Configuring user query options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles”.
1. Go to Profile > LDAP.
2. Click New to create a new profile or double click on an existing profile to edit it.
3. Click the arrow to expand User Query Options section.
4. Configure the query to retrieve the distinguished names (DN) of user objects by their email addresses.
GUI item: Description

Schema (dropdown list): Select a schema style from the Schema list, then edit the resulting query as desired. Or select User Defined and write your own query.

User query: Enter an LDAP query filter that selects the set of user objects in the LDAP directory.
The query string filters the result set. Base it on attributes that are common to all user objects but that also exclude non-user objects. For details, see "LDAP user query example".
For details on query syntax, refer to any standard LDAP query filter reference manual.

Scope: Select the depth to query, starting from the Base DN.
One level: Query only the one level directly below the Base DN in the LDAP directory tree.
Subtree: Query recursively all levels below the Base DN in the LDAP directory tree.

Derefer: Select the method to use, if any, when dereferencing aliases, that is, attributes whose values are references to other entries.
Never: Do not dereference.
Always: Always dereference.
Search: Dereference only when searching.
Find: Dereference only when finding the base search object.
LDAP user query example
For example, if user objects in your directory have two distinguishing characteristics, their objectClass and mail attributes, the query filter might be:
(& (objectClass=inetOrgPerson) (mail=$m))
where $m is the FortiMail variable for a user's email address.
If the email address ($m) as it appears in the message header is different from the user's email address as it appears in the LDAP directory, such as when you have enabled recipient tagging, a query for the user by the email address ($m) may fail. In this case, you can modify the query filter to subtract prepended or appended text from the user name portion of the email address before performing the LDAP query. For example, to subtract -spam from the end of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=inetOrgPerson) (mail=$m${-spam}))
where ${-spam} is the FortiMail variable for the tag to remove before performing the query. Similarly, to subtract spam- from the beginning of the user name portion of the recipient email address, you could use the query filter:
(& (objectClass=inetOrgPerson) (mail=$m${^spam-}))
where ${^spam-} is the FortiMail variable for the tag to remove before performing the query.
For some schemas, such as Microsoft Active Directory-style schemas, this query retrieves both the user's primary email address and the user's alias email addresses. If your schema style is different, you may also want to configure User Alias Options to resolve aliases. For details, see "Configuring user alias options".
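The following is an added worked example, not FortiMail code, that expands a user query template the way the examples above describe: $m is replaced by the recipient address, ${text} strips text from the end of the user name portion, and ${^text} strips text from the beginning. That reading of the variable syntax is an assumption drawn from the examples on this page. The example also escapes the substituted address per RFC 4515 before it enters the filter; the page does not describe how FortiMail itself handles filter metacharacters in $m, so the escaping is an added check, not a description of the product.

```python
"""Expand a FortiMail-style LDAP user query template (added example).

Assumptions, not taken from the FortiMail documentation:
  - $m is replaced by the recipient email address;
  - ${text} strips "text" from the end of the user-name (local) part;
  - ${^text} strips "text" from the beginning of the local part;
  - the substituted value is escaped per RFC 4515 before use in the filter.
"""
import re

# Matches $m followed by zero or more ${...} modifiers, e.g. "$m${-spam}".
_VARIABLE_RE = re.compile(r"\$m((?:\$\{[^}]*\})*)")
_MODIFIER_RE = re.compile(r"\$\{([^}]*)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without escaping, a recipient address such as "*@example.com" would turn
    (mail=$m) into a wildcard match and select every user object that has a
    mail attribute ending in "@example.com".
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def strip_tag(email: str, tag: str, at_start: bool) -> str:
    """Remove a recipient tag from the local part of an address, if present.

    Only the user-name portion is touched; the domain is left as-is.
    """
    if not tag:
        return email
    local, sep, domain = email.partition("@")
    if at_start and local.startswith(tag):
        local = local[len(tag):]
    elif not at_start and local.endswith(tag):
        local = local[:-len(tag)]
    return local + sep + domain


def expand_user_query(template: str, recipient: str) -> str:
    """Replace every $m (plus its ${...} modifiers) in the filter template."""

    def substitute(match: re.Match) -> str:
        address = recipient
        for mod in _MODIFIER_RE.findall(match.group(1)):
            if mod.startswith("^"):
                address = strip_tag(address, mod[1:], at_start=True)
            else:
                address = strip_tag(address, mod, at_start=False)
        return escape_filter_value(address)

    return _VARIABLE_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample inputs (templates from this page, made-up recipients).
    cases = [
        ("(& (objectClass=inetOrgPerson) (mail=$m))", "alice@example.com"),
        ("(& (objectClass=inetOrgPerson) (mail=$m${-spam}))", "alice-spam@example.com"),
        ("(& (objectClass=inetOrgPerson) (mail=$m${^spam-}))", "spam-alice@example.com"),
        # A recipient carrying filter metacharacters is neutralised by escaping.
        ("(& (objectClass=inetOrgPerson) (mail=$m))", "*)(objectClass=*@example.com"),
    ]
    for tmpl, rcpt in cases:
        print(f"{rcpt!r:32} -> {expand_user_query(tmpl, rcpt)}")
```

To verify that an expanded filter matches exactly one entry in your directory, run it through OpenLDAP's ldapsearch before saving the profile: `-s one` and `-s sub` correspond to the One level and Subtree settings under Scope, and `-a never`, `-a always`, `-a search` and `-a find` correspond to the Derefer options. A filter that returns several entries, or none, for a known address is the usual sign that the tag modifiers or the Base DN are wrong.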