Active Directory Interoperability
Just an FYI for those playing with LDAP at all (or OpenLDAP specifically) and
looking at the possibility of interoperating with Microsoft's Active Directory
(AD) sometime in the not-too-distant future.
On the ldap-nis mailing list (discussing PADL Software's software projects) it
has come to light that naming attributes (particularly "cn" - "commonName",
also "CN" in NDS) in AD are always single-valued; the current definition of
the attribute in AD is:
http://msdn.microsoft.com/library/sdkdoc/adschema/attrdetl_0yed.htm
Note the Attribute-ID (OID), "2.5.4.3". The page also indicates that the
information is subject to change (let's hope it does so).
Various members of the list (and off-list) have checked the standards and
reported that the following all define the attribute (same OID) to be
multi-valued (not single-valued):
- IETF RFC 2256
- DMTF DEN
- ITU-T X.520(93)
The second is most interesting because Microsoft was one of the founders of
the DEN effort...
Testing against some existing LDAPv3 servers (namely, Netscape Directory 4.0
and Novell NetWare 5's LDAPv3 front-end to NDS 8) shows that they accept "cn"
as multi-valued.
The discussion was in relation to RFC 2307 (and whether or not AD could really
be compliant with the existing schema given this - and other - limitations and
namespace clashes).
Note - this is NOT intended to be Microsoft/AD-bashing nor is it meant to be
alarmist; merely a heads-up for anyone who may be doing work in this area.
As noted above, let's hope Microsoft fixes AD rather than all the other
vendors breaking their directories (thus all being non-conformant) just to
suit Microsoft. :-(
Cheers..
dave
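The practical question raised above is whether a given directory declares "cn" (OID 2.5.4.3) as SINGLE-VALUE, and what happens to an RFC 2307-style entry carrying more than one cn when it meets such a schema. The following is an added example, not code from the post or from any of the products named in it: it parses attributeTypes definitions in the RFC 2252 syntax that LDAPv3 servers publish in their subschema subentry, then checks a constructed entry against two schemas. The first two definitions are taken from RFC 2256; the third (cn marked SINGLE-VALUE) and the sample entry are constructed for illustration and are not copied from any real AD subschema. The function names are this example's own.

```python
import re

# Attribute type definitions in RFC 2252 syntax. The first two follow RFC 2256;
# the third is a CONSTRUCTED stand-in for a directory that declares cn
# SINGLE-VALUE (not copied from any real subschema).
RFC2256_SCHEMA = [
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
]
SINGLE_VALUED_CN_SCHEMA = [  # constructed
    "( 2.5.4.3 NAME 'cn' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]

# Constructed RFC 2307-style entry with two cn values, as a real directory
# might hold for a person with a nickname.
SAMPLE_ENTRY = {
    "cn": ["David Example", "Dave Example"],
    "uid": ["dave"],
}

_OID_RE = re.compile(r"^\(\s*([0-9.]+|[A-Za-z][A-Za-z0-9-]*)")
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")
_SUP_RE = re.compile(r"\bSUP\s+'?([A-Za-z][A-Za-z0-9-]*|[0-9.]+)'?")


def parse_attribute_type(definition):
    """Parse one RFC 2252 attributeTypes value into a dict of the fields we need."""
    m = _OID_RE.match(definition.strip())
    if not m:
        raise ValueError("not an attributeTypes definition: %r" % definition)
    names = []
    nm = _NAME_RE.search(definition)
    if nm:
        if nm.group(1) is not None:          # NAME 'cn'
            names = [nm.group(1)]
        else:                                # NAME ( 'cn' 'commonName' )
            names = re.findall(r"'([^']*)'", nm.group(2))
    sup = _SUP_RE.search(definition)
    return {
        "oid": m.group(1),
        "names": [n.lower() for n in names],
        "sup": sup.group(1).lower() if sup else None,
        # SINGLE-VALUE is an explicit keyword; absence means multi-valued.
        "single_value": bool(re.search(r"\bSINGLE-VALUE\b", definition)),
    }


def load_schema(definitions):
    """Index parsed attribute types by OID and by every short name (lower-cased)."""
    by_key = {}
    for d in definitions:
        at = parse_attribute_type(d)
        by_key[at["oid"]] = at
        for n in at["names"]:
            by_key[n] = at
    return by_key


def is_single_valued(schema, attr):
    """True if the schema marks `attr` (name or OID) SINGLE-VALUE; KeyError if unknown."""
    return schema[attr.lower()]["single_value"]


def multi_value_violations(schema, entry):
    """Attributes in `entry` that carry more than one value but are SINGLE-VALUE.

    Returns a list of (attribute, oid, value_count). Attributes the schema does
    not define are skipped, since the server would reject those for a different
    reason (undefined attribute type) and we only want the cardinality clash.
    """
    bad = []
    for attr, values in entry.items():
        at = schema.get(attr.lower())
        if at is None:
            continue
        if at["single_value"] and len(values) > 1:
            bad.append((attr, at["oid"], len(values)))
    return bad


if __name__ == "__main__":
    for label, defs in (("RFC 2256", RFC2256_SCHEMA),
                        ("constructed single-valued cn", SINGLE_VALUED_CN_SCHEMA)):
        schema = load_schema(defs)
        print(label, "cn SINGLE-VALUE:", is_single_valued(schema, "cn"),
              "violations:", multi_value_violations(schema, SAMPLE_ENTRY))
```

Against the RFC 2256 definitions the entry passes; against the constructed single-valued schema the two-valued cn is flagged, which is the clash the post describes. To run the same check against a live server, fetch the `attributeTypes` values of its subschema subentry (the DN is in the root DSE's `subschemaSubentry` attribute) and feed them to `load_schema` in place of the inline lists.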