Why You Shouldn’t Use Port 636 to Bind to LDAP Signing


When you move the Lawson LDAP Bind to LDAPS, a domain controller offers two TLS ports: 636 and 3269.  Port 636 is the default LDAPS port, and 3269 is the Global Catalog (GC) LDAPS port.  (Strictly speaking, LDAP signing and LDAPS are different protections: signing adds SASL integrity to the plaintext ports 389 and 3268, while LDAPS wraps the whole session in TLS on 636 and 3269.  The bind change described here is the LDAPS one, and both TLS ports protect the connection equally.)  Here is why you should prefer port 3269, where possible, when updating your LDAP Bind for LDAPS.

On the default port (636) the domain controller searches its own domain partition and can return every attribute of the requested object.  On the Global Catalog port the same domain controller answers from its GC replica, which covers every domain in the forest but holds only the attributes marked for replication to the Global Catalog (the partial attribute set).  Two things follow: the DC you bind to must actually hold the GC role, or nothing will answer on 3269, and any attribute that is not in the partial attribute set will come back empty on 3269 even though 636 returns it.  If you don’t need all attributes to be searched and returned (and for Lawson binding, you don’t), a GC search can be much faster.
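Before switching a bind from 636 to 3269 it is worth checking the two conditions above rather than discovering them at login time.  The PowerShell below is an added example, not code from the original article or from Lawson: it binds to the DC over LDAPS, reads RootDSE to confirm the DC is a Global Catalog, checks in the schema that every attribute the application reads is in the partial attribute set, and then times the same user lookup on both ports.  The server name, bind DN, test account and attribute list are assumptions to be replaced with your own.

```powershell
# Added example, not code from the original article or from Lawson. Pre-flight checks
# before moving an LDAPS bind from 636 to 3269. Server name, bind DN, test account and
# attribute list below are assumptions; replace them with your own values.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'dc01.corp.example.com'                                       # assumed DC; must also hold the GC role
$BindDn      = 'CN=svc-lawson,OU=Service Accounts,DC=corp,DC=example,DC=com'  # assumed bind account
$TestUser    = 'jdoe'                                                         # assumed sAMAccountName to look up
$NeededAttrs = @('sAMAccountName', 'userPrincipalName', 'mail', 'displayName')  # assumed attributes the app reads
$Cred        = Get-Credential -UserName $BindDn -Message 'Password for the LDAP bind account'

function New-LdapsConnection {
    param([string]$Server, [int]$Port, [pscredential]$Credential)
    # fullyQualifiedDnsHostName = $true so the server certificate is checked against $Server
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS from the first byte, on 636 and 3269 alike
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind with the DN, inside TLS
    $conn.Credential = $Credential.GetNetworkCredential()
    $conn.Bind()                                     # throws LdapException on a closed port, bad cert or bad password
    return $conn
}

function Search-Ldap {
    param($Connection, [string]$Base, [string]$Filter, [string[]]$Attrs, [string]$Scope = 'Subtree')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, $Scope, $Attrs)
    return $Connection.SendRequest($req).Entries
}

# 1. Bind on the default port and read RootDSE: is this DC a Global Catalog server?
$c636     = New-LdapsConnection -Server $Server -Port 636 -Credential $Cred
$rootDse  = (Search-Ldap $c636 '' '(objectClass=*)' @('isGlobalCatalogReady', 'defaultNamingContext', 'schemaNamingContext') 'Base')[0]
$isGc     = [string]$rootDse.Attributes['isGlobalCatalogReady'][0]
$domainDn = [string]$rootDse.Attributes['defaultNamingContext'][0]
$schemaDn = [string]$rootDse.Attributes['schemaNamingContext'][0]
if ($isGc -ne 'TRUE') { throw "$Server is not a Global Catalog server; it will not answer on 3269" }

# 2. Every attribute the application reads must be replicated to the GC
#    (isMemberOfPartialAttributeSet=TRUE in the schema). Anything missing here
#    comes back empty on 3269 even though 636 returns it.
$nameClauses = ($NeededAttrs | ForEach-Object { "(lDAPDisplayName=$_)" }) -join ''
$pasFilter   = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE)(|$nameClauses))"
$inPas       = Search-Ldap $c636 $schemaDn $pasFilter @('lDAPDisplayName') |
               ForEach-Object { [string]$_.Attributes['lDAPDisplayName'][0] }
$notInPas    = $NeededAttrs | Where-Object { $inPas -notcontains $_ }
if ($notInPas) { Write-Warning "Not in the Global Catalog partial attribute set: $($notInPas -join ', ')" }

# 3. Time the same user lookup on both ports. The search base is the domain DN in
#    both cases, so the only difference is the port and therefore the attribute set.
$userFilter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$c3269      = New-LdapsConnection -Server $Server -Port 3269 -Credential $Cred
foreach ($pair in @(@{ Port = 636; Conn = $c636 }, @{ Port = 3269; Conn = $c3269 })) {
    $sw   = [System.Diagnostics.Stopwatch]::StartNew()
    $hits = @(Search-Ldap $pair.Conn $domainDn $userFilter $NeededAttrs)
    $sw.Stop()
    $returned = ($hits | ForEach-Object { $_.Attributes.AttributeNames } | Sort-Object -Unique) -join ','
    '{0,5}  {1,8:N0} ms  {2} entries  attributes returned: {3}' -f $pair.Port, $sw.Elapsed.TotalMilliseconds, $hits.Count, $returned
}
$c636.Dispose(); $c3269.Dispose()
```

Run it from a host that can reach the DC on both ports with the account Lawson uses for its bind.  A throw at step 1 means you must either point the bind at a DC that is a GC or stay on 636; a warning at step 2 means an attribute Lawson reads would silently disappear on 3269, so check that list before changing the bind, not after users start reporting failed logins.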

If you choose to use the default port, be aware that there may be performance problems, and possibly timeouts, when users log in.  This can affect you even if you authenticate through AD FS, because some parts of the application still authenticate with an LDAP Bind: for instance, IPA nodes that have to authenticate against the Lawson server (file access, Lawson Query, and so on).

If users are experiencing latency or timeouts when logging in, you may see a “connection reset” error in your LAWDIR/system/security_authen.log file, similar to the error below:

Another symptom of a slow search on the default port is IPA processes throwing a login error when they try to connect to Lawson.  You might see an error similar to this one in your Work Unit logs.  This exception was thrown on an RM Query Node:

If you are experiencing these issues, the best course of action is to update your LDAP Bind to use port 3269 instead of 636, provided the domain controller you bind to is a Global Catalog server and the attributes Lawson reads are in the Global Catalog partial attribute set.  Check out our article on Configuring Lawson for LDAP Signing for step-by-step instructions on how to update the LDAP Bind.