gotuiva
New Member
November 26, 2012
Question

Active Directory and LDAP alias

  • November 26, 2012
  • 5 replies
  • 15101 views
Hi, does anyone have a working configuration for FortiMail and LDAP aliases? We have an FML 400 with build495-120418 firmware in server mode. AD is 2008 R2. User authentication is working properly. We have several groups (security and distribution), and our idea is to put the alias email in the group properties, so that mail sent to the alias email is sent to the members of that group. Our LDAP query is according to a post on this forum:

Schema: User Defined
Base DN: DC=company,DC=com
Bind DN: same as in User Query Options
Bind Password: same as in User Query Options
Alias Member Attribute: mail
Alias Member Query String: (&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder)) (|(proxyAddresses=smtp:$m)(mail=$m)))
User Group Expansion In Advanced: no checkbox
Group Member Attribute: didn't use, but should work with this one: member
Group Member Query String: didn't use, but should work with this one: (&(objectClass=group) (proxyAddresses=smtp:$m))
Scope: Subtree
Derefer: Never
Max Alias Expansion Level: 0

The alias is successfully found when I make a Test LDAP Query. Unfortunately, mail delivery doesn't work this way. Mail gets through (there is no 550 error RCPT required) but it is not delivered to the members of the alias group. If I put a checkmark on User Group Expansion or change the query options, I get a 550 error. Does anyone know how to make it work?

    5 replies

    FortiRack_Eric
    New Member
    November 26, 2012
    I've got the same, but the only difference is Derefer = Always. Needless to say, it's working fine for me.
    gotuiva (Author)
    New Member
    November 26, 2012
    Thanks!! Can you just post your user query options? Mine are:
    Schema: Active Directory
    Base DN: DC=Company,DC=Com
    Bind DN: a username for the connection to the AD (I made a new one)
    Bind Password: the password for the user above
    LDAP Query to Find User: I used this one: (&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder)) (|(proxyAddresses=smtp:$m)(mail=$m)))
    Scope: Subtree
    Derefer: Never
    Also, did you have to group AD groups and users in some specific manner (in the same OU or something similar), or does an LDAP query from the root of the domain work fine? Do you have the same firmware as mine? Did you have to make some modifications in recipient filtering or access policies, or does your alias query work without any modifications? Thank you.
    ehlo
    New Member
    November 26, 2012
    Hi gotuiva, you should check the checkbox 'User Group Expansion In Advanced'; it is the one that finds the group members of your group. Using the default setting should work. Thanks, ehlo
    gotuiva (Author)
    New Member
    November 26, 2012
    Hi, it doesn't work even with User Group Expansion checked, and with Derefer Always, or with different combinations of these two. Can you tell me in which way you two created the alias object? I have group IT, and the alias mail is defined in the Group properties (General tab, E-mail field) as it@domain.com. I have also found somewhere on the forum that people use groups named after the alias mail (e.g. the group name is it@domain.com). This is killing me....
    ehlo
    New Member
    November 26, 2012
    Hi, if you can post this part of your configuration here, I could take a look and try to find out why it is not working for you, since it is so simple. BTW, have you applied it in your domain setting of "LDAP alias/address mapping"? ehlo
    gotuiva (Author)
    New Member
    November 26, 2012
    Hello ehlo, as I wrote in my previous post, I have security/distribution groups with the email defined in the General/E-mail field. I have user1 with mail user1@domain.com, and the group has mail it@domain.com. I want mail sent to it@domain.com to get delivered to user1 and the other users who are members of this group. The FML documentation is not very specific on what an alias object is, but I hope I got this part right. My config is as follows:

    User Query Options are default:
    Schema: Active Directory
    Base DN: DC=Company,DC=Com
    Bind DN: a username for the connection to the AD (I made a new one)
    Bind Password: the password for the user above
    LDAP Query to Find User: (&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder)) (|(proxyAddresses=smtp:$m)(mail=$m)))
    Scope: Subtree
    Derefer: Never
    When I click Browse, I can see all the objects in AD, so this part is working. Also, user auth using AD credentials is working. The User Authentication option is: Search user and try bind DN.

    User Alias Options > User Defined:
    Base DN: same as user query
    Bind DN: same as user query
    Bind password: same as user query
    Alias member attribute: mail
    Alias member query: (&(|(objectClass=User)(objectClass=Contact)(objectClass=Group)(objectClass=publicFolder)) (|(proxyAddresses=smtp:$m)(mail=$m)))
    User group expansion: no checkbox. When I put the checkbox here I get a 550 5.1.1 User unknown error.
    Group member attribute: member
    Group member query: (&(objectClass=group) (proxyAddresses=smtp:$m)(mail=$m))
    Scope: Subtree
    Derefer: Always
    Max alias expansion level: 0

    I have nothing defined in the address mapping options. The AD domain is domain.local, but the FortiMail domain is domain.com, and the emails defined in the groups and users are also .com. I have tried different options for Derefer and the queries, but even when I don't get the 550 5.1.1 error, that mail does not end up in user1's mailbox. Instead it gets delivered somewhere. When I check Users there is no user IT (the name of the group is IT), but when I check the next tab, "User preferences", I see my users, but also the groups I tried to send email to. Looks like a new mailbox gets created, but I cannot access it since groups don't have passwords?! Look at the picture in the attachment. I tried to downgrade to MR3 Patch 2, but the same thing happens.
    ehlo
    New Member
    November 28, 2012
    Hi, of course I have an Exchange server. My config:
    User Alias Options > User Defined:
    Base DN: same as user query
    Bind DN: same as user query
    Bind password: same as user query
    Alias member attribute: mail
    Alias member query: distinguishedName=$b
    User group expansion: enable checkbox
    Group member attribute: member
    Group member query: (&(objectClass=group) (proxyAddresses=smtp:$m))
    Scope: Subtree
    Derefer: Always
    Max alias expansion level: 0
    I guess the problem is your alias member query field; as I said before, the default setting should be good. You can give it a try. ehlo
    gotuiva (Author)
    New Member
    November 28, 2012
    Thanks ehlo!!! Finally got it working using your setup (with a minor modification). The whole problem was in that (proxyAddresses=smtp:$m), because that field is empty in my AD. I tried numerous times using (&(objectClass=Group) (|(proxyAddresses=smtp:$m)(mail=$m)) but it didn't work. Now it is working using Group member query (&(objectClass=group) (mail=$m)). All other options are as yours. Thanks 1000 times.
    ehlo
    New Member
    November 28, 2012
    Hi, glad it works for you. Actually (&(objectClass=Group) (|(proxyAddresses=smtp:$m)(mail=$m)) should be working; it is because you are missing one right bracket ')' at the end. (&(objectClass=Group) (|(proxyAddresses=smtp:$m)(mail=$m))) Thanks, ehlo
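The thread ends on two distinct causes: the group query matched nothing because proxyAddresses was never populated in that AD (attribute data), and the retried filter was rejected because it lacked its final ')' (filter syntax). As an added example, not code from the thread or from Fortinet, the Python below parses FortiMail-style LDAP filters so that the unbalanced one is caught before it reaches the appliance, substitutes $m and $b, and then runs the working group member query and the default alias member query over a small constructed directory, expanding a nested group and stopping on a membership cycle. The directory entries, the DN layout, the reading of $b as the member DN handed from the group query to the alias member query, and the recursive expansion of member groups are all assumptions made for the example; the thread does not define them, and a real FortiMail may behave differently on nesting.

```python
# Added example: offline model of FortiMail-style LDAP alias expansion against AD-like
# entries.  Not code from the thread or from Fortinet; everything below is constructed.
import re

# Constructed sample directory.  Assumption: plain AD without Exchange, so no
# proxyAddresses values, which is what the original poster ran into.
U, G = "OU=Users,DC=domain,DC=local", "OU=Groups,DC=domain,DC=local"
DIRECTORY = [
    {"distinguishedName": f"CN=user1,{U}", "objectClass": ["top", "user"], "mail": "user1@domain.com"},
    {"distinguishedName": f"CN=user2,{U}", "objectClass": ["top", "user"], "mail": "user2@domain.com"},
    {"distinguishedName": f"CN=IT,{G}", "objectClass": ["top", "group"], "mail": "it@domain.com",
     "member": [f"CN=user1,{U}", f"CN=Helpdesk,{G}"]},
    # Nested group that also points back at IT, to exercise the cycle guard.
    {"distinguishedName": f"CN=Helpdesk,{G}", "objectClass": ["top", "group"], "mail": "helpdesk@domain.com",
     "member": [f"CN=user2,{U}", f"CN=IT,{G}"]},
]
_WS = re.compile(r"\s*")  # the thread's filters carry spaces between components


def _parse(s, i):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    i = _WS.match(s, i).end()
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while True:
            i = _WS.match(s, i).end()
            if i >= len(s):
                raise ValueError("unbalanced filter: missing ')'")
            if s[i] == ")":
                return i + 1, (op, children)
            i, child = _parse(s, i)
            children.append(child)
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unbalanced filter: missing ')'")
    attr, eq, value = s[i:end].partition("=")
    if not eq or not attr.strip():
        raise ValueError(f"malformed item {s[i:end]!r}")
    return end + 1, ("=", (attr.strip(), value.strip()))


def parse_filter(text):
    """RFC 4515-style filter (&, |, attr=value); a bare attr=value like distinguishedName=$b is accepted."""
    s = text.strip()
    s = s if s.startswith("(") else f"({s})"
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing text after filter: {s[pos:]!r}")
    return node


def is_valid_filter(text):
    """True when the filter parses; the thread's failing query lacks its final ')'."""
    try:
        return parse_filter(text) is not None
    except ValueError:
        return False


def _values(entry, attr):
    """Case-insensitive attribute lookup that always returns a list."""
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return vals if isinstance(vals, list) else [vals]


def matches(node, entry):
    op, arg = node
    if op in "&|":
        return (all if op == "&" else any)(matches(c, entry) for c in arg)
    attr, wanted = arg
    vals = _values(entry, attr)  # AD compares these values case-insensitively
    return bool(vals) if wanted == "*" else any(v.lower() == wanted.lower() for v in vals)


def search(filter_text, **variables):
    """Substitute FortiMail-style variables ($m = address, $b = member DN), then evaluate."""
    for name, value in variables.items():
        filter_text = filter_text.replace("$" + name, value)
    node = parse_filter(filter_text)
    return [e for e in DIRECTORY if matches(node, e)]


def expand_alias(recipient, group_query="(&(objectClass=group) (mail=$m))",
                 alias_query="distinguishedName=$b", _seen=None):
    """Mirror the thread's working config: group member query finds the group by mail, the
    alias member query turns each member DN into an entry whose mail attribute is delivered
    to.  Member groups are expanded recursively (assumption) and _seen stops cycles."""
    _seen = set() if _seen is None else _seen
    delivered = set()
    for group in search(group_query, m=recipient):
        gdn = _values(group, "distinguishedName")[0].lower()
        if gdn in _seen:
            continue
        _seen.add(gdn)
        for member_dn in _values(group, "member"):          # group member attribute
            for entry in search(alias_query, b=member_dn):
                addrs = _values(entry, "mail")               # alias member attribute
                if "group" in [c.lower() for c in _values(entry, "objectClass")]:
                    for addr in addrs:  # a nested group: expand it rather than deliver to it
                        delivered.update(expand_alias(addr, group_query, alias_query, _seen))
                else:
                    delivered.update(addrs)
    return sorted(delivered)
```

Running `expand_alias("it@domain.com")` returns user1 and user2 only: the Helpdesk group is expanded, not delivered to, and the IT entry reached through Helpdesk is skipped as already seen. Running the same with the thread's proxyAddresses-only group query returns nothing, because no constructed entry carries that attribute, while the corrected `(|(proxyAddresses=smtp:$m)(mail=$m))` form works once its closing bracket is present.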