Testing LDAP profile queries
After you have created an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiMail unit can connect to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.
When testing a query in an LDAP profile, you may encounter error messages that indicate failure of the query and how to fix the problem.
 
Table 51: Possible failure messages from LDAP query tests

Failure message: Empty input
Meaning and solution: The query cannot be performed until you provide the information required by the query.

Failure message: Failed to bind with bind DN and password
Meaning and solution: The FortiMail unit successfully connected to the LDAP server, but could not authenticate in order to perform the query. If the server permits anonymous queries, the Bind DN and Bind password you specified in the User Query Options section should be blank. Otherwise, you must enter a valid bind DN and its password.

Failure message: Unable to found user DN that matches mail address
Meaning and solution: The FortiMail unit successfully connected to the LDAP server and, if configured, bound, but could not find a user whose email address attribute matched that value. The user may not exist on the LDAP server in the Base DN and using the query filter you specified in User Query Options, or the value of the user's email address attribute does not match the value that you supplied in Mail address.

Failure message: Unable to find LDAP group for user
Meaning and solution: The FortiMail unit successfully located a user with that email address, but their group membership attribute did not match your supplied value. The group membership attribute you specified in Group Query Options may not exist, or the value of the group membership attribute may not match the value that you supplied in Group DN. If the value does not match, verify that you have supplied the Group DN according to the syntax expected by both your LDAP server and your configuration of Group Query Options.

Failure message: Failed to bind
Meaning and solution: The FortiMail unit successfully located a user with that email address, but the user's bind failed and the FortiMail unit was unable to authenticate the user. Binding may fail if the value of the user's password attribute does not match the value that you supplied in Old password. If this error message appears when testing Change Password, it also implies that the query failed to change the password.

Failure message: Unable to find mail alias
Meaning and solution: The FortiMail unit was unable to find the email alias. The email address alias may not exist on the LDAP server in the Base DN and using the query filter you specified in User Alias Options, or the value of the alias's email address attribute does not match the value that you supplied in Mail address.
To verify user query options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose User Query Options section query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select User.
5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
6. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record.
To verify group query options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose Group Query Options section query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query. The fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in the Group Query Options section.
4. From Select query type, select Group.
5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.
6. Either the Group DN or Group Name field appears. If Group DN appears, enter the value of the user’s group membership attribute. If Group Name appears, enter only the group name portion of the value of the user’s group membership attribute.
For example, a Group DN entry with valid syntax could be any of the following:
10000
admins
cn=admins,ou=People,dc=example,dc=com
A Group Name entry with valid syntax, however, would be admins only.
Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.
7. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the group to which the user belongs.
To verify group query options group owner
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose Group Query Options group owner query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query. Fields displayed in the window vary by whether or not Use group name with base DN as group DN is enabled in Group Query Options.
4. From Select query type, select Group Owner.
5. Either the Group DN or Group Name field appears. If Group DN appears, enter the distinguished name of the group object. If Group Name appears, enter only the group name portion of the distinguished name of the group object.
For example, a Group DN entry with valid syntax would be cn=admins,ou=People,dc=example,dc=com, but a Group Name entry with valid syntax would be admins.
Valid syntax varies by your LDAP server’s schema and by whether Use group name with base DN as group DN is enabled, but is identical to what you should enter when using this LDAP profile and entering the group name elsewhere in the FortiMail configuration, such as for a recipient-based policy.
6. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the group record and find the group owner and their email address.
To verify user authentication options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select Authentication.
5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
6. In Password, enter the current password for that user.
7. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, or binding to authenticate the user.
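The failure messages in Table 51 and the User, Group and Authentication tests above correspond to a fixed sequence of LDAP operations: bind with the profile's Bind DN, search the Base DN for the mail address, compare the group membership attribute, then bind as the user. The script below is an added example (not FortiMail's own code) that replays those stages with the OpenLDAP command-line tools so a failing stage can be isolated outside the appliance; the server URI, DNs, attribute names and password are assumed placeholders.

```shell
#!/bin/sh
# Replay the stages of a FortiMail LDAP profile test with ldapsearch/ldapwhoami.
# All values below are assumptions; set them from your own LDAP profile.
LDAP_URI="ldap://ldap.example.com"                  # assumed server
BASE_DN="ou=People,dc=example,dc=com"               # assumed profile Base DN
BIND_DN="cn=fortimail,ou=Service,dc=example,dc=com" # assumed profile Bind DN
BIND_PW="${BIND_PW:-changeme}"                      # assumed; export BIND_PW instead
MAIL_ATTR="mail"                                    # assumed email address attribute
GROUP_ATTR="memberOf"                               # assumed group membership attribute

# Escape a value for an LDAP search filter (RFC 4515): backslash first, then the
# filter metacharacters, so a supplied address cannot change the filter's shape.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter the User Query Options effectively run for a mail address.
user_filter() { printf '(%s=%s)' "$MAIL_ATTR" "$(ldap_escape "$1")"; }

# Stage 1: connect and bind with the profile's Bind DN
# ("Failed to bind with bind DN and password"). Use -D '' -w '' for anonymous profiles.
stage_bind() { ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" >/dev/null; }

# Stage 2: find the user DN by mail address ("Unable to found user DN that matches mail address").
stage_find_user() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$BASE_DN" "$(user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# Stage 3: compare the membership attribute with the Group DN you would type into
# the test window ("Unable to find LDAP group for user").
stage_group() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$1" -s base "(objectClass=*)" "$GROUP_ATTR" | grep -Fxq "$GROUP_ATTR: $2"
}

# Stage 4: bind as the located user with the supplied password ("Failed to bind").
stage_user_bind() { ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "$2" >/dev/null; }

run_test() {  # run_test <mail address> <group DN> [user password]
  stage_bind || { echo "FAIL: bind with Bind DN $BIND_DN"; return 1; }
  dn=$(stage_find_user "$1"); [ -n "$dn" ] || { echo "FAIL: no user DN for $1"; return 2; }
  stage_group "$dn" "$2" || { echo "FAIL: $GROUP_ATTR of $dn does not contain $2"; return 3; }
  [ -z "$3" ] || stage_user_bind "$dn" "$3" || { echo "FAIL: user bind as $dn"; return 4; }
  echo "OK: $dn"
}

# Only contact the server when arguments are given, e.g.:
#   BIND_PW=... sh ldap_profile_test.sh test@example.com cn=admins,ou=People,dc=example,dc=com
if [ $# -ge 2 ]; then run_test "$@"; fi
```

The return code tells you which stage failed, which is the same distinction the test window draws between connecting, binding, locating the user and matching the group.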
To verify user alias options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose User Alias Options query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select Alias.
5. In Email address, enter the email address alias of a user on the LDAP server, such as test-alias@example.com.
6. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the alias record, or binding to authenticate the user.
To verify Mail Routing Options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose Mail Routing Options query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select Mail Routing.
5. In Mail address, enter the email address of a user on the LDAP server, such as test@example.com.
6. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the mail host and mail routing address for that user.
To verify Scan Override options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose Scan Override Options (antispam, antivirus, and content profile preference) query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select Scan Override.
5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.
6. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the antispam and antivirus processing preferences for that user.
To verify address mapping options
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose Address Mapping Options query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select Address Mapping.
5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.
6. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record and find the internal and external email addresses for that user.
To verify the webmail password change query
1. Go to Profile > LDAP > LDAP.
2. Double-click the LDAP profile whose webmail password change query you want to test.
3. Click Test LDAP Query.
A pop-up window appears allowing you to test the query.
4. From Select query type, select Change Password.
5. In Email address, enter the email address of a user on the LDAP server, such as test@example.com.
 
Only use an email account whose password it is acceptable to change, and make note of the new password. Verifying the Webmail Password Options query configuration performs a real password change, and does not restore the previous password after the query has been verified.
6. In Password, enter the current password for that user.
7. In New Password, enter the new password for that user.
8. Click Test.
The FortiMail unit performs the query, and displays either success or failure for each operation in the query, such as the search to locate the user record, binding to authenticate the password change, and the password change operation itself.