Active Directory LDAP Compliance

Microsoft Corporation
Published: October 2003
Abstract
Directories are public or private stores containing essential identifying information typically used in daily
enterprise activities. Many application providers capitalize on directories offering integration into existing
directories to extend their applications functionality. et!or" operating systems also house vital net!or"
information# such as users and computers# !ithin directories.
Light!eight Directory Access Protocol $LDAP% is a directory standard founded on the legacy &.'(( directory.
LDAPs initial implementations provided gate!ay services bet!een &.'(( directory servers and clients.
)hile LDAP !as initially created to meet this re*uirement# it became clear that a parting from the
cumbersome &.'(( directory standard !as needed to simplify deployments. +n ,--.# LDAP !as
transformed into a directory specification !ith its o!n database and structuring conventions.
/his paper discusses the origins of LDAP !ithin Microsoft products and# specifically# the implementation of#
and conformance to# the LDAPv0 Proposed 1tandard !ithin Microsoft )indo!s 2((( 1erver and Microsoft
)indo!s 1erver 2((0. +ncluded for reference are matrixes detailing supported 34Cs.
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to chanin mar!et
conditions" it should not be interpreted to be a commitment on the part of
Microsoft" and Microsoft cannot uarantee the accurac# of an#
information presented after the date of publication.
This document is for informational purposes onl#. M$C%O&O'T M()*&
+O ,(%%(+T$*&" *-P%*&& O% $MP.$*/" (& TO T0*
$+'O%M(T$O+ $+ T0$& /OC1M*+T.
Compl#in with all applicable cop#riht laws is the responsibilit# of the
user. ,ithout limitin the rihts under cop#riht" no part of this document
ma# be reproduced" stored in or introduced into a retrieval s#stem" or
transmitted in an# form or b# an# means 2electronic" mechanical"
photocop#in" recordin" or otherwise3" or for an# purpose" without the
e4press written permission of Microsoft Corporation.
Microsoft ma# have patents" patent applications" trademar!s" cop#rihts"
or other intellectual propert# rihts coverin sub5ect matter in this
document. *4cept as e4pressl# provided in an# written license areement
from Microsoft" the furnishin of this document does not ive #ou an#
license to these patents" trademar!s" cop#rihts" or other intellectual
propert#.
6 2003 Microsoft Corporation. (ll rihts reserved.
Microsoft" (ctive /irector#" 7isual Basic" ,indows" and ,indows &erver
are either reistered trademar!s or trademar!s of Microsoft Corporation in
the 1nited &tates and8or other countries.
The names of actual companies and products mentioned herein ma# be
the trademar!s of their respective owners.
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Contents
Contents.................................................................................................................................................. 1
Introduction............................................................................................................................................. 2
What Is LDAP?........................................................................................................................................ 3
What Does It Mean to Be LDAP Compliant?........................................................................................
Acti!e Director"#s LDAP Compliance................................................................................................... $
Compliance Misconceptions............................................................................................................... 1%
Director" Interoperabilit"..................................................................................................................... 11
Additional &esources........................................................................................................................... 1'
Microsoft5 Active Directory5 LDAP Compliance ,
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Introduction
Directories6public or private resource lists containing names# locations# and other identifying information6
are essential tools often ta"en for granted in our daily activities. /ypically these directories provide
information about people# places# or organizations as part of an overall solution. 4or example# a telephone is
virtually useless !ithout a directory to correspond names !ith telephone numbers. 7istorically# most
directories !ere only available in printed form.
As the computer revolution forged ahead# printed directories gave !ay to an electronic counterpart. Many
application providers capitalized on the directory concept offering proprietary versions that extended their
applications functionality. et!or" operating systems also provided directories# typically housing user and
device information. 8nfortunately# these first generation directories !ere often developed !ith little or no
concern for interoperability. +solated and specific in function# they performed admirably. 7o!ever# it !as
obvious directories needed to interact !ithin a larger net!or" ecosystem. /his idea gre! into the definition of
the &.'(( standard.
Director" (oundation) *.%%
+n ,-99# the +nternational :rganization for 1tandardization $+1:% and the +nternational /elecommunications
8nion $+/8% introduced the &.'(( standard. &.'(( defines the protocols and the information model for an
application and net!or" platform agnostic directory service. As a distributed directory based on hierarchically
named information ob;ects# &.'(( specifications characterized a directory that users and applications could
bro!se or search.
/he &.'(( paradigm includes one or more Directory 1ystem Agents $D1As%6directory servers6!ith each
holding a portion of the Directory +nformation <ase $D+<%. /he D+< contains named information ob;ects
assembled in a tree structure6defined by a Directory +nformation /ree $D+/%6!ith each entry having an
associated set of attributes. =very attribute has a pre>defined type and one or more associated values.
