Cisco Email Security Appliance X1070 User Guide
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 26 LDAP Queries
Working with LDAP Queries
Note: The variable names you enter for queries are case-sensitive and must match your LDAP implementation in order to work correctly. For example, entering mailLocalAddress at a prompt performs a different query than entering maillocaladdress. Cisco Systems strongly recommends using the test subcommand of the ldapconfig command to test all queries you construct and ensure the proper results are returned.
Troubleshooting Connections to LDAP Servers
If the LDAP server is unreachable by the appliance, one of the following errors will be shown:
• Error: LDAP authentication failed: <LDAP Error "invalidCredentials" [0x31]>
• Error: Server unreachable: unable to connect
• Error: Server unreachable: DNS lookup failure
Note that a server may be unreachable because the wrong port was entered in the server configuration, or the port is not opened in the firewall. LDAP servers typically communicate over port 3268 or 389. Active Directory uses port 3268 to access the global catalog used in multi-server environments. (See the “Firewall Information” appendix for more information.) In AsyncOS 4.0, the ability to communicate to the LDAP server via SSL (usually over port 636) was added. For more information, see .
A server may also be unreachable because the hostname you entered cannot be resolved.
You can use the Test Server(s) on the Add/Edit LDAP Server Profile page (or the test subcommand of the ldapconfig command in the CLI) to test the connection to the LDAP server. For more information,
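A pre-check that separates the two "Server unreachable" causes described above (name resolution versus a closed or filtered port), run from an admin workstation against the ports this section names. This is an added example, not part of the Cisco guide or AsyncOS; the function names and result strings are assumptions, and a result from a workstation does not show what the appliance itself can reach.

```python
import socket
import sys

# Ports named in this section: 389 (LDAP), 3268 (Active Directory global
# catalog) and 636 (LDAP over SSL).
LDAP_PORTS = (389, 3268, 636)


def check_ldap_port(host, port, timeout=3.0,
                    resolve=socket.getaddrinfo,
                    connect=socket.create_connection):
    """Classify one host/port as 'reachable', 'dns lookup failure' or
    'unable to connect'. The result strings are this example's own labels.
    resolve/connect are injectable so the logic can be tested offline."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        # The name did not resolve: no port was ever tried.
        return "dns lookup failure"
    for _family, _type, _proto, _canon, sockaddr in infos:
        try:
            conn = connect(sockaddr[:2], timeout=timeout)
        except OSError:
            # Refused, timed out or filtered: try the next address, if any.
            continue
        conn.close()
        return "reachable"
    return "unable to connect"


def report(host, ports=LDAP_PORTS, **kwargs):
    """Check every port and return {port: result}."""
    return {port: check_ldap_port(host, port, **kwargs) for port in ports}


if __name__ == "__main__":
    # Usage: python ldap_precheck.py <ldap-server-hostname>
    if len(sys.argv) != 2:
        sys.exit("usage: ldap_precheck.py <ldap-server-hostname>")
    for port, result in report(sys.argv[1]).items():
        print(f"{sys.argv[1]}:{port} -> {result}")
```

A "reachable" result only shows that the TCP port accepts connections; it does not test bind credentials, which is what the invalidCredentials error reports.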
If the LDAP server is unreachable:
• If LDAP Accept or Masquerading or Routing is enabled on the work queue, mail will remain within the work queue.
• If LDAP Accept is not enabled but other queries (group policy checks, etc.) are used in filters, the filters evaluate to false.
Table 26-1 Testing LDAP Queries (continued)

| Query type | If a recipient matches (PASS)... | If a recipient does not match (FAIL)... |
|---|---|---|
| Spam Quarantine End-User Authentication (isqauth) | Returns a “match positive” for the end-user account. | No password match can occur; End-User Authentication attempts fail. |
| Spam Quarantine Alias Consolidation (isqalias) | Returns the email address that the consolidated spam notifications will be sent to. | No consolidation of spam notifications can occur. |