AD Query String for Group Membership


Hi

I have found that inbound mail to distribution groups (Ex07) is not being delivered. Running a trace, I am seeing they are failing on LDAP match. I tracked it down to the group query not working. We are using the default query. Running a test, it fails. I think that is the problem. I can mail the group internally just fine.

Anyone have a good query string that will check for distribution groups? Below is the query being used. Thanks for the help.

(&(memberOf={g})(proxyAddresses=smtp:{a}))

Rayman_Jr Thu, 09/03/2009 - 09:03

We are using exactly the same query without any issues.

There are two things coming into my mind.

One thing might be the access rights of the account used for LDAP queries. Does it see the distribution groups?

Another thing is the way Active Directory does the LDAP lookups. Is the distribution group in the local domain, or is a forest-wide query required?

Instead of the 'standard' LDAP query you might have to do the LDAP query directly against your Global Catalog server via TCP port 3268 to make forest-wide queries work.

More info can be found from IronPort Knowledge Base document ID 156
http://tinyurl.com/lenghx

kluu_ironport Wed, 09/09/2009 - 05:10

Also, you may want to check if your Group Membership name is correct and complete.

It needs to be the entire DN, not just the short name.

For example, you cannot just say "CN=Developers"

You would need something like,

"CN=Developers,O=Information Technology, OU=San Francisco, DC=company,DC=com"

So, when it gets submitted and compared against the AD server, this is what is sent over:

(&(memberOf={CN=Developers,O=Information Technology, OU=San Francisco, DC=company,DC=com})(proxyAddresses=smtp:{[email protected]}))

------

To make sure you have the full DN of the group membership, I would recommend using an LDAP tool like ldapbrowser.com. It is free and very easy to use. It will display the entire structure of your LDAP server and show you all the info you need without compromising security.

Well, I opened a ticket with support, and it appears that I have them stumped. From what they tell me it isn't the LDAP group query that is failing, but rather the LDAP accept query failing.

Sending to the group does work internally, so it looks like LDAP is good with the proxy address, but IronPort is failing on the query.

Snippet from trace:

Envelope Recipient Processing
Envelope Recipient: [email protected]
LDAP Accept Lookup: Result: failed
Default Domain Processing: No Change
Domain Map Processing: No Change
Recipient Access Table Processing: Behavior: ACCEPT Matched On: [email protected]
Alias Expansion: No Change

Donald Nash Wed, 09/16/2009 - 20:44

I would recommend using an LDAP tool like ldapbrowser.com.  It is free and very easy to use.

"Easy" in the context of "LDAP" is a relative thing. :-)

I use Apache Directory Studio myself, since ldapbrowser.com is Windows-only.
kluu_ironport Wed, 09/16/2009 - 22:48

Can you go to the LDAP section and provide all the fields that are relevant?

I'll need the LDAP configuration fields (minus the password of course) and what you're using for the LDAP Accept.


Ding! Won't be necessary, got it working. Your comments got me looking in the correct location, and I found the problem, thank you. Ironically enough the support engineer emailed me the fix too while I was making the changes.

Further examination of the LDAP settings themselves, and not the query, showed the problem. I have all of our users in ou=XusersX, dc=domain, dc=com

All of my mail distribution lists (to make it easy for the help desk) are in ou=distribution lists, dc=domain, dc=com

My base DN was set to the user OU, so whenever I tested against a distro group, the base DN was at a parallel level to the distro OU, so it wasn't even searching there, and hence failed.

Thanks again guys for pushing the brain in the right direction!

SF
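The two points the thread turns on, that the query template's {g} and {a} tokens are substituted into an LDAP filter as literal values (and so must be escaped, or a stray `*` or `)` in an envelope recipient rewrites the filter), and that a subtree search rooted at the users OU can never see a sibling "Distribution Lists" OU, can be reproduced offline. The script below is an added example and is not from the original thread or from Cisco/IronPort; the directory entries, DNs and addresses in it are constructed, and the DN comparison is a deliberate simplification (no escaped commas in values) sufficient for the layout described in the final post.

```python
"""Offline walk-through of the two LDAP problems discussed in this thread:
token substitution into the query template, and a search base DN that does
not contain the distribution-list OU.  Directory contents are constructed."""
import re

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is interpolated into an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def render_query(template: str, **tokens: str) -> str:
    """Expand {g}/{a}-style tokens, as in the appliance's query template, with
    escaped values.  Without escaping, a recipient such as 'x)(cn=*' would change
    the structure of the filter instead of being matched as a literal address."""
    def substitute(match):
        key = match.group(1)
        if key not in tokens:
            raise KeyError(f"no value supplied for token {{{key}}}")
        return escape_filter_value(tokens[key])
    return re.sub(r"\{([a-z])\}", substitute, template)


def normalize_dn(dn: str) -> list:
    """Split a DN into RDNs, lower-casing and trimming whitespace so that
    'ou=Distribution Lists, dc=domain, dc=com' and
    'OU=distribution lists,DC=domain,DC=com' compare equal.
    Assumption: no escaped commas inside attribute values."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def in_search_scope(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is at or below base_dn, i.e. a subtree search from base_dn sees it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def accept_lookup(directory: list, base_dn: str, address: str) -> list:
    """Simulate the LDAP Accept query '(proxyAddresses=smtp:{a})' over a subtree
    search rooted at base_dn.  Returns the matching DNs; an empty list is the
    'LDAP Accept Lookup: Result: failed' seen in the trace."""
    wanted = f"smtp:{address}".lower()
    return [
        entry["dn"]
        for entry in directory
        if in_search_scope(entry["dn"], base_dn)
        and any(addr.lower() == wanted for addr in entry["proxyAddresses"])
    ]


# Constructed directory: users under one OU, distribution lists under a sibling OU,
# the layout described in the final post.
DIRECTORY = [
    {"dn": "CN=Alice,OU=XusersX,DC=domain,DC=com",
     "proxyAddresses": ["SMTP:alice@domain.com"]},
    {"dn": "CN=Helpdesk,OU=Distribution Lists,DC=domain,DC=com",
     "proxyAddresses": ["SMTP:helpdesk@domain.com", "smtp:support@domain.com"]},
]

USER_BASE = "ou=XusersX, dc=domain, dc=com"   # the base DN that was configured
DOMAIN_BASE = "dc=domain, dc=com"             # a base that contains both OUs

if __name__ == "__main__":
    tpl = "(&(memberOf={g})(proxyAddresses=smtp:{a}))"
    print(render_query(tpl, g="CN=Developers,OU=San Francisco,DC=company,DC=com",
                       a="alice@domain.com"))
    print(render_query(tpl, g="CN=Developers,DC=company,DC=com", a="x)(cn=*"))
    print("user base  :", accept_lookup(DIRECTORY, USER_BASE, "helpdesk@domain.com"))
    print("domain base:", accept_lookup(DIRECTORY, DOMAIN_BASE, "helpdesk@domain.com"))
```

Running it shows the accept lookup for the distribution list returning nothing under the users OU and returning the group once the base DN is raised to the domain root, which is the fix reported above. The group DN passed for {g} is left intact because commas are not filter metacharacters; the escaping only has to protect the filter structure itself.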
