Two simple questions about AD (LDAP)

  • Question

  • Hi,

    First: Can anybody tell me what the exact difference is between the default LDAP port (389) and port 3268? I get different results with the same LDAP query!

    Second: Consider this simple LDAP query on the AD server:

    $ ldapsearch -D cn=Administrator,cn=Users,dc=domain -h AD-server -p 3268 -v -W -x -b "cn=Jack Public,cn=users,dc=domain"
    ldap_initialize( ldap://AD-server:3268 )
    filter: (objectclass=*)
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base <cn=Jack Public,cn=users,dc=domain> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # Jack Public, Users, domain
    dn: CN=Jack Public,CN=Users,DC=domain
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Jack Public
    sn: Public
    givenName: Jack
    distinguishedName: CN=Jack Public,CN=Users,DC=domain
    instanceType: 4
    whenCreated: 20100922135739.0Z
    whenChanged: 20100922155508.0Z
    displayName: Jack Public
    uSNCreated: 49756
    memberOf: CN=group1,CN=Users,DC=domain
    uSNChanged: 49881
    name: Jack Public
    objectGUID:: Ubpavg4LGEOwCOsuVUQfsA==
    userAccountControl: 512
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAASSvEIpE9X0G7TptCZQQAAA==
    sAMAccountName: jack
    sAMAccountType: 805306368
    userPrincipalName: jack@domain
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain
    dSCorePropagationData: 16010101000000.0Z
    lastLogonTimestamp: 129296445082930721
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    Why does the field memberOf not contain the group "Domain Users"? According to the user manager in Windows Server 2008, the user "Jack Public" is also a member of "Domain Users" (this is of course the case for all users who are domain users).


    Regards, Peter


    Thursday, September 23, 2010 11:56 AM

All replies

  • In the first case, you are querying domain naming context - in the second, a view of that partition which is exposed via Global Catalog

    memberOf attribute does not contain Domain Users since that group is designated as primary - http://support.microsoft.com/kb/275523

    hth
    Marcin

    Thursday, September 23, 2010 12:11 PM
    389 returns a search for objects from this domain. It has a complete set of all attributes each object contains, whereas 3268 is attaching to the Global Catalog. The Global Catalog is a Read Only replica which contains a Partial Attribute Set (PAS) of objects within the forest, so it holds certain replicate objects from all domains. You can search the GC to locate objects from any domain without having to know the domain name itself.

    Global Catalog

    http://technet.microsoft.com/en-us/library/cc978012.aspx

    http://technet.microsoft.com/en-us/library/cc728188(WS.10).aspx

    Domain Users is a special group, and no user has this group set within the memberOf attribute as long as their primary group is Domain Users. All users by default have their "Primary" group as Domain Users.

    http://stackoverflow.com/questions/525021/domain-users-group-is-empty-when-i-use-directoryservices-member-property

    Thursday, September 23, 2010 12:19 PM
  • Aaah, I see. So "Domain Users" is the field

    primaryGroupID: 513

    in the query above? So in general I can be sure that each "normal" user has "Domain User" as primary group?

    To "domain naming context" vs "global catalog": Sorry I am new to AD (used OpenLDAP until now). Global Catalog means all domains and domain naming context (port 389) only the current? So in my case there is only one domain; this means that both should be more or less equivalent.

    What is the preferred way of access? I guess with port 389 then? (later I want to use SSL over LDAP for this).


    Regards Peter


    Thursday, September 23, 2010 12:26 PM
  • As Paul has mentioned, that's the default - so unless you (or someone who manages AD in your environment) decided to change it, this should be the case

    GC will expose attributes of objects which are included in the Partial Attribute Set (http://support.microsoft.com/kb/248717). In a single domain forest, querying the domain partition directly (via port 389) will give you a full set of attributes for every object

    hth
    Marcin

    Thursday, September 23, 2010 12:31 PM
  • 389 has always been my choice since all data will be there.


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup. This
    posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, September 23, 2010 12:32 PM
  • Just to clarify. Every user (and computer) has a primaryGroupID, which is an integer that indicates the "primary" group of the user (or computer). Every group has a corresponding primaryGroupToken attribute. The group "Domain Users" always has primaryGroupToken equal to 513. The default "primary" group for computers is "Domain Computers". Since the group "Domain Computers" has primaryGroupToken = 515, then you would expect computer objects (except DC's) to have primaryGroupID = 515. You can search for all users that have a group other than "Domain Users" designated as their primary with the filter:

    (&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))

    Richard Mueller
    MVP ADSI
    Thursday, September 23, 2010 3:24 PM
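Worked example, added here and not part of the original thread or any poster's code: the relationship Richard, Marcin and Paul describe (primaryGroupID is a RID, the primary group's SID is the domain SID followed by that RID, and that group is never listed in memberOf) carried out in Python on the entry from the question. It uses only the standard library and runs against an inline copy of Jack's attributes rather than a live directory. The second account, "svc-report" with user RID 1200 and a custom primary group with RID 1107, is constructed for this example to exercise the check Richard's filter expresses.

```python
import base64
import struct

DOMAIN_USERS_RID = 513  # primaryGroupToken of "Domain Users", as stated in the thread
WELL_KNOWN_PRIMARY = {513: "Domain Users", 515: "Domain Computers"}


def sid_bytes_to_string(raw: bytes) -> str:
    """Binary objectSid -> "S-1-5-21-..." text form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then N little-endian 32-bit
    sub-authorities. The last sub-authority is the RID.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string (used here to build the constructed entry)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_string_to_b64(sid: str) -> str:
    """Text SID -> the base64 form ldapsearch prints for a binary attribute (objectSid::)."""
    return base64.b64encode(sid_string_to_bytes(sid)).decode("ascii")


def user_sid(entry: dict) -> str:
    return sid_bytes_to_string(base64.b64decode(entry["objectSid"]))


def domain_sid(entry: dict) -> str:
    """Strip the user's own RID (last component) to obtain the domain SID."""
    return user_sid(entry).rsplit("-", 1)[0]


def primary_group_sid(entry: dict) -> str:
    """primaryGroupID holds only a RID; the group's SID is <domain SID>-<RID>."""
    return "%s-%d" % (domain_sid(entry), int(entry["primaryGroupID"]))


def primary_group_name(entry: dict) -> str:
    rid = int(entry["primaryGroupID"])
    return WELL_KNOWN_PRIMARY.get(rid, primary_group_sid(entry))


def effective_groups(entry: dict) -> list:
    """memberOf never lists the primary group, so it is appended explicitly (as a SID)."""
    return list(entry.get("memberOf", [])) + [primary_group_sid(entry)]


def non_default_primary_group(entries: list) -> list:
    """Offline equivalent of Richard's filter
    (&(objectCategory=person)(objectClass=user)(!primaryGroupID=513)):
    user accounts whose primary group is something other than Domain Users."""
    return [e["sAMAccountName"] for e in entries
            if int(e["primaryGroupID"]) != DOMAIN_USERS_RID]


# Constructed copy of the entry from the ldapsearch output in the question
# (same values; "DC=domain" is the poster's placeholder domain).
JACK = {
    "sAMAccountName": "jack",
    "distinguishedName": "CN=Jack Public,CN=Users,DC=domain",
    "memberOf": ["CN=group1,CN=Users,DC=domain"],
    "primaryGroupID": 513,
    "objectSid": "AQUAAAAAAAUVAAAASSvEIpE9X0G7TptCZQQAAA==",
}

# Hypothetical account, constructed for this example only: same domain SID as
# Jack, user RID 1200, primary group changed to a custom group with RID 1107.
SVC_REPORT = {
    "sAMAccountName": "svc-report",
    "distinguishedName": "CN=svc-report,CN=Users,DC=domain",
    "memberOf": [],
    "primaryGroupID": 1107,
    "objectSid": sid_string_to_b64("S-1-5-21-583281481-1096760721-1117474491-1200"),
}

if __name__ == "__main__":
    for e in (JACK, SVC_REPORT):
        print(e["sAMAccountName"], user_sid(e), primary_group_name(e), effective_groups(e))
    print("primary group is not Domain Users:", non_default_primary_group([JACK, SVC_REPORT]))
```

The same arithmetic applies to a live directory: read objectSid and primaryGroupID from the user, build the group SID, and look the group up by objectSid (or compare its primaryGroupToken to the RID) to get its DN. Any tool that audits group membership from memberOf alone will miss the primary group, which is why the thread's filter on primaryGroupID is the right way to find accounts whose primary group was changed from the default.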