GROUP_AUTH mapping table
The MTA's group/list access control mechanisms allow for a wide variety of access and permission models. However, exploiting this flexibility often depends on being able to define what attributes and values appear in LDAP group entries. If the entries being processed cannot be modified, as for instance in the case of an externally controlled LDAP directory, it becomes necessary for the MTA to adopt a more flexible processing model in order to support different attribute syntaxes.
New in 7.0.5, the
GROUP_AUTH mapping table and four new MTA options
N=1-4) have been added to facilitate such processing. The MTA options are used to specify the names of up to four additional LDAP attributes to be fetched during alias expansion processing. When the
GROUP_AUTH mapping is defined and at least one of the four attributes
N is defined and appears on a group, then the
GROUP_AUTH mapping is probed during group authorization checks (before any other authorization checks are done). The probe format is:
authN fields are simply whatever values are associated with the
N named LDAP attributes for this group. If multiple attributes or multiple attribute values appear, they will all be present in the probe field, separated by commas.
GROUP_AUTH mapping can produce any of four possible outputs:
$Yindicates that the authorization check has passed.
$Tindicates that the mapping result is a URL, which is then checked in the same fashion as an
$Nindicates that authorization has failed.
$Findicates that the mapping result is a URL, which is then checked in the same fashion as an