• SonicOS 7.0
• Anti-Spam
  • About Anti-Spam
    • What is Anti-Spam?
    • Benefits
  • How Does the Anti-Spam Service Work?
    • GRID Network
      • Benefits
      • GRID Connection Management with Sender IP Reputation and Connection Management Precedence Order
    • Address and Service Objects
      • Objects Created When the Anti-Spam Service is Enabled
  • Purchasing an Anti-Spam License
• Status
• Settings
  • Activating Anti-Spam
  • Installing the Junk Store
  • Configuring Email Threat Categories
  • Configuring Access Lists
    • Configuring User-defined Access Lists
    • Adding a Host to the Access Lists
  • Configuring Advanced Settings
• Relay Domains
  • About Open Relay
  • Listing Allowed Relay Domains
• Junk Box Messages
  • Information Displayed in the Junk Box Messages Table
  • Managing Junk Box Messages
• Junk Box Settings
• Junk Box Summary
  • Managing the Junk Box Summary
• User View Setup
  • Configuring User View Setup
• Address Books
  • About the Tabs
    • Allowed Lists
    • Blocked Lists
  • Adding Items to the Allowed or Blocked List
  • Deleting Items from the Allowed or Blocked List
  • Importing Address Book Entries
  • Exporting Address Book Entries
  • Searching the Allowed and Blocked Lists
• Manage Users
  • Updating the User Table
  • Enabling Non-LDAP User Authentication
  • Viewing Users
    • Selecting the Type and Sever of User to View
    • Selecting a Server’s Users to View
    • Finding a User
  • Adding Users
    • Adding Users Manually to the User Table
    • Importing Users to the User Table
  • Signing In as a User
• LDAP Configuration
  • Adding an LDAP Server
    • Configuring LDAP Queries
    • Adding LDAP Mappings
  • Editing an LDAP Server Configuration
  • Deleting an LDAP Server
• Advanced
  • Downloading System/Log Files
  • Selecting Log Settings
• Downloads
• SonicWall Support
  • About This Document

Configuring LDAP Queries

If you selected the Auto-fill LDAP Query when saving configuration option on the LDAP Configuration tab, the LDAP Query Panel fills with default values automatically.

To successfully allow users to login to their Junk Box

To examine your LDAP tree in its entirety to get a comprehensive look at your LDAP structure and its various attributes and object classes, run the free program, Softerra LDAP Browser 2.5, available at: http://www.ldapbrowser.com/download/index.php

On a Windows PC, download the program. When it is running, to determine the best query for your network, browse to a user on the network and examine their attributes.

1. In the LDAP Query Panel tab, go to the Query for LDAP User section.

2. To use the optional Query for LDAP Group functionality, in the Directory node to begin search field, specify a full LDAP directory path that points towards a node (directory inside LDAP) containing the information for all groups in the directory. This path narrows the search for LDAP groups to a reasonable size.

   The information contained in LDAP is organized into a directory tree much like an ordinary file system. Each directory is specified as a name=value pair, where:

   • name is commonly:

     DC(domain component)	OU(organizational unit)
     DN(distinguished name)	O (organization)

   • value is commonly one segment of a fully specified hostname (for example, the word companyxyz in sales.companyxyz.com).

   To specify a particular node in LDAP you use a comma-separated list. To specify multiple nodes to search in, use the ampersand (&) character between full paths.

   For example, if the hostname of a particular machine inside companyxyz was computer27.sales.companyxyz.com, the LDAP path might be:

   DC=computer27,DC=sales,DC=companyxyz,DC=com

   To see examples for the various directory types, click the Question Mark icon next to the Directory Node to Begin Search field

3. Enter an LDAP filter in the standard LDAP filter syntax in the Filter field.

   Anti-Spam must be instructed on how to find and identify users and mailing lists. By specifically stating the Object Class and mail attribute in the Filter field, non-primary email accounts (such as printers and computers) are not included during an LDAP query. Focusing on primary user accounts speeds up the query.

   The Filter field contains an example syntax:

   (&(|(objectClass=group)(objectClass=person)(objectClass=publicFolder))(mail=*))

   All LDAP filters are grouped in parenthesis, and the filter itself has a pair of parentheses surrounding the whole string. The very next character from the left is an ampersand (&). The LDAP filter syntax is prefix notation, which means this filter only returns the logical AND of three sub-filters, each grouped in parentheses. Other operators include a pipe (|) for OR and an exclamation point (!) for NOT.

4. Specify the text attribute a user uses fora login name in the User login name attribute field. The generally accepted attribute for this field is sAMAccountName, which is the default. This attribute should work for Microsoft Windows, as well as all other environments.

   This field works in conjunction and needs to agree with the Filter field. If you change sAMAccountName, you must change it in both the Filter field and the User login name attribute field.

5. Specify the email address, employee ID, phone number, or other alias attributes that link a single user to his or her junk box in the Email alias attribute field.

   At many companies, an end user has multiple email accounts that all map to one true email account. For example, JohnS@example.com and John.Smith@example.com might both be valid email addresses for John Smith's InBox. Anti-Spam supports this by allowing an end user to have one junk email box that groups all email from their various email addresses.

   The generally accepted single attribute for this field is proxyAddresses. All other attributes must be separated by a comma. For example:

   • proxyAddresses,legacyExchangeDN
   • proxyAddresses,EmployeeID,PhoneNumber

   In Microsoft Windows environments, the single attribute, proxyAddresses, is often sufficient.

6. Optionally, test to see if your settings work, click the blue icon Test User Query under the Query for LDAP User section.
7. Save the changes by clicking Save.

8. Go to the Query Information for LDAP Groups section.

   If you did not specify Auto-fill LDAP Query fields when saving configuration in the Settings section, you can click Auto-fill Group Fields to do so.

9. To use the optional Groups functionality, in the Directory node to begin search field, specify a full LDAP directory path that points towards a node (directory inside LDAP) containing the information for all groups in the directory. This narrows the search for LDAP groups to a reasonable size. For further information about this setting, see Step 2.
10. To instruct Anti-Spam on how to find and identify users and mailing lists, enter an LDAP filter in the standard LDAP filter syntax in the Filter field. The field contains an example syntax. For further information about this setting, see Step 3.
11. Specify the attribute of the group that corresponds to Group names in the User login name attribute field.
12. A common way to specify a group is a mailing list. In the mailing list entry in LDAP, there is one particular field that specifies the members of the list. Enter that information in the Group members attribute field.
13. In some LDAP configurations, there is an attribute, inside each user's entry in LDAP, that lists the groups or mailing lists of which this user is a member. Specify that attribute in the User membership attribute field.
14. Optionally, test to see if your settings are functioning correctly, click the blue icon, Test User Query or Test User Query .
15. Save the changes by clicking Save.