Cisco Support Community
New Member

Changes in LDAP/SMTPAuth going from 5.1.2 to 5.5.1(11)

After upgrading my 2 Ironports something is not working as it should on the LDAP connection department.

Every Ironport is configured for a max of 50 simultaneous connections load balanced on 2 LDAP servers.

Mail is working correctly but I receive repeated messages "SMTP Auth: LDAP query failed".

How do I check what interface is being used for LDAP connections (I saw there are new options available, but I haven't tried them out yet)?

Is there some whitepaper or info to help me understand quickly the new options in LDAP/SMTP Auth configuration with AsyncOS 5.5.1?

Thanks a lot

3 REPLIES
New Member

Re: Changes in LDAP/SMTPAuth going from 5.1.2 to 5.5.1(11)

To see which interface you're doing LDAP queries on, go to "System Administration > LDAP"

The setting at the bottom, "LDAP Global Settings" shows the interface.

----

To get more info on what the query is and possibly why it's failing, create a ldap debug log.

- "System Administration > Log Subscriptions".
- click on "add log", select the "ldap debug" log type
- fill the info out and submit/commit changes.
- on the command line of the machine, type "tail", then enter the number of the ldap debug log that you just created and test a few ldap queries in your ldap profile (system administration > ldap > ldap profile)

Paste back any ldap errors that you encounter and need help analyzing.


New Member

Re: Changes in LDAP/SMTPAuth going from 5.1.2 to 5.5.1(11)

gv,

Here is what is new in AsyncOS 5.5.1 in regards to LDAP.

New and Enhanced: LDAP Queries
AsyncOS version 5.5 includes the following enhancements to LDAP queries:

• Domain-based queries. Domain-based queries are LDAP queries grouped by type, associated with a domain, and assigned to a particular listener. You might want to use domain-based queries if you have different LDAP servers associated with different domains but you want to run queries for all your LDAP servers on the same listener.

• Chain queries. A chain query is a series of LDAP queries that the IronPort appliance runs in succession. The IronPort appliance runs each query in the “chain” until the LDAP server returns a positive response (or the final query in the “chain” returns a negative response or fails). Chain queries can be useful if entries in your LDAP directory use different attributes to store similar (or the same) values. For example, you might have used the attributes maillocaladdress and mail to store user email addresses. To ensure that your queries run against both these attributes, you can use chain queries.

• Modified DHAP. In a previous release, DHAP counters were based solely on the rejections detected during LDAP acceptance queries. Now, the DHAP counters include both RAT rejections and LDAP acceptance query rejections. DHAP settings are now configured in the Mail Flow Policy rather than in the Listener settings.

• LDAP Referrals. The 5.5 version of AsyncOS supports LDAP referrals. When you use LDAP referrals, the original query gets referred to another LDAP server. For example, the following log shows a query that is referred from server openLDAP1 to server ldap_server2.com:

Tue Jun 26 13:19:54 2007 Debug: LDAP: (accept) Query
(mail=user@domain.com) to server openLDAP1 (ldap_server1.com:389)
Tue Jun 26 13:19:54 2007: LDAP: Query (mail=user@domain.com)
following continuation: ldap://ldap_server2.com/ ou=test,ou=people,dc=com??sub
Tue Jun 26 13:19:54 2007: LDAP: (accept) Query
(mail=user@domain.com) lookup success, returned 1 results

IMPORTANT: When you use LDAP referrals, you must have configured an LDAP server profile for each LDAP server you want to refer to. In the previous example, you would need to configure an LDAP server profile for openLDAP1 and ldap_server2.com.

• LDAP caches. In previous releases, LDAP cache settings were configured for each LDAP query. In AsyncOS 5.5, LDAP caches are now associated with the server profile, and cache settings are the same for all LDAP queries. When you upgrade from previous versions, the highest cache values from the previous configuration are used as the upgraded cache value. For example, if you set the maximum retained cache entries to a value of 1000 for the routing query, and a maximum retained cache entries to a value of 5000 for the Accept query, the upgraded value would be 5000 for all queries.

• Bypass LDAP Acceptance query. If you configure LDAP acceptance queries, you may wish to bypass the acceptance query for certain recipients. This feature can be useful if there are recipients for whom you receive email which you do not want to be delayed or queued during LDAP queries, such as customercare@example.com. You can configure
bypassing LDAP acceptance via the GUI or from the CLI. To configure bypassing LDAP acceptance via the GUI, select Bypass LDAP Accept Queries for this Recipient when you add or edit the RAT entry.

To configure bypassing LDAP acceptance queries via the CLI, answer yes to the following question when you enter recipients using the listenerconfig -> edit -> rcptaccess command:

Note — When you configure a RAT entry to bypass LDAP acceptance, be aware that the order of RAT entries affects how recipient addresses are matched. The RAT matches the recipient address with the first RAT entry that qualifies.

For example, you have the following RAT entries:

postmaster@ironport.com and ironport.com.

You configure the entry for postmaster@ironport.com to bypass LDAP acceptance queries, and you configure the entry for ironport.com for ACCEPT. When you receive mail for postmaster@ironport.com, the LDAP acceptance bypass will occur only if the entry for postmaster@ironport.com is before the entry for ironport.com. If the entry for ironport.com is before the postmaster@ironport.com entry, the RAT matches the recipient address to this entry and applies the ACCEPT action.

For information about configuring new LDAP settings, see “LDAP Queries” in the IronPort AsyncOS Advanced User Guide.
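To make the first-match RAT rule and the chain-query behaviour described above concrete, here is an added Python model. It is not IronPort code; the RAT entries, the directory records, the attribute list (maillocaladdress, mail) and all function names are constructed for illustration.

```python
# Added illustration, not AsyncOS code: models (1) the RAT applying the FIRST
# matching entry, with the "bypass LDAP accept" flag, and (2) a chain query that
# tries several attributes in order until one returns a positive result.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RatEntry:
    pattern: str                     # "user@domain" or a bare "domain"
    action: str                      # "ACCEPT" or "REJECT"
    bypass_ldap_accept: bool = False # RAT option added in AsyncOS 5.5


def matches(entry: RatEntry, rcpt: str) -> bool:
    """Exact address match, or domain match when the pattern has no '@'."""
    if "@" in entry.pattern:
        return rcpt.lower() == entry.pattern.lower()
    return rcpt.lower().endswith("@" + entry.pattern.lower())


def rat_lookup(rat: list[RatEntry], rcpt: str) -> RatEntry | None:
    """The RAT uses the first entry that qualifies, so entry order matters."""
    for entry in rat:
        if matches(entry, rcpt):
            return entry
    return None


def chain_query(directory: list[dict], attrs: list[str], rcpt: str) -> bool:
    """One query per attribute, in order; stop at the first positive response."""
    for attr in attrs:
        if any(rec.get(attr, "").lower() == rcpt.lower() for rec in directory):
            return True
    return False  # final query in the chain was negative


def accept_recipient(rat: list[RatEntry], directory: list[dict],
                     attrs: list[str], rcpt: str) -> str:
    """Decision for one RCPT TO, combining the RAT and the LDAP acceptance query."""
    entry = rat_lookup(rat, rcpt)
    if entry is None or entry.action != "ACCEPT":
        return "REJECT"                      # not a domain we accept mail for
    if entry.bypass_ldap_accept:
        return "ACCEPT (LDAP bypassed)"      # no LDAP query is issued at all
    return "ACCEPT" if chain_query(directory, attrs, rcpt) else "REJECT (LDAP)"


# Constructed sample data mirroring the thread's example.
RAT_GOOD = [RatEntry("postmaster@ironport.com", "ACCEPT", bypass_ldap_accept=True),
            RatEntry("ironport.com", "ACCEPT")]
RAT_BAD = list(reversed(RAT_GOOD))   # domain entry first: bypass never reached
DIRECTORY = [{"maillocaladdress": "alice@ironport.com"}, {"mail": "bob@ironport.com"}]
ATTRS = ["maillocaladdress", "mail"]
```

With RAT_BAD the postmaster address matches the ironport.com entry first, so the LDAP query runs and fails because postmaster has no directory record; with RAT_GOOD the bypass takes effect.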

New Member

Re: Changes in LDAP/SMTPAuth going from 5.1.2 to 5.5.1(11)

Thanks for the info.
After various days of attempts, configuration changes etc we have discovered the problem was with our LDAP master server that had started having problems replicating to the secondary servers used by our Ironports to authenticate logins/passwords.
The problem is now solved.
