Set up LDAP Authentication
Mail Assure provides full integration with LDAP in order to allow all email users to log in to the Mail Assure Control Panel with their existing email credentials (this is currently only available to Active Directory (Microsoft), OpenLDAP and Zimbra). Using this method of authentication means that your users only have one set of credentials, instead of two, which makes accessing Mail Assure easier.
When LDAP authentication is enabled, Two Factor Authentication (2FA) can still be used. Password changes and recovery are managed on your LDAP server and not by Mail Assure. When using LDAP Mailbox Sync, there is no need to add or removing email users to Mail Assure manually as they will be added automatically when the sync runs.
You may want to add email users manually is so that you can prevent them from logging into the Mail Assure Control Panel by setting the user status to inactive.
Logging in to Mail Assure via LDAP credentials is only available at Email User Level - and not at the Admin, Sub-Admin or Domain User Levels. Because of this, and in order for the LDAP server to integrate with the Mail Assure Control Panel, the username must be an email address e.g. fred@example-domain.invalid (and NOT a username in the format 'fred').
Set up LDAP Authentication for Email Level users from the Domain Level Control panel:
- In the Domain Level Control Panel, select Users & Permissions > Manage Email Users.
- Click on LDAP authentication at the top of the page, to expand the LDAP section:
- AD - Windows Active Directory (e.g. Exchange)
- LDAP - Select this for simple LDAP authentication (e.g. Zimbra, OpenLDAP)
- Click on Save to apply the settings.
The Manage email users page is displayed:
The following settings are available:
| Setting | Description |
|---|---|
| Authentication mode |
|
| Domain controller |
This is the server hostname and optionally the port 'server:port'. For example, if your LDAP domain controller is ldap.demo-domain.invalid and connects on port 389 (insecure) or port 636 (secure - over TLS), you can add 'ldap.demo-domain.invalid:636' (this must be open in the firewall to accept connections). |
| Security protocol | The type of security used on the connection - usually None or TLS. |
| BaseDN | This should be the starting point of the DNs that contains all the users for this domain For example, if the users DN is "CN=test,CN=Users,DC=exchange,DC=example,DC=com" the value for this field should be “CN=Users,DC=exchange,DC=example,DC=com” |
| BindDN Format |
This can be used to override the bind username that's passed to your server. For example, if your userPrincipalName format is user@domain.local enter %(user)s@domain.local |
| Search base |
This is the LDAP/AD value which the service will look for at login time and uniquely identifies your users. For example, if the user is test@exchange.demo-domain.invalid, and there is an LDAP attribute like sAMAccountName: test. The correct value for the “Search base” is sAMAccountName If there is no such attribute but there is one that has the domain as well, for example: “userPrincipalName: test@exchange.demo-domain.invalid”, you can use userPrincipalName=%n to append the domain name Other possible values include, but not limited to: sAMAccountName, CN, uid |
Once LDAP is set up and the email user attempts to log in for the first time, the system automatically checks the credentials via LDAP.
If, for any reason, Mail Assure is unable to contact the LDAP server, it will check cached local credentials.