Cisco Email Security Appliance C170 User Guide
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3 LDAP Queries
Group LDAP Queries
You can define a query to your LDAP servers to determine if a recipient is a member of a group as
defined by your LDAP directory.
Configuring LDAP group queries involves three steps:
Step 1  Create a message filter that uses a rcpt-to-group or mail-from-group rule to act upon the message.
Step 2  Then, use the System Administration > LDAP page (or the ldapconfig command) to define the LDAP server for the appliance to bind to and configure a query for a group membership.
Step 3  Use the Network > Listeners page (or the listenerconfig -> edit -> ldapgroup subcommand) to enable the group query for the listener.
Sample Group Queries
For example, suppose that your LDAP directory classifies members of the “Marketing” group as ou=Marketing. You can use this classification to treat messages sent to or from members of this group in a special way. Step 1 creates a message filter to act upon the message, and Steps 2 and 3 enable the LDAP lookup mechanism.
Configuring a Group Query
In the following example, mail from members of the Marketing group (as defined by the LDAP group “Marketing”) will be delivered to the alternate delivery host marketingfolks.example.com.
Step 1  First, a message filter is created to act upon messages that match positively for group membership. In this example, a filter is created that uses the mail-from-group rule. All messages whose Envelope Sender is found to be in the LDAP group “marketing-group1” will be delivered with an alternate delivery host (the filter's alt-mailhost action).
The group membership field variable (groupName) will be defined in step 2. The group attribute “groupName” is defined with the value marketing-group1.
Table 3-5  Example LDAP Query Strings for Common LDAP Implementation: Group

Query for:                  Group
OpenLDAP                    OpenLDAP does not support the memberOf attribute by default. Your LDAP Administrator may add this attribute or a similar attribute to the schema.
Microsoft Active Directory  (&(memberOf={g})(proxyAddresses=smtp:{a}))
SunONE Directory Server     (&(memberOf={g})(mailLocalAddress={a}))
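
An added example, not part of the Cisco guide: it expands the Table 3-5 query strings for a given address ({a}) and group ({g}) with RFC 4515 escaping and evaluates the result against a constructed directory entry, which is one way to sanity-check a group query offline before enabling it on a listener. The function names, the sample entry and the group DN are assumptions made for illustration.

```python
# Added example (not Cisco code): expand the Table 3-5 group query templates
# and evaluate them against a constructed directory entry, offline.
import re

AD_TEMPLATE = '(&(memberOf={g})(proxyAddresses=smtp:{a}))'
SUNONE_TEMPLATE = '(&(memberOf={g})(mailLocalAddress={a}))'

# One equality assertion; a raw '*', '(' or ')' in the value is not accepted.
CLAUSE = re.compile(r'\(([A-Za-z][\w-]*)=((?:[^()*\\]|\\[0-9a-fA-F]{2})*)\)')

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so the value stays a literal."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def expand(template, address, group):
    """Fill {a} (address) and {g} (group) in one pass, escaping both."""
    values = {'a': address, 'g': group}
    return re.sub(r'\{([ag])\}',
                  lambda m: escape_filter_value(values[m.group(1)]), template)

def unescape_filter_value(value):
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)

def parse_and_filter(ldap_filter):
    """Parse '(&(attr=value)...)' into [(attr, value)]; reject anything else."""
    if not (ldap_filter.startswith('(&') and ldap_filter.endswith(')')):
        raise ValueError('expected an (&...) filter')
    body = ldap_filter[2:-1]
    clauses = CLAUSE.findall(body)
    # Re-serialising must reproduce the body exactly, or something was skipped.
    if not clauses or ''.join('(%s=%s)' % c for c in clauses) != body:
        raise ValueError('malformed or unsupported filter: %r' % ldap_filter)
    return [(a.lower(), unescape_filter_value(v)) for a, v in clauses]

def is_member(entry, template, address, group):
    """True if every assertion matches a value of the entry (case-insensitive)."""
    for attr, wanted in parse_and_filter(expand(template, address, group)):
        if wanted.casefold() not in [v.casefold() for v in entry.get(attr, [])]:
            return False
    return True

# Constructed sample entry (assumption: memberOf holds the group's DN).
GROUP_DN = 'CN=Marketing (EMEA),OU=Groups,DC=example,DC=com'
ALICE = {'memberof': [GROUP_DN],
         'proxyaddresses': ['SMTP:alice@example.com', 'smtp:a.smith@example.com']}
```

The parentheses in the constructed group DN are the case to watch: substituted without escaping, they produce a filter that parse_and_filter rejects as malformed.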
mail3.example.com> filters
Choose the operation you want to perform:
- NEW - Create a new filter.