:b;ect classes# containing mandatory and optional attributes# are defined !ithin a directory schema. =nd
users communicate !ith an &.'(( D1A using the Directory Access Protocol $DAP% !hile the Directory
1ystem Protocol $D1P% controls interaction bet!een t!o or more D1As.
*.%%) +he ,eed -or a Li.ht/ei.ht Alternati!e
8nderstanding the need for a streamlined directory standard# several implementers proposed a light!eight
alternative for connecting to &.'(( directories. 8ltimately# the first iteration of LDAP gained traction as a
simple alternative to the &.'(( Directory 8ser Agent $D8A%. /he ne! LDAP definition?
1implified protocol encoding
8sed text encoding for names and attributes
Mapped directly onto the /CP@+P stac"
1upplied a simple Application Programming +nterface $AP+%
Microsoft5 Active Directory5 LDAP Compliance 2
Microsoft
9
,indows &erver
:
2003 ,hite Paper
What Is LDAP?
:rganized development of LDAP occurred on several fronts. 7o!ever# the most notable !or"# and the first
freely available implementation# !as completed by the 8niversity of Michigan in ,--0. /he 8niversity focused
efforts on developing a simpler /CP@+P version of &.'((s DAP. DAP !as considered cumbersome as it
pushed much of its !or"load to the client.
Although LDAP is !ell rooted as a simplified component of the &.'(( directory# it has become the de facto
directory protocol on the +nternet today.
LDAP) (irst 0eneration
LDAPs initial implementations provided gate!ay services bet!een &.'(( directory servers and clients. /he
clients communicated !ith an LDAP gate!ay through LDAP>enabled soft!are. +n turn# the gate!ay handled
transactions6on behalf of the client6!ith the &.'(( D1A. /his model promoted directory interoperability
allo!ing application providers to easily develop client soft!are capable of communicating !ith an LDAP
gate!ay service# regardless of the bac"end platform. )hile LDAP !as initially created to meet this
re*uirement# it became clear that a parting from &.'(( !as needed to simplify deployments. +n ,--.# LDAP
!as transformed into a directory specification !ith its o!n database and structuring conventions.
:nce transformed# the LDAP specifications reflected a true client>server model !ith clients ma"ing re*uests
directly to servers for information or operations. :ne or more directory servers may either perform the
operation or refer the client to another directory server that may be able to provide the re*uested information#
or perform the re*uested operation. /he LDAP client !ill see the same vie! of the directory no matter !hich
server is contacted. +f necessary# the LDAP server can authenticate the client to the operating system in use.
:nce received# the LDAP server !ill convert a re*uest into an appropriate format for the accessed directory.
4or &.'(( directories# the LDAP server !ould convert the LDAP re*uest into a DAP re*uest.
1nhancements /ith 2ersion 2
As interest in LDAP increased# several ne! developments extended its core functionality !hile streamlining
its footprint. +n ,--'# 3e*uest for Comment $34C% ,AAA !as introduced for LDAP Bersion 2. 34C ,AAA
eliminated many of the impracticable components of &.'(( that !ere central to the original LDAP
specifications. 4urthermore# net!or" connectivity !as changed from the &.'(( :pen 1tandards
+ntercommunication $:1+% model to the /CP@+P model.
LDAPv2 is officially defined by the follo!ing 34Cs?
RFC 1777 C Light!eight Directory Access Protocol $v2%
RFC 1778 C /he 1tring 3epresentation of 1tandard Attribute 1yntaxes
RFC 1779 C A 1tring 3epresentation of Distinguished ames
+he Current 3tate o- LDAP
Developed by the +nternet =ngineering /as" 4orce $+=/4% in ,--A# the current LDAPv0 implementation is a
renovation of LDAPv2# !hich primarily tac"les deployment limitations identified !ithin the previous version.
LDAPv0 also enriches compatibility !ith &.'(( along !ith enhanced integration !ith non>&.'(( directories.
LDAPv0 encompasses LDAPv2 !ithin a ne! set of 34Cs.
LDAPv0 is a Proposed 1tandard currently defined by 34C 00AA# !hich includes# the 34Cs belo! in addition
to support for the LDAPv2 34Cs listed above
,
?
RFC 2251 C Light!eight Directory Access Protocol $v0%
RFC 2252 C LDAP $v0%? Attribute 1yntax Definitions
RFC 2253 C LDAP $v0%? 8/4>9 1tring 3epresentation of Distinguished ames
1
This means that any application that is LDAPv3 compliant is by default, LDAPv2 compliant.
