LDAP Authentication
SpamExperts provides full integration with LDAP Authentication in order to allow all email users to log in to the Email Level Control Panel with their existing email credentials. Using this method of authentication means that email users only have one set of credentials, instead of two, which makes accessing SpamExperts easier.
This is currently only available for Active Directory (Microsoft), OpenLDAP and Zimbra.
When LDAP authentication is enabled, Two Factor Authentication (2FA) can still be used.
Password changes and recovery are managed on your LDAP server and not by SpamExperts.
Logging in to SpamExperts via LDAP credentials is only available at Email User Level - and not at the Admin, Sub-Admin, Technician or Domain User Levels. Because of this, and in order for the LDAP server to integrate with the SpamExperts Control Panel, the username must be an email address e.g. fred@example-domain.invalid (and NOT a username in the format 'fred').
Set Up LDAP Authentication
Set up LDAP Authentication for Email Level users from the Domain Level Control Panel:
- Log in to SpamExperts as a Domain user, or as an Admin user, and then open the Domain from Domains Overview
- In the Domain Level Control Panel, navigate to Users & Permissions > Manage Email Users
- Expand the LDAP Authentication section at the top of the page
- You may tick Remember Credentials to ensure the details entered in this section are stored
- Click on Save to apply the settings
The Manage email users page is displayed:
The following settings are available:
Setting | Description |
---|---|
Authentication mode | AD: this authentication mechanism attempts to bind to the directory server using Microsoft Active Directory services for authentication. LDAP: this authentication mechanism attempts to bind to the directory server using the supplied username and password. |
Domain controller | This option allows you to switch between using LDAP authentication for email users on this domain (when the Domain Controller is specified) or regular authentication when left blank. To enable it, specify the IP or hostname of a Domain Controller, e.g. ldap.demo-domain.invalid. Connects on port 389 (insecure) or on port 636 (secure, over TLS); this must be open in the firewall to accept connections. |
Security protocol | The type of security used on the connection: None, SSL or TLS. |
BaseDN | This setting is required. This should be the starting point of the DNs that contains all the users for this domain. For example, if the user's DN is "CN=test,CN=Users,DC=exchange,DC=example,DC=com", the value for this field should be "CN=Users,DC=exchange,DC=example,DC=com". |
BindDN Format | This can be used to override the bind username that's passed to your server. For example, if your userPrincipalName format is user@domain.local, enter %(user)s@domain.local |
Search base | This setting is required. This is the LDAP/AD value which the service will look for at login time and which uniquely identifies your users. For example, if the user is test@exchange.demo-domain.invalid and there is an LDAP attribute like sAMAccountName: test, the correct value for "Search base" is sAMAccountName. If there is no such attribute but there is one that has the domain as well, for example "userPrincipalName: test@exchange.demo-domain.invalid", you can use userPrincipalName=%n to append the domain name. Other possible values include, but are not limited to: sAMAccountName, CN, uid |
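How the BaseDN, BindDN Format and Search base values described above combine for a single login, as an added example (not SpamExperts code). It assumes the BindDN Format is expanded as a Python-style %(user)s mapping and that the Search base attribute is matched with an equality filter; the function names and the attr_has_domain switch are hypothetical.

```python
import re

# RFC 4515: characters that must be escaped inside a search-filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a login-derived string before placing it in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login(email):
    """Split the login (always an email address here) into user and domain."""
    user, sep, domain = email.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("login must be an email address, not a bare username")
    return user, domain.lower()


def plan_lookup(email, base_dn, search_attr, bind_format=None, attr_has_domain=False):
    """Return the bind name, search base and filter one login maps to.

    Assumptions: bind_format is a %-style template with a single 'user' key;
    without it the full email address is used as the bind name.
    attr_has_domain=True models an attribute that stores the whole address
    (the userPrincipalName case), False one that stores only the local part.
    """
    user, domain = split_login(email)
    bind_name = bind_format % {"user": user} if bind_format else email
    value = f"{user}@{domain}" if attr_has_domain else user
    return {
        "bind_name": bind_name,
        "search_base": base_dn,
        "filter": f"({search_attr}={escape_filter_value(value)})",
    }


def dn_is_under(user_dn, base_dn):
    """True if user_dn sits below base_dn (simple case-insensitive RDN compare)."""
    def parts(dn):
        return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    user_parts, base_parts = parts(user_dn), parts(base_dn)
    return len(user_parts) > len(base_parts) and user_parts[-len(base_parts):] == base_parts
```

Running dn_is_under against a few real user DNs before saving the BaseDN shows whether any accounts sit outside the chosen starting point.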
Once LDAP Authentication is set up and an email user attempts to log in for the first time, SpamExperts automatically checks the credentials provided against the credentials held in the LDAP server.
If, for any reason, SpamExperts is unable to contact the LDAP server, it will check cached local credentials.
Disable LDAP Authentication
To disable LDAP authentication:
- Log in to SpamExperts as a Domain user, or as an Admin user, and then open the Domain from Domains Overview
- In the Domain Level Control Panel, navigate to Users & Permissions > Manage Email Users
- Expand the LDAP Authentication section
- In the Domain Controller field delete the server hostname
- Click Save