licorbiosciences
asked on
How to test LDAP connection on Active Directory?
I need to use LDAP to authenticate against Active Directory 2003. At this point, we are not even sure what port AD is using to accept LDAP queries.
What is the easiest method and utility to use to simply test that we can successfully connect to Active Directory via LDAP?
Currently I'm trying to use Microsoft's LDP.EXE to connect to Active Directory at the port we *think* LDAP is running on, but it just hangs for about 20 minutes at:
ld = ldap_open("ad2.licor.com", 3389);
Established connection to ad2.licor.com.
Retrieving base DSA information...
and then says:
Server error: <empty>
Error<82>: ldap_parse_result failed: Local Error
Getting 0 entries:
-----------
The default port is 389; that may be your only problem.
(if it were LDAP over SSL, the port is 636 I believe)
By default, you access LDAP on AD via port 389.
3389 is used for remote desktop.
You might have been thinking of port 3268, which is for the Global Catalog, as you can see here: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_bsad.mspx?mfr=true
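An added example, not from this thread and not Microsoft's LDP: a stand-alone Python probe that does what LDP's "Retrieving base DSA information..." step does, an anonymous LDAPv3 bind followed by a base-scope search of the RootDSE, with the BER encoding written by hand so it needs only the standard library. It separates the outcomes that matter in this question: connection refused (nothing listening), TCP accepted but no LDAP reply within the timeout (the likely result when something other than LDAP, such as Remote Desktop on 3389, owns the port), and a genuine LDAP answer, in which case it returns the DC's defaultNamingContext and dnsHostName. The host and port come from the command line; message IDs below 128 are assumed so the INTEGER encoding stays one byte.

```python
"""Probe host:port the way LDP's "Retrieving base DSA information" step does:
TCP connect, anonymous LDAPv3 bind, then read the RootDSE.  Raw BER, stdlib only."""
import socket

def ber(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def ber_read(buf):
    """Decode the TLV at the head of buf -> (tag, value, bytes after it)."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[i:i + n], buf[i + n:]

def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }  (msg_id < 128 assumed)"""
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def bind_request(msg_id=1):
    """BindRequest [APPLICATION 0]: version 3, empty DN, empty simple password = anonymous."""
    return ldap_message(msg_id, ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")))

def rootdse_request(msg_id=2):
    """SearchRequest [APPLICATION 3]: base "", scope baseObject, filter (objectClass=*)."""
    body = (ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")   # base "", baseObject, neverDeref
            + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")  # no size/time limit, typesOnly FALSE
            + ber(0x87, b"objectClass")                                  # filter: present [7] objectClass
            + ber(0x30, ber(0x04, b"defaultNamingContext") + ber(0x04, b"dnsHostName")))
    return ldap_message(msg_id, ber(0x63, body))

def parse_message(raw):
    """Split an LDAPMessage into (messageID, op tag, op payload); reject non-LDAP bytes."""
    tag, msg, _ = ber_read(raw)
    if tag != 0x30:
        raise ValueError("first byte 0x%02x is not an LDAPMessage: the port answered, but not with LDAP" % tag)
    _, mid, rest = ber_read(msg)
    op_tag, op, _ = ber_read(rest)
    return int.from_bytes(mid, "big"), op_tag, op

def parse_result(op):
    """LDAPResult { resultCode, matchedDN, diagnosticMessage } -> (code, diagnostic)."""
    _, code, rest = ber_read(op)
    _, _matched, rest = ber_read(rest)
    _, diag, _ = ber_read(rest)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def parse_entry(op):
    """SearchResultEntry { objectName, attributes SEQUENCE OF { type, SET OF value } } -> dict."""
    _, _dn, rest = ber_read(op)
    _, attrs, _ = ber_read(rest)
    out = {}
    while attrs:
        _, attr, attrs = ber_read(attrs)
        _, name, set_tlv = ber_read(attr)
        _, vals, _ = ber_read(set_tlv)
        values = out.setdefault(name.decode(), [])
        while vals:
            _, v, vals = ber_read(vals)
            values.append(v.decode("utf-8", "replace"))
    return out

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def read_message(sock):
    """Read one whole LDAPMessage (the RootDSE reply usually carries a long-form length)."""
    head = _recv_exact(sock, 2)
    n = head[1]
    if n & 0x80:
        head += _recv_exact(sock, n & 0x7F)
        n = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, n)

def probe(host, port, timeout=5.0):
    """Return RootDSE attributes if host:port speaks LDAP; raise with a reason otherwise."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1))
        try:
            _, tag, op = parse_message(read_message(s))
        except socket.timeout:
            raise TimeoutError("TCP connect worked but nothing answered the bind in %.0fs: "
                               "the listener is not LDAP" % timeout) from None
        code, diag = parse_result(op)
        if tag != 0x61 or code != 0:
            raise PermissionError("bind rejected: resultCode %d %s" % (code, diag))
        s.sendall(rootdse_request(2))
        entry = {}
        while True:
            _, tag, op = parse_message(read_message(s))
            if tag == 0x64:
                entry.update(parse_entry(op))
            elif tag == 0x65:      # SearchResultDone
                return entry

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python ldap_probe.py ad2.licor.com 389`, then again with 3268 for the Global Catalog, which answers the same bind. Ports 636 and 3269 are LDAP inside TLS, so this plain-TCP probe will time out on them; that is expected, not evidence that nothing is there. Any host that returns a RootDSE anonymously is a domain controller, so this also settles the "are we pointed at the right server?" question.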
ASKER
Hey, everybody, I *know* the default port is 389. This was changed by a previous administrator on install to, we believe, 3389 or one of the following:
Port State Service
53/tcp open domain
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1040/tcp open unknown
1050/tcp open java-or-OTGfileshare
1066/tcp open unknown
1723/tcp open pptp
3028/tcp open unknown
3389/tcp open ms-term-serv
8080/tcp open tomcat5
8400/tcp open unknown
8402/tcp open unknown
10250/tcp open unknown
You cannot change the LDAP port to a port which is already in use by another service.
Use PortQry to locate the LDAP port:
"How to Use Portqry to Troubleshoot Active Directory Connectivity Issues"
http://support.microsoft.com/kb/310456
Presumably, you have tried 389 with no success then?
From what he has posted 389 is not open.
Check your DNS server: the _msdcs zone should contain _ldap records for your server; if the port was changed, maybe the DNS record will have the correct port number defined.
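An added example, not part of the thread: a Python script that reads the SRV records a domain registers in DNS (the _ldap._tcp.dc._msdcs.<domain> and _gc._tcp.<domain> names) from Windows `nslookup -type=SRV` output and lists the host:port pairs the domain actually advertises for LDAP and the Global Catalog, so you probe the right server on the right port instead of guessing from a port scan. The sample output embedded below is constructed, with invented hostnames and addresses under example.com; the record names themselves are the standard ones AD registers.

```python
"""Parse Windows `nslookup -type=SRV` output for the records Active Directory
registers in DNS and list the LDAP / Global Catalog endpoints they advertise."""
import re
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "service host port priority weight")

# Constructed sample of Windows nslookup output for
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
#   nslookup -type=SRV _gc._tcp.example.com
# Hostnames and addresses are invented for this example.
SAMPLE_NSLOOKUP = """\
Server:  dns1.example.com
Address:  10.0.0.1

_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ad1.example.com
_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 10
          weight         = 100
          port           = 389
          svr hostname   = ad2.example.com
_gc._tcp.example.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = ad1.example.com
ad1.example.com internet address = 10.0.0.5
"""

_HEADER = re.compile(r"^(\S+)\s+SRV service location:")
_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")

def _finish(fields):
    return Endpoint(fields["service"], fields["svr hostname"].rstrip("."),
                    int(fields["port"]), int(fields["priority"]), int(fields["weight"]))

def parse_srv(text):
    """Turn nslookup's multi-line SRV blocks into Endpoint records, in printed order."""
    records, cur = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:                       # a new "<name> SRV service location:" block starts
            if cur:
                records.append(_finish(cur))
            cur = {"service": m.group(1)}
            continue
        m = _FIELD.match(line)
        if m and cur is not None:   # indented field lines belong to the current block
            cur[m.group(1)] = m.group(2)
    if cur:
        records.append(_finish(cur))
    return records

def preferred(records, service):
    """The record a client tries first: lowest priority, then highest weight; None if absent."""
    cands = [r for r in records if r.service == service]
    return min(cands, key=lambda r: (r.priority, -r.weight)) if cands else None

def ports_for_host(records, host):
    """Every service:port the domain advertises on one specific DC (case- and dot-insensitive)."""
    host = host.rstrip(".").lower()
    return {r.service: r.port for r in records if r.host.lower() == host}

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NSLOOKUP
    for r in parse_srv(text):
        print("%-40s %s:%d (priority %d, weight %d)" % r)
```

Pipe real output in with `nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain | python srv_endpoints.py`; run without input and it parses the embedded sample. A server that is missing from `_ldap._tcp.dc._msdcs` is not advertising itself as a domain controller, which is the quickest way to notice you are scanning the wrong box.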
ASKER
Nice tool. I've tried quite a few but hadn't run across this one. Thx!
ASKER
toniur,
Sweet! Your suggestion to check the DNS server on AD was right on. Turns out LDAP is on 3268.
The previous port scan doesn't show 3268 because we were originally pointing at the wrong server! duh!
thx
I already point out 3268 in my first post. I guess you didn't look at that?
ASKER
ckimiball99,
You were absolutely right on target with the expected LDAP port. I did see your post. At that particular moment, my colleague and I were focused on a secondary AD server that we shouldn't have been pointing at. Mea culpa and many kudos to you!
LDAP port is 389 not 3389.
HTH
Toni