Kaspersky Secure Mail Gateway can connect to servers of external directory services used by your organization over the LDAP protocol.
A connection to an external directory service via the LDAP protocol enables the Kaspersky Secure Mail Gateway administrator to:
If the organization uses multiple domains, a LDAP connection must be configured for each domain.
Multiple LDAP connections can be configured for a single domain in the external directory service, provided that each LDAP connection has a unique value of the Search base field.
If an LDAP domain uses multiple domain controllers for fault tolerance, it is not necessary to add an extra LDAP connection. The program automatically selects an available domain controller as part of a previously configured connection in accordance with the priorities of SRV records on the DNS server.
After configuring the LDAP server connection, the program automatically synchronizes data with the Active Directory domain controller every 30 minutes. You can configure the synchronization to run on a schedule. If you need to update user account data immediately (for example, after adding a user), you can start the synchronization manually.
Each cluster node synchronizes independently of other nodes. As a result of a successful synchronization, the LDAP cache stores the following information:
The program stores and uses this data until the next synchronization is initiated. If the domain controller is not available, the last received data is used. After deleting the LDAP server connection, all LDAP cache data is deleted.
After a successful synchronization, Kaspersky Secure Mail Gateway checks the LDAP accounts for duplicate data. The following data are checked for duplicates:
For users with duplicate names, protection against Active Directory spoofing is disabled; such users also cannot use personal Backup and personal allow and denylists of sender addresses.
For groups with duplicated names, protection against Active Directory spoofing is disabled.
For contacts with duplicated names, protection against Active Directory spoofing is disabled.
Users with duplicated Kerberos names cannot use personal Backup and personal allow and denylists of sender addresses.
Users with duplicated NTLM names cannot use personal Backup and personal allow and denylists of sender addresses.
Messages intended for duplicated addresses are not placed in users' personal Backup, and personal allow and denylists of sender addresses are not applied to duplicated addresses.
If duplicate data are found in accounts, the cluster node table displays a warning.