Set up LDAP Authentication
Mail Assure integrates with LDAP so that your email users can log in to the Mail Assure Control Panel with their existing email credentials (currently supported for Microsoft Active Directory, OpenLDAP and Zimbra). Your users then have a single set of credentials instead of two.
When LDAP authentication is enabled, 2FA still works, but password changes and password recovery are handled by your LDAP server, not by Mail Assure. There is normally no need to add or remove email users in Mail Assure, because they are created automatically once LDAP is active. The one reason to add an email user manually is to block that user from logging in to the Mail Assure Control Panel by setting the user status to inactive.
LDAP support is available only at the Email User level, not at the Admin, Sub-Admin or Domain User levels. For the same reason, and so that the LDAP server can integrate with the Mail Assure Control Panel, the username must be a full email address, e.g. email@example.com, and NOT a bare username such as 'fred'.
Set up LDAP authentication for Email Level users from the Domain Level Control Panel:
- In the Domain Level Control Panel, select Users & Permissions > Manage Email Users.
- Click LDAP authentication at the top of the page to expand the LDAP section, then select the directory type:
  - AD - Windows Active Directory (e.g. Exchange)
  - LDAP - simple LDAP authentication (e.g. Zimbra, OpenLDAP)
- Fill in the settings described below and click Save to apply them.
The Manage Email Users page then shows the LDAP settings. The following settings are available:

| Setting | Description |
|---|---|
| Server | The server hostname and optionally the port, in the form 'server:port'. For example, if your LDAP domain controller is ldap.example.com and accepts connections on port 389 (plain LDAP, which can be upgraded with STARTTLS) or port 636 (LDAPS, encrypted from the start of the connection), enter 'ldap.example.com:636'. The port must be open in your firewall to connections from Mail Assure. |
| Security protocol | The type of security used on the connection, usually None or TLS. Choose TLS: with None, every user's password is sent to the LDAP server in clear text at each login. |
| BaseDN | The starting point of the DNs that contains all the users for this domain. For example, if a user's DN is "CN=test,CN=Users,DC=exchange,DC=example,DC=com", the value for this field should be "CN=Users,DC=exchange,DC=example,DC=com". |
| Bind username (template) | Overrides the bind username that is passed to your server. For example, if your userPrincipalName format is firstname.lastname@example.org, enter %(user)@example.org, where %(user) is the placeholder for the user's name. |
| Search attribute | The LDAP/AD attribute the service looks up at login time and that uniquely identifies your users. For example, if the user logs in as firstname.lastname@example.org and the directory has an attribute such as "sAMAccountName: test", the correct value for this field is sAMAccountName. If there is no such attribute but there is one that includes the domain as well, for example "userPrincipalName: email@example.com", use userPrincipalName=%n, where %n appends the domain name. Other possible values include, but are not limited to, sAMAccountName, CN and uid. |
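To make the settings concrete, here is an added example (written for this page, not Mail Assure's own code) that models how the Server, Security protocol, BaseDN, bind username template and search attribute combine into the bind and the search performed at login, and builds the equivalent ldapsearch command so you can test the settings by hand before enabling them. The expansion of the %(user) and %n placeholders, the treatment of port 636 as LDAPS and of TLS on any other port as STARTTLS, and the sample settings are assumptions. It also escapes the login name according to RFC 4515, because a value taken from the login form must never be spliced into an LDAP filter unescaped.

```python
"""Model of how the LDAP settings combine at login time (added example,
not Mail Assure's code; placeholder semantics and port mapping are assumed)."""
from __future__ import annotations

from dataclasses import dataclass

LDAP_PORT = 389    # plain LDAP, which can be upgraded with STARTTLS
LDAPS_PORT = 636   # LDAP over TLS from the first byte (LDAPS)


@dataclass
class LdapSettings:
    server: str              # "host" or "host:port", as in the Server field
    security: str            # "None" or "TLS", as in the Security protocol field
    base_dn: str             # BaseDN
    search_attr: str         # "sAMAccountName", "uid", or "userPrincipalName=%n"
    bind_template: str = ""  # e.g. "%(user)@example.org"; empty = bind as the login address


def parse_server(server: str) -> tuple[str, int]:
    """Split 'host:port'; the port defaults to 389 when omitted."""
    host, sep, port = server.rpartition(":")
    if not sep:
        return server, LDAP_PORT
    return host, int(port)


# RFC 4515 escaping: the login name comes from the user, so it must never be
# spliced into a filter raw, or "*)(objectClass=*" would match every entry.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def login_lookup(settings: LdapSettings, login: str) -> dict:
    """Return the connection, bind name and search filter for one login attempt."""
    if login.count("@") != 1 or login.startswith("@") or login.endswith("@"):
        raise ValueError("LDAP users must log in with a full email address, not a bare username")
    local, _domain = login.split("@")
    host, port = parse_server(settings.server)
    ldaps = port == LDAPS_PORT
    # Assumption: "TLS" on a port other than 636 means STARTTLS after connecting.
    starttls = settings.security.upper() == "TLS" and not ldaps
    if "=" in settings.search_attr:
        # "attr=%n": %n is replaced with the full login address (assumed semantics)
        attr, pattern = settings.search_attr.split("=", 1)
        value = pattern.replace("%n", login)
    else:
        # bare attribute: matched against the name part of the address
        attr, value = settings.search_attr, local
    # %(user) in the bind template stands for the name part (assumed semantics)
    bind_name = settings.bind_template.replace("%(user)", local) if settings.bind_template else login
    return {
        "url": f"{'ldaps' if ldaps else 'ldap'}://{host}:{port}",
        "starttls": starttls,
        "plaintext": not ldaps and not starttls,   # True = password crosses the wire in clear
        "bind_name": bind_name,
        "base_dn": settings.base_dn,
        "filter": f"({attr}={escape_filter_value(value)})",
    }


def ldapsearch_command(lookup: dict) -> list[str]:
    """Equivalent OpenLDAP ldapsearch(1) invocation for checking the settings
    by hand (-W prompts for the bind password; -ZZ requires StartTLS to succeed)."""
    cmd = ["ldapsearch", "-H", lookup["url"]]
    if lookup["starttls"]:
        cmd.append("-ZZ")
    cmd += ["-D", lookup["bind_name"], "-W", "-b", lookup["base_dn"], lookup["filter"], "dn"]
    return cmd


if __name__ == "__main__":
    import shlex

    # Constructed settings mirroring the examples in the table above, not a real deployment.
    ad = LdapSettings("ldap.example.com:636", "TLS", "CN=Users,DC=exchange,DC=example,DC=com",
                      "sAMAccountName", "%(user)@example.org")
    for login in ("firstname.lastname@example.com", "fred*)(objectClass=*@example.com"):
        info = login_lookup(ad, login)
        print(info["filter"], "plaintext password:", info["plaintext"])
        print(shlex.join(ldapsearch_command(info)))
```

Run the printed ldapsearch command from a host that can reach the directory; if it returns exactly one DN for a known user, the BaseDN and search attribute are right. The second login in the demo shows why escaping matters: without it the filter would become (sAMAccountName=fred*)(objectClass=*), which matches every object under the BaseDN.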
Once LDAP is set up, the first time an email user logs in the system checks the credentials against the LDAP server.
If Mail Assure cannot contact the LDAP server for any reason, it falls back to checking cached local credentials. Keep this in mind when you disable an account or change a password on the LDAP server: while the server is unreachable, the previously cached credentials may still be accepted. To block a user regardless of the LDAP server's state, add the email user in Mail Assure and set the status to inactive.