTA Option
 * ldap_spare_1 MTA Option
 * ldap_spare_2 MTA Option
 * ldap_spare_3 MTA Option
 * ldap_spare_4 MTA Option
 * ldap_spare_5 MTA Option
 * ldap_spare_6 MTA Option
 * ldap_spare_7 MTA Option
 * ldap_spare_8 MTA Option
 * ldap_spare_9 MTA Option
 * ldap_spare_10 MTA Option
 * ldap_spare_11 MTA Option
 * ldap_spare_12 MTA Option
 * ldap_spare_13 MTA Option
 * ldap_spare_14 MTA Option
 * ldap_spare_15 MTA Option
 * ldap_spare_16 MTA Option
 * ldap_spare_17 MTA Option
 * ldap_spare_18 MTA Option
 * ldap_autoreply_mode MTA Option
 * ldap_autoreply_subject MTA Option
 * ldap_autoreply_text MTA Option
 * ldap_autoreply_text_internal MTA Option
 * ldap_autoreply_addresses MTA Option
 * ldap_autoreply_timeout MTA Option
 * ldap_filter MTA Option
 * ldap_parental_controls MTA Option
 * ldap_filter_reference MTA Option
 * ldap_forwarding_address MTA Option
 * ldap_reprocess MTA Option
 * ldap_jettison_domain MTA Option
 * ldap_jettison_url MTA Option
 * ldap_list_id MTA Option
 * ldap_reject_action MTA Option
 * ldap_reject_text MTA Option
 * ldap_auth_policy MTA Option
 * ldap_cant_url MTA Option
 * ldap_auth_url MTA Option
 * ldap_cant_domain MTA Option
 * ldap_auth_domain MTA Option
 * ldap_maximum_message_size MTA Option
 * ldap_maximum_messages_per_day MTA Option
 * ldap_auth_password MTA Option
 * ldap_moderator_url MTA Option
 * ldap_group_last_access_time MTA Option
 * ldap_group_url1 MTA Option
 * ldap_group_url2 MTA Option
 * ldap_group_dn MTA Option
 * ldap_group_dn2 MTA Option
 * ldap_group_rfc822 MTA Option
 * ldap_url_result_mapping MTA Option
 * ldap_errors_to MTA Option
 * ldap_delay_notifications MTA Option
 * ldap_digest_interval MTA Option
 * ldap_add_header MTA Option
 * ldap_remove_header MTA Option
 * ldap_add_tag MTA Option
 * ldap_prefix_text MTA Option
 * ldap_suffix_text MTA Option
 * ldap_expandable MTA Option
 * ldap_auth_mapping1 MTA Option
 * ldap_auth_mapping2 MTA Option
 * ldap_auth_mapping3 MTA Option
 * ldap_auth_mapping4 MTA Option
 * ldap_check_header MTA Option
 * ldap_hoh_filter MTA Option
 * ldap_hoh_owner MTA Option
 * ldap_auth_attr_mail_host MTA Option
 * ldap_auth_attr_sender MTA Option
 * ldap_auth_attr_submit_channel MTA Option
 * ldap_attr_domain1_schema2 MTA Option
 * ldap_attr_domain2_schema2 MTA Option
 * ldap_attr_domain_search_filter MTA Option
 * ldap_domain_attr_basedn Option
 * ldap_domain_attr_alias Option
 * ldap_domain_attr_uplevel MTA Option
 * ldap_domain_attr_mailserv MTA Option
 * ldap_domain_attr_canonical MTA Option
 * ldap_domain_attr_uid_separator Option
 * ldap_domain_attr_subaddress MTA Option
 * ldap_domain_attr_routing_hosts MTA Option
 * ldap_domain_attr_smarthost MTA Option
 * ldap_domain_attr_status Option
 * ldap_domain_attr_mail_status Option
 * ldap_domain_attr_blocklimit MTA Option
 * ldap_domain_attr_conversion_tag MTA Option
 * ldap_domain_attr_source_conversion_tag MTA Option
 * ldap_domain_attr_optin1 MTA Option
 * ldap_domain_attr_optin2 MTA Option
 * ldap_domain_attr_optin3 MTA Option
 * ldap_domain_attr_optin4 MTA Option
 * ldap_domain_attr_optin5 MTA Option
 * ldap_domain_attr_optin6 MTA Option
 * ldap_domain_attr_optin7 MTA Option
 * ldap_domain_attr_optin8 MTA Option
 * ldap_domain_attr_presence MTA Option
 * ldap_domain_attr_autosecretary MTA Option
 * ldap_domain_attr_nosolicit MTA Option
 * ldap_domain_attr_autoreply_timeout MTA Option
 * ldap_domain_attr_default_mailhost MTA Option
 * ldap_domain_attr_disk_quota MTA Option
 * ldap_domain_attr_message_quota MTA Option
 * ldap_domain_attr_filter MTA Option
 * ldap_domain_attr_sender_sieve MTA Option
 * ldap_domain_attr_capture MTA Option
 * ldap_domain_attr_report_address MTA Option
 * ldap_domain_attr_catchall_address MTA Option
 * ldap_domain_attr_catchall_mapping MTA Option
 * ldap_domain_attr_sourceblocklimit MTA Option
 * ldap_domain_attr_source_channel MTA Option
 * ldap_domain_attr_prefix_text MTA Option
 * ldap_domain_attr_suffix_text MTA Option
 * ldap_domain_attr_recipientlimit MTA Option
 * ldap_domain_attr_recipientcutoff MTA Option
 * ldap_domain_attr_detourhostoptin MTA Option
 * ldap_creation_date MTA Option
 * ldap_domain_attr_creation_date MTA Option
 * Access controls on LDAP attributes
 * Direct LDAP attributes returned upon authentication MTA options
 * MTA options
 * Direct LDAP MTA options
 * MTA URL types