Cisco Email Security Appliance X1070 Troubleshooting Guide

How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
Document ID: 118218
Contributed by Dominic Yip and Andreas Mueller, Cisco TAC Engineers.
Aug 12, 2014
Contents
Question:
Question:
How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
Note: The following example integrates with a standard Microsoft Active Directory deployment, although the principles can be applied to many types of LDAP implementations.
You will first create an LDAP server entry, at which point you must specify your directory server as well as the query that the Email Security Appliance will perform. The query is then enabled or applied on your incoming (public) listener. These LDAP server settings can be shared by different listeners and other parts of the configuration such as end-user quarantine access.
To facilitate the configuration of the LDAP queries on your IronPort appliance, we recommend that you use an LDAP browser, which allows you to take a look at your schema as well as all the attributes upon which you can query.
For Microsoft Windows, you can use:
• Softterra's LDAP browser
• Ldp
• Adsiedit
For Linux or UNIX, you can use the ldapsearch command.
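The following is an added example, not code from the Cisco document. It models, offline, what the appliance does with an accept query so that you can check a query and the matching ldapsearch command before enabling it on a listener: the recipient address from the SMTP envelope is escaped per RFC 4515 before it is substituted into the filter (so an address containing filter metacharacters cannot change the filter's structure), the ldapsearch command line is built for either the domain port 389 or the Global Catalog port 3268, and a small constructed directory stands in for Active Directory search results. The `{a}` placeholder, the filter `(|(mail={a})(proxyAddresses=smtp:{a}))`, the host names, DNs and directory entries are all assumptions or constructed sample data; confirm the placeholder and attributes against your own AsyncOS version and schema.

```python
"""Offline model of an ESA LDAP accept query against Active Directory.

Added example, not code from the Cisco document. Assumptions:
  - the appliance substitutes the recipient address for {a} in the query
    template (confirm against your AsyncOS version)
  - (|(mail={a})(proxyAddresses=smtp:{a})) is a typical AD accept query;
    adjust the attributes to what your LDAP browser shows in your schema
  - host names, DNs and directory entries below are constructed sample data
"""
import shlex

# Typical Active Directory accept query (assumption; not quoted from the document).
AD_ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"

LDAP_PORT = 389   # single domain
GC_PORT = 3268    # Global Catalog: partial attributes for the whole forest


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    The recipient address comes straight from the SMTP envelope, so it must
    not be allowed to alter the structure of the filter.
    """
    out = []
    for ch in value:
        if ch in "*()\\":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        elif ord(ch) > 0x7F:
            # non-ASCII is legal in a filter, but escaping each UTF-8 byte
            # keeps the filter printable in logs and shell commands
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_accept_query(recipient: str, template: str = AD_ACCEPT_QUERY) -> str:
    """Expand the {a} placeholder with the escaped recipient address."""
    return template.replace("{a}", escape_filter_value(recipient))


def ldapsearch_command(host: str, base_dn: str, bind_dn: str, recipient: str,
                       use_global_catalog: bool = False) -> str:
    """Build the ldapsearch command line used to verify the query by hand.

    With use_global_catalog=True the query goes to port 3268, which is what
    you need when recipients live in subdomains below the root domain's base DN.
    """
    port = GC_PORT if use_global_catalog else LDAP_PORT
    argv = [
        "ldapsearch", "-x",              # simple bind
        "-H", f"ldap://{host}:{port}",
        "-D", bind_dn, "-W",             # bind DN, prompt for the password
        "-b", base_dn,
        build_accept_query(recipient),
        "mail", "proxyAddresses",        # attributes to return
    ]
    return shlex.join(argv)


# Constructed sample entries standing in for Active Directory search results.
SAMPLE_DIRECTORY = [
    {"mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:alice.smith@example.com"]},
    {"mail": "bob@sub.example.com",
     "proxyAddresses": ["SMTP:bob@sub.example.com"]},
]


def recipient_accepted(recipient: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Emulate what the accept query returns for one recipient.

    Active Directory matches mail and proxyAddresses case-insensitively; the
    appliance accepts the recipient when at least one entry matches.
    """
    r = recipient.lower()
    for entry in directory:
        if entry.get("mail", "").lower() == r:
            return True
        if any(pa.lower() == "smtp:" + r for pa in entry.get("proxyAddresses", [])):
            return True
    return False


if __name__ == "__main__":
    print(ldapsearch_command("myldapserver.example.com", "dc=example,dc=com",
                             "cn=esa-bind,ou=service,dc=example,dc=com",
                             "alice@example.com", use_global_catalog=True))
    for rcpt in ("Alice.Smith@example.com", "carol@example.com"):
        print(rcpt, "->", "accept" if recipient_accepted(rcpt) else "reject")
```

Run the printed ldapsearch command against your own directory (with a real bind DN and base DN) to confirm the attributes return what you expect before applying the query to the listener; if the search returns nothing for a user in a subdomain, switch to the Global Catalog port.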
First, you need to define the LDAP server to query. In this example, the nickname "PublicLDAP" is given for the myldapserver.example.com LDAP server. Queries are directed to TCP port 389 (the default).
Note: If your Active Directory implementation contains subdomains, you will not be able to query for users in a subdomain using the base DN of the root domain. However, when using Active Directory, you may also query LDAP against the Global Catalog (GC) server on TCP port 3268. The GC contains partial information for *all* objects in the Active Directory forest and provides referrals to the subdomain in question when