IronPort series C and LDAP query group

Answered Question
Sep 23rd, 2010

Hi, I've got some trouble understanding what happens.

Basic thing: I want to check the recipient against LDAP AD group membership.

Point is, I have an MS SBS 2008 SP3 (very happy! and not very comfortable with debugging MS).

My configuration:

I define an LDAP profile on which the Accept Query is checked (proxyAddresses=smtp:{a}); that gives me a good result with the test and authentication, therefore validating the Base DN DC=maheshvara,DC=local and the account used for that.

The group query (&(memberOf={g})(proxyAddresses=smtp:{a})) gives me as check result:

Query results for host:192.168.254.2
Query (&(memberOf=commercial)(proxyAddresses=smtp:[email protected])) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=commercial)(proxyAddresses=smtp:[email protected])) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).

Of course I link the LDAP profile to the incoming listener and also my group query, but there is no trace of the check of my content filtering condition.

I THINK THE PROBLEM COMES FROM MS BUT DON'T see why; I tried with a distribution group and a security group, also nothing more!!!

Do you have any sample implementation facing MS AD 2008 on SBS?

Thu Sep 23 14:08:36 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (10) connected to server

Thu Sep 23 14:12:41 2010 Debug: LDAP: (accept) Query (proxyAddresses=smtp:[email protected]) to server AD_verification (192.168.254.2:3268)

Thu Sep 23 14:12:41 2010 Debug: LDAP: (accept) Query (proxyAddresses=smtp:[email protected]) lookup success, (192.168.254.2:3268) returned 1 results

Trace of the group query:

Thu Sep 23 16:06:41 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (1) connected to server
Thu Sep 23 16:06:41 2010 Debug: LDAP: (group) Query (&(memberOf=commercial)(proxyAddresses=smtp:[email protected])) to server AD_verification (192.168.254.2:3268)
Thu Sep 23 16:06:41 2010 Debug: LDAP: (group) Query (&(memberOf=commercial)(proxyAddresses=smtp:[email protected])) lookup success, (192.168.254.2:3268) returned 0 results
Thu Sep 23 16:06:41 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (1) Connection interrupted (reader)
Thu Sep 23 16:06:41 2010 Debug: LDAP: check_id_Maheshvara:192.168.254.2(192.168.254.2:389) (1) Connection interrupted (reader)
Thu Sep 23 16:06:41 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (1) Connection interrupted (writer)
Thu Sep 23 16:06:41 2010 Debug: LDAP: check_id_Maheshvara:192.168.254.2(192.168.254.2:389) (1) Connection interrupted (writer)

Andreas Mueller Mon, 09/27/2010 - 06:04

Looking at your query I think there's where the problem lies:

Query (&(memberOf=commercial)(proxyAddresses=smtp:[email protected]))

You only entered the group name ("commercial") here, but the LDAP server does not know where to look for it in the directory tree. You'd need to include the full path actually:

Example: CN=commercial,OU=EmailGroups,DC=ad,DC=example,DC=com

Hope that helps.

Regards,

Andreas

xcrevecoeur Mon, 09/27/2010 - 06:23

Hi Andreas,

I didn't check yet but will; anyway, thank you for your answer. I thought the IronPort series C was making its group query from the base DN and then down. If it didn't, that explains why the syntax should be different. And is the process and syntax the same for all the different query types?

Many Thanks

Xavier Crevecoeur

Andreas Mueller Mon, 09/27/2010 - 06:34

Hello Xavier,

LDAP on the IronPort is only an interface that sends the query to the LDAP server, along with all information (group name, user name, base DN) you give, and only expects a "Yes" (member of group) or "No" (no member of the group). The search is done by the LDAP server itself, not the IronPort. I am not certain if that is AD specific, but usually a group query to an AD server has to include at least a part of the path, as it does not go deeper into the tree. That's probably because always starting at the top would mean a lot of workload for the LDAP server in complex organisations.

Regards,

Andreas

xcrevecoeur Tue, 10/05/2010 - 02:19

Hi Andreas

YES, your answer is correct. I've tried and checked today; trouble comes with MS SBS 2008, if I can say, when you are not an expert of MS.

For anyone who will be in the same situation, this can save you some time.

SO you have a C-series with updated software (Nov 2010, Operating System 7.1.2-020), you have MS 2008 SBS.

YOU make an LDAP TEST GROUP QUERY based on the following:

Group Query definition: (&(memberOf={g})(proxyAddresses=smtp:{a}))

Test Parameters

Email address : [email protected]

Group Name : CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=local

Result of Connection Status:

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:[email protected])) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:[email protected])) lookup success, (192.168.254.2:3268) returned 1 results
Success: Action: match positive.
Reason: address confirmed as a member of the group.

IF YOU EVER TRY WITH this, you get:

Group Query definition: (&(memberOf={g})(proxyAddresses=smtp:{a}))

Test Parameters

Email address : [email protected]

Group Name : CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=fr

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dfr)(proxyAddresses=smtp:[email protected])) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dfr)(proxyAddresses=smtp:[email protected])) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).

BUT take a look at this other test.

I have another user in the Users container just below maheshvara.local (the user is test1 and belongs to the test group at the same level of AD).

So try with

[email protected]

and

CN=test, OU=Users,DC=maheshvara,DC=local

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dtest, OU\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:[email protected])) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dtest, OU\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:[email protected])) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).

AND WITH CN and not OU:

CN=test, CN=Users,DC=maheshvara,DC=local

You get the right answer:

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dtest, CN\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:[email protected])) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dtest, CN\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:[email protected])) lookup success, (192.168.254.2:3268) returned 1 results
Success: Action: match positive.
Reason: address confirmed as a member of the group.

So guess what: I'd forgotten that a container under MS could be identified with OU but also with CN.

For information, on the Cisco ASA product we can rely on an LDAP server for the AAA server group, and when you define your server with ASDM, you can set the scope to All levels beneath the Base DN or One level beneath the Base DN.

Best Regards

Xavier Crèvecoeur
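
To make the behaviour in the debug logs above (and in Andreas's point about the bare group name) reproducible offline, here is an added example that is not part of the thread and not Cisco's or IronPort's code. It substitutes {a} and {g} into the same group query template, escapes the values the way the log shows (= as \3d), and then evaluates the resulting filter against a constructed in-memory copy of two AD entries. The entry DNs follow the containers named in the thread, the mailbox addresses are made up, and the matching rule assumed for memberOf is the one AD applies to DN-valued attributes: the whole DN is compared, case-insensitively, ignoring whitespace around the commas, so a bare name, a wrong DC suffix, or OU=Users instead of CN=Users all return 0 results.

```python
"""Offline check of the IronPort-style group query (added illustration).

Template from the thread: (&(memberOf={g})(proxyAddresses=smtp:{a}))
The directory below is constructed; it is not exported from a real AD.
"""
import re

GROUP_QUERY_TEMPLATE = "(&(memberOf={g})(proxyAddresses=smtp:{a}))"

# Constructed sample entries (assumption: addresses are made up, DNs follow
# the SBS containers named in the thread).
DIRECTORY = [
    {
        "dn": "CN=Xavier,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=local",
        "proxyAddresses": ["SMTP:xavier@maheshvara.local"],
        "memberOf": ["CN=Tech,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=local"],
    },
    {
        "dn": "CN=test1,CN=Users,DC=maheshvara,DC=local",
        "proxyAddresses": ["SMTP:test1@maheshvara.local"],
        "memberOf": ["CN=test,CN=Users,DC=maheshvara,DC=local"],
    },
]


def escape_filter_value(value: str) -> str:
    """Escape a value substituted into an LDAP search filter.

    RFC 4515 requires escaping NUL, '(', ')', '*' and '\\'; '=' is escaped
    too because the IronPort debug log shows it encoded as \\3d."""
    return "".join("\\%02x" % ord(ch) if ch in "\x00()*\\=" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Turn \\XX hex escapes back into characters (the server-side view)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_group_query(address: str, group: str) -> str:
    """Substitute {a} and {g} into the template, escaping both values."""
    return GROUP_QUERY_TEMPLATE.format(a=escape_filter_value(address),
                                       g=escape_filter_value(group))


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: AD compares DN-valued attributes such
    as memberOf as whole DNs, ignoring case and whitespace around commas.
    A bare name like 'commercial' is not a DN and can never match."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_filter(flt: str):
    """Minimal parser for the subset used here: (&(...)(...)) and (attr=value)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("unbalanced filter: %r" % flt)
    body = flt[1:-1]
    if body.startswith("&"):
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return ("and", children)
    attr, _, value = body.partition("=")
    return ("eq", attr, unescape_filter_value(value))


def entry_matches(entry: dict, node) -> bool:
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    if node[0] == "and":
        return all(entry_matches(entry, child) for child in node[1])
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if attr.lower() == "memberof":  # DN syntax: compare normalized whole DNs
        return any(normalize_dn(v) == normalize_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)  # case-insensitive string match


def run_group_query(address: str, group: str, directory=DIRECTORY) -> int:
    """Number of matching entries, like the 'returned N results' log line;
    0 is what the appliance reports as 'match negative'."""
    node = parse_filter(build_group_query(address, group))
    return sum(1 for entry in directory if entry_matches(entry, node))


if __name__ == "__main__":
    for address, group in [
        ("xavier@maheshvara.local", "commercial"),
        ("xavier@maheshvara.local", "CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=fr"),
        ("xavier@maheshvara.local", "CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=local"),
        ("test1@maheshvara.local", "CN=test, OU=Users,DC=maheshvara,DC=local"),
        ("test1@maheshvara.local", "CN=test, CN=Users,DC=maheshvara,DC=local"),
    ]:
        n = run_group_query(address, group)
        print(build_group_query(address, group))
        print("  returned %d results -> match %s" % (n, "positive" if n else "negative"))
```

The five cases in the main block are the four outcomes from the thread plus the bare "commercial" name from the first post; only the two full DNs whose containers really exist in the constructed directory return 1. The same check is worth running against your own memberOf values before wiring a group query into a content filter, since a mistyped container silently turns into "assumed not a member of the group".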

Andreas Mueller Tue, 10/05/2010 - 05:36

Hello Xavier,

Merci beaucoup for sharing your troubleshooting here; very glad to hear that it is working for you now and that I was a little bit of help. As this is good info I will most likely add it to our knowledge base, so other customers can work with it as well.

Thanks again!

Andreas
