LDAP - Active Directory - Global Catalog

Authenticating users from an entire Active Directory forest (not only from a single domain) is possible in NoTouch Center. For this, the NoTouch Center (NTC) appliance must be configured to talk to an Active Directory Global Catalog server. The LDAP Server URL in NoTouch Center's Configuration/Authentication has the general format protocol://address:port

Depending on how NoTouch Center should talk to the LDAP server (encrypted vs. unencrypted, domain-wide vs. forest-wide), the URL components are as follows:


URL Component | Value                    | Comment
------------- | ------------------------ | -------------------------------------------------------------------
protocol      | ldap                     | Unencrypted LDAP connection. This is the default and is used when the protocol component is omitted. Note that a simple bind over plain ldap sends the bind account's password in clear text.
protocol      | ldaps                    | LDAP over TLS (LDAPS), i.e. an SSL/TLS-encrypted connection. Preferred.
address       | <IP>, <hostname>, <FQDN> | IP address, hostname, or fully-qualified domain name of the LDAP server.
port          | 389                      | Default port for unencrypted domain-wide LDAP queries. Only the Domain Controller of a single domain is queried.
port          | 636                      | Default port for encrypted domain-wide LDAPS queries. Only the Domain Controller of a single domain is queried.
port          | 3268                     | Port for unencrypted forest-wide LDAP queries. A Global Catalog server is queried.
port          | 3269                     | Port for encrypted forest-wide LDAPS queries. A Global Catalog server is queried.


When the port component is omitted, it defaults to 389 for the ldap protocol and to 636 for the ldaps protocol. In both cases only the Domain Controller of a single domain is queried. For Global Catalog queries the port must therefore always be specified explicitly: 3268 for unencrypted and 3269 for encrypted connections. The port must also match the protocol: ldap:// on 3269 (or ldaps:// on 3268) will not complete a connection, because one side expects a TLS handshake and the other does not.

Here are a few examples of valid LDAP URLs:

URL                            | Comment
------------------------------ | -----------------------------------------------------------------------
192.168.123.45                 | protocol and port omitted. Expands to ldap://192.168.123.45:389. A single Active Directory Domain Controller is queried.
ldaps://192.168.123.45         | port omitted, encrypted ldaps protocol given. Expands to ldaps://192.168.123.45:636. A single Active Directory Domain Controller is queried.
ldap://192.168.234.56:3268     | The Global Catalog server at 192.168.234.56 is queried over an unencrypted LDAP connection.
ldaps://ad1.company.local:3269 | The Global Catalog server at ad1.company.local is queried over an SSL/TLS-encrypted LDAPS connection.
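As an added example (this is not NoTouch Center code), the following Python helper expands an LDAP Server URL exactly as the rules above describe and reports what a reviewer would want to know before saving the setting: whether a single Domain Controller or the Global Catalog is queried, whether the protocol and port agree, and whether the bind password would travel in clear text. The URL grammar, the function names and the wording of the notes are assumptions made for this example; the sample URLs are the ones from the table above.

```python
"""Normalize and sanity-check a NoTouch Center style LDAP Server URL.

Added example, not NoTouch Center code. Expansion rules as documented:
  - omitted protocol -> ldap
  - omitted port     -> 389 for ldap, 636 for ldaps
  - 389 / 636        -> domain-wide query, a single Domain Controller answers
  - 3268 / 3269      -> forest-wide query, a Global Catalog server answers
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed grammar for the protocol://address:port form; the address may be an
# IPv4 address, a hostname/FQDN or a bracketed IPv6 literal.
_URL_RE = re.compile(
    r"^(?:(?P<protocol>ldaps?)://)?"
    r"(?P<address>\[[0-9A-Fa-f:.]+\]|[^\s/:\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?/?$"
)

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
# Documented ports mapped to whether they expect a TLS (ldaps) connection.
DOMAIN_PORTS = {389: False, 636: True}            # single Domain Controller
GLOBAL_CATALOG_PORTS = {3268: False, 3269: True}  # Global Catalog, forest-wide


@dataclass(frozen=True)
class LdapTarget:
    protocol: str
    address: str
    port: int

    @property
    def url(self) -> str:
        """The fully expanded form, e.g. ldap://192.168.123.45:389."""
        return f"{self.protocol}://{self.address}:{self.port}"

    @property
    def encrypted(self) -> bool:
        return self.protocol == "ldaps"

    @property
    def forest_wide(self) -> bool:
        """True when the URL points at a Global Catalog port."""
        return self.port in GLOBAL_CATALOG_PORTS


def parse_ldap_url(url: str) -> LdapTarget:
    """Expand a possibly abbreviated LDAP Server URL to protocol/address/port."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a valid LDAP server URL: {url!r}")
    protocol = m.group("protocol") or "ldap"
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[protocol]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {url!r}")
    return LdapTarget(protocol, m.group("address"), port)


def review_target(t: LdapTarget) -> list[str]:
    """Return the notes and warnings a reviewer would raise for this target."""
    notes: list[str] = []
    if t.port in GLOBAL_CATALOG_PORTS:
        notes.append("forest-wide: a Global Catalog server is queried; "
                     "set Base to the forest root DN")
        expected_tls = GLOBAL_CATALOG_PORTS[t.port]
    elif t.port in DOMAIN_PORTS:
        notes.append("domain-wide: only a single Domain Controller is queried")
        expected_tls = DOMAIN_PORTS[t.port]
    else:
        notes.append(f"non-standard port {t.port}: not a documented DC or GC port")
        expected_tls = None
    # ldap:// on a TLS port (or ldaps:// on a plain port) cannot complete a handshake.
    if expected_tls is not None and expected_tls != t.encrypted:
        want = "ldaps" if expected_tls else "ldap"
        notes.append(f"MISMATCH: port {t.port} expects {want}:// "
                     f"but the URL uses {t.protocol}://")
    if not t.encrypted:
        notes.append("WARNING: plain ldap; a simple bind sends the bind "
                     "password in clear text")
    return notes


if __name__ == "__main__":
    # The article's four examples plus one deliberately mismatched URL.
    for u in ("192.168.123.45", "ldaps://192.168.123.45",
              "ldap://192.168.234.56:3268", "ldaps://ad1.company.local:3269",
              "ldap://ad1.company.local:3269"):
        t = parse_ldap_url(u)
        print(f"{u:32} -> {t.url}")
        for n in review_target(t):
            print(f"{'':32}    {n}")
```

Run it as a script to see each URL expanded next to its review notes; the last URL in the list shows the protocol/port mismatch case that a plain reading of the table does not make obvious.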

For URLs pointing to a Global Catalog server, the Base parameter in NoTouch Center's Authentication configuration should be set to the distinguished name of the forest root domain (for the forest whose root domain is company.local that would be DC=company,DC=local), so that searches span all domains of the forest. Keep in mind that the Global Catalog holds only a partial replica of each domain's objects, i.e. only the attributes marked for replication to the Global Catalog; attributes outside that set are not returned by a query against port 3268/3269.

Note: If your filter matches on userPrincipalName, users must log on with their full domain user name (for example testuser@mycompany.com). If you want users to log on with the user name only (in this case testuser), use sAMAccountName instead. Be aware that sAMAccountName is only unique within one domain, so in a forest-wide search the same user name may exist in more than one domain.



