OpenAthens LA support ended on 31 March 2020



The decision whether to search the Global Catalog or the domain is based on the scope of the search:

  • When the scope of a search is the domain or an organisational unit, the query can be resolved within the domain partition by using an LDAP search.
  • When the scope of a search is the forest, the query can be resolved within any partition by using a Global Catalog search.

Any time that you specify port 3268, you are searching in the Global Catalog. In addition, the Global Catalog is searched by default under the following conditions:

  • When you choose Entire Directory in a search-scope list.
  • When you write the value for a distinguished name-valued property, where the distinguished name represents a nonlocal object. For example, if the member that you are adding is from a different domain, the Global Catalog is used to verify that the user object represented by the distinguished name actually exists.

For an LDAP search, you must supply a valid base distinguished name (DN). For a Global Catalog search, the base DN can be any value, including NULL (a blank base DN, ""). A NULL base DN effectively scopes the search on the search computer to the Global Catalog. If you use a NULL base DN with a scope of one level or subtree and specify port 389 (the default LDAP port), the search fails. Therefore, if you submit a NULL search to the Global Catalog port and then change the port to the LDAP port, you must also change the base DN for the search to succeed.

The default port is port 3268; so to submit the search to port 389, you must provide a valid base distinguished name as defined in RFC 2247. A blank base distinguished name fails on either port.

Characteristics of a Global Catalog Search

The following characteristics differentiate a Global Catalog search from a standard LDAP search:

  • Global Catalog queries are directed to port 3268, which explicitly indicates that Global Catalog semantics are required. By default, ordinary LDAP searches are received through port 389. If you bind to port 389, even if you bind to a Global Catalog server, your search includes a single domain directory partition. If you bind to port 3268, your search includes all directory partitions in the forest. If the server you attempt to bind to over port 3268 is not a Global Catalog server, the server refuses the bind.
  • Global Catalog searches can specify a non-instantiated search base, indicated as "com" or " " (blank search base).
  • Global Catalog searches cross directory partition boundaries, whereas the extent of an ordinary LDAP search is a single directory partition.
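The routing rules above (port 3268 versus 389, blank versus valid base DN, and the refused bind on a non-Global-Catalog server) modelled as a small decision function. This is an added example, not OpenAthens or Microsoft code; the server names and the `corp.example.com` domain are constructed, and the DN check is syntactic only (it does not contact a directory).

```python
import re
from dataclasses import dataclass

GC_PORT = 3268   # Global Catalog semantics: every partition in the forest
LDAP_PORT = 389  # ordinary LDAP: the single domain partition of the server
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def domain_to_base_dn(dns_domain: str) -> str:
    """RFC 2247 mapping of a DNS domain name to a base DN,
    e.g. corp.example.com -> DC=corp,DC=example,DC=com."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def is_valid_base_dn(dn: str) -> bool:
    """Syntactic check only: non-blank, comma-separated attr=value RDNs,
    with the rightmost RDN a DC component as an RFC 2247 domain DN has."""
    rdns = [r.strip() for r in dn.split(",")]
    return bool(dn.strip()) and all(_RDN.match(r) for r in rdns) \
        and rdns[-1].upper().startswith("DC=")


@dataclass
class Server:
    name: str                # constructed hostname, e.g. gc01.corp.example.com
    is_global_catalog: bool  # whether this DC also hosts the Global Catalog


def plan_search(server: Server, port: int, base_dn: str, scope: str) -> str:
    """Describe where the query resolves, or raise for the failure modes
    described above (bind refused on 3268 by a non-GC server; blank or
    invalid base DN on 389)."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")
    if port == GC_PORT:
        if not server.is_global_catalog:
            raise ConnectionRefusedError(
                f"{server.name} is not a Global Catalog server; bind refused")
        # Any base DN is accepted here, including "" (blank search base).
        return (f"Global Catalog search on {server.name}: all directory "
                f"partitions in the forest, base {base_dn!r}, scope {scope}")
    if port == LDAP_PORT:
        if not is_valid_base_dn(base_dn):
            raise ValueError(
                f"port 389 needs a valid base DN (RFC 2247); got {base_dn!r}")
        return (f"LDAP search on {server.name}: single domain partition, "
                f"base {base_dn!r}, scope {scope}")
    raise ValueError(f"port {port} is outside this model (389 or 3268)")
```

The same blank base DN that succeeds on 3268 is rejected on 389, which is the port-switch pitfall the text warns about.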

This article is based on information taken from the following technet article:
