Configuring a Directory Service Account in Outlook

In addition to supporting e-mail accounts, Office Outlook 2007 also allows you to add LDAP-based directory service accounts that enable you to query for subscriber information in the remote server’s directory. The LDAP server might be internal to your organization, hosted by another company, or one of several LDAP directories located on the Internet. With an LDAP account in your profile, you can look up names, addresses, and other information stored in the directory.

To set up and configure an LDAP account in Outlook 2007, follow these steps:

  1. Right-click the Outlook 2007 icon on the Start menu, choose Properties, and then click E-Mail Accounts (and select the profile if necessary). Alternatively, if Outlook 2007 is already started, choose Tools, Account Settings.

  2. Select the Address Books tab, and then click New.

  3. Select Internet Directory Service (LDAP), and then click Next.

  4. On the Directory Service (LDAP) Settings page of the Add New E-Mail Account wizard, shown in Figure 17-1, type the server name or the IP address in the Server Name box.

    Figure 17-1. Specify the server name, and supply logon credentials if the server requires authentication.

  5. If the server requires authentication, select the This Server Requires Me To Log On check box. Specify the logon credentials in the User Name and Password boxes. If you’re authenticating on a Windows Server domain controller, include the domain by entering <domain>\<user> in the User Name box, where <domain> is the domain name and <user> is the user account.

  6. Click More Settings to open the Microsoft LDAP Directory dialog box, shown in Figure 17-2.

    Figure 17-2. Change the display name, port, and other properties as needed.

  7. Change the name in the Display Name box to the name you want Outlook 2007 to display in the address book for the directory service.

  8. In the Port box, type the port number required by the LDAP server. The default port is 389, although you can use 3268 for most searches in an Active Directory global catalog (GC).

  9. You can select the Use Secure Sockets Layer (SSL) check box to connect to the LDAP server through SSL. In most cases, SSL won’t be required. This option works only if the server allows an SSL connection.

  10. In the Microsoft LDAP Directory dialog box, click the Search tab, shown in Figure 17-3.

    Figure 17-3. Use the Search tab to configure the time-out, number of hits to return, and the search base.

  11. Specify the search time-out and the maximum number of entries you want returned in a search. In the Search Base box, either select Use Default (the Users container) or type the root for your search in the directory. If you’re searching Active Directory, for example, you might enter dc=<domain>,dc=<suffix>, where <domain> is your domain name (without the domain suffix). Specify the domain suffix (net, com, org, or us, for example) as the last data item. (See "Setting the Search Base" later in this section for more details.) To be able to browse the directory, select the Enable Browsing (Requires Server Support) check box. The Active Directory domain controller must allow browsing for this feature to work.

  12. Click OK to close the dialog box, and then click Next and click Finish to complete the account setup.

Note

Queries to Active Directory using SSL should be directed to port 636. GC queries using SSL should be directed to port 3269.

You can use the directory service accounts created in Outlook 2007 to perform LDAP queries from within Outlook 2007. Microsoft Windows Mail accounts can also be used for these types of searches. However, you can’t use these accounts from the search/find feature of your operating system.

Note

You can make changes to a directory service account in Outlook 2007 and query using the new settings without restarting Outlook 2007.

Setting the Search Base

The search base for an LDAP query specifies the container in the directory service where the query will be performed. When querying against Active Directory on a server running Windows, specifying no search base causes Outlook 2007 to return all items in the directory that have an e‑mail address. Often, this means that you see many system-level objects, as shown in Figure 17-4. These additional objects often confuse casual users, and even users familiar with Active Directory generally don’t want to see these system-level objects. You can set the search base to more closely target the information you’re trying to find, but to do so, you must understand what the search base really is.

Figure 17-4. A query with no search base returns all objects with e-mail addresses.

Each entry in the directory has a Distinguished Name (DN), which is a fully qualified name that identifies that specific object. Relative Distinguished Names (RDNs) are concatenated to form the DN, which uniquely identifies the object in the directory. RDNs include the following:

  • cn= common name

  • ou= organizational unit

  • o= organization

  • c= country

  • dc= domain

Note

Active Directory drops the c= attribute and adds the dc= attribute.

For example, assume that you want to search the Users container in the domain boyce.us. The search base would be as follows:

cn=users,dc=boyce,dc=us

Notice that the domain is represented by two dc attributes. If the domain you are searching is microsoft.com, you would use dc=microsoft,dc=com instead.

In some cases, the part of the directory you want to search will be in a specific organizational unit (OU). Or you might be setting up multiple LDAP accounts in Outlook 2007, each configured to search a specific OU. For example, perhaps your company has Sales, Marketing, Support, External Contacts, and a handful of other OUs, and you want to configure an LDAP query for each one. One solution is to add an LDAP service for each and configure the search base accordingly. For example, let’s say we’re configuring an LDAP service account to query the Support OU in the boyce.us domain. The search base would be as follows:

ou=support,dc=boyce,dc=us

Keep the following points in mind when deciding on a search base:

  • Specifying no search base causes Outlook 2007 to retrieve objects from the entire directory.

  • Specifying a search base sets the branch of the directory to search in the directory tree.

If you decide to include a search base, determine the common name for the object or OU, and then add the domain. You can’t specify just the ou or cn attribute without the domain, but you can specify the domain by itself to perform a top-down search of the domain.

Note

If you need to search different branches of the directory tree, you can add multiple LDAP service accounts to your profile, each with the appropriate search base. Or add only one LDAP service account, and then simply change its search base when you need to query a different branch.

Troubleshooting

Your LDAP query returns this error message: "There are no entries in the directory service that match your search criteria"

Sooner or later, you’ll attempt to query an LDAP server that you know contains at least one item meeting your search criteria, but you’ll receive an error message telling you that no entries in the directory service match your criteria. One possible cause of this problem is that the search option specified at the LDAP server might be preventing the query from completing successfully. For example, you might be issuing an "any" query, but the server is configured to treat such queries as initial queries.

You might also receive this error message if you’ve incorrectly set the LDAP directory service account properties—for example, you might have configured the account to use port 389 when the server requires SSL. Check your directory service account settings to ensure that you have specified the proper server name or address, port, and search base.
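The port and search-base rules from this section can be checked offline before the settings are typed into the dialog box. The following is an added example, not code from the book or from Outlook: the function names and finding labels are hypothetical, the checks assume an Active Directory target, and the credentials finding assumes a simple bind.

```python
# Added example: ports and RDN types are the ones the page lists; the helper
# names and finding labels are constructed for illustration.
PORTS = {389: False, 636: True, 3268: False, 3269: True}  # port -> expects SSL
RDN_TYPES = {"cn", "ou", "o", "c", "dc"}


def split_rdns(base):
    """Split a DN on commas, leaving backslash-escaped characters intact."""
    parts, cur, i = [], "", 0
    while i < len(base):
        step = 2 if base[i] == "\\" and i + 1 < len(base) else 1
        if step == 1 and base[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += base[i:i + step]
        i += step
    return parts + [cur]


def parse_search_base(base):
    """Return [(type, value), ...] for a search base; [] if it is empty."""
    if not base.strip():
        return []
    pairs = []
    for rdn in split_rdns(base):
        rdn_type, sep, value = rdn.strip().partition("=")
        if not sep or not value.strip() or rdn_type.strip().lower() not in RDN_TYPES:
            raise ValueError(f"malformed or unknown RDN: {rdn!r}")
        pairs.append((rdn_type.strip().lower(), value.strip()))
    return pairs


def check_account(port, use_ssl, requires_logon, search_base):
    """List findings for one directory service account (Active Directory assumed)."""
    findings = []
    if port not in PORTS:
        findings.append("port-not-listed")
    elif PORTS[port] != use_ssl:
        findings.append("port-ssl-mismatch")
    if requires_logon and not use_ssl:
        # Assumes a simple bind: the password then crosses the network unencrypted.
        findings.append("credentials-without-ssl")
    rdns = parse_search_base(search_base)
    if not rdns:
        findings.append("no-search-base-returns-entire-directory")
    elif rdns[-1][0] != "dc":
        findings.append("search-base-missing-domain")
    return findings
```

For instance, `check_account(389, True, False, "cn=users,dc=boyce,dc=us")` reports the port and SSL mismatch described in the troubleshooting text, while port 636 with SSL selected and the same search base reports nothing.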
