tags:

views:

361

answers:

2
+4  Q: 

Is Active Directory Really LDAP-Compliant?

I'm working on a plug-in to one of our products (an RMS) that will allow customers to import employee information stored in their LDAP directory into a corresponding Person record in our application.

Our RMS allows Person records to have multiple names and addresses (it's a public safety system: this feature is for supporting persons with AKA's and multiple known addresses). Because of the nature of the software, we think it would very useful to pull multiple names and addresses from LDAP if the LDAP server supports it.

I was under the impression Active Directory would support this, but it doesn't appear to at all. Looking at RFC 2256, Sections 5.41 and 5.42, for example, it seems obvious that givenName is intended to be a multi-value field (i.e. the syntax doesn't specify SINGLE-VALUE, and RFC 2252 states that "multi-value" is the default). The same goes for cn, sn, streetAddress, and most any other "standard" attribute I bother to look up.

Microsoft's own documentation seems to suggest that they are in compliance with RFC 2256:

Currently, Windows 2000 Active Directory reaches LDAP compliance through support of the following RFCs.

[RFC 2256 is then listed among the various "supported" RFCs, under the heading "Core LDAP Requirements – RFC 3377"]

RFC 3377 states that RFC 2256 is indeed part of a collection of 8 RFC's that together comprise the complete technical specification for LDAPv3.

I'm confused: wouldn't not following the actual proposed syntax for standard attributes such as givenName et al. constitute "non-compliance"?

Also, does anyone have a definitive list of differences between connecting to and querying Active Directory vs. other directory servers (OpenLDAP, eDirectory, etc.)? This is a VB6 application, so I've been using the ADSDSOObject ADODB provider. Initially I thought I could just write the same code for any directory server and have it work as long as I was using standard attributes, but obviously if the same attribute is defined as single-value in some implementations and multi-value in others, I'm going to have to write code to deal with that scenario.

I'm beginning to wonder if this is one reason why so many applications that have "LDAP integration" of some sort typically have a completely separate settings page for "Active Directory", and then the settings for "every other LDAP server that isn't Active Directory"...

+2  A: 

The problem with "compliance" to standards is that it's rare that an entity or piece of software is truly 100% compliant in all possible respects. Instead, in the absence of some guidelines or rules, using the phrase "compliant" generally means that the implementing entity thinks that the software satisfies the meat of the specification.

For example, take CSS Level 2. Most modern browsers today would claim to be "CSS 2 compliant", but it's not the case that every such browser implements 100% of the specification. Nevertheless, users will likely find the rendering experience to be approximately equal for a significant fraction of cases. Thus, compliance tends to be indicated by a combination of:

  • the implementer's claims (e.g., Mozilla issuing a statement saying that Firefox 3.5 is CSS 2 compliant)
  • a third-party test (e.g. the Acid tests)

It's much the same way here with AD and LDAP "compliance". The document you linked alludes to the absence of any compliance or conformance directives, and so Microsoft here has taken a (reasonable, IMO) position that "vendor declarations combined with third-party testing suites are the most suitable alternatives". Essentially, this means that if Exchange and other entities claiming LDAP compliance pass tests which measure compliance with the standard, then effectively they are compliant.

John Feminella  2010-01-20 05:24:51
I see your point, and CSS and web browsers in general are definitely a good example of a similar problem. I guess I'm a bit confused at how this design decision even came about in AD: you have to explicitly define an attribute to be "single-valued" when you define the schema; the default is "multi-valued", and very few attributes are actually defined as SINGLE-VALUE in the LDAP specification. I'm not saying Microsoft did this intentionally or with malicious intent, but it seems like they would have to have had put extra "effort" into doing it the "wrong" way. Just odd, and a bit annoying...
Mike Spross  2010-01-20 05:35:46
Constrast that with the fact that the other big players in the LDAP market seem to do things the correct way, or at least implement the specification more accurately than Microsoft does. It reminds of the "This page is best viewed with Internet Explorer" days.
Mike Spross  2010-01-20 05:40:19
A: 

Unfortunatly, Active Directory breaks many LDAP things, and 'singlevalueness' is only one of them.

I'm beginning to wonder if this is one reason why so many applications that have "LDAP integration" of some sort typically have a completely separate settings page for "Active Directory"...

Absolutely.

does anyone have a definitive list of differences between connecting to and querying Active Directory vs. other directory servers (OpenLDAP, eDirectory, etc.)?

I haven't seen one. But, Active Directory schema is well documented at MSDN so you can always check the difference.

Kirill Kovalenko  2010-02-03 12:35:27

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?