What are X.500 and LDAP?

A. X.500 is the most common directory-management protocol. Two X.500 standards exist: the 1988 version and the 1993 version. Windows 2000’s Directory Service (DS) implementation is derived from the 1993 X.500 standard.

The X.500 model uses a hierarchical approach to objects in the namespace. The namespace has a root at the top, with children coming off the root. Win2K domains have DNS names (e.g., savilltech.com would be a domain name, and legal.savilltech.com would be a child domain of savilltech.com).

The Figure shows an example domain with a DS root and several children. The first layer of children is countries.

Imagine each country as a child domain of the root (e.g., usa.root.com, england.root.com). You can break each child domain into several organizations, and you can break the organizations into organizational units (OUs). Various privileges and policies apply to each OU. Each OU has several objects, such as users, computers, and groups.

Although Win2K’s DS is based on X.500, the access mechanism uses Lightweight Directory Access Protocol. LDAP solves several X.500 problems.

X.500 is part of the Open System Interconnection (OSI) model, but OSI doesn’t translate well into a TCP/IP environment. Thus, LDAP uses TCP/IP as its communication medium. LDAP reduces the number of functions available with a full X.500 implementation, providing a lean and fast DS while maintaining X.500’s overall structure. LDAP is the mechanism that communicates with Active Directory (AD) and performs basic read, write, and modify operations. You can find more information about X.500 in D.W. Chadwick’s book, Understanding X.500 - The Directory.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.