LDAP access to KIT-AD
Access to the KIT-AD via LDAP
- Advisory services: Jörg Kramer
The service "LDAP access to KIT-AD" provides load balancing for LDAP access to KIT-AD domain controllers. It can be used instead of direct LDAP access to a dedicated KIT-DC.
LDAP access is provided via the server name "kit-ad.scc.kit.edu".
Access is available from the KIT network and requires user authentication. To protect the credentials sent during authentication, the use of TLS or STARTTLS is mandatory.
The load balancing is based on the SCC load balancer BigIP F5. The F5 acts as a proxy: it accepts the following port/TLS combinations and forwards them 1:1 to the KIT-AD domain controllers:
- LDAP TLS on port 636
- LDAP TLS on port 3269
- LDAP STARTTLS on port 389
- LDAP STARTTLS on port 3268
LDAP access on ports 389 and 636 leads to the Domain Partition, while ports 3268 and 3269 lead to the Global Catalog. The differences are explained at http://technet.microsoft.com/en-us/library/cc978012.aspx.
Important: the contents of an Active Directory are inherently dynamic. An object should therefore always be looked up by its CN and never referenced statically by its DN!
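The following client, added here as an example and not code shipped by SCC or the KIT-AD service, puts the port table above and the CN-lookup rule together: it picks the port for the requested partition (Domain Partition or Global Catalog) and transport (LDAPS or STARTTLS), enforces certificate validation, binds as the user, and resolves an object's current DN from its CN with a properly escaped search filter. It assumes the Python ldap3 library; the base DN, the bind account and the CA bundle path are placeholders, since the page does not state them.

```python
"""Look up a KIT-AD object by CN via the kit-ad.scc.kit.edu load balancer.

Added example, not part of the KIT service page.  Assumptions (not from the
page): the ldap3 library; the base DN, bind account and CA bundle below are
placeholders that a real deployment must replace.
"""
import os
import ssl
import sys

HOST = "kit-ad.scc.kit.edu"  # server name from the page
BASE_DN = "DC=example,DC=test"  # PLACEHOLDER: the page gives no base DN

# Port table from the page: port -> (partition, transport).
# Ports 389/636 reach the Domain Partition, 3268/3269 the Global Catalog.
PORTS = {
    389: ("domain", "starttls"),
    636: ("domain", "ldaps"),
    3268: ("global_catalog", "starttls"),
    3269: ("global_catalog", "ldaps"),
}


def port_for(partition, transport):
    """Return the port the F5 proxy expects for a partition/transport pair."""
    for port, (p, t) in PORTS.items():
        if p == partition and t == transport:
            return port
    raise ValueError(f"no port for partition={partition!r} transport={transport!r}")


def escape_filter_value(value):
    """RFC 4515 escaping so user-supplied text cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def cn_filter(cn):
    """Build an equality filter on CN (look up by CN, never hard-code the DN)."""
    return f"(cn={escape_filter_value(cn)})"


def find_dn_by_cn(cn, user, password, partition="domain", transport="ldaps",
                  base_dn=BASE_DN, ca_certs_file=None):
    """Bind over TLS/STARTTLS and return the current DN(s) matching the CN."""
    from ldap3 import SIMPLE, Connection, Server, Tls  # assumed dependency

    # CERT_REQUIRED makes ldap3 verify the chain and the server name; without
    # a CA file it falls back to the system trust store.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    port = port_for(partition, transport)
    server = Server(HOST, port=port, use_ssl=(transport == "ldaps"), tls=tls)
    conn = Connection(server, user=user, password=password, authentication=SIMPLE)

    if transport == "starttls" and not conn.start_tls():
        # Refuse to bind in the clear if the STARTTLS upgrade did not succeed.
        raise RuntimeError(f"STARTTLS failed: {conn.result}")
    if not conn.bind():
        raise RuntimeError(f"bind failed: {conn.result}")
    try:
        # The Global Catalog only carries a partial attribute set, but
        # distinguishedName is always present in both partitions.
        conn.search(base_dn, cn_filter(cn), attributes=["distinguishedName"])
        return [str(entry.distinguishedName) for entry in conn.entries]
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Usage: KIT_LDAP_USER='user@PLACEHOLDER' KIT_LDAP_PASSWORD='...' \
    #        python thisfile.py "Some Object CN"
    user = os.environ.get("KIT_LDAP_USER")
    password = os.environ.get("KIT_LDAP_PASSWORD")
    if not (user and password and len(sys.argv) == 2):
        sys.exit("set KIT_LDAP_USER/KIT_LDAP_PASSWORD and pass one CN")
    for dn in find_dn_by_cn(sys.argv[1], user, password, transport="starttls"):
        print(dn)
```

Choosing `transport="starttls"` selects port 389 (or 3268 for the Global Catalog) and upgrades the connection before the bind; `"ldaps"` selects 636 (or 3269) with TLS from the first byte. The filter escaping matters because the CN typically comes from user input: an unescaped `)` or `*` would change the query rather than the value being searched.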