Configuring LDAP profiles
The LDAP submenu lets you configure LDAP profiles which can query LDAP servers such as FortiAuthenticator, Microsoft Active Directory, Red Hat Directory Server, or Google Cloud Identity for authentication, email address mappings, and more.
Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended mail processing behaviors can result, including bypassing antivirus scans. For details on preparing an LDAP directory for use with FortiMail LDAP profiles, see Preparing your LDAP schema for FortiMail LDAP profiles. |
LDAP profiles each contain one or more queries that retrieve specific configuration data, such as user groups, from an LDAP server. The LDAP profile list indicates which queries you have enabled in each LDAP profile.
To view the list of LDAP profiles, go to Profile > LDAP > LDAP.
GUI item |
Description |
---|---|
Clone (button) |
Click the row corresponding to the profile whose settings you want to duplicate when creating the new profile, then click Clone. A single-field dialog appears. Enter a name for the new profile. Click OK. |
Comment |
Displays the comment in the profile. |
Name |
Displays the name of the profile. |
Server |
Displays the domain name or IP address of the LDAP server. |
Port |
Displays the listening port of the LDAP server. |
Group |
Indicates whether Group Query Options is enabled. |
Auth |
Indicates whether User Authentication Options is enabled. |
Alias |
Indicates whether User Alias Options is enabled. |
Routing |
Indicates whether Mail Routing Options is enabled. |
Address Map |
Indicates whether Address Mapping Options is enabled. |
Cache |
Indicates whether query result caching is enabled. |
Ref. |
Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
You can add an LDAP profile to define a set of queries that the FortiMail unit can use with an LDAP server. You might create more than one LDAP profile if, for example, you have more than one LDAP server, or you want to configure multiple, separate query sets for the same LDAP server.
After you have created an LDAP profile, LDAP profile options will appear in other areas of the FortiMail unit’s configuration. These options let you to select the LDAP profile where you might otherwise create a reference to a configuration item stored locally on the FortiMail unit itself. These other configuration areas will only allow you to select applicable LDAP profiles — that is, those LDAP profiles in which you have enabled the query required by that feature. For example, if a feature requires a definition of user groups, you can select only from those LDAP profiles where Group Query Options are enabled.
To configure an LDAP profile
-
Go to Profile > LDAP > LDAP.
-
Click New to add a profile or double-click a profile to modify it.
A dialog appears.
-
Configure the following settings:
GUI item
Description
Name
For a new profile, enter a unique name.
Comment
Optional. Enter a descriptive comment.
Enter the fully qualified domain name (FQDN) or IP address of the LDAP server.
Port: Enter the port number where the LDAP server listens.
The default port number varies by your selection in Use secure connection. See also Appendix C: Port Numbers.
Optional. Enter the fully qualified domain name (FQDN) or IP address of an alternate LDAP server that the FortiMail unit can query if the primary LDAP server is unreachable.
Port: Enter the port number where the fallback LDAP server listens.
The default port number varies by your selection in Use secure connection. See also Appendix C: Port Numbers.
Select whether or not to connect to the LDAP servers using an encrypted connection.
- none: Use a non-secure connection.
-
SSL: Use an SSL/TLS-secured (LDAPS) connection.
If the LDAP server requires that clients such as the FortiMail unit present a client certificate to identify themselves during secure connections, then select the certificate from the Client certificate dropdown. Optionally,to authenticate using the selected certificate, enable Use client certificate for TLS authentication.This can be used instead of, or in addition to, a bind DN and password. See also Managing local certificates.
Click Test LDAP Query to test the connection. A pop-up window appears. For details, see To verify user query options.
Note: If your FortiMail unit is deployed in server mode, and you want to enable Enable webmail password change using an LDAP server that uses a Microsoft Active Directory-style schema, then you must select SSL. Active Directory servers require a secure connection for queries that change user passwords.
Note: The certificate that FortiMail uses for client authentication must:
- not be expired
- not be revoked
- be signed by a certificate authority (CA), whose certificate you have imported into the FortiMail unit and that the server trusts (directly or indirectly, proven via a signing chain)
Otherwise the secure connection will fail.
Servers may have their own certificate validation requirements in addition to FortiMail requirements. For example, client certificates may require that
Key Usage
field allow client authentication. See your LDAP server's documentation.Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for user objects, such as:
ou=People,dc=example,dc=com
User objects should be child nodes of this location.
Enter the bind DN of an LDAP user account with permissions to query the Base DN, such as:
cn=fortimail,dc=example,dc=com
Enter the password of the Bind DN.
Click Browse to locate the LDAP directory from the location that you specified in Base DN, or, if you have not yet entered a Base DN, beginning from the root of the LDAP directory tree.
Browsing the LDAP tree can be useful if you need to locate your Base DN, or need to look up attribute names. For example, if the Base DN is unknown, browsing can help you to locate it.
Note: Before you click Browse, you must configure Server name/IP, Use secure connection, Bind DN, Bind password, and Protocol version, then click Create or OK. These fields provide minimum information required to establish the directory browsing connection.
