Active Directory Interoperability

From Glitchdata


Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) is the industry standard for directory access. LDAP is on the Internet Engineering Task Force (IETF) track for becoming an Internet standard.

Active Directory and LDAP

LDAP is the primary directory access protocol used to add, modify, and delete information stored in Active Directory, as well as to query and retrieve data from Active Directory. The Windows 2000 operating system supports LDAP versions 2 and 3. LDAP defines how a directory client can access a directory server, how the client can perform directory operations, and how directory data is shared. That is, Active Directory clients must use LDAP to obtain information from Active Directory or to maintain information in Active Directory.

Active Directory uses LDAP to enable interoperability with other LDAP-compatible client applications. Given the appropriate permission, you can use any LDAP-compatible client application to browse, query, add, modify, or delete information in Active Directory.

Application Programming Interfaces

You can use the following application programming interfaces (APIs) to access information in Active Directory:

  • Active Directory Service Interface (ADSI).
  • LDAP C API.

Active Directory Service Interface

Active Directory Service Interface (ADSI) enables access to Active Directory by exposing objects stored in the directory as Component Object Model (COM) objects. A directory object is manipulated using the methods available on one or more COM interfaces. ADSI has a provider-based architecture that allows COM access to different types of directories for which a provider exists.

Currently, Microsoft supplies ADSI providers for Novell NetWare Directory Services (NDS) and NetWare 3, Windows NT, LDAP, and the Internet Information Services (IIS) metabase. (The IIS metabase is the IIS configuration settings.) The LDAP provider can be used with any LDAP directory, including Active Directory, Microsoft Exchange 5.5, or Netscape.

You can use ADSI from many tools, ranging from Microsoft Office applications to C/C++. ADSI supports extensibility so that you can add functionality to an ADSI object to support new properties and methods. For example, you can add a method to the user object that creates an Exchange mailbox for a user when the method is invoked. ADSI has a very simple programming model. It abstracts the data management overhead that is characteristic of non-COM interfaces, such as LDAP C APIs. Because ADSI is fully scriptable, it is easy to develop rich Web applications. ADSI supports ActiveX® Data Objects (ADO) and object linking and embedding database (OLE DB) for querying.

Developers and administrators can add objects and attributes to Active Directory by creating scripts based on ADSI (as well as scripts based on LDIFDE, covered later in this document).

LDAP C API

The LDAP C API, defined in Internet standard RFC 1823, is a set of low-level C-language APIs to the LDAP protocol. Microsoft supports LDAP C APIs on all Windows platforms.

Developers have the choice of writing Active Directory-enabled applications using LDAP C APIs or ADSI. LDAP C APIs are most often used to ease portability of directory-enabled applications to the Windows platform. On the other hand, ADSI is a more powerful interface and is more appropriate for developers writing directory-enabled code on the Windows platform.

Synchronizing Active Directory with Other Directory Services

Microsoft provides directory synchronization services that let you synchronize Active Directory information with Microsoft Exchange 5.5, Novell NDS and NetWare, Lotus Notes, and GroupWise. In addition, command-line utilities let you import and export directory information from other directory services.

Active Directory and Microsoft Exchange

The Windows 2000 operating system contains a service called the Active Directory Connector that offers bi-directional synchronization with Microsoft Exchange 5.5. Active Directory Connector provides a rich mapping of objects and attributes when it synchronizes the data between the two directories. For more about Active Directory Connector, see the section "For More Information" at the end of this paper.

Active Directory and Novell NDS and NetWare

As part of Services for NetWare 5.0, Microsoft intends to ship a directory synchronization service that performs bi-directional synchronization with Novell NDS and NetWare.

Active Directory and Lotus Notes

As part of Microsoft Exchange 2000 Server, previously code-named "Platinum", Microsoft intends to ship a directory synchronization service that performs bi-directional synchronization with Lotus Notes for purposes of synchronizing e-mail and other common attributes.

Active Directory and GroupWise

As part of Microsoft Exchange 2000 Server, previously code-named "Platinum", Microsoft intends to ship a directory synchronization service that performs bi-directional synchronization with GroupWise for purposes of synchronizing e-mail and other common attributes.

Active Directory and LDIFDE

The Windows 2000 operating system provides the command-line utility LDIFDE to support importing and exporting of directory information. LDAP Data Interchange Format (LDIF) is an industry-standard file format, defined in an IETF Internet Draft, for exchanging directory information; LDIFDE is the Windows 2000-based utility that imports to and exports from the directory using LDIF. LDIFDE lets you export Active Directory information in LDIF format so that it can later be imported into some other directory. You can also use LDIFDE to import directory information from some other directory.

You can use LDIFDE to perform batch operations, such as add, delete, rename, or modify. You can also populate Active Directory with information obtained from other sources, such as other directory services. In addition, because the schema in Active Directory is stored inside the directory itself, you can use LDIFDE to back up or extend the schema. For a list of LDIFDE parameters and what they do, see Windows 2000 Help. For information about how to use LDIFDE for batch operations with Active Directory, see the section "For More Information" at the end of this document.
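As an added example (not part of the original page and not LDIFDE's own code), a small Python parser for the LDIF change records that LDIFDE imports and exports. It handles comments, folded continuation lines, base64-encoded (`::`) values and the add/modify/delete changetypes, and counts records per changetype so an import file can be reviewed before it is applied; the sample records are constructed.

```python
import base64

# Constructed sample LDIF change records (not from the original page):
# an add with a folded line, a modify with a base64 value, and a delete.
SAMPLE_LDIF = """\
# comment line, ignored by the parser
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: jdoe
description: A long description that is folded
  across two physical lines
userAccountControl: 512

dn: CN=Jane Doe,OU=Users,DC=example,DC=com
changetype: modify
replace: displayName
displayName:: SmFuZSBEb2U=
-

dn: CN=Old Account,OU=Users,DC=example,DC=com
changetype: delete
"""

def unfold(text):
    """Drop comment lines and join continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return one dict per record: dn, changetype (default add) and an
    ordered list of (attribute, value) pairs; '::' values are base64."""
    records = []
    for block in "\n".join(unfold(text)).split("\n\n"):
        rec = {"dn": None, "changetype": "add", "attrs": []}
        for line in block.splitlines():
            if not line or line == "-":      # blank line or modify separator
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):        # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name == "dn":
                rec["dn"] = value
            elif name == "changetype":
                rec["changetype"] = value
            else:
                rec["attrs"].append((name, value))
        if rec["dn"]:
            records.append(rec)
    return records

def summarize(records):
    """Count records per changetype: a quick pre-import sanity check."""
    counts = {}
    for rec in records:
        counts[rec["changetype"]] = counts.get(rec["changetype"], 0) + 1
    return counts
```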