Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
 
Chapter 26 LDAP Queries
Working with LDAP Queries
The appliance should connect to a domain controller that is also a global catalog so that you can perform queries to different bases using the same server.
Within Active Directory, you may need to grant read permissions to the group “Everyone” to directory objects to yield successful queries. This includes the root of the domain naming context.
Generally, the value of the mail attribute entry in many Active Directory implementations has a matching value in the “ProxyAddresses” attribute entry.
Microsoft Exchange environments that are aware of each other within the infrastructure can usually route mail between each other without involving a route back to the originating MTA.
Testing LDAP Queries
Use the Test Query button on the Add/Edit LDAP Server Profile page (or the test subcommand in the CLI) of each query type to test the query to the LDAP server you configured. In addition to displaying the result, AsyncOS also displays the details on each stage of the query connection test. You can test each of the query types.
The ldaptest command is available as a batch command, for example:
ldaptest LDAP.ldapaccept foo@ironport.com
If you entered multiple hosts in the Host Name field of the LDAP server attributes, the appliance tests the query on each LDAP server.
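A set of test recipients with known expected outcomes can be prepared offline before running the queries on the appliance. The following is an added example, not part of the Cisco guide: it predicts PASS or FAIL from a constructed directory sample and builds the matching batch ldaptest lines. It assumes the accept query matches case-insensitively on mail or on SMTP-type proxyAddresses values; the directory entries, function names and input patterns are assumptions.

```python
import re

# Constructed sample of Active Directory entries (not real data).
DIRECTORY = [
    {"mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    {"mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com", "X400:C=US;A= ;P=Example;"]},
]

# Conservative patterns (assumed) so only a plain query name and address
# ever reach the appliance CLI.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_QUERY = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def smtp_addresses(entry):
    """All SMTP addresses of an entry: mail plus SMTP:/smtp: proxyAddresses."""
    found = set()
    if entry.get("mail"):
        found.add(entry["mail"].lower())
    for value in entry.get("proxyAddresses", []):
        prefix, _, addr = value.partition(":")
        if prefix.lower() == "smtp" and addr:  # skip X400 and other types
            found.add(addr.lower())
    return found


def expected_result(recipient, directory=DIRECTORY):
    """PASS if any entry carries the recipient in mail or proxyAddresses."""
    rcpt = recipient.lower()
    return "PASS" if any(rcpt in smtp_addresses(e) for e in directory) else "FAIL"


def ldaptest_command(query, recipient):
    """Build one batch-form ldaptest line, rejecting unsafe input."""
    if not _QUERY.match(query):
        raise ValueError(f"unexpected query name: {query!r}")
    if not _ADDR.match(recipient):
        raise ValueError(f"not a plain e-mail address: {recipient!r}")
    return f"ldaptest {query} {recipient}"


def build_plan(query, recipients):
    """(command, expected PASS/FAIL) pairs to compare with appliance output."""
    return [(ldaptest_command(query, r), expected_result(r)) for r in recipients]


if __name__ == "__main__":
    for cmd, want in build_plan("LDAP.ldapaccept", ["alice@example.com",
                                "A.Smith@example.com", "nobody@example.com"]):
        print(f"{want:4}  {cmd}")
```

Including at least one address that must FAIL confirms that invalid recipients are still rejected after a profile change.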
Table 26-1 Testing LDAP Queries

| Query type | If a recipient matches (PASS)... | If a recipient does not match (FAIL)... |
|---|---|---|
| Recipient Acceptance (Accept, ldapaccept) | Accept the message. | Invalid Recipient: Conversation or delayed bounce or drop the message per listener settings. DHAP: Drop. |
| Routing (Routing, ldaprouting) | Route based on the query settings. | Continue processing the message. |
| Masquerade (Masquerade, masquerade) | Alter the headers with the variable mappings defined by the query. | Continue processing the message. |
| Group Membership (Group, ldapgroup) | Return “true” for message filter rules. | Return “false” for message filter rules. |
| SMTP Auth (SMTP Authentication, smtpauth) | A password is returned from the LDAP server and is used for authentication; SMTP Authentication occurs. | No password match can occur; SMTP Authentication attempts fail. |
| External Authentication (externalauth) | Individually returns a “match positive” for the bind, the user record, and the user’s group membership. | Individually returns a “match negative” for the bind, the user record, and the user’s group membership. |