Cisco Email Security Appliance C170 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 23: LDAP Queries
When you configure the LDAP profile to query for group membership, enter the base DN for the 
directory level where group records can be found, the attribute that holds the group member’s username, 
and the attribute that contains the group name. Based on the server type that you select for your LDAP 
server profile, AsyncOS enters default values for the username and group name attributes, as well as default 
query strings.
Note: For Active Directory servers, the default query string to determine if a user is a member of a group is (&(objectClass=group)(member={u})). However, if your LDAP schema uses distinguished names in the “memberof” list instead of usernames, you can use {dn} instead of {u}.
Table 23-9 shows the default query strings and attributes that AsyncOS uses when it searches for group 
membership information on an Active Directory server.
Table 23-10 shows the default query strings and attributes that AsyncOS uses when it searches for group 
membership information on an OpenLDAP server.
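The token substitution described above, as an added example that is not part of the Cisco guide or of AsyncOS: it expands the default group-membership query strings for one user, including the {dn} variant from the Note, with RFC 4515 escaping so that a DN containing parentheses or a backslash still yields a well-formed filter you can test with any LDAP client. The function names, the sample user and DN, and the plain-substitution behaviour are assumptions; the page does not describe how AsyncOS performs the substitution internally.

```python
import re

# Default group-membership query strings, copied from Tables 23-9 and 23-10.
DEFAULT_GROUP_QUERIES = {
    "Active Directory": "(&(objectClass=group)(member={u}))",
    "OpenLDAP": "(&(objectClass=posixGroup)(memberUid={u}))",
}

# RFC 4515: these characters must appear as \XX inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_TOKEN = re.compile(r"\{(u|dn)\}")


def escape_filter_value(value):
    """Escape a value so it is read as data, not as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def use_dn_token(template):
    """Apply the Note's variant: match members by DN instead of username."""
    return template.replace("{u}", "{dn}")


def expand_query(template, username, dn=None):
    """Substitute {u} and {dn} in one pass, so substituted text is never
    rescanned for tokens. Assumption: plain token substitution; the page
    does not describe how AsyncOS performs it internally."""
    values = {"u": username, "dn": dn}

    def fill(match):
        value = values[match.group(1)]
        if value is None:
            raise ValueError("template uses {dn} but no DN was supplied")
        return escape_filter_value(value)

    return _TOKEN.sub(fill, template)


# Constructed sample user; the DN contains a backslash and parentheses.
SAMPLE_USER = "jdoe"
SAMPLE_DN = r"CN=Doe\, Jane (Contractor),OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    for server, template in DEFAULT_GROUP_QUERIES.items():
        print(server, "->", expand_query(template, SAMPLE_USER))
    dn_query = use_dn_token(DEFAULT_GROUP_QUERIES["Active Directory"])
    print("DN variant ->", expand_query(dn_query, SAMPLE_USER, SAMPLE_DN))
```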
Authenticating End-Users of the Spam Quarantine
Spam quarantine end-user authentication queries validate users when they log in to the Spam Quarantine. 
The token {u} specifies the user (it represents the user’s login name). The token {a} specifies the user’s 
email address. The LDAP query does not strip "SMTP:" from the email address; AsyncOS strips that 
portion of the address.
Table 23-9 Default Group Membership Query Strings and Attributes: Active Directory
Server Type: Active Directory
Base DN: [blank] (You need to use a specific base DN to find the group records.)
Query string to determine if a user is a member of a group: (&(objectClass=group)(member={u}))
  Note: If your LDAP schema uses distinguished names in the memberOf list instead of usernames, you can replace {u} with {dn}.
Attribute that holds each member's username (or a DN for the user's record): member
Attribute that contains the group name: cn
Table 23-10 Default Group Membership Query Strings and Attributes: OpenLDAP
Server Type: OpenLDAP
Base DN: [blank] (You need to use a specific base DN to find the group records.)
Query string to determine if a user is a member of a group: (&(objectClass=posixGroup)(memberUid={u}))
Attribute that holds each member's username (or a DN for the user's record): memberUid
Attribute that contains the group name: cn