LDAP Queries to Windows Global Catalog

From: dln (dnadon_nospm_at_hotmail.com)
Date: 10/29/04


Date: 29 Oct 2004 07:22:38 -0700

Hello all,

I really hope this is the correct newsgroup to post this question
against - I've had a hard time tracking down a good place to post it
and I've tried a few of the MS newsgroups with no response, but I
could really use some help - if I'm in the wrong place please direct
me to a more appropriate venue.

I'm trying to solve a particular issue at our site where we need to
authenticate users logging into UNIX boxes against our site's AD and
Kerberos servers. After reading the documentation at
http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en,
I've been able to successfully authenticate against a single domain.
However, I would like to expand the authentication scenario so that on
a few of our UNIX boxes any user in any domain under the same AD
forest could log into the box. I figure that instead of doing a
domain LDAP query (port 389), I need to make a query against the
Global Catalog (port 3268), but I can't figure out the configuration I
need. I have tried changing my /etc/ldap.conf configuration to query
on port 3268 and use a common search root, but it doesn't work. I've
tried the following configurations (although not all at once) in my
/etc/ldap.conf file:

  # "gc" works with some Windows tools, but I don't know if OpenLDAP
supports it
  uri gc://<fully qualified host name>
  # port 3268 being the port the global catalog server listens on
  uri ldap://<fully qualified host name>:3268
  # this works, but I can only query a single domain at a time
  uri ldap://<fully qualified host name>

I've verified that Kerberos authentication works by using kinit. I've
also used ldapsearch to successfully make an ldap query against the
Global Catalog. Unfortunately I'm at a loss to figure out how to get
the system to query the GC for account information.

Does anybody know of any documentation out there that could aid me and
has anybody else successfully gotten this type of configuration to
work? Any and all help would be appreciated (and again, really sorry
if this isn't the right newsgroup).

dln
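One check worth doing before tuning the port or the search base, offered here as an added example and not as anything from the original post: a Global Catalog holds only the partial attribute set of every object in the forest, and the POSIX attributes nss_ldap reads to build a passwd entry (uidNumber, gidNumber, unixHomeDirectory and loginShell in the Windows Server 2003 R2 schema, or the msSFU30-prefixed equivalents with SFU 3.x) are not replicated to the GC unless an administrator has marked them for GC replication in the schema. An ldapsearch against port 3268 can therefore succeed and still return objects that nss_ldap cannot turn into accounts. The script below parses ldapsearch LDIF output from a domain controller and from a GC and reports, per account, which required attributes the GC copy lacks. The host names, DNs, account data and the function names are constructed for illustration.

```python
"""Report which attributes nss_ldap needs for passwd entries are missing from
a Global Catalog (port 3268) copy of a user, compared with the full object
on a domain controller (port 389).

Added example, not code from the original post; host names, DNs, account
data and helper names are constructed. Typical use:
  ldapsearch -LLL -Y GSSAPI -H ldap://dc1.corp.example.com:389 \\
      -b dc=corp,dc=example,dc=com '(sAMAccountName=alice)' > dc.ldif
  ldapsearch -LLL -Y GSSAPI -H ldap://dc1.corp.example.com:3268 \\
      -b dc=example,dc=com '(sAMAccountName=alice)' > gc.ldif
  python3 gc_attr_check.py dc.ldif gc.ldif
"""
import base64
import sys

# RFC 2307 attributes (Windows Server 2003 R2 schema names) a typical nss_ldap
# passwd map reads; a GC returns them only if they are in the partial attribute set.
REQUIRED_PASSWD_ATTRS = (
    "sAMAccountName", "uidNumber", "gidNumber",
    "unixHomeDirectory", "loginShell",
)


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr_lowercase: [values]} dicts:
    unfolds continuation lines (leading space), decodes 'attr:: base64'
    values, skips comments and the version/search/result/ref lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if line[0] == "#" or name in ("version", "search", "result", "ref"):
            continue
        if rest.startswith(":"):                # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current = current if current is not None else {}
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_attrs(entry, required=REQUIRED_PASSWD_ATTRS):
    """Required attributes absent from one parsed entry (LDAP names are
    case-insensitive, hence the lower-cased comparison)."""
    return tuple(a for a in required if a.lower() not in entry)


def compare_dc_gc(dc_ldif, gc_ldif):
    """Map every sAMAccountName in either output to the attributes its GC
    copy lacks. Accounts the GC did not return map to ('<not in GC>',);
    accounts only the GC returned (other domains) are checked as well."""
    def by_account(entries):
        return {e["samaccountname"][0].lower(): e
                for e in entries if "samaccountname" in e}
    dc, gc = by_account(parse_ldif(dc_ldif)), by_account(parse_ldif(gc_ldif))
    return {name: ("<not in GC>",) if name not in gc else missing_attrs(gc[name])
            for name in sorted(set(dc) | set(gc))}


# Constructed sample output in the shape ldapsearch -LLL prints: the DC has the
# full object; the GC copy carries uidNumber/gidNumber but not home dir and shell.
DC_SAMPLE = """\
dn: CN=alice,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: alice
displayName:: QWxpY2Ugw5x0emVy
description: Pilot account for UNIX logins; see ticket 1
 234
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash
"""
GC_SAMPLE = """\
dn: CN=alice,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=eng,DC=example,DC=com
sAMAccountName: bob
"""

if __name__ == "__main__":
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] if len(sys.argv) == 3 else [DC_SAMPLE, GC_SAMPLE]
    for account, missing in compare_dc_gc(*texts).items():
        print(account + ": " + ("ok" if not missing else "GC lacks " + ", ".join(missing)))
```

Run without arguments it works through the constructed samples and reports that the GC copy of alice lacks unixHomeDirectory and loginShell, and that bob (from the other domain, which is exactly what a forest-wide lookup is meant to find) lacks all four POSIX attributes. Binding with -Y GSSAPI reuses the ticket kinit already obtained, so no password crosses the wire; port 3268 is cleartext LDAP, and a simple bind there should go over 3269 (GC over SSL) or TLS instead. OpenLDAP's client library only understands the ldap://, ldaps:// and ldapi:// schemes, so the gc:// form is not parsed; ldap://host:3268 with the forest root as the base (and nss_base_passwd covering it with sub scope) is the form to test. Any attribute the report shows as missing has to be added to the partial attribute set in the schema before a GC-based nss_ldap configuration can produce passwd entries; until then the lookups have to stay on port 389, one domain at a time.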


