In this blog we discuss directories, directory services and how they work, and then look at different kinds of directory services: Novell NDS, X.500, LDAP and Active Directory.
“In computer networks, a directory stores and organizes a number of users, their passwords and information about the network resources that those users can access. Network resources may be printers, computers, scanners etc.”
Microsoft Windows started to use the term “folder” instead of “directory”. With DOS 2.x, IBM/Microsoft introduced multiple directories on a single disk.
File vs Directory:
A file is a collection of data that is stored on disk and that can be manipulated as a single unit by its name.
A directory is a file that acts as a folder for other files. A directory can also contain other directories (sub-directories); a directory that contains another directory is called the parent directory of the directory it contains.
A directory tree includes a directory and all of its files, including the contents of all sub-directories.
- Business directory: information about suppliers and manufacturers.
- Telephone directory: allows telephone numbers to be found by the subscriber’s name.
- Web directory: an organized collection of links to websites.
- File directory of a computer: if you look at a complete file name on the computer, you see something like C:\Windows\System32\system.ini (or whatever). Here the root directory is “C:\”, “Windows” is the next level, “System32” is a sub-directory under “Windows”, and “system.ini” is the actual file name.
A directory service is the service related to the directory (folder), i.e. which users and what types of objects/resources are stored in the directory, and how those objects are managed and accessed.
Objects/Resources: e-mail, computers, peripheral devices (printers, scanners, ...) etc. A directory object contains attributes that describe the object.
Definition: “A directory service is a network service that identifies all resources on a network and makes that information available to users and applications.”
“Directory service is a software application for organizing information about a computer network’s users and objects.”
Directory services are important because they provide a proper way to name, describe, locate, access, manage and secure information about these resources. Directory services use standard protocols and APIs to access the information contained in the directory.
Using a directory service (DS), a user on a network can access any resource without knowing exactly where it is.
directory service = naming service + objects containing attributes
Applications of Directory Services –
- Resource planning
- Value chain management – VCM focuses on minimizing resources and accessing at each chain level, resulting in optimal process integration, decreased inventories, better products and enhanced customer satisfaction.
- Security and firewalls
- Resource provisioning, i.e. supplying or providing resources, and
- Deployment of e-business and extra-net applications.
An example of a directory service is the Domain Name System (DNS), which is provided by DNS servers. A DNS server stores the mappings of computer host names and other forms of domain name to IP addresses. A DNS client sends questions to a DNS server about these mappings (e.g. what is the IP address of gripinit.com?). Thus, all of the computing resources (hosts) become clients of the DNS server. The mapping of host names enables users of the computing resources to locate computers on a network using host names rather than complex numerical IP addresses. A DNS server stores only two types of information: names and IP addresses.
Characteristics of Directory Services –
A directory service can be considered an extension of a database; directory services generally have the following characteristics:
- Hierarchical naming model – A hierarchical naming model uses the concept of containment to reduce ambiguity between names and simplify administration. For example, the name of an object representing an employee of a particular company contains the name of the object representing the company, and the name of the company might contain the name of the objects representing the country where the company operates, e.g. cn= Nikhil Singh, o=GIIT Corporation Ltd, c=INDIA. Together the names of all objects in the directory service form a tree, and each Directory Server holds a branch of that tree.
- Extended search capability – Directory services provide robust search capabilities, allowing searches on individual attributes of entries, like searching for an item on Flipkart using various criteria.
- Distributed information model – A directory service enables directory data to be distributed across multiple servers within a network.
- Shared network access – Directory access means network access by definition. Directories are designed specifically for shared access among applications. This is achieved through the object-oriented schema model.
- Replicated data – Directories support replication (copies of directory data on more than one server), which makes information systems more accessible and more resistant to failure.
- Data-store optimized for reads – The storage mechanism in a directory service is generally designed to support a high ratio of reads to writes.
- Extensible schema – The schema describes the type of data stored in the directory. Directory services generally support the extension of schema, meaning that new data types can be added to the directory.
One thing common to all directory services is a tree based organization. A directory is a specialized database that is designed to retrieve information quickly and securely.
Information about the services, resources, users, and other objects is organized as individual entries. To make accessing these entries as efficient as possible, they are organized in a hierarchy called the Directory Information Tree (DIT).
The following diagram shows an example of a DIT:
- The root of the tree is typically a country (C) followed by an organization (O). For example, in the figure above, the root of the tree is o=Alphalite Airways, c=US.
- One or more organizational units (OU) typically appear below the root. These are container objects in that they can contain other directory entries.
- Directory entries that store information about a specific resource are referred to as leaf objects and they are added to the tree under an existing container object.
The path to each entry in the tree is called its distinguished name (DN), and each DN in the tree is unique. For example, using the DIT in the figure above, the DN for the plane Maintenance Department of Alphalite Airways would be ou=Planes, ou=Maintenance,o=Alphalite Airways, c=US.
Various Directory Services –
- Microsoft Active Directory: by Microsoft
- Netware Directory Service or eDirectory: by Novell
- X.500 Directory service (Global White Pages Directory): by any enterprises or institution. Created and organized when used as a part of single global directory.
- LDAP directory service: primarily used for e-mail addresses. It provides a central place to store usernames and passwords and allows different applications and services to connect to the LDAP server to validate users.
- Oracle Internet Directory: Oracle Corporation’s directory service, compatible with LDAP version 3
- Apache Directory Server: Apache Directory service, written in Java, supporting LDAP, Kerberos 5 and the Change Password Protocol; LDAPv3 certified
- Sun Java System Directory Server: Sun Microsystems’ directory service
Developer: Novell was an American software and services company. It was acquired by Micro Focus International in 2014, and Novell is now a division of it.
Netware: Also known as Novell Netware, a multi-platform Network Operating System (NOS).
NDS: Novell Directory Services, one of Novell’s major innovations in 1994, is now known as eDirectory. It was introduced with the Netware 4.0 operating system.
NDS is a software product for managing access to computer resources and keeping track of network users from a single point of administration. Users of computers at remote locations can be added, updated and managed centrally. NDS is considered an industry benchmark.
NDS can be installed on various platforms (shown below) to control a multi-platform network.
- Windows NT
- Sun Microsystems Solaris
- IBM’s OS/390 and
In 1988, ITU-T and ISO published the X.500 directory service recommendation and defined the Directory Access Protocol (DAP) to produce a global directory service standard.
X.500 and DAP were considered difficult to implement and did not receive broad commercial acceptance. Another limiting factor was that X.500 depends on the Open Systems Interconnection (OSI) network protocols instead of TCP/IP, the model the Internet uses. Although X.500 was unique in bringing a truly distributed nature and rich searching functionality to directories, those advantages came at the expense of requiring a large amount of computing resources.
Components of X.500 Directory System:
LDAP is an alternative to the complex DAP of the X.500 directory service.
In the X.500 standard, the client accesses the server via the Directory Access Protocol (DAP), which is based on the OSI protocol stack. With the Internet boom in the nineties, the accessibility of directories via TCP/IP became more and more important. Hence a TCP/IP-based access method, whose functionality was a subset of DAP, was standardized in 1993: the Lightweight Directory Access Protocol (LDAP).
At first, LDAP was simply an alternative to X.500’s DAP. However, because LDAP defined the protocol, anyone could write their own implementation of a directory service that followed the LDAP standard and did not require X.500.
The first such implementation was at the University of Michigan, where SLAPD (stand-alone LDAP daemon) and its replication partner, SLURPD (stand-alone LDAP update replication daemon), were developed in 1995. SLAPD was a simple LDAP server that could communicate with several different databases serving as directories. SLURPD was the program that replicated the changes in the directory database to other computers.
While LDAP largely replaced X.500, the Simple Mail Transfer Protocol (SMTP) became the de facto standard for e-mail on the Internet.
Microsoft Active Directory
Active Directory is the directory service of Microsoft in Windows Server 2003 architecture. The Active Directory directory service is a distributed database that stores and manages information about network resources, as well as application-specific data from directory-enabled applications.
In Active Directory, you organize resources in a logical structure. This enables you to find a resource by its name rather than its physical location. Because you group resources logically, Active Directory makes the network’s physical structure transparent to users.
Active Directory allows administrators to organize objects of a network (such as users, computers, and devices) into a hierarchical collection of containers known as the logical structure. The top-level logical container in this hierarchy is the forest. Within a forest are domain containers, and within domains are organizational units.
Features of Active Directory:
It extends the basic functionality of a directory service to provide the following benefits :
- Domain Name System (DNS) integration – Active Directory uses DNS naming conventions to create a hierarchical structure that provides a familiar, orderly and scalable view of network relationships. DNS also functions to map host names, such as www.microsoft.com, to numeric TCP/IP addresses, such as 192.168.19.2.
- Scalability – Active Directory is organized into sections that can store a large number of objects. As a result, Active Directory can expand as an organization grows. An organization that has a single server with a few hundred objects can grow to thousands of servers and millions of objects.
- Centralized Management – Active Directory enables administrators to manage distributed desktops, network services, and applications from a central location, while using a consistent management interface. Active Directory also provides centralized control of access to network resources by enabling users to log on only once to gain full access to resources throughout Active directory.
- Delegated administration – The hierarchical structure of Active Directory enables administrative control to be delegated for specific segments of the hierarchy. A user authorized by a higher administrative authority can perform administrative duties in their designated portion of the structure. For example, a user might have limited administrative control over their workstation settings, and a department manager might have the administrative rights to create new users in an organizational unit.
- LDAP support – Active Directory supports LDAP to enable inter-directory operability, i.e. access to other directory services.
- Security Service – provides SSL- and Kerberos-based authentication.
- Supports the X.500 standard for global directories
Active Directory is an LDAP-based database that contains objects. Some basic terms used in AD are as follows –
- Objects – users, computers and groups
- OU – grouping of objects based on business need.
- Group Policy – applied to more than one OU.
- Domain – is a form of network
- Domain Controller – a server running a Windows Server OS that has AD DS and responds to security authentication requests that
Active Directory Architecture:
Various Components of Active Directory are as below-
Objects are the network resources. There are basically 3 types of objects, which are further categorized as below –
- Container Objects
  - Default Container Objects
    - Foreign Security Principals
  - Generic or Created Container Objects
    - Domain Categories –
      - Single Domain
      - Master Domain
      - Multiple Master Domain
    - Domain Terminologies –
      - Trust Relationship –
        - Two-way Trust
        - Transitive Trust
    - Domain Categories –
      - Organizational Units
      - Default Container Objects
- Leaf Objects
- Other Objects
A container object holds other objects. Container objects also have a defined location in the directory sub-tree hierarchy. Container Objects can be categorized in 2 types –
- Default Container Objects
- Generic/ Created Container Objects
1.1.1 DEFAULT CONTAINER OBJECT
There are several container objects that are installed by default when you promote the first domain controller on your network. They differ from manually created containers because their object attribute type is literally named a container. They don’t have the same properties as other generic Active Directory containers (such as sites, domains, and OUs). You cannot delete them nor can you create new objects of that container object type. You can also not associate Group Policy Objects with these.
- FOREIGN SECURITY PRINCIPALS
1.1.2 GENERIC AND CREATED CONTAINER OBJECTS
There are three major types of containers that are configured manually and are considered as generic –
- Organizational Units
These objects are most often used to link group policy objects. When you link a group policy to a container it enforces that policy on all the objects (users, computers, nested groups etc.) inside it.
A container is very similar to the folder concept in Windows. A folder contains files and other folders. In Active Directory, a container holds objects and other containers. The 3 types of containers are Domains, Sites and Organizational Units and are explained as below.
1. Domains – The domain container holds all of the other objects that are a part of that domain, including organizational unit objects and their contents.
A Windows domain is a form of a computer network in which all user accounts, computers, printers and other security principals, are registered with a central database (called a directory service) located on one or more clusters of central computers known as domain controllers. Authentication takes place on domain controllers. Each person who uses computers within a domain receives a unique user account that can then be assigned access to resources within the domain
Windows domains can be organized into the following domain models.
- Single domain: In this model, only one domain contains all network resources.
- Master domain: The master model usually puts users at the top-level domain and then places network resources, such as shared folders or printers, in lower-level domains (called resource domains). In this model, the resource domains trust the master domain.
- Multiple master domains: This is a slight variation on the master domain model, in which users might exist in multiple master domains, all of which trust one another, and in which resources are located in resource domains, all of which trust all the master domains.
- Complete trust: This variation of the single-domain model spreads users and resources across all domains, which all trust each other.
DOMAINS Application and Properties:
Domains are responsible for creating trees and forests, as well as maintaining trust relationships with each other to access the resources of other domains.
A tree is a group of domains that have the same DNS name; for example, nks.com (the top domain), sales.nks.com and software.sales.nks.com (the child domains).
A forest is a collection of trees which can be treated as one administrative unit, and Active Directory automatically manages trusts between the domains in it. For security purposes, organizations have set up multiple forests, but trusts between forests must be managed manually by the administrator. Because the forest is a security boundary, a forest does not trust or allow access from any other forest by default. However, in Windows Server 2003 and later Active Directory, transitive trust relationships can be established manually between forests to provide cross-forest access to resources, so that users in one forest can access resources in another forest.
C. TRUST RELATIONSHIP
There are basically 2 types of trusts –
a. TWO WAY
When you create a new child domain, the child domain automatically trusts the parent domain, and vice versa. At the practical level, this means that authentication requests can be passed between the two domains in both directions.
b. TRANSITIVE
A transitive trust is an automatic trust association between parent and child domains and between root domains in a Windows Active Directory forest. For example, if domain A trusts B, and B trusts C, then A automatically trusts C.
At the level of the forest, a trust relationship is created automatically between the forest root domain and the root domain of each domain tree added to the forest, with the result that complete trust exists between all domains in an Active Directory forest. At the practical level, because trust relationships are transitive, a single logon process lets the system authenticate a user (or computer) in any domain in the forest. This single logon process potentially lets the account access resources on any domain in the forest.
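To make the trust rules above concrete, here is an added example (not code from the original post) that models domains and their trusts as a graph. Parent-child trusts are two-way and transitive, so a breadth-first walk over them answers whether one domain can authenticate a user from another and which domains the referral passes through. The domain names nks.com, sales.nks.com and software.sales.nks.com are the post's own tree example; the second forest (partner.example and its child) and the third forest are constructed here. It also encodes one caveat the post does not state: a manually created forest trust is transitive between the two forests it joins but does not chain on to a third forest.

```python
"""Trust relationships in an Active Directory forest modelled as a graph.
Added example, not code from the original post. The nks.com tree is the
post's example; partner.example and third.example are constructed."""
from collections import deque


class TrustGraph:
    def __init__(self):
        self.trusts = {}   # domain -> set of domains it trusts directly
        self.forest = {}   # domain -> root domain of the forest it belongs to

    def add_domain(self, domain, parent=None):
        """A new forest root (no parent) or a child domain. A child domain and
        its parent automatically trust each other in both directions."""
        self.trusts.setdefault(domain, set())
        if parent is None:
            self.forest[domain] = domain
        else:
            self.forest[domain] = self.forest[parent]
            self.trusts[domain].add(parent)
            self.trusts[parent].add(domain)

    def add_forest_trust(self, root_a, root_b):
        """Forests do not trust each other by default; an administrator creates
        this trust manually between the two forest root domains."""
        if self.forest[root_a] != root_a or self.forest[root_b] != root_b:
            raise ValueError("forest trusts are created between forest roots")
        self.trusts[root_a].add(root_b)
        self.trusts[root_b].add(root_a)

    def trust_path(self, source, target):
        """Breadth-first search over direct trusts. Trusts inside a forest are
        two-way and transitive (A trusts B, B trusts C => A trusts C). A forest
        trust may be crossed once: it is transitive between the two forests it
        joins but does not extend to a third forest. Returns the list of domains
        an authentication referral passes through, or None if no trust exists."""
        prev = {source: None}
        queue = deque([source])
        while queue:
            domain = queue.popleft()
            if domain == target:
                path = []
                while domain is not None:
                    path.append(domain)
                    domain = prev[domain]
                return path[::-1]
            for neighbour in self.trusts[domain]:
                crossing = self.forest[neighbour] != self.forest[domain]
                left_home = self.forest[domain] != self.forest[source]
                if crossing and left_home:
                    continue   # would chain a forest trust into a third forest
                if neighbour not in prev:
                    prev[neighbour] = domain
                    queue.append(neighbour)
        return None

    def trusts_domain(self, source, target):
        return self.trust_path(source, target) is not None


def build_sample():
    """The post's nks.com tree plus one constructed second forest."""
    g = TrustGraph()
    g.add_domain("nks.com")                                      # forest root
    g.add_domain("sales.nks.com", parent="nks.com")
    g.add_domain("software.sales.nks.com", parent="sales.nks.com")
    g.add_domain("partner.example")                              # constructed forest root
    g.add_domain("hr.partner.example", parent="partner.example")
    return g


if __name__ == "__main__":
    g = build_sample()
    print(g.trust_path("software.sales.nks.com", "nks.com"))
    print(g.trusts_domain("nks.com", "hr.partner.example"))     # no forest trust yet
    g.add_forest_trust("nks.com", "partner.example")
    print(g.trust_path("software.sales.nks.com", "hr.partner.example"))
```

Run it as-is to see the referral path climb the tree to the forest root; then add the forest trust and the same query succeeds across forests. Adding a third forest trusted only by partner.example shows that nks.com still gets no path to it.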
GOALS TO USE DOMAIN
- ADMINISTRATIVE BOUNDARIES
- REPLICATE INFORMATION
- APPLY GROUP POLICY
- STRUCTURE THE NETWORK
- DELEGATE ADMINISTRATIVE AUTHORITY
2. Sites – A site is a physical grouping of objects based upon IP addresses. A site cannot span multiple physical locations; it encompasses the network objects and devices in one area. For example, the XYZ company has offices in Pune, Delhi and Ahmedabad. Each office is a physical location and is therefore considered a “site”. The site container is a logical representation of what is physically true. Put simply, a site is a location; specifically, sites are used to distinguish between local and remote locations.
3. Organizational Units – An organizational unit is simply a container that the administrator creates and can use for any purpose. Most administrators create logical organizational units and place users and/or groups inside them in order to set up specific permissions or policies. For example, an administrator may create an organizational unit called “Accounting” and place the executives and the accounting department into it so that they can have access to specific resources that are not available to the rest of the network.
1.2 LEAF OBJECT
Objects are either container objects or leaf objects (also called non-container objects). A container object stores other objects and a leaf object does not. For example, a folder is a container object for files, which are leaf objects. Leaf objects are located at the end of the sub-tree hierarchy.
1.3 OTHER OBJECTS
In addition, Active Directory also supports some other types of objects, such as Group, Contact, Shared Folder and Printer, as listed below.
- Group – A group object represents a collection of user accounts, computer accounts, contacts and other groups that can be managed as a single unit. Groups facilitate role-based access to network resources. There are two types of groups – security and distribution groups. Security groups are mainly used for the purpose of providing access to network resources. Distribution groups are not security-enabled and can be used only for communication purposes. Groups vary in scope, which limits their membership and scope of operation.
- Contact – A contact object contains the contact information about people who are associated with the organization but are not part of it like contractors, suppliers.
- Shared folder – A shared folder object is used to share files across the network.
- Printer – A printer object corresponds to a printer resource in a network.
Attributes are characteristics of objects in the directory. For example, the attributes of a user might include the user’s first and last names, department, and e-mail address.
The schema is the component that defines all object classes and attributes that AD uses to store data. It is sometimes referred to as the blueprint for AD. The schema is replicated among all domain controllers in the forest. Any change that is made to the schema is replicated to every domain controller in the forest from the schema master holder, which is typically the first domain controller in the forest.
In Schema each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is defined once but is used in many different classes.
Each class of objects in the Active Directory schema has attributes that ensure:
- Unique identification of each object in a directory data store.
- security principals (users, computers, or groups)
- Compatibility with LDAP standards for directory object names.
8. LDAP NOTATION
The three object naming formats supported by AD are –
8.1 LDAP DN and RDN names
LDAP defines operations for adding, searching, modifying, and deleting directory entries. An LDAP server is required to provide a LDAP directory service.
The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services. LDAP is based on entries; an entry is a set of attributes identified by a globally unique Distinguished Name (DN). Each of a directory entry’s attributes has a type and one or more values. The attributes in a directory entry’s distinguished name(DN) are arranged in a hierarchy from right to left with the rightmost attribute as the top entry and with the leftmost attribute(s) that are unique to its level called a Relative Distinguished Name (RDN). A DN is a sequence of RDNs.
An entry in a directory is identified by a distinguished name (DN). An example of a directory entry’s distinguished name is:
DN: cn=nikhil, ou=People, dc=example, dc=com
In the example DN, the base entry/root is “dc=example, dc=com.” The relative distinguished name is “cn=nikhil”.
8.2 LDAP URLs
Active Directory supports access using the LDAP protocol from any LDAP-enabled client. RFC 1959 describes a format for an LDAP Uniform Resource Locator (URL) that lets Internet clients access the LDAP protocol directly. LDAP URLs are also used in scripting. An LDAP URL begins with the prefix “LDAP”, then names the server holding Active Directory services, followed by the attributed name of the object (the distinguished name). For example:
LDAP://ADserver.example.com/cn=nikhil, ou=People, dc=example, dc=com
8.3 LDAP based canonical names
By default, Active Directory administrative tools display object names using the canonical name format, which lists the RDNs from the root downward and without the RFC 1779 naming attribute descriptors (dc=, ou=, or cn=). The canonical name uses the DNS domain name format, that is, the constituents of the domain labels section of the name are separated by periods—USRegion.OrgName.com. Table 1.2 contrasts the LDAP DN with the same name in canonical name format.
DN: cn=nikhil, ou=People, dc=example, dc=com
Canonical Name: example.com/people/nikhil
Most Active Directory applications refer to objects using their canonical names. A canonical name is a distinguished name (DN) in which the domain name comes first, followed by the names of the object’s parent containers from the root of the domain, separated by forward slashes.
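The three notations in this section (the DN/RDN hierarchy, the LDAP URL and the canonical name) are all derived from the same sequence of RDNs, and the DIT example earlier in the post (the DN ou=Planes, ou=Maintenance, o=Alphalite Airways, c=US) follows the same right-to-left rule. The following added example, which is not code from the original post, parses a DN into its RDNs and produces each form. The DN cn=nikhil, ou=People, dc=example, dc=com and the server ADserver.example.com are the post's own sample values; the DN with an escaped comma is constructed here to show why a naive split on commas is not enough.

```python
"""Parse LDAP distinguished names and derive the RDN, base DN, canonical name
and LDAP URL forms. Added example, not code from the original post; the
sample DN and server name are the post's, the escaped-comma DN is constructed."""
from urllib.parse import quote


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    A comma separates RDNs unless it is escaped with a backslash (RFC 4514),
    so 'cn=Singh\\, Nikhil' is a single RDN. Attribute types are lower-cased
    for comparison; values keep the case given in the DN.
    """
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)

    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Re-join the RDNs without the optional spaces after the commas."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def relative_dn(dn):
    """The leftmost RDN: the part that is unique within the entry's parent."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def base_dn(dn):
    """The domain components (dc=...) that form the root of the naming context."""
    return ",".join(f"dc={v}" for a, v in parse_dn(dn) if a == "dc")


def canonical_name(dn):
    """AD canonical form: DNS domain first, then the containers from the root
    downward separated by forward slashes, with no attribute descriptors."""
    pairs = parse_dn(dn)
    domain = [v for a, v in pairs if a == "dc"]
    if not domain:
        raise ValueError("canonical names need dc= components (an X.500-style "
                         "o=/c= DN has no DNS domain to lead with)")
    path = [v for a, v in pairs if a != "dc"]
    return ".".join(domain) + "/" + "/".join(reversed(path))


def ldap_url(host, dn):
    """LDAP URL: scheme, the server holding the directory, then the DN.
    Characters outside the URL-safe set (spaces, backslashes) are
    percent-encoded as RFC 4516 requires; '=' and ',' stay literal."""
    return f"LDAP://{host}/{quote(normalize_dn(dn), safe='=,')}"


if __name__ == "__main__":
    sample = "cn=nikhil, ou=People, dc=example, dc=com"
    print(parse_dn(sample))
    print(relative_dn(sample), "|", base_dn(sample))
    print(canonical_name(sample))
    print(ldap_url("ADserver.example.com", sample))
```

Note that canonical_name keeps the case of each RDN value as it appears in the DN (example.com/People/nikhil), whereas the table above shows the container lower-cased; the DNS domain part is case-insensitive either way, and comparisons of DNs should be done on the normalized form rather than on the raw string.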
7. OBJECT NAMING
7.1 LDAP DISPLAY NAME
The LDAP display name is globally unique for each schema object. The LDAP display name consists of one or more words combined, using initial caps for words after the first word. For example, mailAddress and machinePasswordChangeInterval are the LDAP display names. Programmers and administrators use this name to reference the object programmatically.
7.2 COMMON NAME
The common name for schema objects is also globally unique. You specify the common name when creating a new object class or attribute in the schema—it is the relative distinguished name (RDN) of the object in the schema that represents the object class. For example, the common names of the two attributes mentioned in the preceding paragraph are SMTP-Mail-Address and Machine-Password-Change-Interval.
7.3 OBJECT IDENTIFIER(OID)
A schema object’s identifier is a number issued by an issuing authority such as the International Organization for Standardization (ISO) and the American National Standards Institute (ANSI). For example, the OID for the SMTP-Mail-Address attribute is 1.2.840.113518.104.22.1686. OIDs are guaranteed to be unique across all networks worldwide. Once you obtain a root OID from an issuing authority, you can use it to allocate additional OIDs. OIDs form a hierarchy.
If your organization has several domains, it is possible to use the same user name or computer name in different domains. The security ID, GUID, LDAP distinguished name, and canonical name generated by Active Directory uniquely identify each user or computer in the directory. If the user or computer object is renamed or moved to a different domain, the security ID, LDAP relative distinguished name, distinguished name, and canonical name change, but the GUID generated by Active Directory does not change.
9. GLOBALLY UNIQUE IDENTIFIERS
Every object in Active Directory has a globally unique identifier (GUID), a 128-bit number assigned by the Directory System Agent when the object is created. The GUID, which cannot be altered or removed, is stored in an attribute, objectGUID, which is a required attribute for every object. Unlike a distinguished name (DN) or relative distinguished name (RDN), which can be changed, the GUID never changes.
10. USER PRINCIPAL NAMES
In Active Directory, each user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that is used by the system and easier to remember. The UPN is independent of the user object’s DN, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialog box.
The UPN’s three parts are the UPN prefix (user logon name), the @ character, and the UPN suffix (usually a domain name). The default UPN suffix for a user account is the DNS name of the Active Directory domain where the user account is located. For example, the UPN for user Joel Roy, who has a user account in the OrgName.com domain (if OrgName.com is the only domain in the tree), is JRoy@OrgName.com. The UPN is an attribute (userPrincipalName) of the security principal object. If a user object’s userPrincipalName attribute has no value, the user object has a default UPN of userName@DnsDomainName.
If your organization has many domains forming a deep domain tree, organized by department and region, default UPN names can become unwieldy. For example, the default UPN for a user might be sales.westcoast.microsoft.com. The logon name for a user in that domain is firstname.lastname@example.org. Instead of accepting the default DNS domain name as the UPN suffix, you can simplify both administration and user logon processes by providing a single UPN suffix for all users. You can choose to use your e-mail domain name as the UPN suffix—userName@companyName.com. This gives the user in the example the UPN name of email@example.com.
For a UPN-based logon, a global catalog may be necessary, depending on the user logging on and the domain membership of the user’s computer. A global catalog is needed if the user logs on with a non-default UPN and the user’s machine account is in a different domain than the user’s user account. That is, if, instead of accepting the default DNS domain name as the UPN suffix (as in the example just given, firstname.lastname@example.org), you provide a single UPN suffix for all users (so that the user then becomes simply user@microsoft.com), a global catalog is required for logon.
UPNs are assigned at the time a user is created. If you have created additional suffixes for the domain, you can select from the list of available suffixes when you create the user or group account. The suffixes appear in the list in the following order:
- Alternate suffixes (if any; last one created appears first).
- Root domain.
- The current domain.
4. DATA MODEL
The Active Directory data model is derived from the X.500 data model. The directory holds objects that represent various components of the network, and each of the objects is described by attributes. The collection of objects that can be stored in the directory is defined in the schema.
5. SECURITY MODEL
Active Directory’s security model secures and protects every object stored in Active Directory, including domain user accounts and domain computer accounts, domain security groups and group policies. The Active Directory security model allows administrators to specify who has what access to which object with a high degree of control. It also allows administrators to specify access for an entire group of users so as to simplify security management.
The following is an overview of how Active Directory’s security model protects stored content
- Each object is protected by a component known as a Security Descriptor
- Each security descriptor contains an Access Control List (ACL)
- Each ACL contains one or more Access Control Entries (ACEs)
- Each ACE allows or denies specific security permissions to some security principal
- Security groups can be specified and be part of security groups
- ACEs can be explicit or inherited; explicit ACEs override inherited ACEs
- Access is specified in the form of low-level technical permissions
- These low-level permissions can be standard permissions, or special permissions such as extended rights or validated writes
- Active Directory’s current object visibility mode impacts list access requests
- The access check takes into account the object’s ACL and the user’s token and determines resultant access for user on the object
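The list above describes the access check in words; the following added example (not code from the original post) models it in a simplified form. An object's security descriptor carries an ACL of ACEs, each ACE allowing or denying a set of low-level rights to one security principal (a user or group SID), and the check walks the ACL in the order Windows evaluates it: explicit ACEs before inherited ones, and deny before allow within each group, comparing each ACE's trustee with the SIDs in the user's token. All SIDs, group names and rights here are constructed sample values, and the model omits details such as object-specific ACEs, ownership and the visibility mode.

```python
"""Simplified Active Directory / Windows access check: ACL of ACEs versus the
SIDs in a user's token. Added example, not code from the original post;
SIDs, groups and rights are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    kind: str             # "allow" or "deny"
    trustee: str          # SID of the user or group the ACE applies to
    rights: frozenset     # low-level permissions, e.g. {"read", "write"}
    inherited: bool = False   # True if inherited from a parent container


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow. Because
    explicit ACEs are evaluated first, they take effect before inherited ones."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.kind)])


def access_check(acl, token, requested):
    """token: the set of SIDs in the user's access token (own SID plus every
    group SID). Walk the ACL in canonical order: a matching deny that covers
    any still-ungranted requested right ends the check with denial; matching
    allows accumulate rights until every requested right has been granted."""
    wanted = frozenset(requested)
    granted = set()
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if (wanted - granted) & ace.rights:
                return False
        else:
            granted |= ace.rights & wanted
            if wanted <= granted:
                return True
    return wanted <= granted


def effective_rights(acl, token, all_rights):
    """Resultant access: the subset of all_rights the token would be granted."""
    return {right for right in all_rights if access_check(acl, token, {right})}


# Constructed SIDs: placeholders, not real domain SIDs.
STAFF = "S-1-5-21-EXAMPLE-1101"
CONTRACTORS = "S-1-5-21-EXAMPLE-1102"
ALICE = "S-1-5-21-EXAMPLE-2001"
BOB = "S-1-5-21-EXAMPLE-2002"

# ACL on an OU, deliberately listed out of canonical order.
OU_ACL = [
    ACE("allow", STAFF, frozenset({"read", "write"}), inherited=True),   # from parent
    ACE("allow", ALICE, frozenset({"delete"})),                          # explicit
    ACE("deny", CONTRACTORS, frozenset({"write"})),                      # explicit
]

# ACL where an explicit allow overrides an inherited deny.
OVERRIDE_ACL = [
    ACE("deny", STAFF, frozenset({"write"}), inherited=True),
    ACE("allow", ALICE, frozenset({"write"})),
]

ALICE_TOKEN = {ALICE, STAFF, CONTRACTORS}   # Alice is staff and a contractor
BOB_TOKEN = {BOB, STAFF}


if __name__ == "__main__":
    rights = {"read", "write", "delete"}
    print("alice:", effective_rights(OU_ACL, ALICE_TOKEN, rights))
    print("bob:  ", effective_rights(OU_ACL, BOB_TOKEN, rights))
    print("alice write (override):", access_check(OVERRIDE_ACL, ALICE_TOKEN, {"write"}))
    print("bob write (override):  ", access_check(OVERRIDE_ACL, BOB_TOKEN, {"write"}))
```

Two things to notice when running it: Alice loses write on the OU even though her staff membership grants it, because the explicit deny on the contractors group is evaluated before the inherited allow; and on the second ACL she keeps write despite the inherited deny on staff, because an explicit allow sits ahead of an inherited deny in canonical order. This is why reviewing effective rights, rather than reading individual ACEs, is the reliable way to audit who can modify a container.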
6. ADMINISTRATION MODEL
Authorized users perform administration in Active Directory services. A user is authorized by a higher authority to perform a specified set of actions on a specified set of object instances and object classes in some identified subtree of the directory. This is called delegated administration. Delegated administration allows granular control over who can do what and enables delegation of authority without granting elevated privileges.
The Directory System Agent (DSA) is the process that manages the directory’s physical storage. Clients use one of the supported interfaces to connect to the DSA and then search for, read and write directory objects and their attributes. The DSA isolates clients from the physical storage format of the directory data. This provides convenient access while enhancing system security.
Question: Differentiate between LDAP and X.500?
Answer: The first is X.500, a directory protocol standard developed by the International Telecommunications Union (ITU). The second is Lightweight Directory Access Protocol (LDAP), a derivative of the X.500 protocol developed as an open source project by the Open System Interconnection – Directory Services (OSI-DS) and the Internet Engineering Task Force (IETF).
LDAP is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. X.500 is a series of computer networking standards covering electronic directory services.
It was a case of the student overtaking the mentor as the Lightweight Directory Access Protocol was at first a simple alternative to X.500’s Directory Access Protocol (DAP). LDAP was used for accessing X.500 directories via the TCP/IP protocol. With the advent of the Internet and its reliance on TCP/IP, X.500 faded into the background even though it was later modified for use over TCP/IP.
Although Win2K’s DS is based on X.500, the access mechanism uses Lightweight Directory Access Protocol. LDAP solves several X.500 problems.
X.500 is part of the Open System Interconnection (OSI) model, but OSI doesn’t translate well into a TCP/IP environment. Thus, LDAP uses TCP/IP as its communication medium. LDAP reduces the number of functions available with a full X.500 implementation, providing a lean and fast DS while maintaining X.500’s overall structure. LDAP is the mechanism that communicates with Active Directory (AD) and performs basic read, write, and modify operations.
Question: Differentiate between LDAP and Active Directory?
Answer: Active Directory is a database-based system that provides authentication, directory, policy and other services in a Windows environment, while LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP. In short, AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.