
  • Using ports in the LDAP string is not working

    We are configuring a new system. We are on build 21.86.1828.0. We are trying to get Active Directory integration working. It seems to work using LDAP://domain1.anycompany.com/dc=anycompany,dc=com but because of security concerns this really is not an option. Documentation would suggest that we can use port numbers such as
    LDAP://domain1.anycompany.com:389/dc=anycompany,dc=com
    LDAP://domain1.anycompany.com:636/dc=anycompany,dc=com

    Neither of these works, and LDAPS://domain1.anycompany.com/dc=anycompany,dc=com does not work either.
    Any suggestions on why using a port number in the LDAP string does not work?
    Thanks

  • #2
    If you have your machine joined to the domain and it is authorized to do delegation, you should be able to use any valid string you can query.
    Lance Paddock
    BTX | Business Telephone eXchange
    1(800) 289-0299



    • #3
      Thanks for the suggestion. We selected Trust this computer for delegation to any service (Kerberos only) but that did not help. Server is joined to the domain. It is a Windows 2016 server.



      • #4
        Originally posted by Lance:
        "If you have your machine joined to the domain and it is authorized to do delegation, you should be able to use any valid string you can query."
        ^This is for legacy AD integration. Connect does not use this.

        You'll want to reach out to TAC. Per my notes, only the first LDAP string you posted is valid for ShoreTel. I've been told ShoreTel doesn't support port change for LDAP or LDAPS. I have had success using GC instead of LDAP, if that helps.



        • #5

          The first 2 strings should be valid.

          This should work: LDAP://domain1.anycompany.com:389/dc=anycompany,dc=com is the same as LDAP://domain1.anycompany.com/dc=anycompany,dc=com

          The ADsPath statement has the following format:
          LDAP://HostName[:PortNumber][/DistinguishedName]

          The “HostName” can be a computer or server name, an IP address, or a domain name. Typically, a server name is specified. For Connect, the Active Directory server is usually specified. The “PortNumber” is the port to be used for the connection to the directory. If no port number is specified, LDAP uses the default port number (636 if using an SSL connection or 389 if not using an SSL connection).

          If you have more than one CN, OU or DC, I would check the string with an LDAP browser.
          Lance Paddock
          BTX | Business Telephone eXchange
          1(800) 289-0299


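As an added example (not code from this thread, from ShoreTel or from Microsoft), a Python parser for the ADsPath format quoted above: it applies the documented default-port rule (389, or 636 only when the connection is SSL), reports whether a given string would bind over SSL, checks that the distinguished name is made of well-formed CN/OU/DC RDNs, and notes whether the host is a short name or an FQDN, since the thread reports builds treating those differently. The GC defaults (3268, 3269 over SSL) are the standard AD global-catalog ports and are not stated in the thread; the sample strings are the ones posted here.

```python
import re
from dataclasses import dataclass

# Default ports per provider: 389 / 636 (SSL) as quoted in the thread;
# GC 3268 (3269 over SSL) are the standard AD global-catalog ports.
DEFAULT_PORT = {"LDAP": 389, "LDAPS": 636, "GC": 3268}
SSL_PORTS = {636, 3269}

# LDAP://HostName[:PortNumber][/DistinguishedName]; ADSI provider prefixes
# are case-sensitive, so no re.IGNORECASE on the scheme.
ADSPATH_RE = re.compile(
    r"^(?P<scheme>LDAPS?|GC)://(?P<host>\[[0-9A-Fa-f:.]+\]|[^/:\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?(?:/(?P<dn>.*))?$"
)
RDN_RE = re.compile(r"^(?:CN|OU|DC|O)=[^,=]+$", re.IGNORECASE)


@dataclass
class AdsPath:
    scheme: str
    host: str
    port: int
    port_explicit: bool   # True when ":port" was written in the string
    ssl: bool             # LDAPS scheme or an SSL port (636 / 3269)
    rdns: list            # DN split into RDNs, e.g. ["dc=anycompany", "dc=com"]

    @property
    def host_is_fqdn(self) -> bool:
        # Dotted DNS name, not a bare short name, IPv4 or bracketed IPv6 literal.
        return ("." in self.host and not self.host.startswith("[")
                and re.fullmatch(r"[\d.]+", self.host) is None)


def parse_adspath(path: str) -> AdsPath:
    """Parse one ADsPath string; raise ValueError for anything off-format."""
    m = ADSPATH_RE.match(path.strip())
    if not m:
        raise ValueError(f"not of the form PROVIDER://host[:port][/dn]: {path!r}")
    scheme, host, port_s, dn = m.group("scheme", "host", "port", "dn")
    if port_s is None:
        port, explicit = DEFAULT_PORT[scheme], False  # the documented default rule
    else:
        port, explicit = int(port_s), True
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    rdns = [r.strip() for r in dn.split(",")] if dn else []
    bad = [r for r in rdns if not RDN_RE.match(r)]
    if bad:
        raise ValueError(f"malformed RDN(s) in {dn!r}: {bad}")
    return AdsPath(scheme, host, port, explicit, scheme == "LDAPS" or port in SSL_PORTS, rdns)
```

Running the thread's strings through it shows why a bare LDAP:// string can never land on 636: without ":636" or the LDAPS scheme the default rule resolves to 389 in the clear.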

          • #6
            I have noticed each version of Connect allows slightly different variations of the LDAP string.

            For example, the recent build 21.87.3629.0 doesn't appear to allow LDAP://domain1.anycompany.com:389/dc=anycompany,dc=com, but it will allow LDAP://domain1:389/dc=anycompany,dc=com
            or
            LDAP://domain1.anycompany.com/dc=anycompany,dc=com

            Lance Paddock
            BTX | Business Telephone eXchange
            1(800) 289-0299



            • #7
              I can get multiple strings to work as long as a port number is not used. Documentation says: "If no port number is specified, LDAP uses the default port number (636 if using an SSL connection...)".
              If I cannot specify a port, how do I get it so that 636 is the default port? Currently it is using 389.
              Thanks



              • #8
                It turns out that using a port number in the LDAP string works for logging into the Connect client (the secure port is used). However, when you go to the user screen and click on Show from AD or Sync from AD, these buttons do not work. We have a case open with ShoreTel to resolve.



                • #9
                  Are you requiring LDAP Signing, by chance? I found similar behavior, and after turning up the logging I found out that ShoreTel doesn't support this. Really kind of confusing, as even cheap printers from years ago seem to work fine, but once I turned off requiring LDAP Signing it started working.
