SpamExperts provides full integration with LDAP so that all your email users can log in to the SpamExperts Control Panel with their existing email credentials (this is currently only available for AD (Microsoft), OpenLDAP and Zimbra). This means that your users no longer need two sets of credentials, but only one.
Even though your users authenticate via LDAP, 2FA remains functional; password changes and recovery, however, are no longer handled by us, since the credentials are managed on your LDAP server. There is usually no point in adding or removing email users manually, as they will be added again once LDAP is activated. The only reason to add one or more email users is to prevent them from logging in to the SpamExperts control interface by setting their status to inactive.
LDAP support is only available at the email user level; the Super-Admin, Admin, Sub-Admin and Domain user levels cannot authenticate via LDAP. Because of this, the username that is used needs to be an email address, e.g. email@example.com. The LDAP server therefore needs to authenticate an email address, and not a username of the form "test", for the LDAP integration with our control panel to work as expected.
How to enable LDAP authentication
Overview > Select your domain > Webinterface Users > Manage Email Users
On the Manage Users page you will find the LDAP authentication tab, where you will need to add your:
- Authentication mode:
  - AD if you are using Active Directory (e.g. Exchange)
  - LDAP for simple LDAP (e.g. Zimbra, OpenLDAP)
- Domain controller
  - This is the server hostname with an optional port. For example, if your LDAP domain controller is located at ldap.example.com and accepts connections on port 389 (unencrypted) or port 636 (secure, over TLS), the domain controller you will have to add is "ldap.example.com:636".
- Security protocol
  - If you want to use a secure connection for LDAP authentication (SSL or TLS), you can select it here.
- Bind DN:
  - This should be the starting point of the DNs that contain all the users for this domain and no others.
  - E.g. if a user's DN is "CN=test,CN=Users,DC=exchange,DC=example,DC=com", the value for this field should be "CN=Users,DC=exchange,DC=example,DC=com".
- Search base:
  - This should be the LDAP attribute that uniquely identifies your users. E.g. if the user is firstname.lastname@example.org and there is an LDAP attribute such as sAMAccountName: test, the correct value for "Search base" is sAMAccountName.
  - If there is no such attribute but there is one that includes the domain as well, for example "userPrincipalName: email@example.com", you can use userPrincipalName=%n to append the domain name.
  - Other possible values include, but are not limited to: sAMAccountName, CN, uid
Once LDAP has been set up, when an email user attempts to log in for the first time, we automatically check their credentials via LDAP.
If any of the above settings are incorrect, you will receive an error when trying to log in.
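The following is an added example, not SpamExperts code, showing how the settings above translate into the LDAP lookup a login triggers: it parses the domain controller field, builds the search filter from the "Search base" attribute (with or without the %n placeholder) and escapes the login name so that a crafted username cannot alter the filter. The settings values and login names are constructed; it also assumes, since the page does not define it, that a bare attribute such as sAMAccountName is matched against the local part of the login while "attribute=%n" substitutes the full login including the domain.

```python
"""Added example, not SpamExperts code: derive the LDAP lookup from the
settings described above and validate the login name before it reaches
the directory. The settings values and the login names are constructed.

Assumption (the page does not define it): a bare attribute in "Search base",
e.g. sAMAccountName, is matched against the local part of the login, while
"attribute=%n" substitutes the full login including the domain."""
import re
from dataclasses import dataclass
from typing import List, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# RFC 4515 escaping: a login name must never be able to alter the filter
# it is embedded in (e.g. turning "(uid=X)" into "(uid=*)(...)").
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapSettings:
    mode: str               # "AD" for Active Directory, "LDAP" for OpenLDAP/Zimbra
    domain_controller: str  # "host" or "host:port"
    security: str           # "none", "SSL" or "TLS"
    bind_dn: str            # container holding this domain's users and no others
    search_base: str        # attribute name, optionally followed by "=%n"


def parse_domain_controller(value: str, security: str) -> Tuple[str, int]:
    """Split "host[:port]". Without a port, assume 636 for SSL, else 389."""
    host, sep, port = value.strip().partition(":")
    if not host:
        raise ValueError("domain controller hostname is required")
    if sep:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("invalid port: %r" % port)
        return host, int(port)
    return host, 636 if security == "SSL" else 389


def build_search_filter(settings: LdapSettings, login: str) -> str:
    """Return the filter that locates the user entry under bind_dn."""
    if not EMAIL_RE.match(login):
        raise ValueError("login must be an email address, e.g. email@example.com")
    attr, sep, template = settings.search_base.partition("=")
    if not ATTR_RE.match(attr):
        raise ValueError("invalid attribute name: %r" % attr)
    if sep:
        if template != "%n":
            raise ValueError("only the %n placeholder is supported")
        value = login                    # userPrincipalName=%n -> full login
    else:
        value = login.split("@", 1)[0]   # sAMAccountName -> local part only
    return "(%s=%s)" % (attr, escape_filter_value(value))


def validate_settings(settings: LdapSettings) -> List[str]:
    """Collect configuration problems; an empty list means the form is complete."""
    problems = []
    if settings.mode not in ("AD", "LDAP"):
        problems.append("authentication mode must be AD or LDAP")
    if settings.security not in ("none", "SSL", "TLS"):
        problems.append("security protocol must be none, SSL or TLS")
    try:
        parse_domain_controller(settings.domain_controller, settings.security)
    except ValueError as exc:
        problems.append(str(exc))
    if "=" not in settings.bind_dn:
        problems.append("bind DN must be a distinguished name, e.g. CN=Users,DC=example,DC=com")
    try:
        build_search_filter(settings, "probe@example.com")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    ad = LdapSettings("AD", "ldap.example.com:636", "SSL",
                      "CN=Users,DC=exchange,DC=example,DC=com", "sAMAccountName")
    print(validate_settings(ad))
    print(build_search_filter(ad, "firstname.lastname@example.org"))
```

The escaping step is the part worth keeping even if the rest is adapted: the login name is user-controlled input that ends up inside an LDAP filter, and the only safe way to embed it is RFC 4515 escaping of the filter metacharacters.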
Requirements for using LDAP synchronization
In order for the LDAP synchronization to work the following conditions must be met:
- All fields in the LDAP settings must be entered correctly
- The LDAP server must allow logging in with the username in the following format: firstname.lastname@example.org
- There must be an LDAP attribute that uniquely identifies the user, either with or without the domain. For example:
  - sAMAccountName: test
  - userPrincipalName: email@example.com
- Users can have a different email address than the actual LDAP user. In these cases the users still need to log in with the LDAP user and not the email address.
- The users must have the mail LDAP attribute.
How to disable LDAP
To disable LDAP authentication, just delete the server hostname and port from the Manage Email Users page and click Save.

SpamExperts also provides an easy-to-use single-sign-on system which can be integrated in most environments to ensure your clients do not need to log in at different control panels.
The "one click login" system can, for example, be integrated with your LDAP user base to grant your users direct access to the SpamExperts control panel from your existing customer environment. If you're not using a control panel for which we already provide free integration, we're happy to assist in this process.
- If you have the LDAP usernames/passwords, it's easy to synchronize the logins with our API, or to simply provide the details to the API whenever a new mailbox is provisioned.
- We have a feature to automatically enable our reporting and send a welcome email with the required login details to new recipients. When this option is enabled, all the filtered domain users are automatically added to the 'Periodic user report' page and, once added, are sent a daily or weekly digest of the spam received. It will also send the end user a welcome email once the first spam message has been seen, to let them know their personal quarantine has been activated; if they would like to log in to see it, they can do so using the login link in the email. Once they have logged in for the first time, the users will be added to the 'manage email users' list.
LDAP user verification
To avoid duplicating data, SpamExperts uses advanced SMTP-based recipient verification calls. Your SMTP server handles the local LDAP lookup, ensuring our system always handles the email for your mailboxes correctly. We include advanced dictionary attack handling to protect your SMTP and LDAP servers from being flooded with queries. This system is fully automatic; no credentials are required on our side.
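As an added illustration of the general technique described above (not SpamExperts' implementation, whose internals the page does not describe), the following Python simulates the receiving side of SMTP recipient verification: the server answers each RCPT TO from its local directory and, once a client has probed too many unknown addresses, defers further recipients with a temporary failure so a dictionary attack cannot keep driving lookups into the directory. The mailbox list, client addresses and threshold are constructed for the demo.

```python
"""Added example, not SpamExperts code: a stand-in for SMTP-based recipient
verification with dictionary-attack handling, as described above. The mailbox
directory, client addresses and threshold are constructed for the demo."""
from collections import defaultdict
from typing import Dict, List

# Stands in for the mailboxes your SMTP server would resolve through LDAP.
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}  # constructed

# RFC 5321 reply codes a receiving MTA may give at RCPT TO.
ACCEPT = "250 2.1.5 Recipient OK"
REJECT = "550 5.1.1 User unknown"
DEFER = "451 4.7.1 Too many unknown recipients, try again later"


class RecipientVerifier:
    """Answers RCPT TO probes and throttles clients that guess addresses."""

    def __init__(self, max_unknown: int = 3) -> None:
        self.max_unknown = max_unknown
        self.unknown_counts: Dict[str, int] = defaultdict(int)

    def lookup(self, rcpt: str) -> bool:
        """The local directory lookup (LDAP in a real deployment)."""
        return rcpt.lower() in KNOWN_MAILBOXES

    def rcpt_to(self, client_ip: str, rcpt: str) -> str:
        # Once a client has probed too many unknown addresses, defer everything
        # from it (valid recipients included) so the directory is not hammered.
        # A legitimate sender simply retries later; a guesser learns nothing more.
        if self.is_throttled(client_ip):
            return DEFER
        if self.lookup(rcpt):
            return ACCEPT
        self.unknown_counts[client_ip] += 1
        return REJECT

    def is_throttled(self, client_ip: str) -> bool:
        return self.unknown_counts[client_ip] >= self.max_unknown


def simulate_session(verifier: RecipientVerifier, client_ip: str,
                     recipients: List[str]) -> List[str]:
    """Run one SMTP envelope with several RCPT TO commands and return the
    replies as the client sees them; the full exchange is printed."""
    transcript = [("S", "220 mx.example.com ESMTP"),
                  ("C", "EHLO verifier.example.net"),
                  ("S", "250 mx.example.com"),
                  ("C", "MAIL FROM:<>"),          # null sender, as callouts use
                  ("S", "250 2.1.0 OK")]
    replies = []
    for rcpt in recipients:
        reply = verifier.rcpt_to(client_ip, rcpt)
        transcript += [("C", "RCPT TO:<%s>" % rcpt), ("S", reply)]
        replies.append(reply)
    transcript += [("C", "QUIT"), ("S", "221 2.0.0 Bye")]
    for side, line in transcript:
        print("%s: %s" % (side, line))
    return replies


if __name__ == "__main__":
    v = RecipientVerifier(max_unknown=3)
    simulate_session(v, "198.51.100.7",
                     ["alice@example.com", "aaron@example.com", "abe@example.com",
                      "adam@example.com", "bob@example.com"])
```

The design point is that the throttle answers with a 4xx temporary failure rather than a 5xx: a real upstream filter retries and delivers later, while an address-harvesting client gets no further yes/no answers. The per-client counter is kept in memory here; a production MTA would expire it over time.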