keithsauer507
Contributor

AD/LDAP Group queries never work

Trying to get LDAP / Active Directory integration so we can use different policies for different AD users and groups.  Let's say, for example, that in Active Directory I have the following structure:

OU=Company Employees
    OU=Accounting
        User=John Doe
        User=Johnny Appleseed
        Group=accounting (both above members belong to group)
    OU=IT
        User=Administrator
        User=Joe Admin
        Group=Information Technology (both above members belong to group)

In the above scenario, if I do a group test for doej@domain.com and group accounting, it always comes back that they are not a member of the group.  In ADUC, in that group under the e-mail field, it's spelled out like accounting@domain.com.  So I tried this syntax in the group test, but I still get that they are not a member of the group.

Failure: Action: match negative.
Reason: unknown error (assumed not a member of the group).

How do you successfully query for groups in this case?

1 ACCEPTED SOLUTION

Accepted Solutions
Ken Stieers
Engager

You have to use the DN of the group...

cn=accounting,ou=Accounting,ou=CompanyEmployees,dc=company, dc=local

It's an LDAP query, so think in LDAP...

Ken

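To make the accepted answer concrete, here is an added example (not code from the original thread or from the appliance vendor) that evaluates a group test the way an LDAP-backed policy engine does: the user is matched by mail and the group is matched on memberOf against the group's DN. It runs offline against a small constructed in-memory directory whose names mirror the thread (ou=Accounting under ou=CompanyEmployees, group cn=accounting); all entries, addresses and DNs are made up. It also shows why the group's e-mail address or bare name never matches, why the "dc=company, dc=local" spacing in the answer still works once the DN is normalised, and how filter values are escaped per RFC 4515 so that a user-supplied value cannot alter the query.

```python
"""Group-membership check against a constructed in-memory stand-in for AD.

Added example for the thread above; nothing here is appliance code.  The
directory, DNs and mail addresses are made up.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted string before placing it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison.

    Attribute types are case-insensitive, whitespace around the ',' and '='
    separators is insignificant, and AD compares the naming values
    case-insensitively as well.  This is what makes the spaced form
    'dc=company, dc=local' equal to 'dc=company,dc=local'.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):   # split on commas that are not escaped
        attr, _, val = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def build_group_filter(user_mail: str, group_dn: str) -> str:
    """The filter a policy engine would send to the server (both values escaped)."""
    return (f"(&(objectClass=user)(mail={escape_filter_value(user_mail)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


GROUP_DN = "cn=accounting,ou=Accounting,ou=CompanyEmployees,dc=company,dc=local"
JOHN_DN = "cn=John Doe,ou=Accounting,ou=CompanyEmployees,dc=company,dc=local"
JOHNNY_DN = "cn=Johnny Appleseed,ou=Accounting,ou=CompanyEmployees,dc=company,dc=local"
ADMIN_DN = "cn=Joe Admin,ou=IT,ou=CompanyEmployees,dc=company,dc=local"

# Constructed directory: DN -> attributes.  memberOf is stored the way AD
# returns it, as the full DN of each group (note Johnny's upper-case copy).
DIRECTORY = {
    JOHN_DN: {"objectClass": ["user"], "mail": ["doej@domain.com"],
              "memberOf": [GROUP_DN]},
    JOHNNY_DN: {"objectClass": ["user"], "mail": ["applesj@domain.com"],
                "memberOf": ["CN=Accounting,OU=Accounting,OU=CompanyEmployees,DC=company,DC=local"]},
    ADMIN_DN: {"objectClass": ["user"], "mail": ["adminj@domain.com"],
               "memberOf": ["cn=Information Technology,ou=IT,ou=CompanyEmployees,dc=company,dc=local"]},
    GROUP_DN: {"objectClass": ["group"],
               "mail": ["accounting@domain.com"],      # the e-mail field the question tried
               "member": [JOHN_DN, JOHNNY_DN]},
}


def is_member(user_mail: str, group: str) -> bool:
    """Evaluate the same condition as build_group_filter() over DIRECTORY.

    `group` has to be the group's DN.  An e-mail address or a bare name is
    compared against memberOf, which only ever holds DNs, so it never matches:
    that is the 'assumed not a member of the group' result from the question.
    """
    want = normalize_dn(group)
    for attrs in DIRECTORY.values():
        if "user" not in attrs.get("objectClass", []):
            continue
        if user_mail.lower() not in (m.lower() for m in attrs.get("mail", [])):
            continue
        return any(normalize_dn(g) == want for g in attrs.get("memberOf", []))
    return False   # unknown user


if __name__ == "__main__":
    print(build_group_filter("doej@domain.com", GROUP_DN))
    for probe in (GROUP_DN, "accounting@domain.com", "accounting"):
        print(f"{probe!r:>80} -> {is_member('doej@domain.com', probe)}")
```

The escaping step matters beyond correctness: the user's address and the group name are both attacker-influenceable inputs in a mail-flow policy, and an unescaped `*` or `)` in a filter value changes what the server evaluates. Escaping them is the standard mitigation for LDAP filter injection.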

2 REPLIES

Ha, you, my friend, saved the day yet again.  I really owe you a beverage.

Thanks so much, my new mail policy is working correctly (as I tested moving myself in and out of the AD group I am looking at).  I see it caches it for 900 seconds (which is tunable), but for testing I did use the clear LDAP cache.

Not only does this work with my mail flow policy, I could see other future possibilities down the road with the LDAP integration since now we can check / test on it and perform an action based on it.  I also tightened up the directory harvest protection a bit.
