

LDAP Evaluation Criteria

Topic Last Modified: 2009-07-24

Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs directly over the TCP/IP stack and provides a mechanism for connecting to, searching, and modifying Internet directories. The LDAP directory service is based on a client-server model. The function of LDAP is to allow access to an existing directory. Microsoft Exchange 2000 Server messaging and collaboration application clients can use LDAP to access user and group information across a network or the Internet.

Caveats

Functional Criteria

Criteria Lightweight Directory Access Protocol (LDAP)

Application Domain

Applications that use LDAP typically retrieve or manage user- and computer-resource information stored in a directory service such as the Active Directory directory service. Because Exchange uses Active Directory to store user and configuration information, LDAP is used to communicate with the directory in applications that manage users and server configuration.

Major Objects

LDAP is a protocol, not an object model. Applications that use LDAP typically use ADSI to access information in a directory service.

Data access model

Not applicable.

Threading Models

Not applicable.

Application Architectures

LDAP and ADSI are commonly used in the middle tiers of applications. Exchange application clients that use LDAP and ADSI are typically intranet applications, or are applications that monitor and manage other Exchange servers.

Remote Usage

Firewalls and routers are usually configured to block LDAP access outside the corporate intranet. Applications that use LDAP and ADSI typically do not execute on the computer running Active Directory.

Transactions

Information about this is not yet available here.

Management Capabilities

Information about this is not yet available here.

Availability

Information about this is not yet available here.

Development Criteria

Criteria Lightweight Directory Access Protocol (LDAP)

Languages and Tools

LDAP is a protocol; it is available through many different development tools and languages.

Managed Implementation

LDAP is a protocol, not a component. ADSI can be used to work with LDAP-compatible directory services by using the System.DirectoryServices .NET Framework objects.

Scriptable

LDAP is a protocol; ADSI is scriptable.

Test/Debug Tools

No special debugging tools are needed to debug applications that use LDAP. For particularly difficult protocol-interaction issues, a network monitoring utility may prove helpful, but is typically not required.

Expert Availability

LDAP and ADSI are reasonably well-known technologies, with abundant Microsoft and third-party information available.

Available Information

Numerous third-party Web sites and books exist, and Microsoft provides LDAP, ADSI, and Active Directory information on the MSDN Web site.

Developer / Deployment Licensing

No special licensing is required to develop applications that use LDAP.

Security Criteria

Criteria Lightweight Directory Access Protocol (LDAP)

Design-Time Permissions

The account under which the application-under-development runs must have proper permissions to access the intended information. This varies greatly based on the type of operations the application is performing.

Setup Permissions

No special permissions are required to set up applications that use ICS.

Run-Time Permissions

Applications that access directory service information should be deployed only on those systems and for users who have sufficient permissions to access the information needed by the application.

Built-in Security Features

Information about this is not yet available here.

Security Monitoring Features

Information about this is not yet available here.

Deployment Criteria

Criteria Lightweight Directory Access Protocol (LDAP)

Server Platform Requirements

LDAP requires access to an appropriate directory service. Because Exchange uses Active Directory, a computer running Microsoft Windows is needed to access information about Exchange users and configuration.

Client Platform Requirements

LDAP is not a client technology. The design and implementation of the application client determines the client requirements.

Deployment Methods

Information about this is not yet available here.

Deployment Notes

None.