FortiMail
iyotov
Staff
Article Id 193534
Description
This article explains how to allow users to log in to their personal quarantine with their Active Directory credentials using LDAP.

Scope
The example is shown using FortiMail 5.1.6 but is also valid for 5.2.x and 5.3.x.

Solution
1.  Create LDAP profile in FortiMail.

-    Go to Profile > LDAP > New
-    Set profile name
-    Set server IP and port number
-    Expand the “User Query Options”
-    Set Schema: Active Directory
-    Set the Base DN (in this example the domain is “tri.ton”)
-    Set the Bind DN and password.  This is a service account in AD that can bind and read user information
-    Under “User Authentication Options” select “Search user and try bind DN”
-    Click the “Create” button


2.  Edit the newly created LDAP profile and test.

-    Open the profile for editing
-    Click [Test LDAP Query]
-    From the “Select query type” drop-down menu, choose “Authentication”
-    Type the test user’s email address and password
-    Click test
-    If everything is OK, the result should be “Bind successful”


If there is a problem with the user credentials, the response will be “Failed to bind”.  If the LDAP server settings (IP/port) are incorrect, the error will be “Connection failure”.

3.  Apply the LDAP profile in a recipient policy.

-    Go to Policy > Policies > New (or Edit)
-    Expand “Authentication and Access”
-    Select “Authentication type” LDAP
-    Select the LDAP profile
-    Enable the access options that are required
-    Click “Create”/OK


Note that when a WebMail user tries to log in, only the first policy with a matching "Recipient Pattern" is applied.  If there are multiple recipient policies whose "Recipient Pattern" may match the login "user@domain" combination, the authentication options need to be configured in all of them.
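The first-match behaviour described above can be checked offline against a list of recipient policies. The following is an added example, not FortiMail code: the policy dictionaries, their field names, the profile name "AD-triton" and the wildcard semantics (case-insensitive `*` and `?`) are assumptions made for illustration, and the sample data is constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample: hypothetical recipient policies in evaluation order
# (top of the list is evaluated first). Field names are assumptions.
POLICIES = [
    {"id": 1, "pattern": "ceo@tri.ton", "auth_type": None, "ldap_profile": None},
    {"id": 2, "pattern": "*@tri.ton", "auth_type": "ldap", "ldap_profile": "AD-triton"},
    {"id": 3, "pattern": "*@*", "auth_type": None, "ldap_profile": None},
]


def matches(pattern, login):
    # Assumption: recipient patterns are case-insensitive wildcards.
    return fnmatchcase(login.lower(), pattern.lower())


def effective_policy(policies, login):
    """Return the first policy whose pattern matches the login, or None."""
    for policy in policies:
        if matches(policy["pattern"], login):
            return policy
    return None


def uses_ldap(policy, profile):
    return policy["auth_type"] == "ldap" and policy["ldap_profile"] == profile


def audit(policies, logins, profile):
    """List logins whose first matching policy lacks the expected LDAP profile.

    Each finding is (login, first_policy_id, shadowed_ids), where shadowed_ids
    are later matching policies that do carry the LDAP profile but are never
    reached because only the first match is applied.
    """
    findings = []
    for login in logins:
        first = effective_policy(policies, login)
        if first is None:
            findings.append((login, None, []))
        elif not uses_ldap(first, profile):
            shadowed = [p["id"] for p in policies
                        if p is not first and matches(p["pattern"], login)
                        and uses_ldap(p, profile)]
            findings.append((login, first["id"], shadowed))
    return findings


if __name__ == "__main__":
    for finding in audit(POLICIES, ["ceo@tri.ton", "bob@tri.ton"], "AD-triton"):
        print("LDAP login will not work as configured:", finding)
```

A finding with a non-empty shadowed list means the LDAP settings exist on a policy that the login never reaches, which is the case the note above describes.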

4.  Once spam messages are quarantined, users should be able to log in to http://<FortiMail_address>/mail/ and view their quarantine mailboxes.

