Eric Jack (United States) asked:

How to use LDAP user filtering on Barracuda anti-spam service

I am using the Barracuda ESS service for anti-spam, and I have it set up with LDAP lookup for the user accounts. Currently, when I synchronize the users from my AD to the Barracuda, it creates user accounts for all the mailboxes, distribution groups, etc. that I don't want. So this forces me to leave "synchronize automatically" turned off.

Looking at the settings in Barracuda, I can set custom user filtering. (See screen shot below.) However, I can't figure out the correct syntax to put in this filter. At this point, I don't care if the filter bases it on users in a specified OU or users who are members of a specific security group. I can't get anything to work.

I'm hoping this is a simple request, and I just don't know LDAP well enough to figure it out. So any help is appreciated. Here's the Barracuda settings screenshot:

ESS Screenshot
Here's the text from the Barracuda help screen for that field:
User Filter
Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made.

    Example 1: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
    Example 2: You create the User Filter (mail=*@domain.com) which only pulls users matching the domain "domain.com". Any attribute that is available for reading on your LDAP server can be used in the user filter.
Topics: LDAP, Security

Last comment: Eric Jack, 8/22/2022 (Mon)
Jian An Lim

So even (mail=*@domain.com) will not work?

If this is the case, you've got a faulty product, or there are layer 8 issues.
Eric Jack

ASKER
Oh, that works. But not the way I want it to. After syncing with that filter, it adds users for every conference room, distribution group, health mailbox, etc. because they all have *@domain.com email addresses. That's why I'm trying to filter based on an OU or security group membership or something.
Jian An Lim

Okay, at least the product is not broken, which makes things easier.

Let's try this:

(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))
Eric Jack

ASKER
Sorry for the delay in responding. Between a couple days off for PAX East and then New England getting walloped by that storm, I was out of the office.

That doesn't seem to be working for some reason. I've input it as:

(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Employees,dc=tx,dc=local))

to match my specific AD information. But when I run a synchronize on the Barracuda service, it says 0 users updated. Even after deleting one user from Barracuda and then expecting the sync to re-add him.

Capture.JPG
Jian An Lim

The memberOf is wrong:
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local

In AD, click View > Advanced Features.
Double-click the group again and click Attribute Editor.
Look up distinguishedName.
Copy and paste that line out (which should be equal to the above).
Eric Jack

ASKER
Doh! I had "ou=users" because I assumed it was checking to see which users in the Users OU had the SG-Barracuda security group. Well, even after changing it as you stated, I still can't get this working. Even Barracuda support seems to be stumped.

In the meantime, I'm "manually" adding any new users by making the filter say (mail=username*) where username is the new person and then it imports just the new user. It works, but it's just one more step to add to my new user process. It would have been nicer for automatic sync.
Jian An Lim

Do one thing:

run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))}

and see whether it returns anything.

If it does, then at least we confirm the LDAP query is working and just Barracuda has issues.
If you did not get anything, then the query has issues and we need to root-cause it.
Eric Jack

ASKER
Run that from where?
Jian An Lim

That is a PowerShell script.
You can run it from your machine (if you have the ActiveDirectory module) or from a domain controller.
Eric Jack

ASKER
Um, I must be doing something wrong:

PS C:\Users\ejack-a> run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracu
da,ou=Security,dc=tx,dc=com))}
At line:1 char:102
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=com))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument
Jian An Lim

Remove the "run"; just

get-adobject -ldapfilter .......

Eric Jack

ASKER
Okay, I must still have something wrong in the syntax.

PS C:\Users\ejack-a> get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,o
u=Security,dc=tx,dc=local))}
At line:1 char:98
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=local))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument

PS C:\Users\ejack-a>
Jian An Lim

Did you have the Active Directory PowerShell module imported?

Run

import-module activedirectory

Eric Jack

ASKER
Same error even after running the import-module command. Here's an actual screenshot of the PowerShell window. Is it saying the error is the comma after Barracuda? Is this a simple syntax error?

Screenshot_1.png
Jian An Lim

I thought your group is as below?
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local

Eric Jack

ASKER
No, same exact error even adding the ou=groups to the syntax.
Jian An Lim

Try the following:

get-adobject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com))}

get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}

Does either of the above work?
The command on my end works well, so I am trying to think what could go wrong.
Eric Jack

ASKER
Still not working. Two different errors on each of those. BTW, you had an extra ) on your first command.

PS C:\Users\ejack-a> get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
get-ADObject : The search filter cannot be recognized
At line:1 char:1
+ get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADObject

PS C:\Users\ejack-a> get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}
At line:1 char:52
+ get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx, ...
+                                                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument


Jian An Lim

I missed a (:

get-adobject -ldapfilter {(mail=*@comarktv.com)}

Also try:

get-adobject -ldapfilter "(mail=*@comarktv.com)"

Then tell me what Windows DC you are on, please.
Eric Jack

ASKER
Both of those work. I'm using Windows Server 2012 R2 Standard. So the previous commands must have a syntax error somewhere. I'm just not familiar enough to know what.
Jian An Lim

I am on the same platform, so it is definitely going to work.

Try this:

get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com))}

get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*@comarktv.com))"

Then try this:

get-adobject -ldapfilter "(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)"
Eric Jack

ASKER
Okay, so each of those get commands worked. It seems like there's a problem when you try to combine those different commands into one.
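The following is an added example, not the thread's accepted solution and not code from Barracuda or Microsoft. It shows the filter from this thread (objectCategory, mail wildcard and memberOf, as in the Barracuda help text and Jian An Lim's replies) combined into one Get-ADObject query that avoids the two problems seen above: a hand-typed group DN that matches nothing, and a filter passed as a {...} script block, whose commas PowerShell tries to parse as code. It assumes the ActiveDirectory module is available, that the machine can reach a domain controller for tx.local, and uses the group name SG-Barracuda and the mail domain comarktv.com from the thread; substitute your own values.

```powershell
# Added example (not from the thread, Barracuda or Microsoft). Builds the
# combined LDAP user filter, tests it with Get-ADObject, and prints the string
# to paste into Barracuda's "User Filter" field.
Import-Module ActiveDirectory

$GroupName  = 'SG-Barracuda'   # security group that gates Barracuda accounts (from the thread)
$MailDomain = 'comarktv.com'   # only mailboxes in this domain (from the thread)

# 1. Read the group's distinguishedName from AD instead of typing it by hand.
#    A mistyped DN (ou=users vs ou=Security,OU=Groups) does not error; it just
#    matches no users, which is what "0 users updated" looked like above.
$GroupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

# 2. LDAP filters are strings. Passing them as {...} makes PowerShell parse the
#    body as a script block, and the commas inside a DN then produce
#    "Missing argument in parameter list". A double-quoted string avoids that.
#    memberOf is an attribute on the user object holding the group's full DN,
#    so the query still searches users, not the group's OU.
$Filter = "(&(objectCategory=Person)(mail=*@$MailDomain)(memberOf=$GroupDn))"

# Optional: memberOf only matches direct members. To include members of
# nested groups, use the LDAP_MATCHING_RULE_IN_CHAIN OID on memberOf instead.
$NestedFilter = "(&(objectCategory=Person)(mail=*@$MailDomain)(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"

# 3. Run the query. What this returns is what a Barracuda sync would import.
$Users = Get-ADObject -LDAPFilter $Filter -Properties mail, memberOf
if (-not $Users) {
    Write-Warning "Filter '$Filter' matched no objects. Check the group DN and that the members have a mail attribute."
} else {
    $Users | Select-Object Name, mail | Format-Table -AutoSize
}

# 4. Paste this string into the Barracuda "User Filter" field.
$Filter
```

Run the script from a machine with RSAT or directly on a domain controller. If the direct-membership filter returns the expected users in PowerShell but the Barracuda sync still updates nothing, the filter is not the problem and the service's LDAP bind account or search base is the next thing to check.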
ASKER CERTIFIED SOLUTION
Jian An Lim

Eric Jack

ASKER
Sorry it has taken so long to respond. That last command works in Powershell. It also seems to work in Barracuda. Sort of.

Barracuda will add in a missing user. But it will not remove a user that is no longer a member of the SG-Barracuda security group. And the Barracuda also removes any linked accounts (in other words, if I add the IT distribution list to my email within Barracuda, it removes it every time the sync is run).

Overall, I think this issue is now a Barracuda support problem. I appreciate the troubleshooting to get the LDAP lookup command working.
Eric Jack

ASKER
After a brief conversation with Barracuda support, I was told that the LDAP sync will never remove users. So that addresses that. And I also learned that since I'm linking the distro groups manually to user accounts within Barracuda, they are getting wiped out during the LDAP sync because those links don't exist in the sync. Makes sense...

Now I just need to figure out how to "link" my distribution groups to a user at the Exchange level so the LDAP sync to Barracuda copies it. Otherwise, the spam reports for emails hitting the distro groups don't reach anyone!