Active Directory vs OpenLDAP

Shared by user 熟吻.

What are the main differences between these two implementations of the LDAP protocol? Which is better for a heterogeneous environment? Any good websites about this topic?

Recommended answer

For heterogeneous environments you want to use a general-purpose server such as OpenLDAP. The advantage of AD usually is that it already contains user accounts for your internal users; these can be kept in sync with a separate LDAP server, though this adds complexity.

As far as specifics of the protocol go, the docs for Oracle Virtual Directory have a pretty good summary. (OVD is a product that can be used to proxy AD and translate some of its quirks into a more standard interface.):

http://download.oracle.com/docs/html/E10286_01/app_bundled_plugins.htm#CHDGDBBG

Ranging Attributes

Attributes in Active Directory and ADAM with more than 1000 values are returned 1000 at a time with a name that includes the range of values that were returned (or 1500 for Windows 2003). The range is returned to the client in the form: member;1-1000: somevalue. In order to get the next thousand entries, the client application must somehow know to repeat the query and request the attribute member;1001-2000. This requires applications to handle Microsoft Active Directory in a special way compared to other directory products.

Password Updates

Microsoft Active Directory and ADAM have special rules around how the password of a user may be updated by using LDAP:

Passwords may only be updated via a secure SSL connection.
If a user is updating their own password, the original password must be included in a modify delete, with the new password being a modify add in the same modify operation.
Only an administrator may reset the password of a user without knowing the previous password.
Active Directory does not use the userPassword attribute; it uses the unicodePwd attribute (which is quoted-UTF16-hex-padded-base64 encoded).

ObjectClass Mapping

Most LDAP directories use the inetOrgPerson and groupOfUniqueNames object classes for users and groups. Microsoft Active Directory uses the user and group objectClasses with attributes specific to the Active Directory NOS requirements of Microsoft.

These are some of the main ones, but there are others.
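Added example, not code from the question, the answer or the Oracle docs: a small Python model of the two AD quirks quoted above, the unicodePwd change (delete old value plus add new value in one modify, values base64 in LDIF) and the ranged-attribute retrieval loop. It assumes AD's actual option syntax for ranged attributes, `member;range=0-1499` with `*` marking the final chunk (the quote above abbreviates the name), and uses a constructed in-memory stand-in for the server so it runs offline.

```python
import base64
import re

# Constructed example (not from the page or any product): AD unicodePwd and range retrieval.

def encode_unicode_pwd(password):
    """unicodePwd value: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")

def password_change_ldif(dn, old, new):
    """Self-service change: delete old + add new in ONE modify; binary values are base64 in LDIF."""
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return (f"dn: {dn}\nchangetype: modify\n"
            f"delete: unicodePwd\nunicodePwd:: {b64(encode_unicode_pwd(old))}\n-\n"
            f"add: unicodePwd\nunicodePwd:: {b64(encode_unicode_pwd(new))}\n-\n")

_RANGE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")

def next_range_request(returned_name):
    """Given the attribute name AD returned (e.g. 'member;range=0-1499'), return the name
    to request next ('member;range=1500-*'), or None if not ranged or '*' marks the last chunk."""
    m = _RANGE.match(returned_name)
    if not m or m["hi"] == "*":
        return None
    return f"{m['attr']};range={int(m['hi']) + 1}-*"

def collect_ranged_values(search, attr="member"):
    """Drive the loop the answer describes. `search(name)` performs one LDAP search and
    returns {attribute_name_as_returned: [values]} for the entry (hypothetical callback)."""
    values, request = [], f"{attr};range=0-*"
    while request:
        result = search(request)
        name = next(n for n in result if n.split(";")[0] == attr)
        values.extend(result[name])
        request = next_range_request(name)
    return values

def fake_ad_search(total=3200, chunk=1500):
    """Constructed stand-in for a server that caps each reply at `chunk` values."""
    members = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(total)]
    def search(request):
        lo = int(request.split("range=")[1].split("-")[0])
        hi = min(lo + chunk - 1, total - 1)
        returned = f"member;range={lo}-{'*' if hi == total - 1 else hi}"
        return {returned: members[lo:hi + 1]}
    return search
```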
