SV: empoyeeID value not given

Pål Axelsson Pal.Axelsson at
Thu Nov 27 02:52:51 EST 2014

> -----Original message-----
> From: users-bounces at [mailto:users-
> bounces at] On behalf of Cantor, Scott
> Sent: 27 November 2014 04:29
> To: Shib Users
> Subject: Re: empoyeeID value not given
> On 11/26/2014 6:04 PM, Daniel Pryor wrote:
> >> We are using port 3268 and the ldaploginmodule. We have not tried
> >>another user, because the same user was able to query it via ldapsearch
> >>and ldifde. Do you suggest we still try using another more
> >> privileged user?
> >
> >
> >port 3286 accesses the Global Catalog. The GC does not have all the
> >attributes, employeeID is not in the GC. See:
> >
> >
> >
> >There are ways to add it to the GC.
> Sorry for butting in, but this keeps driving me what is the
> point of telling people to use that port? I keep hearing "you can't use
> 389 with AD because some data won't be there" and then I see people say
> you can't use the GC port because some data won't be there. I just don't
> understand this.
> What I really don't get is why people don't just use a freakin' database
> and avoid all this nonsense, but let's stick to non-religious topics.
> -- Scott


If I understand this correctly, the Global Catalogue includes all users in
all domains in the forest but doesn't have all user attributes.

The standard LDAP port includes all users in the domain that the questioned
domain controller services. In a multi domain forest you just see the user
attributes from that domain.

If you have your users spread over multiple domains in the forest you
should use the GC port and change what's in the GC. Otherwise use the
standard LDAP port, preferably over TLS.

