Debian – Querying LDAP server on UDP


I am trying to query an LDAP server (Active Directory) over ldaps. The problem is that the only ports I have available (389 and 636) are UDP ports. TCP is not allowed by the firewall rules (which I don't understand myself, so don't bother asking :) )

I am not having much luck, however.
Running the command

ldapsearch -H ldaps://cmpname.dk:636 -b "ou=CmpName,dc=cmpname,dc=dk" -D "cn=devldap,ou=Service,ou=Misc acconts,ou=CmpName,dc=cmpname,dc=dk" -w "password123" -v

Gives the message:

ldap_initialize( ldaps://cmpname.dk:636/??base )

after which it hangs for a while and then returns

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Can I assume that this is because ldapsearch only attempts to contact via TCP? Can I make ldapsearch contact the UDP port somehow?

Or is the error something else entirely?

Basically: Help 🙂

Best Answer

AD only supports LDAP over UDP in a very limited way. Not much more than being able to query authentication methods available.

LDAP Search Over UDP

Active Directory supports search over UDP only for searches against rootDSE. It encodes the results of an LDAP search performed over UDP in the same manner as it does a search performed over TCP; specifically, as one or more SearchResultEntry messages followed by a SearchResultDone message, as described in [RFC2251]. This means that the search response is not encoded as described in [RFC1798]. Only LDAP search and LDAP abandon operations are supported over UDP by Active Directory.


root DSE (rootDSE): A nameless entry containing the configuration status of the Lightweight Directory Access Protocol (LDAP) server. Typically, access to at least a portion of the root DSE is available to unauthenticated clients, allowing them to determine the authentication methods supported by the server.
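To see what the UDP port in the question actually answers, here is an added example (not from the question or the answer above, and not ldapsearch's own code) that hand-encodes the one search AD serves over UDP, a rootDSE base search, and decodes the SearchResultEntry/SearchResultDone reply the MS-ADTS text describes. The BER framing follows RFC 2251/4511; the host, port and attribute names passed in are the caller's choice.

```python
import socket

def tlv(tag, body):                       # BER TLV, short or 2-byte long-form length
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def read_tlv(buf, pos=0):                 # -> (tag, body, position after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long-form length: low 7 bits = number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(buf):                        # iterate the TLVs inside a constructed body
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def rootdse_search_request(msg_id=1, attrs=("supportedSASLMechanisms", "supportedLDAPVersion")):
    # SearchRequest [APPLICATION 3]: base "" (rootDSE), scope baseObject, deref never,
    # sizeLimit 0, timeLimit 0, typesOnly FALSE, filter present(objectClass), attribute list
    req = (tlv(0x04, b"") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")
           + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")
           + tlv(0x87, b"objectClass")
           + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))   # LDAPMessage

def parse_search_response(datagram):
    # SearchResultEntry [APPLICATION 4] then SearchResultDone [APPLICATION 5], TCP-style
    # framing as the MS-ADTS text above states -> ({attr: [values]}, resultCode)
    attrs, result = {}, None
    for _, msg in children(datagram):                       # each LDAPMessage
        (_, _), (op, body) = list(children(msg))[:2]        # messageID, protocolOp
        if op == 0x64:
            (_, _), (_, alist) = list(children(body))[:2]   # objectName (empty), attributes
            for _, pa in children(alist):                   # PartialAttribute { type, SET OF vals }
                (_, name), (_, vals) = list(children(pa))[:2]
                attrs[name.decode()] = [v.decode() for _, v in children(vals)]
        elif op == 0x65:
            result = next(children(body))[1][0]             # resultCode, 0 = success
    return attrs, result

def query_rootdse_udp(host, port=389, timeout=3.0):
    # None = no datagram came back: port filtered, or the responder is not a domain controller
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(rootdse_search_request(), (host, port))
        try:
            return parse_search_response(s.recvfrom(65535)[0])
        except socket.timeout:
            return None
```

A bind, or any search with a non-empty base, is not served this way, which is why the ldapsearch run in the question (a simple bind over ldaps) cannot succeed on a UDP-only path.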