Cisco Email Security Appliance C680 User Guide

3-18
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3 LDAP Queries
Note
The variable names you enter for queries are case-sensitive and must match your LDAP implementation in order to work correctly. For example, entering mailLocalAddress at a prompt performs a different query than entering maillocaladdress. Cisco IronPort Systems strongly recommends using the test subcommand of the ldapconfig command to test all queries you construct and ensure the proper results are returned.
Troubleshooting Connections to LDAP Servers
If the LDAP server is unreachable by the appliance, one of the following errors will be shown:
  • Error: LDAP authentication failed: <LDAP Error "invalidCredentials" [0x31]>
  • Error: Server unreachable: unable to connect
  • Error: Server unreachable: DNS lookup failure
Note that a server may be unreachable because the wrong port was entered in the server configuration, or the port is not opened in the firewall. LDAP servers typically communicate over port 3268 or 389. Active Directory uses port 3268 to access the global catalog used in multi-server environments. (See “Firewall Information” in the Cisco IronPort AsyncOS for Email Configuration Guide for more information.) In AsyncOS 4.0, the ability to communicate to the LDAP server via SSL (usually over port 636) was added. For more information, see .
A server may also be unreachable because the hostname you entered cannot be resolved.
You can use the Test Server(s) on the Add/Edit LDAP Server Profile page (or the test subcommand of the ldapconfig command in the CLI) to test the connection to the LDAP server. For more information, see
If the LDAP server is unreachable:
  • If LDAP Accept or Masquerading or Routing is enabled on the work queue, mail will remain within the work queue.
  • If LDAP Accept is not enabled but other queries (group policy checks, etc.) are used in filters, the filters evaluate to false.
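The following is an added example, not Cisco's code and not the appliance's ldapconfig implementation: a small stand-alone probe that performs the same sequence the Test Server(s) check does (resolve the hostname, connect on the configured port, send an LDAPv3 simple bind) and reports the outcome in the three error categories listed above. The BER encoding, the SAMPLE_BIND_RESPONSE bytes and the RESULT_NAMES table are hand-constructed; host, port, DN and password are caller-supplied placeholders.

```python
import socket
def ber(tag, payload):
    """One BER TLV; uses long-form length when the payload is 128 bytes or more."""
    n = len(payload)
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(body)]) + body + payload
    return bytes([tag, n]) + payload
def read_tlv(data, i=0):
    """Decode one BER TLV at offset i -> (tag, value, offset after it)."""
    tag, n = data[i], data[i + 1]
    i += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(data[i:i + k], "big"), i + k
    return tag, data[i:i + n], i + n
def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)
RESULT_NAMES = {0: "success", 49: "invalidCredentials"}   # RFC 4511 resultCode values
def parse_bind_result(msg):
    """Return (resultCode, name) from a BindResponse [APPLICATION 1] message."""
    _, body, _ = read_tlv(msg)                        # outer LDAPMessage SEQUENCE
    _, _, i = read_tlv(body)                          # messageID
    tag, op, _ = read_tlv(body, i)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(op)                         # ENUMERATED resultCode
    return code[0], RESULT_NAMES.get(code[0], "other")
def describe(code, name):   # same wording the guide shows for a failed bind
    if code == 0:
        return "OK: bind succeeded"
    return f'Error: LDAP authentication failed: <LDAP Error "{name}" [0x{code:02x}]>'
def classify_connect_error(err):   # the guide's two "Server unreachable" messages
    if isinstance(err, socket.gaierror):              # test first: gaierror is an OSError
        return "Error: Server unreachable: DNS lookup failure"
    return "Error: Server unreachable: unable to connect"
def probe(host, port=389, dn="", password="", timeout=5.0):
    # Plain LDAP on 389/3268 only; port 636 would additionally need TLS wrapping first.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            return describe(*parse_bind_result(s.recv(4096)))
    except OSError as err:
        return classify_connect_error(err)

# Constructed BindResponse: messageID 1, resultCode 49, empty matchedDN and diagnosticMessage.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c020101" "6107" "0a0131" "0400" "0400")
```

Running probe("ldap.example.com", 3268, "cn=svc,dc=example,dc=com", "secret") against a real server returns one of the three error strings or the bind success line, so the same message can be compared with what the appliance reports.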
Acceptance (Recipient Validation) Queries
You can use your existing LDAP infrastructure to define how the recipient email address of incoming messages (on a public listener) should be handled. Changes to user data in your directories are picked up the next time the Cisco IronPort appliance queries the directory server. You can specify the size of the caches and the amount of time the Cisco IronPort appliance stores the data it retrieves.
Note
You may wish to bypass LDAP acceptance queries for special recipients (such as administrator@example.com). You can configure this setting from the Recipient Access Table (RAT). For information about configuring this setting, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide.