LDAP Routing Query

Hi,
we have the following scenario:
There is just one single mail domain.
500 mailboxes are on a Microsoft Exchange server with Active Directory, 500 mailboxes are on a different server hosting POP3 mailboxes.
Obviously I cannot use an LDAP Accept Query, as the AD doesn't have any knowledge about the POP3 mailboxes. The question is, can I still use LDAP for mail routing, even if some accounts are not in the AD?

Well.... there are more LDAP directories than MS Active Directory.
If I understand you right, your main problem is how to route 50% of your recipient addresses to Exchange and 50% of them to the POP3 system. If you could, it would be nice to have a message accept policy that is LDAP driven.
I suggest you try to install a dedicated LDAP server for your Ironport(s). That LDAP server should be updated daily with the details from your AD and an export from the POP3 system. On the LINUX platform there are several options (OpenLDAP, Apache Directory, Fedora 389, etc).
If you make sure your import scripts also provision the mail addresses of all users and (at least) an attribute like "mailHost": the Exchange-based 50% of your recipients would have the static value "your.exchange.server" (the hostname of your Exchange bridgehead), the other 50% would have "your.pop3.server" (the hostname of your POP3 server).
After that you can create a mail routing LDAP query that makes sure the messages are routed correctly. The mailHost attribute will be used to determine where the message should be routed to. If needed, you can also run a message acceptance query against that same LDAP. That query would reject all mail addresses that are unknown to the directory.
If you have more questions about this, just send me a message; I have some experience with this matter.
Steven

Similar Messages

  • CSCul66951 LDAP routing query fails when user name is the same (6 july 2014)

    In the case CSCul66951 LDAP routing query fails when user name is the same it is mentioned that version 8.0.2-055 corrects this bug? How come I don't see this version in my Available upgrades menu on my IronPort C370?
    Is there someone on the support team that has tried this LDAP query on an IronPort C370 with this version in the development lab?
    Do I have to open a support case to get this version of AsyncOS?
    Best regards,
    Benoit Belair
    University of Quebec in Montreal

    Yes - CSCul66951 - this was included w/ the 8.0.1-HP1, and is rolled into 8.5.6-074 GA release.
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0/release_notes/ESA_8-0-1_HP1_Release_Notes.pdf
    CSCun02766 - 8.5.6-063, which was superseded by the 8.5.6-074 GA release.  
    See release notes, resolved issues:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_Release_Notes.pdf

  • LDAP routing and DNS combination

    For outgoing delivery, is it possible to combine both LDAP Routing and DNS?
    I.e. when sending out to abc.com, which exists in LDAP, it will be delivered using LDAP Routing, and for domains that do not exist in LDAP, use DNS instead.
    TIA

    If you haven't explicitly enabled it, then SMTP Routes will be used to forward on the mail.
    FYI, this is for our outbound delivery (not incoming). This is what I have just tested.
    domain.com is in our LDAP, and I'd like to use DNS instead of LDAP.routing. domain.com MX records should be somewhere on the internet.
    LDAP query test results:
    Query: LDAP.routing
    Address: [email protected]
    Action: reroute
    Reroute to recipients: - (host: servers.cbn.net.id)
    In smtproutes:
    domain.com: usedns
    In mail_logs:
    Wed Nov 7 18:57:44 2007 Info: LDAP: Reroute query LDAP.routing MID 429897525 RID 0 address [email protected] to [('[email protected]', 'servers.cbn.net.id')]
    Wed Nov 7 18:57:44 2007 Info: LDAP: Mailhost query LDAP.routing address [email protected] to servers.cbn.net.id
    Wed Nov 7 18:57:44 2007 Info: MID 429897526 ICID 0 RID 0 To:
    Although I have already specified usedns, the message is still delivered using LDAP.routing.

  • LDAP Acceptance Query

    Hello everybody,
    I would like to know if it's possible to enable an "LDAP Acceptance query" only for one domain protected by IronPort?
    I explain myself:
    Our IronPort is used by 3 companies. One company has an Exchange server and so LDAP is possible - and it works well. But (unfortunately) the others have another product as mail server which does not support LDAP queries.
    So I would like to enable the LDAP acceptance query for the first company and nothing for the 2 others.
    Last, I would like to enable LDAP authentication for Spam Quarantine if possible.
    Regards,
    GALLEZ Antony

    Hi there, Bypass LDAP Accept is the easiest way, but a way to give you more control would be to create a separate MX record for each company.
    On the IronPort have an individual listener for each company, that way you can have multiple routing, accept and group queries for each company.
    But as you have already found the Bypass LDAP in the RAT is the easiest option :lol:
    Different MX records means that we need different public IP addresses and we only have one. So, I'll use the "Bypass LDAP Accept" option.
    BTW, thanks for your response, I hadn't thought of different MX records...

  • LDAP accept query (space within email) got pass

    Version: 5.1.2-005
    The LDAP accept query is very effective here and we have been using it since day 1.
    Recently, we discovered some backend MTA logs rejecting invalid addresses.
    We haven't changed IronPort or the backend LDAP software for a while. So it is not something due to a recent change.
    Here is a funny finding, note the space.
    > ldaptest
    Select which LDAP query to test:
    1. MXLDAP.accept
    2. MXLDAP.smtpauth
    3. VDELDAP.accept
    4. group
    [1]> 1
    Address to use in query:
    []> sys [email protected]
    LDAP query test results:
    Query: MXLDAP.accept
    Address: sys [email protected]
    Action: pass
    LDAP query test finished.
    I ran an ldapsearch on the backend LDAP server and the ldapsearch does not return 'sys [email protected]' as a valid LDAP entry. So it seems it is not related to LDAP.
    This is our LDAP accept query (the closing parenthesis of the outer AND was missing as originally posted):
    (&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))
    Our ldap backend is Openwave MX LDAP directory.
    We are considering upgrading to version 5.5, but not because of this problem; rather to keep our version reasonably up to date.

    In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
    If it is set to "loose parsing", it accepts but actually delivers the message to .
    When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .
    In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).
    I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me; I'd expect it to check the address it's going to use to deliver the mail. It's probably best to create a support request for this.

  • LDAP group query failure during per-recipient scanning, poss

    I am trying to figure out what this is referring to:
    LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server
    I can still send test messages from my e-mail.
    Is it possible that a user is trying to send incorrectly..hmmm

    If you create an LDAP debug log from within the GUI, this will give you a more in-depth look into the query that is being sent to your LDAP server and also, more importantly, any errors that are being returned.
    Great log for troubleshooting any LDAP related issues.

  • LDAP Source Query IP (Cisco ISR G2 WebSecurity)

    Hi Cisco folks,
    Goal:
    I would like to implement Cisco ISR Connector with ScanSafe for the company.
    I have followed the ISR Solution Guide carefully (found here:
    http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf)
    So far I have managed to get a basic configuration working.
    Problem:
    This configuration consists of the basic Web Security features and a VPN to our internal network.
    I would now like to implement authentication on the device with LDAP.
    As far as I can tell the configuration is correct. (I followed the solution guide precisely)
    The authentication though doesn't work.
    Here an output from the debug:
    *Feb 22 13:07:35.034: LDAP: LDAP: Queuing AAA request 52 for processing
    *Feb 22 13:07:35.034: LDAP: Received queue event, new AAA request
    *Feb 22 13:07:35.034: LDAP: LDAP authentication request
    *Feb 22 13:07:35.034: LDAP: Username sanity check failed
    *Feb 22 13:07:35.034: LDAP: Invalid hash index 512, nothing to remove
    *Feb 22 13:07:35.038: LDAP: New LDAP request
    *Feb 22 13:07:35.038: LDAP: Attempting first  next available LDAP server
    *Feb 22 13:07:35.038: LDAP: Got next LDAP server :scansafe-ldap-server
    *Feb 22 13:07:35.038: LDAP: Free connection not available. Open a new one.
    *Feb 22 13:07:35.038: LDAP: Opening ldap connection ( Internal IP of DC, 636 )ldap_open
    ldap_init libldap 4.5 18-FEB-2000
    open_ldap_connection
    ldap_connect_to_host: Internal IP of DC
    :636
    *Feb 22 13:07:35.038: LDAP: socket 5 - connecting to Internal IP of DC (636)
    *Feb 22 13:07:35.038: LDAP: socket 5 - connection in progress
    *Feb 22 13:07:35.038: LDAP: Connection on socket 5
    *Feb 22 13:07:35.038: LDAP: Connection to LDAP server (scansafe-ldap-server, Internal IP of DC) attempted
    *Feb 22 13:07:35.038: LDAP: Connection state: DOWN => CONNECTING
    *Feb 22 13:07:35.038: LDAP: LDAP request saved. Will be served after Root Bind is done.
    *Feb 22 13:07:35.038: LDAP: LDAP request successfully processed
    *Feb 22 13:08:05.038: LDAP: Received socket event
    *Feb 22 13:08:05.038: LDAP: Process socket event for socket = 5
    *Feb 22 13:08:05.038: LDAP: Server is not valid and non-TLS
    *Feb 22 13:08:05.038: LDAP: Socket read event socket=5
    *Feb 22 13:08:05.038: LDAP: Found socket ctx
    *Feb 22 13:08:05.038: LDAP: ldap tcp transport closing on socket 5
    *Feb 22 13:08:05.038: LDAP: Transport DOWN notification for scansafe-ldap-server/5
    *Feb 22 13:08:05.038: LDAP: Clearing all ldap transactions
    *Feb 22 13:08:05.038: LDAP: Triggering server failover for transit requet
    *Feb 22 13:08:05.038: LDAP: Connection state: CONNECTING => DOWNldap_unbind
    ldap_free_connection lc=0x8C5C14D4
    ldap_free_connection: actually freed
    As you can see the router can't contact our DC.
    Now I did some sniffing and noticed that the router sends the LDAP query with the source address of the external interface (Public IP).
    This results in the queries being sent out to the internet with an internal destination IP --> hence they can't connect.
    Question:
    Now to my actual question.. How can I force the ISR to originate the LDAP queries from our internal interface ... which would then enter the VPN and connect to the DC?
    Thanks in advance, and if you need any additional information, please don't hesitate to ask
    Kind regards
    - Sam

    I recently went through this exact issue with Cisco TAC. The answers are quite unpleasant, but Cisco feels the LDAP protocol doesn't need a source-interface command because an LDAP server doesn't need a specific source IP. The "workaround" is to include your egress interface IP in the VPN tunnel so it will get encapsulated and be able to reach the LDAP server over the VPN. There is another even less desirable workaround to use a Virtual Tunnel Interface, but it is not practical for companies with more than 1 remote site or using the headend VPN concentrator for internet routing because of the requirement of the tunnel being ip any any.

  • Using LDAP with query on groups

    Hi,
    I configured our SAP Portal with LDAP authentication (+UME) successfully - so far so good. I used the standard configuration file (dataSourceConfiguration_ads_readonly_db.xml).
    Now I would like to filter the LDAP users and grant access only to users within a LDAP group.
    Is there a way to build a query for this case (datasource configuration file, etc...)?
    Thanks for your help...
    Bernd Hülsebusch

    Hi Shantanu,
    thanks for your fast reply!
    The problem is that we have about 5.000 users in our LDAP system (Exchange); this includes several system users and also special users for e.g. domain administration, etc. Only about 2000 users are really portal users and only these users should have access to the portal generally. The intention is to filter the redundant users, so we won't have problems with SAP licenses for users who should never be able to use the portal.
    I didn't mean how to provide access to some content within the portal. I know that this is realized with roles and groups in the portal.
    Best regards, Bernd Hülsebusch

  • Ldap search query takes more than 10 seconds

    LDAP query takes more than 10 seconds to execute.
    For validating the configured policy, the Access Manager (Sun Java System Access Manager) contacts the LDAP server (Sun Java System Directory Server 6.2) to get the users in a dynamic group. The timeout value configured in Access Manager for LDAP searches is 10 seconds.
    Issue: The LDAP query sometimes takes more than 10 seconds to execute.
    The query executes in less than 10 seconds in most cases, but it takes more than 10 seconds in some cases. The total number of users available in the LDAP server is less than 1500.
    7 etime=1
    6 etime=1
    102 etime=4
    51 etime=5
    26 etime=6
    5 etime=7
    4 etime=8
    From the LDAP access logs we can see the following entries; sometimes the query takes more than 10 seconds:
    [28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=****,dc=****,dc=com" scope=2 filter="(&(&(***=true)(**=true))(objectClass=vfperson))" attrs=ALL
    [28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
    The query was aborted by the Access Manager after 10 seconds.
    Please post your suggestions to resolve this issue.
    1. How can we find out why the query is taking more than 10 seconds?
    2. Next steps to resolve this issue.

    Hi Marco,
    Thanks for your suggestions.
    Sorry for replying late. I was out of office for few weeks.
    1) Have you already tuned the caches? (entry cache, db cache, filesystem cache?)
    We are using the db cache and we have not done any tuning of the caches. The application was working fine and there were not many changes in the number of users.
    2) Unfortunately we don't have direct access to the environment and we have contacted the responsible team to verify the server health during the issue .
    Regarding the IO operations, we can see that the load balancer is pinging the LDAP server every 15 seconds to check the status of the LDAP servers, which yields a new connection on every hit (on average 8 connections per minute).
    3) We are using cn=dsameuser to bind to the directory server. Other configuration details for LDAP:
    LDAP Connection Pool Minimum Size: 1
    LDAP Connection Pool Maximum Size:10
    Maximum Results Returned from Search: 1700
    Search Timeout: 10
    Is the configured Search Timeout value proper? (We have less than 1500 users in the LDAP server.)
    Also, is there any impact if the value Maximum Results Returned from Search is set to 1700? (The Sun document for AM says that the ideal value for this is 1000 and if it is higher than this it will impact performance.)
    The application was running without time out issue for last 2 years and there was no much increase in the number of users in the system. ( at the max 200 users added to the system in last 2 years.)
    Thanks,
    Jay
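Jay's first question (how to find out which queries exceed the timeout) can largely be answered from the access log already quoted: every SRCH can be paired with its RESULT or ABANDON by conn/op, which yields the etime and the exact filter of each slow or abandoned search, and BIND/UNBIND pairs make the health-check connection churn mentioned above countable. The following is an added example written for this page, not the poster's tooling or a Sun/Oracle utility. The sample log lines are constructed to mirror the shape of the two lines quoted above, with placeholder attribute names (isActive, isEnabled) standing in for the ones redacted as asterisks; `slow_threshold` is this example's parameter, not an Access Manager setting.

```python
"""Pair each Directory Server access-log SRCH with its RESULT or ABANDON so slow or
abandoned searches can be tied to the filter that caused them. Added example; the
log text below is constructed (modelled on the thread's two quoted lines), not a
real server's log."""
import re
from collections import Counter

# Constructed sample: a fast lookup, two health-check BIND/UNBIND connections, one
# search abandoned at the 10 s client timeout, and the same filter completing in 6 s.
SAMPLE_LOG = """\
[28/May/2012:14:21:10 +0200] conn=281 op=41430 msgId=853990 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn mail"
[28/May/2012:14:21:10 +0200] conn=281 op=41430 msgId=853990 - RESULT err=0 tag=101 nentries=1 etime=0
[28/May/2012:14:21:15 +0200] conn=300 op=0 msgId=1 - BIND dn="" method=128 version=3
[28/May/2012:14:21:15 +0200] conn=300 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[28/May/2012:14:21:15 +0200] conn=300 op=1 msgId=2 - UNBIND
[28/May/2012:14:21:26 +0200] conn=281 op=41433 msgId=853995 - SRCH base="dc=example,dc=com" scope=2 filter="(&(&(isActive=true)(isEnabled=true))(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:30 +0200] conn=315 op=0 msgId=1 - BIND dn="" method=128 version=3
[28/May/2012:14:21:30 +0200] conn=315 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[28/May/2012:14:21:30 +0200] conn=315 op=1 msgId=2 - UNBIND
[28/May/2012:14:21:36 +0200] conn=281 op=41434 msgId=854001 - ABANDON targetop=41433 msgid=853995 nentries=884 etime=10
[28/May/2012:14:21:40 +0200] conn=281 op=41435 msgId=854010 - SRCH base="dc=example,dc=com" scope=2 filter="(&(&(isActive=true)(isEnabled=true))(objectClass=vfperson))" attrs=ALL
[28/May/2012:14:21:46 +0200] conn=281 op=41435 msgId=854010 - RESULT err=0 tag=101 nentries=884 etime=6
"""

# Common prefix of every line, then the operation-specific body.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=(?P<msgid>-?\d+) - (?P<body>.*)$")
# key=value pairs; quoted values may contain '=' and spaces (base DN, filter, attrs).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict with ts/conn/op/msgid/type plus the body's key=value pairs, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    rec["type"] = body.split(" ", 1)[0]          # SRCH, RESULT, ABANDON, BIND, UNBIND, ...
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return rec


def analyze(log_text, slow_threshold=10):
    """Join searches to their outcomes and summarise: per-search records, an etime
    histogram, the slow/abandoned searches, and how many connections were opened and
    closed within the window (load-balancer health checks look exactly like that)."""
    pending = {}        # (conn, op) -> SRCH record awaiting RESULT/ABANDON
    outcomes = []
    binds, unbinds = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key, kind = (rec["conn"], rec["op"]), rec["type"]
        if kind == "SRCH":
            pending[key] = rec
        elif kind == "RESULT" and key in pending:        # RESULT for a BIND etc. is skipped
            srch = pending.pop(key)
            outcomes.append({"filter": srch["filter"], "status": "ok",
                             "etime": int(rec["etime"]), "nentries": int(rec["nentries"])})
        elif kind == "ABANDON":
            # The abandon is its own op; targetop names the search that was cancelled.
            srch = pending.pop((rec["conn"], rec["targetop"]), None)
            outcomes.append({"filter": srch["filter"] if srch else "?", "status": "abandoned",
                             "etime": int(rec["etime"]), "nentries": int(rec["nentries"])})
        elif kind == "BIND":
            binds[rec["conn"]] += 1
        elif kind == "UNBIND":
            unbinds[rec["conn"]] += 1
    histogram = Counter(o["etime"] for o in outcomes)
    slow = [o for o in outcomes if o["status"] == "abandoned" or o["etime"] >= slow_threshold]
    churn = sum(1 for conn in binds if conn in unbinds)
    return {"outcomes": outcomes, "histogram": histogram, "slow": slow, "churn_connections": churn}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for etime, count in sorted(report["histogram"].items()):
        print("%d etime=%d" % (count, etime))
    for o in report["slow"]:
        print("SLOW %s etime=%d nentries=%d filter=%s" % (o["status"], o["etime"], o["nentries"], o["filter"]))
    print("connections opened and closed in window:", report["churn_connections"])
```

Run over a real access log, the `slow` list answers "which filter, how many entries, how often", which is what a directory administrator needs before touching cache sizes or the `nsslapd-sizelimit`-style settings discussed in the replies; the same filter appearing both abandoned at 10 s and completed at 6 s, as in the sample, points at server-side load rather than at the filter itself.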

  • Buyer Account, Welcome mail with password & LDAP related query

    Hi All
    We are facing an issue with the LDAP configuration while creating Buy side users, please see below.
    If anyone of you could help, please provide your contact details or a solution to overcome this
    Background
    We have installed SAP E-Sourcing 5.1 On-premise.
    We are currently doing the post installation configuration
    - Imported the Out of the Box enterprise Deployment Workbook (We have not modified the contents of the workbook)
    - We have configured an SMTP mail host to send and receive all mails from the application
    Query
    Based on the enterprise Deployment Workbook, the system has created the following Directory configuration settings pointing to different LDAP system
    DISPLAY_NAME                         EXTERNAL_ID
    QA SunOne 5.2 - Buyside              dir.qa.sun.bs
    QA SunOne 5.2 - Sellside             dir.qa.sun.ss
    QA ActiveDirectory 2003 - Buyside    dir.qa.ms.bs
    QA ActiveDirectory 2003 - Sellside   dir.qa.ms.ss
    QA Oracle 9.0.2 - Buyside            dir.qa.ora.bs
    QA Oracle 9.0.2 - Sellside           dir.qa.ora.ss
    When we are creating the Buyside users (if we use the check box - Create Directory account), we are getting a communication error.
    If we uncheck it, it creates the account but the system does not generate the welcome mail. We understand that the welcome mail has the system generated password to log-onto the application as the Buyer.
    We are also not able to create the local users, as the password.properties template isn't available in the downloaded software, and we don't know the format that's expected by the system.
    Please let us know, if there is an alternate way to get the password even without using LDAP or Local directories.
    In case LDAP or creation of a local directory is the key, then please let us know what's happening incorrectly in our case.
    This has become a show stopper for us going any further.
    Request your help ASAP
    Regards
    Tridip

    Hi All
    I had the same problem when I tried doing the email Set-up
    I finally realised that you need to do the configuration steps for SMTP using the enterprise user and the system user. If you have done this setting as only the system user the mails will be in Awaiting retry.
    Do this and the mails will start flowing, incase your SMTP mail server is working fine
    Please do the following settings logged in as System User and Enterprise User
    System Properties -> search for messaging
    Set       - Property                - Value                               - Context
    messaging - messaging.smtp.mailhost - replace the default with your value - System Context
    messaging - messaging.smtp.port     - 25                                  - System Context
    Also please let me know what is the status of the messages in your Queued Messages
    This should work
    Do let me know, if it does
    Regards
    Tridip

  • LDAP Accept query for "catch all" domains

    I'm far from an LDAP expert so I'm posting this both as a "look what I did!" and an "is there a better way?"
    The query feels fairly typical until the end where I look for "absolute-catchall@[the domain]". Effectively this accepts "anything"@"domain." Is this what you do? Is there a better way? Is this already in the manual somewhere :)
    (|(|(gecos={u})(|(mail={a})(mail={u})))(mail=absolute-catchall@{d}))

    I don't think these kinds of tricks are in the handbook, but you're not the only one using something like this. A similar query was posted here: http://www.ironportnation.com/forums/viewtopic.php?p=718#718
    I'm using this to skip recipient checking for domains where I'm only acting as backup MX and can't verify the addresses.
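The three filters quoted on this page (Steven's mailHost routing idea at the top, the accept query from the "space within email" thread, and the catch-all query above) can be exercised against a small in-memory directory to see exactly what each one admits. The following is an added example written for this page, not IronPort/Cisco code or any poster's script. The directory contents, the example.com and backup.example.net domains and the mailHost values are constructed; the `{a}`/`{u}`/`{d}` placeholders are the ones the queries on this page use. `accept_after_stripping` reproduces the whitespace-stripping behaviour the reply in the "space within email" thread describes, and `accept_consistent` is this example's stricter alternative, not documented ESA behaviour.

```python
"""Evaluator for the LDAP filter subset used by the queries on this page:
(&...), (|...) and (attr=value), with {a}/{u}/{d} substitution. Added example,
not IronPort code; the directory below is constructed sample data."""
import re

# Constructed directory: one mail domain split across two mailHost values,
# one disabled mailbox, and a catch-all marker entry for a backup-MX domain.
DIRECTORY = [
    {"mail": ["alice@example.com"], "mailalternateaddress": ["a.smith@example.com"],
     "mailboxstatus": ["A"], "mailHost": ["your.exchange.server"]},
    {"mail": ["bob@example.com"], "mailboxstatus": ["A"], "mailHost": ["your.pop3.server"]},
    {"mail": ["carol@example.com"], "mailboxstatus": ["D"], "mailHost": ["your.pop3.server"]},
    {"mail": ["absolute-catchall@backup.example.net"], "mailboxstatus": ["A"]},
]

ROUTING_QUERY = "(mail={a})"   # routing: find the entry, then read its mailHost
ACCEPT_QUERY = "(&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))"
CATCHALL_QUERY = "(|(|(gecos={u})(|(mail={a})(mail={u})))(mail=absolute-catchall@{d}))"


def parse_filter(text):
    """Recursive-descent parser returning ('&'|'|', [children]) or ('=', attr, value).
    Raises ValueError on an unbalanced filter (e.g. one missing its final ')')."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unbalanced filter at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated comparison at offset %d" % pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Equality match; attribute names and mail-style values compare case-insensitively."""
    if tree[0] in "&|":
        combine = all if tree[0] == "&" else any
        return combine(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return any(v.lower() == value.lower() for v in values)


def substitute(query, address):
    """Expand {a}, {u}, {d} with the recipient string exactly as given (no trimming)."""
    local, _, domain = address.partition("@")
    return query.replace("{a}", address).replace("{u}", local).replace("{d}", domain)


def search(query, address, directory=DIRECTORY):
    tree = parse_filter(substitute(query, address))
    return [entry for entry in directory if matches(tree, entry)]


def accept(address, query=ACCEPT_QUERY):
    """Accept-query decision for the exact recipient string."""
    return bool(search(query, address))


def accept_after_stripping(address, query=ACCEPT_QUERY):
    """The behaviour described in the 'space within email' thread: whitespace is removed
    before querying, so the string checked is not the string that gets delivered."""
    return accept(re.sub(r"\s+", "", address), query)


def accept_consistent(address, query=ACCEPT_QUERY):
    """Stricter alternative (this example's choice, not documented ESA behaviour): a
    recipient containing whitespace or not exactly one '@' is rejected outright instead
    of being normalised, so the checked and delivered strings cannot diverge."""
    if re.search(r"\s", address) or address.count("@") != 1:
        return False
    return accept(address, query)


def route(address):
    """Routing-query decision: the matching entry's mailHost, or None to fall back to
    SMTP routes / DNS. Routing does not consult mailboxstatus; only the accept query does."""
    hits = search(ROUTING_QUERY, address)
    return hits[0]["mailHost"][0] if hits else None
```

Running `accept` and `route` over the four sample addresses shows the split the first thread asks for (alice routes to the Exchange host, bob and carol to the POP3 host, unknown addresses to neither), while `accept("carol@example.com")` is False because her mailboxstatus is not A. `accept("anyone@backup.example.net", CATCHALL_QUERY)` is True purely because of the absolute-catchall marker entry, which is what makes that query suitable only for domains whose addresses cannot be verified. Finally, `accept_after_stripping("alice @example.com")` passes while `accept("alice @example.com")` does not, which is the mismatch the "space within email" thread observed.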

  • Managing ldap user querying permission at BI server level

    Hello Guys
    I am trying to manage corporate resources by limiting certain users to run queries at certain times or of a certain size. I know it can be done using 'Manage -> Security' to set the query limit for each user that is defined in the Admin tool.
    However, since we are using LDAP authentication, none of the users that are using OBIEE are created in the Admin tool; they are all set up using the LDAP server which is configured in the Admin tool.
    So in this case, how would I be able to set up query limits for these users through LDAP?
    Thanks in advance

    You should still create a group in your RPD and set the query limits. Then in your GROUP init block you could add something like this to make sure all users will get this group:
    UNION ALL
    SELECT 'GROUP', 'General Query Limits' FROM DUAL

  • Java LDAP Tag Query Issue

    I am using the ldap tag library to view users and output info. There are specific attributes I want to pull back that it won't. The attributes are passwordretrycount, pwdaccountlockedtime and pwdfailuretime.
    <!-- LDAP Call -->
    <ldap:property name="url" value="<%= \"ldap://\" + request.getParameter(\"ldapserver\") %>"/>
    <ldap:property name="dn" value="<%= binddn %>"/>
    <ldap:property name="password" value="<%= bindpw %>"/>
    <ldap:connect>
    <ldap:query id="var" basedn="o=tlhc" filter="<%= cn %>">
    <table border="0" cellpadding="1" cellspacing="0">
    <tr><td valign="top"><b>Last Name:</b> </td><td valign="top"><ldap:getAttribute name="sn"/></td></tr>
    <tr><td valign="top"><b>First Name:</b> </td><td valign="top"><ldap:getAttribute name="givenname"/></td></tr>
    <tr><td valign="top">Middle Name: </td><td valign="top"><ldap:getAttribute name="tlhcmiddlename"/></td></tr>
    <tr><td valign="top">UserID: </td><td valign="top"><ldap:getAttribute name="uid"/></td></tr>
    <tr><td valign="top">GUID: </td><td valign="top"><ldap:getAttribute name="tlhcguid"/></td></tr>
    <tr><td valign="top">Employee Number: </td><td valign="top"><ldap:getAttribute name="employeeNumber"/></td></tr>
    <tr><td valign="top">Title: </td><td valign="top"><ldap:getAttribute name="title"/></td></tr>
    <tr><td valign="top">Email: </td><td valign="top"><ldap:getAttribute name="mail"/></td></tr>
    <tr><td valign="top">Password Retry Count: </td><td valign="top"><ldap:getAttribute name="passwordretrycount"/></td></tr>
    <tr><td valign="top">Password Failure Time: </td><td valign="top"><ldap:getAttribute name="pwdfailuretime" delimiter="<br>"/><br><br></td></tr>
    </table>
    </ldap:query>
    </ldap:connect>

    Is this the easyldap tag library?
    I think it is the implementation of LDAP operations in the tag library that causes it.
    I'm looking for a tag library for the same use too.

  • Looking to switch: router query.

    Hi, i'm looking to switch broadband providers but i have a query first.
    At the moment my wifi is provided by an Apple Airport Express and Apple extenders and is linked to the router with an ethernet cable. Does the BT router have an ethernet connection so I can still use the Apple wifi, and if so, will I be able to turn off the BT wifi while I use this method?

    Yes, the Home Hub has 4 ethernet connections and you can turn wireless off if you wish.

  • Routing query on EIGRP and OSPF

    Hi,
    Suppose I have 2 routers connected using an ethernet link. I have 2 internal networks connected to each router.
    Now I am using the OSPF routing protocol between the routers and I made adjacencies only with the ethernet interface IP address, i.e. the /30 subnet.
    Now my query: will my internal networks get advertised by being learned internally, or do I have to advertise them using the network command?
    Also, do I have to advertise with the passive-interface command or not? What is the difference in enabling OSPF for all networks?
    Attached is a sample diagram which shows my setup clearly.
    I want to know what the difference is if I advertise the internal network with passive interface enabled and not.
    Maybe the query is simple, but I am missing one point and looking for someone to explain it.
    Also the same using EIGRP, will it make any difference? As I understood it, the network command in IGPs is the same.
    Regards, Gan

    Gan
    You have choices about how you can get OSPF and EIGRP to advertise the LAN subnets that you have configured. Let me start with the obvious point that you must have a network statement for the subnet that connects the two routers. The network statement is necessary to have the routing protocol run on those connecting interfaces.
    Beyond the connecting interfaces you have a choice about how to get the routing protocol to advertise the LAN subnets. You could use network statements that match the LAN subnets. This will result in the routing protocol running on the LAN interfaces as well as the connecting interface. This is the approach that is frequently used but not the only option. You can also redistribute connected into the routing protocol. Redistribute connected will result in the routing protocol advertising the subnets but the routing protocol will not run on the LAN interfaces. The other thing to consider is that if you redistribute the subnets they will be advertised as External routes in the routing protocol.
    If you do use network statements for the LAN subnets then there is the question of whether to use passive interface for the LAN subnets. When you use passive interface the routing protocol does not send any hello messages on those interfaces, will not create any neighbor relationships on those interfaces, and will not accept any routing updates from those interfaces. If there are no routers connected on those interfaces and no other devices that need to participate in the routing protocol then passive interface may be a good option to consider as it reduces the overhead processing on the interface.
    HTH
    Rick
