Lightweight Directory Access Protocol (LDAP) is the standards-based protocol that directory client applications use to submit LDAP directory requests (for example, bind, search, modify, and unbind) to Active Directory Lightweight Directory Services (AD LDS). AD LDS supports both LDAP v2, which is defined in RFC 1777, “Lightweight Directory Access Protocol,” and LDAP v3, which is defined in RFC 3377. LDAP is designed to be connection-oriented, and it uses Transmission Control Protocol (TCP) as its transport layer protocol. LDAP uses Internet Protocol (IP) as its network layer protocol. The Secure Sockets Layer (SSL) protocol can be used for encrypting LDAP communications.
To understand how Active Directory searches work, it is important to understand the LDAP standard. Active Directory structure is based on LDAP v3 requirements, which are defined in a series of Internet Engineering Task Force (IETF) RFCs, as summarized in RFC 3377.
LDAP features and functionality are described in four models:
- The information model, or schema, which describes the structure of information in a directory information tree
- The naming model, which describes how information is organized and referenced
- The functional model, which describes what can be done with the information
- The security model, which describes how information is protected in the directory information tree
Standardization of LDAP behavior through these models makes LDAP the preferred access protocol for all directory services.
Differences Between LDAP v2 and LDAP v3
Two versions of the LDAP specification exist: LDAP v2 and LDAP v3. LDAP v3 includes the following features that are not supported in LDAP v2:
- The use of UCS Transformation Format 8 (UTF-8) for all text string attributes, to support extended character sets. Active Directory sends all responses in UTF-8-encoded form.
- Operational attributes that the directory maintains for its own use, for example, to log the date and time when another attribute is modified.
- Referrals, which enable a server to direct a client to another server. An LDAP server can return a referral to an LDAP client when the operation that is presented by the client cannot be serviced locally but the LDAP server has information about other LDAP servers that can handle the operation.
- Schema publishing with the directory, so that a client can discover what object classes and attributes a server supports.
- Extended search operations that facilitate paging and sorting of results and client-defined searching and sorting controls.
- Stronger security through the Simple Authentication and Security Layer (SASL) authentication mechanism.
- Extended operations, which provide additional functionality without changing the protocol version.
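As an added example (not code from the original article or from AD LDS), the following Python hand-encodes two LDAP v3 messages in BER with only the standard library: a simple bind, and a search that carries the paged-results control mentioned in the list above. The DN, password, attribute names and the control OID 1.2.840.113556.1.4.319 are constructed or assumed values not stated on this page; the bind shows why the article points to SSL (or SASL) for protecting the connection, since a simple bind places the password in the TCP stream as a plain octet string.

```python
# Added example, not from the original article: hand-built BER encodings of two
# LDAP v3 messages (RFC 4511 layout). DN, password, attribute names and the
# paged-results control OID are constructed/assumed values for illustration.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # assumed: paged-results control (RFC 2696)

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|count, bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def integer(v):
    """0x02 INTEGER with minimal two's-complement content."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def octets(s):
    """0x04 OCTET STRING; LDAP v3 text strings are UTF-8 on the wire."""
    return tlv(0x04, s.encode("utf-8") if isinstance(s, str) else s)

def ldap_message(msg_id, op, controls=b""):
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp, controls [0] OPTIONAL }."""
    return tlv(0x30, integer(msg_id) + op + controls)

def bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password.
    The password travels as a plain OCTET STRING, so without SSL/TLS (or a SASL
    mechanism) anyone on the TCP path can read it."""
    simple = tlv(0x80, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(0x60, integer(3) + octets(dn) + simple))

def paged_search_request(msg_id, base, page_size, cookie=b""):
    """SearchRequest [APPLICATION 3] for (objectClass=*) under `base`, returning cn,
    with the paged-results control attached (cookie=b"" asks for the first page)."""
    op = tlv(0x63,
             octets(base)
             + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00")       # scope wholeSubtree, neverDerefAliases
             + integer(0) + integer(0) + tlv(0x01, b"\x00")  # sizeLimit, timeLimit, typesOnly
             + tlv(0x87, b"objectClass")                     # present filter: (objectClass=*)
             + tlv(0x30, octets("cn")))                      # attributes requested
    value = tlv(0x30, integer(page_size) + octets(cookie))  # realSearchControlValue
    control = tlv(0x30, octets(PAGED_RESULTS_OID) + tlv(0x01, b"\xff") + octets(value))
    return ldap_message(msg_id, op, tlv(0xA0, control))  # controls [0]

if __name__ == "__main__":
    msg = bind_request(1, "cn=svc,dc=example,dc=com", "S3cret!")
    print(msg.hex(), b"S3cret!" in msg)  # the password is readable in the raw bytes
```

Feeding the resulting bytes to a packet decoder (or comparing them with a capture of a real client) shows the same structure a directory server parses; the last assertion-style check in `__main__` is the point a defender cares about.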