What ports can be used for LDAP authentication in Waters software systems? - WKB8290

ENVIRONMENT

• Empower versions supporting LDAP-based authentication
• NuGenesis 9
• NuGenesis 8

ANSWER

The standard LDAP ports:

• TCP 389: This port allows for cleartext (unencrypted) communications, OR secure communications with the use of the StartTLS extension.  Note that not all versions of Waters software support the use of StartTLS
• TCP 636: Supports LDAP over SSL connections

Microsoft Active Directory (AD) servers offer alternative ports for LDAP access, known as the Global Catalog:

• TCP 3268: the equivalent of TCP 389.  Supports both cleartext and StartTLS connections
• TCP 3269: the equivalent of TCP 636.  Supports LDAP over SSL connections.

Please reference WKB120648 for changes in LDAP configuration beginning Empower 3 FR5.

ADDITIONAL INFORMATION

Empower versions prior to Empower 3 Feature Release 2 required the use of SSL and the LDAP-over-SSL protocol..

Empower 3 Feature Release 2 and later versions allow use of non-SSL ports.

NuGenesis versions up to 9.1 support cleartext LDAP or LDAP-over-SSL.  NuGenesis 9.2 and later versions support cleartext, LDAP-over-SSL, and LDAP with StartTLS.

An advantage of querying the Global Catalog (GC) ports in AD is that queries to the root DN (example: DC=domain, DC=com) via the GC ports do not include referrals to DomainDnsZones.domain, ForestDnsZones.domain.com, and others in the search results.  NuGenesis will chase the referrals, and this may result in long login times for the client applications if the system is unable to resolve those names, or in error messages in the client apps.  Removing the referrals from the LDAP search results means that there are no referrals for SDMS to chase.