Home > Store

Building LDAP-Enabled Applications with Microsoft's Active Directory and Novell's NDS

Register your product to gain access to bonus material or receive a coupon.

Building LDAP-Enabled Applications with Microsoft's Active Directory and Novell's NDS

  • Published Dec 26, 2001 by Pearson.


  • Sorry, this book is no longer in print.
Not for Sale


  • Copyright 2002
  • Dimensions: K
  • Pages: 208
  • Edition: 1st
  • Book
  • ISBN-10: 0-13-062145-5
  • ISBN-13: 978-0-13-062145-0

The only applied guide for LDAP development in Active Directory and NDS environments.

  • LDAP—the open standard for directories
  • Integrate LDAP into your Active Directory and NDS applications
  • Explained by one of the world's top directory authorities!

Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral standard for accessing directory information. Using LDAP, developers can transform directories built in Active Directory and Novell Directory Services (NDS) into extendable, multiplatform, Internet-enabled solutions. In this book, Bruce Greenblatt—one of the world's leading directory experts—shows exactly how to develop custom LDAP solutions in both Active Directory and NDS environments. With examples in Java, and with the near-universal access afforded by LDAP, this book provides the tools you need to make your distributed applications more widely available than ever before.

Greenblatt begins with a discussion of LDAP and how it fits in with Internet standards, then explains LDAP schema design and security concepts. After detailed coverage of LDAP implementations in Active Directory and NDS, and an overview of how to use LDAP with Java, Greenblatt gives a first-hand look at Internet directories in action and walks through three complete application case studies-storage management, e-commerce, and a Web-based chat room. He then demonstrates how to access LDAP-enabled applications using Java servlets, Java applets, and Active Server Pages. Finally, you'll learn about LDAP's limitations (and how to work around them!) and also how to use XML with LDAP. Background information on Internet technologies, networking, and security is provided throughout. You'll learn how

  • LDAP can dramatically increase the reach of your distributed applications
  • To enable LDAP in Active Directory and NDS applications, step by step
  • To integrate LDAP technology into your own applications

This book is designed for Active Directory and NDS software developers, especially those involved with client-server or three-tier software development tools.

Sample Content

Online Sample Chapter

Principles of LDAP Schema Design

Table of Contents



1. Introduction.

What Is Driving LDAP Application Development? Who Is the Target Audience of This Book? What Background Is Needed to Understand This Book? How to Obtain Documentation on the Internet. Organization of This Book.

2. An Overview of LDAP and the Internet.

The Internet. The TLS Layer. The TCP Layer. The UDP Layer. Tying the Layers Together. Directories. LDAP. Data Storage. Protocol Usage. Distributed Operation. White Pages Service. Chapter Summary.

3. LDAP Overview.

LDAP Namespace and Information Model. LDAP Functional Components. Command Details. Bind and Unbind Commands. Search Command. Making Changes (Add, Modify, and Delete Commands). Lesser Used Commands (Modify DN, Compare, and Abandon). Extended Commands and Controls. What APIs Are Available for Programming to LDAP? What Kind of LDAP Server Is Included with NDS and Active Directory?

4. Principles of LDAP Schema Design.

Typical Problems with LDAP Schema Design. Relational Database Normalization. Data Redundancy. Retrieval of Unwanted Data. Delete and Update Anomalies. An Example. Summary.

5. LDAP Security.

Network Security. Secret-Key Encryption. Public-Key Encryption. Message Digests, Digital Signatures, and Authentication. TLS. Access Control. Native NDS Access Control. Application-Defined Permissions. Authentication.


6. Using an Installation of Active Directory.

A Typical ADS Installation. ADS Replication.

7. Using an Installation of Novell's NDS.

A Typical NDS Installation. NDS Replication.


8. Building LDAP Programs Using Java.

LDAP APIs for Java. The Netscape LDAP API for Java. Connecting to the LDAP Server. Searching the Directory. Adding Entries. Modifying Entries. Deleting Entries. Using Compare. Renaming Entries. Using Asynchronous Commands. Ending the Connection. Using LDAP in Java Applets. Using LDAP in Servlets.

9. Example LDAP Applications.

Using LDAP to Store User Configuration Information. Using LDAP to Store Application-Defined Access Control Information. An LDAP-Enabled Mailing List Administration Application. Installing LDAP-Enabled Applications.

