ahsanali_FTNT (Staff)
Created on 07-18-2016 06:37 AM
Edited on 01-31-2025 02:37 AM by Jean-Philippe_P
Article Id 191414
Description
This article describes how to modify the default Active Directory LDAP user query in a FortiMail, FortiSandbox, or FortiNDR LDAP profile, which only matches full email addresses as login IDs, so that it also matches the sAMAccountName.
Note that this only works for administrative access. Webmail access on FortiMail will not work with sAMAccountName: FortiMail uses the username and domain portions of an email address to match a user to a mailbox, so a webmail login with a bare username does not let FortiMail locate a mailbox.
Scope
This has been tested against Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
Solution
1. Configure the LDAP profile.
Configure the Base DN, Bind DN, and Bind password. The related article may assist with this configuration.
Modify the User query to include sAMAccountName:
(&(|(objectClass=user)(objectClass=group)(objectClass=publicFolder))(|(proxyAddresses=smtp:$m)(mail=$m)(sAMAccountName=$u)))
Here $m is the login exactly as entered and $u is its username portion, so an account is matched either by its mail address or by its sAMAccountName. Enter the filter as a single string with no spaces between the filter items.
Save the LDAP profile: scroll to the bottom of the page and select OK.
2. Configure the Administrator account.
Go to System -> Administrator -> Administrator tab. Select New:
Configure the following fields:
- Administrator: Enter the username exactly as it is in Active Directory.
- Access profile: Assign an access profile that will control the privilege levels of different sections of the administrative GUI.
- Authentication type: Set the authentication type to LDAP and select the LDAP profile created in step 1.
- Select Create to save.
3. Test the configuration.
Log out of the current session and log in with the Administrator account created in step 2.
If the configuration is correct, the login succeeds.
Troubleshooting notes:
- Ensure the LDAP profile Default Bind Options are entered correctly. For assistance, refer to the related KB article.
- Ensure the LDAP query format is preserved after modification: verify that every opening parenthesis is closed and that no whitespace was introduced between filter items.
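The following is an added, self-contained example and is not part of the original article or Fortinet's code. It shows what the modified User query does when the login is expanded into it: the default query finds nothing for a bare username, the modified one matches the account via sAMAccountName, and a mail-address login still matches via mail or proxyAddresses. It also applies the troubleshooting check above, rejecting a filter with an unclosed parenthesis or a stray space between items. The placeholder semantics are an assumption stated in the code ($m is the login as typed, $u the part before "@", $d the part after it), and the directory entries, names and addresses are constructed for the example.

```python
"""Added example (not Fortinet's code): expand FortiMail-style $u/$d/$m
placeholders in an LDAP user query, check the filter is well formed, and
evaluate it against constructed Active Directory entries."""

# Default FortiMail Active Directory user query: matches on mail address only.
DEFAULT_QUERY = ("(&(|(objectClass=user)(objectClass=group)(objectClass=publicFolder))"
                 "(|(proxyAddresses=smtp:$m)(mail=$m)))")
# Query from the article, extended so the sAMAccountName also matches.
MODIFIED_QUERY = ("(&(|(objectClass=user)(objectClass=group)(objectClass=publicFolder))"
                  "(|(proxyAddresses=smtp:$m)(mail=$m)(sAMAccountName=$u)))")

# Constructed sample directory; hypothetical entries, not real accounts.
SAMPLE_ENTRIES = [
    {"dn": "CN=John Doe,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["jdoe"],
     "mail": ["john.doe@example.com"],
     "proxyAddresses": ["SMTP:john.doe@example.com", "smtp:jdoe@example.com"]},
    {"dn": "CN=Mail Admins,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "group"],
     "sAMAccountName": ["mailadmins"],
     "mail": ["mailadmins@example.com"]},
    # A contact has a mail attribute but is neither user nor group, so the
    # objectClass clause of the query must keep it out.
    {"dn": "CN=Vendor Contact,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "mail": ["vendor@partner.example"]},
]


def expand(query, login):
    """Substitute placeholders (assumed FortiMail behaviour): $m is the login
    exactly as typed, $u the part before '@' (the whole login when there is
    no '@'), and $d the part after it."""
    user, _, domain = login.partition("@")
    return query.replace("$m", login).replace("$u", user).replace("$d", domain)


def parse(filter_str):
    """Parse an RFC 4515 filter (subset: &, |, !, attr=value, attr=*) into a
    nested tuple AST; raises ValueError on unbalanced or malformed input."""
    node, end = _parse_at(filter_str, 0)
    if end != len(filter_str):
        raise ValueError(f"trailing text at offset {end}: {filter_str[end:]!r}")
    return node


def _parse_at(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_at(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            # An unclosed parenthesis or a stray space between items ends here.
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed item {s[i:end]!r}")
    return ("=", attr.lower(), value), end + 1


def is_well_formed(query):
    """True when the query parses; run this after editing the User query."""
    try:
        parse(query)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate an AST against one entry. Attribute names and string values
    compare case-insensitively, as AD does for the attributes used here."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k != "dn" and k.lower() == attr for v in vs]
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(query, login, entries=SAMPLE_ENTRIES):
    """Return the DNs the expanded query matches for this login."""
    ast = parse(expand(query, login))
    return [e["dn"] for e in entries if matches(ast, e)]


if __name__ == "__main__":
    for name, query in (("default", DEFAULT_QUERY), ("modified", MODIFIED_QUERY)):
        for login in ("jdoe", "john.doe@example.com", "vendor@partner.example"):
            print(f"{name:8} {login:24} -> {search(query, login)}")
    broken = MODIFIED_QUERY.replace("(mail=$m)(", "(mail=$m) (")
    print("query with stray space well formed?", is_well_formed(broken))
```

Running the script against the constructed entries shows the bare login "jdoe" matching only with the modified query, while mail-address logins match under both; the contact entry is never returned because the objectClass clause excludes it. Against a real domain controller the same expanded filter can be pasted into any LDAP search tool using the profile's Bind DN to confirm the directory side before testing the administrator login.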