-
Configure the following sections:
- Configuring user query options
- Configuring group query options
- Configuring user authentication options
- Configuring user alias options
- Configuring mail routing
- Configuring address mapping options
- Configuring scan override options
- Configuring domain lookup options
- Configuring remote access override options
- Configuring LDAP chain query
- Configuring advanced options
Configuring user query options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand User Query Options section.
-
Configure the query to retrieve the distinguished names (DN) of user objects by their email addresses:
GUI item
Description
Click Schema to select a schema style. Then you can edit the schema or select User Defined and write your own schema.
Enter an LDAP query filter that selects a set of user objects from the LDAP directory.
The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects. For details, see Example: LDAP user query.
For details on query syntax, refer to any standard LDAP query filter reference manual.
Warning: To avoid user query confusion, this field cannot be empty.
Scope
Select which level of depth to query, starting from Base DN.
- One level: Query only the one level directly below the base DN in the LDAP directory tree.
- Subtree: Query recursively all levels below the base DN in the LDAP directory tree.
Derefer
Select the method to use, if any, when dereferencing attributes whose values are references.
- Never: Do not dereference.
- Always: Always dereference.
- Search: Dereference only when searching.
- Find: Dereference only when finding the base search object.
Retrieve display name for webmail
If enabled, when a webmail user (authenticated using LDAP) composes email, the display name of the From header will be automatically set to the value defined in LDAP, instead of the user preference.
Display name attribute
Specify the LDAP attribute of the display name to query. The default value is "cn".
Example: LDAP user query
For example, if user objects in your directory have two distinguishing characteristics, their objectClass
and mail
attributes, the query filter might be:
(& (objectClass=inetOrgPerson) (mail=$m))
where $m
is the FortiMail variable for a user's email address.
If the email address ($m
) as it appears in the message header is different from the user’s email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m
) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam
from the end of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=inetOrgPerson) (mail=$m$
{-spam}))
where ${-spam}
is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam-
from the beginning of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=inetOrgPerson) (mail=$m$
{^spam-}))
where ${^spam-}
is the FortiMail variable for the tag to remove before performing the query.
For some schemas, such as Microsoft Active Directory-style schemas, this query will retrieve both the user’s primary email address and the user’s alias email addresses. If your schema style is different, you may want to also configure User Alias Options to resolve aliases. For details, see Configuring user alias options.
Configuring group query options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand Group Query Options section.
For more information on determining user group membership by LDAP query, see Controlling email based on sender and recipient addresses or Controlling email based on IP addresses.
-
Configure the following:
GUI item
Description
Use LDAP tree node as group
Enable to use objects within the Base DN of User Query Options as if they were members of a user group object.
For example, your LDAP directory might not contain user group objects. In that sense, groups do not really exist in the LDAP directory. However, you could mimic a group’s presence by enabling this option to treat all users that are child objects of the Base DN in User Query Options as if they were members of such a group.
Group membership attribute
Enter the name of the attribute, such as
memberOf
orgidNumber
, whose value is the group number or DN of a group to which the user belongs.This attribute must be present in user objects.
Whether the value must use common name, group number, or DN syntax varies by your LDAP server schema. For example, if your user objects use both
inetOrgPerson
andposixAccount
schema, user objects have the attributegidNumber
, whose value must be an integer that is the group ID number, such as10000
.Enable to specify the base distinguished name (DN) portion of the group’s full DN in the LDAP profile. By specifying the group’s base DN and the name of its group name attribute in the LDAP profile, you will only need to supply the group name value when configuring each feature that uses this query.
For example, you might find it more convenient in each recipient-based policy to type only the group name,
admins
, rather than typing the full DN,cn=admins,ou=Groups,dc=example,dc=com
. In this case, you could enable this option, then configure Group base DN (ou=Groups,dc=example,dc=com
) and Group name attribute (cn
). When performing the query, the FortiMail unit would assemble the full DN by inserting the common name that you configured in the recipient-based policy between the Group name attribute and the Group base DN configured in the LDAP profile.Note: Enabling this option is appropriate only if your LDAP server’s schema specifies that the group membership attribute’s value must use DN syntax. It is not appropriate if this value uses another type of syntax, such as a number or common name.
For example, if your user objects use both
inetOrgPerson
andposixAccount
schema, user objects have the attributegidNumber
, whose value must be an integer that is the group ID number, such as10000
. Because a group ID number does not use DN syntax, you would not enable this option.Enter the base DN portion of the group’s full DN, such as:
ou=Groups,dc=example,dc=com
This option is available only if Use group name with base DN as group DN is enabled.
Enter the name of the attribute, such as
cn
, whose value is the group name of a group to which the user belongs.This option is available only if Use group name with base DN as group DN is enabled.
Max group expansion level
Enter how many levels of nested groups will be expanded for lookup. Valid range is 1-6. Default value is 1.
Enable to query the group object by its distinguished name (DN) to retrieve the DN of the group owner, which is a user that will receive that group’s quarantine reports. Using that user’s DN, the FortiMail unit will then perform a second query to retrieve that user’s email address, where the quarantine report will be sent.
