Active Directory LDAP 符合性.docx

Active Directory LDAP 符合性.docx

《Active Directory LDAP 符合性.docx》由会员分享，可在线阅读，更多相关《Active Directory LDAP 符合性.docx（21页珍藏版）》请在冰豆网上搜索。

ActiveDirectoryLDAP符合性

ActiveDirectoryLDAPCompliance

MicrosoftCorporation

Published:

October2003

Abstract1

Directoriesarepublicorprivatestorescontainingessentialidentifyinginformationtypicallyusedindailyenterpriseactivities.Manyapplicationproviderscapitalizeondirectoriesofferingintegrationintoexistingdirectoriestoextendtheirapplication’sfunctionality.Networkoperatingsystemsalsohousevitalnetworkinformation,suchasusersandcomputers,withindirectories.

LightweightDirectoryAccessProtocol（LDAP）isadirectorystandardfoundedonthelegacyX.500directory.LDAP’sinitialimplementationsprovidedgatewayservicesbetweenX.500directoryserversandclients.WhileLDAPwasinitiallycreatedtomeetthisrequirement,itbecameclearthatapartingfromthecumbersomeX.500directorystandardwasneededtosimplifydeployments.In1994,LDAPwastransformedintoadirectoryspecificationwithitsowndatabaseandstructuringconventions.

ThispaperdiscussestheoriginsofLDAPwithinMicrosoftproductsand,specifically,theimplementationof,andconformanceto,theLDAPv3ProposedStandardwithinMicrosoftWindows2000ServerandMicrosoftWindowsServer2003.IncludedforreferencearematrixesdetailingsupportedRFCs.

TheinformationcontainedinthisdocumentrepresentsthecurrentviewofMicrosoftCorporationontheissuesdiscussedasofthedateofpublication.BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationpresentedafterthedateofpublication.

Thisdocumentisforinformationalpurposesonly.MICROSOFTMAKESNOWARRANTIES,EXPRESSORIMPLIED,ASTOTHEINFORMATIONINTHISDOCUMENT.

Complyingwithallapplicablecopyrightlawsistheresponsibilityoftheuser.Withoutlimitingtherightsundercopyright,nopartofthisdocumentmaybereproduced,storedinorintroducedintoaretrievalsystem,ortransmittedinanyformorbyanymeans（electronic,mechanical,photocopying,recording,orotherwise）,orforanypurpose,withouttheexpresswrittenpermissionofMicrosoftCorporation.

Microsoftmayhavepatents,patentapplications,trademarks,copyrights,orotherintellectualpropertyrightscoveringsubjectmatterinthisdocument.ExceptasexpresslyprovidedinanywrittenlicenseagreementfromMicrosoft,thefurnishingofthisdocumentdoesnotgiveyouanylicensetothesepatents,trademarks,copyrights,orotherintellectualproperty.

©2003MicrosoftCorporation.Allrightsreserved.

Microsoft,ActiveDirectory,VisualBasic,Windows,andWindowsServerareeitherregisteredtrademarksortrademarksofMicrosoftCorporationintheUnitedStatesand/orothercountries.

Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.

Contents

Introduction2

DirectoryFoundation:

X.5002

X.500:

TheNeedforaLightweightAlternative2

WhatIsLDAP?

3

LDAP:

FirstGeneration3

EnhancementswithVersion23

TheCurrentStateofLDAP3

WhatDoesItMeantoBeLDAPCompliant?

5

AchievingCompliance:

IETFApplicabilityStatement5

AchievingCompliance:

Third-PartyTestSuites5

TheOpenGroupLDAPCertifications5

SettinganLDAPComplianceBaseline6

ActiveDirectory’sLDAPCompliance8

Windows2000Server8

WindowsServer20038

ComplianceMisconceptions10

inetOrgPerson10

NativeLDAPCalls10

DirectoryInteroperability11

LDAPAPI11

ActiveDirectoryServicesInterface11

DevelopmentEnvironments12

ActiveDirectoryApplicationMode12

DirectoryServicesMarkupLanguage12

MicrosoftIdentityIntegrationServer2003,EnterpriseEdition12

AdditionalResources14

LightweightDirectoryAccessProtocolVersion314

OpenGroupandtheDirectoryInteroperabilityForum14

DevelopingwithActiveDirectoryServicesInterface14

Miscellaneous14

Introduction

Directories—publicorprivateresourcelistscontainingnames,locations,andotheridentifyinginformation—areessentialtoolsoftentakenforgrantedinourdailyactivities.Typicallythesedirectoriesprovideinformationaboutpeople,places,ororganizationsaspartofanoverallsolution.Forexample,atelephoneisvirtuallyuselesswithoutadirectorytocorrespondnameswithtelephonenumbers.Historically,mostdirectorieswereonlyavailableinprintedform.

Asthecomputerrevolutionforgedahead,printeddirectoriesgavewaytoanelectroniccounterpart.Manyapplicationproviderscapitalizedonthedirectoryconceptofferingproprietaryversionsthatextendedtheirapplication’sfunctionality.Networkoperatingsystemsalsoprovideddirectories,typicallyhousinguseranddeviceinformation.Unfortunately,thesefirstgenerationdirectorieswereoftendevelopedwithlittleornoconcernforinteroperability.Isolatedandspecificinfunction,theyperformedadmirably.However,itwasobviousdirectoriesneededtointeractwithinalargernetworkecosystem.ThisideagrewintothedefinitionoftheX.500standard.

