Set up LDAP Authentication

Spam Experts provides full integration with LDAP in order to allow all email users to log in to the Spam Experts Control Panel with their existing email credentials (this is currently only available to Active Directory (Microsoft), OpenLDAP and Zimbra). Using this method of authentication means that your users only have one set of credentials, instead of two, which makes accessing Spam Experts easier.

When LDAP authentication is enabled, Two Factor Authentication (2FA) can still be used. Password changes and recovery are managed on your LDAP server and not by Spam Experts. When using LDAP Mailbox Sync, there is no need to add or removing email users to Spam Experts manually as they will be added automatically when the sync runs.

You may want to add email users manually is so that you can prevent them from logging into the Spam Experts Control Panel by setting the user status to inactive.

Logging in to Spam Experts via LDAP credentials is only available at Email User Level - and not at the Admin, Sub-Admin or Domain User Levels. Because of this, and in order for the LDAP server to integrate with the Spam Experts Control Panel, the username must be an email address e.g. fred@example-domain.invalid (and NOT a username in the format 'fred').

Set up LDAP Authentication for Email Level users from the Domain Level Control panel:

  1. In the Domain Level Control Panel, select Users & Permissions > Manage Email Users.
  2. The Manage email users page is displayed:

  3. Click on LDAP authentication at the top of the page, to expand the LDAP section:
  4. The following settings are available:

    Setting Description
    Authentication mode
    • AD - Windows Active Directory (e.g. Exchange)
    • LDAP - Select this for simple LDAP authentication (e.g. Zimbra, OpenLDAP)
    Domain controller

    This is the server hostname and optionally the port 'server:port'. For example, if your LDAP domain controller is ldap.demo-domain.invalid and connects on port 389 (insecure) or port 636 (secure - over TLS), you can add 'ldap.demo-domain.invalid:636' (this must be open in the firewall to accept connections).

    Security protocol The type of security used on the connection - usually None or TLS.
    BaseDN This should be the starting point of the DNs that contains all the users for this domain For example, if the users DN is "CN=test,CN=Users,DC=exchange,DC=example,DC=com" the value for this field should be “CN=Users,DC=exchange,DC=example,DC=com”
    BindDN Format

    This can be used to override the bind username that's passed to your server. For example, if your userPrincipalName format is user@domain.local enter %(user)s@domain.local

    Search base

    This is the LDAP/AD value which the service will look for at login time and uniquely identifies your users.

    For example, if the user is test@exchange.demo-domain.invalid, and there is an LDAP attribute like sAMAccountName: test. The correct value for the “Search base” is sAMAccountName

    If there is no such attribute but there is one that has the domain as well, for example: “userPrincipalName: test@exchange.demo-domain.invalid”, you can use userPrincipalName=%n to append the domain name

    Other possible values include, but not limited to: sAMAccountName, CN, uid

  5. Click on Save to apply the settings.

Once LDAP is set up and the email user attempts to log in for the first time, the system automatically checks the credentials via LDAP.

If, for any reason, Spam Experts is unable to contact the LDAP server, it will check cached local credentials.