Implementing the Active Directory Global Catalog with PAM

Document ID : KB000122398
Last Modified Date : 07/12/2018
Show Technical Document Details
Depending on the complexity of the AD forest, it may be easier to point PAM at the AD Global Catalog, rather than configure multiple LDAP servers on the 3rd party page.
Connecting to the Global Catalog works just fine.  It works via 3268 (cleartext or STARTTLS) or 3269 (LDAPS).  They are used instead of 389 or 636, respectively.  Below are some notes based on what we've learned during one such deployment. 

In complex Active Directory (AD) deployments where AD (universal) groups contain members from different sub-domains, an easy way to configure PAM to support such environments, i.e. to be able to successfully import all the users and devices from the (universal) group, even if they are in different subdomains, is to configure PAM to use the global catalog which contains information about all objects in the AD forest:

Change the LDAP port in the 3rd Party Configuration from 389/636 to 3268/3269.

The Global Catalog is an optional domain controller role so not all domain controllers may have it, you may need to configure PAM with the right DC to use the global catalog.

If you encounter a problem implementing this, please open a support ticket.