For more information on sending quarantine reports to the group owner, see Quarantine Report Setting and Managing the personal quarantines.
Group owner attribute
Enter the name of the attribute, such as
groupOwner
, whose value is the distinguished name of a user object. You can configure the FortiMail unit to allow that user to be responsible for handling the group’s quarantine report.If Lookup group owner is enabled, this attribute must be present in group objects.
Group owner address attribute
Enter the name of the attribute, such as
mail
, whose value is the group owner’s email address.If Lookup group owner is enabled, this attribute must be present in user objects.
Configuring user authentication options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the User Authentication Options section.
For more information on authenticating users by LDAP query, see Controlling email based on sender and recipient addresses.
-
Configure the following:
GUI item
Description
Try UPN or mail address as bind DN
Select to form the user’s bind DN by prepending the user name portion of the email address (
$u
) to the User Principle Name (UPN, such asexample.com
).By default, the FortiMail unit will use the mail domain as the UPN. If you want to use a UPN other than the mail domain, enter that UPN in the field named Alternative UPN suffix. This can be useful if users authenticate with a domain other than the mail server’s principal domain name.
Try common name with base DN as bind DN
Select to form the user’s bind DN by prepending a common name to the base DN. Also enter the name of the user objects’ common name attribute, such as
cn
oruid
into the field.This option is preconfigured and read-only if, in User Query Options, you have selected from Schema any schema style other than User Defined.
Select to form the user’s bind DN by using the DN retrieved for that user by User Query Options.
Configuring user alias options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the User Alias Options section.
Resolving aliases to real email addresses enables the FortiMail unit to send a single quarantine report and maintain a single quarantine mailbox at each user’s primary email account, rather than sending separate quarantine reports and maintaining separate quarantine mailboxes for each alias email address. For FortiMail units operating in server mode, this means that users need only log in to their primary account in order to manage their spam quarantine, rather than logging in to each alias account individually.
-
Configure the following:
GUI item
Description
Schema
(dropdown list)
Click Schema to select a schema style. Then you can edit the schema or select User Defined and write your own schema.
Enter the name of the attribute, such as
mail
orrfc822MailMember
, whose value is an email address to which the email alias resolves, such asuser@example.com
.This attribute must be present in either alias or user objects, as determined by your schema and whether it resolves aliases directly or indirectly. For more information, see Base DN.
This option is preconfigured and read-only if, in User Alias Options, you have selected from Schema any schema style other than User Defined.
Enter an LDAP query filter that selects a set of either user or email alias objects, whichever object class contains the attribute you configured in Alias member attribute, from the LDAP directory.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.
The query string filters the result set, and should be based upon any attributes that are common to all user/alias objects but also exclude objects that are not user/alias objects. For details, see Example: Alias member query.
For more information on required object types and their attributes, see Preparing your LDAP schema for FortiMail LDAP profiles.
For details on query syntax, refer to any standard LDAP query filter reference manual.
Enable if your LDAP schema resolves email aliases indirectly. For more information on direct versus indirect resolution, see Base DN.
When this option is disabled, alias resolution occurs using one query. The FortiMail unit queries the LDAP directory using the Base DN and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.
When this option is enabled, alias resolution occurs using two queries:
- The FortiMail unit first performs a preliminary query using the Base DN and Group member query, and uses the value of each Group member attribute as the base DN for the second query.
- The FortiMail unit performs a second query using the distinguished names from the preliminary query (instead of the Base DN) and the Alias member query, and then uses the value of each Alias member attribute to resolve the alias.
The two-query approach is appropriate if, in your schema, alias objects are structured like group objects and contain references in the form of distinguished names of member user objects, rather than directly containing email addresses to which the alias resolves. In this case, the FortiMail unit must first “expand” the alias object into its constituent user objects before it can resolve the alias email address.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined.
Enter the name of the attribute, such as
member
, whose value is the DN of a user object.This attribute must be present in alias objects only if they do not contain an email address attribute specified in Alias member attribute.
This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.
Enter an LDAP query filter that selects a set of alias objects, represented as a group of member objects in the LDAP directory.
The query string filters the result set, and should be based upon any attributes that are common to all alias objects but also exclude non-alias objects.
For example, if alias objects in your directory have two distinguishing characteristics, their
objectClass
andproxyAddresses
attributes, the query filter might be:(&(objectClass=group) (proxyAddresses=smtp:$m))
where
$m
is the FortiMail variable for a recipient email address. ($s
is a sender email address.)This option is preconfigured and read-only if you have selected from Schema any schema style other than User Defined. If you have selected User Defined, this option is available only if User group expansion In advance is enabled.
For details on query syntax, refer to any standard LDAP query filter reference manual.
Max alias expansion level
Specify the maximum number of alias nesting levels that will be expanded for lookup. Valid range is 1-12 and the default value is 1.
Scope
Select which level of depth to query, starting from Base DN.
- One level: Query only the one level directly below the base DN in the LDAP directory tree.
- Subtree: Query recursively all levels below the base DN in the LDAP directory tree.
Derefer
Select the method to use, if any, when dereferencing attributes whose values are references.
- Never: Do not dereference.
