FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
ahsanali_FTNT
Article Id 191414
Description
The default Active Directory LDAP query on a FortiMail LDAP profile only accepts a full email address as the login ID. This article lists the steps to modify the query so that it also accepts a sAMAccountName.

It should be noted that this only works for administrative access. Webmail access will not work with a sAMAccountName: FortiMail uses the username and domain portions of an email address to match a user to their mailbox, so a Webmail login with a bare username gives FortiMail no domain with which to locate the mailbox.

Scope
This has been tested against Windows Server 2008 R2, and Windows Server 2012 R2.

Solution
A) Configure the LDAP Profile

Configure the Base DN, Bind DN, and Bind password. The related article may provide assistance with this configuration.

Select Active Directory for the User Query Options.

Modify the User query to include sAMAccountName.

(&(|(objectClass=user)(objectClass=group)(objectClass=publicFolder))(|(proxyAddresses=smtp:$m)(mail=$m)(sAMAccountName=$u)))

Ensure User Authentication Options is selected, and set to 'Search user and try bind DN'.

Save the LDAP profile: scroll down to the bottom of the page and click OK.


B) Configure the Administrator account

Go to System > Administrator > Administrator tab.  Click on New...

Configure the following fields:
a. Administrator: Enter the username exactly as it is in Active Directory.

b. Access profile: Assign an access profile, which controls the privilege level granted to each section of the administrative GUI.

c. Authentication type: Set authentication type to LDAP and select the profile created in Section A.

d. Click Create to save.

C) Test the configuration

Log out of the current session, and log in with the Administrator account created in Section B.

If the configuration is correct, the login should be successful.

D) Troubleshooting Notes

1) Ensure the LDAP profile Default Bind Options are entered correctly. For assistance with this, refer to the related KB article.

2) Ensure the LDAP query format is preserved after modification.  Verify that each opening parenthesis is closed.
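As an added example (not from the article or from Fortinet), the following Python renders the modified User query for both login forms, escapes the supplied login value per RFC 4515 so it cannot alter the filter structure, and applies the parenthesis check from note 2. It assumes that FortiMail expands $m to the full email address and $u to the username portion, which the article does not state explicitly.

```python
from string import Template

# The modified User query from Section A. $m and $u are assumed to be
# expanded by FortiMail to the login e-mail address and username respectively.
FORTIMAIL_USER_QUERY = (
    "(&(|(objectClass=user)(objectClass=group)(objectClass=publicFolder))"
    "(|(proxyAddresses=smtp:$m)(mail=$m)(sAMAccountName=$u)))"
)

# RFC 4515 requires these characters to be escaped inside an assertion value,
# otherwise a crafted login name could change the meaning of the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(query: str) -> bool:
    """Troubleshooting note 2: every '(' must have a matching ')'."""
    depth = 0
    for ch in query:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' closed before any '(' opened it
                return False
    return depth == 0


def render_user_query(login: str, template: str = FORTIMAIL_USER_QUERY) -> str:
    """Expand $m/$u for a login. An e-mail login fills both placeholders;
    a bare sAMAccountName is used for both (assumption: FortiMail has no
    domain to append, so the (mail=...) branch simply will not match)."""
    if not is_balanced(template):
        raise ValueError("LDAP query template has unbalanced parentheses")
    user = login.split("@", 1)[0]
    return Template(template).substitute(m=ldap_escape(login), u=ldap_escape(user))


if __name__ == "__main__":
    print(render_user_query("jdoe"))
    print(render_user_query("jdoe@example.com"))
```

The rendered filter for the bare username only matches via the (sAMAccountName=...) branch, which is why the article restricts this change to administrator logins.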
