Eric Jack
asked on
How to use LDAP user filtering on Barracuda anti-spam service
I am using the Barracuda ESS service for anti-spam, and I have it set up with LDAP lookup for the user accounts. Currently, when I synchronize the users from my AD to the Barracuda, it creates user accounts for all the mailboxes, distribution groups, etc. that I don't want. So this forces me to leave "synchronize automatically" turned off.
Looking at the settings in Barracuda, I can set custom user filtering. (See screen shot below.) However, I can't figure out the correct syntax to put in this filter. At this point, I don't care if the filter bases it on users in a specified OU or users who are members of a specific security group. I can't get anything to work.
I'm hoping this is a simple request, and I just don't know LDAP well enough to figure it out. So any help is appreciated. Here's the Barracuda settings screenshot:
Here's the text from the Barracuda help screen for that field:
User Filter
Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made.
Example 1: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
Example 2: You create the User Filter (mail=*@domain.com) which only pulls users matching the domain "domain.com". Any attribute that is available for reading on your LDAP server can be used in the user filter.
ASKER
Oh, that works. But not the way I want it to. After syncing with that filter, it adds users for every conference room, distribution group, health mailbox, etc. because they all have *@domain.com email addresses. That's why I'm trying to filter based on an OU or security group membership or something.
Okay, at least the product is not broken, which makes things easier.
let's try this
(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))
ASKER
Sorry for the delay in responding. Between a couple days off for PAX East and then New England getting walloped by that storm, I was out of the office.
That doesn't seem to be working for some reason. I've input it as:
(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Employees,dc=tx,dc=local))
to match my specific AD information. But when I run a synchronize on the Barracuda service, it says 0 users updated. Even after deleting one user from Barracuda and then expecting the sync to re-add him.
the memberof is wrong.
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local
in AD, click on view/advanced features
double click on the group again and click on attribute editor
lookup distinguishedName
copy paste that line out (which should be equal to the above)
ASKER
Doh! I had "ou=users" because I assumed it was checking to see what users in the users ou had the sg-barracuda security group. Well, even after changing it as you stated, I still can't get this working. Even Barracuda support seems to be stumped.
In the meantime, I'm "manually" adding any new users by making the filter say (mail=username*) where username is the new person and then it imports just the new user. It works, but it's just one more step to add to my new user process. It would have been nicer for automatic sync.
do one thing
run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))}
and see whether it returns any.
If it does, then at least we confirm the LDAP query is working, and just Barracuda has issues.
If you did not get anything, then the query is having issues; we need to root cause it.
ASKER
Run that from where?
that is a powershell script.
you can run from your machine (if you have activedirectory module) or from domain controller
ASKER
Um, I must be doing something wrong:
PS C:\Users\ejack-a> run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Security,dc=tx,dc=com))}
At line:1 char:102
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=com))}
+ ~
Missing argument in parameter list.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingArgument
remove the run
just
get-adobject -ldapfilter .......
ASKER
Okay, I must still have something wrong in the syntax.
PS C:\Users\ejack-a> get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Security,dc=tx,dc=local))}
At line:1 char:98
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=local))}
+ ~
Missing argument in parameter list.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingArgument
PS C:\Users\ejack-a>
did you have active directory powershell imported?
run
import-module activedirectory
ASKER
i thought your group is as below?
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local
ASKER
No, same exact error even adding the ou=groups to the syntax.
Try the following:
get-adobject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com))}
get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}
Do any of the above work?
The command on my end works well, so I am trying to think what could go wrong.
ASKER
Still not working. Two different errors on each of those. BTW, you had an extra ) on your first command.
PS C:\Users\ejack-a> get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
get-ADObject : The search filter cannot be recognized
At line:1 char:1
+ get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADObject], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADObject
PS C:\Users\ejack-a> get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}
At line:1 char:52
+ get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx, ...
+ ~
Missing argument in parameter list.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingArgument
I missed a (
get-adobject -ldapfilter {(mail=*@comarktv.com)}
also try
get-adobject -ldapfilter "(mail=*@comarktv.com)"
then tell me what Windows DC you are on, please.
ASKER
Both of those work. I'm using Windows Server 2012 R2 Standard. So the previous commands must have a syntax error somewhere. I'm just not familiar enough to know what.
I am on the same platform so it is definitely going to work
get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com))}
get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*@comarktv.com))"
try this?
then try this?
get-adobject -ldapfilter "(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)"
ASKER
Okay, so each of those get commands worked. It seems like there's a problem when you try to combine those different commands into one.
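The combined query this thread is working toward, as an added PowerShell example that is not part of any post here: it reads the group's distinguishedName with Get-ADGroup, builds the filter as a quoted string, and runs it through Get-ADObject so the result set can be inspected before the same filter goes into the Barracuda User Filter field. The group name, mail domain and the ActiveDirectory module are assumed from the thread.

```powershell
# Added example, not from any post in this thread. Validates the Barracuda
# "User Filter" in PowerShell before it is pasted into ESS. Assumes the
# ActiveDirectory module and the group/domain names used in the thread.
Import-Module ActiveDirectory

$groupName  = 'SG-Barracuda'
$mailDomain = 'comarktv.com'

# RFC 4515 escaping for values placed inside an LDAP filter; a group DN
# containing ( ) * or \ would otherwise break or widen the filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Read the group's distinguishedName from AD instead of typing it: one wrong
# RDN (ou=users vs. ou=Security,OU=Groups) silently matches nothing.
$groupDn = (Get-ADGroup -Identity $groupName).DistinguishedName

# Build the filter as a string. The {...} form used above is a script block,
# so the commas in the DN are parsed as argument separators before the
# filter reaches the cmdlet ("Missing argument in parameter list").
$filter = "(&(objectCategory=Person)(mail=*@$mailDomain)(memberOf=$(ConvertTo-LdapFilterValue $groupDn)))"
Write-Host "Filter to paste into Barracuda: $filter"

# memberOf lists direct membership only; members of a group nested inside
# SG-Barracuda are not returned here and will not be created by ESS either.
$results = @(Get-ADObject -LDAPFilter $filter -Properties mail, sAMAccountName)
Write-Host "$($results.Count) account(s) match:"
$results | Select-Object Name, sAMAccountName, mail | Format-Table -AutoSize

# objectCategory=Person also matches contact objects; list anything the
# filter returns that is not a user so it can be removed from the group.
$nonUsers = @(Get-ADObject -LDAPFilter "(&$filter(!(objectClass=user)))")
if ($nonUsers.Count -gt 0) {
    Write-Warning "Non-user objects matched by the filter:"
    $nonUsers | Select-Object Name, ObjectClass | Format-Table -AutoSize
}
```

Whatever this prints as the filter is exactly the string that belongs in the Barracuda field; if the count here is zero, the DN or the domain is wrong and the Barracuda sync will report 0 users as well.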
ASKER CERTIFIED SOLUTION
ASKER
Sorry it has taken so long to respond. That last command works in Powershell. It also seems to work in Barracuda. Sort of.
Barracuda will add in a missing user. But it will not remove a user that is no longer a member of the SG-Barracuda security group. And the Barracuda also removes any linked accounts (in other words, if I add the IT distribution list to my email within Barracuda, it removes it every time the sync is run).
Overall, I think this issue is now a Barracuda support problem. I appreciate the troubleshooting to get the LDAP lookup command working.
ASKER
After a brief conversation with Barracuda support, I was told that the LDAP sync will never remove users. So that addresses that. And I also learned that since I'm linking the disto groups manually to user accounts within Barracuda, they are getting wiped out during the LDAP sync because those links don't exist in the sync. Makes sense...
Now I just need to figure out how to "link" my distribution groups to a user at the Exchange level so the LDAP sync to Barracuda copies it. Otherwise, the spam reports for emails hitting the disto groups don't reach anyone!
If this is the case, you got a faulty product or there are layer 8 issues