Microsoft5 Active Directory5 LDAP Compliance 0
Microsoft
9
,indows &erver
:
2003 ,hite Paper
RFC 2254 C 1tring 3epresentation of LDAP 1earch 4ilters
RFC 2255 C /he LDAP 83L 4ormat
RFC 2256 C A 1ummary of &.'(($-D% 8ser 1chema for use !ith LDAP $v0%
RFC 2829 C Authentication Methods for LDAP
RFC 2830 C LDAP $v0%? =xtensions for /ransport Layer 1ecurity
Microsoft5 Active Directory5 LDAP Compliance .
Microsoft
9
,indows &erver
:
2003 ,hite Paper
What Does It Mean to Be LDAP Compliant?
Claiming LDAP compliance seems to be a common occurrence among todays directory>capable vendors. +n
truth# applications may be either directory>a!are6capable of reading an LDAP directory6or directory>
enabled6capable of reading and performing other defined LDAP operations on a directory. <oth
implementations should be considered LDAP>compliant if proposed standards are follo!ed in achieving an
applications desired level of LDAP functionality. Compliance !ith standards# ho!ever# does not ensure
interoperability. 1tandards may lac" sufficient clarity# even after formalization# leading to varying guideline
interpretations.
/he compliance tas" for directory server vendors !eighs on their ability to conform to defined standards !hile
ensuring interoperability !ith those standards. +n addition# the process of standard formalization is an
ongoing effort compounding the difficulty of achieving full compliance. 4or example# LDAPv2 has been
formalized !ith a defined set of 34Cs# ho!ever# LDAPv0# a Proposed 1tandard# is theoretically still a !or" in
progress as it moves to!ard an +nternet 1tandard. +n summary# a vendors compliance statement should be
vie!ed as their ability to implement a "no!n set of 34Cs# accurately interpret those 34Cs to ensure
interoperability# and provide a frame!or" capable of incorporating ne! 34Cs.
Achie!in. Compliance) I1+( Applicabilit" 3tatement
/he +=/4 has established an LDAPv0 )or"ing Eroup6ldapbis6!ith the charter of steering the previously
mentioned LDAPv0 34Cs through the +nternet 1tandards process. +n 1eptember 2((2# the !or"ing group
submitted a revised LDAP specification for consideration as a draft standard. Currently# no +=/4 LDAPv0
conformance or compliance directive existsF ho!ever# one of the most pervasive documents to be delivered
by the !or"ing group is an LDAP applicability statement.
:nce complete# an LDAP applicability statement !ill guide independent vendors to!ard +=/4>based LDAP
compliance. +n all probability# third>party test suites# based on the applicability statement# !ill be developed#
allo!ing vendors and end users to accurately determine LDAP compliance. 8ntil then# vendor declarations
combined !ith existing third>party testing suites are the most suitable alternatives.
Achie!in. Compliance) +hird4Part" +est 3uites
1everal LDAP compliance testing and certification solutions exist in the mar"etplace today. :ne of the most
prominent test suites is offered by the :pen Eroup# a technology>neutral consortium. /he :pen Eroup also
sponsors the Directory +nteroperability 4orum $D+4%# !hich compromises architects# strategists# and product
managers from customers and vendors of directories and directory>enabled applications. According to the
:pen Eroup# the D+4 is chartered to Gprovide testing and certification for directory servers and applications
that use :pen Directory 1tandards.H Microsoft Corporation is an active member of the D+4.
The Open Group LDAP Certifi!tion"
3ecently released in 2((0 are t!o directory :pen Eroup@D+4 test certifications? LDAP 3eady and LDAP
Certified. )ith an LDAP Certified directory# the vendor guarantees its LDAP directory server conforms to the
LDAPv0 specifications published by the +=/4. :n the other hand# an LDAP 3eady application !arrants that it
!ill interoperate !ith an LDAP Certified directory.
/o become LDAP Certified# directory vendors typically submit a !arranty of LDAPv0 conformance using the
:pen Eroups B1LDAP /est 1uite as a compliance measuring tool. /he !arranty is intended to ensure
conformity to industry standard specifications# conformity through a products lifecycle# and the *uic" remedy
of any nonconformity. At the moment# no vendor has received either of these ne! certifications.
3ettin. an LDAP Compliance Baseline
According to the D+4
2
# a baseline of LDAP compliance can be measured by verifying support of the follo!ing
2
Extacted fom the !pen "oup#s LDAP $eatues fo %etification.
Microsoft5 Active Directory5 LDAP Compliance '
Microsoft
9
,indows &erver
:
2003 ,hite Paper
34C components. <y no means exhaustive# an LDAP compliance baseline can be supplemented by support
of additional LDAP 34Cs# features# or extensions.
