Active Directory vs OpenLDAP


Question

What are the main differences between these two implementations of the LDAP protocol? Which is better for a heterogeneous environment? Any good websites about this topic?

Solution

For heterogeneous environments you want to use a general-purpose server such as OpenLDAP. The advantage of AD usually is that it already contains user accounts for your internal users - these can be kept in sync with a separate LDAP server, though this adds complexity.

As far as specifics of the protocol go, the docs for Oracle Virtual Directory have a pretty good summary. (OVD is a product that can be used to proxy AD and translate some of its quirks into a more standard interface.):

http://download.oracle.com/docs/html/E10286_01/app_bundled_plugins.htm#CHDGDBBG

Ranging Attributes
Attributes in Active Directory and ADAM with more than 1000 values are returned 1000 at a time with a name that includes the range of values that were returned (or 1500 for Windows 2003). The range is returned to the client in the form: member;1-1000: somevalue. In order to get the next thousand entries, the client application must somehow know to repeat the query and request the attribute member;1001-2000. This requires applications to handle Microsoft Active Directory in a special way compared to other directory products.

Password Updates
Microsoft Active Directory and ADAM have special rules around how the password of a user may be updated by using LDAP:

  • Passwords may only be updated via secure SSL connection.
  • If a user is updating their own password, the original password must be included in a modify delete with the new password being a modify add in the same modify operation.
  • Only an administrator may reset the password of a user without knowing the previous password.
  • Active Directory does not use the userPassword attribute, it uses the unicodePwd attribute (which is quoted-UTF16-hex-padded-base64 encoded).

ObjectClass Mapping
Most LDAP directories use the inetOrgPerson and groupOfUniqueNames object classes for users and groups. Microsoft Active Directory uses the user and group objectClasses with attributes specific to Active Directory NOS requirements of Microsoft.

These are some of the main ones but there are others.
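The two AD quirks the quoted Oracle text describes (ranged retrieval of large multi-valued attributes, and the unicodePwd update rules) are easy to get wrong in client code, so here is an added example, not part of the original answer or of any product's code, that mocks both in pure standard-library Python. One caveat on the quoted text: current AD servers use the syntax `member;range=0-1499` (zero-based, MaxValRange defaulting to 1500; the final chunk comes back as `member;range=N-*`), so the client loop below follows that form rather than the `member;1-1000` form quoted above. The fake directory, the group members, the DNs and the `search(dn, attrs)` callback shape are constructed for the example; against a real server you would substitute your LDAP library's search call and send the returned modify list with its modify call, over LDAPS or a sealed SASL bind.

```python
"""Two Active Directory LDAP quirks, mocked offline: ranged attribute retrieval
and unicodePwd updates. Fake directory, DNs and callback shape are constructed."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# --- Ranged retrieval (attr;range=low-high, '*' as high means "to the end") ---

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


def parse_range(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """'member;range=0-1499' -> ('member', 0, 1499); '*' high -> None; plain name -> None."""
    m = RANGE_RE.match(name)
    if m is None:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high


def next_range_request(returned_name: str) -> Optional[str]:
    """Attribute name to request next, or None when the server sent the last chunk."""
    parsed = parse_range(returned_name)
    if parsed is None:
        return None            # unranged reply: everything fit in one response
    base, _low, high = parsed
    if high is None:
        return None            # 'range=N-*' marks the final chunk
    return f"{base};range={high + 1}-*"


Search = Callable[[str, List[str]], Dict[str, List[str]]]


def fetch_all_values(search: Search, dn: str, attr: str, max_rounds: int = 10_000) -> List[str]:
    """Client loop: request attr, then follow range markers until the '*' chunk arrives."""
    values: List[str] = []
    request = attr
    for _ in range(max_rounds):
        reply = search(dn, [request])
        if attr in reply:                       # small attribute, server did not range it
            return values + reply[attr]
        ranged = [k for k in reply if k.split(";", 1)[0] == attr]
        if not ranged:
            return values                       # attribute absent (or already exhausted)
        values.extend(reply[ranged[0]])
        request = next_range_request(ranged[0])
        if request is None:
            return values
    raise RuntimeError("range retrieval did not terminate")


def make_fake_ad(members: List[str], max_val_range: int = 1500) -> Search:
    """Constructed stand-in for a DC honoring MaxValRange (1500 on 2003+, 1000 on 2000)."""
    def search(dn: str, attrs: List[str]) -> Dict[str, List[str]]:
        req = attrs[0]
        parsed = parse_range(req)
        base, low = (req, 0) if parsed is None else (parsed[0], parsed[1])
        chunk = members[low:low + max_val_range]
        if parsed is None and len(members) <= max_val_range:
            return {base: chunk}                # fits in one reply: plain attribute name
        end = low + len(chunk)
        last = end >= len(members)
        return {f"{base};range={low}-{'*' if last else end - 1}": chunk}
    return search


# --- unicodePwd updates ------------------------------------------------------

def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the new password wrapped in double quotes, encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_modify(new_password: str, old_password: Optional[str] = None):
    """Modify list as (op, attribute, values) tuples.

    Self-service change: delete the old value and add the new one in ONE modify
    operation. Administrative reset (old password unknown): a single replace."""
    if old_password is None:
        return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def connection_allows_password_write(uri: str, starttls: bool = False, sasl_sealed: bool = False) -> bool:
    """AD refuses unicodePwd writes on a plaintext session (unwillingToPerform), so check first."""
    return uri.lower().startswith("ldaps://") or starttls or sasl_sealed


if __name__ == "__main__":
    big_group = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(3200)]  # constructed
    ad = make_fake_ad(big_group)
    got = fetch_all_values(ad, "CN=everyone,OU=Groups,DC=example,DC=com", "member")
    print(len(got), "members collected via ranged retrieval")
    for op, attr, vals in build_password_modify("N3w-Passw0rd!", "0ld-Passw0rd!"):
        print(op, attr, vals[0][:12], "...")
```

Because the fake directory names chunks the way a DC does, the same `fetch_all_values` loop works unchanged for a ten-member group (plain `member` comes back, no ranging) and for a 3200-member group (three round trips: 0-1499, 1500-2999, 3000-*). For password writes, keep the two modify shapes distinct: sending a bare replace from a user's own bind, or a delete/add pair without the correct old value, is rejected by the DC.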
