LDAP - Active Directory - Global Catalog

Authenticating users from Active Directory forests (not only from a single domain) is possible in NoTouch Center. To do so, the NTC appliance must be configured to talk to an Active Directory Global Catalog server. The LDAP Server URL in NoTouch Center’s Configuration/Authentication has the following general format: protocol://address:port

Depending on how NoTouch Center should talk to the LDAP server (encrypted vs. unencrypted, domainwide vs. forestwide), the URL components should be as follows:


URL Component | Value                    | Comment
--------------|--------------------------|----------------------------------------------------------------
protocol      | ldap                     | Unencrypted LDAP connection. This is the default protocol, used when the ‘protocol’ URL component is omitted.
protocol      | ldaps                    | SSL-encrypted LDAP connection.
address       | <IP>, <hostname>, <FQDN> | IP address, hostname, or fully-qualified domain name of the LDAP server.
port          | 389                      | Default port for unencrypted domainwide LDAP queries. Only the Active Directory Domain Controller of the particular domain will be queried.
port          | 636                      | Default port for SSL-encrypted domainwide LDAP (LDAPS) queries. Only the Active Directory Domain Controller of the particular domain will be queried.
port          | 3268                     | Port for unencrypted forestwide LDAP queries. The Global Catalog server will be queried.
port          | 3269                     | Port for SSL-encrypted forestwide LDAP queries. The Global Catalog server will be queried.


When the ‘port’ component is omitted, it defaults to 389 for the ‘ldap’ protocol and to 636 for the ‘ldaps’ protocol. In both cases only the Domain Controller of a single domain will be queried. For Global Catalog queries the ‘port’ must therefore always be specified explicitly (3268 for unencrypted and 3269 for encrypted connections).


Here are a few examples of valid LDAP URLs:

URL                            | Comment
-------------------------------|----------------------------------------------------------------
192.168.123.45                 | ‘protocol’ and ‘port’ components omitted. It will be expanded to: ldap://192.168.123.45:389. A single Active Directory Domain Controller will be queried.
ldaps://192.168.123.45         | ‘port’ component omitted, encrypted ‘ldaps’ protocol specified. It will be expanded to: ldaps://192.168.123.45:636. A single Active Directory Domain Controller will be queried.
ldap://192.168.234.56:3268     | The Global Catalog server at ‘192.168.234.56’ will be queried through an unencrypted LDAP connection.
ldaps://ad1.company.local:3269 | The Global Catalog server at ‘ad1.company.local’ will be queried through an SSL-encrypted LDAP connection.


For URLs pointing to Global Catalog servers, the ‘Base’ parameter in NoTouch Center’s Authentication configuration should be set to the distinguished name of the top of the Active Directory forest; otherwise forestwide (cross-domain) searches will not find users from other domains of the forest.
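The expansion rules above (default protocol, default ports, Global Catalog ports) as an added helper that is not part of NoTouch Center; it normalizes an LDAP Server URL the way the article describes and reports whether the resulting connection is encrypted and whether it reaches a single Domain Controller or the Global Catalog. The function name and the returned dictionary are assumptions of this example.

```python
from urllib.parse import urlsplit

# Rules from the article: omitted protocol means 'ldap'; omitted port means
# 389 for ldap and 636 for ldaps; 3268/3269 reach the Global Catalog (forestwide),
# while 389/636 only reach the Domain Controller of a single domain.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}


def expand_ldap_url(url):
    """Expand a NoTouch Center LDAP Server URL to full protocol://address:port form.

    Hypothetical helper (not NTC code). Returns the expanded URL plus two flags a
    reviewer of the configuration cares about: whether the bind is TLS-protected
    and whether the query scope is the whole forest or one domain.
    """
    url = url.strip()
    if "://" not in url:            # 'protocol' component omitted -> plain ldap
        url = "ldap://" + url
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"unsupported protocol {scheme!r}; use ldap or ldaps")
    host = parts.hostname
    if not host:
        raise ValueError("address component missing")
    port = parts.port if parts.port is not None else DEFAULT_PORT[scheme]
    forestwide = port in GLOBAL_CATALOG_PORTS
    return {
        "url": f"{scheme}://{host}:{port}",
        # With plain 'ldap' the bind credentials are not protected by TLS on the wire.
        "encrypted": scheme == "ldaps",
        "scope": "forest (Global Catalog)" if forestwide
                 else "single domain (Domain Controller)",
    }


if __name__ == "__main__":
    # The four example URLs from the article.
    for example in ("192.168.123.45", "ldaps://192.168.123.45",
                    "ldap://192.168.234.56:3268", "ldaps://ad1.company.local:3269"):
        info = expand_ldap_url(example)
        print(f"{example:32} -> {info['url']:36} encrypted={info['encrypted']} scope={info['scope']}")
```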

Note: If you use 'userPrincipalName' in your filter, users must log on with the full domain username (for example 'testuser@mycompany.com'). If you want users to log on with the username only (in this case 'testuser'), use 'sAMAccountName' instead!
