GROUP_AUTH mapping table

From Messaging Server Technical Reference Wiki

The MTA's group/list access control mechanisms allow for a wide variety of access and permission models. However, exploiting this flexibility often depends on being able to define what attributes and values appear in LDAP group entries. If the entries being processed cannot be modified, as for instance in the case of an externally controlled LDAP directory, it becomes necessary for the MTA to adopt a more flexible processing model in order to support different attribute syntaxes.

New in 7.0.5, the GROUP_AUTH mapping table and four new MTA options, ldap_auth_mappingN (N=1-4), have been added to facilitate such processing. Each option names one additional LDAP attribute (up to four in total) to be fetched during alias expansion processing. When the GROUP_AUTH mapping is defined and at least one of the attributes named by ldap_auth_mappingN appears on a group entry, the GROUP_AUTH mapping is probed during group authorization checks, before any other authorization checks are done. The probe format is:


Here the authN fields are simply whatever values are associated with the LDAP attributes named by ldap_auth_mappingN for this group. If an attribute has multiple values, or more than one of the named attributes is present, all of those values appear in the corresponding probe field, separated by commas.

The GROUP_AUTH mapping can produce any of four possible outputs:

  • $Y indicates that the authorization check has passed.
  • $T indicates that the mapping result is a URL, which is then checked in the same fashion as an ldap_auth_url would be.
  • $N indicates that authorization has failed.
  • $F indicates that the mapping result is a URL, which is then checked in the same fashion as an ldap_cant_url would be.

See also: