licorbiosciences asked:
How to test LDAP connection on Active Directory?

I need to use LDAP to authenticate against Active Directory 2003. At this point, we are not even sure what port AD is using to accept LDAP queries.

What is the easiest method and utility to use to simply test that we can successfully connect to Active Directory via LDAP?

Currently I'm trying to use Microsoft's LDP.EXE to connect to Active Directory at the port we *think* LDAP is running on, but it just hangs for about 20 minutes at:

ld = ldap_open("ad2.licor.com", 3389);
Established connection to ad2.licor.com.
Retrieving base DSA information...

and then says:

Server error: <empty>
Error<82>: ldap_parse_result failed: Local Error
Getting 0 entries:
-----------

Toni Uranjek:

Hi licorbiosciences,

LDAP port is 389 not 3389.

HTH

Toni
default port is 389; that may be your only problem.

(if it were ldap over ssl the port is 636 I believe)
brwwiggins (asker certified solution):
By default, you access LDAP on AD via port 389.

3389 is used for remote desktop.

You might have been thinking of port 3268, which is for the Global Catalog, as you can see here: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_bsad.mspx?mfr=true
licorbiosciences (asker):

Hey, everybody, I *know* the default port is 389. This was changed by a previous administrator on install to, we believe, 3389 or one of the following:

Port       State       Service
53/tcp     open        domain
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1025/tcp   open        NFS-or-IIS
1040/tcp   open        unknown
1050/tcp   open        java-or-OTGfileshare
1066/tcp   open        unknown
1723/tcp   open        pptp
3028/tcp   open        unknown
3389/tcp   open        ms-term-serv
8080/tcp   open        tomcat5
8400/tcp   open        unknown
8402/tcp   open        unknown
10250/tcp  open        unknown
You cannot change the LDAP port to a port which is already in use by another service.

Use Portqry to locate the LDAP port:

"How to Use Portqry to Troubleshoot Active Directory Connectivity Issues"
http://support.microsoft.com/kb/310456
Presumably, you have tried 389 with no success then?
From what he has posted, 389 is not open.

Check your DNS server, the _msdcs zone, which should contain _ldap records for your server; if the port was changed, the DNS record may have the correct port number defined.
Nice tool. I've tried quite a few but hadn't run across this one. Thx!
toniur,

Sweet! Your suggestion to check the DNS server on AD was right on. Turns out LDAP is on 3268.

The previous port scan doesn't show 3268 because we were originally pointing at the wrong server!  duh!

thx
I already pointed out 3268 in my first post. I guess you didn't look at that?
ckimiball99,

You were absolutely right on target with the expected LDAP port. I did see your post. At that particular moment, my colleague and I were focused on a secondary AD server that we shouldn't have been pointing at. Mea culpa and many kudos to you!
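The root problem in this thread was LDP.EXE hanging for 20 minutes against a port that does not speak LDAP, and nobody being sure whether the right port was 389, 636, 3268 or something else. As an added example (not from the thread, and not Microsoft's tooling), the script below connects to each port the thread mentions with a short timeout, sends an anonymous LDAPv3 simple BindRequest and reports whether the far end answered with a genuine BindResponse. The DC hostname is taken from the command line; the file name in the usage comment is hypothetical. A resultCode of 0 means the anonymous bind was accepted; any other code (for example 49, invalidCredentials) still proves that port speaks LDAP, while a timeout or an unparseable reply means it does not.

```python
import socket
import sys
# Ports named in the thread: plain LDAP, LDAPS, Global Catalog, and RDP (which never speaks LDAP).
CANDIDATE_PORTS = {389: "ldap", 636: "ldaps", 3268: "global catalog", 3389: "rdp, not LDAP"}
def ber(tag, payload):
    """Short-form BER TLV; enough for a bind request, which is well under 128 bytes."""
    return bytes([tag, len(payload)]) + payload

def bind_request(msg_id=1):
    """LDAPv3 anonymous simple BindRequest (RFC 4511): empty name, empty password."""
    version = ber(0x02, b"\x03")                  # INTEGER 3
    name = ber(0x04, b"")                         # LDAPDN ""
    simple = ber(0x80, b"")                       # [0] simple credentials ""
    op = ber(0x60, version + name + simple)       # [APPLICATION 0] BindRequest
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def tlv(buf, pos):
    """Read one BER TLV (short or long length form) at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long form: next ln&0x7F bytes hold the length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_result(data):
    """Return the resultCode of an LDAP BindResponse, or None if data is not one."""
    try:
        tag, body, _ = tlv(data, 0)               # LDAPMessage SEQUENCE
        t1, _, p = tlv(body, 0)                   # messageID INTEGER
        t2, op, _ = tlv(body, p)                  # [APPLICATION 1] BindResponse
        t3, code, _ = tlv(op, 0)                  # ENUMERATED resultCode
    except IndexError:
        return None
    if (tag, t1, t2, t3) != (0x30, 0x02, 0x61, 0x0A):
        return None
    return int.from_bytes(code, "big")

def probe(host, port, timeout=5.0):
    """Connect with a timeout, send an anonymous bind, classify the reply. No 20-minute hang."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request())
            data = s.recv(4096)
    except OSError as e:
        return "no LDAP reply (%s)" % e
    code = parse_bind_result(data)                # a TLS-only port (636) never answers plaintext
    return "not plain LDAP" if code is None else "LDAP bind resultCode %d" % code

if __name__ == "__main__":                        # usage: python ldap_probe.py <dc-hostname>
    for port, label in CANDIDATE_PORTS.items():
        print("%5d %-16s %s" % (port, label, probe(sys.argv[1], port)))
```

Port 636 will always report "not plain LDAP" here because it expects a TLS handshake first; wrap the socket with ssl if you need to confirm LDAPS as well.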