Introduction
This document describes how to enable the Lightweight Directory Access Protocol (LDAP) Chained query option in the Email Security Appliance.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Two (2) or more LDAP profiles are already configured in the Email Security Appliance (ESA). This example uses Domain_A and Domain_B as the profiles.
- An active query in the LDAP profiles (this example uses the Accept query).
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The LDAP Chained Query is a feature in the Cisco Email Security Appliance that allows administrators to perform directory lookups across multiple LDAP servers. With this feature, administrators can configure multiple LDAP profiles if a specific domain is hosted on multiple servers. If one server fails or the ESA is unable to retrieve a result for the query, the appliance automatically switches to the next server until a final answer is provided.
Procedure
1. Log in to the Cisco Email Security Appliance with your administrative credentials.
2. Navigate to the LDAP settings page under the System Administration menu.
3. Click Advanced.
4. Click Add Chained Query.
5. Specify a name for the chained query, choose the query type to be used, and add the LDAP profiles from the drop-down menus. Then click Submit.
Note: In this section, you can configure a specific order for the profile lookup.
6. Navigate to the Listeners settings in the Network tab.
7. Choose a listener to enable the chained query and scroll down to LDAP Queries.
8. Expand the LDAP queries option, then expand the Accept option, and choose the chained query that was previously created.
9. Click Submit and commit the changes.
Verify
With this configuration, the Email Security Appliance validates recipient addresses with the Accept query of both LDAP profiles. It queries the Domain_A profile first; if that lookup returns no result, it moves on to the next profile in the configured order, in this case Domain_B.
To verify that the LDAP chained query works correctly on the Cisco Email Security Appliance, complete these steps:
1. Log in to the Cisco Email Security Appliance with an administrator account.
2. Navigate to the LDAP Configuration page under the System Administration tab.
3. Click Test Server(s) for each server in the chain in order to verify that every LDAP server used by the chained query responds properly.
4. Open the Chained query that is to be tested.
5. Click Test Query and test with an email recipient that is hosted in the second profile, so that the appliance queries the first profile, gets no result there, and then queries the second profile.
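To make the fallback order described in Background Information and exercised by the Verify steps concrete, the following is an added example (not Cisco code and not part of this document) that models the chain in Python with an in-memory stand-in for the two profiles; the directory contents, the `LdapProfileDown` exception and the function names are constructed for the illustration.

```python
"""Model of the ESA LDAP chained-query fallback described above.

Constructed example: an in-memory stand-in for two LDAP profiles
(Domain_A, Domain_B), each answering an Accept query.  A profile
whose server is unreachable raises; the chain moves on from it in
the same way as from a profile that simply returns no match.
"""
from typing import Callable, List, Optional, Tuple


class LdapProfileDown(Exception):
    """Raised when a profile's LDAP server cannot be queried (hypothetical)."""


# Constructed directory contents for the example, keyed by profile name.
DIRECTORY = {
    "Domain_A": {"alice@example.com", "bob@example.com"},
    "Domain_B": {"carol@example.com"},
}


def make_accept_query(profile: str, reachable: bool = True) -> Callable[[str], bool]:
    """Return a callable that behaves like the profile's Accept query."""
    def query(recipient: str) -> bool:
        if not reachable:
            raise LdapProfileDown(profile)
        return recipient.lower() in DIRECTORY.get(profile, set())
    return query


def chained_accept(chain: List[Tuple[str, Callable[[str], bool]]],
                   recipient: str) -> Tuple[Optional[str], List[str]]:
    """Walk the profiles in configured order and stop at the first match.

    Returns (matching profile or None, trace of what each profile answered).
    """
    trace: List[str] = []
    for name, query in chain:
        try:
            if query(recipient):
                trace.append(f"{name}: match")
                return name, trace
            trace.append(f"{name}: no result")
        except LdapProfileDown:
            trace.append(f"{name}: server unreachable, trying next profile")
    return None, trace


def build_chain(order=("Domain_A", "Domain_B"), down=()):
    """Build the ordered chain; profiles listed in `down` are unreachable."""
    return [(p, make_accept_query(p, reachable=p not in down)) for p in order]


if __name__ == "__main__":
    # Mirrors Verify step 5: a recipient hosted in the second profile.
    print(chained_accept(build_chain(), "carol@example.com"))
```

Running it prints the trace `Domain_A: no result` followed by `Domain_B: match`, which is the sequence Verify step 5 expects to see for a recipient hosted in the second profile.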
Related Information