Cisco Support Community
New Member

LDAP Accept Query for AD

I'd like to set up an LDAP Accept query against AD & Exchange to verify recipient addresses. When I test the query, I'm getting a configuration error. I'm using the following query string: (|(mail={a})(proxyAddresses=smtp:{a})). I'm an IronPort newbie so am probably overlooking something simple.

6 REPLIES
New Member

Re: LDAP Accept Query for AD

This is what I am using for the accept query:

(proxyAddresses=smtp:{a})

Also tested:

(|(mail={a})(proxyAddresses=smtp:{a}))

Both seem to work.

The other thing to look at is whether you are using authenticated or anonymous LDAP. If you are using a username and password, check that the details are correct.

New Member

Re: LDAP Accept Query for AD

Also double-check which port is being used; if you only have one AD server, you may be able to communicate on both 3268 and 389.
One way of testing network connectivity is to telnet from the command line to both ports; once you know they work, you can start testing the username/password for the BIND procedure (authentication).
You can enter just the username, not domain\username.

Apart from that, the query string looks fine; it will simply check both attributes for the RCPT TO value.
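To make concrete what the query string posted above does when the appliance substitutes the RCPT TO address for `{a}` and "checks both attributes", here is an added example (not from the thread, not Cisco's code, and not a description of how the appliance itself performs the substitution). It builds the filter from a recipient address with RFC 4515 escaping, so the address can only ever act as a value inside the filter, and then evaluates the filter's meaning against a small constructed directory. The directory entries, the `example.com` addresses and the assumption that AD compares `mail` and `proxyAddresses` case-insensitively are mine.

```python
"""
Added example: build an IronPort-style LDAP accept query from a recipient
address and show what it asks of the directory.  Nothing here is Cisco's
code; the directory below is constructed for the example.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The template from the thread; {a} is the appliance's recipient-address token.
ACCEPT_QUERY_TEMPLATE = "(|(mail={a})(proxyAddresses=smtp:{a}))"

# Constructed AD-like entries (assumption, not data from the thread).  In AD the
# primary SMTP address carries an upper-case "SMTP:" prefix and aliases "smtp:".
SAMPLE_DIRECTORY = [
    {
        "mail": "jdoe@example.com",
        "proxyAddresses": [
            "SMTP:jdoe@example.com",
            "smtp:john.doe@example.com",
            "X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=John;",
        ],
    },
    {"mail": "asmith@example.com", "proxyAddresses": ["SMTP:asmith@example.com"]},
]


def escape_filter_value(value):
    """Escape an assertion value so it cannot alter the structure of the filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_accept_query(rcpt, template=ACCEPT_QUERY_TEMPLATE):
    """Substitute the escaped RCPT TO address for every {a} in the template."""
    return template.replace("{a}", escape_filter_value(rcpt))


def entry_matches(entry, rcpt):
    """Evaluate the meaning of the template against one entry.

    Assumption: AD matches mail and proxyAddresses case-insensitively, so the
    lower-case "smtp:" in the filter also matches the primary "SMTP:" value.
    """
    target = rcpt.casefold()
    if entry.get("mail", "").casefold() == target:
        return True
    for proxy in entry.get("proxyAddresses", []):
        scheme, _, addr = proxy.partition(":")
        if scheme.casefold() == "smtp" and addr.casefold() == target:
            return True
    return False


def recipient_accepted(rcpt, directory=SAMPLE_DIRECTORY):
    """True if any directory entry would satisfy the accept query for rcpt."""
    return any(entry_matches(entry, rcpt) for entry in directory)


if __name__ == "__main__":
    for rcpt in ("John.Doe@example.com", "nobody@example.com", "odd*)(name@example.com"):
        print(build_accept_query(rcpt), "->", "accept" if recipient_accepted(rcpt) else "reject")
```

The alias `john.doe@example.com` is accepted only through `proxyAddresses`, which is why the `(|...)` OR over both attributes matters for Exchange recipients with secondary addresses. The third address in the usage loop shows the escaping: its `*`, `)` and `(` come out as `\2a`, `\29` and `\28`, so the filter keeps exactly two comparisons.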

New Member

Re: LDAP Accept Query for AD

I discovered I had to use the IP address of the LDAP server instead of the Host name. All is working well now. Thanks for the help.

New Member

Re: LDAP Accept Query for AD

I'm noticing the following error message in my mail_logs file. Does this just indicate IronPort was not able to find a match for the sender address when querying AD, or is it a problem that I need to be concerned about?

Wed Mar 19 13:34:22 2008 Critical: LDAP: query DNS result DNS Hard Error looking up 10.1.255.2.unitedtrust.com (A): NXDomain

New Member

Re: LDAP Accept Query for AD

OK, so what happens on every connection is that the IronPort performs a forward and reverse lookup.
I'm having a stab in the dark that you are not using your own internal DNS server on the IronPort. If this is the case, then you probably need to swap it over.
If this continues, I would log a support ticket.

New Member

LDAP Accept Query for AD

You are correct. I'm using the Internet's Root DNS Servers and unitedtrust.com is our internal domain name. Our internal DNS is set to forward unresolved DNS queries to the DNS servers of our ISP. If I change IronPort to point to our internal DNS server, can you think of any negative ramifications?
