Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1769
Views
0
Helpful
7
Replies

LDAP instead of RAT

sven_warnke_ironport
Level 1
Level 1

‎10-07-2009 02:02 PM

Hey,

this may be a very stupid question but i'm new on ironport.

At the moment our Ironport is checking whether an email is accepted by RAT. Soon I plan to use LDAP.
Is it possible to use a LDAP-Query instead of RAT.
Regarding the listener i can't modify the field "Recipient Access Table".

Thx.

Labels:
0 Helpful
7 Replies 7

Andrew Wurster
Level 1
Level 1

‎10-07-2009 05:06 PM

sven -

that's a fine question as many people need to accomplish that. you do not necessarily edit or remove your RAT, you just add another layer of checking.

you'll need an LDAP accept query - and here's how to do it:
http://tinyurl.com/hjsn4

take care!

0 Helpful

sven_warnke_ironport
Level 1
Level 1

‎12-03-2009 07:09 AM

Hi,
sorry, but i didn't have the time until yet to try it out.

So i experimented yesterday and found my next question:

I don't want to accept all the adresses, listed in my AD. So an accept query would be the wrong way. It has to be a group query.

This is also definable on the listener. But i do not find the right place to tell the ironport against which group this group query should check.

I hope you understand what i want to do.
Don't hesitate to ask me for more information ;)


THX!

0 Helpful

Andrew Wurster
Level 1
Level 1

‎12-03-2009 04:34 PM

yea that makes sense to me for the most part.

you probably want to add a term to your query that enforces this "group" name. that means taking your default query (which I'm guessing at since you haven't provided one) and add in a group-like statement for the following logic

(memberOf = actual DN) AND (mail OR proxyAddresses = rcpt to address)

actual syntax for your AD it might look like:

&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail={a})(proxyAddresses=smtp:{a}))

give that a shot.

andrew

0 Helpful

sven_warnke_ironport
Level 1
Level 1

‎12-04-2009 06:53 AM

Hi,

i had the same idea yesterday morning but the following message appears when i'm going to use the "test-button" on the ldap configuration site:
(I used a fully qualified name of a group, which exists in my AD ;-) --> same result)


Query results for host:XXX.XXX.XXX.XXX
Query (&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de))) to server ldap_recieve (xxx.xxx.xxx.xxx:389)
Query (&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de))) lookup failed: LDAP Query Syntax Error: Invalid character 'w' at position 16 of query "(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de)))"
Failure: LDAP Query Syntax Error: Invalid character 'w' at position 16 of query "(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de)))"



UPDATE:
A few minutes ago i ran 2 tests:
1. I enabled the group-query (not paying attention on the wrong syntax) and changed the value of "all other recipients" in my rat from reject to accept.
--> Every Email passed the RAT but i saw the trial of an ldap request with the same failure as described on top

2. 1. I enabled the group-query (not paying attention on the wrong syntax) and let the value of "all other recipients" on "reject"
--> Using tail i got the message "Adress rejected by RAT" and did not see any ldap request

0 Helpful

Andrew Wurster
Level 1
Level 1

‎12-04-2009 04:02 PM

sven -

do you mind opening a support case on this? i am 99% sure there is a defect which requires us to escape our distinguished name values '=' with '%3d' or something along those lines to look like 'CN%3dfoo,DC%3dbar' etc. if we get a support case and remote access tunnel, we can isolate your requirements and run an ldapsearch against your directory to confirm this.

i just need to look further in to it before confirming. we can always post the answer back here in any case.

andrew

0 Helpful

sven_warnke_ironport
Level 1
Level 1

‎12-07-2009 06:38 AM

Hi,

support case has been opened: #525239

0 Helpful

sven_warnke_ironport
Level 1
Level 1

‎12-07-2009 02:32 PM

Hi,

you're almost right!

I think the support and me found the solution nearly in parallel :-D

Like already posted, you have to replace the "=" at the fully qualified name of the group with this string "\3d".

So the syntax for the accept-query looks like this


&(memberOf=CN\3dwe,CN\3dfoo,DC\3dbar,DC\3dtld")(|(mail={a})(proxyAddresses=smtp:{a}))

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents