|
|
n Active Directory, directory clients use Lightweight Directory Access Protocol (LDAP) to perform searches against the directory. LDAP is defined by Request for Comments (RFC) 3377, “Lightweight Directory Access Protocol (v3): Technical Specification.” LDAP is a standards-based protocol that makes it possible for users to query and update information in an LDAP-based directory service, such as Active Directory. To perform Active Directory searches, LDAP-compliant directory clients compose a search query using LDAP syntax and then submit the query to Active Directory for processing.
|
|
|
|
|
Active Directory Searches Architecture
The architecture for Active Directory searches includes both client and server components. On the client side, a directory client application constructs LDAP requests to be sent to Active Directory. These requests can be one of several types, including connect, bind (authentication), modify, and unbind. Depending on how a directory client application is written, one of three different application programming interfaces (APIs) is used to submit requests. The LDAP requests are received and processed by the Directory System Agent (DSA), which is represented by Ntdsa.dll on a domain controller. Ntdsa.dll runs as a part of the local security authority (LSA), which runs as Lsass.exe. The architecture for Active Directory searches is shown in the following figure.
The components of the architecture for Active Directory searches are described in the following table.
| Component |
Description |
|
Directory client application
|
Any application that is used to send LDAP messages to an LDAP directory service
|
|
LDAP APIs
|
Interfaces through which a directory client application can submit an LDAP request. For directory clients running a Windows operating system, one of three LDAP APIs can be used.
|
|
DSA (Ntdsa.dll)
|
The DSA, which runs on each domain controller, accepts LDAP requests through its LDAP protocol head and issues LDAP responses based on those requests.
|
|
LDAP protocol head
|
The LDAP interface on the DSA through which LDAP requests are accepted
|
|
LDAP request
|
A message that is constructed with LDAP syntax and sent by a directory client application to an LDAP directory service, such as Active Directory
|
|
LDAP response
|
A message that is constructed with LDAP syntax and sent by an LDAP directory service, such as Active Directory, to a directory client application
|
|
|
Active Directory Searches Protocols
LDAP is the standards-based protocol that directory client applications use to submit LDAP directory requests (for example, bind, search, modify, and unbind) to Active Directory. Active Directory supports both LDAP v2, which is defined in RFC 1777, “Lightweight Directory Access Protocol,” and LDAP v3, which is defined in RFC 3377.
LDAP is designed to be connection oriented, and it uses Transmission Control Protocol (TCP) as its transport layer protocol. LDAP uses Internet Protocol (IP) as its network layer protocol. The Secure Sockets Layer (SSL) protocol can be used for encrypting LDAP communications.
The protocols that are used by Active Directory searches — and their relationship to the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) 7-layered network protocol model — are shown in the following figure.
The following table describes the protocols that are used in Active Directory searches.
| Component |
Description |
|
LDAP
|
A standards-based protocol that is used for communication between directory clients and a directory service. LDAP is the primary directory access protocol for Active Directory.
|
|
SSL
|
A standards-based protocol for encrypting private communications on the Internet. When a Certificate Services infrastructure is in place (that is, when you have installed a certification authority (CA)), specifying server port 636 in an LDAP bind call results in an attempt to establish an SSL session. The CA serves as the security authority for the secure channel (Schannel) authentication protocol, which includes SSL. For this reason, some form of certificate services must be in place to use LDAP over SSL.
|
|
TCP
|
The connection-oriented session protocol on which LDAP runs
|
|
IP
|
A routable protocol that is responsible for the addressing, routing, and fragmenting of packets by the sending node. IP is required for Active Directory replication.
|
|
|
Active Directory Searches Interfaces
On computers running a Windows operating system, directory client applications can use one of three different LDAP APIs. As shown in the following figure, all LDAP requests from a directory client application ultimately go through the native LDAP C API, which runs as Wldap32.dll.
The following table describes the Windows LDAP APIs that are available for Active Directory searches.
| API |
Description |
|
System.DirectoryServices
(ADSI for .NET Framework)
|
A namespace in the Microsoft .NET Framework that provides simple programming access to LDAP directories, such as Active Directory. This API requires the Microsoft .NET Framework to be installed.
|
|
Active Directory Service Interfaces (ADSI) (Ads*.dll)
|
A set of Component Object Model (COM) interfaces that abstracts the capabilities of directory services from different network providers (such as LDAP) in a distributed computing environment to present a single set of directory service interfaces for managing network resources.
|
|
Native LDAP API (Wldap32.dll)
|
Provides functions that enable directory client applications to search for and retrieve information from an LDAP directory service, as well as functions for modifying directory entries where such modifications are permitted. There are also functions that provide access control for servers by allowing clients to authenticate themselves.
|
|
|