Configuring LDAP and Global Catalog Access to the UMROOT Active Directory

This document provides information to help you configure applications for Lightweight Directory Access Protocol (LDAP) and Global Catalog access to Active Directory (UMROOT).

If you are looking for information about LDAP access to MCommunity, see instead LDAP Access to the MCommunity Directory.

Windows clients joined to Active Directory do not need further LDAP configuration. However, there are a number of clients and applications that do need to be manually configured to use LDAP or Global Catalog Directory Lookups, including Unix and Mac operating systems.

To access these forests, you must authenticate with a valid Active Directory username and password. Do not use your uniqname (personal) account in the application configuration; use an application account created for that purpose.

Production Forest Information

Directory Server(s) adsroot.itcs.umich.edu

Use the domain DNS CNAME adsroot.itcs.umich.edu to access these servers, if at all possible. These servers:

  • Support read/write access.
  • Are only available from U-M networks.
  • Use a UMROOT non-public SSL certificate.

Computers joined to the UMROOT domain will have a copy of the Trusted Root Certificate. Computers not joined to UMROOT will need to download and install the Root and Issuing CA certificates by doing the following:

  1. Navigate to the certinfo folder (accessible to computers not connected to UMROOT).
  2. Download and install certificates for your system.

Read more about Windows Public Key Infrastructure and Certificates at U-M.

Username or Relative Distinguished Name (RDN)

This is the Active Directory username for the application account. The documentation may say username, Relative Distinguished Name (RDN), Distinguished Name (DN) or SamAccountName. Some of the names used in application documentation are not technically correct, but they are almost always looking for the short username listed first on the application's AD account. Depending on the application, the username may need to be in one of the following formats:

  • username
  • umroot\username
  • CN=username
  • CN=username,OU=People,OU=Umich,DC=adsroot,DC=itcs,DC=umich,DC=edu

Password

This is the standard Windows Active Directory password for the application's account in AD.

TCP/IP Ports

Active Directory provides the services listed below on the ports shown. Use the one that your application documentation requires. If in doubt, start with TCP 389.

  • LDAP (TCP 389)
  • LDAP over SSL (TCP 636)
  • Global Catalog (TCP 3268)
  • Global Catalog over SSL (TCP 3269)

Search Base or Search Context

Most applications require that you define a Search Base. The following is the root of the domain, and a search from this point will find all objects in Active Directory.

  • DC=adsroot,DC=itcs,DC=umich,DC=edu

Test Forest Information

Pay special attention to differences in the server name(s) and the DNS names compared to the production forest. The test forest names replace "ITCS" with "ITD."

Directory Server(s) adsroot.itd.umich.edu

Use the domain DNS CNAME adsroot.itd.umich.edu to access these servers, if at all possible. These servers:

  • Support read/write access.
  • Are only available from U-M networks.
  • Use an ADSROOT non-public SSL certificate.

Any computers joined to the ADSROOT test domain will have a copy of the Trusted Root Certificate. Others connecting to the test domain will need to download and install the Root and Issuing CA Certificates.

Username or Relative Distinguished Name (RDN)

This is the Active Directory username for the application account. The documentation may say username, Relative Distinguished Name (RDN), Distinguished Name (DN) or SamAccountName. Some of the names used in application documentation are not technically correct, but they are almost always looking for the short username listed first on the application's AD account. Depending on the application, the username may need to be in one of the following formats:

  • username
  • adsroot\username
  • CN=username
  • CN=username,OU=People,OU=Umich,DC=adsroot,DC=itd,DC=umich,DC=edu

Password

This is the standard Windows Active Directory password for the application's account in AD.

TCP/IP Ports

Active Directory provides the services listed below on the ports shown. Use the one that your application documentation requires. If in doubt, start with TCP 389.

  • LDAP (TCP 389)
  • LDAP over SSL (TCP 636)
  • Global Catalog (TCP 3268)
  • Global Catalog over SSL (TCP 3269)

Search Base or Search Context

Most applications require that you define a Search Base. The following is the root of the domain, and a search from this point will find all objects in Active Directory.

  • DC=adsroot,DC=itd,DC=umich,DC=edu
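The Python below is an added example, not code from the original page or from U-M ITS. It pulls together the settings from both the production and the test forest sections above: the server name, the TCP port for each service, the four account-name formats, and the search base. The FORESTS and SERVICES tables, the function names (ldap_url, account_forms, account_lookup_filter, short_username) and the two escaping helpers are this example's own; the escaping follows RFC 4514 for DN values and RFC 4515 for filter values, so that an account name containing a comma, a backslash or an asterisk is treated as data and cannot change the shape of the DN or filter an application sends to the directory. It only builds strings and never opens a connection.

```python
"""Assemble LDAP / Global Catalog client settings for the UMROOT forests.

Added example (not code from the original page). Hostnames, ports, NetBIOS
prefixes, search bases and account-name formats are the ones the page lists;
the tables, function names and RFC 4514 / RFC 4515 escaping helpers are this
example's own. Strings only; no network connection is made.
"""

# Forest settings as listed on the page. The test forest replaces ITCS with ITD.
FORESTS = {
    "production": {
        "host": "adsroot.itcs.umich.edu",
        "netbios": "umroot",
        "search_base": "DC=adsroot,DC=itcs,DC=umich,DC=edu",
    },
    "test": {
        "host": "adsroot.itd.umich.edu",
        "netbios": "adsroot",
        "search_base": "DC=adsroot,DC=itd,DC=umich,DC=edu",
    },
}

# Service name -> (URL scheme, TCP port). The ldaps scheme means TLS on connect,
# so the connecting host must trust the forest's Root and Issuing CA certificates.
SERVICES = {
    "ldap": ("ldap", 389),
    "ldaps": ("ldaps", 636),
    "gc": ("ldap", 3268),
    "gcs": ("ldaps", 3269),
}

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;')
# Characters that must be hex-escaped inside a search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_url(forest, service="ldap"):
    """Return the URL an application should be pointed at for the chosen service."""
    scheme, port = SERVICES[service]
    return f"{scheme}://{FORESTS[forest]['host']}:{port}"


def escape_dn_value(value):
    """Escape a value so it can sit inside a DN without altering the DN's structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, len(value) - 1)) or (ch == "#" and i == 0):
            out.append("\\" + ch)  # leading '#', leading or trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_forms(forest, username):
    """The four ways the page says an application may expect the account name."""
    f = FORESTS[forest]
    cn = escape_dn_value(username)
    return {
        "username": username,
        "domain": f"{f['netbios']}\\{username}",
        "rdn": f"CN={cn}",
        "dn": f"CN={cn},OU=People,OU=Umich,{f['search_base']}",
    }


def account_lookup_filter(username):
    """Filter that finds an account by sAMAccountName when searching from the domain root."""
    return f"(sAMAccountName={escape_filter_value(username)})"


def short_username(identifier):
    """Recover the plain sAMAccountName from any of the four account_forms() shapes."""
    if identifier[:3].upper() == "CN=":
        rest, out, i = identifier[3:], [], 0
        while i < len(rest) and rest[i] != ",":       # stop at the first unescaped comma
            if rest[i] == "\\" and i + 1 < len(rest):
                nxt = rest[i + 1]
                if nxt in _DN_SPECIAL or nxt in " #":  # backslash + literal character
                    out.append(nxt)
                    i += 2
                else:                                   # backslash + two hex digits
                    out.append(chr(int(rest[i + 1:i + 3], 16)))
                    i += 3
            else:
                out.append(rest[i])
                i += 1
        return "".join(out)
    if "\\" in identifier:                              # DOMAIN\username
        return identifier.split("\\", 1)[1]
    return identifier
```

A client would hand ldap_url("production", "ldaps") and either the "dn" or the "domain" entry from account_forms() to its LDAP library as the bind target and bind identity, with FORESTS[...]["search_base"] as the search base. For the ldaps and gcs services the trust store of a computer not joined to the forest must already contain the Root and Issuing CA certificates described above, or the TLS handshake will fail. Whatever form the application wants, the value interpolated into a DN or filter is escaped first; the account name is configuration data and should never be able to change the structure of the query.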

Last Updated: Thursday, February 28, 2019