10. Limitations of LDAP.
11. LDAP and XML.

A Quick XML Overview. DSML.




chapter objectives

  • What Is Driving LDAP Application Development?........ 4
  • Who Is the Target Audience of This Book?........ 5
  • What Background Is Needed to Understand This Book?........ 5
  • How to Obtain Documentation on the Internet........ 6
  • Organization of This Book........ 7

Many years ago (in 1983), I was taking a Computer Architecture course in graduate school. Most of the final grade in the course was derived from the semester-long project to design a computer. This project was to be done in three separate parts. Interestingly enough, when we were given the first part of the assignment, we didn't yet know exactly what the second or third parts of the assignment were. The first part of the assignment was to design the "exoarchitecture" of our computer, most of which involved creating the computer's assembly language. Once we had completed that stage, we were handed the second phase of the assignment, which was to design the "endoarchitecture" of our computer. This mostly involved designing the machine language of the computer. In addition, there were specific requirements added to part two that were not mentioned in part one. This was no big deal, except that part two built on part one and we were not allowed to change anything in the design of our exoarchitecture. As might be expected, quite a few students made many mistakes in their designs, which unfortunately had to be carried forward into the later stages of the project. So, of the original 75 or so students, about a third dropped the class after the first phase of the project.

For my part, I had made a choice in phase one to build an 8-bit computer so that the design of the assembly language and its implementation would be simpler. Unfortunately, there were several requirements in phase two that made this a seriously bad choice. Had I known of these requirements, I would have decided to build a 16-bit computer in phase one. This situation is unfortunately common in software development. Midway through the development of a project, new requirements come in and oftentimes seriously invalidate earlier assumptions. If the developers are lucky, they have time to go back and redesign the software system. The students in this class were not so lucky.

The third phase of the project completed the design of the computer. This part of the assignment involved designing much of the "microarchitecture" of the computer, which revolves around the microprogramming aspects of the hardware. Again, this assignment included some new requirements that made some of the students' earlier choices unfortunate. So, at the end of the three phases of the course project, I had assembled a seriously convoluted design for a computer. Many students had similar stories, and other students weren't around to complete the project. Only 22 of the original 75 students remained to the bitter end. Of these, only 11 received a passing grade (I was fortunate enough to be among that number).

While there were many books available that described existing computer architectures (most of them used the IBM 360 series mainframe as the principle example), very little material described the design process as a whole. Thus, unless we could have had access to Fred Brooks's1 diaries, we didn't really know what lay ahead of us. Even though the project was an interesting learning experience, it was very difficult to implement a top-notch computer design for this project. In many respects this is similar to the state of affairs of Lightweight Directory Access Protocol (LDAP) integrated application development today. There are several references available that define the basics of LDAP, but nothing is available that goes into any detail of design concepts that are unique to LDAP integrated application development. This book is intended to build on other references that explain the LDAP protocol and the functions of the LDAP Application Programming Interface (API).

What Is Driving LDAP Application Development?

LDAP has been available for several years as an add-on component to various server operating systems. Starting with Windows 2000 Server and NetWare 5.0, the LDAP server is built into the operating system. Windows 2000 Server includes the Active Directory. NetWare 5.0 includes the Novell Directory Service (NDS). So, application developers now have available a new piece of infrastructure technology which will always be available in the most popular network operating systems. Thus, there is no additional dependency for LDAP-enabled applications that are expected to run on a network, since virtually all local area networks in the future will use either Windows 2000 Server or NetWare 5.0.

The future utilization of LDAP in Internet applications is potentially—if not inevitably—explosive. The corporate networks built using Windows 2000 and NetWare 5.0 are now running the same Transport Control Protocol/Internet Protocol (TCP/IP) based networking protocols that are used on the Internet. This was not true in previous versions of these network operating systems. In the corporate network, LDAP Directories are responsible for making available information about network accessible resources, such as host machines, printers, users, and so forth.

An LDAP Directory provides a set of names and properties in such a way that Directory users can easily search them. Each name in the Directory and its associated properties are collected together as a Directory entry. LDAP Directories operate in client-server mode; LDAP clients submit service requests to Directory servers and Directory servers handle the requests and provide responses to the Directory clients. The core services provided by an LDAP server include property- or attribute-based information storage, manipulation, and retrieval. The most frequently utilized and hence most essential Directory service is property- or attribute-based information retrieval. Other services provided by a Directory server, such as data addition, deletion, and modification services, exist to support this primary service and are considered ancillary to the information retrieval service.

