2
Querying LDAP on Smartermail
Question asked by Brian Ebers - 12/7/2017 at 10:45 PM
Unanswered
I am able to successfully connect to SM server via configuring an LDAP address book in Outlook.  I am also able to connect with various LDAP admin tools to view some of the directory attributes.   However I am struggling to configure an LDAP query from a 3rd party service.   
 
Does anyone have an example of the BIND DN and Search string base attributes for SmarterMail LDAP?

9 Replies

Reply to Thread
0
Brian Ebers Replied
I am on v15 BTW
0
Douglas Foster Replied
A late response, but this is my supplement to the following KB article

Barracuda allows the LDAP query to be customized.    In the end, I decided that LDAP from Barracuda was not usable, given the limitation of SmarterMail LDAP.  This is what I learned in the process,.

Attribute List
The list of LDAP attributes supported by SmarterMail is undocumented and appears to be unknown.
Here is a list of the attributes that I have confirmed can be recognized by the SmarterMail LDAP server.   There may be others.  Curiously, I could not find the LDAP attribute name for the "City" portion of a mailing address.
  • c: (country) 
  • cn: (common name) 
  • displayName: 
  • givenName: 
  • initials: 
  • mail:
  • middleName: 
  • o: (organization) 
  • otherMailbox: (same as mail) 
  • postalCode: sn: (surname) 
  • st: (state) 
  • street: 
  • streetAddress: 
  • surname: 
  • title: 
  • uid: (user portion of email address)
Configuring LDAP Data from the SmarterMail GUI 
In previous versions, a mailbox import would populate name components (first, middle, last, suffix), but these values could not be configured from the GUI. I suspect that is still the case. 

LDAP scope: are all addresses visible, as long as they are Global Catalog visible? 
Unfortunately, No. My testing indicates that LDAP returns usernames and alias names, but not Mailing List names, even though my configuration says to include Mailing Lists in the Global Catalog.  I worked around this by configuring a manual list to supplement the LDAP lookup.  This combined-list approach is supported and works, even though the help indicates that it does not.

LDAP query syntax
 Barracuda uses this LDAP query by default: 
(|(proxyaddresses=smtp$${recipient_email})
(proxyaddresses=smtp:${recipient_email})
(mail=${recipient_email})
(userPrincipalName=${recipient_email})) 

Since SmarterMail LDAP server does not recognize the attributes for proxyaddresses or userPrincipalName, it seems best to omit these from the LDAP query, even though my testing found no failures caused by the extra attributes. The sufficient query is 
(mail=${recipient_email}) 

Domain Aliases 
I have domain aliases, which are now supported by the SmarterMail LDAP server.  However, Barracuda gets confused when I search for username@aliasdomain because SmarterMail returns a result of mail=username@primarydomain. 
The workaround is to modify the Barracuda field "LDAP UID" to use "uid" instead of "mail". This performs a match on just the username portion of the email address, which solves the problem.

What we need:
  1. Mailing List names to be visible in LDAP
  2. ObjectClass to be supported, so that we can filter for user accounts, alias names, and mailing list names independently.
  3. A UserDisabled flag so that disabled users can be excluded from the LDAP query, whether disabled explicitly or disabled from receiving mail due to quota exhaustion.   I do not think there is any standardized atttribute name for a disabled account.  For active directory, not-disabled is detected with this LDAP syntax:
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))

0
Douglas Foster Replied
I have also found that in version 17, new user accounts are not added into LDAP.   Problem seems to persist in Beta 7269.
0
Matt Petty Replied
Employee Post
@Douglas, so you have a set of users being returned right now, but any new accounts you create aren't showing up?
I can take a peek at this tomorrow.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Douglas Foster Replied
Recently upgraded production environment from v15 (XML) to v17 (JSON).   All of my existing users are still in LDAP after the upgrade.   But new accounts do not appear, so I had to stop using LDAP for email account verification from my Barracuda.    For the BETA environment, I configured a test domain with 4 users.  LDP.EXE query against that server returns zero results when using an LDAP filter of (mail=*).

0
Matt Petty Replied
Employee Post
You mentioned having a BETA environment, I was not able to reproduce this in my environment. I'm using my own tool but similar query. If you are using a test environment can I get credentials for a user on the domain? I can try with mine. I tested adding a new user and seeing the new user show up on a second query.


Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Douglas Foster Replied
RSA has been submitted on ticket 023-25699CF5-0030.   
1
Andrea Free Replied
Employee Post
Hello all,

In one of the replies by Douglas Foster, he mentioned: "new user accounts are not added into LDAP."

I wanted to let you know that this appears to be resolved by a recent change in Build 7661: 
Fixed: Creating a new account with Active Directory authentication does not create required "account_name" field in the settings file.

If you continue to see trouble with this behavior on the latest build, please submit a support ticket for further review.

Thank you,
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com
1
Douglas Foster Replied
Yes, bug fixed, including a mechanism to correct missing data.

Reply to Thread