Active Directory vs OpenLDAP


Question

What are the main differences between these two implementations of the LDAP protocol? Which is better for a heterogeneous environment? Any good websites about this topic?

Answer

For heterogeneous environments you want to use a general-purpose server such as OpenLDAP. The advantage of AD usually is that it already contains user accounts for your internal users; these can be kept in sync with a separate LDAP server, though this adds complexity.

As far as specifics of the protocol go, the docs for Oracle Virtual Directory have a pretty good summary (OVD is a product that can be used to proxy AD and translate some of its quirks into a more standard interface):

http://download.oracle.com/docs/html/E10286_01/app_bundled_plugins.htm#CHDGDBBG

Ranging Attributes: Attributes in Active Directory and ADAM with more than 1000 values are returned 1000 at a time, with a name that includes the range of values that were returned (or 1500 for Windows 2003). The range is returned to the client in the form: member;1-1000: somevalue. In order to get the next thousand entries, the client application must somehow know to repeat the query and request the attribute member;1001-2000. This requires applications to handle Microsoft Active Directory in a special way compared to other directory products.

Password Updates: Microsoft Active Directory and ADAM have special rules around how the password of a user may be updated by using LDAP:

  • Passwords can only be updated over a secure SSL connection.
  • If a user is updating their own password, the original password must be included as a modify-delete and the new password as a modify-add, in the same modify operation.
  • Only an administrator can reset a user's password without knowing the user's previous password.
  • Active Directory does not use the userPassword attribute; it uses the unicodePwd attribute (which is quoted-UTF16-hex-padded-base64 encoded).

ObjectClass Mapping: Most LDAP directories use the inetOrgPerson and groupOfUniqueNames object classes for users and groups. Microsoft Active Directory uses the user and group objectClasses with attributes specific to the Active Directory NOS requirements of Microsoft.

These are some of the main ones but there are others.
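The two AD quirks the quoted Oracle text describes, range retrieval of large multi-valued attributes and the unicodePwd password format, as an added Python example; this is not code from the question, the answer, or Oracle's documentation. It assumes the range syntax AD actually emits on the wire, `attr;range=low-high` with `*` as the high bound of the final chunk and a 1500-value page, and replaces the directory with a constructed `fake_ad_search` function so it runs offline. The modify tuples mirror the (op, attribute, values) shape of python-ldap's modify_s, with the op names written as plain strings for illustration.

```python
import base64
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: a group with 3200 members, so a single search
# needs three range chunks. A real deployment would query AD over LDAPS.
PAGE = 1500  # AD's default MaxValRange on Windows 2003 and later
FAKE_MEMBERS = [f"CN=user{i},OU=Staff,DC=example,DC=com" for i in range(3200)]

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


def parse_range_attr(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (attribute, low, high) for a ranged attribute name, or None if the
    name carries no range. high is None when the server sent '*', which marks
    the last chunk."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high


def fake_ad_search(dn: str, requested_attr: str) -> Dict[str, List[str]]:
    """Stand-in for an LDAP search against AD (hypothetical, offline). Given
    'member' or 'member;range=N-*', it returns at most PAGE values under a
    name that states the range actually served."""
    parsed = parse_range_attr(requested_attr)
    low = parsed[1] if parsed else 0
    chunk = FAKE_MEMBERS[low:low + PAGE]
    is_last = low + PAGE >= len(FAKE_MEMBERS)
    high = "*" if is_last else str(low + len(chunk) - 1)
    return {f"member;range={low}-{high}": chunk}


def fetch_all_values(search: Callable[[str, str], Dict[str, List[str]]],
                     dn: str, attr: str) -> List[str]:
    """Walk the range chunks until the server marks one with '*'. A client that
    reads only the first response silently sees a truncated group."""
    values: List[str] = []
    request = attr
    while True:
        result = search(dn, request)
        if attr in result:          # small attribute: no ranging at all
            return result[attr]
        keys = [k for k in result if k.startswith(attr + ";range=")]
        if not keys:
            return values
        _, _, high = parse_range_attr(keys[0])
        values.extend(result[keys[0]])
        if high is None:
            return values
        request = f"{attr};range={high + 1}-*"


def unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_ldif(password: str) -> str:
    """Base64 form as it appears on an LDIF 'unicodePwd::' line."""
    return base64.b64encode(unicode_pwd(password)).decode("ascii")


def self_change_mods(old: str, new: str) -> List[Tuple[str, str, List[bytes]]]:
    """User-initiated change: delete the old value and add the new one in the
    same modify operation. Op names are illustrative strings here."""
    return [("MOD_DELETE", "unicodePwd", [unicode_pwd(old)]),
            ("MOD_ADD", "unicodePwd", [unicode_pwd(new)])]


def admin_reset_mods(new: str) -> List[Tuple[str, str, List[bytes]]]:
    """Administrative reset: a single replace, no knowledge of the old value.
    AD rejects either form unless the connection is TLS-protected."""
    return [("MOD_REPLACE", "unicodePwd", [unicode_pwd(new)])]


if __name__ == "__main__":
    members = fetch_all_values(fake_ad_search, "CN=Big,OU=Groups,DC=example,DC=com", "member")
    print(len(members), "members collected across range chunks")
    print(unicode_pwd_ldif("x"))
```

Whichever LDAP library is used, the range loop belongs in the client: neither OpenLDAP-style clients nor generic directory code expect attribute names to change between requests, which is exactly the interoperability problem the quoted text points at.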