&(C (eature Description
22', Abandon /he server accepts abandon re*uests and performs the re*uested abandon operations.
22', Add /he server accepts add re*uests and performs the re*uested add operations.
22', Anonymous <ind over 11L
/he server accepts a simple bind over 11L !here the pass!ord is null and treats the
client as anonymously authenticated.
22', Authenticated 1imple <ind
/he server accepts a simple bind re*uest !ith a pass!ord and authenticates the client
by that pass!ord.
22', <=3
/he server correctly encodes and decodes protocol elements using A1., <=3 as
re*uired by LDAP.
22',
Client 1erver
Communication
/he client transmits an operation re*uest to the server# !hich performs the operation on
the directory and returns results@errors.
22', Compare /he server accepts compare re*uests and performs the re*uested compare operations.
22', Data Model
=ach entry must have an ob;ectClass attribute. /he attribute specifies the ob;ect classes
of an entry# !hich along !ith system and user schema determine permitted attributes of
entries.
22', Delete /he server accepts delete re*uests and performs the re*uested delete operations.
22',
Modify $Add# Delete#
3eplace%
/he server accepts modify re*uests and performs the operations# including additions#
deletions# and replacements.
22',
ModifyD C Move Leaf =ntry
to e! Parent
/he server accepts modify D re*uests to move leaf entries to ne! parents and
performs the leaf move operations.
22',
ModifyD C Move 3enamed
Leaf =ntry to e! Parent
/he server accepts modify D re*uests to rename leaf entries and move them to ne!
parents and performs the re*uested leaf rename and move operations.
22',
ModifyD > 3ename a Leaf
=ntry
/he server accepts modify D re*uests to rename leaf entries and performs the
re*uested leaf rename operations.
22', 1earch /he server accepts search re*uests and performs the re*uested search operations.
22',
1imple <ind !ith Pass!ord
over 11L
/he server accepts a simple bind re*uest over 11L !ith a pass!ord and authenticates
the client by that pass!ord.
22', 1imple Common =lements
/he server correctly encodes# decodes# and processes the simple common elements of
LDAPMessage envelope PD8s.
22',
/CP as the /ransporting
Protocol
A server implements mapping of LDAP over /CP and provides a protocol listener +P port
09-.
22',
22'2
Definition of Attributes
/he servers entries have attributes in accordance !ith the &.'(( model. /he server
supports entries !ith attributes.
22',
22'2
Definition of :b;ect Classes /he server associates entries !ith ob;ect classes in accordance !ith the &.'(( model.
22',
22'0
Distinguished ame
/he server correctly encodes and decodes protocol representations of distinguished
names.
22',
292-
Anonymous 1imple <ind
/he server accepts a simple bind re*uest !here the pass!ord is null and treats the
client as anonymously authenticated.
22'2 Definition of Matching 3ules /he server supports matching rules in accordance !ith the &.'(( model.
22'0 Parsing /he server correctly parses string representations of distinguished names.
Microsoft5 Active Directory5 LDAP Compliance D
Microsoft
9
,indows &erver
:
2003 ,hite Paper
22'0 3elationship !ith LDAP v2
/he server accepts but does not generate certain protocol constructs that are legal in
LDAP v2 but not in LDAP v0.
22'0 3elative Distinguished ame
/he server correctly encodes and decodes protocol representations of relative
distinguished names.
292-
290(
11L over /CP as the
/ransporting Protocol
A server implements mapping of LDAP over 11L over /CP and provides a protocol
listener +P port D0D.
Microsoft5 Active Directory5 LDAP Compliance A
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Acti!e Director"#s LDAP Compliance
Windo/s 2%%% 3er!er
)ith the release of )indo!s 2((( 1erver# Microsoft made its first introduction of Active Directory5directory
service. )ith a foundation stemming from proven Microsoft technologies# Active Directorys origins lie !ithin
the original ,--D release of Microsoft =xchange 1erver ..(. Active Directory# ho!ever# !as a significant
paradigm shift from the familiar )indo!s / ..( identity store. <y envisioning a directory capable of
extending beyond a typical :1 store# Microsofts first implementation of Active Directory became a viable
repository for many forms of enterprise data.
/o allo! Active Directory to gain popularity as an enterprise repository# Microsoft had to ma"e an early
commitment to LDAP. /he )indo!s 2((( implementation of Active Directory is an LDAP>compliant directory
supporting the core LDAP 34Cs available at the time of its release. Currently# )indo!s 2((( Active
Directory reaches LDAP compliance through support of the follo!ing 34Cs.
