LDAP Acceptance Query

Hello everybody,
I would like to know if it's possible to enable an "LDAP Acceptance query" for only one domain protected by Ironport?
Let me explain:
Our Ironport is used by 3 companies. One company has an Exchange server and so LDAP is possible - and it works well. But (badly but) the others have another product as mail server which does not support LDAP queries.
So I would like to enable the LDAP acceptance query for the first company and nothing for the 2 others.
Last, I would like to enable LDAP authentication for Spam Quarantine if possible.
Regards,
GALLEZ Antony

Hi there, Bypass LDAP Accept is the easiest way, but a way to give you more control would be to create a separate MX record for each company.
On the IronPort have an individual listener for each company, that way you can have multiple routing, accept and group queries for each company.
But as you have already found the Bypass LDAP in the RAT is the easiest option :lol:

Different MX records mean that we need different public IP addresses and we only have one. So, I'll use the "Bypass LDAP Accept" option.
BTW, thanks for your response, I hadn't thought of different MX records...

Similar Messages

  • LDAP accept query (space within email) got pass

    Version: 5.1.2-005
    The LDAP accept query is very effective here and we have been using it since day 1.
    Recently, we discovered some backend MTA log entries rejecting invalid addresses.
    We haven't changed the IronPort or the backend LDAP software for a while, so it is not something due to a recent change.
    Here is a funny finding, note the space.
    > ldaptest
    Select which LDAP query to test:
    1. MXLDAP.accept
    2. MXLDAP.smtpauth
    3. VDELDAP.accept
    4. group
    [1]> 1
    Address to use in query:
    []> sys [email protected]
    LDAP query test results:
    Query: MXLDAP.accept
    Address: sys [email protected]
    Action: pass
    LDAP query test finished.
    I ran an ldapsearch on the backend LDAP server and the ldapsearch does not return 'sys [email protected]' as a valid LDAP entry. So it seems it is not related to LDAP.
    This is our LDAP accept query:
    (&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))
    Our LDAP backend is Openwave MX LDAP directory.
    We are considering upgrading to version 5.5, but not because of this problem; rather, to keep our version reasonably up to date.

    In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
    If it is set to "loose parsing", it accepts but actually delivers the message to .
    When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .
    In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).
    I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me; I'd expect it to check the address it's going to use to deliver the mail. It's probably best to create a support request for this.
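The mismatch described in the reply above, modelled as an added example (not part of the original thread and not IronPort code): the recipient is validated with spaces stripped but delivered unchanged, next to a check that validates exactly the string that will be delivered. The directory contents, the `example.com` addresses and all function names are assumptions made for illustration; the token expander also covers `{u}` and `{d}` and escapes values per RFC 4515.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Accept query from the thread, with balanced parentheses.
ACCEPT_QUERY = "(&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))"

# Constructed directory content (assumption): the only active mailbox.
ACTIVE_MAILBOXES = {"sysadmin@example.com"}


def escape_filter_value(value):
    """Escape a string so it is safe as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_query(template, address):
    """Substitute {a} (full address), {u} (local part) and {d} (domain)."""
    user, _, domain = address.rpartition("@")
    tokens = {"a": address, "u": user, "d": domain}
    return re.sub(r"\{([aud])\}",
                  lambda m: escape_filter_value(tokens[m.group(1)]), template)


def directory_has(address):
    """Stand-in for the LDAP search: exact, case-insensitive match."""
    return address.lower() in ACTIVE_MAILBOXES


def accept_as_described(rcpt):
    """Behaviour reported in the reply: spaces are stripped for the query
    only, while the envelope recipient is delivered unchanged."""
    queried = rcpt.replace(" ", "")
    return {
        "filter": expand_query(ACCEPT_QUERY, queried),
        "queried": queried,
        "delivered": rcpt,
        "action": "pass" if directory_has(queried) else "reject",
        # What the backend MTA decides for the address it actually receives.
        "backend_accepts": directory_has(rcpt),
    }


def accept_consistent(rcpt):
    """Validate exactly the string that will be delivered; refuse whitespace."""
    if re.search(r"\s", rcpt):
        return {"filter": None, "queried": None, "delivered": None,
                "action": "reject"}
    return {
        "filter": expand_query(ACCEPT_QUERY, rcpt),
        "queried": rcpt,
        "delivered": rcpt,
        "action": "pass" if directory_has(rcpt) else "reject",
    }


if __name__ == "__main__":
    # Constructed recipients, not addresses from the thread.
    for rcpt in ("sysadmin@example.com", "sys admin@example.com",
                 "nobody@example.com"):
        seen = accept_as_described(rcpt)
        print(f"{rcpt!r}: described={seen['action']} "
              f"backend_accepts={seen['backend_accepts']} "
              f"consistent={accept_consistent(rcpt)['action']}")
```

A recipient that passes the accept query but is refused by the backend shows up as a late bounce, which is the symptom the original poster found in the backend MTA log.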

  • LDAP Accept query for "catch all" domains

    I'm far from an LDAP expert so I'm posting this both as a "look what I did!" and an "is there a better way?"
    The query feels fairly typical until the end where I look for "absolute-catchall@[the domain]". Effectively this accepts "anything"@"domain." Is this what you do? Is there a better way? Is this already in the manual somewhere :)
    (|(|(gecos={u})(|(mail={a})(mail={u})))(mail=absolute-catchall@{d}))

    I don't think these kinds of tricks are in the handbook, but you're not the only one using something like this. A similar query was posted here: http://www.ironportnation.com/forums/viewtopic.php?p=718#718
    I'm using this to skip recipient checking for domains where I'm only acting as backup MX and can't verify the addresses.

  • LDAP Routing Query

    Hi,
    we have the following scenario:
    There is just one single mail domain.
    500 mailboxes are on a Microsoft Exchange server with Active Directory, 500 mailboxes are on a different server hosting POP3 mailboxes.
    Obviously I cannot use an LDAP Accept Query, as the AD doesn't have any knowledge about the POP3 mailboxes. The question is, can I still use LDAP for mail routing, even if some accounts are not in the AD?

    Well.... there are more LDAP directories than MS Active Directory.
    If I understand you right your main problem is how to route 50% of your recipient addresses to Exchange and 50% of them to the POP3 system. If you could, it would be nice to have a message accept policy that is LDAP driven.
    I suggest you try to install a dedicated LDAP server for your Ironport(s). That LDAP server should be updated daily with the details from your AD and an export from the POP3 system. On the Linux platform there are several options (OpenLDAP, Apache Directory, Fedora 389, etc).
    Make sure your import scripts also provision the mail addresses of all users and (at least) an attribute like "mailHost": your Exchange-based 50% of your recipients would have a static value of "your.exchange.server" (= hostname of your Exchange bridgehead), the other 50% would have "your.pop3.server" (= hostname of your POP3 server) as value.
    After that you can create a mail routing LDAP query that makes sure the messages are routed correctly. The mailHost attribute will be used to determine where the message should be routed to. If needed, you can also run a message acceptance query against that same LDAP. That query would reject all mail addresses that are unknown to the directory.
    If you have more questions about this, just send me a message; I have some experience with this matter.
    Steven

  • Ideas for features needed in new Conversational LDAP Accept

    Mark, sorry should have given you this list months ago. My guess is you've already thought of all of these and more.
    Everyone else, feel free to add to the list or tell me I'm nuts... or better yet ask what for.
    1) A good DHAP (directory harvest attack prevention) solution. I'm guessing this would be along the same lines as current post-conversation LDAP Accept. - completely obvious
    2) Sender Group specific settings, also like the current DHAP. This allows for different bounce/drop rates based on Sender Group or SRBS. Also the ability to Drop vs. Bounce based on Sender Group, not just a global setting.
    3) The ability to do conversational bounces based on the MAIL FROM: in addition to the RCPT TO:. This allows for conversational bounces for Internet inbound emails where the MAIL FROM: may be your own domain (spoofed).
    4) LDAP Accept still needs to be post HAT, Domain Map and RAT processing.
    5) Rates and counts added to the Mail Flow monitor stats, specifically: Invalid LDAP rates: Total, Bounce and Drop.
    6) LDAP lookup status, very much like DNS with cache hit/miss rates, number of lookups, etc. Also rates along with counts.
    7) Warnings when LDAP lookup timeout is exceeded, vs. server connection failures. Configurable LDAP lookup timeout.
    8) If connection to LDAP server fails or times out, emails are accepted by default.

    Erich,
    This is all very good feedback. The vast majority of it will be included in the conversational LDAPACCEPT feature coming in a maintenance release in the short term.
    There are a couple items that we'll have to get to in a later release:
    - Drop vs. bounce in the sender group. Good idea, beyond what we'll be able to do in this release. But you'll be able to enable/disable and set thresholds per sender group.
    - Conversational bounces on the Envelope Sender. This is coming in the Hard Rock release, planned for Q405.
    - LDAP lookup status will be in the Hard Rock release
    Everything else looks to be in there.
    Peter Schlampp
    Sr. Dir., Product Management
    IronPort Systems

  • CSCul66951 LDAP routing query fails when user name is the same (6 july 2014)

    In the case CSCul66951 "LDAP routing query fails when user name is the same", it is mentioned that version 8.0.2-055 corrects this bug. How come I don't see this version in my Available upgrades menu on my IronPort C370?
    Is there someone on the support team who has tried this LDAP query on an IronPort C370 with this version in the development lab?
    Do I have to open a support case to get this version of AsyncOS?
    Best regards,
    Benoit Belair
    University of Quebec in Montreal

    Yes - CSCul66951 - this was included w/ the 8.0.1-HP1, and is rolled into 8.5.6-074 GA release.
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/release_notes/ESA_8-0-1_HP1_Release_Notes.pdf
    CSCun02766 - 8.5.6-063, which was superseded by the 8.5.6-074 GA release.  
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_Release_Notes.pdf

  • LDAP acceptance

    I would like to configure LDAP acceptance. The mail server is Scalix. I've found some information in Scalix for LDAP:
    swa.ldap.1.type=system
    swa.ldap.1.server=mail.test.com
    swa.ldap.1.port=389
    swa.ldap.1.baseDN=o=scalix
    swa.ldap.1.displayName.resourceID=addressbooksearch_title_system
    swa.ldap.1.displayName.resourceLabel=System Directory
    swa.ldap.1.authType=none
    swa.ldap.1.filter=(|(&(cn=%s*)(mail=*))(&(sn=%s*)(mail=*))(&(gn=%s*)(mail=*))(mail=%s*)(&(omalias=%s*)(mail=*)))
    swa.ldap.1.addressSearchLimit=100
    swa.ldap.1.search.1.header=true
    swa.ldap.1.search.1.type=name
    swa.ldap.1.search.1.name.resourceID=addressbooksearch_label_name
    swa.ldap.1.search.1.name.resourceLabel=Name
    swa.ldap.1.search.1.dirAttribute=omcn
    swa.ldap.1.search.2.header=true
    swa.ldap.1.search.2.type=email
    swa.ldap.1.search.2.name.resourceID=addressbooksearch_label_email
    swa.ldap.1.search.2.name.resourceLabel=Email Address
    swa.ldap.1.search.2.dirAttribute=rfc822Mailbox
    swa.ldap.1.search.3.header=true
    swa.ldap.1.search.3.type=
    swa.ldap.1.search.3.name.resourceID=addressbooksearch_label_phone
    swa.ldap.1.search.3.name.resourceLabel=Phone
    swa.ldap.1.search.3.dirAttribute=telephoneNumber
    swa.ldap.1.search.4.header=
    swa.ldap.1.search.4.type=
    swa.ldap.1.search.4.name.resourceID=
    swa.ldap.1.search.4.name.resourceLabel=Fax Phone
    swa.ldap.1.search.4.dirAttribute=facsimileTelephoneNumber
    swa.ldap.1.search.5.header=
    swa.ldap.1.search.5.type=
    swa.ldap.1.search.5.name.resourceID=
    swa.ldap.1.search.5.name.resourceLabel=Mobile Phone
    swa.ldap.1.search.5.dirAttribute=mobileTelephoneNumber
    swa.ldap.1.search.6.header=
    swa.ldap.1.search.6.type=
    swa.ldap.1.search.6.name.resourceID=
    swa.ldap.1.search.6.name.resourceLabel=Pager Phone
    swa.ldap.1.search.6.dirAttribute=pagerTelephoneNumber
    swa.ldap.2.type=personal
    swa.ldap.2.server=mail.test.com
    swa.ldap.2.port=389
    swa.ldap.2.baseDN=o=MyContacts
    swa.ldap.2.displayName.resourceID=addressbooksearch_title_personal
    swa.ldap.2.displayName.resourceLabel=Personal Contacts
    swa.ldap.2.authType=simple
    swa.ldap.2.bindDN=rfc822mailbox=%u
    swa.ldap.2.filter=(|(&(cn=%s*)(|(mail=*)(304=4)))(&(sn=%s*)(mail=*))(&(gn=%s*)(mail=*))(mail=%s*)(&(omalias=%s*)(mail=*)))
    So what are the parameters for LDAP acceptance according to the information above?

    Can you have more information be exported for this user? From scanning over the output below, I cannot identify where a user's email address would be except for this one value:
    swa.ldap.1.search.2.name.resourceLabel=Email Address

  • LDAP group query failure during per-recipient scanning, poss

    I am trying to figure out what this is referring to:
    LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server
    I can still send test messages from my e-mail.
    Is it possible that a user is trying to send incorrectly... hmmm

    If you create a LDAP debug log from within the GUI, this will give you a more in depth look into the query that is being sent to your LDAP server and also more important any errors that are being returned.
    Great log for troubleshooting any LDAP related issues.

  • C100 LDAP accept to multiple AD domains?

    Hi All,
    Just been setting up our Ironport C100 and noticed that per listener you can only have one LDAP lookup host (or many in failover), however what we require is the following:
    An inbound e-mail for [email protected] arrives; the C100 looks up the AD (LDAP) of domainA.com for the user and accepts or denies. At the same time another inbound e-mail comes in, but for [email protected]; this needs to do the lookup against the domainB.com AD server, which is a completely different host to domainA.com (in fact a different network/customer).
    From what I can see at the moment I would need to set up a separate listener for each domain with 2 IPs each, which would soon get very out of hand.
    Has anybody done this before or have any idea how this could be done??
    Just a side note: I set up an ADAM server and used the AD to ADAM synchronizer to get a copy of the domain into a partition in the ADAM server and then another domain into its own partition, but seeing as the C100 needs a base DN this makes this impossible, unless anybody again has some ideas about this....

    Torsten is correct, the feature that you need for supporting either different LDAP servers per domain or tiered LDAP lookups is due in the 5.5 release slated for Q3/2007 so this will be addressed.
    With regards to ADAM, I personally haven't done an installation with ADAM, however I will state that it's not required to put a base DN into the LDAP profile. So you might want to consider removing the base DN from your ADAM profile and see if the query will work for you.
    Another good step might be to download the Softerra LDAP browser utility and take a look at the ADAM server to identify relevant pieces of LDAP information...assuming that it doesn't conform to AD's (|(mail={a})(proxyAddresses=smtp:{a})) query string.
    Sincerely,
    Jay Bivens
    IronPort Systems

  • Ironport C370 Ldap Accept problems

    Hello all,
    I'm having problems using ldap queries to validate recipients from my Cisco Ironport C370.
    I'm receiving permanent Warning message like this:
    The query CP_LDAP.accept failed with result inquiry timed out
    I need to know how the C370 establishes TCP sessions for each LDAP host (one session per query, one session for all queries...). LDAP administrators are seeing lots of established TCP connections from the Ironport C370 even though I've configured "Maximum number of simultaneous connections for each host" to 10.
    I've checked it running the netstat command on C370 appliance (around 20 for each).
    Is this a normal behaviour?
    Thanks a lot.
    Best Regards,
    Alfonso Moneo

    Hi Alfonso,
    Do you have any kind of FW on the path or built-in FW on the email server?
    In regards to your other question, the ESA will maintain a number of active TCP conns to your LDAP server (6 hours or 10,000 queries, whichever happens first).
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Conversion of Mysql query in oracle acceptable query format

    Hi
    I have successfully converted my MySQL database to Oracle. Now the problem is how to execute the hundreds of already written MySQL queries on Oracle. There are many syntax variations in the MySQL query format which are not acceptable to Oracle.
    For example:
    Select case_id as 'this is alias' from cases
    The above query can run on a MySQL database but has a problem while executing on Oracle, because the single quotes should be replaced with double quotes before executing it on Oracle. There are also many other syntax conflicts.
    I have tried to resolve the problem through SwisSQLAPI but the problem still exists, as SwisSQLAPI does not deal with all syntax conflicts. In my case (select if (expression, true,false)) must be replaced with the decode (expression, value,true,false) function of Oracle, and this conversion is not supported by SwisSQLAPI.
    Please help me in resolving this problem
    Thanks

    The problem with trying to port from one language (mysql SQL) to another (oracle SQL) is that there's generally no hard rules for a computer to follow, that it will get it 100% correct.
    Look at babelfish when you translate a foreign language to English. The end result is readable (usually), but it's rarely completely correct.
    The problem is when you feed something into Oracle SQL, it needs to be 100% correct.
    All you can really do here is rewrite these queries. It shouldn't actually take as long as you think, because 50% of queries will generally need very minor changes you can do in a minute, and 25% won't need any changes at all.

  • Using LDAP with query on groups

    Hi,
    I configured our SAP Portal with LDAP authentication (+UME) successfully - so far so good. I used the standard configuration file (dataSourceConfiguration_ads_readonly_db.xml).
    Now I would like to filter the LDAP users and grant access only to users within a LDAP group.
    Is there a way to build a query for this case (datasource configuration file, etc...)?
    Thanks for your help...
    Bernd Hülsebusch

    Hi Shantanu,
    thanks for your fast reply!
    The problem is, that we have about 5.000 users in our LDAP system (Exchange), this includes several system users and also special users for e.g. domain administration, etc. Only about 2000 users are really respective portal users and only these users should have access to the portal generally. The intention is to filter the redundant users, so we won't have problems with SAP licenses for users who never should be able use the portal.
    I didn't mean how to provide access to some content within the portal. I know that this is realized with roles and groups in the portal.
    Best regards, Bernd Hülsebusch

  • Ldap search query takes more than 10 seconds

    LDAP query takes more than 10 seconds to execute.
    For validating the configured policy, the Access Manager (Sun Java System Access Manager) contacts the LDAP server (Sun Java System Directory Server 6.2) to get the users in a dynamic group. The timeout value configured in Access Manager for LDAP searches is 10 seconds.
    Issue: The LDAP query sometimes takes more than 10 seconds to execute.
    The query executes in less than 10 seconds in most cases, but it takes more than 10 seconds in some cases. The total number of users available in the LDAP directory is less than 1500.
    7 etime =1
    6 etime =1
    102 etime=4
    51 etime=5
    26 etime=6
    5 etime=7
    4 etime=8
    From the ldap access logs we can see the following entry,some times the query takes more than 10 seconds,
    [28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=****,dc=****,dc=com" scope=2 filter="(&(&(***=true)(**=true))(objectClass=vfperson))" attrs=ALL
    [28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
    The query was aborted by the Access Manager after 10 seconds.
    Please post your suggestions to resolve this issue.
    1. How can we find out why the query is taking more than 10 seconds?
    2. Next steps to resolve this issue.

    Hi Marco,
    Thanks for your suggestions.
    Sorry for replying late. I was out of office for few weeks.
    1) Have you already tuned the caches? (entry cache, db cache, filesystem cache?)
    We are using db cache and we have not done any tuning for cache. The application was working fine and there was not much change in the number of users.
    2) Unfortunately we don't have direct access to the environment and we have contacted the responsible team to verify the server health during the issue.
    Regarding the IO operations, we can see that the load balancer is pinging the LDAP server every 15 seconds to check the status of the LDAP servers, which yields a new connection on every hit (on average per minute 8 connections).
    3) We using cn=dsameuser to bind the directory server. Other configuration details for ldap
    LDAP Connection Pool Minimum Size: 1
    LDAP Connection Pool Maximum Size:10
    Maximum Results Returned from Search: 1700
    Search Timeout: 10
    Is the configured Search Timeout value proper? (We have less than 1500 users in the LDAP server.)
    Also, is there any impact if the value Maximum Results Returned from Search is set to 1700? (The Sun document for AM says that the ideal value for this is 1000 and if it's higher than this it will impact performance.)
    The application was running without timeout issues for the last 2 years and there was not much increase in the number of users in the system (at most 200 users added to the system in the last 2 years).
    Thanks,
    Jay
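One way to answer "why is the query taking more than 10 seconds" from the access log itself, as an added example that is not part of the original thread: pair each SRCH with the RESULT or ABANDON that ends it and report filter, entries returned and elapsed time. The sample lines are constructed in the format quoted in the question (base DN, filter attributes and the RESULT line are assumptions), and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the access-log format quoted in the question above.
SAMPLE_LOG = """\
[28/May/2012:14:21:20 +0200] conn=281 op=41432 msgId=853990 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[28/May/2012:14:21:20 +0200] conn=281 op=41432 msgId=853990 - RESULT err=0 tag=101 nentries=1 etime=0
[28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=example,dc=com" scope=2 filter="(&(active=true)(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) "
    r"msgId=(?P<msgid>-?\d+) - (?P<kind>[A-Z]+)\s*(?P<rest>.*)$")
# key=value pairs; values may be double-quoted and contain spaces or '='.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "conn": int(m["conn"]),
        "op": int(m["op"]),
        "kind": m["kind"],
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])},
    }


def _finding(srch, end, outcome):
    f = end["fields"]
    return {
        "conn": srch["conn"],
        "op": srch["op"],
        "outcome": outcome,
        "base": srch["fields"].get("base"),
        "scope": srch["fields"].get("scope"),
        "filter": srch["fields"].get("filter"),
        "nentries": int(f.get("nentries", 0)),
        "etime": float(f.get("etime", 0)),
        # Wall-clock time between the SRCH line and the line that ended it.
        "wall_seconds": (end["ts"] - srch["ts"]).total_seconds(),
    }


def slow_searches(log_text, threshold=5.0):
    """Return searches that were abandoned, or finished with etime >= threshold."""
    pending = {}      # (conn, op) -> SRCH record still waiting for its end
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["kind"] == "SRCH":
            pending[(rec["conn"], rec["op"])] = rec
        elif rec["kind"] == "RESULT":
            srch = pending.pop((rec["conn"], rec["op"]), None)
            if srch and float(f.get("etime", 0)) >= threshold:
                findings.append(_finding(srch, rec, "completed"))
        elif rec["kind"] == "ABANDON" and f.get("targetop", "").isdigit():
            # ABANDON has its own op number; targetop names the search it ends.
            srch = pending.pop((rec["conn"], int(f["targetop"])), None)
            if srch:
                findings.append(_finding(srch, rec, "abandoned"))
    return findings


if __name__ == "__main__":
    for item in slow_searches(SAMPLE_LOG):
        print(item)
```

Grouping the findings by `filter` and `base` shows whether the timeouts come from one particular search (here a subtree search that had already returned 884 entries when the client gave up) or are spread across all operations.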

  • Buyer Account, Welcome mail with password & LDAP related query

    Hi All
    We are facing an issue with the LDAP configuration while creating Buy side users, please see below
    If anyone of you could help, please provide your contact details or a solution to overcome this
    Background
    We have installed SAP E-Sourcing 5.1 On-premise.
    We are currently doing the post installation configuration
    - Imported the Out of the Box enterprise Deployment Workbook (We have not modified the contents of the workbook)
    - We have configured an SMTP mail host to send and receive all mails from the application
    Query
    Based on the enterprise Deployment Workbook, the system has created the following Directory configuration settings pointing to different LDAP system
    DISPLAY_NAME                          EXTERNAL_ID
    QA SunOne 5.2 - Buyside               dir.qa.sun.bs
    QA SunOne 5.2 - Sellside              dir.qa.sun.ss
    QA ActiveDirectory 2003 - Buyside     dir.qa.ms.bs
    QA ActiveDirectory 2003 - Sellside    dir.qa.ms.ss
    QA Oracle 9.0.2 - Buyside             dir.qa.ora.bs
    QA Oracle 9.0.2 - Sellside            dir.qa.ora.ss
    When we are creating the Buyside users (If we use the Check Box - Create Directory account), we are getting a communication error
    If we uncheck it, it creates the account but the system does not generate the welcome mail. We understand that the welcome mail has the system generated password to log-onto the application as the Buyer.
    We are also not able to create the local users, as the password.properties template isn't available in the downloaded software, we don't know the format that's expected by the system.
    Please let us know, if there is an alternate way to get the password even without using LDAP or Local directories.
    In case LDAP or creation of local directory is the key, then please let us know what's happening incorrectly in our case.
    This has become a show stopper for us going any forward.
    Request your help ASAP
    Regards
    Tridip

    Hi All
    I had the same problem when I tried doing the email Set-up
    I finally realised that you need to do the configuration steps for SMTP using the enterprise user and the system user. If you have done this setting as only the system user the mails will be in Awaiting retry.
    Do this and the mails will start flowing, in case your SMTP mail server is working fine
    Please do the following settings logged in as System User and Enterprise User
    System Properties->search for messaging
    Set        Property                 Value                                Context
    messaging  messaging.smtp.mailhost  replace the default with your value  System Context
    messaging  messaging.smtp.port      25                                   System Context
    Also please let me know what is the status of the messages in your Queued Messages
    This should work
    Do let me know, if it does
    Regards
    Tridip
    Edited by: Tridip Chakraborthy on May 27, 2009 11:57 AM
    Edited by: Tridip Chakraborthy on May 27, 2009 12:02 PM

  • Managing ldap user querying permission at BI server level

    Hello Guys
    I am trying to manage the corporate resource by limiting certain users to run query at certain time or certain size. I know it can be done using 'manage--security' to set the querying limit for each users that are defined in the Admin tool..
    However, since we are using Ldap authentications, none of the users that are using OBIEE are created in admin tool, they are all set up using Ldap server which is configured in the Admin tool..
    So in this case, how would I be able to set up query limits for these users through LDAP?
    Thanks in advance

    You should still create a group in your RPD and set the query limits. Then in your GROUP init block you could add something like this to make sure all users will get this group:
    UNION ALL
    SELECT 'GROUP', 'General Query Limits' FROM DUAL
