LDAP Authentication

Mail Assure provides full integration with LDAP Authentication in order to allow all email users to log in to the Email Level Control Panel with their existing email credentials. Using this method of authentication means that email users only have one set of credentials, instead of two, which makes accessing Mail Assure easier.

This is currently only available to Active Directory (Microsoft), OpenLDAP and Zimbra.

When LDAP authentication is enabled, Two Factor Authentication (2FA) can still be used.

Password changes and recovery are managed on your LDAP server and not by Mail Assure.

Logging in to Mail Assure via LDAP credentials is only available at Email User Level - and not at the Admin, Sub-Admin, Technician or Domain User Levels. Because of this, and in order for the LDAP server to integrate with the Mail Assure Control Panel, the username must be an email address e.g. fred@example-domain.invalid (and NOT a username in the format 'fred').

Setup LDAP Authentication

Set up LDAP Authentication for Email Level users from the Domain Level Control Panel:

  1. Log in to Mail Assure as a Domain user, or as an Admin user, and then open the Domain from Domains Overview
  2. In the Domain Level Control Panel, navigate to Users & Permissions > Manage Email Users
  3. The Manage email users page is displayed

  4. Expand the LDAP Authentication section at the top of the page
  5. The following settings are available:

    Setting Description
    Authentication mode
    • AD - This authentication mechanism attempts to bind to the directory server using Microsoft Active Directory services for authentication
    • LDAP - This authentication mechanism attempts to bind to the directory server using supplied username and password
    Domain controller

    This option allows you to switch between LDAP authentication for email users on this domain (when the Domain Controller is specified) and regular authentication (when left blank). To enable it, specify the IP or hostname of a Domain Controller e.g.

    • Domain Controller is ldap.demo-domain.invalid - connects on port 389 (insecure)
    • Or, to connect on port 636 (secure - over TLS), add ldap.demo-domain.invalid:636 (this port must be open in the firewall to accept connections)

    Security protocol

    The type of security used on the connection:

    • None
    • SSL
    • TLS
    BaseDN

    This setting is required

    This should be the starting point of the DNs that contain all the users for this domain. For example, if the user's DN is "CN=test,CN=Users,DC=exchange,DC=example,DC=com", the value for this field should be "CN=Users,DC=exchange,DC=example,DC=com".

    BindDN Format

    This can be used to override the bind username that's passed to your server. For example, if your userPrincipalName format is user@domain.local, enter %(user)s@domain.local

    Search base

    This setting is required

    This is the LDAP/AD value which the service will look for at login time and uniquely identifies your users.

    For example, if the user is test@exchange.demo-domain.invalid and there is an LDAP attribute like sAMAccountName: test, the correct value for "Search base" is sAMAccountName.

    If there is no such attribute but there is one that has the domain as well, for example: “userPrincipalName: test@exchange.demo-domain.invalid”, you can use userPrincipalName=%n to append the domain name

    Other possible values include, but are not limited to: sAMAccountName, CN, uid

  6. You may tick Remember Credentials to ensure the above details are stored
  7. Click on Save to apply the settings
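
A pre-save sanity check of the settings described in step 5, as an added example (not Mail Assure code): it flags an unencrypted connection, missing required fields, and a BaseDN that does not contain a sample user. The dictionary keys and function names are hypothetical, and reading %(user)s as the part of the login before "@" is an assumption.

```python
# Added example, not Mail Assure code. Dictionary keys and function names are
# hypothetical; the values are the sample values used on this page.

def parse_controller(value):
    """Split 'host' or 'host:port' (hostname/IPv4); LDAP's default port is 389."""
    host, sep, port = value.strip().partition(":")
    return host, int(port) if sep else 389

def dn_parts(dn):
    """Lower-case RDN list for comparison (naive: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def bind_name(bind_format, login):
    """Assumption: %(user)s stands for the part of the login before '@'."""
    return bind_format % {"user": login.split("@", 1)[0]}

def check_settings(cfg, sample_dn):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    host, port = parse_controller(cfg.get("domain_controller", ""))
    if cfg.get("security_protocol", "None") == "None":
        findings.append(f"{host}:{port}: connection is not encrypted")
    for key in ("base_dn", "search_base"):
        if not cfg.get(key):
            findings.append(f"{key} is required")
    base = dn_parts(cfg.get("base_dn", ""))
    if cfg.get("base_dn") and dn_parts(sample_dn)[-len(base):] != base:
        findings.append("sample user DN is not under BaseDN")
    return findings

SAMPLE_DN = "CN=test,CN=Users,DC=exchange,DC=example,DC=com"
WEAK = {"domain_controller": "ldap.demo-domain.invalid", "security_protocol": "None",
        "base_dn": "CN=Users,DC=exchange,DC=example,DC=com", "search_base": "sAMAccountName"}
FIXED = dict(WEAK, domain_controller="ldap.demo-domain.invalid:636", security_protocol="TLS")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_settings(cfg, SAMPLE_DN) or "no findings")
    print(bind_name("%(user)s@domain.local", "test@exchange.demo-domain.invalid"))
```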

Once LDAP Authentication is set up and an email user attempts to log in for the first time, Mail Assure automatically checks the credentials provided against the credentials held in the LDAP server.

If, for any reason, Mail Assure is unable to contact the LDAP server, it will check cached local credentials.

Disable LDAP Authentication

To disable LDAP authentication:

  1. Log in to Mail Assure as a Domain user, or as an Admin user, and then open the Domain from Domains Overview
  2. In the Domain Level Control panel, navigate to Users & Permissions > Manage Email Users
  3. Expand the LDAP Authentication section
  4. In the Domain Controller field, delete the server hostname
  5. Click Save