AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 25 LDAP Queries
Using Group LDAP Queries to Determine if a Recipient is a Group Member
You can define a query to your LDAP servers to determine if a recipient is a member of a group as
defined by your LDAP directory.
Procedure
Step 1 Create a message filter that uses a rcpt-to-group or mail-from-group rule to act upon the message.
Step 2 Then, use the System Administration > LDAP page (or the ldapconfig command) to define the LDAP
server for the appliance to bind to and configure a query for group membership.
Step 3 Use the Network > Listeners page (or the listenerconfig -> edit -> ldapgroup subcommand) to
enable the group query for the listener.
Related Topics
• Sample Group Queries
• Configuring a Group Query
• Example: Using a Group Query to Skip Spam and Virus Checking
Sample Group Queries
For example, suppose that your LDAP directory classifies members of the “Marketing” group as
ou=Marketing. You can use this classification to treat messages sent to or from members of this group
in a special way. Step 1 of the procedure above creates a message filter to act upon the message, and
Steps 2 and 3 enable the LDAP lookup mechanism.
Configuring a Group Query
In the following example, mail from members of the Marketing group (as defined by the LDAP group
“Marketing”) will be delivered to the alternate delivery host marketingfolks.example.com.
Table 25-5 Example LDAP Query Strings for Common LDAP Implementation: Group

Query for: Group

OpenLDAP                      OpenLDAP does not support the memberOf attribute by default.
                              Your LDAP Administrator may add this attribute or a similar
                              attribute to the schema.
Microsoft Active Directory    (&(memberOf={g})(proxyAddresses=smtp:{a}))
SunONE Directory Server       (&(memberOf={g})(mailLocalAddress={a}))
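
A preview helper for the query strings in Table 25-5, added here as an example and not taken from the Cisco guide or the appliance: it expands a template into the filter you can test against the directory before enabling the group query on a listener. It assumes {g} stands for the group named in the filter rule and {a} for the address being checked, and it escapes both values per RFC 4515, which may differ from the appliance's own substitution; the group DN and address are constructed sample values.

```python
import re

# Query strings from Table 25-5 (OpenLDAP has no default group query).
TEMPLATES = {
    "Microsoft Active Directory": "(&(memberOf={g})(proxyAddresses=smtp:{a}))",
    "SunONE Directory Server": "(&(memberOf={g})(mailLocalAddress={a}))",
}

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Return value with filter metacharacters replaced by \\XX escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_group_query(template, group, address):
    """Expand {g} and {a} in one pass so a value is never re-expanded.

    Assumption: {g} is the group name, {a} the address being checked.
    """
    values = {"g": escape_filter_value(group), "a": escape_filter_value(address)}
    return re.sub(r"\{([ga])\}", lambda m: values[m.group(1)], template)


def parens_balanced(ldap_filter):
    """Sanity check: every literal '(' in the filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values: a group DN containing parentheses.
    group = "cn=Marketing (EMEA),ou=Groups,dc=example,dc=com"
    address = "alice@example.com"
    for server, template in TEMPLATES.items():
        expanded = expand_group_query(template, group, address)
        print(f"{server}: {expanded} balanced={parens_balanced(expanded)}")
```

The printed filter can be pasted into a directory search tool to confirm that it returns exactly one entry for a known group member and none for a non-member.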