LDAP

Active Directory servers are often used to provide a central directory service for an organization. Cumulus can be configured to use any LDAP directory you have at your disposal, which simplifies tasks such as email address validation and user creation in Cumulus.

This article applies to Administrator accounts. Quarantine Administrator accounts can view this information but cannot edit the parameters.

Administrators can manage LDAP synchronization under:
My Organization → Parameters → Advanced → LDAP



Cumulus can be configured to synchronize its list of valid addresses with the client’s electronic directory by using the LDAP protocol. With LDAP synchronization in place, Cumulus can refuse all connections carrying email addressed to invalid recipients, which often represent a heavy volume of useless traffic.

Configuration

The LDAP synchronization means that Cumulus is authorized to connect to the client’s electronic directory to search for the list of valid addresses as well as the characteristics associated with these addresses. The LDAP configuration requires a good working knowledge of the company’s security protocol as well as their electronic directory system (Active Directory, OpenLDAP or other).

1. Head to My Organization → Parameters → Advanced → LDAP and click the Configure LDAP link.

2. Choose whether LDAP synchronizes automatically, whether individual user accounts are automatically created, and whether (and to whom) LDAP synchronization reports should be sent. All these parameters can be edited later.

   If Automatic user creation is set to YES, other fields will appear:

   Option | Description | Notes
   Send quarantine digest to users | Enables/disables the emailing of the daily quarantine digest | NA
   Send credentials by email to the new users | Enables/disables an automated email to invite users to log into their Cumulus account | Enable if you do not want to use LDAP or SSO authentication. Accounts will authenticate directly with Cumulus.
   Enable LDAP authentication | Enables/disables LDAP authentication | Disable if you want to use SSO or authenticate directly with Cumulus

3. Once an LDAP configuration exists in Cumulus, click the Create a new connection link to add a first LDAP connection. Below, you can find a list of the required fields, the optional fields, and an example of an LDAP connection.

4. Once a connection's details have been filled out, click the Test connection button to confirm that Cumulus can connect to your Active Directory. Once the test has been completed, click the Create button. If Cumulus is unable to connect to your server, it will display a message.

LDAP connections allow you to granularly specify what data should be synchronized to Cumulus. You can use multiple connections to pull data from multiple directories if the need arises. Each can be personalized with the various Required and Optional fields.

Required Fields

  • Hostname: The IP address or hostname of the electronic directory.
  • LDAP port: The LDAP Synchronization port that Cumulus must use to connect to the electronic directory. The default port without SSL is 389 (636 with SSL) but the connection can be made through any other port.
  • Enable SSL: Enables encryption between Cumulus and the electronic directory.
  • User DN: This corresponds to the user name that Cumulus must use to authenticate to the LDAP server in order to access the list of valid addresses. This is typically a valid LDAP DN (distinguished name). The client can use an existing user name or create one specifically for Cumulus synchronization.
  • Password: This is a password associated with the user name (user DN) indicated above. The password must be entered into this field but since Cumulus masks it for security reasons, it will only appear as asterisks.
  • Search DN: The location within the client’s electronic directory where Cumulus starts its search, which gives it access to the list of valid addresses.
  • Primary email attribute: This corresponds to the character sequence that identifies the “primary address” attribute in the client’s electronic directory.

Optional Fields

  • Alias attribute: This corresponds to the character sequence that identifies the “alias” attribute in the client’s electronic directory.
  • First name attribute: First name field in your address directory (used to populate the Given Name for Cumulus user accounts).
  • Last Name attribute: Last name field in your address directory (used to populate the Surname for Cumulus user accounts).
  • Language attribute: This corresponds to the character sequence that identifies the “language” attribute in the client’s electronic directory.
  • SSO attribute: Unique Single Sign-On attribute in your address directory. Only useful if you have SSO configured in Cumulus.
  • Filter: Filter the results of the LDAP search. Example filters can be found here and here.
  • Pagination: (default: 500) Maximum number of records that can be synchronized with each pull request.

Configuration Example for a typical Microsoft ADFS

Field | Value
Host Name | 176.30.1.1 (your Active Directory server)
LDAP Port | 389 (636 over SSL)
Enable SSL | No (Yes)
User DN | cumulus@mycompany.com
Password | *******
Search DN | CN=Users,DC=mycompany,DC=com
Primary email attribute | mail
Alias attribute | proxyAddresses
First name attribute | givenname
Last name attribute | sn
Language attribute | preferredLanguage
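
With Enable SSL set to No, as in the first variant of the example above, nothing encrypts the User DN password or the synchronized entries on the way to Cumulus. The check below is an added example, not Cumulus code: it audits a connection's fields before they are saved and compares the example values with their SSL variant. The dictionary keys, the audit function and the sample filter are names assumed for this illustration.

```python
# Added example: pre-flight audit of an LDAP connection before it is saved.
# Field names follow the article; the checks are this example's assumptions.

def balanced(flt):
    """True if every '(' in an LDAP filter is closed, in order."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def audit(conn):
    """Return a list of (severity, message) findings for one connection."""
    findings = []
    ssl, port = conn["enable_ssl"], conn["ldap_port"]
    if not ssl:
        findings.append(("high", "Enable SSL is off: the User DN password and "
                         "all synchronized entries cross the network unencrypted"))
    if ssl and port == 389:
        findings.append(("medium", "SSL is on but the port is 389; the SSL port is 636"))
    if not ssl and port == 636:
        findings.append(("medium", "port 636 expects SSL but Enable SSL is off"))
    # Naive split: assumes no escaped commas inside the Search DN components.
    rdns = [r.strip() for r in conn["search_dn"].split(",")]
    if any("=" not in r or r.startswith("=") or r.endswith("=") for r in rdns):
        findings.append(("high", "Search DN is not a valid distinguished name"))
    elif all(r.upper().startswith("DC=") for r in rdns):
        findings.append(("low", "Search DN is the domain root: every object in "
                         "the directory becomes a synchronization candidate"))
    flt = conn.get("filter", "")
    if flt and not (flt.startswith("(") and balanced(flt)):
        findings.append(("high", "Filter has unbalanced parentheses"))
    return findings

# The article's example values (constructed input), then the SSL variant.
ARTICLE_EXAMPLE = {"hostname": "176.30.1.1", "ldap_port": 389, "enable_ssl": False,
                   "user_dn": "cumulus@mycompany.com",
                   "search_dn": "CN=Users,DC=mycompany,DC=com",
                   "primary_email_attribute": "mail"}
HARDENED = dict(ARTICLE_EXAMPLE, ldap_port=636, enable_ssl=True,
                filter="(&(objectClass=user)(mail=*))")

if __name__ == "__main__":
    for name, conn in (("article example", ARTICLE_EXAMPLE), ("with SSL", HARDENED)):
        print(name, audit(conn) or "no findings")
```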

Synchronization

Once all the information has been entered, you can click on the Test Connection button to make sure that the configuration allows Cumulus to communicate with the LDAP server. You can also click directly on the Create button. If Cumulus is unable to connect, an error message will appear.

It is recommended to restrict access to the LDAP connection so that only our servers can reach it.

Manually initiated synchronizations will invite you to preview changes before the information gets synced into Cumulus. Once you preview the changes, you will need to confirm the synchronization. Automatic synchronizations will not request to preview and accept changes.

Once at least one connection exists, you will be able to view that connection's Users and Details.

Users

The Users section gives the detail of all synchronized addresses (organized by main address). Entries can be searched for by DN, Address, Name, or Surname. Each entry can be consulted by clicking its corresponding View link to see all the information that has been pulled into Cumulus. Some fields may be empty (and some searches may not return results) depending on what information was used to configure the connection.

Details

The Details section allows you to change the connection's parameters. Any change done to a connection should be re-tested before saving. The Details section also contains a log of all previous synchronization attempts.

Processing a synchronization request takes several minutes and you can follow its progress by referring to the “Synchronization” table, which indicates if the data was successfully imported.  

Enabling Recipient Validation

Once the LDAP synchronization is set up and activated, Cumulus can be configured to reject messages sent to invalid email addresses. 

1. Head to your filtering parameters (My Organization → Parameters → Inbound Filtering → Filtering).
2. Select the Recipient Validation tab.
3. In the Recipient validation configuration section, activate the Enable LDAP filtering parameter.
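
The following added example, which is not Cumulus code, illustrates how a synchronized address list can drive recipient validation: it builds the set of valid addresses from the mail and proxyAddresses attributes used in the configuration example, then accepts or rejects a recipient. The directory entries are constructed, and the function names and SMTP reply strings are assumptions made for illustration.

```python
# Added example: recipient validation against a synchronized address list.
# Illustration only, not Cumulus code. The entries below are constructed.

def smtp_addresses(entry, primary_attr="mail", alias_attr="proxyAddresses"):
    """Collect the SMTP addresses of one directory entry, lower-cased."""
    found = set()
    primary = entry.get(primary_attr)
    if primary:
        found.add(primary.strip().lower())
    for value in entry.get(alias_attr, []):
        # Active Directory stores each alias as "<type>:<address>". "SMTP:"
        # marks the primary address and "smtp:" a secondary one; other types
        # (X500, SIP, ...) are not mail recipients and are skipped.
        kind, sep, addr = value.partition(":")
        if sep and kind.lower() == "smtp" and "@" in addr:
            found.add(addr.strip().lower())
    return found

def build_valid_set(entries):
    """Union of the addresses of every synchronized entry."""
    valid = set()
    for entry in entries:
        valid |= smtp_addresses(entry)
    return valid

def rcpt_decision(recipient, valid):
    """Reply to RCPT TO: accept known recipients, reject the rest."""
    if recipient.strip().lower() in valid:
        return "250 2.1.5 OK"
    return "550 5.1.1 Recipient address rejected: user unknown"

ENTRIES = [  # constructed sample of synchronized entries
    {"dn": "CN=Ana Diaz,CN=Users,DC=mycompany,DC=com",
     "mail": "ana.diaz@mycompany.com",
     "proxyAddresses": ["SMTP:ana.diaz@mycompany.com",
                        "smtp:adiaz@mycompany.com",
                        "X500:/o=MyCompany/ou=First/cn=Recipients/cn=adiaz"]},
    {"dn": "CN=Printer01,CN=Users,DC=mycompany,DC=com"},  # no mail attribute
]

if __name__ == "__main__":
    valid = build_valid_set(ENTRIES)
    for rcpt in ("ADiaz@MyCompany.com", "sales@mycompany.com"):
        print(rcpt, "->", rcpt_decision(rcpt, valid))
```

In this model the decision depends on the last synchronized copy of the directory, so an address created after the most recent synchronization is rejected until the next one runs.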