DirectoryFoundation:

X.500

In1988,theInternationalOrganizationforStandardization（ISO）andtheInternationalTelecommunicationsUnion（ITU）introducedtheX.500standard.X.500definestheprotocolsandtheinformationmodelforanapplicationandnetworkplatformagnosticdirectoryservice.Asadistributeddirectorybasedonhierarchicallynamedinformationobjects,X.500specificationscharacterizedadirectorythatusersandapplicationscouldbrowseorsearch.

TheX.500paradigmincludesoneormoreDirectorySystemAgents（DSAs）—directoryservers—witheachholdingaportionoftheDirectoryInformationBase（DIB）.TheDIBcontainsnamedinformationobjectsassembledinatreestructure—definedbyaDirectoryInformationTree（DIT）—witheachentryhavinganassociatedsetofattributes.Everyattributehasapre-definedtypeandoneormoreassociatedvalues.Objectclasses,containingmandatoryandoptionalattributes,aredefinedwithinadirectoryschema.EnduserscommunicatewithanX.500DSAusingtheDirectoryAccessProtocol（DAP）whiletheDirectorySystemProtocol（DSP）controlsinteractionbetweentwoormoreDSAs.

X.500:

TheNeedforaLightweightAlternative

Understandingtheneedforastreamlineddirectorystandard,severalimplementersproposedalightweightalternativeforconnectingtoX.500directories.Ultimately,thefirstiterationofLDAPgainedtractionasasimplealternativetotheX.500DirectoryUserAgent（DUA）.ThenewLDAPdefinition:

∙Simplifiedprotocolencoding

∙Usedtextencodingfornamesandattributes

∙MappeddirectlyontotheTCP/IPstack

∙SuppliedasimpleApplicationProgrammingInterface（API）

WhatIsLDAP?

OrganizeddevelopmentofLDAPoccurredonseveralfronts.However,themostnotablework,andthefirstfreelyavailableimplementation,wascompletedbytheUniversityofMichiganin1993.TheUniversityfocusedeffortsondevelopingasimplerTCP/IPversionofX.500’sDAP.DAPwasconsideredcumbersomeasitpushedmuchofitsworkloadtotheclient.

AlthoughLDAPiswellrootedasasimplifiedcomponentoftheX.500directory,ithasbecomethedefactodirectoryprotocolontheInternettoday.

LDAP:

FirstGeneration

LDAP’sinitialimplementationsprovidedgatewayservicesbetweenX.500directoryserversandclients.TheclientscommunicatedwithanLDAPgatewaythroughLDAP-enabledsoftware.Inturn,thegatewayhandledtransactions—onbehalfoftheclient—withtheX.500DSA.ThismodelpromoteddirectoryinteroperabilityallowingapplicationproviderstoeasilydevelopclientsoftwarecapableofcommunicatingwithanLDAPgatewayservice,regardlessofthebackendplatform.WhileLDAPwasinitiallycreatedtomeetthisrequirement,itbecameclearthatapartingfromX.500wasneededtosimplifydeployments.In1994,LDAPwastransformedintoadirectoryspecificationwithitsowndatabaseandstructuringconventions.

Oncetransformed,theLDAPspecificationsreflectedatrueclient-servermodelwithclientsmakingrequestsdirectlytoserversforinformationoroperations.Oneormoredirectoryserversmayeitherperformtheoperationorrefertheclienttoanotherdirectoryserverthatmaybeabletoprovidetherequestedinformation,orperformtherequestedoperation.TheLDAPclientwillseethesameviewofthedirectorynomatterwhichserveriscontacted.Ifnecessary,theLDAPservercanauthenticatetheclienttotheoperatingsysteminuse.Oncereceived,theLDAPserverwillconvertarequestintoanappropriateformatfortheaccesseddirectory.ForX.500directories,theLDAPserverwouldconverttheLDAPrequestintoaDAPrequest.

EnhancementswithVersion2

AsinterestinLDAPincreased,severalnewdevelopmentsextendeditscorefunctionalitywhilestreamliningitsfootprint.In1995,RequestforComment（RFC）1777wasintroducedforLDAPVersion2.RFC1777eliminatedmanyoftheimpracticablecomponentsofX.500thatwerecentraltotheoriginalLDAPspecifications.Furthermore,networkconnectivitywaschangedfromtheX.500OpenStandardsIntercommunication（OSI）modeltotheTCP/IPmodel.

LDAPv2isofficiallydefinedbythefollowingRFCs:

∙RFC1777–LightweightDirectoryAccessProtocol（v2）

∙RFC1778–TheStringRepresentationofStandardAttributeSyntaxes

∙RFC1779–AStringRepresentationofDistinguishedNames

TheCurrentStateofLDAP

DevelopedbytheInternetEngineeringTaskForce（IETF）in1997,thecurrentLDAPv3implementationisarenovationofLDAPv2,whichprimarilytacklesdeploymentlimitationsidentifiedwithinthepreviousversion.LDAPv3alsoenrichescompatibilitywithX.500alongwithenhancedintegrationwithnon-X.500directories.LDAPv3encompassesLDAPv2withinanewsetofRFCs.

LDAPv