www.microsoft.com/technet/archive/winntas/plan/ldapcmr.mspx
The Security Model
LDAP version 2 defines an authentication model based on clear text passwords or Kerberos V4.1. LDAP version 3 defines an extensible model based on the Simple Authentication and Security Layer (SASL). SASL uses a layered architecture for using different security providers. The Generic Security Service Application Program Interface (GSSAPI) is used as one of SASL's principal providers. GSSAPI is a security interface which defines a common interoperable security system for the Internet. LDAP version 3 defines the packet formats of the SASL requests and responses between the LDAP client and server. It supports both security authentication and encryption using different SASL and GSSAPI mechanisms.
In addition to SASL, LDAP version 3 also supports secure connections using the Secure Sockets Layer (SSL) protocol. LDAP SSL connections use port 636, whereas connections using SASL authentication and encryption use port 389.
The Topological Model
A major part of LDAP is that you can build a global directory structure using it. It is essentially a directory Web in much the same way that HTTP and HTML are used to define and implement the global hypertext Web. One or more LDAP servers together make up the directory tree. An LDAP client connects to an LDAP server and makes a request. If the information is not available locally, the server attempts to connect to another LDAP server that can fulfill the request. LDAP uses this referral capability to implement a global directory structure of independent LDAP servers that appear to a client to be a single LDAP server.
LDAP C-Binding API
RFC 1823 specifies the C-binding APIs for a client to access a Directory Service that supports the LDAP protocol. This API set is extremely simple and supports both synchronous and asynchronous calls to the server.
An application generally uses the LDAP API in four simple steps.
• Open a connection to an LDAP server. The ldap_open() call returns a handle to the connection, allowing multiple connections to be open at once.
• Authenticate to the LDAP server and/or the X.500 DSA. The ldap_bind() call and friends support a variety of authentication methods.
• Perform some LDAP operations and obtain some results. ldap_search() and friends return results which can be parsed by ldap_result2error(), ldap_first_entry(), ldap_next_entry(), and so forth.
• Close the connection. The ldap_unbind() call closes the connection.
Operations can be performed either synchronously or asynchronously. Synchronous calls end in _s. For example, a synchronous search can be completed by calling ldap_search_s(). An asynchronous search can be initiated by calling ldap_search(). All synchronous routines return an indication of the outcome of the operation (for example, the constant LDAP_SUCCESS or some other error code). The asynchronous routines return the message ID of the operation initiated. This ID can be used in subsequent calls to ldap_result() to obtain the result(s) of the operation. An asynchronous operation can be abandoned by calling ldap_abandon().
Here is a list of the LDAP API calls:
ldap_open: Opens a connection to an LDAP server.
ldap_bind: This API and its friends are used to authenticate to the directory.
ldap_unbind: This is used to unbind from the directory and close the connection.
ldap_search: This API and friends are used to search the LDAP directory.
ldap_modify, ldap_modify_s: These routines are used to modify an existing LDAP entry.
ldap_modrdn, ldap_modrdn_s: These routines are used to change the name of an LDAP entry.
ldap_add, ldap_add_s: These are used to add entries to the LDAP directory.
ldap_delete, ldap_delete_s: These are used to delete entries from the LDAP directory.
ldap_abandon: This is used to abandon an operation in progress.
ldap_result: This is used to obtain the result of a previous asynchronously initiated operation.
ldap_result2error, ldap_err2string and ldap_perror: These APIs are used to interpret errors returned by other APIs.
ldap_first_entry, ldap_next_entry: These routines are used to step through a set of entries in a search result.
ldap_count_entries: This is used to count the number of entries returned.
ldap_first_attribute and ldap_next_attribute: These APIs are used to step through the list of attribute types returned with an entry.
ldap_get_values and ldap_get_values_len: These APIs are used to retrieve the values of a given attribute from an entry.
ldap_get_dn: This is used to retrieve the name of an entry.
ldap_explode_dn: This is used to break up the name into its component parts.
ldap_dn2ufn: This API converts the DN into the user friendly format.
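As an added example (not code from the TechNet article or from any LDAP library), here is a standalone C illustration of what ldap_explode_dn() and ldap_dn2ufn() do to a distinguished name, including the backslash-escaped and double-quoted values that RFC 1779 allows inside a DN; the names explode_dn and dn2ufn and the sample DN are the editor's own.

```c
#include <stdio.h>
#include <string.h>
#define MAX_RDN 16
#define RDN_LEN 128

/* Split a DN such as "cn=John Doe,ou=Users,o=Example" into its RDN parts,
 * honouring backslash escapes and double-quoted values (RFC 1779 syntax).
 * notypes != 0 strips the "type=" prefix, like ldap_explode_dn()'s notypes flag. */
int explode_dn(const char *dn, int notypes, char parts[MAX_RDN][RDN_LEN]) {
    int n = 0, i = 0, inquote = 0;
    for (const char *p = dn; ; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {              /* escaped byte: copy literally */
            if (i < RDN_LEN - 1) parts[n][i++] = *++p;
            continue;
        }
        if (c == '"') { inquote = !inquote; continue; }
        if (c == ' ' && i == 0 && !inquote) continue; /* blank after a separator */
        if ((c == ',' && !inquote) || c == '\0') {    /* end of one RDN */
            parts[n][i] = '\0';
            if (notypes) {                            /* "ou=Users" -> "Users" */
                char *eq = strchr(parts[n], '=');
                if (eq) memmove(parts[n], eq + 1, strlen(eq));
            }
            if (++n == MAX_RDN || c == '\0') break;   /* n is the part count */
            i = 0;
            continue;
        }
        if (i < RDN_LEN - 1) parts[n][i++] = c;
    }
    return n;
}
/* The user-friendly form ldap_dn2ufn() gives: values only, joined with ", ". */
void dn2ufn(const char *dn, char *out, size_t outlen) {
    char parts[MAX_RDN][RDN_LEN];
    int n = explode_dn(dn, 1, parts), k;
    out[0] = '\0';
    for (k = 0; k < n; k++) {
        if (k) strncat(out, ", ", outlen - strlen(out) - 1);
        strncat(out, parts[k], outlen - strlen(out) - 1);
    }
}
int main(void) {   /* constructed sample DN: the first value contains an escaped comma */
    char parts[MAX_RDN][RDN_LEN], ufn[256];
    int k, n = explode_dn("cn=Doe\\, John,ou=Users,o=Example", 0, parts);
    for (k = 0; k < n; k++) printf("rdn[%d] = %s\n", k, parts[k]);
    dn2ufn("cn=Doe\\, John,ou=Users,o=Example", ufn, sizeof ufn);
    printf("ufn = %s\n", ufn);
}
```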