Eric Jack asked:

How to use LDAP user filtering on Barracuda anti-spam service

I am using the Barracuda ESS service for anti-spam, and I have it set up with LDAP lookup for the user accounts. Currently, when I synchronize the users from my AD to the Barracuda, it creates user accounts for all the mailboxes, distribution groups, etc. that I don't want. So this forces me to leave synchronize automatically turned off.

Looking at the settings in Barracuda, I can set custom user filtering. (See screenshot below.) However, I can't figure out the correct syntax to put in this filter. At this point, I don't care if the filter bases it on users in a specified OU or users who are members of a specific security group. I can't get anything to work.

I'm hoping this is a simple request, and I just don't know LDAP well enough to figure it out. So any help is appreciated. Here's the Barracuda settings screenshot:

Here's the text from the Barracuda help screen for that field:
User Filter
Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made.

    Example 1: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
    Example 2: You create the User Filter (mail=*@domain.com) which only pulls users matching the domain "domain.com". Any attribute that is available for reading on your LDAP server can be used in the user filter.
Jian An Lim

So even (mail=*@domain.com) will not work?

If this is the case, you got a faulty product or there are layer 8 issues.
Eric Jack (ASKER)

Oh, that works. But not the way I want it to. After syncing with that filter, it adds users for every conference room, distribution group, health mailbox, etc. because they all have *@domain.com email addresses. That's why I'm trying to filter based on an OU or security group membership or something.
Okay, at least the product is not broken, which makes things easier.

Let's try this:

(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))
Sorry for the delay in responding. Between a couple days off for PAX East and then New England getting walloped by that storm, I was out of the office.

That doesn't seem to be working for some reason. I've input it as:

(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Employees,dc=tx,dc=local))

to match my specific AD information. But when I run a synchronize on the Barracuda service, it says 0 users updated. Even after deleting one user from Barracuda and then expecting the sync to re-add him.

The memberOf is wrong.
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local

In AD, click on View / Advanced Features.
Double-click on the group again and click on Attribute Editor.
Look up distinguishedName.
Copy and paste that line out (which should be equal to the above).
Doh! I had "ou=users" because I assumed it was checking to see what users in the users ou had the sg-barracuda security group. Well, even after changing it as you stated, I still can't get this working. Even Barracuda support seems to be stumped.

In the meantime, I'm "manually" adding any new users by making the filter say (mail=username*) where username is the new person and then it imports just the new user. It works, but it's just one more step to add to my new user process. It would have been nicer for automatic sync.
Do one thing:

run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))}

and see whether it returns any.

If it does, then at least we confirm the LDAP query is working; just Barracuda has issues.
If you did not get anything, then the query is having issues and we need to root cause it.
Run that from where?
That is a PowerShell script.
You can run it from your machine (if you have the ActiveDirectory module) or from a domain controller.
Um, I must be doing something wrong:

PS C:\Users\ejack-a> run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracu
da,ou=Security,dc=tx,dc=com))}
At line:1 char:102
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=com))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument
Remove the run.

Just:

get-adobject -ldapfilter  ....... 


Okay, I must still have something wrong in the syntax.

PS C:\Users\ejack-a> get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,o
u=Security,dc=tx,dc=local))}
At line:1 char:98
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=local))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument

PS C:\Users\ejack-a>
Did you have Active Directory PowerShell imported?

Run:

import-module activedirectory


Same error even after running the import-module command. Here's an actual screenshot of the PowerShell window. Is it saying the error is the comma after Barracuda? Is this a simple syntax error?

I thought your group is as below?
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local


No, same exact error even adding the ou=groups to the syntax.
Try the following:

get-adobject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com))}


get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}


Do any of the above work?
The command on my end works well, so I am trying to think what could go wrong.
Still not working. Two different errors on each of those. BTW, you had an extra ) on your first command.

PS C:\Users\ejack-a> get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
get-ADObject : The search filter cannot be recognized
At line:1 char:1
+ get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADObject

PS C:\Users\ejack-a> get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}
At line:1 char:52
+ get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx, ...
+                                                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument


I missed a (


get-adobject -ldapfilter {(mail=*@comarktv.com)}


Also try:
get-adobject -ldapfilter "(mail=*@comarktv.com)"


Then tell me what Windows DC you are on, please.
Both of those work. I'm using Windows Server 2012 R2 Standard. So the previous commands must have a syntax error somewhere. I'm just not familiar enough to know what.
I am on the same platform, so it is definitely going to work.


get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com))}

get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*@comarktv.com))"

try this?

then try this?

get-adobject -ldapfilter "(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)"
Okay, so each of those get commands worked. It seems like there's a problem when you try to combine those different commands into one.
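Putting the working string form together, as an added example (not code from the thread or from Barracuda; it assumes the ActiveDirectory module is installed and uses placeholder group and domain names): it resolves the group DN from AD rather than typing it, escapes it for the filter, shows why the brace form failed, and adds the nested-group variant of memberOf that the thread's filter does not cover.

```powershell
# Added example, not code from the thread or from Barracuda. Assumes the
# ActiveDirectory module is installed; group name and mail domain are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'SG-Barracuda'   # group whose members should get Barracuda accounts
$MailDomain = 'example.com'    # placeholder mail domain

# RFC 4515 escaping for a value embedded in an LDAP filter. A DN containing
# '(' ')' '*' or '\' would otherwise break the filter or widen the match.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Look the group's distinguishedName up instead of typing it by hand; the first
# failure in the thread was a DN guessed as ou=users when the group lived elsewhere.
$groupDn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName

# memberOf matches direct members only. The matching-rule OID 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) also follows nested group membership.
$base         = "(objectCategory=person)(objectClass=user)(mail=*@${MailDomain})"
$directFilter = "(&${base}(memberOf=${groupDn}))"
$nestedFilter = "(&${base}(memberOf:1.2.840.113556.1.4.1941:=${groupDn}))"

# Pass the filter as a quoted string. Wrapping it in { } makes PowerShell parse a
# script block, which trips on the commas in the DN ("Missing argument in parameter list").
$direct = @(Get-ADObject -LDAPFilter $directFilter -Properties mail)
$nested = @(Get-ADObject -LDAPFilter $nestedFilter -Properties mail)

"Direct members with mail: {0}; including nested groups: {1}" -f $direct.Count, $nested.Count

# Users reachable only through nested groups: a plain memberOf filter on the
# appliance would never create these accounts.
$nested | Where-Object { $_.DistinguishedName -notin $direct.DistinguishedName } |
    Select-Object Name, mail

# Sanity check of what the filter excludes: mail-enabled objects that are not user
# accounts (distribution groups, mail contacts), which the sync should not create.
Get-ADObject -LDAPFilter "(&(mail=*@${MailDomain})(!(objectClass=user)))" -Properties mail |
    Select-Object Name, objectClass, mail
```

Run it from a machine with RSAT or on a domain controller; if the nested query returns more than the direct one, the appliance filter in the thread will miss those users.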
ASKER CERTIFIED SOLUTION
Jian An Lim
This solution is only available to members.

Sorry it has taken so long to respond. That last command works in Powershell. It also seems to work in Barracuda. Sort of.

Barracuda will add in a missing user. But it will not remove a user that is no longer a member of the SG-Barracuda security group. And the Barracuda also removes any linked accounts (in other words, if I add the IT distribution list to my email within Barracuda, it removes it every time the sync is run).

Overall, I think this issue is now a Barracuda support problem. I appreciate the troubleshooting to get the LDAP lookup command working.
After a brief conversation with Barracuda support, I was told that the LDAP sync will never remove users. So that addresses that. And I also learned that since I'm linking the distro groups manually to user accounts within Barracuda, they are getting wiped out during the LDAP sync because those links don't exist in the sync. Makes sense...

Now I just need to figure out how to "link" my distribution groups to a user at the Exchange level so the LDAP sync to Barracuda copies it. Otherwise, the spam reports for emails hitting the distro groups don't reach anyone!