6.3 LDAP directory access for IMAP4 and POP3 clients




IMAP4 and POP3 are exclusively messaging protocols and do not incorporate a directory service. The assumption is that a client will use another protocol such as LDAP to access a separate directory service. The AD provides the directory service for Exchange and you must configure access to the directory separately.

By default, Outlook Express includes a placeholder entry for Active Directory in the list of directory services installed with the client. However, the entry is just that, a placeholder, and you must update its properties to add the details needed for the connection to succeed. Figure 6.8 illustrates an example of the required changes, in this case to connect to a Global Catalog Server within the hp.com domain.

Figure 6.8: Configuring access to the Active Directory.

On the "General" property page, enter the FQDN of a Global Catalog Server in the "Server name" field, usually the same Global Catalog as used by the Exchange server that hosts the user mailbox. Secure connections to the AD are required, so you must state logon credentials in the form of the user's Windows account and password. The account name can be specified in the form of a User Principal Name (similar to the email address shown in Figure 6.8) or in the form Domain Name\Account Name (e.g., DOMAIN1\REDMOND). You can also instruct Outlook Express to use the directory to check names before sending messages. Only messages addressed to names are checked, and the client ignores fully qualified email addresses such as John.Doe@xyz.com.

The settings on the "Advanced" property page control how the client makes the LDAP connection to AD. The IP port number is specified (3268 is the default), along with the timeout and the maximum number of matches to return. The default values for these parameters are a one-minute timeout and a maximum of 100 matches, which is acceptable in most situations. If configured correctly, AD responds quickly to LDAP searches, and exceeding the timeout points to a badly specified search. For example, if you execute a search for everyone called "John" in a directory holding 50,000 accounts or more, it is likely that the search will return many more than 100 entries and take a long time to go through the directory, so both limits are likely to be exceeded. Users have to be educated to be as specific as possible when they search the directory. Unlike MAPI, LDAP offers no ability to browse the GAL, so you cannot begin from a position within the directory and move backward and forward to find the right entry.

The "Search base" field establishes the root of the search within the AD. You can use this field to limit searches to a specific domain or organizational unit, if required. The value shown in Figure 6.8 means that searches begin from the distinguished name dc=compaq,dc=com, which indicates that you might be looking for someone with a compaq.com email address.

The Outlook Express client executes directory searches by invoking the "Find People" option. Figure 6.9 shows the results of a search, including the criteria used to limit the search. Even when executed against a directory containing over 150,000 accounts, the search responded in less than a second. By comparison, the search with the criterion "Name contains Tony" timed out after a minute, because the directory could not respond within the default timeout interval. LDAP does not differentiate between accounts, contacts, and distribution groups and treats them all as mail-enabled directory entries that you can search for using first name, last name, name, email address, or organization.

Figure 6.9: Executing an LDAP search against Active Directory.
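To make the "Find People" criteria and the "maximum matches" limit from the "Advanced" page concrete, here is an added Python example; it is not code from the book or from Outlook Express. It builds the LDAP filter the client would send to the Global Catalog (with RFC 4515 escaping so that typed criteria cannot change the filter's structure) and evaluates the same criteria against a small constructed directory, applying the client's size limit. The mapping of the criteria to the displayName and mail attributes, and the sample entries, are assumptions made for the example.

```python
from dataclasses import dataclass

GC_PORT = 3268            # Global Catalog LDAP port, the default on the "Advanced" page
DEFAULT_SIZE_LIMIT = 100  # Outlook Express default "maximum number of matches"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters typed by the user that have meaning in a
    filter are hex-escaped, so the criteria can only ever be a value, never syntax."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def build_find_people_filter(name: str = '', email: str = '') -> str:
    """Filter equivalent to the Find People criteria (assumed attribute mapping):
    mail-enabled entries whose display name contains `name` and/or whose mail
    address starts with `email`. Accounts, contacts and groups are all candidates."""
    terms = ['(mail=*)']
    if name:
        terms.append('(displayName=*%s*)' % escape_filter_value(name))
    if email:
        terms.append('(mail=%s*)' % escape_filter_value(email))
    return '(&%s)' % ''.join(terms)


@dataclass
class SearchResult:
    entries: list             # distinguished names returned to the client
    size_limit_exceeded: bool  # what the client sees once more than size_limit entries match


# Constructed sample directory (not from the book): a few GC entries under dc=compaq,dc=com
SAMPLE_GC = [
    {'dn': 'cn=Tony Redmond,ou=Users,dc=compaq,dc=com',
     'displayName': 'Tony Redmond', 'mail': 'tony.redmond@compaq.com'},
    {'dn': 'cn=Antonio Rossi,ou=Users,dc=compaq,dc=com',
     'displayName': 'Antonio Rossi', 'mail': 'antonio.rossi@compaq.com'},
    {'dn': 'cn=Sales,ou=Groups,dc=compaq,dc=com',
     'displayName': 'Sales Team', 'mail': 'sales@compaq.com'},
    {'dn': 'cn=Printer Admin,ou=Users,dc=compaq,dc=com',
     'displayName': 'Printer Admin'},  # not mail-enabled, so never returned
]


def find_people(directory, name='', email='', size_limit=DEFAULT_SIZE_LIMIT) -> SearchResult:
    """Evaluate the Find People criteria locally, truncating at the client's size limit
    the way the directory server does; an overly broad criterion such as a short
    substring is what pushes a search past that limit."""
    matches = []
    for entry in directory:
        if 'mail' not in entry:
            continue
        if name and name.lower() not in entry.get('displayName', '').lower():
            continue
        if email and not entry['mail'].lower().startswith(email.lower()):
            continue
        matches.append(entry['dn'])
    return SearchResult(matches[:size_limit], len(matches) > size_limit)
```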

Unlike Outlook, which can use the OAB to validate and search addresses offline, IMAP and POP clients cannot use LDAP to interrogate addresses offline. Some clients, such as recent versions of Outlook Express, "remember" recently used email addresses and incorporate an auto-complete feature to fill in email addresses from this list as you type. This is certainly convenient, but power users will have to populate their own personal address books with the email addresses they want to use offline. The problem with any personal address book is that it is very personal, and no facility exists to synchronize the data with a definitive directory to keep email addresses updated.






Microsoft Exchange Server 2003
Microsoft Exchange Server 2003 Administrators Pocket Consultant
ISBN: 0735619786
Year: 2003
Pages: 188
