
best ldap deployment in hosted environment

Eric Cole
Level 1

Hello,

 

I am migrating to an LDAP-based query for allowing email to transit our IronPort. Currently we have email addresses manually assigned in a variety of outbound mail policies depending upon customer, policies selected, etc.

 

I am working on getting LDAP to query a given customer/domain for allowing emails through.

 

My question is what is the limit in the number of LDAP queries I can create on an IronPort C170/C370?

 

I have some customers which share a basic policy but we have them divided by customer currently.  We have some that have special policies and are unique to them.

 

Would it be best to create a global generic shared LDAP query when that policy is the only policy they have and then create individual LDAP queries for each special customer?

 

Would it be unfeasible to create a new LDAP query for each customer / domain where we could easily have over 100 separate LDAP queries simultaneously?

 

Just wanted to get your feedback on this approach.

 

Thanks.

3 Replies

So, weeks late, but better late than never, right?

 

Are all of the hosted email domains on one LDAP realm? (e.g., if you were on Exchange, in one AD?)

If so, I'd do one set of queries for the domain (e.g., 1 accept query, 1 group, etc.), then create groups for the various policy requirements and use the group query to deal with the non-standard stuff...

Ken,

 

Thanks for the reply.

A better breakdown is:

Customer A - domain1.com has 15 users and default policy

Customer B - domain2.com has 5 users and default policy

Customer C - domain3.com has 10 users in 2 "groups", group 1 has 7 users and has default policy, group 2 has 3 users and custom-policy-1

Customer E - domain4.com has 6 users and default policy, domain5.com has 5 users and default policy

 

... for a few hundred domains.

 

Each domain is under a given customer which are then under one umbrella CN in LDAP.

 

The main thing is that all of these will be configured in "Outgoing Mail Policies"

 

Does that help clarify what I'm trying to do?  Do you think I'll run into a load issue when I have that many LDAP queries configured?

 

Thanks,

Eric

Eric,

 

I have the same type of environment.

In the System Admin > LDAP

1. Create multiple LDAP domains with whichever queries you need (.accept, etc.)

 a. Must have access to perform LDAP query.

2. Create a domain assignment, i.e. List1

 a. List one contains domains to test against with specific .accept profile.

3. Edit the Incoming listener

 a. LDAP queries > Accept Query > List1 (from #2 above)

4. Recipient Access Table (RAT)

 a. The domains added match the domains in List1.

 b. Action accept

 c. Ensure "Bypass LDAP Accept Queries for this Recipient" is NOT checked. Only when the LDAP server is unreachable.

 

Recommendations

1. The default is 10 simultaneous connections to each server (resources)

2. Default cache is 10000 entries; try 100? or 1000?

 

Hope this helps. 

Let me know if you have any questions. 

 

Jared
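
The consistency checks in steps 4a and 4c of the reply above can be run against an exported configuration. The following is an added example, not part of the original posts and not AsyncOS code. The profile names, the `(mail={a})` accept-query form, the `{a}` recipient token and all domain data are constructed assumptions for illustration.

```python
# Added example: constructed data and hypothetical names; a model, not AsyncOS code.

# Step 1: server profiles and their accept queries ({a} = recipient address, assumed).
PROFILES = {
    "shared.accept": "(mail={a})",
    "custC.accept": "(&(mail={a})(o=custC))",
}
# Step 2: domain assignment "List1": recipient domain -> accept query profile.
LIST1 = {
    "domain1.com": "shared.accept",
    "domain2.com": "shared.accept",
    "domain3.com": "custC.accept",
    "domain5.com": "shared.accept",   # constructed: never added to the RAT
}
# Step 4: RAT entries: domain -> (action, "bypass LDAP accept queries" checked?).
RAT = {
    "domain1.com": ("accept", False),
    "domain2.com": ("accept", True),   # constructed: bypass left checked
    "domain3.com": ("accept", False),
    "domain4.com": ("accept", False),  # constructed: missing from List1
}

def escape_filter(value):
    """Escape RFC 4515 special characters before substituting into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def accept_filter(rcpt):
    """Return the LDAP filter that would run for rcpt, or None if no query runs."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    action, bypass = RAT.get(domain, ("reject", False))
    if action != "accept" or bypass or domain not in LIST1:
        return None
    return PROFILES[LIST1[domain]].replace("{a}", escape_filter(rcpt))

def audit():
    """Steps 4a and 4c: RAT domains match List1 and bypass is unchecked."""
    return {
        "rat_without_query": sorted(set(RAT) - set(LIST1)),
        "query_without_rat": sorted(set(LIST1) - set(RAT)),
        "bypass_checked": sorted(d for d, (_, b) in RAT.items() if b),
    }

if __name__ == "__main__":
    print(audit())
    print(accept_filter("user@domain1.com"))
```

Domains reported under `rat_without_query` or `bypass_checked` accept mail without any recipient validation, so they are the entries to review first.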
