SonicOS 7.1 Anti-Spam

LDAP Configuration > Adding an LDAP Server > Configuring LDAP Queries
Table of Contents

Configuring LDAP Queries

If you selected the Auto-fill LDAP Query when saving configuration option on the LDAP Configuration tab, the LDAP Query Panel fills with default values automatically.

To successfully allow users to login to their Junk Box

To examine your LDAP tree in its entirety to get a comprehensive look at your LDAP structure and its various attributes and object classes, run the free program, Softerra LDAP Browser 2.5, available at: http://www.ldapbrowser.com/download/index.php

On a Windows PC, download the program. When it is running, to determine the best query for your network, browse to a user on the network and examine their attributes.

  1. In the LDAP Query Panel tab, go to the Query for LDAP User section.

  2. To use the optional Query for LDAP Group functionality, in the Directory node to begin search field, specify a full LDAP directory path that points towards a node (directory inside LDAP) containing the information for all groups in the directory. This path narrows the search for LDAP groups to a reasonable size.

    The information contained in LDAP is organized into a directory tree much like an ordinary file system. Each directory is specified as a name=value pair, where:

    • name is commonly:

      DC(domain component)

      OU(organizational unit)
      DN(distinguished name)

      O (organization)
    • value is commonly one segment of a fully specified hostname (for example, the word companyxyz in sales.companyxyz.com).

    To specify a particular node in LDAP you use a comma-separated list. To specify multiple nodes to search in, use the ampersand (&) character between full paths.

    For example, if the hostname of a particular machine inside companyxyz was computer27.sales.companyxyz.com, the LDAP path might be:

    DC=computer27,DC=sales,DC=companyxyz,DC=com

    To see examples for the various directory types, click the Question Mark icon next to the Directory Node to Begin Search field

  3. Enter an LDAP filter in the standard LDAP filter syntax in the Filter field.

    Anti-Spam must be instructed on how to find and identify users and mailing lists. By specifically stating the Object Class and mail attribute in the Filter field, non-primary email accounts (such as printers and computers) are not included during an LDAP query. Focusing on primary user accounts speeds up the query.

    The Filter field contains an example syntax:

    (&(|(objectClass=group)(objectClass=person)(objectClass=publicFolder))(mail=*))

    All LDAP filters are grouped in parenthesis, and the filter itself has a pair of parentheses surrounding the whole string. The very next character from the left is an ampersand (&). The LDAP filter syntax is prefix notation, which means this filter only returns the logical AND of three sub-filters, each grouped in parentheses. Other operators include a pipe (|) for OR and an exclamation point (!) for NOT.

  4. Specify the text attribute a user uses fora login name in the User login name attribute field. The generally accepted attribute for this field is sAMAccountName, which is the default. This attribute should work for Microsoft Windows, as well as all other environments.

    This field works in conjunction and needs to agree with the Filter field. If you change sAMAccountName, you must change it in both the Filter field and the User login name attribute field.

  5. Specify the email address, employee ID, phone number, or other alias attributes that link a single user to his or her junk box in the Email alias attribute field.

    At many companies, an end user has multiple email accounts that all map to one true email account. For example, JohnS@example.com and John.Smith@example.com might both be valid email addresses for John Smith's InBox. Anti-Spam supports this by allowing an end user to have one junk email box that groups all email from their various email addresses.

    The generally accepted single attribute for this field is proxyAddresses. All other attributes must be separated by a comma. For example:

    • proxyAddresses,legacyExchangeDN
    • proxyAddresses,EmployeeID,PhoneNumber

    In Microsoft Windows environments, the single attribute, proxyAddresses, is often sufficient.

  6. Optionally, test to see if your settings work, click the blue icon Test User Query under the Query for LDAP User section.
  7. Save the changes by clicking Save.

  8. Go to the Query Information for LDAP Groups section.

    If you did not specify Auto-fill LDAP Query fields when saving configuration in the Settings section, you can click Auto-fill Group Fields to do so.

  9. To use the optional Groups functionality, in the Directory node to begin search field, specify a full LDAP directory path that points towards a node (directory inside LDAP) containing the information for all groups in the directory. This narrows the search for LDAP groups to a reasonable size. For further information about this setting, see Step 2.
  10. To instruct Anti-Spam on how to find and identify users and mailing lists, enter an LDAP filter in the standard LDAP filter syntax in the Filter field. The field contains an example syntax. For further information about this setting, see Step 3.
  11. Specify the attribute of the group that corresponds to Group names in the User login name attribute field.
  12. A common way to specify a group is a mailing list. In the mailing list entry in LDAP, there is one particular field that specifies the members of the list. Enter that information in the Group members attribute field.
  13. In some LDAP configurations, there is an attribute, inside each user's entry in LDAP, that lists the groups or mailing lists of which this user is a member. Specify that attribute in the User membership attribute field.
  14. Optionally, test to see if your settings are functioning correctly, click the blue icon, Test User Query under the Query for LDAP User section.
  15. Save the changes by clicking Save.