34C Core LDAP 34Cs 34C 1tatus
22',
0
Light!eight Directory Access Protocol $v0% Proposed
22'2
.
Light!eight Directory Access Protocol $v0%? Attribute 1yntax Definitions Proposed
22'0 Light!eight Directory Access Protocol $v0%? 8/4>9 1tring 3epresentation of Distinguished ames Proposed
22'. /he 1tring 3epresentation of LDAP 1earch 4ilters Proposed
22'' /he LDAP 83L 4ormat Proposed
22'D A 1ummary of the &.'(($-D% 8ser 1chema for use !ith LDAPv0 Proposed
292- Authentication Methods for LDAP Proposed
290( Light!eight Directory Access Protocol $v0%? =xtension for /ransport Layer 1ecurity Proposed
&(C Additional LDAP &(C 3upport &(C 3tatus
2D-D
LDAP Control =xtension for 1imple Paged 3esults Manipulation Proposed
22.A
8sing Domains in LDAP@&.'(( Distinguished ames Proposed
Windo/s 3er!er 2%%3
<uilding on the foundation established in )indo!s 2((( 1erver# the Active Directory service in )indo!s
1erver 2((0 extends beyond the baseline of LDAP compliance into one of the most comprehensive directory
servers offering a !ide range of LDAP support. Accordingly# the )indo!s 1erver 2((0 Active Directory
service introduces a number of ne! LDAP capabilities targeted for +/ professionals and application
developers. 1ome of the latest LDAP features include?
D#n!$i %ntrie" > Active Directory can store dynamic entries allo!ing the directory to assign /ime>/o>
Live $//L% values to determine automatic entry deletion.
Tr!n"port L!#er &eurit# 'TL&( > Connections to Active Directory over LDAP can no! be protected
using the /L1 security protocol.
3
&$% 22'1 ( Aliasin), multi(A*A &D+s, and multi(value D+s ae not cuently suppoted.
,
&$% 22'2 - .ome /+01(specific syntax definitions ae not cuently suppoted.
Microsoft5 Active Directory5 LDAP Compliance 9
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Di)e"t Authenti!tion *eh!ni"$ > Connections to Active Directory over LDAP can no! be
authenticated using the D+E=1/>MD' 1imple Authentication and 1ecurity Layer $1A1L% authentication
mechanism. /he )indo!s Digest 1ecurity 1upport Provider $11P% provides an interface for using Digest
Authentication as an 1A1L mechanism.
+irtu!, Li"t +ie-" '+L+( > )hen an LDAP *uery has a large result set# it is inefficient for a client
application to pull do!n the entire set from the server. BLB allo!s a client application to G!indo!H
through a large result set !ithout having to transfer the entire set from the server.
Conurrent LDAP .in/" > Although not specifically defined by the +=/4# Concurrent LDAP <ind
provides the ability to perform multiple LDAP binds on one connection for the purpose of authenticating
users.
Although the LDAP compliance guidelines proposed by the Directory +nteroperability 4orum signify
conformance at a base level# organizations demand directory servers capable of providing robust net!or"
and application services. /his is one of the driving forces behind Microsofts support of virtually all +=/4>
recognized LDAP components. Although LDAP compliance should al!ays be considered a !or" in progress
until full +=/4 standardization# Microsofts current LDAP compliance in )indo!s 1erver 2((0 includes
support of the follo!ing 34Cs.
34C Core LDAP 3e*uirements C 34C 00AA 34C 1tatus /imeline
22', Light!eight Directory Access Protocol $v0% Proposed )indo!s 2(((
22'2
Light!eight Directory Access Protocol $v0%? Attribute 1yntax
Definitions
Proposed )indo!s 2(((
22'0
Light!eight Directory Access Protocol $v0%? 8/4>9 1tring
3epresentation of Distinguished ames
Proposed )indo!s 2(((
22'. /he 1tring 3epresentation of LDAP 1earch 4ilters Proposed )indo!s 2(((
22'' /he LDAP 83L 4ormat Proposed )indo!s 2(((
22'D A 1ummary of the &.'(($-D% 8ser 1chema for use !ith LDAPv0 Proposed )indo!s 2(((
292- Authentication Methods for LDAP Proposed )indo!s 2(((
290(
Light!eight Directory Access Protocol $v0%? =xtension for /ransport
Layer 1ecurity
Proposed )indo!s 2(((
&(C Additional LDAP &(C 3upport &(C 3tatus +imeline
2D-D
LDAP Control =xtension for 1imple Paged 3esults Manipulation Proposed )indo!s 2(((
22.A
8sing Domains in LDAP@&.'(( Distinguished ames Proposed )indo!s 2(((
2'9-
LDAP Protocol $v0%? =xtensions for Dynamic Directory 1ervices Proposed )indo!s 1erver 2((0
2A-9
Definition of the inet:rgPerson LDAP :b;ect Class Proposed )indo!s 1erver 2((0
290,
8sing Digest Authentication as an 1A1L Mechanism Proposed )indo!s 1erver 2((0
29-,
LDAP Control =xtension for 1erver 1ide 1orting of 1earch 3esults Proposed )indo!s 1erver 2((0
Microsoft5 Active Directory5 LDAP Compliance -
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Compliance Misconceptions
1ince the release of )indo!s 2((( 1erver Active Directory# many assertions have been made about its
LDAPv0 compliance. As noted previously# Active Directory and Microsoft =xchange 1erver have supported a
baseline of LDAP compliance since inception. 4urthermore# Active Directory extends this baseline by
supporting a ma;ority of the LDAP +nformational and Proposed 34Cs. Although Microsofts commitment to
building one of the most comprehensive and interoperable directories in the mar"etplace is obvious# there are
still common compliance misconceptions !orth discussing.
