There may be a time when you are required to allow anonymous LDAP access to Active Directory so that users can search the address book.

A typical example we had of this need was a recent rollout where there were a number of Macs that were too underpowered to use the Outlook client for Mac. It was decided to use their existing IMAP client, which used an LDAP address book.

LDAP works fine by default with Exchange 2000; however, out of the box it only serves clients that authenticate. Obviously, the Mac IMAP clients do not authenticate to Active Directory.

Active Directory answers LDAP searches on port 389 (the local domain) and on port 3268 (the Global Catalogue, covering all domains in the forest), so if an internal firewall restricts access to these ports (or you want external access), you will need to open them.

More importantly, it is much faster to search the Global Catalogue than the whole Active Directory. This is also how an Outlook client does an address book lookup: it uses the Global Catalogue, so keep this in mind when deploying Exchange 2000 out to remote sites.

The steps required are as follows (the first three on the client, the last in Active Directory):

  1. Change the server name to the Active Directory Domain Controller.
  2. Change the port from 389 (the LDAP port) to 3268 (the Global Catalogue).
  3. Change the search root (see below).
  4. Grant the "Everyone" group READ permissions in Active Directory from the search root downwards (this is what allows access for clients that do not authenticate).

Those of you who used LDAP in Outlook Express with Exchange 5.5 probably found that there was no need to enter a search root. However, you were then only browsing the Exchange directory; with Exchange 2000 you would be searching the whole Active Directory.

You can still do the same with Exchange 2000 by entering the tree root as NULL, but this is neither efficient nor secure. To narrow the search down, let's assume the following:

  • The AD domain is called outlookexchange.com
  • The users are in an Organisational Unit called columnists

The full path to the users is columnists.outlookexchange.com

The LDAP search root (the base DN entered on the client) would then become:

ou=columnists, DC=outlookexchange, DC=com
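To check what the configuration above actually exposes, here is an added example (not code from the article): a standard-library Python probe that performs the same anonymous bind an IMAP client would, against the Global Catalogue port 3268, with the search root above as its base DN, and reports how many entries an unauthenticated client can read once "Everyone" has READ from that root downwards. The host name and the cn/mail attribute list are assumptions.

```python
import socket
# Added example, not the article's own code. Assumed: the GC host name, port 3268,
# the article's search root, and the attributes cn and mail.
def ber(tag, payload):  # one BER TLV with definite length (short or long form)
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def integer(v):  # BER INTEGER, minimal two's-complement encoding
    return ber(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def bind_request(msg_id=1):
    # BindRequest [APPLICATION 0]: version 3, empty DN, empty simple password;
    # an empty name with empty credentials is the anonymous bind of RFC 4513.
    return ber(0x30, integer(msg_id) + ber(0x60, integer(3) + ber(0x04, b"") + ber(0x80, b"")))

def search_request(base_dn, attrs, msg_id=2, size_limit=100):
    # SearchRequest [APPLICATION 3]: base DN, scope wholeSubtree (2), deref never (0),
    # sizeLimit, timeLimit 0, typesOnly FALSE, present filter [7] (objectClass=*), attrs.
    body = (ber(0x04, base_dn.encode()) + ber(0x0A, b"\x02") + ber(0x0A, b"\x00")
            + integer(size_limit) + integer(0) + ber(0x01, b"\x00") + ber(0x87, b"objectClass")
            + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attrs)))
    return ber(0x30, integer(msg_id) + ber(0x63, body))

def read_tlv(buf, pos=0):  # -> (tag, value, position just after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def protocol_ops(raw):  # split a stream of LDAPMessages into (protocolOp tag, value)
    pos, ops = 0, []
    while pos < len(raw):
        _, body, pos = read_tlv(raw, pos)
        ops.append(read_tlv(body, read_tlv(body)[2])[:2])  # skip the messageID
    return ops
def result_code(op):  # resultCode is the first ENUMERATED inside any LDAPResult
    return read_tlv(op)[1][0]

def anonymous_probe(host, base_dn, port=3268, attrs=("cn", "mail")):
    """Anonymous bind on the GC port, subtree search under base_dn, then Unbind.
    Returns (bind resultCode, entries readable with no credentials, search resultCode)."""
    unbind = ber(0x30, integer(3) + ber(0x42, b""))       # server closes the session
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(bind_request() + search_request(base_dn, attrs) + unbind)
        ops = protocol_ops(s.makefile("rb").read())        # read until that close
    done = [op for tag, op in ops if tag == 0x65]          # SearchResultDone
    entries = sum(tag == 0x64 for tag, _ in ops)           # SearchResultEntry
    return result_code(ops[0][1]), entries, (result_code(done[0]) if done else None)
```

Run it from a machine on each network segment the ports were opened to: a bind resultCode of 0 with a non-zero entry count confirms the anonymous access is in place, and anything readable here is readable by every host that can reach port 3268. Note that Windows Server 2003 and later domain controllers answer anonymous searches below rootDSE with resultCode 1 unless dSHeuristics has been set to permit them.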

None of this is documented very well anywhere, so I hope this is helpful.

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008