Cisco Email Security Appliance C160 User Guide
3-33
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3 LDAP Queries
The Cisco IronPort appliance takes an arbitrary username from the SMTP Auth exchange and converts that to an LDAP query that fetches the clear or hashed password field. It will then perform any necessary hashing on the password supplied in the SMTP Auth credentials and compare the results with what it has retrieved from LDAP (with the hash type tag, if any, removed). A match means that the SMTP Auth conversation shall proceed. A failure to match will result in an error code.
Configuring an SMTP Authentication Query
When configuring an SMTP Authentication query, you specify the following information:

Table 3-6 SMTP Auth LDAP Query Fields

Name: A name for the query.

Query String: You can select whether to authenticate via LDAP bind or by fetching the password as an attribute.
Bind: Attempt to log into the LDAP server using the credentials supplied by the client (this is called an LDAP bind).
Password as Attribute: To authenticate by fetching passwords, specify the password in the SMTP Auth password attribute field below.
Specify the LDAP query to use for either kind of authentication.
Active Directory example query:
(&(samaccountname={u})(objectCategory=person)(objectClass=user))

Maximum number of concurrent connections: Specify the maximum number of concurrent connections to be used by the SMTP Auth query. This number should not exceed the number specified in the LDAP server attributes above. Note: to avoid a large number of session time-outs for bind authentication, increase the maximum number of concurrent connections here (typically nearly all of the connections can be assigned to SMTP Auth). A new connection is used for each bind authentication. The remaining connections are shared by the other LDAP query types.

SMTP Auth Password Attribute: If you have selected “Authenticate by fetching the password as an attribute,” you can specify the password attribute here.

In the following example, the System Administration > LDAP page is used to edit the LDAP configuration named “PublicLDAP” to include an SMTPAUTH query. The query string (uid={u}) is constructed to match against the userPassword attribute.
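The "password as attribute" flow described at the top of this chapter (substitute the SMTP Auth username into the query string, fetch the password attribute, strip the hash type tag, hash the supplied password the same way, compare) and the query string row of Table 3-6 can both be walked through in code. The example below is an added illustration, not code from the appliance or from Cisco: it uses a toy in-memory directory in place of an LDAP server, a minimal evaluator that understands only the AND-of-equalities shape of the Active Directory example query, and an assumed set of tagged userPassword schemes ({SHA}, {SSHA}, {MD5}, {SMD5}, or untagged clear text). The sample entries, passwords and fixed salt are constructed for the demo. Because the username arrives unauthenticated from the SMTP client, it is escaped per RFC 4515 before it replaces {u}, so it can only ever be an assertion value and never alter the filter's structure. Bind mode is not modelled: there the appliance hands the credentials to the directory and the comparison happens server-side.

```python
import base64
import hashlib
import hmac
import re

# Added, constructed illustration of the "password as attribute" flow on this
# page. The toy directory, the hash schemes and the entries are assumptions for
# the demo, not the appliance's own code or data.

AD_QUERY = '(&(samaccountname={u})(objectCategory=person)(objectClass=user))'

# Digest lengths of the tagged userPassword schemes this demo understands.
DIGEST_LEN = {'SHA': 20, 'SSHA': 20, 'MD5': 16, 'SMD5': 16}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so the username cannot change
    the filter's structure when it is substituted for {u}."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def build_query(template: str, username: str) -> str:
    """Substitute the SMTP Auth username for {u} in the configured query string."""
    return template.replace('{u}', escape_filter_value(username))


def search(directory: list, query: str) -> list:
    """Minimal evaluator for an AND of equality assertions, enough for the
    Active Directory example query. Attribute names are case-insensitive."""
    assertions = [(attr.lower(), unescape_filter_value(val))
                  for attr, val in re.findall(r'\((\w+)=([^()]*)\)', query)]
    hits = []
    for entry in directory:
        lowered = {k.lower(): v for k, v in entry.items()}
        if all(lowered.get(attr) == val for attr, val in assertions):
            hits.append(entry)
    return hits


def _digest(password: str, scheme: str, salt: bytes) -> bytes:
    algo = 'sha1' if scheme in ('SHA', 'SSHA') else 'md5'
    return hashlib.new(algo, password.encode() + salt).digest()


def hash_password(password: str, scheme: str, salt: bytes = b'') -> str:
    """Produce a tagged userPassword value such as {SSHA}base64(digest + salt)."""
    digest = _digest(password, scheme, salt)
    return '{%s}%s' % (scheme, base64.b64encode(digest + salt).decode())


def verify_password(stored: str, supplied: str) -> bool:
    """Strip the {TAG}, hash the supplied credential the same way, and compare
    in constant time. An untagged value is treated as clear text."""
    m = re.match(r'^\{([A-Za-z0-9]+)\}(.*)$', stored, re.S)
    if not m:
        return hmac.compare_digest(stored.encode(), supplied.encode())
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme not in DIGEST_LEN:
        return False  # unknown scheme: fail closed rather than guess
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    n = DIGEST_LEN[scheme]
    digest, salt = raw[:n], raw[n:]
    if len(digest) != n or (scheme in ('SHA', 'MD5') and salt):
        return False  # malformed value for the declared scheme
    return hmac.compare_digest(_digest(supplied, scheme, salt), digest)


def authenticate(directory: list, template: str, username: str, password: str) -> bool:
    """The page's flow: query on the username, fetch the password attribute,
    compare. Exactly one matching entry is required."""
    entries = search(directory, build_query(template, username))
    if len(entries) != 1:
        return False
    return verify_password(entries[0].get('userPassword', ''), password)


# Constructed sample directory; the SSHA salt is fixed so the demo is repeatable.
DIRECTORY = [
    {'sAMAccountName': 'alice', 'objectCategory': 'person', 'objectClass': 'user',
     'userPassword': hash_password('correct horse', 'SSHA', salt=b'\x01\x02\x03\x04')},
    {'sAMAccountName': 'bob', 'objectCategory': 'person', 'objectClass': 'user',
     'userPassword': hash_password('hunter2', 'SHA')},
    {'sAMAccountName': 'svc-backup', 'objectCategory': 'person', 'objectClass': 'user',
     'userPassword': 'plaintext-secret'},  # untagged: stored in the clear
]

if __name__ == '__main__':
    print(build_query(AD_QUERY, 'alice'))
    print(authenticate(DIRECTORY, AD_QUERY, 'alice', 'correct horse'))
    print(authenticate(DIRECTORY, AD_QUERY, 'alice', 'wrong'))
```

Two design points carry over to a real deployment. First, an unrecognised hash tag or a malformed base64 payload fails closed; silently falling back to a clear-text comparison would let a mis-stored attribute authenticate anyone. Second, requiring exactly one matching entry avoids authenticating against an arbitrary entry when a query template is loose enough to match several objects. For a production directory, the attribute mode also means the appliance's service account must be granted read access to the password attribute, which is a reason many sites prefer the bind mode the table describes.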