inet5r.Person
:ne of the most !idely publicized )indo!s 2((( 1erver LDAP non>compliance claims pivots on the support
of 34C 2A-9 and inet:rgPerson. 34C 2A-9 !as submitted as an +nformational 34C in April 2((( defining
the inet:rgPerson LDAP ob;ect class. /he ob;ect class definition is considered an extension to LDAPv0 and#
as such# is not included in the 34C 00AA LDAPv0 specifications.
evertheless# the timing of the )indo!s 2((( 1erver release in 4ebruary 2((( and the introduction of 34C
2A-9 in April of that same year barred the inclusion of the inet:rgPerson :b;ect Class !ithin the )indo!s
2((( 1erver Active Directory schema. 7o!ever# any )indo!s 2((( Active Directory implementation can
easily accommodate inet:rgPerson through Active Directorys extensible schema.
+n response to customer re*uests for an inet:rgPerson ob;ect class for )indo!s 2(((# Microsoft released
the )indo!s 2((( inet:rgPerson Iit. /he "it# !hich is freely available# derives inet:rgPerson from the user
class !ithin Active Directorys schema. +n addition to defining the inet:rgPerson# the "it delivers basic
administrative control over the class ob;ect. 1ee the GAdditional 3esourcesH section for information on
obtaining the Microsoft )indo!s 2((( inet:rgPerson Iit.
As noted previously# )indo!s 1erver 2((0s Active Directory schema includes the full definition and provides
complete manageability of 34C 2A-9 and the inet:rgPerson LDAP :b;ect Class.
,ati!e LDAP Calls
Another common misconception is that Active Directory does not support native LDAP calls# thereby forcing
developers to use Active Directory 1ervices +nterface $AD1+% for access to the directory. +n fact# Active
Directory fully supports native LDAP calls through support of the LDAP AP+ $34C ,920% 6 it is actually the
primary access method for the ma;ority of )indo!s directory operations. Microsoft merely provides AD1+ as
an abstraction layer to simplify directory development and promote directory interoperability.
+t is important to note that Active Directory does have some functionality that is not exposed by the LDAP
protocol since the functionality extends beyond the LDAP model. 4or instance# LDAP applications bind to
specific directory servers via the serverJs D1 name !hereas Active Directory applications have the option of
employing a distributed locator service to find a nearby replica of a given directory partition. /his option does
not force +1Bs to re!rite their applications since they can bind to a specific LDAP server as usual. 7o!ever# if
an +1B !ants to use the Active Directory distributed locator service to reduce the customer cost of managing
an application# they can call the DsEetDcame AP+ and then use LDAP. Conversely# the +1B may use AD1+#
!hich abstracts a!ay both DsEetDcame and LDAP. /he choice is entirely up to the +1B.
Active Directory fully supports !riting to the 1erver Principal ame via the )indo!s 1erver 2((0 and
)indo!s 2((( 1erver LDAP AP+s.
Microsoft5 Active Directory5 LDAP Compliance ,(
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Director" Interoperabilit"
+t is not uncommon to find a variety of directories6from resource to application>specific6deployed !ithin the
enterprise today. 7o!ever# multiple directories can create complex challenges for the users# administrators#
and developers of any organization. 4rom multiple user logon re*uirements and management complexities to
developers needing to support multiple versions of their applications# directory complexities may continue
!ithout a common management and development frame!or". Microsoft has introduced several
interoperability tools to help customers reduce the complexities of using and managing heterogeneous
directory servers.
