Aliases in LDAP

If at least one of the , , , or MTA options is specified, then for each address matching the local channel (or any channel marked ) the MTA will automatically perform the LDAP query specified by the option(s). (If more than one such option is specified, then queries are normally performed in order beginning with and ending with ; but see the MTA option and channel option.)

The LDAP server to query, as well as other basic LDAP query parameters, are controlled by certain MTA options and/or configutil parameters (legacy configuration) or Unified Configuration base options and PAB options; see Table of Basic configuration settings relevant to alias LDAP lookups. The MTA options, if explicitly set, take precedence for MTA lookup purposes over (override) their corresponding configutil parameters (legacy configuration) or base options and PAB options (Unified Configuration).

Note that the MTA's SMTP AUTH user authentication lookups are done using general SASL library code, also used for IMAP, POP, or MSHTTP user logins (authentication). The SASL code does not use the MTA-specific options, but rather uses the configutil parameters or Unified Configuration options.

+The base option (Unified Configuration) or parameter (legacy configuration) is a global default for all searches done through the LDAP pool API, including those done by the MTA.

++The MTA option defaults to the value of the base option, which in turn defaults, if not set, to the loopback interface.

Compare this Table of Basic configuration settings relevant to alias LDAP lookups with Basic configuration settings relevant to domain LDAP lookups.

For the , , , or MTA options, standard LDAP URLs as per RFC 2255 must be used, with the following exception and special interpretations:

 * The LDAP server and port are typically omitted, and are instead specified via MTA options or parameters (legacy configuration) or base options (Unified Configuration), as shown above in Table of Basic LDAP settings relevant to alias lookups. Indeed, prior to Messaging Server 7.0u4, the host and port had to be omitted; as of Messaging Server 7.0u4, specifying the host and port in the URL itself is supported.
 * The MTA makes a distinction between a completely omitted attributes field, which as per RFC 2255 means to request the return of all attributes, and an attributes field consisting of the asterisk character, *, which the MTA instead interprets as meaning to request the return of all known-to-the-MTA attributes, that is, all attributes specified by direct LDAP attribute name MTA options. This distinction is available since for some directory setups there may be a noticeable performance difference in LDAP directory response to one type of query (all attributes requested) vs. the other type of query (a specific, though large, list of attributes requested).
 * Also, certain substitution sequences are available, as shown in Table of LDAP URL substitution sequences.

Thus the LDAP URL value for an option should be specified as ldap:///dn[?attributes[?scope?filter]] where the square bracket characters [ and ] shown above indicate optional portions of the URL. The dn is required and is a distinguished name specifying the search base; it might correspond to the organization's top level in the Directory Information Tree. The optional attributes, scope, and filter portions of the URL further refine what information to return. For an alias, the desired attributes to specify returning would typically be the attribute (or some similar attribute). The scope may be any of base (the default), one, or sub. And the desired filter would typically be based upon the mailbox (local portion) of the incoming addresses.

Note that the usual LDAP URL encoding rules should be followed; see especially RFC 1738 (Uniform Resource Locators (URL)) and RFC 2255 (LDAP URL Format).

Substitution sequences, as shown in Table of LDAP URL substitution sequences, are available for use in constructing the LDAP URL.

The LDAP URL, before any substitutions, is limited to 256 characters in length (252 characters in iMS 5.2 and earlier); the substitutions may insert additional material and the length after such substitutions is limited to 1024 characters. Note that the substitution of "known" attributes when the asterisk, *, is specified as the attribute to return is not considered part of the regular substitution; this substitution is performed at a later step and the length after this "known" attributes substitution is limited to 4096 characters.

For instance, at a Messaging Server site using direct LDAP mode, alias_url0 is typically set as follows:

 domain_uplevel=2
 alias_url0=ldap:///$V?*?sub?$R

Here the domain_uplevel=2 setting means that:

 * Since bit 0 (value 1) is not set, domain matches must be exact (e.g., a domain entry in the DC tree for siroe.com will not imply that host.siroe.com should also be considered a "local" domain).
 * Since bit 1 (value 2) is set, user alias lookups will be performed looking not only for the exact address presented, but also for that address with the domain name replaced by the "canonical" domain name; for instance, if a domain name is an alias for another domain name (see ldap_domain_attr_alias in Schema 1 mode or ldap_attr_domain2_schema2 in Schema 2 mode), then the user alias lookup will be performed both with the address as originally presented, and with the address with the domain name replaced by the aliased (to) domain name.

The alias_url0 setting means that the result of a previous domainMap lookup will be used as the base for the search (this is the $V substitution), and the MTA will look for its standard set of mail alias attributes (the * substitution); see the ldap_mail_aliases MTA option.

If a Messaging Server site is using direct LDAP mode with vanity domains enabled, then typical settings are:

 domain_uplevel=2
 alias_url0=ldap:///$V?*?sub?$R
 alias_url1=ldap:///$B?*?sub?(&(msgVanityDomain=$D)$R)
 alias_url2=ldap:///$1V?*?sub?(mailAlternateAddress=@$D)
 domain_match_url=ldap:///$B?msgVanityDomain?sub?(msgVanityDomain=$D)

In addition to the usual settings (see above), notice the additional alias_url1, alias_url2, and domain_match_url settings. Here the domain_match_url setting, used to do an extra lookup when doing domainMap checking, means that the user tree base will be used as the base for the search (the $B substitution), searching for a msgVanityDomain attribute that has the value of the domain name of the address being processed; that is, this is enabling the finding of vanity domain names. The alias_url1 setting means that the user tree base will be used as the base for a search for entries with msgVanityDomain attribute equal to the domain name of the address being processed, and with at least one of the entry's standard mail alias attributes (see the ldap_mail_aliases MTA option) equal to the address being processed. The alias_url2 setting, used if neither the alias_url0 nor alias_url1 searches resulted in a match, looks for an entry that is the "catch-all" address for the domain or vanity domain of the address being processed.
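The following Python module is an added example written for this page; it is not Messaging Server code and does not reproduce the MTA's implementation. It models the URL handling described in the two preceding sections: it parses an RFC 2255 style URL of the form ldap:///dn[?attributes[?scope?filter]] (keeping the page's distinction between an omitted attributes field and the * marker), expands the $V, $B, $D and $R substitution sequences shown in the settings above, escapes the address before it is placed in a filter, applies the 256/1024/4096 character limits, and shows which addresses a domain_uplevel=2 lookup tries. The attribute lists standing in for the MTA's known attributes and for ldap_mail_aliases, and the exact filter produced for $R, are assumptions; the $1V sequence is not modelled.

```python
"""Added example (not Messaging Server code): a model of alias LDAP URL handling.
The KNOWN_ATTRIBUTES and MAIL_ALIAS_ATTRIBUTES lists and the filter built for $R
are assumptions made for the example; $1V is not modelled."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_URL_BEFORE_SUBST = 256   # limit before substitution (252 in iMS 5.2 and earlier)
MAX_URL_AFTER_SUBST = 1024   # limit after $-substitutions
MAX_URL_AFTER_KNOWN = 4096   # limit after "*" is replaced by the known attributes

# Assumed stand-ins: the real lists come from the MTA's LDAP attribute name
# options and from the ldap_mail_aliases option respectively.
KNOWN_ATTRIBUTES = ["mail", "mailAlternateAddress", "mailEquivalentAddress",
                    "mailHost", "mailRoutingAddress", "mailUserStatus"]
MAIL_ALIAS_ATTRIBUTES = ["mail", "mailAlternateAddress", "mailEquivalentAddress"]


@dataclass
class LdapUrl:
    dn: str
    attributes: Optional[List[str]]  # None = field omitted (all attributes per RFC 2255)
    scope: str                       # base (default), one or sub
    filter: Optional[str]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so the mailbox part of an incoming address cannot
    change the structure of the filter it is inserted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def standard_alias_filter(address: str) -> str:
    """Assumed rendering of $R: any standard mail alias attribute equals the address."""
    v = escape_filter_value(address)
    return "(|" + "".join("(%s=%s)" % (a, v) for a in MAIL_ALIAS_ATTRIBUTES) + ")"


def substitute(template: str, address: str, user_base: str, domain_base: str) -> str:
    """Expand $V (result of the domainMap lookup), $B (user tree base), $D (domain
    of the address) and $R, enforcing the length limits the page states."""
    if len(template) > MAX_URL_BEFORE_SUBST:
        raise ValueError("URL longer than %d characters before substitution" % MAX_URL_BEFORE_SUBST)
    domain = address.rpartition("@")[2]
    table = {"$V": domain_base, "$B": user_base,
             "$D": escape_filter_value(domain), "$R": standard_alias_filter(address)}
    expanded = re.sub(r"\$[VBDR]", lambda m: table[m.group(0)], template)
    if len(expanded) > MAX_URL_AFTER_SUBST:
        raise ValueError("URL longer than %d characters after substitution" % MAX_URL_AFTER_SUBST)
    return expanded


def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap:///dn[?attributes[?scope?filter]]; host and port are left to the
    MTA or base options, as the page recommends."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected ldap:///dn... with host and port omitted")
    parts = url[len("ldap:///"):].split("?", 3)
    dn = parts[0]
    if not dn:
        raise ValueError("dn (search base) is required")
    # Omitted field -> None (all attributes); "*" is kept as a marker for later expansion.
    attributes = None
    if len(parts) > 1 and parts[1]:
        attributes = [a for a in parts[1].split(",") if a]
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one or sub")
    filt = parts[3] if len(parts) > 3 and parts[3] else None
    return LdapUrl(dn, attributes, scope, filt)


def resolve_alias_url(template: str, address: str, user_base: str, domain_base: str) -> LdapUrl:
    """Substitute, parse, then expand "*" into the known attributes (the later
    step that has its own 4096-character limit)."""
    expanded = substitute(template, address, user_base, domain_base)
    parsed = parse_ldap_url(expanded)
    if parsed.attributes == ["*"]:
        known = ",".join(KNOWN_ATTRIBUTES)
        if len(expanded) - 1 + len(known) > MAX_URL_AFTER_KNOWN:
            raise ValueError("URL longer than %d characters after known-attribute expansion" % MAX_URL_AFTER_KNOWN)
        parsed.attributes = list(KNOWN_ATTRIBUTES)
    return parsed


def alias_lookup_addresses(address: str, domain_uplevel: int, canonical_domain: Optional[str]) -> List[str]:
    """Bit 1 (value 2) of domain_uplevel: besides the address as presented, also
    look it up with the domain replaced by the canonical (aliased-to) domain."""
    local, _, domain = address.rpartition("@")
    lookups = [address]
    if domain_uplevel & 2 and canonical_domain and canonical_domain.lower() != domain.lower():
        lookups.append("%s@%s" % (local, canonical_domain))
    return lookups


if __name__ == "__main__":
    # Constructed sample: the $V base would come from the domainMap lookup.
    print(resolve_alias_url("ldap:///$V?*?sub?$R", "jdoe@siroe.com", "ou=People,o=isp", "o=siroe.com,o=isp"))
    print(alias_lookup_addresses("jdoe@alias.siroe.com", 2, "siroe.com"))
```

The point of escape_filter_value is that the mailbox part of an incoming address is attacker-chosen text that ends up inside the search filter; any substitution engine that builds the $R filter must escape it, and the check is visible in the resulting filter (a local part containing `*` or `)` is rendered as `\2a` and `\29` rather than as filter syntax).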

See also:
 * alias_url0 MTA Option
 * aliaslocal Option
 * Overview of Direct LDAP configuration
 * domain_uplevel MTA Option
 * ldap_domain_attr_canonical MTA Option
 * ldap_domain_attr_alias Option
 * ldap_attr_domain2_schema2 MTA Option
 * ldap_mail_aliases MTA Option
 * domain_match_url MTA Option
 * Alias recursion and nested list definitions
 * aliasmagic Option
 * LDAP URL substitution sequences
 * Alias special formats
 * Aliases