How to use LDAP user filtering on Barracuda anti-spam service

Eric Jack
I am using the Barracuda ESS service for anti-spam, and I have it set up with LDAP lookup for the user accounts. Currently, when I synchronize the users from my AD to the Barracuda, it creates user accounts for all the mailboxes, distribution groups, etc. that I don't want. So this forces me to leave synchronize automatically turned off.

Looking at the settings in Barracuda, I can set custom user filtering. (See screen shot below.) However, I can't figure out the correct syntax to put in this filter. At this point, I don't care if the filter bases it on users in a specified OU or users who are members of a specific security group. I can't get anything to work.

I'm hoping this is a simple request, and I just don't know LDAP well enough to figure it out. So any help is appreciated. Here's the Barracuda settings screenshot:

ESS Screenshot
Here's the text from the Barracuda help screen for that field:
User Filter
Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made.

    Example 1: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
    Example 2: You create the User Filter (mail=*@domain.com) which only pulls users matching the domain "domain.com". Any attribute that is available for reading on your LDAP server can be used in the user filter.
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
So even (mail=*@domain.com) will not work?

If this is the case, you've got a faulty product or there are layer 8 issues.
Eric Jack, IT Manager

Author

Commented:
Oh, that works. But not the way I want it to. After syncing with that filter, it adds users for every conference room, distribution group, health mailbox, etc. because they all have *@domain.com email addresses. That's why I'm trying to filter based on an OU or security group membership or something.
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
Okay, at least the product is not broken, which makes things easier.

Let's try this:

(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))
Eric Jack, IT Manager

Author

Commented:
Sorry for the delay in responding. Between a couple days off for PAX East and then New England getting walloped by that storm, I was out of the office.

That doesn't seem to be working for some reason. I've input it as:

(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Employees,dc=tx,dc=local))

to match my specific AD information. But when I run a synchronize on the Barracuda service, it says 0 users updated. Even after deleting one user from Barracuda and then expecting the sync to re-add him.

Capture.JPG
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
The memberOf is wrong.
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local

In AD, click on View / Advanced Features.
Double-click on the group again and click on Attribute Editor.
Look up distinguishedName.
Copy/paste that line out (which should be equal to the above).
Eric Jack, IT Manager

Author

Commented:
Doh! I had "ou=users" because I assumed it was checking to see what users in the users ou had the sg-barracuda security group. Well, even after changing it as you stated, I still can't get this working. Even Barracuda support seems to be stumped.

In the meantime, I'm "manually" adding any new users by making the filter say (mail=username*) where username is the new person and then it imports just the new user. It works, but it's just one more step to add to my new user process. It would have been nicer for automatic sync.
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
Do one thing:

run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@domain.com)(memberOf=cn=Groupyouwanttoadd,ou=users,dc=company,dc=com))}

and see whether it returns any.

If it does, then at least we confirm the LDAP query is working and it's just Barracuda having issues.
If you did not get anything, then the query has issues and we need to root cause it.
Eric Jack, IT Manager

Author

Commented:
Run that from where?
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
That is a PowerShell script.
You can run it from your machine (if you have the ActiveDirectory module) or from a domain controller.
Eric Jack, IT Manager

Author

Commented:
Um, I must be doing something wrong:

PS C:\Users\ejack-a> run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracu
da,ou=Security,dc=tx,dc=com))}
At line:1 char:102
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=com))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
Remove the "run".

Just:

get-adobject -ldapfilter  ....... 


Eric Jack, IT Manager

Author

Commented:
Okay, I must still have something wrong in the syntax.

PS C:\Users\ejack-a> get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,o
u=Security,dc=tx,dc=local))}
At line:1 char:98
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=local))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument

PS C:\Users\ejack-a>
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
Did you have Active Directory PowerShell imported?

run

import-module activedirectory


Eric Jack, IT Manager

Author

Commented:
Same error even after running the import-module command. Here's an actual screenshot of the PowerShell window. Is it saying the error is the comma after Barracuda? Is this a simple syntax error?

Screenshot_1.png
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
I thought your group is as below?
memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local


Eric Jack, IT Manager

Author

Commented:
No, same exact error even adding the ou=groups to the syntax.
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
Try the following:

get-adobject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com))}



get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}



Do any of the above work?
The command on my end works well, so I am trying to think what could go wrong.
Eric Jack, IT Manager

Author

Commented:
Still not working. Two different errors on each of those. BTW, you had an extra ) on your first command.

PS C:\Users\ejack-a> get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
get-ADObject : The search filter cannot be recognized
At line:1 char:1
+ get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*@comarktv.com)}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADObject

PS C:\Users\ejack-a> get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}
At line:1 char:52
+ get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx, ...
+                                                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument


Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
I missed a (


get-adobject -ldapfilter {(mail=*@comarktv.com)}



also try
get-adobject -ldapfilter "(mail=*@comarktv.com)"



Then tell me what Windows DC you are on, please.
Eric Jack, IT Manager

Author

Commented:
Both of those work. I'm using Windows Server 2012 R2 Standard. So the previous commands must have a syntax error somewhere. I'm just not familiar enough to know what.
Jian An Lim, Solutions Architect
Top Expert 2016

Commented:
I am on the same platform, so it is definitely going to work.


get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*@comarktv.com))}

get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*@comarktv.com))"

try this?

then try this?

get-adobject -ldapfilter "(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)"
Eric Jack, IT Manager

Author

Commented:
Okay, so each of those get commands worked. It seems like there's a problem when you try to combine those different commands into one.
Jian An Lim, Solutions Architect
Top Expert 2016
Commented:
get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*@comarktv.com)(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local))"



Last round. Will this work?

If you want, try to use the memberOf method in Barracuda and see whether it pulls it correctly.
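Most of the failures in this thread were filter syntax (a missing parenthesis, the `{ }` form that PowerShell choked on where a quoted string worked, and a memberOf value that was not the group's real distinguishedName). The validator below, an added example rather than Barracuda or Microsoft code, parses RFC 4515 filter syntax so a filter can be checked before it is pasted into the Barracuda User Filter field or Get-ADObject -LDAPFilter; it also rejects a memberOf value that is not shaped like a full DN, since a wrong DN gives the "0 users updated" result seen above rather than an error.

```python
"""Small RFC 4515 LDAP search-filter checker (added example, not Barracuda or
Microsoft code). Use it to sanity-check a user filter before pasting it into
the Barracuda User Filter field or Get-ADObject -LDAPFilter."""
import re

# item := attr op value ; attr chars per RFC 4512, value may hold '*' wildcards
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(=|>=|<=|~=)(.*)$")
# A memberOf value must be a full distinguished name (cn=...,ou=...,dc=...)
_DN = re.compile(r"^cn=[^,]+(,(cn|ou|dc)=[^,]+)+$", re.IGNORECASE)

def parse_filter(text):
    """Return a nested tuple for a valid filter; raise ValueError otherwise."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return node

def _parse(text, pos):
    # Every filter and sub-filter must be wrapped in its own parentheses.
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        # Compound filter: operator followed by one or more parenthesised operands.
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"operator '{op}' needs operands")
        node = (op, children)
    else:
        # Simple item: attribute, comparison operator, value (no unescaped parens).
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        m = _ITEM.match(text[pos:end])
        if not m or "(" in m.group(3):
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        attr, op, value = m.groups()
        if attr.lower() == "memberof" and not _DN.match(value):
            raise ValueError(f"memberOf needs a full group DN, got {value!r}")
        node = (op, attr, value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"missing ')' at offset {pos}")
    return node, pos + 1

def is_valid(text):
    """True when the filter parses; convenience wrapper around parse_filter."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False
```

Run `parse_filter` on the exact string you intend to paste; the error message points at the offset where the structure breaks, which is what the PowerShell parser errors above were hiding.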
Eric Jack, IT Manager

Author

Commented:
Sorry it has taken so long to respond. That last command works in Powershell. It also seems to work in Barracuda. Sort of.

Barracuda will add in a missing user. But it will not remove a user that is no longer a member of the SG-Barracuda security group. And the Barracuda also removes any linked accounts (in other words, if I add the IT distribution list to my email within Barracuda, it removes it every time the sync is run).

Overall, I think this issue is now a Barracuda support problem. I appreciate the troubleshooting to get the LDAP lookup command working.
Eric Jack, IT Manager

Author

Commented:
After a brief conversation with Barracuda support, I was told that the LDAP sync will never remove users. So that addresses that. And I also learned that since I'm linking the distro groups manually to user accounts within Barracuda, they are getting wiped out during the LDAP sync because those links don't exist in the sync. Makes sense...

Now I just need to figure out how to "link" my distribution groups to a user at the Exchange level so the LDAP sync to Barracuda copies it. Otherwise, the spam reports for emails hitting the distro groups don't reach anyone!
