LDAP - Active Directory - Global Catalog

NoTouch Center can authenticate users from an entire Active Directory forest, not only from a single domain. For that, the NoTouch Center appliance must be configured to talk to an Active Directory Global Catalog server instead of an ordinary Domain Controller port. The LDAP Server URL in NoTouch Center's Configuration/Authentication has the general format: protocol://address:port

Depending on how NoTouch Center should talk to the LDAP server (encrypted vs. unencrypted, domain-wide vs. forest-wide), the URL components are as follows:

URL component   Value                      Comment
protocol        ldap                       Unencrypted LDAP connection. This is the default and is used when the protocol component is omitted.
protocol        ldaps                      TLS (SSL) encrypted LDAP connection (LDAPS).
address         <IP>, <hostname>, <FQDN>   IP address, hostname, or fully-qualified domain name of the LDAP server.
port            389                        Default port for unencrypted domain-wide LDAP queries. Only the Domain Controller's own domain is queried.
port            636                        Default port for TLS-encrypted domain-wide LDAP (LDAPS) queries. Only the Domain Controller's own domain is queried.
port            3268                       Port for unencrypted forest-wide LDAP queries. The Global Catalog is queried.
port            3269                       Port for TLS-encrypted forest-wide LDAP queries. The Global Catalog is queried.

When the port component is omitted, it defaults to 389 for the ldap protocol and to 636 for the ldaps protocol. In both cases only the Domain Controller's single domain is queried. For Global Catalog queries the port must therefore always be given explicitly: 3268 for unencrypted and 3269 for encrypted connections. Prefer the encrypted variants (636 or 3269) wherever possible: with ldap on 389 or 3268 the bind credentials cross the network in clear text, and Domain Controllers hardened to require LDAP signing reject simple binds over unencrypted LDAP.

Here are a few examples of valid LDAP URLs:

URL                               Comment
192.168.123.45                    protocol and port omitted; expands to ldap://192.168.123.45:389. A single Active Directory Domain Controller is queried.
ldaps://192.168.123.45            port omitted, encrypted ldaps protocol specified; expands to ldaps://192.168.123.45:636. A single Active Directory Domain Controller is queried.
ldap://192.168.234.56:3268        The Global Catalog server at 192.168.234.56 is queried over an unencrypted LDAP connection.
ldaps://ad1.company.local:3269    The Global Catalog server at ad1.company.local is queried over a TLS-encrypted LDAP connection.


For URLs pointing to a Global Catalog server, the Base parameter in NoTouch Center's Authentication configuration should be set to the distinguished name of the forest root (for example DC=company,DC=local for a forest whose root domain is company.local) so that searches span all domains of the forest. Keep in mind that a Global Catalog holds only the partial attribute set that is replicated to it; sAMAccountName and userPrincipalName are part of that set, so the filters below work, but other attributes may be absent when querying port 3268 or 3269.

Note: If you use userPrincipalName in your filter, users must log on with the full domain username (for example testuser@mycompany.com). If you want users to type the username only (in this case testuser), use sAMAccountName instead.
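The following Python script is an added example, not part of this article or of NoTouch Center itself. It applies the URL defaulting rules from this article (missing protocol, missing port, Global Catalog ports), flags the unencrypted and mismatched combinations an administrator should notice before saving the configuration, picks the user filter attribute according to how the user types the login name, and assembles an equivalent ldapsearch(1) call for testing the URL outside NoTouch Center. The bind DN, base DN and login names in the usage part are constructed placeholders; the URLs are the ones used in the tables above.

```python
"""Expand a NoTouch Center style LDAP server URL and pick the matching AD user filter.

Added illustration; not code from NoTouch Center. Uses only the standard library.
"""
import re
import shlex
from urllib.parse import urlsplit

# Default ports as documented for the URL format in this article
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Global Catalog ports and the transport each one expects
GC_PORTS = {3268: "ldap", 3269: "ldaps"}


def expand_ldap_url(url):
    """Return (scheme, host, port) after applying the article's defaulting rules.

    - a missing protocol defaults to ldap
    - a missing port defaults to 389 for ldap and 636 for ldaps
    Raises ValueError for unsupported schemes or a missing address.
    """
    url = url.strip()
    if "://" not in url:
        url = "ldap://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {scheme!r}; use ldap or ldaps")
    if not parts.hostname:
        raise ValueError("missing server address")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def describe_target(scheme, host, port):
    """Classify the connection: domain-wide vs forest-wide, encrypted or not, plus warnings."""
    is_gc = port in GC_PORTS
    encrypted = scheme == "ldaps"
    warnings = []
    if not encrypted:
        warnings.append("unencrypted: bind credentials cross the network in clear text")
    if is_gc and GC_PORTS[port] != scheme:
        warnings.append(f"port {port} is the {GC_PORTS[port]} Global Catalog port, "
                        f"but the protocol is {scheme}")
    return {
        "host": host,
        "scope": "forest (Global Catalog)" if is_gc else "single domain (Domain Controller)",
        "global_catalog": is_gc,
        "encrypted": encrypted,
        "warnings": warnings,
    }


def escape_filter_value(value):
    """RFC 4515 escaping so a typed '*', '(' or ')' cannot change the filter's meaning."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def user_filter(login):
    """'user@domain' logins match userPrincipalName; a bare name matches sAMAccountName."""
    attr = "userPrincipalName" if "@" in login else "sAMAccountName"
    return f"({attr}={escape_filter_value(login)})"


def ldapsearch_command(url, base_dn, login, bind_dn):
    """Build an ldapsearch(1) argument list that tests the same URL, base and filter.

    -W prompts for the bind password so it never lands in the shell history.
    """
    scheme, host, port = expand_ldap_url(url)
    hostpart = f"[{host}]" if ":" in host else host  # bracket IPv6 literals
    return ["ldapsearch", "-H", f"{scheme}://{hostpart}:{port}", "-D", bind_dn, "-W",
            "-b", base_dn, user_filter(login), "dn", "sAMAccountName", "userPrincipalName"]


if __name__ == "__main__":
    for url in ("192.168.123.45", "ldaps://192.168.123.45",
                "ldap://192.168.234.56:3268", "ldaps://ad1.company.local:3269"):
        scheme, host, port = expand_ldap_url(url)
        info = describe_target(scheme, host, port)
        print(f"{url:32} -> {scheme}://{host}:{port}  [{info['scope']}]")
        for w in info["warnings"]:
            print(f"{'':32}    warning: {w}")
    # Constructed placeholder names for the service account and forest root
    cmd = ldapsearch_command("ldaps://ad1.company.local:3269", "DC=company,DC=local",
                             "testuser", "CN=svc-ntc,OU=Service Accounts,DC=company,DC=local")
    print(shlex.join(cmd))
```

Running the script prints the expanded form of each URL from the tables above together with its scope, and a ready-to-paste ldapsearch line against the Global Catalog; if that query returns the expected user with the forest root as base, the same URL, Base and filter will work in NoTouch Center.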
