Mark L (Guest)
Posted: Sun May 14, 2006 7:32 am
Post subject: How to configure LDAP directory for external access

Hi,
I am trying to allow my users to be able to verify their recipients' addresses
with the AD information via LDAP (and our email system is running Exchange
2003) when using Outlook 2003 clients. I tried to search the KB but I was not
able to find the right information. So I would like to ask if someone knows a
good article to do this - like the Search Base details and port numbers, etc.
I also tried previously but it came up with LDAP Directory is unavailable (52).
I know that you can connect directly to Exchange and use the GAL
information there. But our organization also has users running POP3/SMTP and
they need to have access to the list as well (as they are working from home),
so I just think using LDAP seems to be the logical choice. If there are
better ways to do this, please feel free to suggest them as well.
Thanks for the information in advance.
Mark L

wickydog (Guest)
Posted: Sun May 14, 2006 9:35 am
Post subject: RE: How to configure LDAP directory for external access

See if this helps:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbconIntroductionToADSIObjectsInVisualStudio.asp
Thanks and Regards
Jacky

Mark L (Guest)
Posted: Sun May 14, 2006 9:41 am
Post subject: RE: How to configure LDAP directory for external access

Hi,
It is not what I am really after - what I need is how to set up the AD to
allow external access and what to configure in MS Outlook to connect and
read out the data. I do not intend to write new software to do it -
just to configure it with existing things.
Mark

wickydog (Guest)
Posted: Sun May 14, 2006 10:12 am
Post subject: RE: How to configure LDAP directory for external access

To allow AD for external access, you can open certain ports to do so. It is
not secure enough unless your connection is secured such as using VPN. For
ports required, please refer to the following article:
http://support.microsoft.com/?kbid=832017
For Outlook access, if you are using Exchange 2003 and Outlook 2003, you can
use RPC over HTTP access, please refer to the article for more information:
http://support.microsoft.com/?id=833401
Thanks and Regards
Jacky

gordonah (Guest)
Posted: Sun May 14, 2006 12:06 pm
Post subject: RE: How to configure LDAP directory for external access

Mark
You may also need to set permissions on the AD to allow the users the
facility. This can be done by explicitly giving the appropriate users the
appropriate rights on the appropriate objects.
Or, you can set the AD to allow anonymous LDAP access,
http://support.microsoft.com/default.aspx?scid=326690. This may be used, because
unlike most other LDAPs, AD doesn't allow anonymous access by default.
Setting 'Pre-Windows Compatible Access' also gives search rights for normal
users (Everyone in fact).
The second two options are obviously large reductions in security, so
probably won't make sense for internet users.
Does that make sense? I'm not sure if there's something cleverer you can do
for Exchange.
Gordon

Joe Richards [MVP] (Guest)
Posted: Sun May 14, 2006 9:21 pm
Post subject: Re: How to configure LDAP directory for external access

This can vary depending on your environment. Do you have multiple domains with
mail enabled objects (or at least objects with mail addresses)?
Assuming a single domain, your port is going to be 389 and your base is going to
be either the root of the domain like DC=domain,DC=com or a container in the
domain that has all of the objects in it you want them to find.
If you have multiple domains with mail objects then you will need to switch to a
port of 3268 and set the base to the root of the forest or if you have multiple
trees a null base though I am not sure if Outlook will handle that.
The biggest issue is that you have to specify an actual host name. This sucks
because AD has autolocation services and MSFT themselves aren't using them when
you do things in this way. If you specify the domain name, the client could go
to any DC in the domain, this is especially bad if you have multiple domains and
need to go to a GC instead.
You DO NOT have to enable anonymous access, so IGNORE everyone who said that,
that is a stupid thing to do. You want secured access to your directory data.
You just have to specify a userid and password combo when you add the new
directory to Outlook. Of course this is also a pain when the user changes their
password because they will need to go in and change it there as well.
Another option that helps with some of the issues is to sync the contacts/users
you want the non-Exchange clients to find into an ADAM (or other LDAP) store and
access from there. That way you can collapse the hierarchy (domain and
container/OU). Also it can help you get around some issues that can crop up when
you have >10,000 objects. Also you can easily set up a DNS alias that points to
a pool of ADAMs and use that and not worry about making changes in your domain
structures. Oh you can also set up a simple ID and password to use for the
Outlook AB functions and use that. I don't recommend doing that for your normal
AD because there is a lot more info there than just AB info.
This is kind of a pain in the ass with Outlook to do, but it can be done.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
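
Added example, not part of the thread and not written by any of its participants: a small Python check that applies the port, search-base, host-name and credential rules from Joe Richards' post to a proposed Outlook LDAP directory entry. The `entry` dictionary keys, the function names and the `example.com` names are assumptions constructed for illustration; forests with multiple trees (the null-base case) are not handled.

```python
# Added example: lint an Outlook LDAP address-book entry against the rules in
# the post above. All names (example.com, the entry keys) are constructed.

def domain_to_base_dn(dns_name):
    """Turn a DNS domain name into the DN of the domain root."""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + label for label in labels)

def expected_settings(mail_domains, forest_root):
    """Return (port, base DN, container_allowed) for the environment."""
    if len(mail_domains) == 1:
        # Single domain: port 389, base is the domain root or a container in it.
        return 389, domain_to_base_dn(mail_domains[0]), True
    # Several domains hold mail objects: global catalog port, forest root base.
    return 3268, domain_to_base_dn(forest_root), False

def _norm(dn):
    """Comparison form of a DN (escaped commas in values are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def lint_entry(entry, mail_domains, forest_root):
    """Return a list of findings; an empty list means the entry follows the rules."""
    port, base, container_allowed = expected_settings(mail_domains, forest_root)
    findings = []
    if entry["port"] != port:
        findings.append(f"port {entry['port']}: expected {port}")
    have, want = _norm(entry["search_base"]), _norm(base)
    if have != want and not (container_allowed and have.endswith("," + want)):
        findings.append(f"search base should be {base}")
    domains = {d.lower().strip(".") for d in list(mail_domains) + [forest_root]}
    if entry["server"].lower().strip(".") in domains:
        findings.append("server is a domain name; name a specific DC or GC host")
    if not entry.get("bind_user") or not entry.get("bind_password"):
        findings.append("no credentials: the entry would bind anonymously")
    return findings

# Constructed sample: two mail domains, but the entry was written for one.
SAMPLE = {"server": "example.com", "port": 389,
          "search_base": "DC=example,DC=com", "bind_user": "", "bind_password": ""}

if __name__ == "__main__":
    for finding in lint_entry(SAMPLE, ["example.com", "emea.example.com"], "example.com"):
        print("FINDING:", finding)
```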