GUI item | Description |
--- | --- |
Schema (dropdown list) | Select a schema style from the Schema list and then edit it as desired, or select User Defined and write your own schema. |
Alias member attribute | Enter the name of the attribute, such as mail or rfc822MailMember, whose value is an email address to which the email alias resolves, such as user@example.com. This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly. For more information, see “Base DN”. This option is preconfigured and read-only if, in User Alias Options, you have selected from Schema any schema style other than User Defined. |
Alias member query | Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in Alias member attribute, from the LDAP directory. This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. The query string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude non-user/alias objects. For details, see “Alias member query example”. For more information on required object types and their attributes, see “Preparing your LDAP schema for FortiMail LDAP profiles”. For details on query syntax, refer to any standard LDAP query filter reference manual. |
User group expansion In advance | Enable if your LDAP schema resolves email aliases indirectly. For more information on direct versus indirect resolution, see “Base DN”. When this option is disabled, alias resolution occurs using one query: the FortiMail unit queries the LDAP directory using the Base DN and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias. When this option is enabled, alias resolution occurs using two queries: • The FortiMail unit first performs a preliminary query using the Base DN and the Group member query, and uses the value of each Group member attribute as the base DN for the second query. • The FortiMail unit then performs a second query using the distinguished names from the preliminary query (instead of the Base DN) and the Alias member query, and uses the value of each Alias member attribute to resolve the alias. The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references (in the form of distinguished names) to member user objects, rather than directly containing the email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand” the alias object into its constituent user objects before it can resolve the alias email address. This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. |
Group member attribute | Enter the name of the attribute, such as member, whose value is the DN of a user object. This attribute must be present in alias objects only if they do not contain an email address attribute specified in Alias member attribute. This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled. |
Group member query | Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory. The query string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects. For example, if alias objects in your directory have two distinguishing characteristics, their objectClass and proxyAddresses attributes, the query filter might be: (&(objectClass=group) (proxyAddresses=smtp:$m)) where $m is the FortiMail variable for an email address. This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled. For details on query syntax, refer to any standard LDAP query filter reference manual. |
Max alias expansion level | Enter the maximum number of nested alias levels that the FortiMail unit will expand. |
Scope | Select which level of depth to query, starting from Base DN. • One level: Query only the one level directly below the Base DN in the LDAP directory tree. • Subtree: Query recursively all levels below the Base DN in the LDAP directory tree. |
Derefer | Select the method to use, if any, when dereferencing attributes whose values are references. • Never: Do not dereference. • Always: Always dereference. • Search: Dereference only when searching. • Find: Dereference only when finding the base search object. |
Use separate bind (configure the following if “Default Bind Options” is not desired) | |
Base DN | Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail unit will search for either alias or user objects. User or alias objects should be child nodes of this location. Whether you should specify the base DN of user objects or of alias objects depends on your LDAP schema style: a schema may resolve alias email addresses directly or indirectly (using references). • With direct resolution, alias objects directly contain one or more email address attributes, such as mail or rfc822MailMember, whose values are user email addresses such as user@example.com, and these values resolve the alias. The Base DN, such as ou=Aliases,dc=example,dc=com, should contain alias objects. • With indirect resolution, alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group objects, the alias objects contain only references to user objects that are “members” of the alias “group.” The email address attribute values of those user objects, such as user@example.com, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such as uid=user,ou=People,dc=example,dc=com. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such as ou=People,dc=example,dc=com, should contain user objects. |
Bind DN | Enter the bind DN, such as cn=FortiMailA,dc=example,dc=com, of an LDAP user account with permissions to query the Base DN. |
Bind password | Enter the password of the Bind DN. |
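The indirect, two-query resolution described under User group expansion In advance and Base DN, as an added example that is not FortiMail's code: a constructed in-memory directory (DN to attribute map) holding a nested and looping pair of aliases, a minimal LDAP filter evaluator for the Group member query shown in the table, and the Scope and Max alias expansion level behaviour modelled in plain Python. The directory contents, the alias member query (objectClass=person) and the scope names are assumptions for this example.

```python
# Constructed model of FortiMail-style indirect (two-query) alias resolution over an
# in-memory LDAP directory (assumption: DN -> {attribute: [values]}); not FortiMail code.
import re
BASE_DN = "ou=Aliases,dc=example,dc=com"         # Base DN containing the alias (group) objects
GROUP_MEMBER_QUERY = "(&(objectClass=group) (proxyAddresses=smtp:$m))"   # filter from the table
GROUP_MEMBER_ATTR, ALIAS_MEMBER_QUERY, ALIAS_MEMBER_ATTR = "member", "(objectClass=person)", "mail"
P, A = "ou=People,dc=example,dc=com", "ou=Aliases,dc=example,dc=com"
DIRECTORY = {  # constructed sample data; "partners" refers back to "sales", forming a loop
    "cn=sales," + A: {"objectClass": ["group"], "proxyAddresses": ["smtp:sales@example.com"],
                      "member": ["uid=alice," + P, "cn=partners," + A]},
    "cn=partners," + A: {"objectClass": ["group"], "proxyAddresses": ["smtp:partners@example.com"],
                         "member": ["uid=bob," + P, "cn=sales," + A]},
    "uid=alice," + P: {"objectClass": ["person"], "mail": ["alice@example.com"]},
    "uid=bob," + P: {"objectClass": ["person"], "mail": ["bob@example.com"]},
}

def parse_filter(f, i=0):  # RFC 4515 subset: (&..), (|..) and attr=value, parsed from f[i]
    if f[i + 1] in "&|":                               # compound: collect children until ')'
        op, kids, i = f[i + 1], [], i + 2
        while f[i] != ")":
            node, i = parse_filter(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)                                # simple equality item
    attr, val = f[i + 1:j].split("=", 1)
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, attrs):  # evaluate a parsed filter; names compare case-insensitively as in LDAP
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    return any(v.lower() == node[2] for v in {k.lower(): v for k, v in attrs.items()}.get(node[1], []))

def search(base, scope, flt):  # DNs under base matching flt; scope: 'base', 'one' or 'sub'
    node, _ = parse_filter(re.sub(r"\)\s+\(", ")(", flt))   # tolerate spaces between items
    in_scope = {"base": lambda dn: dn == base, "one": lambda dn: dn.partition(",")[2] == base,
                "sub": lambda dn: dn.endswith("," + base)}[scope]
    return [dn for dn, attrs in DIRECTORY.items() if in_scope(dn) and matches(node, attrs)]

def resolve(address, max_level=1):  # query 1 selects alias objects; query 2 reads each member DN
    addresses, seen = set(), set()
    def expand(alias_dn, level):   # nested aliases followed up to max_level; seen DNs stop loops
        if alias_dn in seen or level > max_level: return
        seen.add(alias_dn)
        for member in DIRECTORY[alias_dn].get(GROUP_MEMBER_ATTR, []):
            for hit in search(member, "base", ALIAS_MEMBER_QUERY):          # second query
                addresses.update(DIRECTORY[hit].get(ALIAS_MEMBER_ATTR, []))
            if GROUP_MEMBER_ATTR in DIRECTORY.get(member, {}):              # nested alias
                expand(member, level + 1)
    for alias_dn in search(BASE_DN, "sub", GROUP_MEMBER_QUERY.replace("$m", address)):  # query 1
        expand(alias_dn, 1)
    return sorted(addresses)
```

With max_level=1 the sales alias yields only alice; raising it to 2 also expands the nested partners alias and yields bob, while the partners-to-sales back reference is skipped because sales was already expanded.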