For automating and programmatically accessing Active Directory (AD), the typical API of choice is Microsoft Active Directory Service Interfaces (ADSI). ADSI is an easy-to-use, robust interface that lets you manipulate objects in AD. When you combine ADSI with ADO for query purposes, you can perform nearly any function necessary to automate AD.
However, because ADSI is COM based (and COM is a proprietary Microsoft technology), you can't easily use ADSI from other platforms. In other words, ADSI is tied to Windows OSs. Using ADSI to develop scripts or applications on a non-Windows platform or to develop cross-platform scripts or applications is difficult. Fortunately, an alternative exists: You can use a Lightweight Directory Access Protocol (LDAP) API.
Microsoft's track record for supporting standards hasn't always been that great, but with AD, Microsoft made significant improvements in that regard. AD supports not only LDAP but also other standards, such as DNS, Simple Network Time Protocol (SNTP), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Kerberos. One of the great benefits of AD supporting LDAP is that LDAP makes AD much more platform neutral from a client perspective. Because LDAP is a standard, you aren't limited to Windows clients and platforms. LDAP has been around for many years and has clients for nearly all platforms, which means you can write LDAP-enabled clients or scripts to query and update AD from your platform of choice. Having that capability is a boon for administrators who need to develop scripts or applications on a non-Windows platform or write cross-platform applications or scripts that use AD. . . .


I have been able to successfully 'add' values to the 'member' attribute of a group object using the 'modify' method. I am binding to LDAP with a domain admin user account.
Andrew September 19, 2003