Get users from AD groups by looping through the PrincipalCollection

Eugene.Chen 21 Reputation points
2022-09-29T18:18:28.157+00:00

1. LDAP server signing

domain-controller-ldap-server-signing-requirements

This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/636).
If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
Caution: If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2. Issue

Our AD server is configured with LDAP signing and our client program wants to sync users from some groups, but we found that it automatically uses 389 when we loop over the group members. This doesn't make sense, because we use 3269 to connect to the AD server to get the groups and pull the users. So can you help find out why? Appreciated!

Sample Code

System.DirectoryServices.AccountManagement->GroupPrincipal

using System.DirectoryServices.AccountManagement;

// bind over SSL to the global catalog port (3269); "dc.example.com" is a placeholder server name
var ctx = new PrincipalContext(ContextType.Domain, "dc.example.com:3269", null,
    ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);
GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, "GroupName");

PrincipalCollection members = group.Members;
foreach (var member in members) // Microsoft AD Library will automatically use 389
{
//..............
}

Thanks & Best Regards


Accepted answer

Gary Reynolds 9,391 Reputation points
2022-09-29T20:33:56.067+00:00

Hi,

While the GC (connection on 3269) has the group objects, it has a reduced set of the object attributes. The member and memberOf attributes are only replicated based on the group type. The GroupPrincipal function probably has the logic to switch back to a 389 LDAP connection, as it knows the member and memberOf attributes will exist in this instance.

My concern would also be why it is using 389 and not 636, when the original connection to the GC was on the SSL connection on port 3269.

Gary.
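One way to keep the member enumeration off port 389 entirely is to stop relying on PrincipalCollection and read the group's member attribute yourself over a connection whose port and TLS mode you control. The code below is an added example, not code from either post in this thread and not part of the Microsoft library; the server name, group DN and credentials are placeholders, and the range-retrieval loop is the standard way to read a multi-valued attribute that AD caps at 1500 values per response.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example (not from the thread). Reads a group's "member" attribute over an
// explicitly configured LDAPS session on TCP 636 instead of walking
// GroupPrincipal.Members, so no plaintext 389 session is opened behind your back.
// Server name, group DN and credentials are placeholders.
public static class LdapsGroupMembers
{
    public static List<string> GetMemberDns(string server, string groupDn,
                                            string userName, string password)
    {
        // "LDAP://host:636/DN" plus SecureSocketsLayer gives LDAP over TLS.
        // Adding Secure makes the bind SASL (Kerberos/NTLM) inside the TLS tunnel;
        // without it the bind is a simple bind, which the signing policy still
        // permits because it travels over SSL.
        var group = new DirectoryEntry(
            $"LDAP://{server}:636/{groupDn}", userName, password,
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer);

        var members = new List<string>();
        int low = 0;
        while (true)
        {
            // AD returns at most 1500 values of a multi-valued attribute per read,
            // so request member;range=low-* and follow the range the server answers.
            string wanted = $"member;range={low}-*";
            using (var searcher = new DirectorySearcher(
                group, "(objectClass=group)", new[] { wanted }, SearchScope.Base))
            {
                SearchResult result = searcher.FindOne();
                if (result == null)
                    throw new InvalidOperationException($"{groupDn} not found");

                // The server renames the attribute to the range it satisfied,
                // e.g. "member;range=0-1499", or "member;range=1500-*" on the last page.
                string returned = null;
                foreach (string name in result.Properties.PropertyNames)
                    if (name.StartsWith("member;range=", StringComparison.OrdinalIgnoreCase))
                        returned = name;

                if (returned == null)
                    break; // empty group, or no values beyond "low"

                foreach (object dn in result.Properties[returned])
                    members.Add((string)dn);

                if (returned.EndsWith("*"))
                    break; // "low-*" echoed back means this was the final page

                // Parse the upper bound of "member;range=low-high" and continue.
                string high = returned.Substring(returned.LastIndexOf('-') + 1);
                low = int.Parse(high) + 1;
            }
        }
        return members;
    }
}

// Usage (placeholders):
// var dns = LdapsGroupMembers.GetMemberDns("dc.example.com",
//     "CN=Sync Users,OU=Groups,DC=example,DC=com", "EXAMPLE\\svc-sync", "<password>");
```

Two caveats: the member attribute lists direct members only, so nested groups need a recursive call on each member that is itself a group, and users whose primaryGroupID points at the group (Domain Users is the usual case) do not appear in it at all. To confirm the client really stopped using 389, raise the Directory Service diagnostic "16 LDAP Interface Events" to level 2 on the DC and watch for event ID 2889, which names each client that performs an unsigned or simple bind without TLS.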

