ExternalAuthPreUrlTemplate LDAP Attribute

From Messaging Server Technical Reference Wiki


Syntax
IA5 string (ASCII), single-valued
OID
2.16.840.1.113894.1009.1.102.1.1002.1.1

Definition

This attribute is used to authenticate against external Directory Servers. It holds the LDAP URL that defines how users are searched for in the external Directory Server against which authentication is performed. Add this attribute to each domain entry associated with that external directory. The attribute value is an LDAP URL of the form:


ldap://<server name>/<search base DN>?<attributes>?<scope>?<search filter>

where:

  • server name: The LDAP pool identifier, defined in the Calendar Server configuration for that specific external directory server. See the davadmin ldappool create command for how to configure the LDAP pool.
  • search base DN: Either a template or a fixed DN.
  • attributes: A comma-separated list of the attributes to retrieve; these are the attributes required to perform external authentication and to map the entry to the internal Communications Suite directory.
  • scope: One of base, one, or sub.
  • search filter: Either a template or a fixed filter.

Both the search base DN and search filter can be templates containing the following patterns:

  • %o (original login ID, as provided by the user over protocol)
  • %U (user part of login ID)
  • %V (domain part of login ID)

Note: The % character in %o, %U, and %V must be percent-encoded as in any URI, so it is written %25 in the attribute value (for example %25o, %25U, %25V). The pattern is substituted after the URL has been decoded.

Examples

Consider the following LDAP URL:


ldap://examplepool/ou=people,o=example.com?mail?sub?(uid=%25o)

In this example, for a user with login ID john@example.com, the following subtree search is issued:

  • basedn: ou=people,o=example.com
  • filter: (uid=john@example.com)

Consider the following LDAP URL where example.com is the default domain:


ldap://examplepool/cn=%25U,ou=people,o=example.com?mail?base?(objectclass=*)

In this example, for a user with a login ID of John Doe (no domain part, so the default domain applies), the following base search is issued:

  • basedn: cn=John Doe,ou=people,o=example.com
  • filter: (objectclass=*)

If more than one entry matches the search, the authentication is rejected; an ambiguous result is never resolved to the first entry returned, so the base DN, scope, and filter must together identify exactly one user.
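The following is an added example, not code from Messaging Server, that works through the template mechanism described above: it splits the URL into its RFC 4516 parts, percent-decodes them so %25o becomes %o, expands %o, %U and %V for a given login ID, runs the resulting search against a small directory constructed inline, and applies the rule that more than one match rejects the login. Two things it assumes that the page does not state: substituted values are escaped before insertion (RFC 4515 escaping in the filter, RFC 4514 escaping in the DN), which matters because %o is text the user supplied over the protocol, and %V falls back to a configured default domain when the login ID has none. The pool name examplepool, the directory entries, and the dup@example.com duplicate are all constructed for the example.

```python
"""Expand an ExternalAuthPreUrlTemplate LDAP URL and apply the single-match rule.

Added example, not Messaging Server code. Assumptions the page does not state:
substituted values are escaped (RFC 4515 in the filter, RFC 4514 in the DN),
and %V falls back to a default domain when the login ID has none.
"""
import re
from urllib.parse import unquote, urlparse

SCOPES = ("base", "one", "sub")
_PATTERN = re.compile(r"%[oUV]")


def escape_filter(value):
    """RFC 4515: hex-escape the characters that are special inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: backslash-escape DN-special characters and leading/trailing space."""
    out = []
    for i, c in enumerate(value):
        special = c in '\\,+"<>;=' or (i == 0 and c in " #") or (i == len(value) - 1 and c == " ")
        out.append("\\00" if c == "\x00" else ("\\" + c if special else c))
    return "".join(out)


def parse_url(url):
    """Split ldap://<pool>/<base>?<attrs>?<scope>?<filter> into percent-decoded parts."""
    p = urlparse(url)
    fields = p.query.split("?")
    if p.scheme != "ldap" or len(fields) != 3:
        raise ValueError("expected ldap://pool/base?attrs?scope?filter")
    attrs, scope, filt = (unquote(f) for f in fields)
    scope = scope.lower() or "base"  # RFC 4516 default when the scope is omitted
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub, not %r" % scope)
    return {"pool": p.netloc, "base": unquote(p.path.lstrip("/")),
            "attrs": [a for a in attrs.split(",") if a], "scope": scope, "filter": filt}


def expand(template, login, default_domain="", escape=escape_filter):
    """Replace %o, %U, %V in one pass so text injected via the login is never re-expanded."""
    user, _, domain = login.rpartition("@") if "@" in login else (login, "", "")
    values = {"%o": login, "%U": user, "%V": domain or default_domain}
    return _PATTERN.sub(lambda m: escape(values[m.group(0)]), template)


def _norm_dn(dn):
    # Simplified normalisation: the toy directory below has no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _in_scope(entry_dn, base, scope):
    entry_dn, base = _norm_dn(entry_dn), _norm_dn(base)
    if scope == "base":
        return entry_dn == base
    if not entry_dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in entry_dn[: -len(base) - 1]


def _matches(entry, filt):
    """Minimal evaluator: (attr=*) presence and (attr=value) equality only."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr, wanted = m.group(1).lower(), m.group(2)
    values = [v for k, v in entry.items() if k.lower() == attr]
    if wanted == "*":
        return bool(values)
    return any(escape_filter(v).lower() == wanted.lower() for v in values)


def resolve(directory, url, login, default_domain=""):
    """Run the expanded search over {dn: {attr: value}}; exactly one hit is accepted, else None."""
    req = parse_url(url)
    base = expand(req["base"], login, default_domain, escape_dn_value)
    filt = expand(req["filter"], login, default_domain, escape_filter)
    hits = [(dn, {a: e[a] for a in (req["attrs"] or list(e)) if a in e})
            for dn, e in directory.items()
            if _in_scope(dn, base, req["scope"]) and _matches(e, filt)]
    return hits[0] if len(hits) == 1 else None  # zero or several matches: rejected


# Constructed sample directory (not real data); dup@example.com appears twice on purpose.
DIRECTORY = {
    "uid=john,ou=people,o=example.com": {"uid": "john@example.com", "mail": "john@example.com"},
    "cn=John Doe,ou=people,o=example.com": {"objectclass": "inetOrgPerson", "mail": "jdoe@example.com"},
    "uid=dup1,ou=people,o=example.com": {"uid": "dup@example.com", "mail": "dup1@example.com"},
    "uid=dup2,ou=contractors,ou=people,o=example.com": {"uid": "dup@example.com", "mail": "dup2@example.com"},
}
SUB_URL = "ldap://examplepool/ou=people,o=example.com?mail?sub?(uid=%25o)"
ONE_URL = "ldap://examplepool/ou=people,o=example.com?mail?one?(uid=%25o)"
BASE_URL = "ldap://examplepool/cn=%25U,ou=people,o=example.com?mail?base?(objectclass=*)"

if __name__ == "__main__":
    print(resolve(DIRECTORY, SUB_URL, "john@example.com"))        # single hit: accepted
    print(resolve(DIRECTORY, BASE_URL, "John Doe", "example.com"))  # base search on the templated DN
    print(resolve(DIRECTORY, SUB_URL, "dup@example.com"))         # two hits under sub: None (rejected)
    print(resolve(DIRECTORY, ONE_URL, "dup@example.com"))         # one-level scope sees only dup1
    print(resolve(DIRECTORY, SUB_URL, "*)(uid=*"))                # injected filter text is escaped: None
```

The dup@example.com runs show why the scope is part of the security decision: with scope sub the duplicate under ou=contractors makes the result ambiguous and the login is rejected, while scope one sees only the direct child and accepts it. The last run shows the reason for escaping %o: without it, a login of *)(uid=* would turn the filter into (uid=*)(uid=*) and match every entry.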