Directory change: LDAP (Novell) to MS Active Directory

Posted on 2007-03-20
Medium Priority
Last Modified: 2011-09-20
There is a directory change in our application. It is changing from LDAP (Novell) to MS Active Directory.
What kind of changes should I expect in our code, so that I can learn about them? Links are welcome.
Question by: Manish
LVL 35

Accepted Solution

ShineOn earned 500 total points
ID: 18763080
If this is a commercial application, why not keep it LDAP, to provide your customers with a choice?  AD works to a degree with LDAP.  It's not LDAPv3 Certified like eDirectory, but it's "LDAP Compatible" per Microsoft, whatever that means, and you won't lock out other LDAP-accessible directories, including eDirectory as well as the directory services provided by IBM, Oracle, Sun, etc. and, of course, OpenLDAP (which will grow, guaranteed, as part of the growing Linux presence.)

The big difference with AD is the LDAP notation to get to the context of the object.  AD makes considerable use of the "DC" container type where in a "normal" X.500-based directory you'd expect the customary hierarchy, CN, OU, O, C...

They do use the OU container type but it's not really a hierarchical structural organizational unit but rather a grouping type added in to make it comply a bit closer to X.500.

If your app is home-grown, then I'd think it'd be easier to continue to use LDAP with AD, as well.  You'd just have to deal with the minor oddments with the structure, which should be no big deal.

If you're using a Java app server platform like Tomcat, JBoss, etc., and you plan to use the directory for authentication,  then you'll also have to make sure you have a usable PKI certificate you can import.  If you plan to use Kerberos, although it's got some proprietary quirks, that doesn't mean you have to scrap LDAP...  Heck, Microsoft uses LDAP lookups in its own utilities...
LVL 11

Author Comment

ID: 18763212
Client is changing directory structure, so we don't have much control over it.
Our application is using Java and WebSphere (developed in the IDE WSAD).
What is a PKI certificate?
Do I expect that we don't have to change much in the code to access AD?
Like in LDAP we are using a URL such as ldap://....389.
How is AD accessible? Is there any software I need to download to access it?
LVL 35

Assisted Solution

ShineOn earned 500 total points
ID: 18764124
If the AD server is using the default port for unsecure LDAP, then port 389 is still good, even with AD.

The url ldap://servername:389 should still work.

You have to make sure you can either a) do an anonymous BIND, which will give you limited use, or b) set up a user that you can use to log in to AD for LDAP access.

If your server's internal DNS URL is, for example, server1.mydomain.myforest.local, then the user credentials would be:


If your users folder or user objects or groups or whatever are in an OU folder within your domain, then you'd use the ou= qualifier, but the default "users" folder is a cn object type.  

OU hierarchy begins after the last domain level in a forest.  Up to that point, all qualifiers must be "dc" (domain controller.)  If you want to set a base, use the "dc" hierarchy.

If you can limit your commands to LDAPv2 that'd be great, since AD isn't, as I mentioned, LDAPv3 certified (or even compliant, last I checked.)
LVL 35

Assisted Solution

ShineOn earned 500 total points
ID: 18764180
Also, PKI certificate is if you want to do SSL-secure LDAP (default port 636).  The customer would have to set up PKI services on their server (a Certificate Authority) and mint a public/private key pair.

That would encrypt the password info.

If LDAP isn't being used by your app for user/password authentication, then 389 should be fine, but if you're using LDAP for an authentication vehicle for your app and are using the directory service's user ID and password to authenticate, then you should already be using secure LDAP.

If it's just for lookup/white pages type stuff, then unsecure LDAP should be OK.
LVL 11

Author Comment

ID: 18769530
Application uses LDAP for authentication and getting some attributes.
So what I am understanding is:
current code can be used for authentication and getting attributes, with some changes in
search base, as AD may have a different type of hierarchy.
Currently like we have search base
LVL 35

Expert Comment

ID: 18770773
Yep, now the base would be cn=users,dc=domain,dc=forest,dc=dnsroot
users is the built-in users folder where the users/groups reside by default,
domain is the AD domain
forest is the AD forest, if their AD has that type of structure
dnsroot is the TLD they use when they define their AD DNS structure (.com, .net, .local, .lan or whatever they choose...)

If their AD is simple, with only the forest root domain, then you'd only have two DC levels...
If they customize their AD structure, dividing their user objects and group objects into self-defined OUs, you'd have to look in the OUs instead of the default "users" CN.

I don't know how well it does traversing through the structure below the base or dereferencing aliases or such.  In their current eDirectory setup, are all the user objects in their USERS OU, or do they put aliases in the USERS OU that get dereferenced to the actual containers the user objects are in?
LVL 35

Expert Comment

ID: 18770788
You may also have to map some attributes.  You should set up an AD test system to work with, so you can see how the base schema differs as regards attributes.  For example, in eDirectory, a group is type "groupofnames" while AD groups are just type "group."
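The migration steps the experts describe above (plain LDAP on 389 for lookups vs. LDAPS on 636 for password binds, a dc= base derived from the DNS domain, re-parenting user DNs under cn=Users, and mapping groupOfNames to group), worked through as an added example that is not from this thread. The host name, the eDirectory DN layout and the uniqueMember/member pair are assumptions to confirm against a test AD.

```python
import re

# Assumed example server name (not from the thread).
AD_HOST = "server1.mydomain.myforest.local"

# Schema differences: groupOfNames -> group is stated in the thread; the
# uniqueMember -> member pair is an assumption a test AD instance must confirm.
SCHEMA_MAP = {"groupofnames": "group", "uniquemember": "member"}


def ad_base_dn(dns_name: str, container: str = "cn=Users") -> str:
    """Turn an AD server's DNS name into the search base described in the thread:
    drop the host label, then every remaining DNS label becomes one dc= component.
    Pass container="ou=Staff" when the customer keeps users in their own OU."""
    labels = [l for l in dns_name.lower().split(".") if l]
    if len(labels) < 2:
        raise ValueError("expected host.domain[.forest].tld")
    return container + "," + ",".join(f"dc={l}" for l in labels[1:])


def ldap_url(host: str, used_for_authentication: bool) -> str:
    """389 is fine for white-pages lookups; binds carrying user passwords
    should go over LDAPS (636), which needs the customer's CA certificate."""
    return f"ldaps://{host}:636" if used_for_authentication else f"ldap://{host}:389"


def edir_dn_to_ad(edir_dn: str, base_dn: str) -> str:
    """Keep the leaf RDN (cn=jdoe) of an eDirectory DN and re-parent it under
    the AD base DN; assumes the user objects land in that single container."""
    leaf = edir_dn.split(",", 1)[0].strip()
    if not leaf.lower().startswith("cn="):
        raise ValueError("expected a cn= leaf RDN")
    return f"{leaf},{base_dn}"


def translate_filter(ldap_filter: str) -> str:
    """Rewrite attribute names and objectClass values in an LDAP search filter
    using SCHEMA_MAP, leaving unknown names untouched."""
    def fix(m):
        attr, value = m.group(1), m.group(2)
        attr = SCHEMA_MAP.get(attr.lower(), attr)
        if attr.lower() == "objectclass":
            value = SCHEMA_MAP.get(value.lower(), value)
        return f"({attr}={value})"
    return re.sub(r"\(([A-Za-z0-9-]+)=([^()]*)\)", fix, ldap_filter)
```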
