If possible, do not hard-code a server name. Furthermore, under most circumstances, binding should not be unnecessarily tied to a single server. Active Directory supports serverless binding, which means that Active Directory can be bound to on the default domain without specifying the name of a domain controller. For ordinary applications, this is typically the domain of the logged-on user. For service applications, this is either the domain of the service logon account or that of the client that the service impersonates.
In LDAP 3.0, rootDSE is defined as the root of the directory data tree on a directory server. The rootDSE is not part of any namespace. The purpose of the rootDSE is to provide data about the directory server. The following is the binding string that is used to bind to rootDSE.
```
LDAP://<servername>/rootDSE
```
The `<servername>` is the DNS name of a server. The `<servername>` is optional, as shown in the following format.
```
LDAP://rootDSE
```
In this case, a default domain controller from the domain that the security context of the calling thread is in will be used. If a domain controller cannot be accessed within the site, the first domain controller that can be found will be used.
For an Active Directory server (a Windows NT domain controller), the rootDSE contains the following attributes.
| Property | Description |
|---|---|
| currentTime | Contains the current time set on this directory server. |
| subschemaSubentry | Contains the distinguished name for the subSchema object. The subSchema object contains properties that expose the supported attributes (in the attributeTypes property) and classes (in the objectClasses property). The subschemaSubentry property and subschema are defined in LDAP 3.0 (see RFC 2251). |
| dsServiceName | Contains the distinguished name of the NTDS settings object for this directory server. |
| namingContexts | A multi-valued attribute that contains the distinguished names for all naming contexts stored on this directory server. By default, a Windows 2000 domain controller contains at least three naming contexts: Schema, Configuration, and one for the domain of which the server is a member. |
| defaultNamingContext | Contains the distinguished name for the domain of which this directory server is a member. |
| schemaNamingContext | Contains the distinguished name for the schema container. |
| configurationNamingContext | Contains the distinguished name for the configuration container. |
| RootDomainNamingContext | Contains the distinguished name for the first domain in the forest that contains the domain of which this directory server is a member. |
| SupportedControl | A multi-valued attribute that contains the OIDs for extension controls supported by this directory server. The controls supported by Active Directory are listed in the following table. |
| SupportedLDAPVersion | A multi-valued attribute that contains the LDAP versions (specified by major version number) supported by this directory server. |
| HighestCommittedUSN | Contains the highest USN used on this directory server. Used by directory replication. |
| SupportedSASLMechanisms | Contains the security mechanisms supported for SASL negotiation (see LDAP RFCs). By default, GSSAPI is supported. |
| DnsHostName | Contains the DNS address for this directory server. |
| LdapServiceName | Contains the Service Principal Name (SPN) for the LDAP server. Used for mutual authentication. |
| ServerName | Contains the distinguished name for the server object for this directory server in the configuration container. |
The rootDSE is a well-known and reliable location on every directory server to get distinguished names of the domain, schema, and configuration containers, and other data about the server and the contents of its directory data tree. These properties rarely change on a particular server. An application can read these properties at startup and use them throughout the session.
In summary, an application should use serverless binding to bind to the directory on the current domain, use rootDSE to get the distinguished name for a namespace, and use that distinguished name to bind to objects in the namespace.
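The following Python module is an added example, not code from the original page or from Microsoft, that works through the procedure just summarized: build the serverless (or server-specific) binding string, read the naming-context distinguished names out of a rootDSE read instead of hard-coding them, and check the advertised LDAP version, SASL mechanisms and extension controls (OIDs taken from the SupportedControl table on this page) before issuing a search. The `SAMPLE_ROOTDSE` mapping is a constructed stand-in for what an LDAP client returns from a base-scope read of rootDSE; the class and function names are the example's own.

```python
"""Derive binding targets and search capabilities from a rootDSE read."""
from typing import Dict, Iterable, List, Optional

# Control OIDs and string constants from the SupportedControl table on this page.
LDAP_PAGED_RESULT_OID_STRING = "1.2.840.113556.1.4.319"
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"

# Constructed sample of a base-scope read of rootDSE (not captured from a real server).
# Every LDAP attribute arrives as a list of values, even the single-valued ones.
SAMPLE_ROOTDSE: Dict[str, List[str]] = {
    "currentTime": ["20240101120000.0Z"],
    "defaultNamingContext": ["DC=example,DC=com"],
    "schemaNamingContext": ["CN=Schema,CN=Configuration,DC=example,DC=com"],
    "configurationNamingContext": ["CN=Configuration,DC=example,DC=com"],
    "rootDomainNamingContext": ["DC=example,DC=com"],
    "namingContexts": [
        "DC=example,DC=com",
        "CN=Configuration,DC=example,DC=com",
        "CN=Schema,CN=Configuration,DC=example,DC=com",
    ],
    "supportedLDAPVersion": ["3", "2"],
    "supportedControl": [
        LDAP_PAGED_RESULT_OID_STRING,
        LDAP_SERVER_SD_FLAGS_OID,
        LDAP_SERVER_SHOW_DELETED_OID,
    ],
    "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"],
    "dnsHostName": ["dc01.example.com"],
    "ldapServiceName": ["example.com:dc01$@EXAMPLE.COM"],
}


def binding_path(dn: str = "rootDSE", server: Optional[str] = None) -> str:
    """Build an ADSI binding string. Leave server as None for serverless binding."""
    return f"LDAP://{server}/{dn}" if server else f"LDAP://{dn}"


class RootDse:
    """View over a rootDSE attribute map with case-insensitive attribute lookup.

    LDAP attribute names are case-insensitive, and documentation spells them
    inconsistently (SupportedControl vs supportedControl), so keys are folded.
    """

    def __init__(self, attrs: Dict[str, List[str]]) -> None:
        self._attrs = {name.lower(): list(vals) for name, vals in attrs.items()}

    def values(self, name: str) -> List[str]:
        return self._attrs.get(name.lower(), [])

    def first(self, name: str) -> str:
        vals = self.values(name)
        if not vals:
            raise KeyError(f"rootDSE has no {name} attribute")
        return vals[0]

    def supports_ldap_v3(self) -> bool:
        return "3" in self.values("supportedLDAPVersion")

    def supports_sasl(self, mechanism: str) -> bool:
        offered = {m.upper() for m in self.values("supportedSASLMechanisms")}
        return mechanism.upper() in offered

    def missing_controls(self, required: Iterable[str]) -> List[str]:
        """Return the required control OIDs the server does not advertise."""
        offered = set(self.values("supportedControl"))
        return [oid for oid in required if oid not in offered]


def resolve_bind_targets(attrs: Dict[str, List[str]],
                         server: Optional[str] = None) -> Dict[str, str]:
    """Turn a rootDSE read into binding strings for the domain, schema,
    configuration and forest-root containers, with sanity checks."""
    dse = RootDse(attrs)
    if not dse.supports_ldap_v3():
        raise RuntimeError("server does not advertise LDAP v3, which defines rootDSE")
    domain_dn = dse.first("defaultNamingContext")
    if domain_dn not in dse.values("namingContexts"):
        raise RuntimeError("defaultNamingContext is not among namingContexts")
    return {
        "domain": binding_path(domain_dn, server),
        "schema": binding_path(dse.first("schemaNamingContext"), server),
        "configuration": binding_path(dse.first("configurationNamingContext"), server),
        "forestRoot": binding_path(dse.first("rootDomainNamingContext"), server),
    }


def search_preflight(attrs: Dict[str, List[str]],
                     required_controls: Iterable[str]) -> Dict[str, object]:
    """Check, before searching, that the server offers GSSAPI for the bind
    and every extension control the search is going to attach."""
    dse = RootDse(attrs)
    return {
        "gssapi": dse.supports_sasl("GSSAPI"),
        "missingControls": dse.missing_controls(required_controls),
        "ldapServiceName": dse.first("ldapServiceName"),
    }


if __name__ == "__main__":
    print(binding_path())
    print(resolve_bind_targets(SAMPLE_ROOTDSE))
    print(search_preflight(SAMPLE_ROOTDSE, [LDAP_PAGED_RESULT_OID_STRING]))
```

The only string the application ever writes itself is `LDAP://rootDSE`; every other distinguished name is read from the server at startup, so the same binary works unchanged in any domain. The preflight check matters for robustness: attaching a control the server does not list in SupportedControl fails at search time, and confirming GSSAPI is offered lets the client insist on an authenticated, mutually verified bind (using LdapServiceName as the target SPN) rather than falling back to a simple bind.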
Active Directory supports the following extension controls, which are listed in the SupportedControl attribute. For more information, see LDAPControl and ldap_search_init_page.
Control OID | String constant |
---|---|
1.2.840.113556.1.4.319 | LDAP_PAGED_RESULT_OID_STRING |
1.2.840.113556.1.4.473 | LDAP_SERVER_SORT_OID |
1.2.840.113556.1.4.474 | LDAP_SERVER_RESP_SORT_OID |
1.2.840.113556.1.4.801 | LDAP_SERVER_SD_FLAGS_OID |
1.2.840.113556.1.4.528 | LDAP_SERVER_NOTIFICATION_OID |
1.2.840.113556.1.4.417 | LDAP_SERVER_SHOW_DELETED_OID |
1.2.840.113556.1.4.619 | LDAP_SERVER_LAZY_COMMIT_OID |
1.2.840.113556.1.4.841 | LDAP_SERVER_DIRSYNC_OID |
1.2.840.113556.1.4.529 | LDAP_SERVER_EXTENDED_DN_OID |
1.2.840.113556.1.4.805 | LDAP_SERVER_TREE_DELETE_OID |
1.2.840.113556.1.4.521 | LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID |
1.2.840.113556.1.4.1338 | LDAP_SERVER_VERIFY_NAME_OID |
1.2.840.113556.1.4.1339 | LDAP_SERVER_DOMAIN_SCOPE_OID |
1.2.840.113556.1.4.1340 | LDAP_SERVER_SEARCH_OPTIONS_OID |
1.2.840.113556.1.4.1413 | LDAP_SERVER_PERMISSIVE_MODIFY_OID |
For more information and a code example that shows how to use serverless binding and rootDSE, see Example Code for Getting the Distinguished Name of the Domain.