Configuring user alias options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles”.
1. Go to Profile > LDAP.
2. Click New to create a new profile or double click on an existing profile to edit it.
3. Click the arrow to expand the User Alias Options section.
Resolving aliases to real email addresses enables the FortiMail unit to send a single quarantine report and maintain a single quarantine mailbox at each user’s primary email account, rather than sending separate quarantine reports and maintaining separate quarantine mailboxes for each alias email address. For FortiMail units operating in server mode, this means that users need only log in to their primary account in order to manage their spam quarantine, rather than logging in to each alias account individually.
For more information on resolving email aliases by LDAP query, see “LDAP user alias / address mapping profile”.
4. Configure the following:
GUI item
Description
Schema (dropdown list)
Select a schema style from the Schema dropdown list and then edit the schema as desired, or select User Defined and write your own schema.
Alias member attribute
Enter the name of the attribute, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com.
This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly. For more information, see “Base DN”.
This option is preconfigured and read-only if, in User Alias Options, you have selected from Schema any schema style other than User Defined.
Alias member query
Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in Alias member attribute, from the LDAP directory.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.
The query string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude non-user/alias objects. For details, see “Alias member query example”.
For more information on required object types and their attributes, see “Preparing your LDAP schema for FortiMail LDAP profiles”.
For details on query syntax, refer to any standard LDAP query filter reference manual.
User group expansion In advance
Enable if your LDAP schema resolves email aliases indirectly. For more information on direct versus indirect resolution, see “Base DN”.
When this option is disabled, alias resolution occurs using one query: the FortiMail unit queries the LDAP directory using the Base DN and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.
When this option is enabled, alias resolution occurs using two queries:
The FortiMail unit first performs a preliminary query using the Base DN and Group member query, and uses the value of each Group member attribute as the base DN for the second query.
The FortiMail unit performs a second query using the distinguished names from the preliminary query (instead of the Base DN) and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.
The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand” the alias object into its constituent user objects before it can resolve the alias email address.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.
Group member attribute
Enter the name of the attribute, such as member, whose value is the DN of a user object.
This attribute must be present in alias objects only if they do not contain an email address attribute specified in Alias member attribute.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.
Group member query
Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.
The query string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.
For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be:
(&(objectClass=group) (proxyAddresses=smtp:$m))
where $m is the FortiMail variable for an email address.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.
For details on query syntax, refer to any standard LDAP query filter reference manual.
Max alias expansion level
Enter the maximum number of nesting levels (aliases that are themselves members of other aliases) that the FortiMail unit will expand.
Scope
Select which level of depth to query, starting from Base DN.
One level: Query only the one level directly below the Base DN in the LDAP directory tree.
Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.
Derefer
Select the method to use, if any, when dereferencing attributes whose values are references.
Never: Do not dereference.
Always: Always dereference.
Search: Dereference only when searching.
Find: Dereference only when finding the base search object.
Use separate bind (configure the following if “Default Bind Options” is not desired)
Base DN
Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.
User or alias objects should be child nodes of this location.
Whether you should specify the base DN of user objects or of alias objects depends on your LDAP schema style. A schema may resolve alias email addresses directly or indirectly (using references).
With direct resolution, alias objects themselves contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com; those values resolve the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects.
With an indirect resolution, alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects.
Bind DN
Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN.
Bind password
Enter the password of the Bind DN.
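The following is an added example, not FortiMail code, that simulates the one-query (direct) and two-query (indirect) resolution described under User group expansion In advance and Base DN above. The directory entries, the minimal filter evaluator (only the (attr=value) and (&(...)(...)) forms used on this page), the profile dictionaries whose keys mirror the GUI items, and the treatment of Max alias expansion level as a bound on nested aliases are all this example's own constructions; every search is subtree scoped, and $b is assumed to stand for the base DN of the current query, following the distinguishedName=$b hint given later on this page.

```python
"""In-memory simulation of the one-query (direct) and two-query (indirect)
alias resolution described above.  Added example, not FortiMail code: the
directory, filter evaluator and profiles are constructed here (subtree scope)."""
# Constructed sample directory: DN -> attributes (every value is a list).
DIRECTORY = {
    # Direct resolution: the alias object itself carries the real addresses.
    "cn=finance,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["alias"], "mail": ["finance@example.com"],
        "rfc822MailMember": ["alice@example.com", "bob@example.com"]},
    # Nested alias: one of its members is itself an alias.
    "cn=everyone,ou=Aliases,dc=example,dc=com": {
        "objectClass": ["alias"], "mail": ["everyone@example.com"],
        "rfc822MailMember": ["finance@example.com", "carol@example.com"]},
    # Indirect resolution: a group-like alias holding only member DNs.
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"], "proxyAddresses": ["smtp:staff@example.com"],
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "uid=carol,ou=People,dc=example,dc=com"]},
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["person"], "mail": ["alice@example.com"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["person"], "mail": ["bob@example.com"]},
    "uid=carol,ou=People,dc=example,dc=com": {"objectClass": ["person"], "mail": ["carol@example.com"]},
}

def _values(entry, attr):  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def _subfilters(body):
    """Split '(a=1) (b=2)' into its top-level parenthesised components."""
    subs, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                subs.append(body[start:i + 1])
    return subs

def matches(entry, filt):
    """Evaluate the filter subset used on this page: (attr=value) and (&(..)(..))."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(matches(entry, sub) for sub in _subfilters(filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    return value in _values(entry, attr.strip())

def search(base_dn, filt):
    """Subtree search under base_dn; the DN is exposed as a matchable 'dn' attribute."""
    base, hits = base_dn.lower(), []
    for dn, entry in DIRECTORY.items():
        entry = {**entry, "dn": [dn]}
        if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(entry, filt):
            hits.append((dn, entry))
    return hits

def _expand_once(address, p):
    """One expansion step, following the profile's User group expansion setting."""
    filt = p["alias_member_query"].replace("$m", address)
    if not p["group_expansion"]:
        # Disabled: one query under Base DN with the Alias member query.
        return [v for _, e in search(p["base_dn"], filt)
                for v in _values(e, p["alias_member_attribute"])]
    # Enabled: the preliminary query collects Group member attribute values (DNs) ...
    group_filt = p["group_member_query"].replace("$m", address)
    member_dns = [v for _, e in search(p["base_dn"], group_filt)
                  for v in _values(e, p["group_member_attribute"])]
    # ... which become the base DN of the second query.  $b is assumed to stand
    # for that base DN, following the "distinguishedName=$b" hint on the page.
    return [v for dn in member_dns for _, e in search(dn, filt.replace("$b", dn))
            for v in _values(e, p["alias_member_attribute"])]

def resolve_alias(address, p):
    """Expand an address into real mailboxes, bounded by Max alias expansion level.
    The bound on nested aliases and the loop guard are this example's reading."""
    resolved, pending, seen = set(), {address}, set()
    for _ in range(p["max_expansion_level"]):
        nxt = set()
        for addr in pending - seen:          # 'seen' stops A -> B -> A alias loops
            seen.add(addr)
            members = _expand_once(addr, p)
            if members:
                nxt.update(members)          # may themselves be aliases
            else:
                resolved.add(addr)           # nothing matched: a real mailbox
        pending = nxt
        if not pending:
            break
    return sorted(resolved | pending)        # unexpanded entries at the bound are returned as is

# Profiles mirroring the GUI items; the indirect Base DN is the directory root
# so that both the group object and the user objects fall under it.
DIRECT = {"base_dn": "ou=Aliases,dc=example,dc=com",
          "alias_member_query": "(& (objectClass=alias) (mail=$m))",
          "alias_member_attribute": "rfc822MailMember",
          "group_expansion": False, "max_expansion_level": 2}
INDIRECT = {"base_dn": "dc=example,dc=com", "alias_member_query": "(dn=$b)",
            "alias_member_attribute": "mail", "group_expansion": True,
            "group_member_query": "(&(objectClass=group) (proxyAddresses=smtp:$m))",
            "group_member_attribute": "member", "max_expansion_level": 2}

if __name__ == "__main__":
    print(resolve_alias("everyone@example.com", DIRECT), resolve_alias("staff@example.com", INDIRECT))
```

Lowering max_expansion_level to 1 for the nested everyone alias returns finance@example.com unexpanded, which is the symptom to look for when a quarantine report still goes to an alias account: the nesting depth in the directory exceeds the configured level.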
Alias member query example
For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:
(& (objectClass=alias) (mail=$m))
where $m is the FortiMail variable for a user's email address.
If the email address ($m) as it appears in the message header is different from the alias email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the alias by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${-spam}))
where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${^spam-}))
where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.
Whether you should configure this query filter to retrieve user or alias objects depends on whether your schema resolves email addresses directly or indirectly (using references). For more information on direct versus indirect alias resolution, see “Base DN”.
If alias objects in your schema provide direct resolution, configure this query string to retrieve alias objects. Depending on your schema style, you can do this either using the user name portion of the alias email address ($u), or the entire email address ($m). For example, for the email aliases finance@example.com and admin@example.com, if your LDAP directory contains alias objects distinguished by cn: finance and cn: admin, respectively, this query string could be cn=$u.
If alias objects in your schema provide indirect resolution, configure this query string to retrieve user objects by their distinguished name, such as distinguishedName=$b or dn=$b. Also enable User group expansion In advance, then configure Group member query to retrieve email address alias objects, and configure Group member attribute to be the name of the alias object attribute, such as member, whose value is the distinguished name of a user object.
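The following is an added example, not FortiMail code, that expands the query variables shown in this section ($m, $u, $b, and the ${-spam} and ${^spam-} tag-removal forms) into a concrete LDAP filter for one recipient address. The parsing rules (a leading ^ inside the braces marks a prefix to remove, otherwise the tag is removed from the end) are this example's reading of the two examples above, the meaning of $b as the base DN of the current query is an assumption, and the RFC 4515 escaping of the substituted value is this example's own addition: the recipient address comes from the message header, so escaping keeps it from changing the structure of the filter that is sent to the directory.

```python
"""Expansion of the FortiMail query variables shown above ($m, $u, $b and the
${tag} / ${^tag} tag-removal forms).  Added example, not FortiMail code: the
parsing rules are this example's reading of the page's examples, and the
RFC 4515 escaping of the substituted value is this example's own addition."""
import re

# A variable ($m, $u or $b) optionally followed by one or more ${...} modifiers.
VAR = re.compile(r"\$(m|u|b)((?:\$\{[^}]*\})*)")
# ${-spam} removes the tag "-spam" from the end of the user name portion;
# ${^spam-} removes "spam-" from the beginning (the leading ^ marks a prefix).
MOD = re.compile(r"\$\{(\^?)([^}]*)\}")

def ldap_escape(value):
    """RFC 4515 escaping, so a recipient address cannot alter the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def strip_tags(user, modifiers):
    """Apply ${tag} and ${^tag} modifiers to the user name portion of an address."""
    for prefix, tag in MOD.findall(modifiers):
        if prefix and user.startswith(tag):
            user = user[len(tag):]
        elif not prefix and user.endswith(tag):
            user = user[:-len(tag)]
    return user

def expand_query(template, recipient, base_dn=""):
    """Build the LDAP filter that would be sent for one recipient address.

    $m -> whole address, $u -> user name portion, $b -> base DN of the current
    query (assumed meaning, following "distinguishedName=$b" on this page).
    """
    user, _, domain = recipient.partition("@")
    def substitute(match):
        var, modifiers = match.group(1), match.group(2)
        if var == "b":
            return ldap_escape(base_dn)
        name = strip_tags(user, modifiers)
        return ldap_escape(name if var == "u" else f"{name}@{domain}")
    return VAR.sub(substitute, template)

if __name__ == "__main__":
    # Recipient tagging appended "-spam"; the tag is removed before the lookup.
    print(expand_query("(& (objectClass=alias) (mail=$m${-spam}))", "finance-spam@example.com"))
    print(expand_query("(& (objectClass=alias) (mail=$m${^spam-}))", "spam-finance@example.com"))
    print(expand_query("cn=$u", "admin@example.com"))
    print(expand_query("(distinguishedName=$b)", "x@example.com", "uid=user,ou=People,dc=example,dc=com"))
```

A recipient that carries no tag passes through unchanged, so the same filter works for tagged and untagged mail; a filter that still fails for tagged recipients usually means the tag in the ${...} modifier does not match what recipient tagging actually prepends or appends.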