Contents
- Connecting to an LDAP server
- About the connection to an LDAP server
- Connecting to and disconnecting from an LDAP server
- Adding a connection to an LDAP server
- Deleting a connection to an LDAP server
- Enabling and disabling a connection to an LDAP server
- Configuring the connection to an LDAP server
- Configuring the LDAP server connection filters
Connecting to an LDAP server
This section describes how you can connect Kaspersky Secure Mail Gateway to an LDAP server and configure the LDAP server connection settings and filters.
About the connection to an LDAP server
Kaspersky Secure Mail Gateway can connect via the LDAP protocol to the servers of external directory services used by your organization.
A directory service is a software system that stores information about network resources (such as users) in one place and provides centralized management of that information.
LDAP (Lightweight Directory Access Protocol) is the protocol used to query and read directory services.
A connection to an external directory service via the LDAP protocol enables the Kaspersky Secure Mail Gateway administrator to perform the following tasks:
- Add senders or recipients from an external directory service to message processing rules.
- Create, edit, and view custom black and white lists of addresses of users on the LAN of the organization.
- View Backup copies of messages of users on the LAN of the organization.
Connecting to and disconnecting from an LDAP server
To connect to an LDAP server or disconnect from an LDAP server:
- In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
- Click the LDAP server connection link to open the LDAP server connection window.
- Select one of the following LDAP server connection options:
- Not in use, if you do not want to use an LDAP server with Kaspersky Secure Mail Gateway.
- Active Directory or generic LDAP, if you want to connect to an LDAP server of Microsoft Active Directory or any other LDAP-compatible directory service (such as Red Hat Directory Server).
- If you want to limit how long the application waits for a response from the LDAP server, select the Set a time limit for server timeout check box.
- If you have selected the Set a time limit for server timeout check box, in the Server timeout in seconds field specify the maximum time in seconds within which a response from the LDAP server must be received.
The default value is 20 seconds.
- Click the Apply button.
The LDAP server connection window closes.
Adding a connection to an LDAP server
You can add a connection to one or several LDAP servers.
To add a connection to an LDAP server:
- In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
- If the workspace shows the value of the LDAP server connection setting as Not in use, perform the following actions:
- Click the LDAP server connection link to open the LDAP server connection window.
- In the LDAP server connection list, select Active Directory or generic LDAP.
- If you want to limit how long the application waits for a response from the LDAP server, select the Set a time limit for server timeout check box.
- If you have selected the Set a time limit for server timeout check box, in the Server timeout in seconds field specify the maximum time in seconds within which a response from the LDAP server must be received.
The default value is 20 seconds.
- Click the Apply button.
The LDAP server connection window closes.
- Click the Add button in the workspace.
The LDAP server connection wizard window opens.
- On the Connection settings tab, in the LDAP server settings section, select one of the following external directory services in the LDAP server list:
- Generic LDAP, if you want to add a connection to a server of an LDAP-compatible directory service (such as Red Hat Directory Server).
- Active Directory, if you want to add a connection to a Microsoft Active Directory server.
- In the LDAP server settings section, in the Server address field type the IP address in IPv4 format or the FQDN name of the LDAP server to which you want to connect.
- In the LDAP server settings section, in the Connection port number list specify the port for connecting to the LDAP server.
LDAP servers usually accept connections on TCP port 389, which carries either unencrypted LDAP or a session upgraded to TLS with STARTTLS. Port 636 is normally used for LDAPS, where the connection is encrypted with SSL/TLS from the start. Make sure the port matches the Connection type you select in the next step.
- In the LDAP server settings section, in the Connection type list select how the connection to the LDAP server is encrypted:
- SSL, if you want the connection encrypted from the start (LDAPS, normally on port 636).
- TLS, if you want to use TLS; on the standard port 389 this is a STARTTLS upgrade of the session.
- No encryption, if you do not want to encrypt the connection to the LDAP server. With this option the LDAP traffic, including the user account name and password from the Authentication settings section, crosses the network in cleartext, and any host on the path can capture and reuse those credentials.
If LDAP signing is enforced on your domain controllers (see Microsoft advisory ADV190023, LDAP Channel Binding and LDAP Signing), Active Directory rejects simple binds over unencrypted connections, so the SSL or TLS option is required. If you keep the No encryption option, the application may experience the following operational issues: no connection to Active Directory, no access to copies of messages in personal storage, and errors in the message processing rules.
- In the Authentication settings section, in the LDAP server user account name field type the name of the LDAP server user who has privileges to read directory records (BindDN). Use a dedicated account with read-only rights to the directory, since the application only needs to search and read records. Enter the user name in one of the following formats:
- For a server of an LDAP-compatible directory service (such as Red Hat Directory Server): cn=<user name>, ou=<department name> (if required), dc=<domain name>, dc=<parent domain name>. For example, cn=LdapServerUser, dc=example, dc=com, where LdapServerUser is the name of the LDAP server user, example is the domain name of the directory to which the user's account belongs, and com is the name of the parent domain in which the directory is located.
- For a Microsoft Active Directory server: cn=<user name>, ou=<unit name> (if required), dc=<domain name>, dc=<parent domain name>, or <user name>@<domain name>.<parent domain name>. For example, LdapServerUser@example.com, where LdapServerUser is the name of the LDAP server user and example.com is the domain name of the directory to which the user's account belongs.
- In the Authentication settings section, in the LDAP server user account password field type the LDAP server access password of the user specified in the LDAP server user account name field.
- In the Search settings section, in the Search base field type the DN (Distinguished Name) of the directory object from which Kaspersky Secure Mail Gateway starts searching directory records.
Enter the search base in the following format: ou=<department name> (if required), dc=<domain name>, dc=<parent domain name>. For example, ou=people, dc=example, dc=com, where people is the directory level from which Kaspersky Secure Mail Gateway starts searching for records (the search covers the people level and the levels below it; objects above this level are excluded from the search scope), example is the domain name of the directory in which Kaspersky Secure Mail Gateway searches for records, and com is the name of the parent domain in which the directory is located.
- Click the Check button.
Kaspersky Secure Mail Gateway checks the connection to the LDAP server using the connection and authentication settings you have specified.
- Click the Next button.
The Filters tab opens.
- In the Set up LDAP filters group of settings, in the User authentication field specify the filter used to authenticate a user against the directory (for example, when the user logs in to the web interface to view their own messages in Backup).
- To set the standard values of the user authentication filter, click the Set default values link under the User authentication field.
- In the Set up LDAP filters settings group, in the User and group search field, specify the search filter for users or a group of users.
- To set the standard values of the user and group search filter, click the Set default values link under the User and group search field.
- In the Set up LDAP filters settings group, in the Search for the DN of users and groups using email address field, specify the filter for searching for the DN of users and groups to which they belong based on their email address.
- To set standard values for the filter for searching for the DN of users and groups to which they belong based on their email address, click the Set default values link under the Search for the DN of users and groups using email address.
- In the Set up LDAP filters group of settings, in the Search for groups by users' DN field configure the filter for searching for groups to which the user belongs based on the user's DN. This filter is used when the user group could not be determined using the filter specified in the Search for the DN of users and groups using email address field.
- To set the standard values of the filter for searching for groups to which the user belongs based on the user's DN, click the Set default values link under the Search for groups by users' DN field.
- Select the Use recursive search check box to also search for LDAP accounts in nested groups (groups that are members of the groups found by the filters above).
- Click the Finish button.
The LDAP server connection wizard window closes.
The connection to an external directory service that you have added appears in the workspace of the LDAP section of the main window of the application interface.
Deleting a connection to an LDAP server
You can delete a connection to one or several LDAP servers.
To delete a connection to an LDAP server:
- In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
- In the lower part of the workspace, select the check box next to the address of the LDAP server that you want to remove.
- Click the Delete button.
The Delete action confirmation window opens.
- Click the Yes button.
The Delete window closes.
The connection to the LDAP server is deleted.
Enabling and disabling a connection to an LDAP server
You can enable or disable the connection to one or several LDAP servers.
To enable or disable usage of the connection to an LDAP server:
- In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
- In the lower part of the workspace, do one of the following:
- Flip on the toggle switch next to the address of the LDAP server the connection to which you want to enable.
- Flip off the toggle switch next to the address of the LDAP server the connection to which you want to disable.
Configuring the connection to an LDAP server
To configure the LDAP server connection settings:
- In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
- In the lower part of the workspace, select the LDAP server the connection to which you want to configure.
- In the LDAP Server Connection Settings group of settings for the selected server, click any link to open the LDAP Server Connection Settings window.
- In the LDAP server settings group, in the LDAP server list, select the type of the external directory service:
- Generic LDAP, for a server of an LDAP-compatible directory service (such as Red Hat Directory Server).
- Active Directory, for a Microsoft Active Directory server.
- In the LDAP server settings section, in the Server address field type the IP address in IPv4 format or the FQDN name of the LDAP server to which you want to connect.
- In the LDAP server settings section, in the Connection port number list specify the port for connecting to the LDAP server.
LDAP servers usually accept connections on TCP port 389, which carries either unencrypted LDAP or a session upgraded to TLS with STARTTLS. Port 636 is normally used for LDAPS, where the connection is encrypted with SSL/TLS from the start. Make sure the port matches the Connection type you select in the next step.
- In the LDAP server settings section, in the Connection type list select how the connection to the LDAP server is encrypted:
- SSL, if you want the connection encrypted from the start (LDAPS, normally on port 636).
- TLS, if you want to use TLS; on the standard port 389 this is a STARTTLS upgrade of the session.
- No encryption, if you do not want to encrypt the connection to the LDAP server. With this option the LDAP traffic, including the user account name and password from the Authentication settings section, crosses the network in cleartext, and any host on the path can capture and reuse those credentials.
If LDAP signing is enforced on your domain controllers (see Microsoft advisory ADV190023, LDAP Channel Binding and LDAP Signing), Active Directory rejects simple binds over unencrypted connections, so the SSL or TLS option is required. If you keep the No encryption option, the application may experience the following operational issues: no connection to Active Directory, no access to copies of messages in personal storage, and errors in the message processing rules.
- In the Authentication settings section, in the LDAP server user account name field type the name of the LDAP server user who has privileges to read directory records (BindDN). Use a dedicated account with read-only rights to the directory, since the application only needs to search and read records. Enter the user name in one of the following formats:
- For a server of an LDAP-compatible directory service (such as Red Hat Directory Server): cn=<user name>, ou=<department name> (if required), dc=<domain name>, dc=<parent domain name>. For example, cn=LdapServerUser, dc=example, dc=com, where LdapServerUser is the name of the LDAP server user, example is the domain name of the directory to which the user's account belongs, and com is the name of the parent domain in which the directory is located.
- For a Microsoft Active Directory server: cn=<user name>, ou=<unit name> (if required), dc=<domain name>, dc=<parent domain name>, or <user name>@<domain name>.<parent domain name>. For example, LdapServerUser@example.com, where LdapServerUser is the name of the LDAP server user and example.com is the domain name of the directory to which the user's account belongs.
- In the Authentication settings section, in the LDAP server user account password field type the LDAP server access password of the user specified in the LDAP server user account name field.
- In the Search settings section, in the Search base field type the DN (Distinguished Name) of the directory object from which Kaspersky Secure Mail Gateway starts searching directory records.
Enter the search base in the following format: ou=<department name> (if required), dc=<domain name>, dc=<parent domain name>. For example, ou=people, dc=example, dc=com, where people is the directory level from which Kaspersky Secure Mail Gateway starts searching for records (the search covers the people level and the levels below it; objects above this level are excluded from the search scope), example is the domain name of the directory in which Kaspersky Secure Mail Gateway searches for records, and com is the name of the parent domain in which the directory is located.
- Click the Check button.
Kaspersky Secure Mail Gateway checks the connection to the LDAP server using the connection and authentication settings you have specified.
- Click the Apply button.
The LDAP Server Connection Settings window closes.
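What the No encryption option actually puts on the wire, as an added example (this is not part of the original documentation and not the product's own code): the script below hand-encodes an LDAPv3 simple BindRequest (RFC 4511, BER encoding per X.690) for the bind account from the example above, then parses it back the way a passive observer on an unencrypted session would. SAMPLE_BIND_DN, SAMPLE_PASSWORD and the message ID are constructed sample values. The SSL and TLS options send exactly the same message, but inside a TLS session.

```python
# Added example, not part of the product or its documentation: hand-encode an
# LDAPv3 simple BindRequest (RFC 4511, BER per X.690) to show what the
# "No encryption" connection type sends. All sample values are constructed.

SAMPLE_BIND_DN = "cn=LdapServerUser,dc=example,dc=com"   # the page's example account
SAMPLE_PASSWORD = "S3cret-Sample!"                         # constructed, not a real secret


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N followed by N octets) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = max(1, (n.bit_length() + 8) // 8)
    return _tlv(0x02, n.to_bytes(length, "big", signed=True))


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
                                                authentication CHOICE { simple [0] OCTET STRING } }"""
    bind_request = (
        _ber_int(3)                               # version 3
        + _tlv(0x04, bind_dn.encode("utf-8"))     # name: the BindDN as an OCTET STRING
        + _tlv(0x80, password.encode("utf-8"))    # simple [0]: the password, unprotected
    )
    protocol_op = _tlv(0x60, bind_request)        # [APPLICATION 0], constructed
    return _tlv(0x30, _ber_int(message_id) + protocol_op)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet: bytes) -> dict:
    """Recover message ID, DN and password from a raw BindRequest, exactly as a
    passive observer on an unencrypted LDAP session can."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL binds use tag 0xA3)")
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "bind_dn": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }


def password_exposed(message_id: int, bind_dn: str, password: str) -> bool:
    """True when the password bytes appear verbatim in the encoded request."""
    return password.encode("utf-8") in build_simple_bind(message_id, bind_dn, password)


if __name__ == "__main__":
    pkt = build_simple_bind(1, SAMPLE_BIND_DN, SAMPLE_PASSWORD)
    print(pkt.hex())
    print(parse_simple_bind(pkt))
    print("password visible on the wire:", password_exposed(1, SAMPLE_BIND_DN, SAMPLE_PASSWORD))
```

A domain controller with LDAP signing enforced answers this request with a BindResponse whose resultCode is strongAuthRequired (8) rather than success, which is the failure behind the operational issues listed above; the password has nevertheless already been sent. To verify the encrypted options independently of the Check button, query the same server with OpenLDAP's ldapsearch using an ldaps:// URI for the SSL option or the -ZZ switch (mandatory STARTTLS) for the TLS option: the bind is the same BindRequest, but carried inside the TLS session.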
Configuring the LDAP server connection filters
To configure the LDAP server connection filters:
- In the main window of the application web interface, open the management console tree and select the Settings section and LDAP subsection.
- In the lower part of the workspace, select the LDAP server the filters of the connection to which you want to configure.
- In the LDAP Filter Settings group of settings for the selected server, click any link to open the LDAP Filter Settings window.
- In the Set up LDAP filters group of settings, in the User authentication field specify the filter used to authenticate a user against the directory (for example, when the user logs in to the web interface to view their own messages in Backup).
- To set the standard values of the user authentication filter, click the Set default values link under the User authentication field.
- In the Set up LDAP filters settings group, in the User and group search field, specify the search filter for users or a group of users.
- To set the standard values of the user and group search filter, click the Set default values link under the User and group search field.
- In the Set up LDAP filters settings group, in the Search for the DN of users and groups using email address field, specify the filter for searching for the DN of users and groups to which they belong based on their email address.
- To set standard values for the filter for searching for the DN of users and groups to which they belong based on their email address, click the Set default values link under the Search for the DN of users and groups using email address.
- In the Set up LDAP filters group of settings, in the Search for groups by users' DN field configure the filter for searching for groups to which the user belongs based on the user's DN. This filter is used when the user group could not be determined using the filter specified in the Search for the DN of users and groups using email address field.
- To set the standard values of the filter for searching for groups to which the user belongs based on the user's DN, click the Set default values link under the Search for groups by users' DN field.
- Select the Use recursive search check box to also search for LDAP accounts in nested groups (groups that are members of the groups found by the filters above).
- Click the OK button.
The LDAP Filter Settings window closes.
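The filters configured on the Filters tab of the connection wizard and in the LDAP Filter Settings window take their values from outside the filter text: the address of a message sender or recipient, the DN returned by the previous lookup, and, for the User authentication filter, whatever a user types when logging in to view Backup messages. The following is an added example, not the product's own filter handling and not its default filter values, showing why every substituted value must be escaped per RFC 4515 before it is placed into a filter. The templates EMAIL_TO_DN_TEMPLATE and GROUPS_BY_DN_TEMPLATE, the placeholders %m and %d, and the sample address and DN are all constructed for illustration.

```python
# Added example, not the product's own filter code: substitute an email address
# or a DN into an LDAP search filter with RFC 4515 escaping, and parse the result
# to show how unescaped input changes the query. Templates and data are constructed.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed templates in the spirit of the page's filters; %m is the email
# address being looked up and %d the user's DN. Not KSMG's default values.
EMAIL_TO_DN_TEMPLATE = "(&(objectClass=person)(mail=%m))"
GROUPS_BY_DN_TEMPLATE = "(&(objectClass=group)(member=%d))"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it matches literally and cannot open or close filter components."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template: str, placeholder: str, value: str) -> str:
    """Naive substitution: the value is spliced in as filter syntax."""
    return template.replace(placeholder, value)


def build_filter(template: str, placeholder: str, value: str) -> str:
    """Safe substitution: the value can only ever be an assertion value."""
    return template.replace(placeholder, escape_filter_value(value))


def parse_filter(text: str):
    """Minimal RFC 4515 parser. Returns ('&'|'|'|'!', [children]) or ('=', attr, value)
    and raises ValueError on malformed input. Escaped values are kept as written."""
    def parse(pos: int):
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, pos, items = text[pos], pos + 1, []
            while text[pos] == "(":
                node, pos = parse(pos)
                items.append(node)
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            return (op, items), pos + 1
        if text[pos] == "!":
            node, pos = parse(pos + 1)
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            return ("!", [node]), pos + 1
        end = text.index(")", pos)            # a literal ')' never occurs inside an escaped value
        attr, _, value = text[pos:end].partition("=")
        return ("=", attr, value), end + 1

    try:
        node, pos = parse(0)
    except (IndexError, ValueError) as exc:
        raise ValueError(f"malformed filter {text!r}: {exc}") from None
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node


def assertion_count(filter_text: str) -> int:
    """Number of attribute assertions in a filter, at any depth."""
    def walk(node) -> int:
        return 1 if node[0] == "=" else sum(walk(child) for child in node[1])
    return walk(parse_filter(filter_text))


if __name__ == "__main__":
    # A login name or address typed into the web interface is attacker-controlled.
    injected = "*)(objectClass=*"
    print(build_filter_unsafe(EMAIL_TO_DN_TEMPLATE, "%m", injected))   # three assertions; mail=* matches anyone
    print(build_filter(EMAIL_TO_DN_TEMPLATE, "%m", injected))          # two assertions; literal match only
    # A DN containing parentheses breaks an unescaped member= filter and parses cleanly when escaped.
    dn = "cn=Alice (Sales),ou=people,dc=example,dc=com"
    print(build_filter(GROUPS_BY_DN_TEMPLATE, "%d", dn))
```

When you write a custom filter instead of using the Set default values link, keep the substituted placeholder inside a single assertion value, never as an attribute name or as a whole filter component, and test the connection against directory entries whose mail attribute or DN contains the characters *, ( and ) so that both the lookup and the group resolution still return the expected records.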