Configuring Profiles

Testing LDAP profile queries

After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiMail unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

When testing a query in an LDAP profile, you may encounter error messages that indicate why the query failed. Table 55 lists these messages and how to fix the underlying problem.

Table 55: Possible failure messages from LDAP query tests

Failure message: Empty input
Meaning and solution: The query cannot be performed until you provide the information required by the query.

Failure message: Failed to bind with bind DN and password
Meaning and solution: The FortiMail unit successfully connected to the LDAP server, but could not authenticate in order to perform the query. If the server permits anonymous queries, the Bind DN and Bind password you specified in the User Query Options section should be blank, and Allow unauthenticated bind should be enabled (see “Allow unauthenticated bind” on page 567). Otherwise, you must enter a valid bind DN and its password.

Failure message: Unable to found user DN that matches mail address
Meaning and solution: The FortiMail unit successfully connected to the LDAP server and, if configured, bound, but could not find a user whose email address attribute matched that value. The user may not exist on the LDAP server under the Base DN and query filter you specified in User Query Options, or the value of the user’s email address attribute does not match the value that you supplied in Mail address.

Failure message: Unable to find LDAP group for user
Meaning and solution: The FortiMail unit successfully located a user with that email address, but the user’s group membership attribute did not match your supplied value. The group membership attribute you specified in Group Query Options may not exist, or the value of the group membership attribute may not match the value that you supplied in Group DN. If the value does not match, verify that you have supplied the Group DN according to the syntax expected by both your LDAP server and your configuration of Group Query Options.

Failure message: Failed to bind
Meaning and solution: The FortiMail unit successfully located a user with that email address, but the bind as that user failed, so the FortiMail unit was unable to authenticate the user. Binding fails if the password you supplied (in Password, or in Old password for the Change Password test) does not match the user’s password on the LDAP server. If this error message appears when testing Change Password, it also means that the password was not changed.

Failure message: Unable to find mail alias
Meaning and solution: The FortiMail unit was unable to find the email alias. The alias may not exist on the LDAP server under the Base DN and query filter you specified in User Alias Options, or the value of the alias’ email address attribute does not match the value that you supplied in Mail address.

To verify user query options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose User Query Options section query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select User.

Figure 240: LDAP Query Test: User

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
  6. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record.

To verify group query options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose Group Query Options section query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query. The fields displayed in the window vary depending on whether Use group name with base DN as group DN is enabled in the Group Query Options section.

  4. From Select query type, select Group.

Figure 241: LDAP Query Test: Group (Use group name with base DN as group DN is disabled)

Figure 242: LDAP Query Test: Group (Use group name with base DN as group DN is enabled)

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
  6. Either the Group DN or Group Name field appears. If Group DN appears, enter the value of the user’s group membership attribute. If Group Name appears, enter only the group name portion of the value of the user’s group membership attribute.

For example, a Group DN entry with valid syntax could be either:

  • 10000
  • admins
  • cn=admins,ou=People,dc=example,dc=com

but a Group Name entry with valid syntax would be admins.

Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.

  7. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the group to which the user belongs.

To verify group query options group owner

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose Group Query Options group owner query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query. The fields displayed in the window vary depending on whether Use group name with base DN as group DN is enabled in Group Query Options.

  4. From Select query type, select Group Owner.

Figure 243: LDAP Query Test: Group Owner (Use group name with base DN as group DN is disabled)

Figure 244: LDAP Query Test: Group Owner (Use group name with base DN as group DN is enabled)

  5. Either the Group DN or Group Name field appears. If Group DN appears, enter the distinguished name of the group object. If Group Name appears, enter only the group name portion of the distinguished name of the group object.

For example, a Group DN entry with valid syntax would be cn=admins,ou=People,dc=example,dc=com, but a Group Name entry with valid syntax would be admins.

Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.

  6. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the group record and find the group owner and their email address.

To verify user authentication options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose User Authentication Options query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select Authentication.

Figure 245: LDAP Query Test: Authentication

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
  6. In Password, enter the current password for that user.
  7. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.

To verify user alias options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose User Alias Options query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select Alias.

Figure 246: LDAP Query Test: Alias

  5. In Mail address, enter the email address alias of a user on the LDAP server, such as test-alias@example.com.
  6. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as binding to the LDAP server and the search to locate the alias record.

To verify Mail Routing Options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose Mail Routing Options query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select Mail Routing.

Figure 247: LDAP Query Test: Mail Routing

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
  6. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the mail host and mail routing address for that user.

To verify AS/AV On/Off options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose AS/AV On/Off Options (antispam and antivirus preference) query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select ASAV.

Figure 248: LDAP Query Test: ASAV

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
  6. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the antispam and antivirus processing preferences for that user.

To verify address mapping options

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose Address Mapping Options query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select Address Mapping.

Figure 249: LDAP Query Test: Address Mapping

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
  6. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the internal and external email addresses for that user.

To verify the webmail password change query

  1. Go to Profile > LDAP > LDAP.
  2. Double-click the LDAP profile whose webmail password change query you want to test.
  3. Click Test LDAP Query.

A pop-up window appears allowing you to test the query.

  4. From Select query type, select Change Password.

Figure 250: LDAP Query Test: Change Password

  5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.

Only use an email account whose password it is acceptable to change, and make note of the new password. Verifying the Webmail Password Options query configuration performs a real password change, and does not restore the previous password after the query has been verified.

  6. In Password, enter the current password for that user.
  7. In New Password, enter the new password for that user.
  8. Click Test.

The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, binding to authenticate the password change, and the password change operation itself.
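It is often useful to reproduce the steps of these tests outside the FortiMail GUI, for example from a host on the same network segment when the cause of a failure is unclear. The following added example (not Fortinet code, and not part of the original guide) builds OpenLDAP client command lines that perform the same operations as the User, Group, Authentication and Change Password tests described above: bind with the profile's bind DN (or anonymously, as with Allow unauthenticated bind), locate the user by mail address, AND the user search with the group membership attribute, bind as the located user, and change the password. The Mail Routing, ASAV, Address Mapping and Alias tests are the same user search returning different attributes, so pass the attribute names (and, for Alias, the User Alias Options filter) to user_query. The $m/$u/$d placeholders, the attribute names memberOf, mailHost and mailRoutingAddress, and all hostnames, DNs and file paths are assumptions; check them against your own profile. The filter and DN escaping is the point worth copying: the Mail address value is substituted into the search filter, so it is escaped per RFC 4515 so that a crafted address cannot widen the filter.

```python
"""Mirror the FortiMail LDAP profile tests with the OpenLDAP command-line tools.

Added example, not Fortinet code. Placeholder names ($m, $u, $d), attribute names,
hostnames, DNs and password-file paths are assumptions; adjust to your profile.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List

FILTER_UNSAFE = set("\\*()\x00")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    A mail address typed into the test dialog (or received on SMTP) must not be able
    to widen the filter, so '\\', '*', '(', ')' and NUL become \\XX hex escapes.
    """
    return "".join("\\%02x" % ord(ch) if ch in FILTER_UNSAFE else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, mail: str) -> str:
    """Substitute $m (full address), $u (local part) and $d (domain) into a
    FortiMail-style filter template (assumed placeholder names), escaping each value."""
    local, _, domain = mail.partition("@")
    values = {"$m": mail, "$u": local, "$d": domain}
    return re.sub(r"\$[mud]", lambda m: escape_filter_value(values[m.group(0)]), template)


def group_dn(group: str, base_dn: str, use_group_name_with_base_dn: bool, rdn_attr: str = "cn") -> str:
    """The two forms of the group test: a full Group DN is used as entered; with
    'Use group name with base DN as group DN' enabled only the name is entered and
    the DN becomes <rdn_attr>=<name>,<base DN>."""
    if use_group_name_with_base_dn:
        return f"{rdn_attr}={escape_dn_value(group)},{base_dn}"
    return group


@dataclass
class LdapProfile:
    host: str
    base_dn: str
    bind_dn: str = ""             # blank: anonymous bind, as with Allow unauthenticated bind
    bind_pw_file: str = ""        # password file for -y; never put the secret on argv
    user_filter: str = "(&(objectClass=person)(mail=$m))"
    group_attr: str = "memberOf"  # assumed group membership attribute
    use_tls: bool = True

    def uri(self) -> str:
        return ("ldaps://" if self.use_tls else "ldap://") + self.host

    def _bind_args(self) -> List[str]:
        return ["-D", self.bind_dn, "-y", self.bind_pw_file] if self.bind_dn else []

    def user_query(self, mail: str, attrs: List[str]) -> List[str]:
        """User test: locate the user record. attrs selects what to return, e.g.
        ['mailHost', 'mailRoutingAddress'] for the Mail Routing test."""
        return (["ldapsearch", "-x", "-LLL", "-H", self.uri()] + self._bind_args()
                + ["-b", self.base_dn, "-s", "sub", expand_filter(self.user_filter, mail), "dn"] + attrs)

    def group_query(self, mail: str, group: str, use_group_name_with_base_dn: bool) -> List[str]:
        """Group test: the user search ANDed with the membership attribute equal to the
        Group DN / Group Name value. No entry back means 'Unable to find LDAP group for user'."""
        wanted = group_dn(group, self.base_dn, use_group_name_with_base_dn)
        filt = "(&%s(%s=%s))" % (expand_filter(self.user_filter, mail), self.group_attr,
                                 escape_filter_value(wanted))
        return (["ldapsearch", "-x", "-LLL", "-H", self.uri()] + self._bind_args()
                + ["-b", self.base_dn, "-s", "sub", filt, "dn", self.group_attr])

    def auth_bind(self, user_dn: str, user_pw_file: str) -> List[str]:
        """Authentication test, second step: bind as the DN the user search returned."""
        return ["ldapwhoami", "-x", "-H", self.uri(), "-D", user_dn, "-y", user_pw_file]

    def change_password(self, user_dn: str, old_pw_file: str, new_pw_file: str) -> List[str]:
        """Change Password test. This really changes the password; -t/-T read the
        old and new passwords from files."""
        return ["ldappasswd", "-x", "-H", self.uri(), "-D", user_dn, "-y", old_pw_file,
                "-t", old_pw_file, "-T", new_pw_file, user_dn]


def render(cmd: List[str]) -> str:
    """Shell-safe one-liner for copy and paste."""
    return shlex.join(cmd)


if __name__ == "__main__":
    # Constructed sample profile; host, DNs and paths are placeholders.
    p = LdapProfile(host="ldap.example.com", base_dn="dc=example,dc=com",
                    bind_dn="cn=fortimail,ou=Services,dc=example,dc=com",
                    bind_pw_file="/etc/fortimail/bind.pw")
    print(render(p.user_query("test@example.com", ["mail"])))
    print(render(p.group_query("test@example.com", "admins", True)))
    print(render(p.auth_bind("uid=test,ou=People,dc=example,dc=com", "/tmp/test.pw")))
```

Read the exit status the same way the dialog reports its operations: ldapsearch exits with the LDAP result code, so 49 (invalidCredentials) corresponds to "Failed to bind with bind DN and password", while exit 0 with no entry printed corresponds to "Unable to found user DN that matches mail address" or, for the group query, "Unable to find LDAP group for user". Passwords are read from files (-y, -t, -T) rather than passed as arguments so they do not appear in process listings or shell history.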



6 thoughts on “Configuring Profiles”

  1. Steve

    Hi, on these instructions it states “personal black lists and white lists” on page 620.

    Where can I get the book to view page 620?

  2. Laurent

    Hello,
    What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statistically, on dozens of emails, all the values are always within the range 95.03 to 95.09. What is really checked in headers? In our organization (government, 5000 users) we have lots of SPAM caught but also lots of false positives caught by this feature...

    1. Mike (post author)

      Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.

  3. Dormond

    Hello,
    Do we have some additional info regarding the heuristic filter? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150'000)... Now I have decreased the threshold value to 3.0 and increased the percentage of rules to 50%, and now it catches around 200 emails out of 750'000... still no false positives.

  4. Laurent

    Hello,

    Is there a way to clear only one entry in the LDAP cache? Since we have over 10'000 users and there are multiple routers and firewalls between the SMTP gateway and the LDAP servers, we do not want to clear the whole cache.
