Add LDAP Server Profile problem.


We are trying to add an LDAP Server Profile, but every time we try to test the Accept Query we get an

"Error - Error: configuration error" message.

We are using AD, with the top of the tree as the base DN: dc=domain, dc=local.

We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.

Tried ports 389 and 3268, no SSL, Anonymous and User Password authentication methods.

The error left us clueless since we followed the instructions on the user manual.

For the accept query we tried this query string: (proxyAddresses=smtp:{a})

Any ideas or pointers to what could be causing this are very much appreciated.

Thanks.

Ed.

kluu_ironport Mon, 09/29/2008 - 17:57

The first thing I would verify is if you can connect and traverse your Active Directory/Domain Controller using Softerra's free ldap browser.

1. Softerra ldap browser link

http://download.softerra.com/files/ldapbrowser26.msi

Put in the IP/hostname of the domain controller, use the same BASE DN, and user credentials that you used on the IronPort appliance.

I would highly recommend that you create a separate account for the IronPort (i.e. ironportldap). Do this so that you don't have to worry about accidentally resetting the password and then forgetting to update the IronPort appliance.



2. Once you've verified that you can connect and see your tree, use the same settings from Softerra ldap browser and put them in the IronPort ldap interface.

Try this for your Accept query string

(|(mail={a})(proxyAddresses=smtp:{a}))



3. If it still fails, enable the ldap debug log if you haven't already and paste in the error.
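The accept query above substitutes the envelope recipient address for {a} and matches either the primary mail attribute or an smtp: alias in proxyAddresses. The following is an added example, not code from this thread or from Cisco/IronPort: it renders that filter with the RFC 4515 escaping an address needs before it goes into a search filter, and evaluates the same OR logic against a few constructed AD-style entries (the example.local domain and the entries are made up; the case-insensitive comparison approximates how AD matches these string attributes).

```python
# Accept query suggested in the thread; {a} is the envelope recipient address.
ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# value, otherwise a recipient address can alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter.
    Single pass, so backslashes are never double-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_accept_query(template, address):
    """Produce the concrete filter the appliance would send for one recipient."""
    return template.replace("{a}", escape_filter_value(address))


# Constructed AD-like entries for the demonstration (not real directory data).
# In AD the primary address carries an upper-case "SMTP:" prefix and aliases
# a lower-case "smtp:" prefix.
DIRECTORY = [
    {
        "dn": "CN=Ed,OU=Staff,DC=example,DC=local",
        "mail": "ed@example.local",
        "proxyAddresses": ["SMTP:ed@example.local", "smtp:edward@example.local"],
    },
    {
        "dn": "CN=Svc,OU=Service,DC=example,DC=local",
        "mail": "svc@example.local",
        "proxyAddresses": [],
    },
]


def accept_query_matches(entry, address):
    """Evaluate the OR filter above against one entry.  AD compares these
    string attributes case-insensitively; lower() approximates that here."""
    a = address.lower()
    if entry.get("mail", "").lower() == a:
        return True
    return any(p.lower() == "smtp:" + a for p in entry.get("proxyAddresses", []))


def lookup(address, directory=DIRECTORY):
    """Return the DNs the accept query would find for a recipient address."""
    return [e["dn"] for e in directory if accept_query_matches(e, address)]


if __name__ == "__main__":
    for addr in ("ed@example.local", "edward@example.local", "nobody@example.local"):
        print(render_accept_query(ACCEPT_QUERY, addr), "->", lookup(addr))
```

An empty result list is what makes the appliance report "no matching LDAP record was found" for an invalid recipient; the escaping step is what keeps an odd-looking recipient address from being interpreted as filter syntax rather than as data.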



We created an account to bind to the directory and tested it with Softerra; it worked without trouble.

After following your directions I came up with this on the cli.

Mon Sep 29 14:26:20 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:26 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:27 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:27 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:34 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain

Now I'm a bit confused, because the DNS configuration on our C100 has the DNS IPs of our ISP to route email outside of our school.

Our appliance is a C100 and uses Data1 as outbound and Data2 as inbound.

Thanks for your advice.

The DNS configuration on the C100 only allows setting the IP of the DNS servers for Data1, Data2 or Auto, but not individually; that's confusing.

How to go about this?

Ed.

kluu_ironport Mon, 09/29/2008 - 19:51

From the command line of the IronPort, try a DNS lookup:

nslookup sjudc1.pupr.local

Also, try using the IP.

kluu_ironport Mon, 09/29/2008 - 21:21

How were you able to connect to the AD server on port 389 before?



We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.

Tried ports 389 and 3268, no SSL, Anonymous and User Password authentication methods.


Ed.

Trying to troubleshoot the server for any antivirus blocking access to the ports, I did a telnet from my machine, not from the C100 itself.

We haven't used AD before with the IronPort, and I thought it was a good idea to start using it for the benefit of DHAP.

We have an SMTP route to our mail exchanger. But it has the IP of the server.

kluu_ironport Mon, 09/29/2008 - 21:40

1. Verify from the command line of the IronPort that you can connect to the LDAP server on the correct IP:

- telnet (select the interface that is allowed to connect to the LDAP server on your firewall)

- IP address of the LDAP server

- 389 or 3268 (if you have Exchange 2003+)

2. If the above is successful, make sure you update the LDAP settings (System Administration > LDAP > LDAP settings) and use the same interface.

3. Delete the profile and recreate it, then test again.

I could connect from the CLI to the server using the IP on both ports.

Adding the LDAP profile, it asked me for the host name. What I did was add an override for the internal domain on the DNS, and now the C100 can resolve names for the internal domain.

Now something different is logged in the LDAP log you helped me create earlier.

Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) (169) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) this server marked DOWN
Mon Sep 29 17:08:14 2008 Debug: LDAP: Waiting period until next connection attempt is 3 seconds
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) (169) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) this server marked DOWN
Mon Sep 29 17:08:14 2008 Debug: LDAP: Waiting period until next connection attempt is 3 seconds

Ed.
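The two log excerpts in this thread show the two distinct failure stages the appliance's LDAP log reports: the earlier "DNS Hard Error ... NXDomain" lines (name resolution failed, so no connection was ever attempted) and these later "auth failed" / "marked DOWN" lines (TCP connect succeeded, the bind was rejected). As an added example, not part of the thread or of AsyncOS, here is a small triage script that parses lines in that format and separates the two conditions; the sample input is copied from the log lines posted above, and the hint wording is my own.

```python
import re
from collections import defaultdict

# Sample input: LDAP debug log lines copied from the two excerpts posted in
# this thread (a DNS failure first, then a bind failure on both ports).
SAMPLE_LOG = """\
Mon Sep 29 14:26:20 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:26 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) (169) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) this server marked DOWN
Mon Sep 29 17:08:14 2008 Debug: LDAP: Waiting period until next connection attempt is 3 seconds
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) (169) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) this server marked DOWN
"""

# "<weekday> <mon> <day> <hh:mm:ss> <year> <Level>: LDAP: <message>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?P<level>\w+): LDAP: (?P<msg>.*)$"
)
# Resolver failure: no server connection was attempted at all.
DNS_RE = re.compile(
    r"DNS Hard Error looking up (?P<host>\S+) \((?P<rr>\w+)\): (?P<rcode>\w+)"
)
# Per-server event: "<profile>:<host>(<ip>:<port>) [(<conn-id>)] <event>"
SERVER_RE = re.compile(
    r"^(?P<profile>[^:]+):(?P<host>[^(]+)\((?P<ip>[\d.]+):(?P<port>\d+)\)"
    r"(?: \(\d+\))? (?P<event>.*)$"
)


def triage(log_text):
    """Summarise DNS failures and per-server connect/bind outcomes."""
    dns_failures = defaultdict(int)
    servers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an LDAP log line in the expected format
        msg = m.group("msg")
        d = DNS_RE.search(msg)
        if d:
            dns_failures[d.group("host")] += 1
            continue
        s = SERVER_RE.match(msg)
        if not s:
            continue  # e.g. the "Waiting period ..." line carries no server
        key = f"{s.group('ip')}:{s.group('port')}"
        rec = servers.setdefault(key, {
            "profile": s.group("profile"), "host": s.group("host").strip(),
            "attempts": 0, "auth_failed": 0, "down": False,
        })
        event = s.group("event")
        if event == "connecting to server":
            rec["attempts"] += 1
        elif event == "auth failed":
            rec["auth_failed"] += 1
        elif event == "this server marked DOWN":
            rec["down"] = True
    return {"dns_failures": dict(dns_failures), "servers": servers}


def diagnose(summary):
    """Turn the summary into the next check to run, one hint per condition."""
    hints = []
    for host, n in summary["dns_failures"].items():
        hints.append(f"dns: {host} did not resolve ({n} NXDomain replies); "
                     "the appliance's DNS servers cannot see the internal zone")
    for key, rec in summary["servers"].items():
        if rec["auth_failed"]:
            hints.append(f"auth: bind to {key} rejected {rec['auth_failed']} time(s); "
                         "TCP connect worked, so check the bind DN and password")
        elif rec["down"]:
            hints.append(f"down: {key} marked DOWN without a bind failure; check reachability")
    return hints


if __name__ == "__main__":
    for hint in diagnose(triage(SAMPLE_LOG)):
        print(hint)
```

Keeping the DNS and bind conditions apart matters because they are fixed in different places: NXDomain is resolved on the appliance's DNS configuration (the internal-domain override mentioned above), whereas "auth failed" after a successful connect points at the bind account or its DN, not at the network.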

Success - Action: Pass.

Also checked in the CLI and got lookup success on 3 addresses tested (2 valid and 1 invalid).

And this when trying an invalid recipient in GUI:

Success — Action: drop or bounce (depending on listener settings)
Reason: no matching LDAP record was found.

Now I gotta keep reading and look up a topic about bouncing or dropping invalid recipients. I think I read in that topic that there is a way to get the best of both worlds; I want to read the manual and the topic and try to fully understand the process.

Kluu thank you very much for helping sir!

Very much appreciated.

kluu_ironport Tue, 09/30/2008 - 00:59

Yeah, the AsyncOS Advanced User Guide is the best resource on all things LDAP.

Also, I would recommend using ldap accept query in the "SMTP Conversation" in the listener section.

You will be doing the verification at the network level and reduce the amount of invalid recipients that get processed in the workqueue. By handling it at the "smtp conversation" level, you'll reduce load on the IronPort and still alert the sending MTA that the recipients were invalid.

And now with LDAP, you'll get the benefit of DHAP (directory harvest attack) on your sendergroups/mail flow policies section.

-kevin
