Is Active Directory compatible with LDAP?

I am working on a plug-in for one of our products (RMS), which will allow customers to import employee information stored in their LDAP directory into the corresponding Person entry in our application.

Our RMS allows personal records to have several names and addresses (this is a public safety system: this function is designed to support individuals with AKA and several known addresses). Due to the nature of the software, we find it very useful to pull a few names and addresses from LDAP if the LDAP server supports it.

I was under the impression that Active Directory would support this, but it didn't look like it at all. For example, looking at RFC 2256, sections 5.41 and 5.42, it seems obvious that givenName is meant to be a multi-valued field (i.e., the syntax does not specify SINGLE-VALUE, and RFC 2252 states that "multi-valued" is the default). The same goes for cn, sn, streetAddress and most of the other "standard" attributes that I am looking to search.

Microsoft's own documentation seems to suggest that they comply with RFC 2256:

Windows 2000 Active Directory is currently achieving LDAP compliance through support for the following RFCs.

[RFC 2256 is then listed among the various "supported" RFCs, under the heading "Basic LDAP Requirements - RFC 3377"]

RFC 3377 claims that RFC 2256 is indeed part of a collection of 8 RFCs that together make up the complete technical specification for LDAPv3.

I am confused: wouldn't failing to follow the actual proposed syntax for standard attributes such as givenName et al. constitute "non-compliance"?

Also, does anyone have a definitive list of differences between connecting to and querying Active Directory and other directory servers (OpenLDAP, eDirectory, etc.)? This is a VB6 application, so I used the ADSDSOObject ADODB provider. Initially, I thought that I could just write the same code for any directory server and have it work as long as I use the standard attributes, but, obviously, if the same attribute is defined as single-valued in some implementations and multi-valued in others, I will have to write code to handle this case.

I'm starting to wonder if this is one of the reasons why so many applications that have "LDAP integration" tend to have a completely separate settings page for "Active Directory" and then the settings for "every other LDAP server that is not Active Directory"...

+6
active-directory ldap
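The single-valued versus multi-valued question above can be settled per server rather than per vendor: every LDAPv3 server publishes its attribute definitions in RFC 2252 syntax under its subschemaSubentry, and the SINGLE-VALUE keyword is the only thing that distinguishes the two cases. The following is an added example, not code from the question or from the RMS product, and it is written in Python rather than the VB6/ADSDSOObject code the question uses. The schema strings in it are constructed for illustration (only the OIDs and names of cn, sn, givenName and street follow RFC 2256); a real plug-in would read the attributeTypes values from the server.

```python
import re

# Minimal parser for RFC 2252 attributeTypes values as published in a server's
# subschemaSubentry.  Only the OID, NAME list and SINGLE-VALUE flag are read.
_ATTR_RE = re.compile(
    r"^\(\s*(?P<oid>[\w.:-]+)"
    r"(?:\s+NAME\s+(?P<name>'[^']*'|\(\s*(?:'[^']*'\s*)+\)))?"
    r"(?P<rest>.*?)\)\s*$", re.S)

def parse_attribute_type(desc):
    """Parse one attributeTypes value into {oid, names, single_valued}."""
    m = _ATTR_RE.match(desc.strip())
    if not m:
        raise ValueError("not an attribute type description: %r" % desc)
    names = re.findall(r"'([^']*)'", m.group("name") or "")
    # RFC 2252: an attribute is multi-valued unless SINGLE-VALUE is present.
    single = re.search(r"\bSINGLE-VALUE\b", m.group("rest")) is not None
    return {"oid": m.group("oid"), "names": names, "single_valued": single}

def valuedness(schema_values, wanted):
    """Map each wanted attribute name (case-insensitive, as LDAP names are) to
    True if the schema declares it SINGLE-VALUE, False if multi-valued,
    None if the server does not define it at all."""
    by_name = {}
    for desc in schema_values:
        info = parse_attribute_type(desc)
        for n in info["names"]:
            by_name[n.lower()] = info["single_valued"]
    return {w: by_name.get(w.lower()) for w in wanted}

def as_list(value):
    """Normalise a fetched attribute value: client libraries (ADO included)
    hand back a bare scalar for single-valued attributes and a sequence
    otherwise, so the import code should always work on a list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]

# Constructed sample schemas (not copied from any real server).
# First: RFC 2256-style definitions, no SINGLE-VALUE, hence multi-valued.
RFC2256_LIKE = [
    "( 2.5.4.3 NAME 'cn' SUP name )",
    "( 2.5.4.42 NAME 'givenName' SUP name )",
]
# Second: a server that marks the same attributes SINGLE-VALUE.
SINGLE_VALUED_LIKE = [
    "( 2.5.4.3 NAME 'cn' SUP name SINGLE-VALUE )",
    "( 2.5.4.42 NAME 'givenName' SUP name SINGLE-VALUE )",
    "( 2.5.4.9 NAME ( 'street' 'streetAddress' ) SUP name SINGLE-VALUE )",
]
```

Running valuedness() against the live schema at connect time lets one code path serve both kinds of directory: where an attribute comes back single-valued, only the first of the person's names or addresses can be read from it, and the plug-in can report that instead of silently importing one.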
2 answers

The problem with "adhering" to the standards is that it rarely happens that a piece of software really conforms 100% in all possible respects. Instead, in the absence of certain rules or regulations, the use of the phrase "compatible" usually means that the implementing entity considers the software to meet the meat of the specification.

For example, take CSS level 2. Most modern browsers today claim that they are "CSS 2 compatible," but that does not mean that each such browser implements 100% of the specification. However, users are more likely to find that the rendering will be roughly equal for a significant portion of the cases. Thus, compliance is usually indicated by a combination of:

  • the developer's claims (for example, Mozilla releases a statement that Firefox 3.5 is compatible with CSS 2)
  • third-party test (e.g. acid tests)

This is very similar to AD and LDAP "compliance". The document you pointed out refers to the absence of any compliance or conformance directives, and therefore Microsoft has taken the (reasonable, IMO) position that "vendor claims combined with third-party test suites are the most suitable alternatives." In essence, this means that if Exchange and other entities that require LDAP compliance pass tests that measure compliance with the standard, then they effectively meet the requirements.

+2

Unfortunately, Active Directory breaks a lot of LDAP stuff, and "single-valuedness" is just one of them.

I'm starting to wonder if this is one of the reasons why so many applications that have “LDAP integration” tend to have a completely separate settings page for “Active Directory” ...

That's right.

Does anyone have a definitive list of differences between connecting to and querying Active Directory and other directory servers (OpenLDAP, eDirectory, etc.)?

I have not seen one. But the Active Directory schema is well documented on MSDN, so you can always check the differences.

+2