KnowledgeBase Content Details

February 08, 2016

Question:

Difference between using the default port 389 and default Global Catalog port 3289 in a Spotfire LDAP configuration.

Answer:


When configuring the TIBCO Spotfire Server LDAP configuration, you must specify the LDAP server URL as shown in these examples:

  • LDAP://myserver.example.com
  • LDAPS://myserver.example.com
  • LDAP://myserver.example.com:389
  • LDAPS://myserver.example.com:636
  • LDAP://myserver.example.com:3268
  • LDAPS://myserver.example.com:3269

The default port for an LDAP connection is 389 and 636 for LDAPS. When you configure an LDAP connection to use port 389/636, you search for objects from this local domain controller only (replicated between domain controllers in the same domain). It has a complete set of all attributes each object contains. Alternatively, when configuring Spotfire LDAP integration in environments with multiple domains in the forest, it is often required to use the Global Catalog in order to return objects from all domains in the forest.


The Global Catalog is a Read Only replica which contains a Partial Attribute Set (PAS) of objects within the forest, so it holds certain replicate objects from all domains. The default port for this is 3268 for LDAP and 3269 for LDAPS. When you configure the LDAP connection to use port 3268/3269, you search this Global Catalog (GC) to locate objects from any domain without having to know the domain name itself. This is often used in multi-domain forests where Spotfire must pull users/groups from multiple domains.

To summarize:
  • Default Ports: 389 (LDAP) / 636 (LDAPS)
    These ports are used for requesting information from the local domain controller. LDAP requests sent to port 389/636 can be used to search for objects only within the global catalog’s home domain. However, the requesting application can obtain all of the attributes for those objects.

  • Default Ports: 3268 (LDAP) / 3269 (LDAPS)
    These ports are used for queries specifically targeted for the Global Catalog. LDAP requests sent to port 3268/3269 can be used to search for objects in the entire forest. However, only the attributes marked for replication to the Global Catalog can be returned.
    
Detailed description of the Global Catalog:
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as Global Catalog servers and is distributed through multimaster replication. Searches that are directed to the Global Catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full writable replica of a single domain directory partition. A domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.

The Global Catalog provides the ability to locate objects from any domain without having to know the domain name. A Global Catalog server is a domain controller that, in addition to its full writable domain directory partition replica, also stores a partial read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single Global Catalog server.

Back to KnowledgeBase