- Always: Always dereference.
- Search: Dereference only when searching.
- Find: Dereference only when finding the base search object.
Use separate bind (configure the following if Default Bind Options is not what you want)
Base DN
Enter the distinguished name (DN) of the part of the LDAP directory tree within which the FortiMail will search for either alias or user objects.
User or alias objects should be child nodes of this location.
Whether you should specify the base DN of either user objects or alias objects varies by your LDAP schema style. Schema may resolve alias email addresses directly or indirectly (using references).
- With a direct resolution, alias objects directly contain one or more email address attributes, such as
mail
orrfc822MailMember
, whose values are user email addresses such asuser@example.com
, and that resolves the alias. The Base DN, such asou=Aliases,dc=example,dc=com
, should contain alias objects. - With an indirect resolution, alias objects do not directly contain an email address attribute that can resolve the alias; instead, in the style of LDAP group-like objects, the alias objects contain only references to user objects that are “members” of the alias “group.” User objects’ email address attribute values, such as
user@example.com
, actually resolve the alias. Alias objects refer to user objects by possessing one or more “member” attributes whose value is the DN of a user object, such asuid=user,ou=People,dc=example,dc=com
. The FortiMail unit performs a first query to retrieve the distinguished names of “member” user objects, then performs a second query using those distinguished names to retrieve email addresses from each user object. The Base DN, such asou=People,dc=example,dc=com
, should contain user objects.
Bind DN
Enter the bind DN of an LDAP user account with permissions to query the Base DN, such as:
cn=FortiMailA,dc=example,dc=com
Bind password
Enter the password of the Bind DN.
Example: Alias member query
For example, if user objects in your directory have two distinguishing characteristics, their objectClass
and mail
attributes, the query filter might be:
(& (objectClass=alias) (mail=$m))
where $m
is the FortiMail variable for a user's email address.
If the email address ($m
) as it appears in the message header is different from the alias email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the alias by the email address ($m
) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam
from the end of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${-spam}))
where ${-spam}
is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam-
from the beginning of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=alias) (mail=$m${^spam-}))
where ${^spam-}
is the FortiMail variable for the tag to remove before performing the query.
Whether you should configure this query filter to retrieve user or alias objects depends on whether your schema resolves email addresses directly or indirectly (using references). For more information on direct versus indirect alias resolution, see Base DN.
If alias objects in your schema provide direct resolution, configure this query string to retrieve alias objects. Depending on your schema style, you can do this either using the user name portion of the alias email address ($u
), or the entire email address ($m
). For example, for the email aliases finance@example.com
and admin@example.com
, if your LDAP directory contains alias objects distinguished by cn: finance and cn: admin
, respectively, this query string could be cn=$u
.
If alias objects in your schema provide indirect resolution, configure this query string to retrieve user objects by their distinguished name, such as distinguishedName=$b
or dn=$b
. Also enable User group expansion In advance, then configure Group member query to retrieve email address alias objects, and configure Group Member Attribute to be the name of the alias object attribute, such as member
, whose value is the distinguished name of a user object.
Configuring mail routing
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the Mail Routing Options section.
The Mail Routing Options section query occurs after recipient tagging processing. If you have enabled recipient tagging, the Mail Routing Options section query will then be based on the tagged recipient address. If the tagged email address does not exist for the user in the LDAP directory, you may prefer to transform the recipient address by using the User Alias Options.
-
Configure the following:
GUI item
Description
Mail host attribute
Enter the name of the attribute, such as
mailHost
, whose value is the fully qualified domain name (FQDN) or IP address of the email server that stores email for the user’s email account.This attribute must be present in user objects.
Mail routing address attribute
Enter the name of the attribute, such as
mailRoutingAddress
, whose value is the email address of a deliverable user on the email server, also known as the mail host.For example, a user may have many aliases and external email addresses that are not necessarily known to the email server. These addresses would all map to a real email account (mail routing address) on the email server (mail host) where the user’s email is actually stored.
A user’s recipient email address located in the envelope or header portion of each email will be rewritten to this address.
This attribute must be present in user objects.
Configuring address mapping options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the Address Mapping Options section.
Mappings usually should not translate an email address into one that belongs to an unprotected domain. However, unlike locally defined address mappings, this restriction is not enforced for mappings defined on an LDAP server.
After configuring a profile with this query, you must select it in order for the FortiMail unit to use it.
Alternatively, you can configure email address mappings on the FortiMail unit itself.
-
Configure the following:
Configuring scan override options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the Scan Override Options section.
If the Scan Override Options query fails, then the FortiMail unit will instead use the antispam, antivirus, and content processing settings defined in the profile for that policy.
-
Configure the following:
GUI item
Description
AntiSpam attribute
Enter the name of the attribute, such as
antispam
, whose value indicates whether or not to perform antispam processing for that user, and which antispam profile to use. Multiple syntax values are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.If enabled, this attribute setting takes precedence over the generic antispam attribute setting in the domain lookup options (see Configuring domain lookup options).
If you enable this option but leave the attribute field blank, the antispam profile in the matched recipient-based policy will be used.
