This document describes why LDAP group queries may not work on an Email Security Appliance (ESA).
Why does the LDAP group query not work with Active Directory?
Why is the LDAP group query not producing the expected results when tested with a user who is definitely a member of the specified group?
With group queries using Microsoft Active Directory, it is necessary to use the distinguished name (DN) of the group rather than it's common name (CN). Below are some examples of what these two items look like:
Common Name (CN):
Distinguished Name (DN):
CN=Administrators, DC=Example, DC=Com
CN=Phoenix-Users, OU=Phoenix, DC=Cisco, DC=Com
If you are not sure of what the DN is, you can locate this in Active Directory Users and Computers:
- Go to the ‘View’ menu and select ‘Advanced Features’
- From the properties of your desired Group Object, click the ‘Attribute Editor’
- Scroll to the ‘distinguishedName’ attribute and double click the attribute
- The full string should be highlighted. Right-click and copy to the clipboard
Once you have the DN of the group, you can use it whenever you specify the name of the group. This includes test queries, content and message filters, and also mail policies.
Another approach would be to use one of the following two programs to find the DN:
Softerra LDAP Browser:
The general process for using one of these tools for this purpose is outlined below:
- Connect to your Domain Controller using your LDAP browsing tool
- Locate a user object who is a member of the group
- Find the user object's 'memberOf' attribute
- Find the DN that corresponds to the group you are trying to target
- Copy the DN of the target group from this attribute