LDAP Recursion

Unanswered Question
Jan 14th, 2009

Some of our AD groups contain other AD groups, and LDAP membership checks don't appear to pick this up.

E.g., if I am a member of GroupA and GroupA is a member of GroupB, and there is an outgoing mail policy looking for the sender to be a member of GroupB, it will not trigger when I send an email. If I'm a member of GroupA and GroupB, then it works.

Is this something that can be changed, or will I have to unravel the groups I want to check against?

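Added example, not code from the thread or from Cisco/IronPort: a constructed in-memory model of the directory described in the question, showing why a direct memberOf check misses the nested case, a transitive walk with a cycle guard and a depth limit (depth 1 reproduces the reported behaviour), and the filter that asks Active Directory to resolve nesting server-side in a single query. The base DN, user and group DNs are assumed; the matching-rule filter assumes the directory supports LDAP_MATCHING_RULE_IN_CHAIN (Active Directory on Windows Server 2003 SP2 or later).

```python
from typing import Dict, List, Optional

BASE = "DC=example,DC=com"  # assumed base DN
USER = f"CN=andrew,OU=Users,{BASE}"  # assumed user
GROUP_A, GROUP_B = f"CN=GroupA,OU=Groups,{BASE}", f"CN=GroupB,OU=Groups,{BASE}"
GROUP_C, GROUP_D = f"CN=GroupC,OU=Groups,{BASE}", f"CN=GroupD,OU=Groups,{BASE}"

# Constructed directory: user in GroupA, GroupA in GroupB (the thread's case), and
# GroupB/GroupC in each other, a cycle AD permits and a naive walk would loop on.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER: {"memberOf": [GROUP_A]},
    GROUP_A: {"memberOf": [GROUP_B]},
    GROUP_B: {"memberOf": [GROUP_C]},
    GROUP_C: {"memberOf": [GROUP_B]},
    GROUP_D: {"memberOf": []},
}

def member_of(dn: str) -> List[str]:
    """memberOf attribute of an entry, as an LDAP read of that entry returns it."""
    return DIRECTORY.get(dn, {}).get("memberOf", [])

def is_member_flat(user_dn: str, group_dn: str) -> bool:
    """Direct membership only: the behaviour the thread observes on the appliance."""
    return group_dn in member_of(user_dn)

def is_member_nested(user_dn: str, group_dn: str, max_depth: Optional[int] = None) -> bool:
    """Follow memberOf transitively. The visited set stops cycles; max_depth caps the
    walk, and max_depth=1 reproduces the 'recursion limit of 1' support described."""
    visited, frontier, depth = {user_dn}, [user_dn], 0
    while frontier and (max_depth is None or depth < max_depth):
        depth, next_frontier = depth + 1, []
        for dn in frontier:
            for parent in member_of(dn):
                if parent == group_dn:
                    return True
                if parent not in visited:
                    visited.add(parent)
                    next_frontier.append(parent)
        frontier = next_frontier
    return False

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def ad_nested_member_filter(group_dn: str) -> str:
    """Filter asking Active Directory to resolve nesting server-side with the
    LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941); no client recursion."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)})"
```

Against a real directory the same filter is sent as the search filter of a subtree query against the user (or the base) and a non-empty result means the user is a member, directly or through any chain of groups.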
Jason Meyer Tue, 01/20/2009 - 21:36

Great post, AndrewR. I have been working on this issue for a while now and have not found a way to accomplish this either. IronPort Support has indicated that it is not possible and that they are working on it. I can make it work from a Linux box with no problems but have not been able to make it work with IronPort. The workaround that I used was, in the Mail Policy, to just add a query for Group A and another one for Group B. I would think that this causes LDAP queries to double, but thus far it has worked OK.

AndrewR_ironport Wed, 01/21/2009 - 09:21

Yeah, that's basically the conclusion I came to as well. I opened a support ticket, and from the output I sent they have said that we're hitting a recursion limit! Quite why the limit is set at 1 I don't know :)

Basically we're now checking for Group A and B, like you say. Shame, but it works.

Rayman_Jr Fri, 09/18/2009 - 13:36

AndrewR, JMeyer5241, this is very surprising but seems to be the reality. I have run into the same problem as well!

Group membership via LDAP browsers or a Linux box is working fine, but IronPort doesn't seem to be able to see membership from nested groups.

Have you got any other solution to this than creating separate queries for the different groups?

A side note: I have 5 different AD groups in mail policies, and those are working just fine. Each of those groups will get 5 new nested groups on Monday. After initial tests and quick calculations I'm afraid that I'll have a headache the size of the Universe on Monday morning :?

I'd be more than thankful if you have any updates on this case!

AndrewR_ironport Mon, 09/21/2009 - 09:27

Unfortunately not. We're still doing the "member of group A or group B" check!

It's a pain, but it's only for this one policy fortunately, so not too bad for us.

AndrewR_ironport Tue, 09/22/2009 - 09:31

Nope, chained queries are for different domains, rather than groups within a domain.

mychrislo_ironport Tue, 09/22/2009 - 10:41

I mean, can this be done?

Create two different LDAP profiles for the different group LDAP queries (profile1: ldap1server, groupA; profile2: ldap1server, groupB).

Then chain the queries.

Will it work?