Who Is the Target Audience of This Book?

Throughout this book, the explanations of the various components of LDAP technology have been supplemented by making extensive use of examples. The examples of code are written exclusively using the Java programming language. Software developers desiring to create an application that is to be integrated with an LDAP Directory will find the treatment of technology, as well as the data organization in the examples, helpful in their efforts. I believe this to be the case even for developers whose principal programming language is not Java. Thus, the principal target audience for the book includes any application developer that wants to integrate his (or her) application with the network.

What Background Is Needed to Understand This Book?

This book assumes the reader has a basic background in computer science. Nearly all computer professionals will find most of this book easy to understand. Computer programming experience will be very helpful in understanding Chapter 8, Building LDAP Programs Using Java, and Chapter 9, Example LDAP Applications. The reader does not need to have a deep understanding of computer networking. It is helpful to have experience in using Internet applications, such as a Web Browser.

This book provides basic tutorial information on several different Internet technologies, as well as LDAP itself. Background material in computer networking and security is provided at appropriate points, when this material is needed to provide a complete treatment of the LDAP technology being discussed. This background material is provided for readers with limited backgrounds in those areas.

How to Obtain Documentation on the Internet

LDAP is a specification of the Internet Engineering Task Force (IETF) and provides the specifications that define the protocols that are used in the Internet. The IETF notes on its Web site (located at www.ietf.org), "The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet." The IETF publishes its specifications in documents that are known as Requests for Comments (RFCs). RFCs document various aspects of computer communications mainly in the area of protocols that are to be used for the exchange of information between two (or more) Internet hosts. These protocols fall into three main categories:

  • Network Layer
  • Transport Layer
  • Application Layer

An example of a Network Layer protocol is Internet Protocol (IP). Examples of Transport Layer protocols are Transport Control Protocol (TCP) and User Datagram Protocol (UDP). These layers will be summarized in the next chapter. Examples of Application Layer protocols are LDAP and SMTP.

RFCs are freely available from a number of sites around the world, including the IETF's own Web site mentioned above. The work of the IETF that has yet to be published as RFCs is available from these same sites in the form of Internet Drafts. Drafts are work-in-progress documents that are either being investigated by one of the many working groups of the IETF or are individual contributions.

An important difference between IETF and other standards-making bodies in terms of Internet documentation is that IETF documents are always free and, with only very rare exceptions, contain no patented or copyrighted information or ideas. Documentation from virtually every other standards body (e.g., ITU, ANSI, IEEE, ECMA) is prohibitively expensive to obtain. The IETF views this expense as a barrier to the implementation of standards and encourages implementations far and wide. As evidence of this strategy, RFC 2026 (the Internet Standards Process) defines the various types of RFCs and the stages in which they proceed. It defines the conditions that must exist before an RFC can proceed from the first level (Proposed Standard) to the first level on the IETF standards track (Draft Standard type RFC). "A specification from which at least two independent and interoperable implementations from different code bases have been developed, and for which sufficient successful operational experience has been obtained, may be elevated to the Draft Standard level." Other standard bodies typically introduce their standards prior to any implementation experience.

Organization of This Book

This book contains eleven chapters organized into three parts, arranged as follows:

  1. Part I serves as the book's introductory portion. It also provides detailed definitions of the LDAP components that make up the overall service provided by LDAP Directories and the protocols that they use. Chapter 1 sets out the purpose, target audience, and required background for the book. Chapter 2 gives an overview of the Internet and LDAP's place in the Internet. Chapter 3 discusses the Lightweight Directory Access Protocol (LDAP) itself. Chapter 4 discusses LDAP Schema Design. Chapter 5 discusses the various security concepts that are important to LDAP developers.
  2. Part II provides an overview of the two principal implementations of LDAP. Chapter 6 gives an overview of how to use an implementation of Active Directory. Chapter 7 provides an overview of how to use an implementation of NDS.
  3. Finally, Part III discusses applications of Internet Directories. Chapter 8 provides a quick overview of LDAP and Java. Chapter 9 gives detailed examples of three real-world LDAP-enabled applications. Chapter 10 discusses several limitations of LDAP and how the developer can work around them in the application. Chapter 11 discusses the emerging technology of XML and how it is used in LDAP.


Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020