AntiVirus attribute
Enter the name of the attribute, such as
antivirus
, whose value indicates whether or not to perform antivirus processing for that user and which antivirus profile to use. Multiple value syntaxes are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.If enabled, this attribute setting takes precedence over the generic antivirus attribute setting in the domain lookup options (see Configuring domain lookup options).
If you enable this option but leave the attribute field blank, the antivirus profile in the matched recipient-based policy will be used.
Content attribute
Enter the name of the attribute, such as
content
, whose value indicates whether or not to perform content processing for that user and which content profile to use. Multiple value syntaxes are permissible. For details, see LDAP directory requirements for each FortiMail LDAP profile query.If enabled, this attribute setting takes precedence over the generic content attribute setting in the domain lookup options (see Configuring domain lookup options).
If you enable this option but leave the attribute field blank, the content profile in the matched recipient-based policy will be used.
Configuring domain lookup options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
When configuring domain settings in gateway and transparent mode, if you set the Relay Type to LDAP Domain Mail Host, FortiMail will query the LDAP server to look up the domain and apply the antispam, antivirus, and content profiles assigned to this domain. If you set the Relay Type to other methods, the following settings will not apply.
If the LDAP server does not find a user matching the domain, the user is considered as unknown, and the mail will be rejected unless it has a specific access list entry.
For this option to work, your LDAP directory should contain a single generic user for each domain such as generic@example.com
because the FortiMail unit will only look at the domain portion of the generic user’s mail address, such as example.com
.
When an SMTP session is processed, the FortiMail unit will query the LDAP server for the domain portion retrieved from the recipient email address. If the LDAP server finds a user entry, it will reply with the domain objects defined in the LDAP directory, including parent domain attribute, generic mail host attribute, generic antispam attribute, and generic antivirus attribute. The FortiMail unit will remember the mapping domain, mail routing, and antispam and antivirus profiles information to avoid querying the LDAP server again for the same domain portion retrieved from a recipient email address in the future.
If there are no antispam and antivirus profiles for the user, the FortiMail unit will use the antispam and antivirus profiles from the matching IP policy.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the Domain Lookup Options section.
-
Configure the following:
Configuring remote access override options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
When you add a FortiMail administrator (see Configuring administrator accounts), you must specify an access profile (the access privileges) for the administrator. You must also specify a domain (either system or a protected domain) that the administrator is allowed to access.
If you are adding an LDAP account, you can override the access profile and domain setting with the values of the remote attributes returned from the LDAP server.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the Remote Access Override Options section.
-
Configure the following:
GUI item
Description
Enable remote access override
Enable to override the access profile you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing access profile. If there is no match, the specified access profile will still be used.
Also specify the access profile attribute.
Enable remote domain override
Enable to override the domain you specify when you add an administrator with the value of the remote attribute returned from the LDAP server, if the returned value matches an existing protected domain. If there is no match, the specified domain will still be used.
Also specify the domain name attribute.
Configuring LDAP chain query
If you use different attributes for similar or same values on different LDAP servers, you may want to query all of the LDAP servers one by one (a chain query).
You can do this by grouping several LDAP profiles into one LDAP profile. The order of the profiles determines the sequential order of the queries.
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the LDAP Profile Chain.
-
From the LDAP profile list, select the profile you want to add to the chain and click the plus sign.
-
Repeat the above step to add more profiles.
Configuring advanced options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see Configuring LDAP profiles.
-
Go to Profile > LDAP > LDAP.
-
Click New to create a new profile or double click on an existing profile to edit it.
-
Click the arrow to expand the Advanced Options section.
-
Configure the following:
GUI item
Description
Timeout
Enter the maximum amount of time in seconds that the FortiMail unit will wait for query responses from the LDAP server.
Referrals chase
Enable to use the LDAP server’s function of referral chasing, that is, instead of returning a result, it will return a referal to another LDAP server, which may contain further information.
Enable to cache LDAP query results.
Caching LDAP queries can introduce a delay between when you update LDAP directory information and when the FortiMail unit begins using that new information, but also has the benefit of reducing the amount of LDAP network traffic associated with frequent queries for information that does not change frequently.
If this option is enabled but queries are not being cached, inspect the value of TTL. Entering a TTL value of
0
effectively disables caching.Select to empty the FortiMail unit’s LDAP query cache.
This can be useful if you have updated the LDAP directory, and want the FortiMail unit to refresh its LDAP query cache with the new information.
TTL
Enter the amount of time, in minutes, that the FortiMail unit will cache query results. After the TTL has elapsed, cached results expire, and any subsequent request for that information causes the FortiMail unit to query the LDAP server, refreshing the cache.
The default TTL value is
1440
minutes (one day). The maximum value is10080
minutes (one week). Entering a value of0
effectively disables caching.This option is applicable only if Enable cache is enabled.
Enable if you want to allow FortiMail webmail users to change their password.
This option does not appear for FortiMail units operating in gateway or transparent mode. Active Directory appears only if Use secure connection is SSL.
Password schema
Select your LDAP server’s user schema style, either Openldap or Active Directory.
