Microsoft claim that the Active Directory Server (ADS) within Windows 2000 server is fully LDAP compliant. There are other LDAP compliant servers that are available on the internet, including OpenLDAP, and various LDAP clients including GQ.
We tested the interoperability of these products.
It must be taken into account that this is beta software, and there may be features that are currently unimplemented, or not working correctly, for various reasons.
The ADS within Windows 2000 server appears to conform to most of the LDAP version 2 and version 3 standards. So far, it appears that searching the ADS using an LDAP based tool doesn't work, although this may be fixed in a later version of Windows 2000 server.
I have Windows 2000 server installed on a test machine (Compaq). I have OpenLDAP and Netscape Directory Server installed on another machine, running Red Hat Linux 6.0 with all updates to 1st July 1999.
I have a freeware LDAP client called GQ as well as Netscape Communicator running on Linux. I also have the Mail client from Outlook Express / Internet Explorer 5, the Outlook 98 client, and Netscape Communicator version 4.6 running on Windows NT workstation 4.0.
Additionally, there is an LDAP client called LDP available on Windows 2000 server. To get access to this, install the resource kit, and run the Tools Management Console. LDP is contained in the Microsoft Resource Kits -> Windows 2000 Resource Kits -> Tool Categories -> Network Management Group -> Directory Services Tools section.
I have a single directory called chc.someco.co.nz.
It isn't immediately obvious what the suffix of the ADS is, but I pointed GQ at the server in browse mode and it found the following three containers:
cn=Schema,cn=Configuration,dc=chc,dc=someco,dc=co,dc=nz
cn=Configuration,dc=chc,dc=someco,dc=co,dc=nz
dc=chc,dc=someco,dc=co,dc=nz
I assumed that the last one of these is the active container, and I was successfully able to log in, using simple authentication, as the following user:
cn=Administrator,cn=Users,dc=chc,dc=someco,dc=co,dc=nz
I used the password that had been assigned as the administrator password on the server, and it all appeared to work.
Using the MMC snap-in, we inserted an Organisational Unit called Department into the tree, and a user called Some User into that OU.
We created a single directory with the suffix "o=Some Company,c=NZ".
I inserted three users into the tree at build time (using ldif2ldbm, a tool supplied with OpenLDAP):
cn=Del,ou=Members,o=Some Company,c=NZ
cn=Some User,ou=Members,o=Some Company,c=NZ
cn=root,ou=Members,o=Some Company,c=NZ
The last of these was installed as the root DN (i.e. authenticating as this user allows administrator access to the tree).
GQ, and Netscape Communicator, were installed clean from the RPM files with no modifications.
Outlook 98 was installed from a setup created by the Outlook Deployment Kit.
GQ contains an LDAP tree browser. Browsing the LDAP tree of the OpenLDAP server and the ADS from here was quite successful. Without authentication, the entire OpenLDAP tree is visible, but no changes can be made. Before authentication to the ADS tree, only the top three containers are visible, and appear to be empty. After authentication (with the above user dn and password), the entire tree appears to be visible.
After authenticating to the OpenLDAP tree, attempts to modify entries in the tree, or add entries to the tree, appear successful.
Attempts to modify the ADS tree always fail with an error message "DS unwilling to perform", which indicates that the tree is write-locked.
Note: The GQ client supports Kerberos authentication; however, I am using only plain text. Perhaps using Kerberos authentication would make a difference as to whether the tree can be modified.
None of the other clients that I have support tree browsing.
I used the GQ browser to search the OpenLDAP tree. Entering a search criterion of "cn=Del", I was able to find the user that I had entered. The full details of the user were displayed.
Using the same search tool, I was unable to find any users in the ADS tree. The response was "0 entries found", indicating that the search had completed successfully, but not found anything. I tried various combinations of "Some", "Some User", and "Department" and failed to find anything.
Using Netscape Communicator (which only reports cn's and e-mail addresses), I was able to find all of the users and e-mail addresses in the OpenLDAP tree. I was unable to find anything in ADS.
Once again, the error messages indicated that the search was successful, but no entries were found.
Using the Address Book in Outlook Express, I was unable to find any entries in either the OpenLDAP tree or the ADS tree. I created the LDAP server entries in Tools->Accounts in the Address Book, and inserted what I believed to be the correct information (including authentication details for the ADS); however, none of the searches found anything.
Using LDP from the Windows 2000 resource kit, I was successfully able to search the OpenLDAP server using the following steps:
Connect to the OpenLDAP server by host name and port 389, using the Connection -> Connect menu item.
Search using the Browse -> Search menu item, enter a base DN of "o=Some Company,c=NZ", and a search item of "(cn=Del)".
Repeating the above process to search the ADS again showed 0 entries found.
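The search procedure above, reproduced offline as an added example (not code from this report, OpenLDAP or Microsoft): it derives the DC-style suffix GQ found for chc.someco.co.nz, emits the LDIF that ldif2ldbm would load for the three OpenLDAP users, and evaluates the "(cn=Del)" equality filter against those entries under a given base DN. The sn and mail values are constructed for the example.

```python
import re

def dns_to_dc_suffix(domain: str) -> str:
    """chc.someco.co.nz -> dc=chc,dc=someco,dc=co,dc=nz (AD derives its suffix this way)."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))

# Constructed entries mirroring the OpenLDAP tree in the report; sn/mail values are made up.
BASE = "o=Some Company,c=NZ"
ENTRIES = [
    {"dn": f"cn=Del,ou=Members,{BASE}", "cn": ["Del"], "sn": ["Example"],
     "mail": ["del@someco.example"], "objectClass": ["person"]},
    {"dn": f"cn=Some User,ou=Members,{BASE}", "cn": ["Some User"], "sn": ["User"],
     "mail": ["some.user@someco.example"], "objectClass": ["person"]},
    {"dn": f"cn=root,ou=Members,{BASE}", "cn": ["root"], "sn": ["root"],
     "objectClass": ["person"]},
]

def to_ldif(entries) -> str:
    """Serialise entries as LDIF, the format ldif2ldbm loads at build time."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn']}"]
        for attr, values in e.items():
            if attr != "dn":
                lines += [f"{attr}: {v}" for v in values]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

_EQ = re.compile(r"^\((\w+)=([^)]*)\)$")

def search(entries, base: str, filt: str):
    """Subtree search with a single equality filter such as '(cn=Del)'.
    Returns matching DNs; an empty list is the '0 entries found' outcome."""
    m = _EQ.match(filt.strip())
    if not m:
        raise ValueError(f"only simple equality filters are supported: {filt}")
    attr, want = m.group(1).lower(), m.group(2).lower()
    hits = []
    for e in entries:
        if not e["dn"].lower().endswith(base.lower()):
            continue  # entry lies outside the requested search base
        values = next((v for k, v in e.items() if k.lower() == attr), [])
        if any(v.lower() == want for v in values):  # cn matching is case-insensitive
            hits.append(e["dn"])
    return hits

if __name__ == "__main__":
    print(dns_to_dc_suffix("chc.someco.co.nz"))
    print(to_ldif(ENTRIES))
    print(search(ENTRIES, BASE, "(cn=Del)"))
```

Searching with the ADS suffix as the base returns nothing here because none of the constructed entries live under it, which is the same "0 entries found" result rather than an error.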
Conclusion: There is either an alternative method that I should use for LDAP queries into ADS, or LDAP queries in ADS are broken. Not even Microsoft's own LDAP query tool is successfully able to perform an LDAP search on the ADS, although it is able to search the OpenLDAP server.
I went to the ADS snap-in on the MMC on the Windows 2000 server, and did a search for a user there. This search was successful. There didn't appear to be any configuration options to get the tool to query an external LDAP server. This snap-in is probably not using LDAP as its query method.