Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3: LDAP Queries
Routing Queries
There is no recursion limit for LDAP routing queries; the routing is completely data driven. However, 
AsyncOS does check for circular reference data to prevent the routing from looping infinitely.
Anonymous Queries 
You may need to configure your LDAP directory server to allow anonymous queries (that is, clients
can bind to the server anonymously and perform queries). For specific instructions on configuring Active
Directory to allow anonymous queries, see “Microsoft Knowledge Base Article - 320528” at the
following URL:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B320528
Alternatively, you can configure one “user” dedicated solely to authenticating and
performing queries instead of opening up your LDAP directory server to anonymous queries from any
client.
A summary of the steps is included here, specifically:
  • How to set up Microsoft Exchange 2000 server to allow “anonymous” authentication.
  • How to set up Microsoft Exchange 2000 server to allow “anonymous bind.”
  • How to set up Cisco IronPort AsyncOS to retrieve LDAP data from a Microsoft Exchange 2000
    server using both “anonymous bind” and “anonymous” authentication.
Specific permissions must be granted on a Microsoft Exchange 2000 server in order to allow “anonymous”
or “anonymous bind” authentication for the purpose of querying user email addresses. This can be very
useful when an LDAP query is used to determine the validity of an incoming email message to the SMTP
gateway.
Anonymous Authentication Setup
The following setup instructions allow you to make specific data available to unauthenticated queries of
Active Directory and Exchange 2000 servers in the Microsoft Windows Active Directory. If you wish to
allow “anonymous bind” to the Active Directory, see
.
Step 1  Determine required Active Directory permissions.
Using the ADSI Edit snap-in or the LDP utility, you must modify the permissions to the attributes
of the following Active Directory objects:
  – The root of the domain naming context for the domain against which you want to make queries.
  – All OU and CN objects that contain users against which you wish to query email information.
The following table shows the required permissions to be applied to all of the needed containers.
User Object   Permissions     Inheritance                   Permission Type
Everyone      List Contents   Container Objects             Object
Everyone      List Contents   Organizational Unit Objects   Object