LDAP API
An LDAP AP+ is available through the Microsoft Developer et!or" $M1D% Platform 1DI. +t provides native
LDAP functionality for client applications to search for and retrieve information from an LDAP>compliant
directory server. Additional functions# such as modifying directory entries or access control to allo! clients to
authenticate themselves# are also available from !ithin the LDAP AP+. Actually# the AP+ supports all LDAP
compliance specific functions identified in the previous sections to assist in development efforts.
Acti!e Director" 3er!ices Inter-ace
AD1+ is a set of Component :b;ect Model $C:M% programming interfaces that ma"e it easy for customers
and independent soft!are vendors $+1Bs% to build applications that register !ith# access# and manage
multiple directory services !ith a single set of !ell>defined interfaces. AD1+ is an open AP+.
:ne of the most familiar open programming AP+s is :pen Data <ase Connectivity $:D<C%. :D<C provides
open interfaces for relational databases# thus allo!ing developers to !rite applications and tools that !or"
!ith any database that supports :D<C. <ecause of the thriving :D<C development community# every ma;or
relational database no! supports :D<C. AD1+ is e*uivalent to :D<C for directory services.
AD1+ provides developers !ith access to multiple directory service providers through a set of interfaces.
Applications !ritten to AD1+ !or" !ith any directory service that offers an AD1+ provider# thus addressing
some of the complexities outlined previously. <y abstracting the capabilities of directory services from
different net!or" providers# AD1+ presents a single set of directory service interfaces for managing net!or"
resources.
4or example# AD1+ defines a naming convention that can uni*uely identify an AD1+ ob;ect in an LDAP>
compliant or similar directory. /hese names are called AdsPath strings. +n the follo!ing code example#
AdsPath contains the LDAP providers moni"er and the providers specific path to identify an organizational
unit in the 1ample Domain?
LDAP)665783ales9 DC83ample9 DC8C5M
As an interoperability tool# AD1+ is?
Open > Any directory vendor can implement an AD1+ providerF Microsoft has included an LDAP AD1+
provider.
Diretor# &er0ie 1n/epen/ent > Administrative applications are not bound to a vendorJs directory
service as applications can be developed !ithout understanding of vendor>specific directory AP+s.
*u,tip,e De0e,op$ent L!n)u!)e C!p!2,e > C:M applications can be !ritten in languages such as
Microsoft5 Bisual <asic5# Microsoft Bisual <asic 1cripting =dition $B<1cript%# and C@CKK.
&i$p,e Pro)r!$$in) *o/e, > AD1+ consists of a small# easy>to>learn set of interfaces.
&ript!2,e > Any automation>compatible language can be used to develop directory service applications.
Administrators and developers can use the tools they already "no!.
Funtion!,,# Rih > +1Bs and sophisticated end users can develop serious applications using the same
AD1+ models used for simple scripted administrative applications.
Microsoft5 Active Directory5 LDAP Compliance ,,
Microsoft
9
,indows &erver
:
2003 ,hite Paper
%3ten"i2,e > Directory providers# +1Bs# and end users can extend AD1+ !ith ne! ob;ects and functions
to add value or meet uni*ue needs.
OL% D. A-!re > AD1+ provides an :L= D< interface so that programmers familiar !ith database
programming through :L= D< can use it effectively.
De!elopment 1n!ironments
AD1+ client applications can be !ritten in many languages. 4or most administrative tas"s# AD1+ defines
interfaces and ob;ects accessible from automation>compliant languages li"e Microsoft
5
Bisual <asic
5
#
Microsoft Bisual <asic 1cripting =dition $B<1cript%# Active 1erver Pages $A1P%# and Lava to the more
performance and efficiency>conscious languages such as C and CKK. A good foundation in C:M
programming is useful to the AD1+ programmer.
Acti!e Director" Application Mode
Active Directory Application Mode $ADAM% is a ne! capability of Microsoft Active Directory that addresses
certain deployment scenarios related to directory>enabled applications. ADAM runs as a non>operating
system service and# as such# does not re*uire deployment on a domain controller. 3unning as a non>
operating system service means that multiple instances of ADAM can run concurrently on a single server#
!ith each instance being independently configurable.
)hile the vision of a single enterprise directory is still unfulfilled# ADAM represents a significant brea"through
in directory services technology that separates typical et!or" :perating 1ystem $:1% functionality from a
native LDAP directory.
Director" 3er!ices Mar:up Lan.ua.e
/he Directory 1ervices Mar"up Language $D1ML% provides a means of representing directory structural
information and directory operations as an &ML document. /he intent of D1ML is to allo! &ML>based
enterprise applications to leverage profile and resource information from a directory in their native
environment. D1ML allo!s &ML and directories to !or" together and provides a common ground for all
&ML>based applications to ma"e better use of directories.
