You can add a connection to one or several LDAP servers.
To add a connection to an LDAP server:
In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
If the workspace shows the value of the LDAP server connection setting as Not in use, perform the following actions:
Click the LDAP server connection link to open the LDAP server connection window.
In the LDAP server connection list, select Active Directory or generic LDAP.
If you want to limit the server response timeout, select the check box next to the name of the Set a time limit for server timeout setting.
If you have selected the check box next to the name of the Set a time limit for server timeout setting, in the Server timeout in seconds field specify the maximum time in seconds during which a response from the LDAP server must be received.
The default value is 20 seconds.
Click the Apply button.
The LDAP server connection window closes.
Click the Add button in the workspace.
The LDAP server connection wizard window opens.
On the Connection settings tab, in the LDAP server settings section, select one of the following external directory services in the LDAP server list:
Generic LDAP, if you want to add a connection to a server of an LDAP-compatible directory service (such as Red Hat Directory Server).
Active Directory, if you want to add a connection to a Microsoft Active Directory server.
In the LDAP server settings section, in the Server address field type the IP address in IPv4 format or the FQDN name of the LDAP server to which you want to connect.
In the LDAP server settings section, in the Connection port number list specify the port for connecting to the LDAP server.
The LDAP server usually receives inbound connections at port 389 via the TCP or UDP protocol. Port 636 is normally used to connect to an LDAP server via the SSL protocol.
In the LDAP server settings section, in the Connection type list select one of the data encryption options when connecting to the LDAP server:
SSL, if you want to use SSL.
TLS, if you want to use TLS.
No encryption, if you do not want to use data encryption technologies when connecting to the LDAP server.
After the Microsoft update is released (see ADV190023 LDAP Channel Binding and LDAP Signing for details), SSL or TLS encryption will be required when connecting to Active Directory. If you continue to use the No encryption option, the application may experience the following operational issues: no connection to Active Directory; no access to copies of messages in personal storage; errors in the message processing rules.
In the Authentication settings section, in the LDAP server user account name field type the name of the user of the LDAP server who has privileges to read directory records (BindDN). Enter the user name in one of the following formats:
cn=<user name>, ou=<department name> (if required), dc=<domain name>, dc=<parent domain name>, if you want to add a connection to a server of an LDAP-compatible directory service (such as Red Hat Directory Server).
For example, you can enter the following user name: cn=LdapServerUser, dc=example, dc=com, where LdapServerUser is the name of the LDAP server user; example is the domain name of the directory to which the user's account belongs; com is the name of the parent domain in which the directory is located.
cn=<user name>, ou=<unit name> (if required), dc=<domain name>, dc=<parent domain name> or <user name>@<domain name>.<parent domain name> if you want to add a connection to a Microsoft Active Directory server.
For example, you can enter the following user name: LdapServerUser@example.com, where LdapServerUser is the name of the LDAP server user; example.com is the domain name of the directory to which the user's account belongs.
In the Authentication settings section, in the LDAP server user account password field type the LDAP server access password of the user specified in the LDAP server user account name field.
In the Search settings section, in the Search base field type the DN (Distinguished Name) of the directory object beginning with which Kaspersky Secure Mail Gateway will start searching directory records.
Enter the search base in the following format: ou=<department name> (if required), dc=<domain name>, dc=<parent domain name>.
For example, you can enter the following search base: ou=people, dc=example, dc=com, where people is the directory level from which Kaspersky Secure Mail Gateway starts searching for records (the search is run at the people level and lower levels. Objects located above this level are excluded from the search scope); example is the domain name of the directory in which Kaspersky Secure Mail Gateway searches for records; com is the name of the parent domain in which the directory is located.
Click the Check button.
Kaspersky Secure Mail Gateway checks the connection to the LDAP server using the connection and authentication settings you have specified.
Click the Next button.
The Filters tab opens.
In the Set up LDAP filters group of settings, in the User authentication field specify the user authentication filter (for example, to let the user access the user's messages in Backup).
To set the standard values of the user authentication filter, click the Set default values link under the User authentication field.
In the Set up LDAP filters settings group, in the User and group search field, specify the search filter for users or a group of users.
To set the standard values of the user and group search filter, click the Set default values link under the User and group search field.
In the Set up LDAP filters settings group, in the Search for the DN of users and groups using email address field, specify the filter for searching for the DN of users and groups to which they belong based on their email address.
To set standard values for the filter for searching for the DN of users and groups to which they belong based on their email address, click the Set default values link under the Search for the DN of users and groups using email address.
In the Set up LDAP filters group of settings, in the Search for groups by users' DN field configure the filter for searching for groups to which the user belongs based on the user's DN. This filter is used when the user group could not be determined using the filter specified in the Search for the DN of users and groups using email address field.
To set the standard values of the filter for searching for groups to which the user belongs based on the user's DN, click the Set default values link under the Search for groups by users' DN field.
Select the Use recursive search check box to enable a search for LDAP accounts in subgroups.
Click the Finish button.
The LDAP server connection wizard window closes.
The connection to an external directory service that you have added appears in the workspace of the LDAP section of the main window of the application interface.