Cisco Support Community
Community Member

LDAP instead of RAT

Hey,

This may be a very stupid question, but I'm new to IronPort.

At the moment our IronPort checks whether an email is accepted by the RAT. Soon I plan to use LDAP.
Is it possible to use an LDAP query instead of the RAT?
Regarding the listener, I can't modify the field "Recipient Access Table".

Thx.

7 REPLIES
Community Member

Re: LDAP instead of RAT

sven -

that's a fine question as many people need to accomplish that. you do not necessarily edit or remove your RAT, you just add another layer of checking.

you'll need an LDAP accept query - and here's how to do it:
http://tinyurl.com/hjsn4

take care!

Community Member

Re: LDAP instead of RAT

Hi,
Sorry, but I didn't have the time until now to try it out.

So I experimented yesterday and found my next question:

I don't want to accept all the addresses listed in my AD. So an accept query would be the wrong way. It has to be a group query.

This is also definable on the listener. But I can't find the right place to tell the IronPort which group this group query should check against.

I hope you understand what i want to do.
Don't hesitate to ask me for more information ;)


THX!

Community Member

Re: LDAP instead of RAT

yea that makes sense to me for the most part.

you probably want to add a term to your query that enforces this "group" name. that means taking your default query (which I'm guessing at since you haven't provided one) and adding a group-like statement for the following logic:

(memberOf = actual DN) AND (mail OR proxyAddresses = rcpt to address)

in actual syntax for your AD it might look like:

&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail={a})(proxyAddresses=smtp:{a}))

give that a shot.

andrew

Community Member

Re: LDAP instead of RAT

Hi,

I had the same idea yesterday morning, but the following message appears when I use the "test" button on the LDAP configuration page:
(I used the fully qualified name of a group which exists in my AD ;-) --> same result)


Query results for host:XXX.XXX.XXX.XXX
Query (&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de))) to server ldap_recieve (xxx.xxx.xxx.xxx:389)
Query (&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de))) lookup failed: LDAP Query Syntax Error: Invalid character 'w' at position 16 of query "(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de)))"
Failure: LDAP Query Syntax Error: Invalid character 'w' at position 16 of query "(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|(mail=test@email.de)(otherMailbox=test@email.de)(proxyAddresses=smtp:test@email.de)))"



UPDATE:
A few minutes ago I ran 2 tests:
1. I enabled the group query (not paying attention to the wrong syntax) and changed the value of "all other recipients" in my RAT from reject to accept.
--> Every email passed the RAT, but I saw the attempt of an LDAP request with the same failure as described above.

2. I enabled the group query (not paying attention to the wrong syntax) and left the value of "all other recipients" at "reject".
--> Using tail I got the message "Adress rejected by RAT" and did not see any LDAP request.

Community Member

Re: LDAP instead of RAT

sven -

do you mind opening a support case on this? i am 99% sure there is a defect which requires us to escape our distinguished name values '=' with '%3d' or something along those lines to look like 'CN%3dfoo,DC%3dbar' etc. if we get a support case and remote access tunnel, we can isolate your requirements and run an ldapsearch against your directory to confirm this.

i just need to look further in to it before confirming. we can always post the answer back here in any case.

andrew

Community Member

Re: LDAP instead of RAT

Hi,

support case has been opened: #525239

Community Member

Re: LDAP instead of RAT

Hi,

you're almost right!

I think support and I found the solution nearly in parallel :-D

As already posted, you have to replace the "=" in the fully qualified name of the group with the string "\3d".

So the syntax for the accept query looks like this:


&(memberOf=CN\3dwe,CN\3dfoo,DC\3dbar,DC\3dtld")(|(mail={a})(proxyAddresses=smtp:{a})) 
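As an added example (not code from the thread, from Cisco, or from AsyncOS), here is a small Python builder for the group accept query discussed above. It applies the "=" to "\3d" replacement from the final answer to the group DN, and also hex-escapes the characters RFC 4515 treats as filter syntax so that a recipient address substituted into the filter cannot change its meaning. "{a}" is kept literal as the placeholder the appliance fills with the RCPT TO address; the function and attribute names are my own.

```python
# Added example, not from the thread or from Cisco. Builds the IronPort-style
# group accept query with the memberOf DN escaped as the thread's final
# answer shows ('=' -> '\3d') and with RFC 4515 escaping of filter metacharacters.

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
RFC4515_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str, escape_equals: bool = False) -> str:
    """Hex-escape characters that would otherwise be parsed as filter syntax.

    escape_equals=True additionally turns '=' into '\\3d'; this is what the
    appliance needed for the DN in memberOf according to the thread's resolution.
    """
    out = []
    for ch in value:
        if ch in RFC4515_SPECIALS:
            out.append(RFC4515_SPECIALS[ch])
        elif escape_equals and ch == "=":
            out.append(r"\3d")
        else:
            out.append(ch)
    return "".join(out)


def build_group_accept_query(group_dn: str, rcpt: str = "{a}") -> str:
    """(memberOf = group DN) AND (mail OR proxyAddresses = recipient).

    rcpt defaults to "{a}", the placeholder the appliance replaces with the
    RCPT TO address at query time. Pass a literal address to test offline;
    a literal address is escaped too, so '*' or ')' in a recipient cannot
    rewrite the filter (LDAP filter injection).
    """
    dn = escape_filter_value(group_dn, escape_equals=True)
    addr = rcpt if rcpt == "{a}" else escape_filter_value(rcpt)
    return f"(&(memberOf={dn})(|(mail={addr})(proxyAddresses=smtp:{addr})))"


if __name__ == "__main__":
    # Constructed sample DN matching the one used in the thread.
    print(build_group_accept_query("CN=we,CN=foo,DC=bar,DC=tld"))
    print(build_group_accept_query("CN=we,CN=foo,DC=bar,DC=tld", "test@email.de"))
```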
