Cisco Support Community
New Member

AD Query String for Group Membership

Hi

I have found that inbound mail to distribution groups (Ex07) is not being delivered. Running a trace, I am seeing they are failing on the LDAP match. I tracked it down to the group query not working. We are using the default query. Running a test, it fails. I think that is the problem. I can mail the group internally just fine.

Anyone have a good query string that will check for distribution groups? Below is the query being used. Thanks for the help.

(&(memberOf={g})(proxyAddresses=smtp:{a}))

6 REPLIES
New Member

Re: AD Query String for Group Membership

We are using exactly the same query without any issues.

There are two things coming into my mind.

One thing might be the access rights of the account used for LDAP queries. Does it see the distribution groups?

Another thing is the way Active Directory does the LDAP lookups. Is the distribution group in the local domain, or is a forest-wide query required?

Instead of a 'standard' LDAP query you might have to do the LDAP query directly against your Global Catalog server via TCP port 3268 to make forest-wide queries work.

More info can be found in IronPort Knowledge Base document ID 156:
http://tinyurl.com/lenghx

New Member

Re: AD Query String for Group Membership

Also, you may want to check if your Group Membership name is correct and complete.

It needs to be the entire DN, not just the short name.

For example, you cannot just say "CN=Developers"

You would need something like,

"CN=Developers,O=Information Technology, OU=San Francisco, DC=company,DC=com"

So, when it gets submitted and compared against the AD server, this is what is sent over:

(&(memberOf={CN=Developers,O=Information Technology, OU=San Francisco, DC=company,DC=com})(proxyAddresses=smtp:{user@company.com}))

------

To make sure you have the full DN of the group membership, I would recommend using an LDAP tool like ldapbrowser.com. It is free and very easy to use. It will display the entire structure of your LDAP server and show you all the info you need without compromising security.

New Member

Re: AD Query String for Group Membership

Well, I opened a ticket with support, and it appears that I have them stumped. From what they tell me it isn't the LDAP group query that is failing, but rather the LDAP accept query.

Sending to the group does work internally, so it looks like LDAP is good with the proxy address, but IronPort is failing on the query.

Snippet from trace:

Envelope Recipient Processing
Envelope Recipient: testgroup@domain.org
LDAP Accept Lookup: Result: failed
Default Domain Processing: No Change
Domain Map Processing: No Change
Recipient Access Table Processing: Behavior: ACCEPT Matched On: testgroup@domain.org
Alias Expansion: No Change

New Member

Re: AD Query String for Group Membership

I would recommend using an LDAP tool like ldapbrowser.com. It is free and very easy to use.

"Easy" in the context of "LDAP" is a relative thing. :-)

I use Apache Directory Studio myself, since ldapbrowser.com is Windows-only.

New Member

Re: AD Query String for Group Membership

Can you go to the LDAP section and provide all the fields that are relevant?

I'll need the LDAP configuration fields (minus the password of course) and what you're using for the LDAP Accept.

New Member

Re: AD Query String for Group Membership

Ding! Won't be necessary, got it working. Your comments got me looking in the correct location, and I found the problem, thank you. Ironically enough, the support engineer emailed me the fix too while I was making the changes.

Further examination of the LDAP settings themselves, and not the query, showed the problem. I have all of our users in ou=XusersX, dc=domain, dc=com

All of my mail distribution lists (to make it easy for the help desk) are in ou=distribution lists, dc=domain, dc=com

My base DN was set to the user OU, so whenever I tested against a distro group, the base DN was at a parallel level to the distro OU, so it wasn't even searching there, and hence failed.

Thanks again guys for pushing the brain in the right direction!

SF
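The two failure modes discussed in this thread, the group query needing the full group DN rather than the short name, and the accept lookup missing a list that sits in an OU parallel to the base DN, can be reproduced without an appliance or a domain controller. The following is an added example, not code from the thread, from Cisco or from IronPort. It builds a tiny constructed in-memory directory shaped like the poster's (users in ou=XusersX, the list in ou=distribution lists), fills the `{a}`/`{g}` placeholders the way the appliance does (with RFC 4515 escaping so an address containing filter metacharacters cannot change the filter), and then runs a subtree search that only ever evaluates entries under the chosen base DN. The group query template is the one quoted above; the accept query template `(proxyAddresses=smtp:{a})` is an assumption, as are all function names and the sample entries.

```python
import re

# Constructed sample directory (not real data): DN -> multi-valued attributes.
# Users live in one OU and the distribution list in a parallel OU, as in the thread.
SAMPLE_DIRECTORY = {
    "CN=alice,OU=XusersX,DC=domain,DC=com": {
        "memberOf": ["CN=testgroup,OU=distribution lists,DC=domain,DC=com"],
        "proxyAddresses": ["SMTP:alice@domain.org"],
    },
    "CN=testgroup,OU=distribution lists,DC=domain,DC=com": {
        "memberOf": [],
        "proxyAddresses": ["SMTP:testgroup@domain.org"],
    },
}

# GROUP_QUERY is the template quoted in the thread; ACCEPT_QUERY is assumed here.
ACCEPT_QUERY = "(proxyAddresses=smtp:{a})"
GROUP_QUERY = "(&(memberOf={g})(proxyAddresses=smtp:{a}))"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a substituted value can never alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_query(template: str, **params: str) -> str:
    """Fill the {a}/{g} placeholders the way the appliance would, escaping each value."""
    for key, value in params.items():
        template = template.replace("{" + key + "}", escape_filter_value(value))
    return template


def normalize_dn(dn: str) -> list:
    """Split a DN into lower-cased RDNs (simple DNs only: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn sits at or below base_dn, i.e. a subtree search from base_dn reaches it."""
    parts, base = normalize_dn(dn), normalize_dn(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str, pos: int = 0):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..) and (attr=value)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)          # escaped values contain no raw ')'
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), _unescape(value)), end + 1


def matches(node, attrs: dict) -> bool:
    """Evaluate a parsed filter against one entry (AD-style case-insensitive matching)."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, wanted = node
    stored = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if attr == "memberof":              # DN-valued attribute: compare RDN by RDN
        return any(normalize_dn(v) == normalize_dn(wanted) for v in stored)
    return any(v.lower() == wanted.lower() for v in stored)


def search(directory: dict, base_dn: str, filter_text: str) -> list:
    """Subtree search: entries outside base_dn are never even evaluated."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, attrs in directory.items()
                  if in_subtree(dn, base_dn) and matches(node, attrs))


if __name__ == "__main__":
    accept = render_query(ACCEPT_QUERY, a="testgroup@domain.org")
    # Base DN at the users OU: the list lives in a parallel OU, so nothing is
    # found, which is what "LDAP Accept Lookup: Result: failed" reflects.
    print(search(SAMPLE_DIRECTORY, "OU=XusersX,DC=domain,DC=com", accept))
    # Base DN at the domain root covers both OUs.
    print(search(SAMPLE_DIRECTORY, "DC=domain,DC=com", accept))
    # Group query: the full DN finds alice, the short name matches nothing.
    full_dn = "CN=testgroup,OU=distribution lists,DC=domain,DC=com"
    print(search(SAMPLE_DIRECTORY, "DC=domain,DC=com",
                 render_query(GROUP_QUERY, g=full_dn, a="alice@domain.org")))
    print(search(SAMPLE_DIRECTORY, "DC=domain,DC=com",
                 render_query(GROUP_QUERY, g="CN=testgroup", a="alice@domain.org")))
```

The same check is worth running against a real directory with `ldapsearch -b <base DN>` using the rendered filter: if the group object is not returned with the base DN configured on the appliance, the accept lookup will fail for that address no matter how the query template is written.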
