This article describes guidance on configuring FortiMail to use LDAP groups in access control policies while allowing wildcards in the group members.
Scope
All supported versions of FortiMail.
Solution
To enable the use of LDAP groups in access control policies with wildcards on group members, follow these steps:
LDAP Server Configuration:
Ensure that the LDAP server is configured properly.
The AD users representing a wildcard on the 'mail' attribute should only contain the '@' symbol followed by the domain without the asterisk (*). For example, use '@test.com' instead of '*@test.com.'
Modify LDAP Profile:
Access the FortiMail configuration and modify the LDAP profile used for group queries.
Example LDAP Profile Configuration:
config profile ldap
edit AD
…
set query (&(|(objectClass=user)(objectClass=group))(|(proxyAddresses=smtp:@$d)(mail=@$d)(proxyAddresses=smtp:$m)(mail=$m)))
…
next
end
In the LDAP profile configuration:
The LDAP query ('set query') includes parameters that allow wildcards for group members.
The LDAP user attribute 'mail' is used for group membership checks.
Save and Apply Configuration:
After modifying the LDAP profile, save the changes and apply the updated configuration.
Test LDAP Group Access Control Policies:
Verify that LDAP groups can now be used in FortiMail access control policies and that wildcards in the group members are supported.
By modifying the LDAP profile query and configuring the LDAP server to use '@domain.com' instead of '*@domain.com' for wildcards, FortiMail can successfully use LDAP groups in access control policies with wildcard support for group members.
