Windows logins do not use LDAP.  Essentially, that stuff is all done
using Kerberos or NTLM if there is some kind of failover.  All of the
Kerberos ticket creation and group membership expansion for Windows
security tokens is done through different APIs and protocols.

LDAP is mainly used by applications for querying and modifying the
directory.  Exchange does a lot of this for discovering email addresses
and other stuff.

Hopefully my other post provided more information about LDAP and channel
encryption and such.

If you are really curious about the LDAP traffic on your network, sniff
the traffic.  All of the traffic on port 389, 636, 3268 and 3269 is
LDAP.  636 and 3269 will be SSL, so it will be encrypted and you won't
be able to read it.  389 and 3269 might or might not be encrypted.

HTH,

Joe K.
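The port-based triage Joe describes above, written out as an added detection example (not code from the thread): it labels flows by the four LDAP ports and, for the two ports that may carry cleartext, parses the leading LDAP message to flag simple binds that send a password. The sample payload and the minimal BER parsing are my construction; only the port roles come from the post.

```python
# Classify LDAP flows by port (389/3268 = LDAP/GC, cleartext unless StartTLS
# or SASL sealing; 636/3269 = LDAPS/GC-SSL) and flag simple binds with passwords.
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "GC", 3269: "GC-SSL"}
TLS_PORTS = {636, 3269}
def _ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _skip(buf, i, tag):
    """Require TLV `tag` at buf[i]; return the index just past its value."""
    if buf[i] != tag:
        raise ValueError("unexpected tag")
    n, i = _ber_len(buf, i + 1)
    return i + n

def is_simple_bind(payload: bytes) -> bool:
    """True for a BindRequest using simple auth with a non-empty password."""
    try:
        if payload[0] != 0x30:                 # LDAPMessage SEQUENCE
            return False
        _, i = _ber_len(payload, 1)
        i = _skip(payload, i, 0x02)            # messageID INTEGER
        if payload[i] != 0x60:                 # [APPLICATION 0] BindRequest
            return False
        _, i = _ber_len(payload, i + 1)
        i = _skip(payload, i, 0x02)            # version INTEGER
        i = _skip(payload, i, 0x04)            # name (LDAPDN)
        if payload[i] != 0x80:                 # authentication: simple [0]
            return False
        n, _ = _ber_len(payload, i + 1)
        return n > 0                           # empty password = anonymous
    except (IndexError, ValueError):
        return False

def classify(dst_port: int, payload: bytes) -> dict:
    """Label one flow: LDAP role, channel encryption, cleartext bind seen."""
    proto = LDAP_PORTS.get(dst_port)
    if proto is None:
        return {"protocol": None, "encrypted": None, "cleartext_bind": False}
    if dst_port in TLS_PORTS:                  # SSL-wrapped, payload unreadable
        return {"protocol": proto, "encrypted": True, "cleartext_bind": False}
    return {"protocol": proto, "encrypted": "unknown",
            "cleartext_bind": is_simple_bind(payload)}

# Constructed sample: simple bind as "cn=svc" with password "Pa55" on port 389.
SIMPLE_BIND = bytes.fromhex("301602010160110201030406636e3d737663800450613535")
```

Feed it the first client-to-server payload of each TCP flow from a capture; a hit on 389 or 3268 is a credential that only TLS at a lower layer could have protected.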



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, March 23, 2005 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS part 2

I am mainly thinking about communications with Exchange. Other than
that, I am not really sure what applications or other communications are
actually using LDAP. For instance, when someone logs onto a machine,
what is happening? I have thought that everything was taken care of by
Kerberos, but not totally sure that that is all that is happening. I
mean, isn't group membership and junk like that using LDAP?


Is this the case:

Authorization uses LDAP in plain text
Authentication uses Kerberos

If so, exactly what makes up the authorization component (username,
groups)?
