09-23-2010 07:13 AM
Hi, I've got some trouble understanding what happens.
Basic thing: I want to check recipients against LDAP AD group membership.
Point is I have a MS SBS 2008 SP3 (very happy! and not very comfortable with debugging MS).
My configuration:
I define an LDAP profile on which the Accept Query is checked (proxyAddresses=smtp:{a}); that gives me good results with the test and authentication, therefore validating the base DN DC=maheshvara,DC=local and the account used for that.
Group query (&(memberOf={g})(proxyAddresses=smtp:{a})) gives me as check result:
Query results for host:192.168.254.2
Query (&(memberOf=commercial)(proxyAddresses=smtp:user1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=commercial)(proxyAddresses=smtp:user1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).
Of course I link the LDAP profile to the incoming listener and also my group query, but there is no trace of the check condition of my content filtering condition.
I THINK THE PROBLEM COMES FROM MS BUT DON'T see why; tried with a distribution group, a security group, also nothing more!!!
DO you have any sample implementation facing MS AD 2008 on SBS?
Thu Sep 23 14:08:36 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (10) connected to server
Thu Sep 23 14:12:41 2010 Debug: LDAP: (accept) Query (proxyAddresses=smtp:user1@maheshvara.fr) to server AD_verification (192.168.254.2:3268)
Thu Sep 23 14:12:41 2010 Debug: LDAP: (accept) Query (proxyAddresses=smtp:user1@maheshvara.fr) lookup success, (192.168.254.2:3268) returned 1 results
Trace of the group query:
Thu Sep 23 16:06:41 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (1) connected to server
Thu Sep 23 16:06:41 2010 Debug: LDAP: (group) Query (&(memberOf=commercial)(proxyAddresses=smtp:user1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Thu Sep 23 16:06:41 2010 Debug: LDAP: (group) Query (&(memberOf=commercial)(proxyAddresses=smtp:user1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 0 results
Thu Sep 23 16:06:41 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (1) Connection interrupted (reader)
Thu Sep 23 16:06:41 2010 Debug: LDAP: check_id_Maheshvara:192.168.254.2(192.168.254.2:389) (1) Connection interrupted (reader)
Thu Sep 23 16:06:41 2010 Debug: LDAP: AD_verification:192.168.254.2(192.168.254.2:3268) (1) Connection interrupted (writer)
Thu Sep 23 16:06:41 2010 Debug: LDAP: check_id_Maheshvara:192.168.254.2(192.168.254.2:389) (1) Connection interrupted (writer)
09-27-2010 06:04 AM
Looking at your query I think there's where the problem lies:
Query (&(memberOf=commercial)(proxyAddresses=smtp:user1@maheshvara.fr))
You only entered the group name ("commercial") here, but the LDAP server does not know where to look for it in the directory tree. You'd need to include the full path actually:
Example: CN=commercial,OU=EmailGroups,DC=ad,DC=example,DC=com
Hope that helps.
Regards,
Andreas
09-27-2010 06:23 AM
Hi Andreas,
I didn't check yet but will; anyway, thank you for your answer. I thought the IronPort C series was making its group query from the base DN and then down. If it didn't, that explains why the syntax should be different. And are the process and syntax the same for all the different query types?
Many Thanks
Xavier Crevecoeur
09-27-2010 06:34 AM
Hello Xavier,
LDAP on the IronPort is only an interface that sends the query to the LDAP server, along with all the information (group name, user name, base DN) you give, and only expects a "Yes" (member of the group) or "No" (not a member of the group). The search is done by the LDAP server itself, not the IronPort. I am not certain if that is AD specific, but usually a group query to an AD server has to include at least a part of the path, as it does not go deeper into the tree. That's probably because always starting at the top would mean a lot of workload for the LDAP server in complex organisations.
Regards,
Andreas
10-05-2010 02:19 AM
Hi Andreas
YES, your answer is correct. I've tried and checked today; the trouble comes with MS SBS 2008, if I can say, when you are not an expert of MS.
For anyone who will be in the same situation, this can save you some time.
SO you have a C series with updated software (Nov 2010, Operating System 7.1.2-020), you have MS 2008 SBS.
YOU make an LDAP TEST GROUP QUERY based on the following:
Group Query definition: (&(memberOf={g})(proxyAddresses=smtp:{a}))
Test Parameters
Email address : tech1@maheshvara.fr
Group Name : CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=local
Result of Connection Status:
Query results for host:192.168.254.2
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:tech1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:tech1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 1 results
Success: Action: match positive.
Reason: address confirmed as a member of the group.
IF YOU EVER TRY WITH You Get:
Group Query definition: (&(memberOf={g})(proxyAddresses=smtp:{a}))
Test Parameters
Email address : tech1@maheshvara.fr
Group Name : CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=fr
Query results for host:192.168.254.2
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dfr)(proxyAddresses=smtp:tech1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dfr)(proxyAddresses=smtp:tech1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).
BUT take a look at this other test.
I have another user in the Users container just below maheshvara.local (the user is test1 and belongs to the test group at the same level of AD),
so try with
and
CN=test, OU=Users,DC=maheshvara,DC=local
Query results for host:192.168.254.2
Query (&(memberOf=CN\3dtest, OU\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dtest, OU\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).
AND WITH CN and not OU:
CN=test, CN=Users,DC=maheshvara,DC=local
you get the right answer:
Query results for host:192.168.254.2
Query (&(memberOf=CN\3dtest, CN\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dtest, CN\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 1 results
Success: Action: match positive.
Reason: address confirmed as a member of the group.
So guess what, I had forgotten that a container under MS can be identified not only with OU but also with CN.
For information: ON the Cisco ASA product we can rely on an LDAP server for the AAA server group, and when you define your server with ASDM, you can set the scope to All levels beneath the Base DN or One level beneath the Base DN.
Best Regards
Xavier Crèvecoeur
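An added example in Python, not from this thread or from Cisco: it expands the IronPort group-query template the way the debug output above shows (with "=" escaped as \3d), and emulates the server-side memberOf comparison against one constructed directory entry, so the three outcomes above (bare group name, OU=Users, CN=Users) can be reproduced offline. The directory entry is constructed, and escaping "=" beyond what RFC 4515 requires is an assumption modelled on the log lines.

```python
# Added example, not from the thread or from Cisco: shows how a group-query
# template like IronPort's (&(memberOf={g})(proxyAddresses=smtp:{a})) expands
# (including the \3d escaping of "=" visible in the debug log), and why a bare
# group name or an OU= vs CN= mistake returns 0 results against AD.
import re

GROUP_QUERY = "(&(memberOf={g})(proxyAddresses=smtp:{a}))"

# RFC 4515 requires \ * ( ) and NUL to be escaped as \XX inside a filter value;
# the IronPort log shows it also escapes "=" as \3d, which RFC 4515 permits.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
           "\x00": r"\00", "=": r"\3d"}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def build_group_query(group: str, address: str) -> str:
    """Substitute {g} and {a} into the template, escaping both values."""
    return (GROUP_QUERY.replace("{g}", escape_filter_value(group))
                       .replace("{a}", escape_filter_value(address)))

def normalize_dn(dn: str) -> str:
    """AD matches memberOf as a DN: case-insensitive, whitespace around
    commas ignored. A plain name such as 'commercial' has no RDNs at all."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def looks_like_dn(value: str) -> bool:
    """True if every comma-separated component is an attr=value RDN."""
    return all(re.fullmatch(r"\s*[A-Za-z]+=[^=]+", p) for p in value.split(","))

# Constructed directory entry (not real data) modelled on the thread:
# the group lives in CN=Users, not OU=Users, directly under the domain root.
DIRECTORY = [
    {"proxyAddresses": ["smtp:test1@maheshvara.fr"],
     "memberOf": ["CN=test,CN=Users,DC=maheshvara,DC=local"]},
]

def group_match_count(group: str, address: str) -> int:
    """Emulate the server-side evaluation: how many entries match both terms."""
    if not looks_like_dn(group):
        return 0  # bare group name: nothing in memberOf can equal it
    want = normalize_dn(group)
    return sum(1 for e in DIRECTORY
               if f"smtp:{address}".lower() in [a.lower() for a in e["proxyAddresses"]]
               and any(normalize_dn(m) == want for m in e["memberOf"]))
```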
10-05-2010 05:36 AM
Hello Xavier,
Thank you very much for sharing your troubleshooting here; very glad to hear that it is working for you now and that I was a little bit of help. As this is good info I will most likely add it to our knowledgebase, so other customers can work with it as well.
Thanks again!
Andreas