PureMessage for UNIX: LDAP authentication with multiple aliases for the EUWI

  • Article ID: 39323
  • Updated: 07 Jun 2012

Problem

An organization has email users with multiple aliases, and it requires that they are able to log into the End User Web Interface (EUWI) with any of their addresses, and view all mail sent to any of the addresses. The organization is authenticating against an LDAP server.

Technical details

When a user logs into the EUWI, PureMessage performs an LDAP lookup for the username given (using the specified 'filter'), and retrieves the value of the specified 'mail' attribute (using the result as the user's email address). It then searches the quarantine for this email address, which includes mail sent directly to the address, and any mail that was mapped to the address.

Here is a basic configuration for LDAP authentication:

----8<----
Authenticator#ldap.config.attribute_mail = mail
Authenticator#ldap.config.attribute_mail_index = 0
Authenticator#ldap.config.base_dn = dc=sophos,dc=com
Authenticator#ldap.config.bind_dn = cn=SuperAdmin,dc=sophos,dc=com
Authenticator#ldap.config.bind_password = XXXXXXXX
Authenticator#ldap.config.debug = 0
Authenticator#ldap.config.dn_discovery = 1
Authenticator#ldap.config.filter = (mail=%%username%%)
Authenticator#ldap.config.ldap_server = ldap://192.168.0.1:389
Authenticator#ldap.description = LDAP based authentication
Authenticator#ldap.module = PureMessage::Enduser::Auth::Authenticator::LDAP
---->8----

This configuration instructs PureMessage to query LDAP for an entry whose 'mail' attribute equals the username given (filter = (mail=%%username%%)), and then to read that entry's 'mail' attribute. If a user entry has more than one 'mail' value, PureMessage uses the one that LDAP returns first. Because the order in which a directory returns multi-valued attributes is not guaranteed, this creates inconsistent behaviour: a different email address may be used to search the quarantine on different occasions.

What to do

If your organization is using multiple aliases, you should limit each user account to one 'mail' attribute (which would be the "main" address, e.g., all the 'sophos.com' addresses), and then zero or more 'proxyAddresses' attributes for their aliases (e.g., the 'ca.sophos.com' addresses).

The following filter could then be used to query for this user:

(|(mail=%%username%%)(proxyAddresses=%%username%%))

This filter queries the LDAP database for all accounts in which either the 'mail' attribute or the 'proxyAddresses' attribute is equal to the given username. Since each account now has only one 'mail' value, the EUWI will search the quarantine for that address only, whichever alias the user logged in with.

The final step is to populate the 'recipient-aliases' map so that the 'proxyAddresses' are correctly mapped to the main address in the quarantine. This ensures that a search for the main address will return all messages sent to all addresses.
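The following Python model is added here for illustration and is not PureMessage code; it mirrors the lookup sequence described in this article (match the login name with the configured filter, read the 'mail' attribute at the configured index, then search the quarantine with the recipient-aliases map applied). The directory entries, quarantine contents and alias map are constructed sample data, and the function names are assumptions of this example, not PureMessage API.

```python
# Added example, not PureMessage code: a small model of the EUWI login lookup
# described in this article. The directory, quarantine and alias map are constructed.
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]   # one LDAP entry: attribute -> list of values
Directory = Dict[str, Entry]   # DN -> entry

# Constructed directory in the PROBLEM state: alice has two 'mail' values.
DIRECTORY_MULTI_MAIL: Directory = {
    "cn=alice,dc=sophos,dc=com": {
        "mail": ["alice@ca.sophos.com", "alice@sophos.com"],
    },
}
# The same entry as a server might return it on another occasion
# (the order of multi-valued attributes is not guaranteed).
DIRECTORY_MULTI_MAIL_REORDERED: Directory = {
    "cn=alice,dc=sophos,dc=com": {
        "mail": ["alice@sophos.com", "alice@ca.sophos.com"],
    },
}
# Constructed directory in the RECOMMENDED state: one 'mail', aliases in 'proxyAddresses'.
DIRECTORY_FIXED: Directory = {
    "cn=alice,dc=sophos,dc=com": {
        "mail": ["alice@sophos.com"],
        "proxyAddresses": ["alice@ca.sophos.com", "a.smith@sophos.com"],
    },
    "cn=bob,dc=sophos,dc=com": {"mail": ["bob@sophos.com"]},
}

# Constructed 'recipient-aliases' map: alias -> main address.
RECIPIENT_ALIASES: Dict[str, str] = {
    "alice@ca.sophos.com": "alice@sophos.com",
    "a.smith@sophos.com": "alice@sophos.com",
}

# Constructed quarantine: (envelope recipient, message id).
QUARANTINE: List[Tuple[str, str]] = [
    ("alice@sophos.com", "msg-1"),
    ("alice@ca.sophos.com", "msg-2"),
    ("a.smith@sophos.com", "msg-3"),
    ("bob@sophos.com", "msg-4"),
]


def filter_matches(entry: Entry, filter_attrs: List[str], username: str) -> bool:
    """Evaluate a filter of the form (|(attr1=%%username%%)(attr2=%%username%%)).
    A single attribute models the basic (mail=%%username%%) filter. Matching is
    case-insensitive, as it is for mail-style attributes in LDAP."""
    wanted = username.lower()
    return any(value.lower() == wanted
               for attr in filter_attrs
               for value in entry.get(attr, []))


def lookup_login_address(directory: Directory, filter_attrs: List[str], username: str,
                         attribute_mail: str = "mail",
                         attribute_mail_index: int = 0) -> Optional[str]:
    """Model the EUWI login: find the entry matching the filter, then return the
    value of 'attribute_mail' at 'attribute_mail_index' (the address to search for).
    Returns None when no entry matches (login fails) or the attribute is absent."""
    for entry in directory.values():
        if filter_matches(entry, filter_attrs, username):
            values = entry.get(attribute_mail, [])
            if attribute_mail_index < len(values):
                return values[attribute_mail_index]
            return None
    return None


def search_quarantine(address: str, quarantine: List[Tuple[str, str]] = QUARANTINE,
                      aliases: Optional[Dict[str, str]] = None) -> List[str]:
    """Return message ids whose recipient is 'address' after the recipient-aliases
    map has been applied to each recipient (an empty map means no mapping)."""
    aliases = aliases or {}
    target = address.lower()
    return sorted(msg for rcpt, msg in quarantine
                  if aliases.get(rcpt.lower(), rcpt.lower()) == target)


if __name__ == "__main__":
    # Problem: two 'mail' values, so the address chosen depends on the order returned.
    print(lookup_login_address(DIRECTORY_MULTI_MAIL, ["mail"], "alice@sophos.com"))
    print(lookup_login_address(DIRECTORY_MULTI_MAIL_REORDERED, ["mail"], "alice@sophos.com"))
    # Fix: any alias resolves to the single main address ...
    print(lookup_login_address(DIRECTORY_FIXED, ["mail", "proxyAddresses"], "a.smith@sophos.com"))
    # ... and with the recipient-aliases map populated, one search returns everything.
    print(search_quarantine("alice@sophos.com", aliases=RECIPIENT_ALIASES))
```

Running the script shows the two halves of the article: with two 'mail' values the login resolves to a different address depending on the order the directory returns them, while with one 'mail' value plus 'proxyAddresses' every alias resolves to the main address, and only when the recipient-aliases map is populated does a search for that address return the mail sent to the aliases as well.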

If you need more information or guidance, then please contact technical support.
