ExternalAuthPostUrlTemplate LDAP Attribute

From Messaging Server Technical Reference Wiki


Syntax
IA5 string (ASCII), single-valued
OID
2.16.840.1.113894.1009.1.102.1.1003.1.1

Definition

This attribute is used for finding the internal Directory Server entry for a user who has authenticated against an external Directory Server. It sets the LDAP URL that must be used to map the user who has authenticated against the external Directory Server to a user in the internal Directory. It is used in conjunction with the externalAuthPreUrlTemplate attribute and must be added to each domain entry associated with that external directory.

The attribute value is an LDAP URL of the form:


ldap:///<search base DN>?<attributes>?<scope>?<search filter>

where:

  • search base DN: Specifies the search base DN from which to perform searches. It can be a template or a fixed DN.
  • attributes: Specifies the list of attributes to be retrieved. It must include the mail attribute.
  • scope: Should be base, one, or sub.
  • search filter: Specifies either a template or a fixed filter.

Note: No server name is used in this LDAP URL (it must be empty), because the lookup is performed against the internal Directory Server.

Both the search base DN and search filter can be templates containing the following patterns:

  • %o (full login id)
  • %U (user part of login id)
  • %V (domain part of login id)
  • %A[attributename] (value of attribute specified)

Note: The % character in %o, %U, %V, and %A needs to be encoded as per the general URI definition. That is, the % character becomes %25.

Example

Consider the following LDAP URL:


ldap:///uid=%25A[ucsUid],ou=people,o=example.com?mail?base?(objectclass=*)

In this example, for a user whose ucsUid attribute value is jdoe, a search is constructed against the internal User/Group directory with the following values:

  • base DN: uid=jdoe,ou=people,o=example.com
  • scope: base search
  • filter: (objectClass=*)
  • attributes to retrieve: mail
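
The template expansion described above, as an added example (not code from Messaging Server or this wiki): it checks the constraints listed on this page, decodes the URL, and substitutes the patterns, escaping each substituted value for its DN or filter context because the login id is user-supplied. The function names and the split of the login id at the first @ are assumptions.

```python
import re
from urllib.parse import unquote

def hex_escape(pattern, value):
    # Replace every character matched by pattern with a \XX hex escape.
    return re.sub(pattern, lambda m: "\\%02x" % ord(m.group()), value)

def escape_dn(value):
    # RFC 4514: DN specials, plus a leading space or '#' and a trailing space.
    value = hex_escape(r'[,+"\\<>;\x00]', value)
    return hex_escape(r'^[ #]| \Z', value)

def escape_filter(value):
    # RFC 4515: characters that would change the structure of a filter.
    return hex_escape(r'[\\*()\x00]', value)

PATTERN = re.compile(r"%(o|U|V|A\[([^\]]+)\])")

def expand(template, login, attrs, escape):
    # Assumption: the login id splits into user and domain at the first '@'.
    user, _, domain = login.partition("@")
    def substitute(m):
        if m.group(2):                      # %A[attributename]
            return escape(attrs[m.group(2)])
        return escape({"o": login, "U": user, "V": domain}[m.group(1)])
    return PATTERN.sub(substitute, template)

def build_search(url, login, attrs):
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("server name must be empty: ldap:///...")
    fields = url[len(prefix):].split("?")
    if len(fields) != 4:
        raise ValueError("expected base?attributes?scope?filter")
    # Split first, then undo the URI encoding (%25 -> %) in each field.
    base, attributes, scope, flt = (unquote(f) for f in fields)
    wanted = attributes.split(",")
    if "mail" not in (a.lower() for a in wanted):
        raise ValueError("attribute list must include mail")
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be base, one, or sub")
    return {"base": expand(base, login, attrs, escape_dn),
            "attributes": wanted, "scope": scope,
            "filter": expand(flt, login, attrs, escape_filter)}

if __name__ == "__main__":
    # Constructed input: the page's example URL, ucsUid assumed to be jdoe.
    url = "ldap:///uid=%25A[ucsUid],ou=people,o=example.com?mail?base?(objectclass=*)"
    print(build_search(url, "jdoe@example.com", {"ucsUid": "jdoe"}))
```

Only substituted values are escaped; metacharacters written in the template itself, such as the * in (objectclass=*), keep their meaning.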