Cisco Support Community
New Member

LDAP Recursion

Some of our AD groups contain other AD groups, and LDAP membership checks don't appear to pick this up.

E.g., if I am a member of GroupA and GroupA is a member of GroupB, and there is an outgoing mail policy looking for the sender to be a member of GroupB, it will not trigger when I send an email. If I'm a member of GroupA and GroupB, then it works.

Is this something that can be changed, or will I have to unravel the groups I want to check against?

New Member

Nested Active Directory Groups

Great post, AndrewR. I have been working on this issue for a while now and have not found a way to accomplish this either. IronPort Support has indicated that it is not possible and that they are working on it. I can make it work from a Linux box with no problems but have not been able to make it work with IronPort. The workaround that I used was, in the Mail Policy, to just add a query for Group A and another one for Group B. I would think that this doubles the LDAP queries, but thus far it has worked OK.

New Member

Re: LDAP Recursion

Yeah, that's basically the conclusion I came to as well. I opened a support ticket and from the output I sent they have said that we're hitting a recursion limit! Quite why the limit is set at 1 I don't know :)

Basically we're now checking for Group A and B, like you say. Shame, but it works.
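The behaviour the two posts above describe (a one-hop membership check that misses nested groups, and the workaround of checking Group A and Group B separately) can be reproduced outside the appliance. The following is an added example, not code from the thread or from the IronPort product: it resolves group membership over a small constructed in-memory directory with a configurable recursion depth, so the reader can see exactly which cases a depth-1 check misses and why the two-query workaround recovers them. The directory entries, DNs and the helper names (`effective_groups`, `is_member`, `is_member_of_any`, `in_chain_filter`) are all assumptions made for the example; the cyclic nesting GroupA -> GroupB -> GroupC -> GroupA is included deliberately, because AD permits it and a naive recursive resolver would loop on it.

```python
"""Nested-group membership resolution over a constructed directory.

Added example, not code from the thread or from the IronPort appliance.
It models what a mail policy's group check has to do when AD groups contain
other groups, and shows why a recursion limit of 1 (user -> direct groups only)
misses users whose membership is only via a nested group.
"""

# Constructed sample directory: DN -> the groups that entry is a DIRECT member of.
# Nothing here is real data.
DIRECTORY = {
    "CN=Andrew,OU=Users,DC=example,DC=com": [
        "CN=GroupA,OU=Groups,DC=example,DC=com",
    ],
    "CN=GroupA,OU=Groups,DC=example,DC=com": [
        "CN=GroupB,OU=Groups,DC=example,DC=com",
    ],
    "CN=GroupB,OU=Groups,DC=example,DC=com": [
        "CN=GroupC,OU=Groups,DC=example,DC=com",
    ],
    "CN=GroupC,OU=Groups,DC=example,DC=com": [
        "CN=GroupA,OU=Groups,DC=example,DC=com",  # deliberate cycle A->B->C->A
    ],
    "CN=Jane,OU=Users,DC=example,DC=com": [
        "CN=GroupA,OU=Groups,DC=example,DC=com",
        "CN=GroupB,OU=Groups,DC=example,DC=com",
    ],
}


def effective_groups(dn, max_depth=None):
    """Return the set of groups `dn` belongs to, following group nesting.

    max_depth=1 reproduces a one-hop check (direct memberOf only);
    max_depth=None follows nesting to any depth. The `seen` set doubles as
    a cycle guard, so cyclic nesting terminates instead of recursing forever.
    """
    seen = set()
    frontier = [dn]
    depth = 0
    while frontier and (max_depth is None or depth < max_depth):
        next_frontier = []
        for entry in frontier:
            for group in DIRECTORY.get(entry, []):
                if group not in seen:
                    seen.add(group)
                    next_frontier.append(group)
        frontier = next_frontier
        depth += 1
    return seen


def is_member(dn, group_dn, max_depth=None):
    """Single-group check, as a mail policy condition would perform it."""
    return group_dn in effective_groups(dn, max_depth)


def is_member_of_any(dn, group_dns, max_depth=1):
    """The thread's workaround: several one-hop group queries OR'd together."""
    return any(is_member(dn, g, max_depth) for g in group_dns)


def _escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return (
        value.replace("\\", "\\5c")
        .replace("*", "\\2a")
        .replace("(", "\\28")
        .replace(")", "\\29")
        .replace("\x00", "\\00")
    )


def in_chain_filter(group_dn):
    """Build the AD server-side nested-membership filter for `group_dn`.

    1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN;
    the DC walks the nesting itself, so the client needs no recursion at all.
    Whether a given appliance's query syntax accepts this is not something
    the thread establishes; test it against the directory with a generic LDAP client first.
    """
    return "(memberOf:1.2.840.113556.1.4.1941:=" + _escape_filter_value(group_dn) + ")"


if __name__ == "__main__":
    andrew = "CN=Andrew,OU=Users,DC=example,DC=com"
    group_b = "CN=GroupB,OU=Groups,DC=example,DC=com"
    print("depth 1 :", is_member(andrew, group_b, max_depth=1))   # False: nested only
    print("no limit:", is_member(andrew, group_b))                # True
    print("filter  :", in_chain_filter(group_b))
```

With `max_depth=1` the check for Andrew against GroupB fails, exactly as in the original post, while Jane (a direct member of both) passes; lifting the limit makes Andrew pass and still terminates on the A->B->C->A cycle. The `in_chain_filter` helper is the one-query alternative on the directory side: it pushes the recursion to the domain controller, which is worth knowing when the membership check can be expressed as an arbitrary filter rather than a fixed "member of group" template.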

New Member

Re: LDAP Recursion

AndrewR, JMeyer5241, this is very surprising but seems to be the reality. I have run into the same problem as well!

Group membership via LDAP browsers or a Linux box is working fine, but IronPort doesn't seem to be able to see membership from nested groups.

Have you got any other solution to this than creating separate queries for the different groups?

A side note. I have 5 different AD groups in mail policies; those are working just fine. Each of those groups will get 5 new nested groups on Monday. After initial tests and quick calculations I'm afraid that I'll have a headache the size of the universe on Monday morning :?

I'm more than thankful if you have any updates in this case!

New Member

Re: LDAP Recursion

Unfortunately not - we're still doing the member of group A or group B check!

It's a pain, but it's only for this one policy fortunately, so not too bad for us.

Re: LDAP Recursion

Can 'Chain Query' do the job? (I did not try.)

New Member

Re: LDAP Recursion

Nope, chained queries are for different domains, rather than groups within a domain.

Re: LDAP Recursion

I mean, can this be done?

Create two different LDAP profiles for the different group LDAP queries (profile1: ldap1server, groupA; profile2: ldap1server, groupB).

Then chain the queries.

Will it work?
