...
Microsoft Active Directory
Port
...
Standard LDAP
If all users reside under the same single-depth container (e.g., CN=Users,DC=example,DC=edu), the standard ports can likely be used:
- 389 for plain-old LDAP or LDAP with StartTLS. Note: StartTLS is only available on Windows Server 2003 and later.
- 636 for LDAPS
Searches using the above connection information may encounter and need to handle referrals (see Referrals below).
Global Catalog
If users are spread across multiple containers (e.g., CN=Staff,DC=example,DC=edu and CN=Faculty,DC=example,DC=edu) or if the standard connection method (above) doesn't work, the global catalog ports can be used:
- 3268 for plain-old LDAP or LDAP with StartTLS. Note: StartTLS is only available on Windows Server 2003 and later.
- 3269 for LDAPS
As a general note, the global catalog supports searches across the entire forest. Attributes that are to be released to the CAS server will have to be specified as part of the Partial Attribute Set (PAS) in Active Directory.
Bind DN
Active Directory authenticates users against its internal Kerberos realm. Therefore the principal name used for the bindDn configuration option should be a Kerberos principal name, user@domain, not a DN such as cn=user,ou=Users,dc=example,dc=org.
...
When performing a standard LDAP search on port 389/636, under some circumstances Active Directory will return LDAP referrals as a part of the LDAP result set. For example, this is known to occur when using a domain DN as the LDAP search base (e.g. dc=example,dc=org) as opposed to a lower-level container (e.g. cn=Users,dc=example,dc=org). These referrals must be followed for the connector to complete the query successfully. This entails adding a configuration parameter to the LDAP data connector configuration:
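The following is an added example, not code from the original page or from the CAS/IdP software it describes. It captures the three rules above in checkable form: the port choice between standard and global catalog endpoints, the requirement that bindDn be a Kerberos principal rather than a DN, and the handling of referrals. For referrals it adds a check a deployer will want when enabling referral chasing: parse the referral URL and only follow it when the named host is inside the forest and keeps the expected TLS guarantee, because a followed referral makes the connector re-bind with its service credentials to whichever host the referral names. The forest name example.edu and the DomainDnsZones referral URL are constructed sample values.

```python
"""Configuration checks for an Active Directory LDAP connector.

Added example: encodes the port, bind-principal and referral rules from the
page. The forest name and referral URLs used below are constructed samples.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Port table from the page: standard LDAP versus global catalog.
STANDARD_PORTS = {"ldap": 389, "starttls": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {"ldap": 3268, "starttls": 3268, "ldaps": 3269}


@dataclass(frozen=True)
class Endpoint:
    port: int
    global_catalog: bool
    may_return_referrals: bool  # standard-port searches may have to chase referrals


def choose_endpoint(users_in_multiple_containers: bool, mode: str) -> Endpoint:
    """Pick the AD port for a connection mode ('ldap', 'starttls' or 'ldaps').

    Users spread across several containers need the global catalog; a single
    container can use the standard ports but must be prepared for referrals.
    """
    mode = mode.lower()
    if mode not in STANDARD_PORTS:
        raise ValueError(f"unknown connection mode: {mode!r}")
    if users_in_multiple_containers:
        return Endpoint(GLOBAL_CATALOG_PORTS[mode], True, False)
    return Endpoint(STANDARD_PORTS[mode], False, True)


def is_kerberos_principal(bind_dn: str) -> bool:
    """AD expects bindDn as user@domain (a Kerberos principal), not an LDAP DN."""
    value = bind_dn.strip()
    if "=" in value or "," in value:  # looks like cn=...,dc=... i.e. a DN
        return False
    user, sep, realm = value.partition("@")
    return bool(sep) and bool(user) and "." in realm


@dataclass(frozen=True)
class Referral:
    scheme: str
    host: str
    port: int
    base_dn: str


def parse_referral(url: str) -> Referral:
    """Parse an LDAP URL of the kind AD returns as a referral (RFC 4516 subset)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP referral URL: {url!r}")
    default_port = 636 if parts.scheme == "ldaps" else 389
    return Referral(parts.scheme, parts.hostname.lower(),
                    parts.port or default_port, unquote(parts.path.lstrip("/")))


def referral_allowed(url: str, forest_domain: str, require_tls: bool = True) -> bool:
    """Chase a referral only if it stays inside the forest and keeps TLS.

    Following an arbitrary referral would make the connector re-bind, with its
    service credentials, to whatever host the referral names.
    """
    try:
        ref = parse_referral(url)
    except ValueError:
        return False
    forest = forest_domain.lower()
    in_forest = ref.host == forest or ref.host.endswith("." + forest)
    tls_ok = ref.scheme == "ldaps" or not require_tls
    return in_forest and tls_ok


if __name__ == "__main__":
    # Constructed referrals, as AD might return for a search based at dc=example,dc=edu.
    sample_referrals = [
        "ldap://DomainDnsZones.example.edu/DC=DomainDnsZones,DC=example,DC=edu",
        "ldaps://dc1.example.edu:3269/DC=example,DC=edu",
        "ldaps://other.example.net/DC=example,DC=edu",
    ]
    print(choose_endpoint(False, "ldaps"), is_kerberos_principal("svc-cas@example.edu"))
    for url in sample_referrals:
        print(referral_allowed(url, "example.edu"), url)
```

In a deployment the allow-list check would sit between the connector's referral handler and the re-bind; with plain LDAP on 389 the DomainDnsZones referral above is rejected unless require_tls is turned off, which is the intended default.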
...