If you have selected using LDAP server to verify recipient or sender address and your LDAP server is not accessible, then you can enable this option to bypass the address verification process.
Note: This option only takes effect in gateway and transparent mode.
For more information about recipient address verification, see Configuring recipient address verification.
Preparing your LDAP schema for FortiMail LDAP profiles
FortiMail units can be configured to consult an LDAP server for many things that you might otherwise normally have to configure on the FortiMail unit itself, such as user authentication, group membership, mail routing, and other features. Especially if you have a large amount of users and groups already defined on an LDAP directory, you may find it more convenient to query those existing definitions than to recreate the definition of those same users locally on the FortiMail unit. To accomplish this, you would configure an LDAP profile, then select that LDAP profile in other areas of the configuration that should use its LDAP queries.
LDAP profiles require compatible LDAP server directory schema and contents. Your LDAP server configuration may already be compatible. However, if your LDAP server configuration does not contain required information in a schema acceptable to LDAP profile queries, you may be required to modify either or both your LDAP profile and LDAP directory schema.
Verify your LDAP server’s configuration for each query type that you enable and configure. For example, if you enable mail routing queries, verify connectivity and that each user object in the LDAP directory includes the attributes and values required by mail routing. Failure to verify enabled queries can result in unexpected mail processing behavior. |
Using common schema styles
Your LDAP server schema may require no modification if:
- your LDAP server already contains all information required by the LDAP profile queries you want to enable
- your LDAP server uses a common schema style, and a matching predefined LDAP query configuration exists for that schema style
If both of those conditions are true, your LDAP profile configuration may also be very minimal. Some queries in LDAP profiles contain schema options that automatically configure the query to match common schema styles such as IBM Lotus Domino, Microsoft ActiveDirectory (AD), and OpenLDAP. If you will only enable those queries that have schema options, it may be sufficient to select your schema style for each query.
For example, your LDAP server might use an OpenLDAP-style schema, where two types of user object classes exist, but both already have mail
and userPassword
attributes. Your FortiMail unit is in gateway mode, and you want to use LDAP queries to use users’ email addresses to query for authentication. In this scenario, it may be sufficient to:
- In the LDAP profile, enter the domain name or IP address of the LDAP server.
- Configure the LDAP profile queries:
- In User Query Options, select from Schema which OpenLDAP schema your user objects follow: either InetOrgPerson or InetLocalMailRecipient. Also enter the Base DN, Base DN, and Bind password to authenticate queries by the FortiMail unit and to specify which part of the directory tree to search.
- In User Authentication Options, enable the query with the option to Search user and try bind DN.
Using other schema styles
If your LDAP server’s schema is not one of the predefined common schema styles, or if you want to enable queries that require information that does not currently exist in your directory, you may need to adapt either or both your LDAP server and LDAP profile query configuration.
Before modifying your LDAP directory, verify that changes will be compatible with other applications using the directory. You may prefer to modify the LDAP profile query and/or add new attributes than to modify existing structures that are used by other applications, in order to reduce the likelihood of disruption to other applications. For instructions on modifying schema or setting attribute values, consult the documentation for your specific LDAP server. |
The primary goal when modifying your LDAP directory is to provide, in some way that can be retrieved by LDAP profile queries, the information required by FortiMail features which can use LDAP profiles. Depending on the LDAP profile queries that you enable, you may need to add to your LDAP directory:
Keep in mind that for some schema styles, such as that of Microsoft ActiveDirectory, user group objects may also play a double role as both user group objects and email alias objects. For the purpose of FortiMail LDAP queries, email alias objects can be any object that can be used to expand email aliases into deliverable email addresses, which are sometimes called distribution lists.
For each of those object types, you may also need to add required attributes in a syntax compatible with the FortiMail features that uses those attributes.
At a minimum, your LDAP directory must have user objects that each contain an email address attribute, and the value of that email address attribute must use full email address syntax (for example, mail: user@example.com
). This attribute is required by User Query Options, a query which is required in every LDAP profile.
Many other aspects of LDAP profiles are flexible enough to query for the required information in more than one way. It may be sufficient to modify the query strings and other fields in the LDAP profile to match your individual LDAP directory.
For example, the purpose of the User Query Options is to find the distinguished name (DN) of user objects by their email addresses, represented by the FortiMail variable $m
. Often user objects can be distinguished by the fact that they are the only records that contain the attribute-value pair objectClass: User
. If the class of user name objects in your LDAP directory is not objectClass: User
but instead objectClass: inetOrgPerson
, you could either modify:
- the LDAP profile’s user query to request user objects as they are denoted on your particular server, using
objectClass=inetOrgPerson
; for example, you might modify the user query from:
(&(objectClass=User)(mail=$m))
to be:
(&(objectClass=inetOrgPerson)(mail=$m))
- the LDAP server’s schema to match the queries’ expected structure, where user objects are defined by
objectClass=User
Alternatively, perhaps there are too many user objects, and you prefer to instead retrieve only those user objects belonging to a specific group number. In this case, you might modify the query string from:
(&(objectClass=User)(mail=$m))
to be:
(&(objectClass=User)(gidNumber=102)(mail=$m))
You can use any attribute-value pairs to filter the query result set, as long as they are unique and common to all objects in your intended result set.
