How do I configure LDAP/Active Directory verification on my Email Security Gateway?

  • Type: Knowledgebase
  • Date changed: 3 years ago
Solution #00002192

All Email Security Gateways, all firmware versions, model 300 and above.

The Email Security Gateway can perform LDAP and Active Directory recipient verification on all incoming e-mail. This means an Email Security Gateway is able to reject every e-mail addressed to a user that does not exist in the directory.

Firmware version 3.5.x and earlier
To configure LDAP verification, you need an LDAP or Active Directory server. In the Barracuda's web interface, click the Domains tab, then click the Edit LDAP link to the right of one of the domains. LDAP must be configured individually for each domain.

Firmware version 4.0.x and later
Navigate to Domains > Manage Domain (select your domain) > Users > LDAP Configuration. The LDAP Server Type should be Active Directory.

For a basic setup, specify your LDAP server's IP address or domain name, the destination port (typically 389), your Bind DN, your Bind Password, and a valid e-mail address in the last field (for testing). Note: In firmware and higher, the valid e-mail address for testing must be an e-mail address in the domain being configured (i.e. if the domain is then the testing address must be <username here>). The default LDAP Filter, LDAP Search Base, and LDAP UID may also need to be adjusted to work with your particular LDAP server (for instance, the UID value for all Microsoft Active Directory servers must be changed to sAMAccountName). Also, some LDAP servers do not require a Bind DN or Bind Password.

Once you have entered these settings, use the Test LDAP button at the bottom of the page to check whether the Barracuda is able to query your LDAP server successfully. If you receive the error Warning: Uniquely identifying attribute 'uid' not found, your LDAP UID value must be changed to the attribute your LDAP server uses as its unique identifier.

If the test fails, scan the error output. If you see the message Can't contact LDAP server, the IP address or domain name may have been specified incorrectly, the port may be wrong, your network may be preventing the connection, or the LDAP server may simply be refusing the connection. The message failed to bind to LDAP server <your server's IP>: Invalid credentials usually means the Bind DN or Bind Password is not valid. The message LDAP search failed: 32 No such object usually indicates an incorrect or missing LDAP Search Base.

If you have verified that the IP address or domain name of the LDAP server is correct and that the LDAP server is accepting connections on the specified port, you must verify that the Bind DN, Bind Password, LDAP Filter, LDAP Search Base, and LDAP UID values are correct. If you are stuck, we recommend examining an LDIF file from your LDAP server.

LDIF (LDAP Data Interchange Format) files let you identify the correct search base and choose appropriate search filters, which reduces LDAP search times and load on your LDAP server. LDIF files also allow administrators to review the LDAP structure and to make changes and updates to the LDAP directory. An LDIF file lists every container and entry in the LDAP directory; it essentially amounts to a full listing of the directory.

Once the Test LDAP button returns a successful test, change the Exchange Accelerator/LDAP Verification option to Yes to enable LDAP recipient verification for this domain.