D1ML 1ervices for )indo!s extends the po!er of the Active Directory service. <ecause D1ML
1ervices for )indo!s uses open standards such as 7//P# &ML# and 1:AP# a greater level of
interoperability is possible. 4or example# in addition to the already standard Light!eight Directory
Access Protocol $LDAP%# many devices and other platforms have other alternatives to communicate
!ith Active Directory. /his provides a number of "ey benefits for +/ administrators and independent
soft!are vendors $+1Bs%# !ho can no! have even more open>standard choices to access Active
Directory.
D1ML 1ervices for )indo!s supports D1ML version 2 $D1MLv2%. D1MLv2 is a standard approved by
the :rganization for the Advancement of 1tructural +nformation 1tandards $:A1+1% and bac"ed by
many directory services vendors. 1upporting the D1MLv2 specification allo!s better interoperability
!ith other directory services vendors !ho are also supporting this standard. 4or information about the
D1MLv2 specification and schema# see the :A1+1 )eb site.
Microso-t Identit" Inte.ration 3er!er 2%%39 1nterprise 1dition
4or organizations that must support heterogeneous directories# Microsoft +dentity +ntegration 1erver $M++1%
2((0# =nterprise =dition# enables the integration and management of identity information across multiple
repositories# systems# and platforms. Although the administration of these multiple repositories often leads to
time>consuming and redundant efforts# it also causes frustration for users !ho may need to remember
multiple +Ds and pass!ords for varying applications or systems. /he larger the organization# the greater the
potential for multiple repositories and the effort re*uired to "eep them current.
M++1 augments Active Directory by providing broad interoperability capabilities# including integration !ith a
!ide range of identity repositoriesF provisioning and synchronizing identity information across multiple storesF
and bro"ering changes to identity information by automatically detecting updates and sharing the changes
Microsoft5 Active Directory5 LDAP Compliance ,2
Microsoft
9
,indows &erver
:
2003 ,hite Paper
across systems.
Microsoft5 Active Directory5 LDAP Compliance ,0
Microsoft
9
,indows &erver
:
2003 ,hite Paper
Additional &esources
1ee the follo!ing resources for further information?
Li.ht/ei.ht Director" Access Protocol 2ersion 3
/he +=/4 LDAPv0 )or"ing Eroup?
http?@@!!!.ietf.org@html.charters@ldapbis>charter.html
/he LDAPv0 )or"ing Eroup archived ne!sgroup?
http?@@!!!.openldap.org@lists@ietf>ldapbis@
34C 00AA# the current definition of LDAPv0?
ftp?@@ftp.rfc>editor.org@in>notes@rfc00AA.txt
5pen 0roup and the Director" Interoperabilit" (orum
/he :pen Eroups B1LDAP compliance testing suite overvie!?
http?@@!!!.opengroup.org@directory@mats@ldap2(((@dsvsldap.pdf
/he Directory +nteroperability 4orum $D+4%?
http?@@!!!.opengroup.org@directory@
De!elopin. /ith Acti!e Director" 3er!ices Inter-ace
Active Directory 1ervices +nterface developers reference?
http?@@msdn.microsoft.com@library@default.aspMurlN@do!nloads@list@directorysrv.asp
Miscellaneous
/he Microsoft Active Directory )eb site?
http?@@!!!.microsoft.com@ad
Active Directory Application Mode $ADAM%?
http?@@!!!.microsoft.com@!indo!sserver2((0@adam@default.mspx
Directory 1ervices Mar"up Language $D1ML%?
http?@@!!!.microsoft.com@!indo!s2(((@server@evaluation@ne!s@bulletins@dsml.asp
Microsoft +dentity +ntegration 1erver 2((0# =nterprise =dition?
http?@@!!!.microsoft.com@!indo!sserver2((0@technologies@directory@miis@default.mspx
/he Microsoft )indo!s 2((( inet:rgPerson Iit?
http?@@msdn.microsoft.com@library@default.aspMurlN@library@en>us@dnactdir@html@inetop"it.asp
LDAP reference for developers on M1D?
http?@@msdn.microsoft.com@library@default.aspMurlN@library@en>us@netdir@ldap@ldapOreference.asp
LDAP AP+ reference for developers on M1D?
http?@@msdn.microsoft.com@library@default.aspMurlN@library@en>us@!celdap@htm@cmconusingldapapi.asp
4or the latest information about )indo!s 1erver 2((0# see the )indo!s 1erver 2((0 )eb site at
http?@@!!!.microsoft.com@!indo!sserver2((0.
Microsoft5 Active Directory5 LDAP Compliance ,.