For example, most directories do not contain an antivirus processing switch attribute for each user. However, FortiMail units can perform antivirus processing, which can be switched off or on depending on the results from an LDAP query. The FortiMail unit expects the query to return a value that may use Boolean syntax (TRUE
or FALSE
) that reflects whether or not, respectively, to perform antivirus processing. In this case, you would add to user objects in your LDAP directory an antivirus attribute whose value is a Boolean value.
The following table indicates expected object types, attribute names, and value syntax, as well as query results, for each LDAP profile query. Attributes listed should be present, but their names may vary by schema. Attributes that do not have a default name require that you configure them in both your LDAP profile and your LDAP directory’s schema.
LDAP directory requirements for each FortiMail LDAP profile query
Object type |
Attribute |
Value |
Query result |
---|---|---|---|
User Query Options |
|||
User object classes such as |
|
A user’s email address. |
Query compares the email address to the value of this attribute to find the matching user, and retrieve that user’s distinguished name (DN), which is the basis for most other LDAP profile queries. |
Group Query Options |
|||
(Objects from User Query Options.) |
Varies by schema. Typically is either a group number or the distinguished name (DN) of the group. |
Query retrieves the group name for any user defined by User Query Options. |
|
(Objects from User Query Options.) |
|
A user’s email address. |
Query uses the DN retrieved from |
A user object’s DN. |
Query retrieves the DN of a user object from the group defined in |
||
User Authentication Options |
|||
(Objects from User Query Options.) |
|
Any. |
Query verifies user identity by binding with the user password for any user defined by User Query Options. |
User Alias Options |
|||
Email alias object classes such as |
|
Either the user name portion of an email address (e.g. |
Query expands an alias to one or more user email addresses. If the alias is resolved directly, this query retrieves the email addresses from the alias object itself. If the alias is resolved indirectly, this query first queries the alias object for |
User group object classes such as User groups are not inherently associated with email aliases, but for some schemas, such as Microsoft Active Directory, group objects play the role of email alias objects, and are used to indirectly resolve email aliases. For details, see Base DN. |
|
A user object’s DN, or the DN of another alias object. |
Query retrieves the DN of a user object that is a member of the group. This attribute is required only if aliases resolve to user email addresses indirectly. For details, see Base DN. |
Mail Routing Options |
|||
(Objects from User Query Options.) |
|
A fully qualified domain name (FQDN) or IP address. |
Query retrieves the fully qualified domain name (FQDN) or IP address of the mail server — sometimes also called the mail host — that stores email for any user defined by User Query Options. |
A user’s email address for a user account whose email is physically stored on |
Query retrieves the email address for a real account physically stored on |
||
Scan Override Options |
|||
(Objects from User Query Options.) |
Varies by schema. May be:
|
Query retrieves whether or not to perform antivirus processing, or which profile to use, for any user defined by User Query Options. |
|
No default attribute name. |
Varies by schema. May be:
|
Query retrieves whether or not to perform antispam processing, or which profile to use, for any user defined by User Query Options. |
|
Address Mapping Options |
|||
(Objects from User Query Options.) |
No default attribute name. |
A user’s internal email address. |
Query retrieves the user’s internal email address |
No default attribute name. |
A user’s external email address. |
Query retrieves the user’s external email address. |
|
(Objects from User Query Options.) |
|
Any. |
Query, upon successful bind using the existing password, changes the password for any user defined by User Query Options. |
Each LDAP profile query filter string may indicate expected value syntax by the FortiMail variables used in the query filter string.
$b
: the query filter expects the attribute’s value to be a bind DN$d
: the query filter expects the attribute’s value to be a domain name$f
: the query filter expects the attribute’s value to be a sender domain name$m
: the query filter expects the attribute’s value to be a recipient email address$s
: the query filter expects the attribute’s value to be a sender email address$u
: the query filter expects the attribute’s value to be a user name
The following example illustrates a matching LDAP directory and LDAP profile. Labels indicate the part of the LDAP profile that is configured to match the directory schema.
Example: Compatible LDAP directory and LDAP profile
Testing LDAP profile queries
After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiMail unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.
When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.
