Directory Services


The Microsoft LDAP provider ADsPath requires the following format.


Note  [ ] denotes optional parameters; it is not a literal part of the binding string.

The HostName can be a computer name, an IP address, or a domain name. A server name can also be specified in the binding string. Most LDAP providers follow a model that requires a server name to be specified.

The PortNumber specifies the specific port that should be used for the connection. If no port number is specified, the LDAP provider uses the default port number. The default port number is 389 if not using an SSL connection or 636 if using an SSL connection.

The DistinguishedName specifies the distinguished name of a specific object. A distinguished name for a given object is guaranteed to be unique.

The following table lists examples of binding strings.

LDAP ADsPath Example Description
Bind to the root of the LDAP namespace.
Bind to a specific server.
Bind to a specific server using the specified port number.
LDAP://CN=Jeff Smith,CN=users,DC=fabrikam,DC=com
Bind to a specific object.
LDAP://server01/CN=Jeff Smith,CN=users,DC=fabrikam,DC=com
Bind to a specific object through a specific server.

If Kerberos authentication is required for the successful completion of a specific directory request, the binding string must use either a serverless ADsPath, such as "LDAP://CN=Jeff Smith,CN=users,DC=fabrikam,DC=com", or it must use an ADsPath with a fully-qualified DNS server name, such as "LDAP:// Smith,CN=users, DC=fabrikam,DC=com". Binding to the server using a flat NETBIOS name or a short DNS name, for example, using the name "server01" instead of "", is not guaranteed to yield Kerberos authentication.

For more information and more examples of LDAP binding strings, as well as a description of special characters that can be used in LDAP binding strings, see LDAP ADsPath.

Windows 2000 SP1 and later:  With the LDAP provider, if a binding string includes a server name, you can increase performance by using the ADS_SERVER_BIND flag with the ADsOpenObject function or the IADsOpenDSObject::OpenDSObject method. The ADS_SERVER_BIND flag indicates that a server name was specified, which enables ADSI to avoid additional, unnecessary network traffic.

The following characters are reserved and cannot be used in an ADsPath with the LDAP provider.

Character Name Hex Value
<LF> Line feed 0x0A
<CR> Carriage return 0x0D
" Double quote 0x22
# Number sign 0x23
+ Plus sign 0x2B
, Comma 0x2C
/ Forward slash 0x2F
; Semicolon 0x3B
< Left angle bracket 0x3C
= Equals sign 0x3D
> Right angle bracket 0x3E
\ Backward slash 0x5C

For more information about the distinguished name notation used by LDAP-compliant directory services, see or