Hi Andreas

,

I didn't check yet but will, anyway thank you for your answer . I thought Aironport serie C was making his query group from base dn and then down. If he didn't that explain why the syntax should be different. And is the process and syntax same for all different query type ?

Many Thanks

Xavier Crevecoeur

Hello Xavier,

LDAP on the IronPort is only an interface that sends the query to the LDAP server, along with all information (group name, user name, base DN) you give, and only expects a "Yes" (member of group) or "No" (no member of the group) The search is done bye the LDAP server itself, not the IronPort. I am not certain if that is AD specific, but usually a group query to an AD server has to include at least a part of the path, as it does not go deeper into the tee. That's probably because always starting at the top would mean a lot of workload for the LDAP server in complex organisations.

Regards,

Andreas

Hi Andreas

YES your answer ,is correct I've try and ckeck today, trouble come with MS SBS 2008 if I can say when you are not expert of MS

for anyone who will be in same situation this can make you spare some time

SO You have Cserie with updated software (Nov2010 Operating System 7.1.2-020 ), you have MS 2008 SBS

YOU make LDAP TEST GROUP QUERY base on the following

Group Qery definition : (&(memberOf={g})(proxyAddresses=smtp:{a}))

Test Parameters

Email address : tech1@maheshvara.fr

Group Name : CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=local

Result if Connection Status

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:tech1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:tech1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 1 results
Success: Action: match positive.
Reason: address confirmed as a member of the group.

IF YOU EVER TRY WITH You Get

Group Qery definition : (&(memberOf={g})(proxyAddresses=smtp:{a}))

Test Parameters

Email address : tech1@maheshvara.fr

Group Name : CN=Tech, OU=SBSUsers,OU=Users,OU=MyBusiness,DC=maheshvara,DC=fr

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dfr)(proxyAddresses=smtp:tech1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dTech, OU\3dSBSUsers,OU\3dUsers,OU\3dMyBusiness,DC\3dmaheshvara,DC\3dfr)(proxyAddresses=smtp:tech1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).

BUT take a look to this another test

I have another user in Users container just below maheshvara.local ( the user is test1 and belong test group at the same level of AD)

so try with

test1@maheshvara.fr

and

CN=test, OU=Users,DC=maheshvara,DC=local

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dtest, OU\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dtest, OU\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 0 results
Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).

AND WITH CN and not OU

CN=test, CN=Users,DC=maheshvara,DC=local

you get the right answer

Query results for host:192.168.254.2
Query (&(memberOf=CN\3dtest, CN\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) to server AD_verification (192.168.254.2:3268)
Query (&(memberOf=CN\3dtest, CN\3dUsers,DC\3dmaheshvara,DC\3dlocal)(proxyAddresses=smtp:test1@maheshvara.fr)) lookup success, (192.168.254.2:3268) returned 1 results
Success: Action: match positive.
Reason: address confirmed as a member of the group.

So guess what I've forgot that a container now under MS could be identify with OU but also with CN

About for information ON Cisco ASA product we can rely on LDAP Server for AAA server group and when with asdm you define your server, you can say in the scope All level beneath the Base DN or One level beneath the Base DN

Best Regards

Xavier Crèvecoeur

Hello Xavier,

Merci beaucoup for sharing your troubleshooting here, very glad to hear that it is working for you know and I was a little bit of help. As this is good info I will most likely add it to our knowledgebase, so other customers can work with it as well.

Thanks again!

Andreas