LDAP Query Failure Message |
Meaning and Solution |
---|---|
Empty input |
The query cannot be performed until you provide the information required by the query. |
Connection Failed |
The FortiMail unit could not connect to the LDAP server. The LDAP server may be unreachable, or the LDAP profile may be configured with an incorrect IP address, port number, or secure connection setting. |
Failed to bind with bind DN and password |
The FortiMail unit successfully connected to the LDAP server, but could not authenticate in order to perform the query. If the server permits anonymous queries, the Bind DN and Bind password you specified in User Query Options section should be blank. Otherwise, you must enter a valid bind DN and its password. |
Unable to found user DN that matches mail address |
The FortiMail unit successfully connected to the LDAP server, and, if configured, bound, but could not find a user whose email address attribute matched that value. The user may not exist on the LDAP server in the Base DN and using the query filter you specified in User Query Options, or the value of the user’s email address attribute does not match the value that you supplied in Mail address. |
Unable to find LDAP group for user |
The FortiMail unit successfully located a user with that email address, but their group membership attribute did not match your supplied value. The group membership attribute you specified in Group Query Options may not exist, or the value of the group membership attribute may not match the value that you supplied in Group base DN. If the value does not match, verify that you have supplied the Group base DN according to the syntax expected by both your LDAP server and your configuration of Group Query Options. |
Group owner query failure |
The FortiMail unit successfully connected to the LDAP server, but could not find a group whose distinguished name matched that value. The group may not exist on the LDAP server, or the value of the group’s distinguished name attribute does not match the value that you entered in Group base DN. |
Authentication failure |
|
Failed to bind |
The FortiMail unit successfully located a user with that email address, but the user’s bind failed and the FortiMail unit was unable to authenticate the user. Binding may fail if the value of the user’s password attribute does not match the value that you supplied in Old password. If this error message appears when testing Enable webmail password change, it also implies that the query failed to change the password. |
Unable to find mail alias |
The FortiMail unit was unable to find the email alias. The email address alias may not exist on the LDAP server in the Base DN and using the query filter you specified in User Alias Options, or the value of the alias’ email address attribute does not match the value that you supplied in Mail address. |
Error for LDAP user profile ID |
The FortiMail unit failed to change the email user’s password. Verify that you have entered the correct existing password in Old password. |
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose User Query Options section query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select User.
-
In Mail address, enter the email address of a user on the LDAP server, such as
test@example.com
. -
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record.
To verify group query options
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose Group Query Options section query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options section.
-
From Select query type, select Group.
-
In Email address, enter the email address of a user on the LDAP server, such as
test@example.com
. -
Either the Group DN or Group Name field appears. If Group DN appears, enter the value of the user’s group membership attribute. If Group Name appears, enter only the group name portion of the value of the user’s group membership attribute.
For example, a Group DN entry with valid syntax could be either:
10000
admins
cn=admins,ou=People,dc=example,dc=com
but a Group Name entry with valid syntax would be
admins
.Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.
-
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the group to which the user belongs.
To verify group query options group owner
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose Group Query Options group owner query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options.
-
From Select query type, select Group Owner.
-
Either the Group DN or Group Name field appears. If Group DN appears, enter the distinguished name of the group object. If Group Name appears, enter only the group name portion of the distinguished name of the group object.
For example, a Group DN entry with valid syntax would be
cn=admins,ou=People,dc=example,dc=com
, but a Group Name entry with valid syntax would beadmins
.Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.
-
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the group record and find the group owner and their email address.
To verify user authentication options
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select Authentication.
-
In Mail address, enter the email address of a user on the LDAP server, such as
test@example.com
. -
In Password, enter the current password for that user.
-
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.
To verify user query options
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose user query options you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select Alias.
-
In Email address, enter the email address alias of a user on the LDAP server, such as
test-alias@example.com
. -
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the alias record, or binding to authenticate the user.
To verify mail routing options
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose Mail Routing Options query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select Mail Routing.
-
In Mail address, enter the email address of a user on the LDAP server, such as
test@example.com
. -
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the mail host and mail routing address for that user.
To verify scan override options
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose Scan Override Options (antispam, antivirus, and content profile preference) query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select Scan Override.
-
In Email address, enter the email address of a user on the LDAP server, such as
test@example.com
. -
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the antispam and antivirus processing preferences for that user.
To verify address mapping options
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose Address Mapping Options query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select Address Mapping.
-
In Email address, enter the email address of a user on the LDAP server, such as
test@example.com
. -
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the internal and external email addresses for that user.
To verify the webmail password change query
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose webmail password change query you want to test.
-
Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
-
From Select query type, select Change Password.
-
In Email address, enter the email address of a user on the LDAP server, such as
test@example.com
.Only use an email account whose password it is acceptable to change, and make note of the new password. Verifying the Webmail Password Options query configuration performs a real password change, and does not restore the previous password after the query has been verified.
-
In Password, enter the current password for that user.
-
In New Password, enter the new password for that user.
-
Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, binding to authenticate the password change, and the password change operation itself.
Clearing the LDAP profile cache
You can clear the FortiMail unit’s cache of query results for any LDAP profile.
This may be useful after, for example, you have updated parts of your LDAP directory that are used by that LDAP profile, and you want the FortiMail unit to discard outdated cached query results and reflect changes to the LDAP directory. After the cache is emptied, any subsequent request for information from that LDAP profile causes the FortiMail unit to query the updated LDAP server, refreshing the cache.
-
Go to Profile > LDAP > LDAP.
-
Double-click the LDAP profile whose query cache you want to clear.
-
Click Test LDAP Query.
-
From Select query type, select Clear Cache.
A warning appears at the bottom of the window, notifying you that the cache for this LDAP profile will be cleared if you proceed. All queries will therefore be new again, resulting in decreased performance until the query results are again cached.
-
Click OK.
The FortiMail unit empties cached LDAP query responses associated with that LDAP profile.